308573 – LocalFrame::frameWasDisconnectedFromOwner does not properly reset RenderView

RESOLVED FIXED308573

LocalFrame::frameWasDisconnectedFromOwner does not properly reset RenderView

https://bugs.webkit.org/show_bug.cgi?id=308573

Summary LocalFrame::frameWasDisconnectedFromOwner does not properly reset RenderView

Brent Fulgham

Reported 2026-02-24 12:19:34 PST

The Document object holds a pointer to a RenderView (m_renderView) that holds a CheckedRef to a LocalFrameView. The LocalFrameView is an aspect of the m_frame member of the Document. When the Document detaches from a frame, the RenderView pointer it holds is no longer valid. Crash data indicated that the RenderView was not being properly cleaned up when the frame member was cleared or changed. This seems to be because of Document::frameWasDisconnectedFromOwner (and more recent Site isolation versions of this logic) improperly called Document::detachFromFrame directly, rather than Document::willBeRemovedFromFrame, which handles the bookkeeping for keeping RenderView (as well as selection views, etc.) in sync.

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2026-02-24 12:19:39 PST

<rdar://problem/171101953>

Brent Fulgham

Comment 3 2026-02-25 15:54:32 PST

Pull request: https://github.com/WebKit/WebKit/pull/59459

EWS

Comment 4 2026-02-26 20:11:47 PST

Committed 308317@main (7ff8905cfd09): <https://commits.webkit.org/308317@main> Reviewed commits have been landed. Closing PR #59459 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component DOM

Assignee

Brent Fulgham

Reported

2026-02-24 12:19 PST

Modified

2026-02-26 20:11 PST History

CC List

2 users Show

URL

Keywords InRadar

Depends on

Blocks