From 7550b4175e594e4ecf00d78611c5da6216a305c6 Mon Sep 17 00:00:00 2001
From: Luke Wilde <lukew@serenityos.org>
Date: Wed, 9 Aug 2023 21:08:52 +0100
Subject: [PATCH] LibWeb: Unregister IntersectionObserver in finalize, not the
 destructor

Otherwise it UAFs the intersection root. Not sure how this didn't cause
a lot of crashes!
---
 .../LibWeb/IntersectionObserver/IntersectionObserver.cpp      | 4 +++-
 .../LibWeb/IntersectionObserver/IntersectionObserver.h        | 1 +
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/Userland/Libraries/LibWeb/IntersectionObserver/IntersectionObserver.cpp b/Userland/Libraries/LibWeb/IntersectionObserver/IntersectionObserver.cpp
index 283602790e..f4d7b2242b 100644
--- a/Userland/Libraries/LibWeb/IntersectionObserver/IntersectionObserver.cpp
+++ b/Userland/Libraries/LibWeb/IntersectionObserver/IntersectionObserver.cpp
@@ -53,7 +53,9 @@ IntersectionObserver::IntersectionObserver(JS::Realm& realm, JS::GCPtr<WebIDL::C
     });
 }
 
-IntersectionObserver::~IntersectionObserver()
+IntersectionObserver::~IntersectionObserver() = default;
+
+void IntersectionObserver::finalize()
 {
     intersection_root().visit([this](auto& node) {
         node->document().unregister_intersection_observer({}, *this);
diff --git a/Userland/Libraries/LibWeb/IntersectionObserver/IntersectionObserver.h b/Userland/Libraries/LibWeb/IntersectionObserver/IntersectionObserver.h
index d0efaf11e9..8204476058 100644
--- a/Userland/Libraries/LibWeb/IntersectionObserver/IntersectionObserver.h
+++ b/Userland/Libraries/LibWeb/IntersectionObserver/IntersectionObserver.h
@@ -66,6 +66,7 @@ private:
 
     virtual void initialize(JS::Realm&) override;
     virtual void visit_edges(JS::Cell::Visitor&) override;
+    virtual void finalize() override;
 
     // https://www.w3.org/TR/intersection-observer/#dom-intersectionobserver-callback-slot
     JS::GCPtr<WebIDL::CallbackType> m_callback;