Bug 231506

Summary: Investigate `JSGlobalObject == JSDOMGlobalObject` WebCore assumption in presence of Shadow Realms
Product: WebKit Reporter: Phillip Mates <pmates>
Component: WebCore JavaScriptAssignee: Nobody <webkit-unassigned>
Status: NEW ---    
Severity: Normal CC: joseph.j.griego, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 230602    

Description Phillip Mates 2021-10-11 03:10:02 PDT 
A lot of WebCore code assumes that JSGlobalObject instances are the JSDOMGlobalObject subclass.
For example, when `incumbentDOMWindow` is traversing JSGlobalObjects in the callstack, and it assumes that these ones are JSDOMWindow.

After introducing Shadow Realms, via https://bugs.webkit.org/show_bug.cgi?id=230602, this won't necessarily be true. That is WebCore's assumption that `JSGlobalObject == JSDOMGlobalObject` might no longer be valid.

This ticket a is a reminder that we need to investigate this and properly adapt the code if needed
Comment 1 Radar WebKit Bug Importer 2021-10-18 03:10:17 PDT 
<rdar://problem/84363152>
Comment 2 Phillip Mates 2021-10-25 10:54:00 PDT 
Yusuke, you raised this initially. Looking at `incumbentDOMWindow`, it doesn't seem to be used in api contexts that the shadow realm has access to. For example, in the derived JSDOMWindow.cpp, `incumbentDOMWindow` is used for `postMessage`, `closeBody`, `focusBody`, etc, which won't be exposed to the shadow realm global object.

Can you think of other areas we need to look out for, or perhaps this assumption isn't an issue?
Comment 3 Yusuke Suzuki 2021-10-25 12:02:25 PDT 
(In reply to Phillip Mates from comment #2)
> Yusuke, you raised this initially. Looking at `incumbentDOMWindow`, it
> doesn't seem to be used in api contexts that the shadow realm has access to.
> For example, in the derived JSDOMWindow.cpp, `incumbentDOMWindow` is used
> for `postMessage`, `closeBody`, `focusBody`, etc, which won't be exposed to
> the shadow realm global object.
> 
> Can you think of other areas we need to look out for, or perhaps this
> assumption isn't an issue?

What happens if you pass these functions to ShadowRealm and calling it inside ShadowRealm's user function?
Comment 4 Joseph Griego 2022-02-16 13:57:44 PST 
As mentioned on Slack (https://webkit.slack.com/archives/CTV4FGWF4/p1644353301940789) I think we are pretty comfortable not worrying about this, by the usual design of shadow realms, since when we call into parts of the runtime expecting a JSDOMObject on the stack, we will have the incubating realm's global object installed there because of the existing function wrapping;

I'm gonna leave this open, for now, though; since this does change when we install web APIs into the shadow realm context.