LibWeb: Prevent navigation on destroyed navigables

When an iframe is removed before its post-connection session history steps finish processing, the queued steps still run and call navigate() on the now-destroyed navigable. This calls set_delaying_load_events(true), creating a DocumentLoadEventDelayer on the parent document. Since the navigable is destroyed, no finalize step ever runs to clear the delayer, permanently blocking the parent document's load event. Fix this by checking has_been_destroyed() at the start of begin_navigation() and bailing out early.
Author: https://github.com/awesomekling Commit: https://github.com/LadybirdBrowser/ladybird/commit/3240cd536c0 Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/7869
2026-04-26 01:35:08 +02:00 · 2026-02-10 14:50:26 +01:00 · 2026-02-10 20:21:26 +00:00
parent bd83591a1c
commit 3240cd536c
1 changed files with 9 additions and 0 deletions
--- a/Libraries/LibWeb/HTML/Navigable.cpp
+++ b/Libraries/LibWeb/HTML/Navigable.cpp
@@ -1640,6 +1640,15 @@ WebIDL::ExceptionOr<void> Navigable::navigate(NavigateParams params)
 // https://html.spec.whatwg.org/multipage/browsing-the-web.html#navigate
 void Navigable::begin_navigation(NavigateParams params)
 {
+    // AD-HOC: Not in the spec but we should not navigate a navigable that has been destroyed.
+    //         This can happen when a session history traversal step for creating a child navigable
+    //         runs after the navigable has been destroyed (e.g. an iframe is removed before its
+    //         post-connection steps finish processing). Without this check, we would call
+    //         set_delaying_load_events(true) below, creating a DocumentLoadEventDelayer on the
+    //         parent document that is never cleared.
+    if (has_been_destroyed())
+        return;
+
    // AD-HOC: Not in the spec but subsequent steps will fail if the navigable doesn't have an active window.
    if (!active_window())
        return;