diff --git a/js/src/jit-test/tests/debug/Environment-callee-04.js b/js/src/jit-test/tests/debug/Environment-callee-04.js new file mode 100644 index 000000000000..b2b9534d0723 --- /dev/null +++ b/js/src/jit-test/tests/debug/Environment-callee-04.js @@ -0,0 +1,22 @@ +// We shouldn't hand out environment callees when we can only provide the +// internal function object, not the live function object. (We should never +// create Debugger.Object instances referring to internal function objects.) + +var g = newGlobal(); +var dbg = new Debugger(g); + +dbg.onDebuggerStatement = function (frame) { + assertEq(frame.older.environment.parent.callee, null); +} + +g.evaluate(` + + function h() { debugger; } + (function () { + return function () { + h(); + return 1; + } + })()(); + + `); diff --git a/js/src/jit-test/tests/debug/Environment-getVariable-15.js b/js/src/jit-test/tests/debug/Environment-getVariable-15.js new file mode 100644 index 000000000000..b6eee90e616a --- /dev/null +++ b/js/src/jit-test/tests/debug/Environment-getVariable-15.js @@ -0,0 +1,31 @@ +// Don't hand out internal function objects via Debugger.Environment.prototype.getVariable. + +// When the real scope chain object holding the binding for 'f' in 'function f() +// { ... }' is optimized out because it's never used, we whip up fake scope +// chain objects for Debugger to use, if it looks. However, the value of the +// variable f will be an internal function object, not a live function object, +// since the latter was not recorded. Internal function objects should not be +// exposed via Debugger. + +var g = newGlobal(); +var dbg = new Debugger(g); + +dbg.onDebuggerStatement = function (frame) { + var g_call_env = frame.older.environment; // g's locals + var g_decl_env = g_call_env.parent; // 'function g' binding + var f_call_env = g_decl_env.parent; // f's locals + var f_decl_env = f_call_env.parent; // 'function f' binding + assertEq(f_decl_env.getVariable('f').optimizedOut, true); +} + +g.evaluate(` + + function h() { debugger; } + (function f() { + return function g() { + h(); + return 1; + } + })()(); + + `); diff --git a/js/src/vm/Debugger.cpp b/js/src/vm/Debugger.cpp index 448f9769ca7a..1a404dbcfeb0 100644 --- a/js/src/vm/Debugger.cpp +++ b/js/src/vm/Debugger.cpp @@ -806,6 +806,7 @@ Debugger::wrapDebuggeeValue(JSContext* cx, MutableHandleValue vp) RootedObject obj(cx, &vp.toObject()); if (obj->is()) { + MOZ_ASSERT(!IsInternalFunctionObject(*obj)); RootedFunction fun(cx, &obj->as()); if (!EnsureFunctionHasScript(cx, fun)) return false; @@ -7628,7 +7629,11 @@ DebuggerEnv_getCallee(JSContext* cx, unsigned argc, Value* vp) if (callobj.isForEval()) return true; - args.rval().setObject(callobj.callee()); + JSFunction& callee = callobj.callee(); + if (IsInternalFunctionObject(callee)) + return true; + + args.rval().setObject(callee); if (!dbg->wrapDebuggeeValue(cx, args.rval())) return false; return true; @@ -7757,6 +7762,16 @@ DebuggerEnv_getVariable(JSContext* cx, unsigned argc, Value* vp) } } + // When we've faked up scope chain objects for optimized-out scopes, + // declarative environments may contain internal JSFunction objects, which + // we shouldn't expose to the user. + if (v.isObject()) { + RootedObject obj(cx, &v.toObject()); + if (obj->is() && + IsInternalFunctionObject(obj->as())) + v.setMagic(JS_OPTIMIZED_OUT); + } + if (!dbg->wrapDebuggeeValue(cx, &v)) return false; args.rval().set(v);