Bug 195534
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | with(aProxy) {/*stuff*/} causes wrong traps | | |
| Product | WebKit | Reporter | Mark S. Miller <erights> |
| Component | JavaScriptCore | Assignee | Nobody <webkit-unassigned> |
| Status | RESOLVED DUPLICATE | | |
| Severity | Normal | CC | 709922234, erights, evan.exe, fpizlo, keith_miller, mark.lam, msaboff, webkit-bug-importer, ysuzuki |
| Priority | P2 | Keywords | InRadar |
| Version | WebKit Nightly Build | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
Mark S. Miller
See https://github.com/tc39/proposal-realms/issues/200#issuecomment-471254838 and the enclosing thread. The traps seen
* are surprising
* violate the spec
* differ from the behavior seen on Chrome and Firefox
* are currently blocking the realms shim from working on Safari/JSC
Once we understand these bugs we can probably modify the realms shim to work and maintain security despite these bugs. But until we understand these bugs, we cannot be confident that even the current realms shim maintains security. We need to know how the with-on-a-proxy trapping behavior differs from the spec. Thanks.
evan.exe
There's some more detail here: https://github.com/tc39/proposal-realms/issues/200#issuecomment-472190359. This is a minimal repro case:
```javascript
// A handler whose every trap lookup throws, so any trap the engine reaches
// for that is not defined explicitly on the with-object's handler is
// reported by name in the error message.
const alwaysThrowHandler = new Proxy(Object.freeze({}), {
  get(target, prop) {
    throw new Error(`unexpected scope handler trap called: ${prop}`)
  }
})
// The with-object: only `get` and `has` are defined. Any other trap the
// engine looks up falls through to alwaysThrowHandler via __proto__.
const proxy = new Proxy(Object.create(this), {
  __proto__: alwaysThrowHandler,
  get: (target, prop) => target[prop],
  has: (target, prop) => true,
})
// Per spec, resolving names inside `with` may only hit `has` and `get`.
with (proxy) eval(`(async () => {})()`)
```
This runs fine with V8 but throws "unexpected scope handler trap called: getPrototypeOf" in JSC.
Putting a breakpoint on "ProxyObject::performGetPrototype" shows that it comes from "JSScope::resolve" being called with "newPromiseCapability", which I think is from the implementation of "let promiseCapability be @newPromiseCapability(@Promise)" in BytecodeGenerator.cpp.
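To turn the expectation in the repro above into something that can be checked on any engine, here is an added example (mine, not code from evan.exe, the realms shim or WebKit). Instead of throwing on the first unexpected trap, it records every trap the engine looks up while a `with` body runs and reports those outside the set ECMA-262 permits for an object environment record (`has` and `get`, the latter including the `Symbol.unscopables` lookup). The names `makeAuditedScope`, `auditWithTraps` and `ALLOWED_WITH_TRAPS` are my own; `new Function` is used so the `with` statement is always compiled in sloppy mode, whatever mode the surrounding file uses.

```javascript
// Added example: audit which proxy traps fire when a Proxy is the object of
// a `with` statement. A conforming engine only invokes `has` and `get`;
// anything else (e.g. `getPrototypeOf`, as JSC did in this report) is an
// engine bug that a scope-wrapping membrane must not silently tolerate.
'use strict';

// Traps ECMA-262 allows an object environment record to trigger.
const ALLOWED_WITH_TRAPS = new Set(['has', 'get']);

// Build a proxy whose handler is itself a proxy, so that *every* trap the
// engine looks up is intercepted, recorded, then forwarded to Reflect.
function makeAuditedScope(target, seen) {
  const handler = new Proxy({}, {
    get(_handlerTarget, trapName) {
      return (...args) => {
        // args[1] is the property key for has/get; other traps may carry none.
        seen.push({ trap: trapName, key: args[1] });
        return Reflect[trapName](...args);
      };
    },
  });
  return new Proxy(target, handler);
}

// Run `body` (sloppy-mode source text) as the body of `with (scope) {...}`
// and report which traps fired. `target` is a constructed sample scope.
function auditWithTraps(body, target = { x: 42 }) {
  const seen = [];
  const scope = makeAuditedScope(target, seen);
  const run = new Function('scope', `with (scope) { ${body} }`);
  const result = run(scope);
  const unexpected = seen
    .map((entry) => entry.trap)
    .filter((trap) => !ALLOWED_WITH_TRAPS.has(trap));
  return { result, seen, unexpected };
}

// Mirrors the reported repro: an async arrow created inside the with body
// must not cause the engine to resolve internal names through the scope.
function auditReportedRepro() {
  return auditWithTraps('eval("(async () => {})()"); return x;');
}
```

On Chrome and Firefox `auditReportedRepro().unexpected` is empty and the recorded keys are only the identifiers the body itself references (`eval`, `x`) plus `Symbol.unscopables`; an engine that routes internal lookups such as `newPromiseCapability` through the with-scope shows up as extra keys or extra trap names in `seen`.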
Radar WebKit Bug Importer
<rdar://problem/49392145>
Mark S. Miller
See https://github.com/DimensionDev/realms-shim/commit/55963b0b26c92235123afb0a95c251e0f48fd59d#commitcomment-34258398
Does this workaround look safe? Should we do something narrower?
Mark S. Miller
What is the status of this?
Yusuke Suzuki
I think that the main issue is fixed at some point.
[Log] async function expression, uninvoked (test.html, line 27)
[Log] async function expression, invoked (test.html, line 35)
[Log] async function declaration and invocation (test.html, line 43)
[Log] trapped outer/has – "shouldExistInTrapScope does not exist" (test.html, line 9)
[Log] trapped inner/has – "shouldExistInTrapScope does not exist" (test.html, line 9)
[Log] accessing actual property of with-object (test.html, line 52)
[Log] trapped outer/has – "shouldExistInTrapScope does not exist" (test.html, line 9)
[Log] trapped outer/get – "shouldExistInTrapScope does not exist" (test.html, line 9)
[Log] trapped inner/get – "shouldExistInTrapScope does not exist" (test.html, line 9)
[Log] trapped outer/get – "shouldExistInTrapScope does not exist" (test.html, line 9)
> [Log] trapped outer/has – "shouldExistInTrapScope does not exist" (test.html, line 9)
> [Log] trapped inner/has – "shouldExistInTrapScope does not exist" (test.html, line 9)
They are because of function declaration scope.
Yusuke Suzuki
Yes, this is fixed in Safari 13. Thanks!
*** This bug has been marked as a duplicate of bug 200898 ***
Yusuke Suzuki
(In reply to Yusuke Suzuki from comment #6)
> Yes, this is fixed in Safari 13. Thanks!
>
> *** This bug has been marked as a duplicate of bug 200898 ***
Ah, no, it is Safari 13.1 (April's release).
Yusuke Suzuki
Yeah, I've checked deeply and ensured that this is fixed in the last Safari release, thanks for your report!