Hardening TypedArray
Currently, freezing a TypedArray throws, so harden throws. But
- typed arrays really ought to be directly marshalable for ergonomic reasons. The alternative is to wrap all typed arrays in a Blob wrapper of some kind.
- hardening a Map or Set is morally equivalent to preventing extensions and making all properties non-writable on a TypedArray
Making a special case for typed array in harden poses a couple challenges:
Differentiating a typed array appears to require try/catch, and try/catch in a hot loop is expensive. try/catch deoptimizes the entire surrounding function, so the usual trick to making it go fast is to have an intermediate function on the stack between two optimizable functions. We could amortize the cost by making a freeze queue and a trampoline that may resume flushing the queue if freeze throws and verifying the type of the typed array does not.
The current best idea for inducing the isTypedArray check is:
Reflect.apply(Object.getOwnPropertyDescriptor(Object.getPrototypeOf(Uint8Array.prototype), Symbol.toStringTag).get, target, [])
as of 2022-01-28, by @mhofman
Top GitHub Comments
Good catch! Uh oh. Fixing this will be complicated:
The proxy doesn’t have to pass the brand check. The proxy has to pass harden, and therefore isFrozen, while still acting adequately like a typed array. By adequately, I mean that it does SET and PUT of indexed properties “correctly”. But it does not need to pretend these are own properties. It can pretend to have inherited the indexed properties. I’d guess less than 1% of TypedArray code will care about this loss of fidelity.
Yuck! But I think it would work.
Ah right, since the real index own props are non-configurable already, preventExtensions should be strictly equivalent to seal if we update all the descriptions of the other properties to non-configurable non-writable!
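
An added example, not code from the issue or from the harden implementation: it uses the toStringTag getter quoted in the issue as a non-throwing brand check, then applies the preventExtensions-plus-pinning treatment discussed in the last comment. The names typedArrayKind and lockTypedArray and the sample array are assumptions made for illustration.

```javascript
// Added example: typedArrayKind and lockTypedArray are hypothetical names,
// not part of harden or SES.

// Getter for %TypedArray%.prototype[Symbol.toStringTag]. It returns the
// constructor name when `this` has the [[TypedArrayName]] internal slot and
// undefined otherwise. It never throws, so the check needs no try/catch.
const tagGetter = Object.getOwnPropertyDescriptor(
  Object.getPrototypeOf(Uint8Array.prototype),
  Symbol.toStringTag,
).get;

const typedArrayKind = (target) => Reflect.apply(tagGetter, target, []);

// On a typed array, an own string key of this shape is always a valid index.
const INDEX_KEY = /^(?:0|[1-9]\d*)$/;

// Harden-like treatment for a typed array: prevent extensions, then pin every
// non-index own property. Indexed elements stay writable, much as the contents
// of a hardened Map or Set stay mutable through its methods.
function lockTypedArray(ta) {
  if (typedArrayKind(ta) === undefined) {
    throw new TypeError('not a typed array');
  }
  Object.preventExtensions(ta);
  for (const key of Reflect.ownKeys(ta)) {
    if (typeof key === 'string' && INDEX_KEY.test(key)) continue;
    const desc = Object.getOwnPropertyDescriptor(ta, key);
    Object.defineProperty(ta, key, 'value' in desc
      ? { writable: false, configurable: false } // data property
      : { configurable: false });                // accessor property
  }
  return ta;
}

// Constructed sample input: a typed array carrying one expando property.
const sample = new Uint8Array([1, 2, 3]);
sample.label = 'expando';
lockTypedArray(sample);
sample[0] = 9; // element writes still succeed after locking
```

A Proxy wrapping a typed array fails this check because the internal slot is not forwarded, which is why the proxy approach in the comments has to satisfy harden without passing the brand check.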