commit 087c870aeae768b85835f34fe856760526ef9748
parent fa4d5d596a2f0799354301f0be19374a33504918
Author: Jon Coppeard <jcoppeard@mozilla.com>
Date: Thu, 13 Nov 2025 12:19:34 +0000
Bug 1999633 - Don't use pointer into debug environments hash map after potential GC r=jandem
Differential Revision: https://phabricator.services.mozilla.com/D272427
Diffstat:
2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/js/src/jit-test/tests/debug/bug-1999633.js b/js/src/jit-test/tests/debug/bug-1999633.js
@@ -0,0 +1,8 @@
+gczeal(2);
+a = newGlobal({newCompartment: true});
+Debugger(a).onEnterFrame = function(b) {
+ if (b.type == "eval")
+ return;
+ b.eval("this");
+}
+a.eval("var bar = function() {}; bar.call(2)");
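Review bot: The new test has no comment saying what it exercises, so a reader only has the filename to connect it to the fix; a one-line header would help, e.g. `// Bug 1999633: b.eval("this") from onEnterFrame under gczeal must not reuse a debug-environment pointer invalidated by GC.`. The `if (b.type == "eval") return;` guard is presumably there to stop the handler re-entering itself for the nested eval frame; naming that in a short comment would make the intent clear.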
diff --git a/js/src/vm/EnvironmentObject.cpp b/js/src/vm/EnvironmentObject.cpp
@@ -2123,13 +2123,14 @@ class DebugEnvironmentProxyHandler : public NurseryAllocableProxyHandler {
return true;
}
- if (!GetFunctionThis(cx, maybeEnv->frame(), thisv)) {
+ AbstractFramePtr frame = maybeEnv->frame();
+ if (!GetFunctionThis(cx, frame, thisv)) {
return false;
}
// Update the this-argument to avoid boxing primitive |this| more
// than once.
- maybeEnv->frame().thisArgument() = thisv;
+ frame.thisArgument() = thisv;
*success = true;
return true;
}
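Review bot: The added `AbstractFramePtr frame = maybeEnv->frame();` line carries the whole fix, but nothing in the code says why the frame is copied out before the call, so a later cleanup could fold it back into `GetFunctionThis(cx, maybeEnv->frame(), thisv)` and reintroduce the bug. Add a comment above it such as `// Copy the frame out first: GetFunctionThis can GC, which may invalidate maybeEnv (a pointer into the debug environments map).`. `maybeEnv` itself stays in scope after `GetFunctionThis`, so if it is referenced further down this method (not visible here) that use would have the same hazard. The enclosing method of DebugEnvironmentProxyHandler begins before this hunk.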