Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 11ea563010703b5a65ae224eeb9f5afb447fa6d0
      
https://github.com/WebKit/WebKit/commit/11ea563010703b5a65ae224eeb9f5afb447fa6d0
  Author: Basuke Suzuki <[email protected]>
  Date:   2026-05-11 (Mon, 11 May 2026)

  Changed paths:
    M Source/WebCore/history/CachedPage.cpp

  Log Message:
  -----------
  [BFCache] CachedPage::restore() leaks cached frame state when focus restoration is skipped
https://bugs.webkit.org/show_bug.cgi?id=314583
rdar://176824162

Reviewed by Ryosuke Niwa.

CachedPage::restore() has an early-return at `if (!focusedOrMainFrame) return;`
that bypasses the `clear()` call at the end of the function. The cached frame
state (m_cachedMainFrame holding CachedFrames with documents/views) is never
released, even though the cached page's data has already been transferred to
the live page by m_cachedMainFrame->open().

This causes ~CachedPage to call m_cachedMainFrame->destroy() later. After the
fix in bug 314238 (which destroys child CachedFrames before checking
m_document), destroy() now descends into child CachedFrames whose documents
have already been resumed by open() (state = NotInBackForwardCache). The
ASSERT in CachedFrame::destroy()

    ASSERT(document->backForwardCacheState() == Document::InBackForwardCache);

fires, and the subsequent destroy code path corrupts live document state
(detachViewsAndDocumentLoader, detachFromPage, removeAllEventListeners),
hanging the WebContent process.

The early-return path is reached when page.focusController().focusedOrMainFrame()
returns null, which happens for iframe-process BFCache restoration where the
page's main frame is a RemoteFrame and there is no LocalFrame to focus.

Call clear() in the early-return branch to release the cached frame state,
since open() has already done its work and the cached storage is no longer
needed.

* Source/WebCore/history/CachedPage.cpp:
(WebCore::CachedPage::restore):

Canonical link: https://commits.webkit.org/313043@main
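The bug class described in the commit message, an early return that bypasses the cleanup call at the end of the function so a destructor later runs teardown against state that was already handed to the live object, reduced to a small constructed model. This is an added example, not WebKit code: `CachedFrameModel`, `CachedPageModel`, `restoreBuggy`, `restoreFixed` and `destructorWouldTouchLiveDocuments` are hypothetical names that only mirror the roles of CachedFrame, CachedPage, restore(), open(), clear() and destroy() in the message.

```cpp
#include <memory>
#include <vector>

// Constructed model (not WebKit code) of the pattern in the commit message.
enum class CacheState { InBackForwardCache, NotInBackForwardCache };

struct CachedFrameModel {
    CacheState state = CacheState::InBackForwardCache;
    std::vector<std::unique_ptr<CachedFrameModel>> children;

    // Mirrors open(): the cached state is transferred back to the live page,
    // so the document is no longer "in the back/forward cache".
    void open() {
        state = CacheState::NotInBackForwardCache;
        for (auto& child : children)
            child->open();
    }

    // Mirrors destroy(): descends into children first, then checks the document.
    // Returns false when it ran against a frame that had already been resumed,
    // which is the condition the ASSERT in the message guards.
    bool destroy() {
        bool ok = true;
        for (auto& child : children)
            ok = child->destroy() && ok;
        if (state != CacheState::InBackForwardCache)
            return false;
        return ok;
    }
};

class CachedPageModel {
public:
    explicit CachedPageModel(std::unique_ptr<CachedFrameModel> mainFrame)
        : m_cachedMainFrame(std::move(mainFrame)) {}

    // Buggy shape: the early return skips the clear() at the end.
    void restoreBuggy(bool hasFocusableLocalFrame) {
        m_cachedMainFrame->open();
        if (!hasFocusableLocalFrame)
            return;                 // cached frame state leaks past this point
        restoreFocus();
        clear();
    }

    // Fixed shape, matching the commit's approach: release the cached
    // state on the early-return path as well.
    void restoreFixed(bool hasFocusableLocalFrame) {
        m_cachedMainFrame->open();
        if (!hasFocusableLocalFrame) {
            clear();
            return;
        }
        restoreFocus();
        clear();
    }

    bool hasCachedFrameState() const { return m_cachedMainFrame != nullptr; }

    // Mirrors ~CachedPage: destroys whatever is still cached. Returns true if
    // the destroy path touched frames that open() had already resumed.
    bool destructorWouldTouchLiveDocuments() {
        if (!m_cachedMainFrame)
            return false;
        bool clean = m_cachedMainFrame->destroy();
        m_cachedMainFrame.reset();
        return !clean;
    }

private:
    void restoreFocus() {}          // placeholder for the focus-restoration work
    void clear() { m_cachedMainFrame.reset(); }
    std::unique_ptr<CachedFrameModel> m_cachedMainFrame;
};

// A main frame with one child frame, as in the iframe case from the message.
static std::unique_ptr<CachedFrameModel> makePageWithChild() {
    auto main = std::make_unique<CachedFrameModel>();
    main->children.push_back(std::make_unique<CachedFrameModel>());
    return main;
}

// No focusable LocalFrame (the RemoteFrame main-frame case): state is retained
// and the destructor's destroy() runs against already-resumed documents.
bool buggyLeaksAndCorrupts() {
    CachedPageModel page(makePageWithChild());
    page.restoreBuggy(false);
    return page.hasCachedFrameState() && page.destructorWouldTouchLiveDocuments();
}

// Same scenario with the fix: nothing is left for the destructor to destroy.
bool fixedReleasesState() {
    CachedPageModel page(makePageWithChild());
    page.restoreFixed(false);
    return !page.hasCachedFrameState() && !page.destructorWouldTouchLiveDocuments();
}
```

The general lesson the model isolates is that once ownership of the cached data has moved to the live page (the `open()` call), every exit from the function must drop the stale handle; a scope-exit guard that calls `clear()` is an equivalent defence against the next early return someone adds.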
