Bug 1423937: Add FrameIter::hasInitialEnvironment to guard FrameIter::callObj r=tcampbell

Differential Revision: https://phabricator.services.mozilla.com/D8395

--HG--
extra : moz-landing-system : lando

js/src/jit-test/tests/arguments/bug1423937.js

@@ -0,0 +1,17 @@
+// |jit-test| exitstatus: 6;
+
+var global = 0;
+setInterruptCallback(function() {
+    foo("A");
+});
+function foo(x) {
+    for (var i = 0; i < 1000; i++) {
+	var stack = getBacktrace({args: true});
+    }
+    if (global > 2) return;
+    global++;
+    interruptIf(true);
+    foo("B");
+    (function()  { g = x;});
+}
+foo("C");

js/src/jit/JSJitFrameIter.h

@@ -844,12 +844,13 @@ class InlineFrameIterator
     bool isModuleFrame() const;
     bool isConstructing() const;
 
-    JSObject* environmentChain(MaybeReadFallback& fallback) const {
+    JSObject* environmentChain(MaybeReadFallback& fallback,
+                               bool* hasInitialEnvironment = nullptr) const {
         SnapshotIterator s(si_);
 
         // envChain
         Value v = s.maybeRead(fallback);
-        return computeEnvironmentChain(v, fallback);
+        return computeEnvironmentChain(v, fallback, hasInitialEnvironment);
     }
 
     Value thisArgument(MaybeReadFallback& fallback) const {

js/src/jit/RematerializedFrame.cpp

@@ -132,6 +132,7 @@ CallObject&
 RematerializedFrame::callObj() const
 {
     MOZ_ASSERT(hasInitialEnvironment());
+    MOZ_ASSERT(callee()->needsCallObject());
 
     JSObject* env = environmentChain();
     while (!env->is<CallObject>()) {

js/src/jsfriendapi.cpp

@@ -924,7 +924,11 @@ FormatFrame(JSContext* cx, const FrameIter& iter, Sprinter& sp, int num,
         for (unsigned i = 0; i < iter.numActualArgs(); i++) {
             RootedValue arg(cx);
             if (i < iter.numFormalArgs() && fi.closedOver()) {
-                arg = iter.callObj(cx).aliasedBinding(fi);
+                if (iter.hasInitialEnvironment(cx)) {
+                    arg = iter.callObj(cx).aliasedBinding(fi);
+                } else {
+                    arg = MagicValue(JS_OPTIMIZED_OUT);
+                }
             } else if (iter.hasUsableAbstractFramePtr()) {
                 if (script->analyzedArgsUsage() &&
                     script->argsObjAliasesFormals() &&

js/src/vm/Stack.cpp

@@ -1420,10 +1420,30 @@ FrameIter::environmentChain(JSContext* cx) const
     MOZ_CRASH("Unexpected state");
 }
 
+bool
+FrameIter::hasInitialEnvironment(JSContext *cx) const {
+    if (hasUsableAbstractFramePtr()) {
+        return abstractFramePtr().hasInitialEnvironment();
+    }
+
+    if (isWasm()) {
+        // See JSFunction::needsFunctionEnvironmentObjects().
+        return false;
+    }
+
+    MOZ_ASSERT(isJSJit() && isIonScripted());
+    bool hasInitialEnv = false;
+    jit::MaybeReadFallback recover(cx, activation()->asJit(), &jsJitFrame());
+    ionInlineFrames_.environmentChain(recover, &hasInitialEnv);
+
+    return hasInitialEnv;
+}
+
 CallObject&
 FrameIter::callObj(JSContext* cx) const
 {
     MOZ_ASSERT(calleeTemplate()->needsCallObject());
+    MOZ_ASSERT(hasInitialEnvironment(cx));
 
     JSObject* pobj = environmentChain(cx);
     while (!pobj->is<CallObject>()) {

js/src/vm/Stack.h

@@ -2151,6 +2151,7 @@ class FrameIter
     template <class Op> inline void unaliasedForEachActual(JSContext* cx, Op op);
 
     JSObject*  environmentChain(JSContext* cx) const;
+    bool hasInitialEnvironment(JSContext* cx) const;
     CallObject& callObj(JSContext* cx) const;
 
     bool        hasArgsObj() const;