From 803a20fa8676b07680d1e2ae224780ae28266588 Mon Sep 17 00:00:00 2001
From: Andreas Kling
Date: Thu, 28 Jan 2021 10:13:47 +0100
Subject: [PATCH] LibJS: Call the correct base class in LexicalEnvironment::visit_edges()

We were calling directly up to Cell, skipping over ScopeObject. This made us not mark the scope chain parent for lexical environments, sometimes causing them to get GC'd and use-after-free'd. Found by Fuzzilli. Fixes #5140.
---
 Userland/Libraries/LibJS/Runtime/LexicalEnvironment.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Userland/Libraries/LibJS/Runtime/LexicalEnvironment.cpp b/Userland/Libraries/LibJS/Runtime/LexicalEnvironment.cpp
index 2275b6402b3..94d1c97e2dc 100644
--- a/Userland/Libraries/LibJS/Runtime/LexicalEnvironment.cpp
+++ b/Userland/Libraries/LibJS/Runtime/LexicalEnvironment.cpp
@@ -63,7 +63,7 @@ LexicalEnvironment::~LexicalEnvironment()
 void LexicalEnvironment::visit_edges(Visitor& visitor)
 {
- Cell::visit_edges(visitor);
+ Base::visit_edges(visitor);
 visitor.visit(m_this_value);
 visitor.visit(m_home_object);
 visitor.visit(m_new_target);