Accessing variables trapped by JavaScript closure using V8 runtime functions.

runtime-debug.db22c3fb5c.patch

diff --git a/src/runtime/runtime-debug.cc b/src/runtime/runtime-debug.cc
index 98aa3b98e7..2e424ead9e 100644
--- a/src/runtime/runtime-debug.cc
+++ b/src/runtime/runtime-debug.cc
@@ -322,18 +322,19 @@ RUNTIME_FUNCTION(Runtime_GetGeneratorScopeDetails) {
   HandleScope scope(isolate);
   DCHECK_EQ(2, args.length());
 
-  if (!args[0]->IsJSGeneratorObject()) {
-    return ReadOnlyRoots(isolate).undefined_value();
-  }
 
   // Check arguments.
-  CONVERT_ARG_HANDLE_CHECKED(JSGeneratorObject, gen, 0);
+  CONVERT_ARG_HANDLE_CHECKED(JSFunction, gen, 0);
   CONVERT_NUMBER_CHECKED(int, index, Int32, args[1]);
 
   // Only inspect suspended generator scopes.
-  if (!gen->is_suspended()) {
-    return ReadOnlyRoots(isolate).undefined_value();
-  }
 
   // Find the requested scope.
   int n = 0;                                                                

test.js

// ./d8 --allow-natives-syntax ./test.js

const kScopeDetailsObjectIndex = 1;

function noop() {
    return "sf"
}

function out(arg) {
    let obj = {
        f: noop,
        v: 100,
    };
    return function() {
        return arg + obj.v;
    }
}

let inner = out(91);
// %DebugPrint(inner);
// %SetGeneratorScopeVariableValue(inner, 0, "arg", 100)
// print(inner())

try {
    for (let i = 0; i <= 5; i++) {
        // Patch v8 source file `runtime/runtime-debug.cc` function `Runtime_GetGeneratorScopeDetails`
        let details = %GetGeneratorScopeDetails(inner, i)
        let closure = details[kScopeDetailsObjectIndex];
        for (let key in closure) {
            inner[`_${key}`] = closure[key]
        }
    }
} catch (err) {
    err = null
}

// prints "sf"
console.log(inner._hehe.f())