Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 719a73b464bfaf60a7e3c2c716ce5045f4ae838e
https://github.com/WebKit/WebKit/commit/719a73b464bfaf60a7e3c2c716ce5045f4ae838e
Author: Brandon Stewart <[email protected]>
Date: 2026-06-12 (Fri, 12 Jun 2026)
Changed paths:
M Source/JavaScriptCore/inspector/protocol/Page.json
M Source/WebCore/inspector/InspectorInstrumentation.cpp
M Source/WebInspectorUI/UserInterface/Controllers/DOMDebuggerManager.js
M Source/WebKit/WebProcess/Inspector/PageAgentProxy.cpp
M Source/WebKit/WebProcess/Inspector/WebInspectorBackend.cpp
Log Message:
-----------
[Site Isolation] Emit live Page.frameNavigated/frameDetached from cross-origin processes
https://bugs.webkit.org/show_bug.cgi?id=316664
rdar://179117260
Reviewed by BJ Burg.
Under Site Isolation a cross-origin frame commits in its own WebContent process, so
the per-page InspectorPageAgent (which lives in the main frame's process) never sees
it. The UIProcess ProxyingPageAgent aggregates frame state across processes, but it
received no frame lifecycle events from non-main processes, so dynamically added or
removed cross-origin iframes were invisible to it.
Re-enable the dispatch of frameNavigated/frameDetached to the cross-process
PageAgentProxy (registered in the enabledPageProxy slot of each participating
process's InstrumentingAgents). PageAgentProxy forwards them over IPC to the
UIProcess ProxyingPageAgent. Late-joining processes are already instrumented via
WebPageInspectorController::didCreateFrame, and the frame's InstrumentingAgents
falls back to the page's, where the proxy is registered -- so no additional
instrumentation plumbing is needed.
This dispatch was reverted previously because it crashed. The crash was a
use-after-free: WebInspectorBackend::disablePageInstrumentation() destroyed the
PageAgentProxy without clearing it from the page's InstrumentingAgents enabledPageProxy
slot, so the next frame commit in that process dereferenced a freed pointer. Fix by
disabling (which clears the slot) before destroying.
* Source/WebCore/inspector/InspectorInstrumentation.cpp:
(WebCore::InspectorInstrumentation::frameDetachedFromParentImpl):
(WebCore::InspectorInstrumentation::didCommitLoadImpl):
Dispatch to enabledPageProxy() alongside enabledPageAgent(). Include
PageAgentInstrumentation.h for the now-required complete type.
* Source/WebKit/WebProcess/Inspector/WebInspectorBackend.cpp:
(WebKit::WebInspectorBackend::disablePageInstrumentation):
Call PageAgentProxy::disable() (clears the enabledPageProxy slot) before destroying
it, fixing the dangling-pointer crash.
* Source/WebKit/WebProcess/Inspector/PageAgentProxy.cpp:
(WebKit::PageAgentProxy::frameNavigated):
(WebKit::PageAgentProxy::frameDetached):
Guard against a null parentProcessConnection() rather than dereferencing it.
* Source/JavaScriptCore/inspector/protocol/Page.json:
Remove frameDetached's targetTypes:["page"] restriction so it is available on the
"web-page" multiplexing target (matching frameNavigated), where the ProxyingPageAgent
dispatches it. Without this the frontend rejected it as an unspecified method.
* Source/WebInspectorUI/UserInterface/Controllers/DOMDebuggerManager.js:
(WI.DOMDebuggerManager.prototype._mainFrameDidChange):
Guard against a transiently-null mainFrame while frame events from multiple Site
Isolation processes are reconciled. Full cross-process merge is the live-UI
follow-up.
Canonical link: https://commits.webkit.org/315108@main
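The use-after-free described in this commit is an ordering bug in a registration slot: a non-owning pointer stayed in the per-process InstrumentingAgents after the object it pointed at was destroyed. The following is an added illustration, not WebKit code; the names InstrumentingSlots, FrameProxy, instrumentDidCommitLoad and disablePageInstrumentation are hypothetical stand-ins for the real classes, and the "parent connection" is modelled as a vector of forwarded event strings (a null pointer stands for a missing parentProcessConnection()). It shows the correct teardown order (disable, which clears the slot, then destroy), a destructor that unregisters itself as a second line of defence, and the null-connection guard from PageAgentProxy::frameNavigated/frameDetached.

```cpp
#include <memory>
#include <string>
#include <vector>

class FrameProxy;

// Hypothetical stand-in for a process's InstrumentingAgents: one non-owning slot.
// The bug in the commit was destroying the proxy while this slot still pointed at it.
struct InstrumentingSlots {
    FrameProxy* enabledPageProxy = nullptr;
};

// Hypothetical stand-in for PageAgentProxy. Events are "forwarded" by appending to a
// vector owned by the caller; a null connection models a missing parent connection.
class FrameProxy {
public:
    FrameProxy(InstrumentingSlots& slots, std::vector<std::string>* connection)
        : m_slots(slots), m_connection(connection) {}

    // Defence in depth: unregister on destruction so a forgotten disable() cannot
    // leave a dangling slot behind.
    ~FrameProxy() { disable(); }

    void enable() { m_slots.enabledPageProxy = this; }
    void disable() {
        if (m_slots.enabledPageProxy == this)
            m_slots.enabledPageProxy = nullptr;
    }

    bool frameNavigated(const std::string& frameId) { return forward("frameNavigated:" + frameId); }
    bool frameDetached(const std::string& frameId) { return forward("frameDetached:" + frameId); }

private:
    // Guard the connection rather than dereferencing it.
    bool forward(const std::string& event) {
        if (!m_connection)
            return false;
        m_connection->push_back(event);
        return true;
    }

    InstrumentingSlots& m_slots;
    std::vector<std::string>* m_connection;
};

// Instrumentation hooks: dispatch only when a proxy is registered in the slot.
bool instrumentDidCommitLoad(InstrumentingSlots& slots, const std::string& frameId) {
    if (FrameProxy* proxy = slots.enabledPageProxy)
        return proxy->frameNavigated(frameId);
    return false;
}

bool instrumentFrameDetached(InstrumentingSlots& slots, const std::string& frameId) {
    if (FrameProxy* proxy = slots.enabledPageProxy)
        return proxy->frameDetached(frameId);
    return false;
}

// Teardown in the order the commit describes: clear the slot first, then destroy.
// Returns the post-condition the buggy version violated: the slot is empty afterwards.
bool disablePageInstrumentation(InstrumentingSlots& slots, std::unique_ptr<FrameProxy>& proxy) {
    if (!proxy)
        return slots.enabledPageProxy == nullptr;
    proxy->disable();
    proxy.reset();
    return slots.enabledPageProxy == nullptr;
}

// Walks the whole lifecycle with constructed frame ids and returns the events the
// parent received. The commit after teardown must be a silent no-op, not a dereference
// of freed memory.
std::vector<std::string> runLifecycle(bool withConnection) {
    std::vector<std::string> parent;
    InstrumentingSlots slots;
    auto proxy = std::make_unique<FrameProxy>(slots, withConnection ? &parent : nullptr);
    proxy->enable();

    instrumentDidCommitLoad(slots, "frame-A");
    instrumentFrameDetached(slots, "frame-A");

    disablePageInstrumentation(slots, proxy);

    // Late frame commit in this process after instrumentation was torn down.
    instrumentDidCommitLoad(slots, "frame-B");
    return parent;
}

bool slotClearedAfterTeardown() {
    InstrumentingSlots slots;
    auto proxy = std::make_unique<FrameProxy>(slots, nullptr);
    proxy->enable();
    return disablePageInstrumentation(slots, proxy) && slots.enabledPageProxy == nullptr && !proxy;
}
```

Running runLifecycle(true) yields exactly the two events from frame-A; the frame-B commit after teardown reaches nobody because the slot was cleared. With no connection, nothing is forwarded and nothing is dereferenced.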