231506 – Investigate `JSGlobalObject == JSDOMGlobalObject` WebCore assumption in presence of Shadow Realms

Bug 231506 - Investigate `JSGlobalObject == JSDOMGlobalObject` WebCore assumption in presence of Shadow Realms

Summary: Investigate `JSGlobalObject == JSDOMGlobalObject` WebCore assumption in prese...

Status:	NEW

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebCore JavaScript (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:	InRadar

Depends on:
Blocks:	230602
	Show dependency tree / graph

Reported:	2021-10-11 03:10 PDT by Phillip Mates
Modified:	2022-02-16 13:57 PST (History)
CC List:	3 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Phillip Mates 2021-10-11 03:10:02 PDT

A lot of WebCore code assumes that JSGlobalObject instances are the JSDOMGlobalObject subclass.
For example, when `incumbentDOMWindow` is traversing JSGlobalObjects in the callstack, and it assumes that these ones are JSDOMWindow.

After introducing Shadow Realms, via https://bugs.webkit.org/show_bug.cgi?id=230602, this won't necessarily be true. That is WebCore's assumption that `JSGlobalObject == JSDOMGlobalObject` might no longer be valid.

This ticket a is a reminder that we need to investigate this and properly adapt the code if needed

Comment 1 Radar WebKit Bug Importer 2021-10-18 03:10:17 PDT

<rdar://problem/84363152>

Comment 2 Phillip Mates 2021-10-25 10:54:00 PDT

Yusuke, you raised this initially. Looking at `incumbentDOMWindow`, it doesn't seem to be used in api contexts that the shadow realm has access to. For example, in the derived JSDOMWindow.cpp, `incumbentDOMWindow` is used for `postMessage`, `closeBody`, `focusBody`, etc, which won't be exposed to the shadow realm global object.

Can you think of other areas we need to look out for, or perhaps this assumption isn't an issue?

Comment 3 Yusuke Suzuki 2021-10-25 12:02:25 PDT

(In reply to Phillip Mates from comment #2)
> Yusuke, you raised this initially. Looking at `incumbentDOMWindow`, it
> doesn't seem to be used in api contexts that the shadow realm has access to.
> For example, in the derived JSDOMWindow.cpp, `incumbentDOMWindow` is used
> for `postMessage`, `closeBody`, `focusBody`, etc, which won't be exposed to
> the shadow realm global object.
> 
> Can you think of other areas we need to look out for, or perhaps this
> assumption isn't an issue?

What happens if you pass these functions to ShadowRealm and calling it inside ShadowRealm's user function?

Comment 4 Joseph Griego 2022-02-16 13:57:44 PST

As mentioned on Slack (https://webkit.slack.com/archives/CTV4FGWF4/p1644353301940789) I think we are pretty comfortable not worrying about this, by the usual design of shadow realms, since when we call into parts of the runtime expecting a JSDOMObject on the stack, we will have the incubating realm's global object installed there because of the existing function wrapping;

I'm gonna leave this open, for now, though; since this does change when we install web APIs into the shadow realm context.