From 751ad19c8615a6e0eb98ec5d8c9f4e45eac41022 Mon Sep 17 00:00:00 2001
From: Andreas Kling <kling@serenityos.org>
Date: Mon, 17 May 2021 19:57:40 +0200
Subject: [PATCH] LibJS: Don't consider cells in the lazy freelist in
 conservative scan

Cells after the lazy freelist bump index are guaranteed to not be
valid cell pointers, so ignore them during the conservative scan.
---
 Userland/Libraries/LibJS/Heap/HeapBlock.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Userland/Libraries/LibJS/Heap/HeapBlock.h b/Userland/Libraries/LibJS/Heap/HeapBlock.h
index e21ed79fdf..9472827816 100644
--- a/Userland/Libraries/LibJS/Heap/HeapBlock.h
+++ b/Userland/Libraries/LibJS/Heap/HeapBlock.h
@@ -60,7 +60,8 @@ public:
         if (pointer < reinterpret_cast<FlatPtr>(m_storage))
             return nullptr;
         size_t cell_index = (pointer - reinterpret_cast<FlatPtr>(m_storage)) / m_cell_size;
-        if (cell_index >= cell_count())
+        auto end = has_lazy_freelist() ? m_next_lazy_freelist_index : cell_count();
+        if (cell_index >= end)
             return nullptr;
         return cell(cell_index);
     }