Bug 1201575 - Give copied FrameIter::Data the cx of the current frame. (r=jimb)

js/src/jit-test/tests/debug/bug1161332.js

@@ -0,0 +1,16 @@
+// |jit-test| error: Error
+
+var g = newGlobal();
+g.eval('function f(a) { if (a == 1) debugger; evaluate("f(" + a + " - 1);", {newContext: true}); }');
+var N = 2;
+var dbg = new Debugger(g);
+var frames = [];
+dbg.onEnterFrame = function (frame) {
+   frames.push(frame);
+   frame.onPop = function () { assertEq(frame.onPop, frame.onPop); };
+};
+dbg.onDebuggerStatement = function (frame) {
+    for (var f of frames)
+        f.eval('a').return;
+};
+evaluate("g.f(N);");

js/src/vm/Stack.cpp

@@ -755,6 +755,11 @@ FrameIter::copyData() const
     MOZ_ASSERT(data_.state_ != ASMJS);
     if (data && data_.jitFrames_.isIonScripted())
         data->ionInlineFrameNo_ = ionInlineFrames_.frameNo();
+    // Give the copied Data the cx of the current activation, which may be
+    // different than the cx that the current FrameIter was constructed
+    // with. This ensures that when we instantiate another FrameIter with the
+    // copied data, its cx is still alive.
+    data->cx_ = activation()->cx();
     return data;
 }