Bug 195534: RESOLVED DUPLICATE of bug 200898
with(aProxy) {/*stuff*/} causes wrong traps
https://bugs.webkit.org/show_bug.cgi?id=195534
Mark S. Miller
Reported 2019-03-10 13:48:46 PDT
See https://github.com/tc39/proposal-realms/issues/200#issuecomment-471254838 and the enclosing thread. The traps seen
* are surprising
* violate the spec
* differ from the behavior seen on chrome and firefox
* are currently blocking the realms shim from working on safari/jsc

Once we understand these bugs we can probably modify the realms shim to work and maintain security despite these bugs. But until we understand these bugs, we cannot be confident that even the current realms shim maintains security. We need to know how the with-on-a-proxy trapping behavior differs from the spec. Thanks.
evan.exe
Comment 1 2019-03-12 15:15:14 PDT
There's some more detail here: https://github.com/tc39/proposal-realms/issues/200#issuecomment-472190359. This is a minimal repro case:

    const alwaysThrowHandler = new Proxy(Object.freeze({}), {
      get(target, prop) {
        throw new Error(`unexpected scope handler trap called: ${prop}`)
      }
    })

    const proxy = new Proxy(Object.create(this), {
      __proto__: alwaysThrowHandler,
      get: (target, prop) => target[prop],
      has: (target, prop) => true,
    })

    with (proxy) eval(`(async () => {})()`)

This runs fine with V8 but throws "unexpected scope handler trap called: getPrototypeOf" in JSC. Putting a breakpoint on "ProxyObject::performGetPrototype" shows that it comes from "JSScope::resolve" being called with "newPromiseCapability", which I think is from the implementation of "let promiseCapability be @newPromiseCapability(@Promise)" in BytecodeGenerator.cpp.
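A trap-recording variant of the repro above, added here as an example; it is not part of the bug report or of WebKit. Instead of throwing on the first stray trap, it logs every trap the engine invokes during `with (proxy)` lookups, so a shim's test suite can flag anything beyond `has` and `get`. The names `traceWithScope` and `EXPECTED_TRAPS` are hypothetical, and the expected set covers identifier reads only.

```javascript
// Added example, not code from the bug report or from WebKit.
// Plain identifier reads inside `with (proxy)` should reach only the
// `has` and `get` traps (including the Symbol.unscopables check).
const EXPECTED_TRAPS = new Set(['has', 'get']);

function traceWithScope(source, bindings = {}) {
  const calls = [];
  // Target inherits from the global object, as in the report's repro.
  const target = Object.assign(Object.create(globalThis), bindings);
  const handler = {};
  // Reflect exposes one function per Proxy trap, so this installs them all.
  for (const trap of Object.getOwnPropertyNames(Reflect)) {
    handler[trap] = (...args) => {
      const key = args[1];
      const named = typeof key === 'string' || typeof key === 'symbol';
      calls.push({ trap, key: named ? String(key) : null });
      // Claim every name so all free identifiers route through the proxy.
      if (trap === 'has') return true;
      // Read from the target itself, like `target[prop]` in the repro.
      if (trap === 'get') return Reflect.get(args[0], key);
      return Reflect[trap](...args);
    };
  }
  const scope = new Proxy(target, handler);
  // The Function constructor produces sloppy-mode code, so `with` parses
  // even when this file is loaded as a strict-mode module.
  const run = new Function('scope', `with (scope) { return (${source}); }`);
  const value = run(scope);
  const unexpected = calls.filter((c) => !EXPECTED_TRAPS.has(c.trap));
  return { value, calls, unexpected };
}

// Constructed inputs: one ordinary read, and the async case from the report.
const read = traceWithScope('answer + 1', { answer: 41 });
const asyncCase = traceWithScope('(async () => {})()');
console.log(read.calls, asyncCase.unexpected);
```

A non-empty `unexpected` list for the async case, such as an entry for `getPrototypeOf`, corresponds to the behaviour this report describes for JSC.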
Radar WebKit Bug Importer
Comment 2 2019-03-28 13:08:15 PDT
Mark S. Miller
Comment 3 2019-07-10 14:00:38 PDT
Mark S. Miller
Comment 4 2020-08-13 19:01:47 PDT
What is the status of this?
Yusuke Suzuki
Comment 5 2020-08-13 19:23:12 PDT
I think that the main issue is fixed at some point.

[Log] async function expression, uninvoked (test.html, line 27)
[Log] async function expression, invoked (test.html, line 35)
[Log] async function declaration and invocation (test.html, line 43)
[Log] trapped outer/has – "shouldExistInTrapScope does not exist" (test.html, line 9)
[Log] trapped inner/has – "shouldExistInTrapScope does not exist" (test.html, line 9)
[Log] accessing actual property of with-object (test.html, line 52)
[Log] trapped outer/has – "shouldExistInTrapScope does not exist" (test.html, line 9)
[Log] trapped outer/get – "shouldExistInTrapScope does not exist" (test.html, line 9)
[Log] trapped inner/get – "shouldExistInTrapScope does not exist" (test.html, line 9)
[Log] trapped outer/get – "shouldExistInTrapScope does not exist" (test.html, line 9)

> [Log] trapped outer/has – "shouldExistInTrapScope does not exist" (test.html, line 9)
> [Log] trapped inner/has – "shouldExistInTrapScope does not exist" (test.html, line 9)

They are because of function declaration scope.
Yusuke Suzuki
Comment 6 2020-08-13 19:39:24 PDT
Yes, this is fixed in Safari 13. Thanks!

*** This bug has been marked as a duplicate of bug 200898 ***
Yusuke Suzuki
Comment 7 2020-08-13 19:45:19 PDT
(In reply to Yusuke Suzuki from comment #6)
> Yes, this is fixed in Safari 13. Thanks!
>
> *** This bug has been marked as a duplicate of bug 200898 ***

Ah, no, it is Safari 13.1 (April's release).
Yusuke Suzuki
Comment 8 2020-08-13 20:00:14 PDT
Yeah, I've checked deeply and ensured that this is fixed in the last Safari release, thanks for your report!