Bug 1797255 - Return an empty array from Debugger.findObjects with --fuzzing-safe. r=decoder

Differential Revision: https://phabricator.services.mozilla.com/D160465

js/src/debugger/Debugger.cpp

@@ -57,6 +57,7 @@
 #include "jit/BaselineJIT.h"           // for FinishDiscardBaselineScript
 #include "jit/Invalidation.h"         // for RecompileInfoVector
 #include "jit/JitContext.h"           // for JitContext
+#include "jit/JitOptions.h"           // for fuzzingSafe
 #include "jit/JitScript.h"            // for JitScript
 #include "jit/JSJitFrameIter.h"       // for InlineFrameIterator
 #include "jit/RematerializedFrame.h"  // for RematerializedFrame
@@ -5957,6 +5958,13 @@ bool Debugger::CallData::findObjects() {
     return false;
   }
 
+  // Returning internal objects (such as self-hosting intrinsics) to JS is not
+  // fuzzing-safe. We still want to call parseQuery/findObjects when fuzzing so
+  // just clear the Vector here.
+  if (fuzzingSafe) {
+    query.objects.clear();
+  }
+
   size_t length = query.objects.length();
   Rooted<ArrayObject*> result(cx, NewDenseFullyAllocatedArray(cx, length));
   if (!result) {

js/src/jit-test/tests/debug/Debugger-findObjects-fuzzing.js

@@ -0,0 +1,7 @@
+// |jit-test| --fuzzing-safe
+// Debugger.findObjects returns an empty array with --fuzzing-safe
+
+var g = newGlobal({newCompartment: true});
+g.evaluate("arr = [1, 2, 3].map(x => x + 1)");
+var dbg = new Debugger(g);
+assertEq(dbg.findObjects().length, 0);