LibJS: GlobalObject must mark builtin prototypes

Failing to mark them leads to use-after-free since the GlobalObject cached prototypes are used for new NumberObject, StringObject, etc. Found by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30319
author: Andreas Kling <kling@serenityos.org> 2021-02-05 14:51:18 +0100
committer: Andreas Kling <kling@serenityos.org> 2021-02-05 14:53:16 +0100
commit: 7df3b951267bd77b2b72f04d697ea5148073e29d (patch)
tree: df0bf870bf15c0308fafc5c22b0fa790ea8de90a
parent: 0269578d3eadaa117dc0c030f739fce09e59d8d2 (diff)
download: serenity-7df3b951267bd77b2b72f04d697ea5148073e29d.zip
1 files changed, 3 insertions, 1 deletions
diff --git a/Userland/Libraries/LibJS/Runtime/GlobalObject.cpp b/Userland/Libraries/LibJS/Runtime/GlobalObject.cpp
index 37135f907c..0a17ac6186 100644
--- a/Userland/Libraries/LibJS/Runtime/GlobalObject.cpp
+++ b/Userland/Libraries/LibJS/Runtime/GlobalObject.cpp
@@ -167,8 +167,10 @@ void GlobalObject::visit_edges(Visitor& visitor)
     visitor.visit(m_proxy_constructor);
 
 #define __JS_ENUMERATE(ClassName, snake_name, PrototypeName, ConstructorName, ArrayType) \
-    visitor.visit(m_##snake_name##_constructor);
+    visitor.visit(m_##snake_name##_constructor);                                         \
+    visitor.visit(m_##snake_name##_prototype);
     JS_ENUMERATE_ERROR_SUBCLASSES
+    JS_ENUMERATE_BUILTIN_TYPES
 #undef __JS_ENUMERATE
 
 #define __JS_ENUMERATE(ClassName, snake_name) \
author	Andreas Kling <kling@serenityos.org>	2021-02-05 14:51:18 +0100
committer	Andreas Kling <kling@serenityos.org>	2021-02-05 14:53:16 +0100
commit	7df3b951267bd77b2b72f04d697ea5148073e29d (patch)
tree	df0bf870bf15c0308fafc5c22b0fa790ea8de90a
parent	0269578d3eadaa117dc0c030f739fce09e59d8d2 (diff)
download	serenity-7df3b951267bd77b2b72f04d697ea5148073e29d.zip