Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 4d71f0dd2f9bca81802dd141123f33541861d986
https://github.com/WebKit/WebKit/commit/4d71f0dd2f9bca81802dd141123f33541861d986
Author: Sihui Liu <[email protected]>
Date: 2026-03-09 (Mon, 09 Mar 2026)
Changed paths:
M Source/WebKit/UIProcess/WebPageProxy.cpp
Log Message:
-----------
WebPageProxy should ignore DidFailLoadForFrame message from non-loading process
https://bugs.webkit.org/show_bug.cgi?id=309387
rdar://168795695
Reviewed by Per Arne Vollan.
Message check for `frame->frameLoadState().state()` in
`WebPageProxy::didChangeProvisionalURLForFrameShared` sometimes fails even
though the process is not malicious. According to system logs when the crash
reproduces, there is a chance that frame state is updated by a non-loading web
process during provisional load. Here is the flow:
1. WebProcess1 asks UIProcess for navigation decision for a load.
2. UIProcess decides this load needs to continue in WebProcess2: it tells
   WebProcess1 to cancel the load and tells WebProcess2 to load.
3. UIProcess receives `DidChangeProvisionalURLForFrame` from WebProcess2, and
   sets frame state to `Provisional`.
4. UIProcess receives `DidFailLoadForFrame` from WebProcess2, and sets frame
   state to `Finished`.
5. UIProcess receives `DidChangeProvisionalURLForFrame` from WebProcess1, and
   message check fails as state is not `Provisional`.
There is a race between step 3 and 4. If step 4 happens first, then we won't
see the message check failure; but there is no guarantee about the ordering.
To fix this, make sure `WebPageProxy` validates the sender process before
proceeding with `DidFailLoadForFrame` operation. We already have a similar
check in `WebPageProxy::didFailProvisionalLoadForFrame`.
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::didFailLoadForFrame):
Canonical link: https://commits.webkit.org/308947@main
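The following is an added, self-contained model of the hardening the commit message describes; it is not WebKit's code and none of the names (`PageProxy`, `FrameProxy`, `startProvisionalLoad`, `didFailLoadForFrameUnchecked`, `messageCheckPasses`) exist in WebKit. It keeps one frame's load state plus the identity of the process currently driving the load, then replays a simplified version of the race: the UI process moves the load to a second process, a stale `DidFailLoadForFrame` from the cancelled process arrives, and the loading process's `DidChangeProvisionalURLForFrame` is then message-checked. The process roles in the replay are the example's own simplification of the flow above.

```cpp
// Added illustrative model, not WebKit source. Shows why a UI-side proxy must
// validate which process sent a frame-state message before applying it.
#include <cstdint>
#include <iostream>

using ProcessID = std::uint32_t;

enum class FrameLoadState { Finished, Provisional, Committed };

struct FrameProxy {
    FrameLoadState state = FrameLoadState::Finished;
    ProcessID loadingProcess = 0;  // process currently driving this frame's load
};

class PageProxy {
public:
    // UI process hands the frame's load to `process`. A previously assigned
    // process is told to cancel, but its messages may still be in flight.
    void startProvisionalLoad(ProcessID process) {
        frame_.loadingProcess = process;
        frame_.state = FrameLoadState::Provisional;
    }

    // Pre-fix behaviour (assumed for the example): any process can push the
    // frame to Finished, including one whose load was already cancelled.
    void didFailLoadForFrameUnchecked(ProcessID /*sender*/) {
        frame_.state = FrameLoadState::Finished;
    }

    // Hardened behaviour: a failure reported by a process that is not driving
    // the load is dropped. Returns true when the message was applied.
    bool didFailLoadForFrame(ProcessID sender) {
        if (sender != frame_.loadingProcess)
            return false;  // stale or unexpected sender: ignore, keep state
        frame_.state = FrameLoadState::Finished;
        return true;
    }

    // The message check from the commit message: a provisional URL change is
    // only acceptable while the frame is in the Provisional state.
    bool didChangeProvisionalURLForFrame() const {
        return frame_.state == FrameLoadState::Provisional;
    }

    FrameLoadState state() const { return frame_.state; }

private:
    FrameProxy frame_;
};

// Replays the race with the stale failure arriving before the loading
// process's own provisional-URL update. Returns whether the message check
// on DidChangeProvisionalURLForFrame passes.
bool messageCheckPasses(bool validateSender) {
    PageProxy page;
    const ProcessID process1 = 1, process2 = 2;   // constructed sample ids
    page.startProvisionalLoad(process1);          // process1 starts the load
    page.startProvisionalLoad(process2);          // UI moves load to process2
    if (validateSender)
        page.didFailLoadForFrame(process1);          // stale failure: ignored
    else
        page.didFailLoadForFrameUnchecked(process1); // stale failure: applied
    return page.didChangeProvisionalURLForFrame();   // checked for process2
}

int main() {
    std::cout << "without sender validation, check passes: "
              << std::boolalpha << messageCheckPasses(false) << '\n';
    std::cout << "with sender validation, check passes:    "
              << std::boolalpha << messageCheckPasses(true) << '\n';
    return 0;
}
```

The point of the model is that the state check in the provisional-URL handler is only meaningful if every transition into `Finished` is made by the process that owns the load; validating the sender of `DidFailLoadForFrame` closes the window in which a cancelled process's in-flight message can flip the state under the loading process.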