From 1d964c2341491b5fb0f175ae1424c98da3a1530d Mon Sep 17 00:00:00 2001
From: Sandeep Agarwal
Date: Fri, 19 Jan 2018 10:29:49 -0800
Subject: [PATCH] OS#15522456 ScriptContext created after calling JsDiagStopDebugging should set debugging mode as SourceRunDown instead of Debugging. Found by OSS-Fuzz.
---
lib/Jsrt/Jsrt.cpp | 22 ++++++++++++++++------
lib/Jsrt/JsrtDiag.cpp | 10 +++++++---
test/Debugger/emptyJson.dbg.baseline | 1 +
test/Debugger/loadscript_after_detach.js | 17 +++++++++++++++++
test/Debugger/rlexe.xml | 6 ++++++
5 files changed, 47 insertions(+), 9 deletions(-)
create mode 100644 test/Debugger/emptyJson.dbg.baseline
create mode 100644 test/Debugger/loadscript_after_detach.js
diff --git a/lib/Jsrt/Jsrt.cpp b/lib/Jsrt/Jsrt.cpp
index f9656729846..0bb3af94ca3 100644
--- a/lib/Jsrt/Jsrt.cpp
+++ b/lib/Jsrt/Jsrt.cpp
@@ -178,17 +178,27 @@ JsErrorCode CreateContextCore(_In_ JsRuntimeHandle runtimeHandle, _In_ TTDRecord if(jsrtDebugManager != nullptr) { + // JsDiagStartDebugging was called + threadContext->GetDebugManager()->SetLocalsDisplayFlags(Js::DebugManager::LocalsDisplayFlags::LocalsDisplayFlags_NoGroupMethods); + Js::ScriptContext* scriptContext = context->GetScriptContext(); - scriptContext->InitializeDebugging(); Js::DebugContext* debugContext = scriptContext->GetDebugContext(); debugContext->SetHostDebugContext(jsrtDebugManager); - Js::ProbeContainer* probeContainer = debugContext->GetProbeContainer(); - probeContainer->InitializeInlineBreakEngine(jsrtDebugManager); - probeContainer->InitializeDebuggerScriptOptionCallback(jsrtDebugManager); - - threadContext->GetDebugManager()->SetLocalsDisplayFlags(Js::DebugManager::LocalsDisplayFlags::LocalsDisplayFlags_NoGroupMethods); + if (!jsrtDebugManager->IsDebugEventCallbackSet()) + { + // JsDiagStopDebugging was called so we need to be in SourceRunDownMode + debugContext->SetDebuggerMode(Js::DebuggerMode::SourceRundown); + } + else + { + // Set Debugging mode + scriptContext->InitializeDebugging(); + Js::ProbeContainer* probeContainer = debugContext->GetProbeContainer(); + probeContainer->InitializeInlineBreakEngine(jsrtDebugManager); + probeContainer->InitializeDebuggerScriptOptionCallback(jsrtDebugManager); + } } #endif
diff --git a/lib/Jsrt/JsrtDiag.cpp b/lib/Jsrt/JsrtDiag.cpp
index c80c62e01bf..fafd982dd62 100644
--- a/lib/Jsrt/JsrtDiag.cpp
+++ b/lib/Jsrt/JsrtDiag.cpp
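Review bot: The comment `// JsDiagStartDebugging was called` above the SetLocalsDisplayFlags call no longer describes the whole branch: a non-null jsrtDebugManager now covers both an attached debugger and one that has since been stopped, which is exactly the distinction the new IsDebugEventCallbackSet() check draws a few lines later. I'd reword it to `// A JsrtDebugManager exists, so JsDiagStartDebugging ran at some point; it may since have been followed by JsDiagStopDebugging (see the IsDebugEventCallbackSet check below)`. It is also worth recording at the if that the missing debug event callback is the only signal used to detect the stopped state, so a new context must never be put into Debugging mode without a callback to deliver events to: `// No callback set: JsDiagStopDebugging ran, so a fresh context goes to SourceRundown, never Debugging`. CreateContextCore starts and ends outside the hunk.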
@@ -99,9 +99,13 @@ CHAKRA_API JsDiagStartDebugging( return JsErrorFatal; } - Js::ProbeContainer* probeContainer = debugContext->GetProbeContainer(); - probeContainer->InitializeInlineBreakEngine(jsrtDebugManager); - probeContainer->InitializeDebuggerScriptOptionCallback(jsrtDebugManager); + // ScriptContext might get closed in OnDebuggerAttached + if (!scriptContext->IsClosed()) + { + Js::ProbeContainer* probeContainer = debugContext->GetProbeContainer(); + probeContainer->InitializeInlineBreakEngine(jsrtDebugManager); + probeContainer->InitializeDebuggerScriptOptionCallback(jsrtDebugManager); + } } return JsNoError;
diff --git a/test/Debugger/emptyJson.dbg.baseline b/test/Debugger/emptyJson.dbg.baseline
new file mode 100644
index 00000000000..0637a088a01
--- /dev/null
+++ b/test/Debugger/emptyJson.dbg.baseline
@@ -0,0 +1 @@
+[]
\ No newline at end of file
diff --git a/test/Debugger/loadscript_after_detach.js b/test/Debugger/loadscript_after_detach.js
new file mode 100644
index 00000000000..e52bc839e9d
--- /dev/null
+++ b/test/Debugger/loadscript_after_detach.js
@@ -0,0 +1,17 @@
+//-------------------------------------------------------------------------------------------------------
+// Copyright (C) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
+//-------------------------------------------------------------------------------------------------------
+
+var count = 0;
+function foo() {
+ count++;
+ if (count == 3) {
+ WScript.LoadScript("", "samethread"); // ScriptContext should be created in sourcerundown mode instead of debugging mode
+ }
+}
+foo();
+WScript.Attach(foo);
+WScript.Detach(foo);
+WScript.Attach(foo);
+WScript.Echo("pass");
diff --git a/test/Debugger/rlexe.xml b/test/Debugger/rlexe.xml
index 43e5f0fa49c..065ceba6d42 100644
--- a/test/Debugger/rlexe.xml
+++ b/test/Debugger/rlexe.xml
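Review bot: The new IsClosed() guard silently skips the probe-container initialization for a context that was closed during attach, but the comment only explains why the close can happen, not that skipping is the intended outcome; I'd extend it to `// ScriptContext might get closed in OnDebuggerAttached; a closed context is skipped here and must not be touched further`. Since debugContext is presumably obtained before that close (its retrieval is outside the hunk), this guard is the only thing keeping GetProbeContainer() from running against a closed context, which is worth stating so a later edit does not hoist the calls back out of the if. The enclosing JsDiagStartDebugging loop starts and ends outside the hunk.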
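Review bot: The test depends on the third call to foo happening inside WScript.Detach, i.e. after the debugger has been detached, but nothing in the file says so; the inline comment on the LoadScript line states the expected mode, not why count == 3 is the interesting call. I'd add above the if: `// 1st call: foo() below; 2nd: inside WScript.Attach; 3rd: inside WScript.Detach, so the new context is created after JsDiagStopDebugging` (assuming Attach/Detach invoke their callback, which the call sequence implies). As a point of style, `if (count === 3) {` avoids the loose comparison.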
@@ -74,4 +74,10 @@ dumpFunctionProperties.js + + + -dbgbaseline:emptyJson.dbg.baseline + loadscript_after_detach.js + +