[WIP] Shallow harden #1914
[WIP] Shallow harden #1914
Conversation
| @@ -64,14 +66,15 @@ let priorRepairIntrinsics; | |||
| /** @type {Error=} */ | |||
| let priorHardenIntrinsics; | |||
|
|
|||
| // @ts-expect-error harden always defined | |||
| if (globalThis.harden) { | |||
| deleteProperty(globalThis, 'harden'); | |||
There was a problem hiding this comment.
Hmm, what happens with captured references to the pre-lockdown harden?
There was a problem hiding this comment.
Yeah, we need to figure out the story for this. Right now I'm simply removing any harden found, like in the case of our xsnap-worker.
packages/ses/src/lockdown.js
Outdated
| @@ -300,6 +315,16 @@ export const repairIntrinsics = (options = {}) => { | |||
| optGetStackString, | |||
| ); | |||
| globalThis.console = /** @type {Console} */ (consoleRecord.console); | |||
| // eslint-disable-next-line no-underscore-dangle | |||
| if (typeof (/** @type {any} */ (globalThis.console)._times) === 'object') { | |||
| hostIntrinsics.SafeMap = getPrototypeOf( | |||
There was a problem hiding this comment.
This probably needs more explanation.
There was a problem hiding this comment.
Oh yeah, just getting it to pass first. But basically NodeJS has hidden intrinsics, supposed to be internal only but one of them leaks through an "underscore" property of their console.
| }, | ||
| hardenIntrinsics(root) { | ||
| intrinsicsWereHardened = true; | ||
| return harden(root); |
There was a problem hiding this comment.
Can harden throw? Might need afinally here.
There was a problem hiding this comment.
Yes it can, and no need for finally. The goal for now is to leave harden permanently broken. We can discuss whether we want this situation to be resolvable somehow.
| }); | ||
| } | ||
| } | ||
| } else if (setGetSize(protosToCheck) > 0) { |
There was a problem hiding this comment.
If intrinsics were note hardened, we should fail for any objects we intend to harden, but that were already in the hardenedAtLockdown set. (enforcing the rule that a prototype must be hardened before its instances)
|
@erights the use of harden are already in separate commits, but hold off anyway, I'm more thoroughly rewriting the harden implementation to add hooks. |
|
What about Agoric/agoric-sdk#8700 ? It, likewise, seems to be almost all improvements in the use of harden which would be valuable regardless, and could get merged early. Yes? |
mhofman
force-pushed
the
mhofman/harden-no-prototype
branch
from
488d675
to
c216035
Compare
mhofman
force-pushed
the
mhofman/harden-no-prototype
branch
from
c216035
to
f12327d
Compare
@erights I have now done that in #1939. While I have rebased this PR on top of that change (roughly), I do expect to rewrite it significantly to add hooks to fully separate |
mhofman
force-pushed
the
mhofman/harden-no-prototype
branch
from
f12327d
to
6408986
Compare
It's stacked by apparently GH is struggling and didn't update the base ... |
|
I think if you |
harden no longer hardens prototypes. Post lock-down asserts that prototypes are already hardened Add a isHardened predicate which checks if an object is hardened
mhofman
force-pushed
the
mhofman/harden-no-prototype
branch
from
6408986
to
be89d4e
Compare
refs: #1686