LibWeb: Crash when navigating backwards from Wikipedia media files

[tcl3]

To reproduce:

• Visit: https://en.wikipedia.org/wiki/Trollface#/media/File:Trollface_non-free.png
• Use the back arrow to navigate backwards.

This results in a crash with the following stack trace:

VERIFICATION FAILED: m_current_entry_index != -1 at /home/tim/repos/ladybird/Userland/Libraries/LibWeb/HTML/Navigation.cpp:1429
/home/tim/repos/ladybird/Build/ladybird/libexec/../lib/liblagom-ak.so.0(ak_verification_failed+0xc1) [0x7c65aefa3b71]
/home/tim/repos/ladybird/Build/ladybird/libexec/../lib/liblagom-web.so.0 Web::HTML::Navigation::update_the_navigation_api_entries_for_a_same_document_navigation(JS::NonnullGCPtr<Web::HTML::SessionHistoryEntry>, Web::Bindings::NavigationType) 0x414) [0x7c65af90e354]
/home/tim/repos/ladybird/Build/ladybird/libexec/../lib/liblagom-web.so.0 Web::DOM::Document::update_for_history_step_application(JS::NonnullGCPtr<Web::HTML::SessionHistoryEntry>, bool, unsigned long, unsigned long, AK::Optional<AK::Vector<JS::NonnullGCPtr<Web::HTML::SessionHistoryEntry>, 0ul> >, bool) 0x5a8) [0x7c65af6f8518]
/home/tim/repos/ladybird/Build/ladybird/libexec/../lib/liblagom-web.so.0(+0x9af39c) [0x7c65af9af39c]
/home/tim/repos/ladybird/Build/ladybird/libexec/../lib/liblagom-web.so.0 Web::HTML::Task::execute() 0x49) [0x7c65af82e7d9]
/home/tim/repos/ladybird/Build/ladybird/libexec/../lib/liblagom-web.so.0(+0x82dcf6) [0x7c65af82dcf6]
/home/tim/repos/ladybird/Build/ladybird/libexec/../lib/liblagom-web.so.0(+0xaf16c9) [0x7c65afaf16c9]
/home/tim/repos/ladybird/Build/ladybird/libexec/../lib/liblagom-core.so.0 Core::EventLoop::spin_until(AK::Function<bool ()>) 0x9f) [0x7c65b077f18f]
/home/tim/repos/ladybird/Build/ladybird/libexec/../lib/liblagom-web.so.0 Web::Platform::EventLoopPluginSerenity::spin_until(JS::SafeFunction<bool ()>) 0x11b) [0x7c65afaf0a5b]
/home/tim/repos/ladybird/Build/ladybird/libexec/../lib/liblagom-web.so.0 Web::HTML::EventLoop::spin_processing_tasks_with_source_until(Web::HTML::Task::Source, JS::SafeFunction<bool ()>) 0x113) [0x7c65af82db23]
/home/tim/repos/ladybird/Build/ladybird/libexec/../lib/liblagom-web.so.0 Web::HTML::TraversableNavigable::apply_the_history_step(int, bool, AK::Optional<Web::HTML::SourceSnapshotParams>, JS::GCPtr<Web::HTML::Navigable>, AK::Optional<Web::HTML::UserNavigationInvolvement>, AK::Optional<Web::Bindings::NavigationType>, Web::HTML::TraversableNavigable::SynchronousNavigation) 0xb4b) [0x7c65af9ad9bb]
/home/tim/repos/ladybird/Build/ladybird/libexec/../lib/liblagom-web.so.0 Web::HTML::TraversableNavigable::apply_the_traverse_history_step(int, AK::Optional<Web::HTML::SourceSnapshotParams>, JS::GCPtr<Web::HTML::Navigable>, Web::HTML::UserNavigationInvolvement) 0x73) [0x7c65af9ae043]
/home/tim/repos/ladybird/Build/ladybird/libexec/../lib/liblagom-web.so.0(+0x9ae128) [0x7c65af9ae128]
/home/tim/repos/ladybird/Build/ladybird/libexec/../lib/liblagom-web.so.0(+0x980c29) [0x7c65af980c29]
/home/tim/repos/ladybird/Build/ladybird/libexec/../lib/liblagom-core.so.0 Core::Timer::timer_event(Core::TimerEvent&) 0xb2) [0x7c65b07a09b2]
/home/tim/repos/ladybird/Build/ladybird/libexec/../lib/liblagom-core.so.0 Core::EventReceiver::dispatch_event(Core::Event&, Core::EventReceiver*) 0x4d) [0x7c65b07864ed]
/home/tim/repos/ladybird/Build/ladybird/libexec/WebContent(+0x4d8cd) [0x5957a7dd68cd]
/lib/x86_64-linux-gnu/libQt6Core.so.6(+0x183d9b) [0x7c65b0d83d9b]
/lib/x86_64-linux-gnu/libQt6Core.so.6 QTimer::timeout(QTimer::QPrivateSignal) 0x3d) [0x7c65b0d8ed6d]
/lib/x86_64-linux-gnu/libQt6Core.so.6 QObject::event(QEvent*) 0x1c6) [0x7c65b0d76576]
/lib/x86_64-linux-gnu/libQt6Core.so.6 QCoreApplication::notifyInternal2(QObject*, QEvent*) 0xf6) [0x7c65b0d38416]
/lib/x86_64-linux-gnu/libQt6Core.so.6 QTimerInfoList::activateTimers() 0x36b) [0x7c65b0e7b7ab]
/lib/x86_64-linux-gnu/libQt6Core.so.6(+0x333a29) [0x7c65b0f33a29]
/lib/x86_64-linux-gnu/libglib-2.0.so.0(+0x5d5b5) [0x7c65ac1145b5]
/lib/x86_64-linux-gnu/libglib-2.0.so.0(+0xbc717) [0x7c65ac173717]
/lib/x86_64-linux-gnu/libglib-2.0.so.0(g_main_context_iteration+0x33) [0x7c65ac113a53]
/lib/x86_64-linux-gnu/libQt6Core.so.6 QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) 0x6f) [0x7c65b0f315ef]
/lib/x86_64-linux-gnu/libQt6Core.so.6 QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) 0x2e3) [0x7c65b0d429a3]
/home/tim/repos/ladybird/Build/ladybird/libexec/../lib/liblagom-core.so.0 Core::EventLoop::exec() 0x4a) [0x7c65b077f32a]
/home/tim/repos/ladybird/Build/ladybird/libexec/WebContent(+0x5a23e) [0x5957a7de323e]
/home/tim/repos/ladybird/Build/ladybird/libexec/WebContent(main+0xf6) [0x5957a7dd58e6]
/lib/x86_64-linux-gnu/libc.so.6(+0x2a1ca) [0x7c65abe2a1ca]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x8b) [0x7c65abe2a28b]
/home/tim/repos/ladybird/Build/ladybird/libexec/WebContent(+0x4ca15) [0x5957a7dd5a15

This crash happens for any media file associated with an article like this. I would expect navigating backwards to show the article page.

[YoshiRulz]

This is presumably tied to Extension:MultimediaViewer, as the same happens on other wikis with that enabled, such as ladybird 'https://lethal.miraheze.org/wiki/Hoarding_Bug#/media/File:Hoardingbugrender.png'. But it doesn't happen when clicking through to the Media: (i.e. hotlink; where clicking an image takes you if the extension is disabled) or File: (details/preview) pages.

MediaWiki is complex to say the least, but I believe this is a copy of the JS that it adds. If you do need a running MediaWiki instance to repro, apparently there's a minimal template available.