search

tc39 / proposal-preserve-virtualizability

Ensure hosts do not add new non-removable extensions
Apache License 2.0
8 stars 0 forks source link

V8 Error extensions may not be virtualizable #3

Open ghost opened 3 years ago

ghost commented 3 years ago

V8 provides a few extensions to the Error class that are not there by default, but may instead be assigned by the script author at runtime. Once assigned, they are called by V8 upon any thrown exceptions.

An automated script like SES-shim can remove them easily, as they aren't non-deletable, but, the code that runs afterward can just reassign them.

Would this be problematic for this proprosal?

erights commented 3 years ago

For the SES-shim, we deal with this well. See https://github.com/Agoric/SES-shim/blob/master/packages/ses/src/error/tame-error-constructor.js and https://github.com/Agoric/SES-shim/blob/master/packages/ses/src/error/tame-v8-error-constructor.js

In all cases, the SES-shim first hides the original Error constructor because of exactly the v8 magic documented at your link.

However, there's the more general issuer of how well do these features play with virtualizability? We can divide this into four questions:

  1. On an actual v8 host, how well can be safely provide a virtual v8 host? The SES-shim does so with the Error constructor left in the start compartment after calling lockdown() or lockdown({errorTaming: 'unsafe'});. This only has v8-like behavior if run on an actual v8 host. But it is a safe subset of the behavior described at that link.
  2. On an actual v8 host, how well can we provide a safe vanilla host? The SES-shim does so with the shared Error constructor installed on all created compartments, i.e., on all compartments other than the start compartment. For all compartments including the start compartment, Error.prototype.constructor is also the shared Error constructor. It provides no non-spec magic.
  3. On a non-v8 vanilla host, how well can be safely emulate a plain vanilla host? This is what SES-shim does on non-v8 hosts.
  4. On a non-v8 vanilla host, how well can we safely emulate a v8 host? The SES-shim does not try. The v8 Error behavior is quite magical and does not seem feasible to emulate on non-v8 hosts.

where we define "plain vanilla host" as one that implements the ES spec and possibly the magic error.stack property.

erights commented 3 years ago

See https://bugs.chromium.org/p/v8/issues/detail?id=10551 for an interesting anomaly of the v8 Error behavior that is specific to Node. Fortunately, the SES-shim is not vulnerable to it.

erights commented 3 years ago

I'm going to leave this open because of point 4 above:

  1. On a non-v8 vanilla host, how well can we safely emulate a v8 host? The SES-shim does not try. The v8 Error behavior is quite magical and does not seem feasible to emulate on non-v8 hosts.
erights commented 3 years ago

For the SES-shim, we deal with this well....

That seems interesting, if I might ask, where can I try running the SES shim myself?

Start at https://medium.com/agoric/ses-support-for-ecmascript-modules-28fc1beb709c attn @kriskowal