1 files changed, 37 insertions, 0 deletions

diff --git a/js/src/jit-test/tests/fields/private-field-symbol-debugger-access.js b/js/src/jit-test/tests/fields/private-field-symbol-debugger-access.js
new file mode 100644
index 0000000000..cd960a3be1
--- /dev/null
+++ b/js/src/jit-test/tests/fields/private-field-symbol-debugger-access.js
@@ -0,0 +1,37 @@
+// Make a new global to debug
+const global = newGlobal({ newCompartment: true });
+
+// Create an object in that global with a private field.
+global.eval("\nclass MyClass {\n #privateProperty1\n }\nobj = new MyClass();");
+
+// Debug said global.
+const debug = Debugger();
+const globalDebugObject = debug.addDebuggee(global);
+
+// Leak the private name symbol backing the private field.
+var otherGlobalObj = globalDebugObject.getOwnPropertyDescriptor("obj").value
+var privateSymbol = otherGlobalObj.getOwnPrivateProperties()[0]
+
+// Create a different proxy.
+var p = new Proxy({}, {});
+
+// Try to look up the leaked private symbol on the new proxy.
+// This crashes, as it violates the assumption baked into the proxy code
+// that all accesses are scripted, and thus creation and symbol management
+// invariants are correctly observed.
+fail = false;
+try {
+    p[privateSymbol] = 1;
+    fail = true;
+} catch (e) {
+    assertEq(e instanceof TypeError, true);
+}
+assertEq(fail, false);
+
+try {
+    p[privateSymbol];
+    fail = true;
+} catch (e) {
+    assertEq(e instanceof TypeError, true);
+}
+assertEq(fail, false);