Bug 1163520: Don't hand out internal function objects via Debugger.Environment.prototype.callee. r=shu

--HG--
extra : rebase_source : 3619bc13d7839405d9df30f103b903f5d6d03126

js/src/jit-test/tests/debug/Environment-callee-04.js

@@ -0,0 +1,22 @@
+// We shouldn't hand out environment callees when we can only provide the
+// internal function object, not the live function object. (We should never
+// create Debugger.Object instances referring to internal function objects.)
+
+var g = newGlobal();
+var dbg = new Debugger(g);
+
+dbg.onDebuggerStatement = function (frame) {
+  assertEq(frame.older.environment.parent.callee, null);
+}
+
+g.evaluate(`
+
+           function h() { debugger; }
+           (function () {
+             return function () {
+               h();
+               return 1;
+             }
+           })()();
+
+           `);

js/src/jit-test/tests/debug/Environment-getVariable-15.js

@@ -0,0 +1,31 @@
+// Don't hand out internal function objects via Debugger.Environment.prototype.getVariable.
+
+// When the real scope chain object holding the binding for 'f' in 'function f()
+// { ... }' is optimized out because it's never used, we whip up fake scope
+// chain objects for Debugger to use, if it looks. However, the value of the
+// variable f will be an internal function object, not a live function object,
+// since the latter was not recorded. Internal function objects should not be
+// exposed via Debugger.
+
+var g = newGlobal();
+var dbg = new Debugger(g);
+
+dbg.onDebuggerStatement = function (frame) {
+  var g_call_env = frame.older.environment;     // g's locals
+  var g_decl_env = g_call_env.parent;           // 'function g' binding
+  var f_call_env = g_decl_env.parent;           // f's locals
+  var f_decl_env = f_call_env.parent;           // 'function f' binding
+  assertEq(f_decl_env.getVariable('f').optimizedOut, true);
+}
+
+g.evaluate(`
+
+           function h() { debugger; }
+           (function f() {
+             return function g() {
+               h();
+               return 1;
+             }
+           })()();
+
+           `);

js/src/vm/Debugger.cpp

@@ -806,6 +806,7 @@ Debugger::wrapDebuggeeValue(JSContext* cx, MutableHandleValue vp)
         RootedObject obj(cx, &vp.toObject());
 
         if (obj->is<JSFunction>()) {
+            MOZ_ASSERT(!IsInternalFunctionObject(*obj));
             RootedFunction fun(cx, &obj->as<JSFunction>());
             if (!EnsureFunctionHasScript(cx, fun))
                 return false;
@@ -7628,7 +7629,11 @@ DebuggerEnv_getCallee(JSContext* cx, unsigned argc, Value* vp)
     if (callobj.isForEval())
         return true;
 
-    args.rval().setObject(callobj.callee());
+    JSFunction& callee = callobj.callee();
+    if (IsInternalFunctionObject(callee))
+        return true;
+
+    args.rval().setObject(callee);
     if (!dbg->wrapDebuggeeValue(cx, args.rval()))
         return false;
     return true;
@@ -7757,6 +7762,16 @@ DebuggerEnv_getVariable(JSContext* cx, unsigned argc, Value* vp)
         }
     }
 
+    // When we've faked up scope chain objects for optimized-out scopes,
+    // declarative environments may contain internal JSFunction objects, which
+    // we shouldn't expose to the user.
+    if (v.isObject()) {
+        RootedObject obj(cx, &v.toObject());
+        if (obj->is<JSFunction>() &&
+            IsInternalFunctionObject(obj->as<JSFunction>()))
+            v.setMagic(JS_OPTIMIZED_OUT);
+    }
+
     if (!dbg->wrapDebuggeeValue(cx, &v))
         return false;
     args.rval().set(v);