From 693499c1ea7b0e331b175ff75eeeec0ff7a0166c Mon Sep 17 00:00:00 2001
From: Matthew Gaudet
Date: Wed, 9 Aug 2023 19:26:01 +0000
Subject: [PATCH] Bug 1847360 - Don't crash on other magic values when checking for uninitialized lexical values r=arai
Differential Revision: https://phabricator.services.mozilla.com/D185715
---
js/src/jit-test/tests/debug/bug1847360.js | 18 ++++++++++++++++++
js/src/vm/EnvironmentObject.cpp | 5 ++++-
2 files changed, 22 insertions(+), 1 deletion(-)
create mode 100644 js/src/jit-test/tests/debug/bug1847360.js
diff --git a/js/src/jit-test/tests/debug/bug1847360.js b/js/src/jit-test/tests/debug/bug1847360.js
new file mode 100644
index 000000000000..89d1d73afe15
--- /dev/null
+++ b/js/src/jit-test/tests/debug/bug1847360.js
@@ -0,0 +1,18 @@
+try {
+ g = newGlobal({ newCompartment: true });
+ g.z = this;
+ g.eval(
+ "(" +
+ function () {
+ Debugger(z).onExceptionUnwind = function (y) {
+ y.eval("f=0");
+ };
+ } +
+ ")()"
+ );
+ (function f() {
+ x;
+ })();
+} catch (e) {
+ assertEq(e instanceof ReferenceError, true);
+}
diff --git a/js/src/vm/EnvironmentObject.cpp b/js/src/vm/EnvironmentObject.cpp
index 2a1dad137f74..b90f142c9da6 100644
--- a/js/src/vm/EnvironmentObject.cpp
+++ b/js/src/vm/EnvironmentObject.cpp
@@ -2266,7 +2266,10 @@ class DebugEnvironmentProxyHandler : public BaseProxyHandler {
 if (!GetProperty(cx, env, env, id, &initialVal)) {
 return false;
 }
- if (initialVal.isMagic(JS_UNINITIALIZED_LEXICAL)) {
+ // Note: initialVal could be JS_OPTIMIZED_OUT, which is why we don't use
+ // .whyMagic(JS_UNINITALIZED_LEXICAL).
+ if (initialVal.isMagic() &&
+ initialVal.whyMagic() == JS_UNINITIALIZED_LEXICAL) {
 ReportRuntimeLexicalErrorId(cx, JSMSG_UNINITIALIZED_LEXICAL, id);
 return false;
 }
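Review bot: The only assertion in the new test sits inside the catch block, so the test passes vacuously if the try body throws nothing at all; the fix is for a crash, but a regression that instead swallows the error would still look green. Guard it with a flag: `let threw = false;` before the `try`, `threw = true;` as the first statement of the catch, and `assertEq(threw, true);` after the block. The implicit global `g` and the function-source concatenation passed to `g.eval` follow the usual reduced-testcase style in jit-tests and need no change.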
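Review bot: The added comment is misleading on the line `// .whyMagic(JS_UNINITALIZED_LEXICAL).`: it names a call form the code never used (the removed call was `isMagic(JS_UNINITIALIZED_LEXICAL)`, and the new code does call `whyMagic()`), and it misspells the enumerator as `UNINITALIZED`. The motivation is presumably that the single-argument `isMagic(why)` asserts the magic reason matches, which is what fails on `JS_OPTIMIZED_OUT`; say that directly, e.g. `// Note: initialVal could be JS_OPTIMIZED_OUT, so don't use isMagic(JS_UNINITIALIZED_LEXICAL),` followed by `// which asserts that any magic value carries exactly that reason.` With the new condition, a value with any other magic reason falls through to the code after the hunk; the enclosing function starts and ends outside this hunk, so whether that case is handled there is not visible here.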