Bug 233143

Summary: [JSC] Shadow realms: set correct Function prototype on wrapped functions
Product: WebKit Reporter: Joseph Griego <joseph.j.griego>
Component: New BugsAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: caitp, ews-watchlist, joepeck, keith_miller, mark.lam, msaboff, pmates, saam, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch none

Description Joseph Griego 2021-11-15 13:07:42 PST 
[JSC] Shadow realms: set correct Function prototype on wrapped functions
Comment 1 Joseph Griego 2021-11-15 13:14:39 PST 
Created attachment 444299 [details]
Patch
Comment 2 Joseph Griego 2021-11-15 13:21:10 PST 
(NB: in `JSGlobalObject.cpp` i erred on the side of matching surrounding code, but the linter is complaining--not sure what the usual course of action is here)
Comment 3 Phillip Mates 2021-11-16 07:09:56 PST 
Comment on attachment 444299 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=444299&action=review

> Source/JavaScriptCore/runtime/ShadowRealmPrototype.cpp:141
> +    wrappedFn->setPrototype(vm, targetGlobalObj, targetGlobalObj->strictFunctionStructure(isBuiltin)->storedPrototype());

Any idea if `setPrototype` plays nice with function inlining optimizations? Might be worth trying to get some coverage for this change in the stress tests (like in JSTests/stress/shadow-realm-evaluate.js where we try to force inlining)
Comment 4 Joseph Griego 2021-11-18 11:52:15 PST 
Created attachment 444710 [details]
Patch
Comment 5 Joseph Griego 2021-11-18 13:15:24 PST 
I am not sure how correct inlining could ruin our day here, but I added some more tests that we're getting this right to the existing stress tests.
Comment 6 Yusuke Suzuki 2021-11-18 13:48:04 PST 
Comment on attachment 444710 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=444710&action=review

r=me but probably, eventually, I think we need to use bound function.

> Source/JavaScriptCore/builtins/ShadowRealmPrototype.js:56
> +        if (callerRealm !== null) {
> +            @moveFunctionToRealm(wrapped, callerRealm);
> +        }

WebKit coding style do not use brace if there is only one statement.
Comment 7 Caitlin Potter (:caitp) 2021-11-18 14:36:28 PST 
(In reply to Yusuke Suzuki from comment #6)
> Comment on attachment 444710 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=444710&action=review
> 
> r=me but probably, eventually, I think we need to use bound function.

I'm working on a variant using something like JSBoundFunction, it's in progress
Comment 8 Caitlin Potter (:caitp) 2021-11-18 14:37:47 PST 
(In reply to Caitlin Potter (:caitp) from comment #7)
> (In reply to Yusuke Suzuki from comment #6)
> > Comment on attachment 444710 [details]
> > Patch
> > 
> > View in context:
> > https://bugs.webkit.org/attachment.cgi?id=444710&action=review
> > 
> > r=me but probably, eventually, I think we need to use bound function.
> 
> I'm working on a variant using something like JSBoundFunction, it's in
> progress

However, I think the JS builtin version is fine, and I'd be happy with it.
Comment 9 Joseph Griego 2021-11-18 15:48:41 PST 
Created attachment 444748 [details]
Patch
Comment 10 Joseph Griego 2021-11-18 15:49:33 PST 
After discussing with caitp, we think this version (using a bool instead of swapping realm arguments) is more readable.

Also fixed the tests (which were typo'd) and style.
Comment 11 Yusuke Suzuki 2021-11-19 10:36:06 PST 
Comment on attachment 444748 [details]
Patch

r=me
Comment 12 EWS 2021-11-19 11:17:14 PST 
Committed r286069 (244456@main): <https://commits.webkit.org/244456@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 444748 [details].
Comment 13 Radar WebKit Bug Importer 2021-11-19 11:18:25 PST 
<rdar://problem/85612395>