LibWeb: Use JS::HeapFunction for HTML::Timer callback

Before the completion_steps for timer were casted from JS::SafeFunction to Function in HTML::Timer constructor, which is incorrect because then callback's captured GC-allocated objects are not protected from being deallocated. Let's modify HTML::Timer to use JS::HeapFunction for the callback instead.
2025-05-31 12:38:12 +00:00 · 2023-09-26 14:48:53 +02:00 · 2023-09-26 14:48:53 +02:00 · 4e8654e31b
commit 4e8654e31b
parent 883a97984c
3 changed files with 17 additions and 9 deletions
--- a/Userland/Libraries/LibWeb/HTML/Timer.cpp
+++ b/Userland/Libraries/LibWeb/HTML/Timer.cpp
@ -13,16 +13,17 @@ namespace Web::HTML {

 JS::NonnullGCPtr<Timer> Timer::create(JS::Object& window_or_worker_global_scope, i32 milliseconds, Function<void()> callback, i32 id)
 {
-    return window_or_worker_global_scope.heap().allocate_without_realm<Timer>(window_or_worker_global_scope, milliseconds, move(callback), id);
+    auto heap_function_callback = JS::create_heap_function(window_or_worker_global_scope.heap(), move(callback));
+    return window_or_worker_global_scope.heap().allocate_without_realm<Timer>(window_or_worker_global_scope, milliseconds, heap_function_callback, id);
 }

-Timer::Timer(JS::Object& window_or_worker_global_scope, i32 milliseconds, Function<void()> callback, i32 id)
+Timer::Timer(JS::Object& window_or_worker_global_scope, i32 milliseconds, JS::NonnullGCPtr<JS::HeapFunction<void()>> callback, i32 id)
    : m_window_or_worker_global_scope(window_or_worker_global_scope)
    , m_callback(move(callback))
    , m_id(id)
 {
    m_timer = Core::Timer::create_single_shot(milliseconds, [this] {
-        m_callback();
+        m_callback->function()();
    }).release_value_but_fixme_should_propagate_errors();
 }

@ -30,6 +31,7 @@ void Timer::visit_edges(Cell::Visitor& visitor)
 {
    Base::visit_edges(visitor);
    visitor.visit(m_window_or_worker_global_scope.ptr());
+    visitor.visit(m_callback);
 }

 Timer::~Timer()