Bug 769754: Debugger handler functions should not corrupt the debuggee's JSContext::iterValue. r=jorendorff

2024-09-13 09:24:08 -07:00 · 2012-07-09 13:19:09 -07:00 · 2012-07-09 13:19:09 -07:00 · 943b321364
commit 943b321364
parent d21539b1f1
3 changed files with 38 additions and 0 deletions
--- a/js/src/jit-test/tests/debug/Frame-onStep-iterators.js
+++ b/js/src/jit-test/tests/debug/Frame-onStep-iterators.js
@ -0,0 +1,20 @@
+var g = newGlobal('new-compartment');
+var dbg = new Debugger;
+var gw = dbg.addDebuggee(g);
+var log;
+var a = [];
+
+dbg.onDebuggerStatement = function (frame) {
+  log += 'd';
+  frame.onStep = function () {
+    // This handler must not wipe out the debuggee's value in JSContext::iterValue.
+    log += 's';
+    // This will use JSContext::iterValue in the debugger.
+    for (let i of a)
+      log += 'i';
+  };
+};
+
+log = '';
+g.eval("debugger; for (let i of [1,2,3]) print(i);");
+assertEq(!!log.match(/^ds*$/), true);
--- a/js/src/jsinterp.cpp
+++ b/js/src/jsinterp.cpp
@ -313,6 +313,9 @@ js::InvokeKernel(JSContext *cx, CallArgs args, MaybeConstruct construct)
    JS_ASSERT(args.length() <= StackSpace::ARGS_LENGTH_MAX);
    JS_ASSERT(!cx->compartment->activeAnalysis);

+    /* We should never enter a new script while cx->iterValue is live. */
+    JS_ASSERT(cx->iterValue.isMagic(JS_NO_ITER_VALUE));
+
    /* MaybeConstruct is a subset of InitialFrameFlags */
    InitialFrameFlags initial = (InitialFrameFlags) construct;

--- a/js/src/vm/Debugger.cpp
+++ b/js/src/vm/Debugger.cpp
@ -1223,6 +1223,21 @@ Debugger::onSingleStep(JSContext *cx, Value *vp)
    }
 #endif

+    /* Preserve the debuggee's iterValue while handlers run. */
+    class PreserveIterValue {
+        JSContext *cx;
+        RootedValue savedIterValue;
+
+      public:
+        PreserveIterValue(JSContext *cx) : cx(cx), savedIterValue(cx, cx->iterValue) {
+            cx->iterValue.setMagic(JS_NO_ITER_VALUE);
+        }
+        ~PreserveIterValue() {
+            cx->iterValue = savedIterValue;
+        }
+    };
+    PreserveIterValue piv(cx);
+
    /* Call all the onStep handlers we found. */
    for (JSObject **p = frames.begin(); p != frames.end(); p++) {
        JSObject *frame = *p;