Ladybird is built around a multi-process architecture designed to contain the damage that hostile or buggy web content can cause. Rather than running the entire browser in a single address space, each major responsibility — rendering, networking, and image decoding — lives in its own sandboxed process. This means a crashed tab does not take down the rest of the browser, and a compromised renderer cannot directly access the network or the user’s file system.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/ladybirdBrowser/ladybird/llms.txt
Use this file to discover all available pages before exploring further.
The ProcessArchitecture.md
source document is partly aspirational: some aspects of the sandboxing and process isolation
described here are still being implemented. The architecture represents the intended end-state, not
necessarily the current state of every code path.
Process Overview
Every running instance of the Browser application can have one or more tabs open. Each tab gets its own dedicated WebContent process. Two critical functions — network requests and image decoding — are further separated into their own processes: RequestServer and ImageDecoder. All processes are aggressively sandboxed. Beyond operating-system-level isolation, all helper processes run as an unprivileged user that is separate from the primary logged-in desktop user, adding an extra layer of defence.WebContent
Hosts LibWeb (HTML/CSS engine) and LibJS (JavaScript engine). Receives input events from
the Browser UI, paints web content into shared bitmaps, and communicates with the outside world
only through its dedicated RequestServer.
RequestServer
Handles all outgoing network activity using protocols such as HTTP and HTTPS. Each WebContent
process gets its own RequestServer. DNS resolution is delegated to the system-wide
LookupServer service.
ImageDecoder
Decodes image formats (PNG, JPEG, BMP, ICO, PBM, and more) in a fresh, strongly sandboxed
process per image. On success it returns a decoded bitmap to WebContent; a crash here has no
effect on the rest of the browser.
Browser UI
The main application process. It manages windows, tabs, and the address bar, and spawns
WebContent processes on demand. It never runs untrusted web content directly.
How Processes Are Spawned
Process creation relies on pre-created Unix domain sockets managed by SystemServer.- The Browser spawns a new WebContent process by connecting to the socket at
/tmp/session/%sid/portal/webcontent, where%sidis the current login session ID. SystemServer forks a fresh WebContent instance for every incoming connection. - WebContent itself spawns RequestServer and ImageDecoder using the same socket mechanism when it first needs them. The Browser is not involved in those spawns.
Sandboxing
All helper processes use platform sandboxing primitives to restrict what they can do at the kernel level. The intent is that even if an attacker gains arbitrary code execution inside a WebContent process, they cannot read the user’s files or establish outgoing network connections — those capabilities are stripped away before any untrusted content is loaded.Class Overview
The chain of objects that connects the browser UI to the rendered DOM is:OutOfProcessWebView is a widget placed inside a GUI window. It transparently manages the
lifetime of all helper processes. The WebContentClient object it holds implements the IPC
protocol that crosses the process boundary. On the other side, WebContent::ConnectionFromClient
receives those messages and delegates to a WebContent::PageHost, which owns the LibWeb
Web::Page object. Inside LibWeb, a Web::Page has a main Web::Frame — and potentially
child frames for <frame> or <iframe> elements — each with a Web::Document at its root.
Why Multi-Process?
Stability
A crash in a WebContent process (for example, triggered by a malformed web page) affects only
that tab. The Browser UI and all other tabs continue running.
Security
Each WebContent process is sandboxed and runs as an unprivileged user. Even if an attacker
exploits a bug in LibWeb or LibJS, they are constrained to that one isolated process.
Network isolation
WebContent never opens network connections directly. All requests go through a dedicated
RequestServer, limiting the blast radius of any renderer compromise to a single connection
pipeline.
Safe image decoding
Image format parsers are historically fertile ground for vulnerabilities. Running each decode
job in its own throwaway ImageDecoder process means a malicious image can only crash that one
process, not the renderer.
Explore the Architecture
LibWeb
The HTML/CSS rendering pipeline: resource loading, parsing, style computation, layout, and
painting inside the WebContent process.
LibJS & LibWasm
Ladybird’s from-scratch JavaScript engine and WebAssembly runtime, including the garbage
collector and WebIDL bindings.
IPC & Services
How LibIPC connects the processes, and how LibCore’s EventLoop drives asynchronous work inside
each one.
