Bug 195534

Summary: with(aProxy) {/*stuff*/} causes wrong traps
Product: WebKit Reporter: Mark S. Miller <erights>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: 709922234, erights, evan.exe, fpizlo, keith_miller, mark.lam, msaboff, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

Description Mark S. Miller 2019-03-10 13:48:46 PDT 
See https://github.com/tc39/proposal-realms/issues/200#issuecomment-471254838 and the enclosing thread. The traps seen
   * are surprising
   * violate the spec
   * differ from the behavior seen on chrome and firefox
   * are currently blocking the realms shim from working on safari/jsc

Once we understand these bugs we can probably modify the realms shim to work and maintain security despite these bugs. But until we understand these bugs, we cannot be confident that even the current realms shim maintains security. We need to know how the with-on-a-proxy trapping behavior differs from the spec. Thanks.
Comment 1 evan.exe 2019-03-12 15:15:14 PDT 
There's some more detail here: https://github.com/tc39/proposal-realms/issues/200#issuecomment-472190359. This is a minimal repro case:

    const alwaysThrowHandler = new Proxy(Object.freeze({}), {
      get(target, prop) {
        throw new Error(`unexpected scope handler trap called: ${prop}`)
      }
    })

    const proxy = new Proxy(Object.create(this), {
      __proto__: alwaysThrowHandler,
      get: (target, prop) => target[prop],
      has: (target, prop) => true,
    })

    with (proxy) eval(`(async () => {})()`)

This runs fine with V8 but throws "unexpected scope handler trap called: getPrototypeOf" in JSC.

Putting a breakpoint on "ProxyObject::performGetPrototype" shows that it comes from "JSScope::resolve" being called with "newPromiseCapability", which I think is from the implementation of "let promiseCapability be @newPromiseCapability(@Promise)" in BytecodeGenerator.cpp.
Comment 2 Radar WebKit Bug Importer 2019-03-28 13:08:15 PDT 
<rdar://problem/49392145>
Comment 3 Mark S. Miller 2019-07-10 14:00:38 PDT 
See https://github.com/DimensionDev/realms-shim/commit/55963b0b26c92235123afb0a95c251e0f48fd59d#commitcomment-34258398

Does this workaround look safe? Should we do something narrower?
Comment 4 Mark S. Miller 2020-08-13 19:01:47 PDT 
What is the status of this?
Comment 5 Yusuke Suzuki 2020-08-13 19:23:12 PDT 
I think that the main issue is fixed at some point.

[Log] async function expression, uninvoked (test.html, line 27)
[Log] async function expression, invoked (test.html, line 35)
[Log] async function declaration and invocation (test.html, line 43)
[Log] trapped outer/has – "shouldExistInTrapScope does not exist" (test.html, line 9)
[Log] trapped inner/has – "shouldExistInTrapScope does not exist" (test.html, line 9)
[Log] accessing actual property of with-object (test.html, line 52)
[Log] trapped outer/has – "shouldExistInTrapScope does not exist" (test.html, line 9)
[Log] trapped outer/get – "shouldExistInTrapScope does not exist" (test.html, line 9)
[Log] trapped inner/get – "shouldExistInTrapScope does not exist" (test.html, line 9)
[Log] trapped outer/get – "shouldExistInTrapScope does not exist" (test.html, line 9)

> [Log] trapped outer/has – "shouldExistInTrapScope does not exist" (test.html, line 9)
> [Log] trapped inner/has – "shouldExistInTrapScope does not exist" (test.html, line 9)
They are because of function declaration scope.
Comment 6 Yusuke Suzuki 2020-08-13 19:39:24 PDT 
Yes, this is fixed in Safari 13. Thanks!

*** This bug has been marked as a duplicate of bug 200898 ***
Comment 7 Yusuke Suzuki 2020-08-13 19:45:19 PDT 
(In reply to Yusuke Suzuki from comment #6)
> Yes, this is fixed in Safari 13. Thanks!
> 
> *** This bug has been marked as a duplicate of bug 200898 ***

Ah, no, it is Safari 13.1 (April's release).
Comment 8 Yusuke Suzuki 2020-08-13 20:00:14 PDT 
Yeah, I've checked deeply and ensured that this is fixed in last Safari release, thanks for your report!