From 64ad536dbb5cc774b5e3cdea7c1df261bdaca358 Mon Sep 17 00:00:00 2001 From: Aliaksandr Kalenik Date: Wed, 24 Apr 2024 00:38:28 +0200 Subject: [PATCH] LibWeb: Create HeapFunction for after_document_populated ...to make it visited by SafeFunction callback of deferred_invoke(). Fixes use-after-free ASAN error that happens if you try to reload the page. --- Userland/Libraries/LibWeb/HTML/TraversableNavigable.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Userland/Libraries/LibWeb/HTML/TraversableNavigable.cpp b/Userland/Libraries/LibWeb/HTML/TraversableNavigable.cpp index a0c9e0bbe7b..f9cd5cce49c 100644 --- a/Userland/Libraries/LibWeb/HTML/TraversableNavigable.cpp +++ b/Userland/Libraries/LibWeb/HTML/TraversableNavigable.cpp @@ -599,10 +599,10 @@ TraversableNavigable::HistoryStepResult TraversableNavigable::apply_the_history_ // 7. In parallel, attempt to populate the history entry's document for targetEntry, given navigable, potentiallyTargetSpecificSourceSnapshotParams, // targetSnapshotParams, with allowPOST set to allowPOST and completionSteps set to queue a global task on the navigation and traversal task source given // navigable's active window to run afterDocumentPopulated. - Platform::EventLoopPlugin::the().deferred_invoke([populated_target_entry, potentially_target_specific_source_snapshot_params, target_snapshot_params, this, allow_POST, navigable, after_document_populated] { + Platform::EventLoopPlugin::the().deferred_invoke([populated_target_entry, potentially_target_specific_source_snapshot_params, target_snapshot_params, this, allow_POST, navigable, after_document_populated = JS::create_heap_function(this->heap(), move(after_document_populated))] { navigable->populate_session_history_entry_document(populated_target_entry, *potentially_target_specific_source_snapshot_params, target_snapshot_params, {}, Empty {}, CSPNavigationType::Other, allow_POST, [this, after_document_populated, populated_target_entry]() mutable { queue_global_task(Task::Source::NavigationAndTraversal, *active_window(), JS::create_heap_function(this->heap(), [after_document_populated, populated_target_entry]() mutable { - after_document_populated(true, populated_target_entry); + after_document_populated->function()(true, populated_target_entry); })); }) .release_value_but_fixme_should_propagate_errors();