From 8f015a18a5e2e09a7ccb6afed552f87535b658c5 Mon Sep 17 00:00:00 2001
From: Jelle Raaijmakers
Date: Tue, 14 Feb 2023 01:22:54 +0100
Subject: [PATCH] LibJS: Dereference intrinsic accessor before deleting it
The iterator used to find an intrinsic accessor is used after calling `HashMap.remove()` on it, which works for our current implementation but will fall apart when you consider that modifications to the hash map might invalidate all existing iterators that came from it, as many implementations do. Since we're aiming to replace our `HashTable` implementation with something new, let's fix this first :^)
---
 Userland/Libraries/LibJS/Runtime/Object.cpp | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/Userland/Libraries/LibJS/Runtime/Object.cpp b/Userland/Libraries/LibJS/Runtime/Object.cpp
index 839e331316..88015c463e 100644
--- a/Userland/Libraries/LibJS/Runtime/Object.cpp
+++ b/Userland/Libraries/LibJS/Runtime/Object.cpp
@@ -1007,12 +1007,13 @@ static Optional find_intrinsic_accessor(Object const*
 if (intrinsics == s_intrinsics.end())
 return {};
- auto accessor = intrinsics->value.find(property_key.as_string());
- if (accessor == intrinsics->value.end())
+ auto accessor_iterator = intrinsics->value.find(property_key.as_string());
+ if (accessor_iterator == intrinsics->value.end())
 return {};
- intrinsics->value.remove(accessor);
- return move(accessor->value);
+ auto accessor = accessor_iterator->value;
+ intrinsics->value.remove(accessor_iterator);
+ return accessor;
 }
 Optional Object::storage_get(PropertyKey const& property_key) const
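Review bot: The new `auto accessor = accessor_iterator->value;` copies the stored accessor where the removed code moved it out, so the entry is now copied and then destroyed by `remove()`; `auto accessor = move(accessor_iterator->value);` would keep the move while still reading the value before the iterator is handed to `remove()`. The accessor's type is not visible here (the `Optional` template argument is missing from the page), so if it is a plain function pointer the difference is nil. A one-line comment above that statement, e.g. `// Take the value first: accessor_iterator must not be dereferenced after remove().`, would help keep a later cleanup from reintroducing the dereference-after-remove that this commit fixes. The body of find_intrinsic_accessor starts outside the hunk.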