LibWeb/HTML: Iterate safely in perform_a_microtask_checkpoint()

This list we are iterating over is removed from when there are no more GC references to an ESO. This may be triggered by a GC allocation. Since UniversalGlobalScopeMixin::notify_about_rejected_promises performs GC allocations (by, for example, allocating a GC function), it is not safe to simply iterate over this list. Fix this by taking a strong reference to all registered ESOs by copying them across to a RootVector before iteration. Fixes: #4652
Author: https://github.com/shannonbooth Commit: 5f5975c81d Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/5129 Reviewed-by: https://github.com/gmta ✅
2025-07-09 02:21:53 +00:00 · 2025-06-18 20:05:32 +12:00 · 2025-06-18 20:05:32 +12:00 · 5f5975c81d · 2025-06-18 11:09:39 +00:00
commit 5f5975c81d
parent 00002c6443
1 changed files with 2 additions and 1 deletions
--- a/Libraries/LibWeb/HTML/EventLoop/EventLoop.cpp
+++ b/Libraries/LibWeb/HTML/EventLoop/EventLoop.cpp
@ -594,7 +594,8 @@ void EventLoop::perform_a_microtask_checkpoint()
    }

    // 4. For each environment settings object settingsObject whose responsible event loop is this event loop, notify about rejected promises given settingsObject's global object.
-    for (auto& environment_settings_object : m_related_environment_settings_objects) {
+    auto environments = GC::RootVector { heap(), m_related_environment_settings_objects };
+    for (auto& environment_settings_object : environments) {
        auto* global = dynamic_cast<HTML::UniversalGlobalScopeMixin*>(&environment_settings_object->global_object());
        VERIFY(global);
        global->notify_about_rejected_promises({});