author | davidot <davidot@serenityos.org> | 2022-09-13 01:23:28 +0200 |
---|---|---|
committer | Tim Flynn <trflynn89@pm.me> | 2022-09-12 20:14:58 -0400 |
commit | 1d846e559150e1ec90486760a8e09fced24b1d67 (patch) | |
tree | 7cbd8b60f56fb3064825f46b02a5c43098841516 /Userland/Libraries/LibWeb/Crypto | |
parent | 0e901f8c68a7da573487c16506acb3a49371ddf1 (diff) | |
LibWeb: Visit internal fields of Crypto in visit_edges

Not visiting the field holding SubtleCrypto in Crypto caused subtle
crashes all over the Value functions, due to accessing SubtleCrypto
after it was garbage collected (and potentially replaced by a new cell).
This meant that the crashes were only appearing in Value::to_boolean,
Value::typeof, etc. Which then held pointers to things that looked like
Shapes, Environments and other non-Object Cells.

To find the actual cause, all pointers used to construct Values were
checked and if a pointer was none of the allowed types, the backtrace
is logged.

Co-authored-by: Luke Wilde <lukew@serenityos.org>
Diffstat (limited to 'Userland/Libraries/LibWeb/Crypto')
-rw-r--r-- | Userland/Libraries/LibWeb/Crypto/Crypto.cpp | 6 |
-rw-r--r-- | Userland/Libraries/LibWeb/Crypto/Crypto.h | 3 |
2 files changed, 9 insertions, 0 deletions
diff --git a/Userland/Libraries/LibWeb/Crypto/Crypto.cpp b/Userland/Libraries/LibWeb/Crypto/Crypto.cpp index f9f1a3b2a2..f4626ac331 100644 --- a/Userland/Libraries/LibWeb/Crypto/Crypto.cpp +++ b/Userland/Libraries/LibWeb/Crypto/Crypto.cpp @@ -114,4 +114,10 @@ String Crypto::random_uuid() const return builder.to_string(); } +void Crypto::visit_edges(Cell::Visitor& visitor) +{ + Base::visit_edges(visitor); + visitor.visit(m_subtle.ptr()); +} + } diff --git a/Userland/Libraries/LibWeb/Crypto/Crypto.h b/Userland/Libraries/LibWeb/Crypto/Crypto.h index 8d0a782a2a..73e88d8375 100644 --- a/Userland/Libraries/LibWeb/Crypto/Crypto.h +++ b/Userland/Libraries/LibWeb/Crypto/Crypto.h @@ -25,6 +25,9 @@ public: DOM::ExceptionOr<JS::Value> get_random_values(JS::Value array) const; String random_uuid() const; +protected: + virtual void visit_edges(Cell::Visitor&) override; + private: explicit Crypto(HTML::Window&); virtual void initialize(JS::Realm&) override; |
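Review bot: In the Crypto.cpp hunk, `visitor.visit(m_subtle.ptr());` fixes the one unvisited member, but the patch adds no regression test, so the same use-after-collection can come back unnoticed; the diffstat shows only Crypto.cpp and Crypto.h changing. The commit message says the failure surfaced far from the cause (in Value::to_boolean, Value::typeof and similar), which is exactly the kind of bug that is expensive to rediscover. Consider adding a test that reaches the SubtleCrypto object through Crypto after a forced collection, and a short comment above visit_edges stating that every cell-holding member of Crypto must be visited there.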
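Review bot: In the Crypto.h hunk, the new `protected:` section contains only the visit_edges override, while the other override visible in the same context, `virtual void initialize(JS::Realm&) override;`, is declared under `private:`. If no subclass of Crypto needs to chain to this function, declare it next to initialize so the overrides stay together; if protected access is intentional so that derived classes can call it as their Base::visit_edges, a one-line comment saying so would prevent someone from later moving it.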