Bug 1847360 - Don't crash on other magic values when checking for uninitialized lexical values r=arai

Differential Revision: https://phabricator.services.mozilla.com/D185715

js/src/jit-test/tests/debug/bug1847360.js

@@ -0,0 +1,18 @@
+try {
+    g = newGlobal({ newCompartment: true });
+    g.z = this;
+    g.eval(
+        "(" +
+        function () {
+            Debugger(z).onExceptionUnwind = function (y) {
+                y.eval("f=0");
+            };
+        } +
+        ")()"
+    );
+    (function f() {
+        x;
+    })();
+} catch (e) {
+    assertEq(e instanceof ReferenceError, true);
+}

js/src/vm/EnvironmentObject.cpp

@@ -2266,7 +2266,10 @@ class DebugEnvironmentProxyHandler : public BaseProxyHandler {
         if (!GetProperty(cx, env, env, id, &initialVal)) {
           return false;
         }
-        if (initialVal.isMagic(JS_UNINITIALIZED_LEXICAL)) {
+        // Note: initialVal could be JS_OPTIMIZED_OUT, which is why we don't use
+        // .whyMagic(JS_UNINITALIZED_LEXICAL).
+        if (initialVal.isMagic() &&
+            initialVal.whyMagic() == JS_UNINITIALIZED_LEXICAL) {
           ReportRuntimeLexicalErrorId(cx, JSMSG_UNINITIALIZED_LEXICAL, id);
           return false;
         }