LibJS+LibWeb: Make JS::ExecutionContext protect its Web::HTML::ESO owner

We can't be nuking the ESO while its owned execution context is still on the VM's execution context stack, as that may lead to a use-after-free. This patch solves this by adding a `context_owner` field to each context and treating it as a GC root.
2025-07-28 09:07:44 +00:00 · 2022-11-21 11:18:15 +01:00 · 2022-11-21 11:18:15 +01:00 · 849499988e
commit 849499988e
parent 1fdce71483
3 changed files with 7 additions and 0 deletions
--- a/Userland/Libraries/LibJS/Runtime/ExecutionContext.h
+++ b/Userland/Libraries/LibJS/Runtime/ExecutionContext.h
@ -58,6 +58,9 @@ public:
    Environment* variable_environment { nullptr };       // [[VariableEnvironment]]
    PrivateEnvironment* private_environment { nullptr }; // [[PrivateEnvironment]]

+    // Non-standard: This points at something that owns this ExecutionContext, in case it needs to be protected from GC.
+    Cell* context_owner { nullptr };
+
    ASTNode const* current_node { nullptr };
    FlyString function_name;
    Value this_value;
--- a/Userland/Libraries/LibJS/Runtime/VM.cpp
+++ b/Userland/Libraries/LibJS/Runtime/VM.cpp
@ -204,6 +204,8 @@ void VM::gather_roots(HashTable<Cell*>& roots)
            roots.set(execution_context->lexical_environment);
            roots.set(execution_context->variable_environment);
            roots.set(execution_context->private_environment);
+            if (auto* context_owner = execution_context->context_owner)
+                roots.set(context_owner);
            execution_context->script_or_module.visit(
                [](Empty) {},
                [&](auto& script_or_module) {