RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-26 08:27:45 +00:00
Code Issues Activity Actions

LibJS: Call the correct base class in LexicalEnvironment::visit_edges()

Browse source 
We were calling directly up to Cell, skipping over ScopeObject.
This made us not mark the scope chain parent for lexical environments,
sometimes causing them to get GC'd and use-after-free'd.

Found by Fuzzilli.

Fixes #5140.
This commit is contained in:
Andreas Kling 2021-01-28 10:13:47 +01:00
parent 7ec8f83a7f
commit 803a20fa86
1 changed files with 1 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
Userland/Libraries/LibJS/Runtime/LexicalEnvironment.cpp
View file

@ -63,7 +63,7 @@ LexicalEnvironment::~LexicalEnvironment()
void LexicalEnvironment::visit_edges(Visitor& visitor) void LexicalEnvironment::visit_edges(Visitor& visitor)
{ {
Cell::visit_edges(visitor); Base::visit_edges(visitor);
visitor.visit(m_this_value); visitor.visit(m_this_value);
visitor.visit(m_home_object); visitor.visit(m_home_object);
visitor.visit(m_new_target); visitor.visit(m_new_target);