From a0c86df76748935f6d936a0136193aa1ea0e0aa4 Mon Sep 17 00:00:00 2001
From: Karl Seguin <k@openmymind.io>
Date: Fri, 29 May 2026 12:21:52 +0800
Subject: [PATCH] Prevent double-free on Synthetic URL

If a synthetic url (blob URL) causes a navigation event, the frame abort will
deinit the transfer, causing the `defer transfer.deinit()` atop Synthetic.run
from firing. Flag the transfer as .completing to prevent this from happening.
This mimics what non-synthetic urls do.
---
 src/browser/HttpClient.zig | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/browser/HttpClient.zig b/src/browser/HttpClient.zig
index a45b6b6c..81c4dc14 100644
--- a/src/browser/HttpClient.zig
+++ b/src/browser/HttpClient.zig
@@ -602,6 +602,9 @@ const Synthetic = struct {
     }
 
     fn run(transfer: *Transfer, _: *anyopaque) void {
+        // prevents a callback that triggers a navigation queue from killing
+        // this transfer from under us.
+        transfer.state = .completing;
         defer transfer.deinit();
 
         const fulfilled = build(transfer) catch |err| {