[Webkit-unassigned] [Bug 261528] New: structuredClone rejects intrinsic prototype objects
bugzilla-daemon at webkit.org
Wed Sep 13 14:17:41 PDT 2023
https://bugs.webkit.org/show_bug.cgi?id=261528
Bug ID: 261528
Summary: structuredClone rejects intrinsic prototype objects
Product: WebKit
Version: Safari 17
Hardware: Mac (Apple Silicon)
OS: macOS 13
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: akaster at serenityos.org
Steps to reproduce:
Open JS console:
```
let a = { "a": 12 }
structuredClone(a.__proto__)   // prototype of an ordinary object (%Object.prototype%)
let b = new RegExp(".", "")
structuredClone(b.__proto__)   // %RegExp.prototype%
```
Actual results:
The prototype of the ordinary object a is cloned and printed to the console.
A DOM Exception is thrown when trying to clone the RegExp.prototype object from b.
Expected results:
The spec steps for structured serialize internal (html.spec.whatwg.org/multipage/structured-data.html#structuredserializeinternal) don't seem to preclude serializing intrinsic object prototypes:
In step 21, the algorithm precludes any objects with funky internal slots:
    Otherwise, if value has any internal slot other than [[Prototype]] or [[Extensible]], then throw a "DataCloneError" DOMException.
If we look at the ES spec for RegExp Prototype: tc39.es/ecma262/#sec-properties-of-the-regexp-prototype-object
It says that that object:
- is %RegExp.prototype%.
- is an ordinary object.
- is not a RegExp instance and does not have a [[RegExpMatcher]] internal slot or any of the other internal slots of RegExp instance objects.
- has a [[Prototype]] internal slot whose value is %Object.prototype%.
Which suggests to me that it should fall through to the next step, step 23, which says:
    Otherwise, if value is an exotic object and value is not the %Object.prototype% intrinsic object associated with any realm, then throw a "DataCloneError" DOMException.
Since %RegExp.prototype% is an ordinary object, it's not exotic, and so it should be cloneable as any other object.
Chromium does this per the spec, and Gecko does not.
Gecko bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1853050
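The following probe is an added example, not part of the bug report or of any engine's code: it uses brand-checking methods to observe whether a value carries an internal slot, predicts the structuredClone outcome under the reading of the spec given above, and compares that with what the running engine does. The helper names (SLOT_CHECKS, internalSlotsOf, predicted, observed, report) are hypothetical, only four slots are checked, and it assumes a runtime with a global structuredClone.

```javascript
// Added example; helper names are hypothetical and only four slots are probed.
// Each brand-checking method throws TypeError when its receiver lacks the
// named internal slot, which is the only way script can observe the slot.
const SLOT_CHECKS = [
  ["[[RegExpMatcher]]", "[object RegExp]", (v) => RegExp.prototype.exec.call(v, "")],
  ["[[DateValue]]", "[object Date]", (v) => Date.prototype.getTime.call(v)],
  ["[[MapData]]", "[object Map]", (v) => Map.prototype.has.call(v, 0)],
  ["[[SetData]]", "[object Set]", (v) => Set.prototype.has.call(v, 0)],
];

function internalSlotsOf(value) {
  return SLOT_CHECKS.filter(([, , check]) => {
    try { check(value); return true; } catch { return false; }
  }).map(([slot]) => slot);
}

// Prediction under the report's reading of StructuredSerializeInternal:
// callables throw, slot-bearing objects take their dedicated branch, and an
// ordinary object with no extra slots is serialized as a plain object.
function predicted(value) {
  if (typeof value === "function") return "DataCloneError";
  const hit = SLOT_CHECKS.find(([slot]) => internalSlotsOf(value).includes(slot));
  return hit ? hit[1] : "[object Object]";
}

// What this engine actually does: the clone's brand, or the exception name.
function observed(value) {
  try {
    return Object.prototype.toString.call(structuredClone(value));
  } catch (err) {
    return err.name; // "DataCloneError" where the engine rejects the value
  }
}

function report() {
  const samples = {
    "{ a: 12 }": { a: 12 },
    "/./": /./,
    "RegExp.prototype": RegExp.prototype,
    "Date.prototype": Date.prototype,
    "Map.prototype": Map.prototype,
    "Function.prototype": Function.prototype,
  };
  return Object.entries(samples).map(([name, value]) => {
    const row = { name, predicted: predicted(value), observed: observed(value) };
    return { ...row, diverges: row.predicted !== row.observed };
  });
}

console.table(report());
```

A row with diverges set to true marks an intrinsic that the engine handles differently from the prediction.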