Bug 1684821 - Fix asserts in DebugEnvironmentProxy::initSnapshot. r=jorendorff

When leaving a frame, we may need to snapshot frame values that debugger is observing. At this time, the environment chain may still have the body LexicalEnvironmentObject before the CallObject. This was tripping an assert in `initSnapshot` that ensured if a snapshot already existed that the frame was for a generator/async that may have already paused. Differential Revision: https://phabricator.services.mozilla.com/D102636
2021-01-21 20:28:24 +00:00 · 2021-01-21 20:28:24 +00:00 · 2260b7c845
--- a/js/src/jit-test/tests/debug/bug1684821.js
+++ b/js/src/jit-test/tests/debug/bug1684821.js
@ -0,0 +1,26 @@
+let g = newGlobal({newCompartment: true});
+let d = new Debugger(g);
+
+d.onDebuggerStatement = function (frame) {
+  frame.environment;
+};
+
+g.evaluate(`
+  function * foo() {
+    // Force CallObject + LexicalEnvironmentObject
+    let x;
+    let y = () => x;
+
+    // Force DebuggerEnvironment
+    debugger;
+
+    // Force suspend and frame snapshot
+    yield;
+
+    // Popping this frame will trigger a second snapshot
+  }
+`)
+
+let x = g.foo();
+x.next();
+x.next();
--- a/js/src/vm/EnvironmentObject.cpp
+++ b/js/src/vm/EnvironmentObject.cpp
@ -2468,8 +2468,7 @@ ArrayObject* DebugEnvironmentProxy::maybeSnapshot() const {
 void DebugEnvironmentProxy::initSnapshot(ArrayObject& o) {
  MOZ_ASSERT_IF(
      maybeSnapshot() != nullptr,
-      environment().is<CallObject>() &&
-          environment().as<CallObject>().callee().isGeneratorOrAsync());
+      CallObject::find(&environment())->callee().isGeneratorOrAsync());
  setReservedSlot(SNAPSHOT_SLOT, ObjectValue(o));
 }