Fix Proxy defineProperty trap

Summary: When a data property of a proxied object is assigned a new value, the defineProperty trap of Proxy is triggered with a descriptor with configurable: false, enumerable: false, and writable: false. However, according to the ECMAScript spec (see item 2.d.iii), the descriptor object must have no field other than value. This is problematic if the Proxy attempts to call Reflect.defineProperty() using the passed descriptor, as it unexpectedly "freezes" the property. This is happening because `objectFromPropertyDescriptor` always construct an object with the fields set for writeable, enumerable, and configurable as `ComputedPropertyDescriptor` doesn't have notion of whether these fields exist or not. Fixing this by changing to pass `DefinePropertyFlags` instead to `objectFromPropertyDescriptor` so that it can set the fields based on the existence of the fields. Reviewed By: fbmal7 Differential Revision: D51327887 fbshipit-source-id: f77c4934b13fa1d4e5fda6b54c47beac92c9a56e
facebook · Nov 29, 2023 · 7d93640 · 7d93640
1 parent ae15134
commit 7d93640
Show file tree

Hide file tree

Showing 5 changed files with 137 additions and 47 deletions.
diff --git a/include/hermes/VM/Operations.h b/include/hermes/VM/Operations.h
@@ -455,9 +455,16 @@ ExecutionStatus toPropertyDescriptor(
     MutableHandle<> &valueOrAccessor);
 
 /// ES9 6.2.5.4 FromPropertyDescriptor
+/// \p dpFlags is used to create the property descriptor object.
+/// If dpFlags.isAccessor() is true, it will be an Acessor Property Descriptor
+/// and so it will have getter and setter fields (they might be undefined).
+/// If dpFlags.isAccessor() is false, it will be a Data Property Descriptor, and
+/// so it will have value field, and also will have writable field if
+/// setWritable is true. enumurable and configurable fields will be set if
+/// setEnumurable and setConfigurable are set to true respectively.
 CallResult<HermesValue> objectFromPropertyDescriptor(
     Runtime &runtime,
-    ComputedPropertyDescriptor desc,
+    DefinePropertyFlags dpFlags,
     Handle<> valueOrAccessor);
 
 /// ES2022 21.2.1.1.1 NumberToBigInt(number)

diff --git a/lib/VM/JSLib/Object.cpp b/lib/VM/JSLib/Object.cpp
@@ -367,7 +367,18 @@ CallResult<HermesValue> getOwnPropertyDescriptor(
     valueOrAccessor = std::move(*propRes);
   }
 
-  return objectFromPropertyDescriptor(runtime, desc, valueOrAccessor);
+  DefinePropertyFlags dpFlags;
+  dpFlags.configurable = desc.flags.configurable;
+  dpFlags.enumerable = desc.flags.enumerable;
+  dpFlags.writable = desc.flags.writable;
+  dpFlags.setEnumerable = true;
+  dpFlags.setWritable = true;
+  dpFlags.setConfigurable = true;
+  dpFlags.setGetter = desc.flags.accessor;
+  dpFlags.setSetter = desc.flags.accessor;
+  dpFlags.setValue = !desc.flags.accessor;
+
+  return objectFromPropertyDescriptor(runtime, dpFlags, valueOrAccessor);
 }
 
 CallResult<HermesValue>

diff --git a/lib/VM/JSProxy.cpp b/lib/VM/JSProxy.cpp
@@ -659,13 +659,8 @@ CallResult<bool> JSProxy::defineOwnProperty(
         target, runtime, nameValHandle, dpFlags, valueOrAccessor, opFlags);
   }
   // 8. Let descObj be FromPropertyDescriptor(Desc).
-  ComputedPropertyDescriptor desc;
-  desc.flags.accessor = dpFlags.setGetter || dpFlags.setSetter;
-  desc.flags.writable = dpFlags.setWritable && dpFlags.writable;
-  desc.flags.enumerable = dpFlags.setEnumerable && dpFlags.enumerable;
-  desc.flags.configurable = dpFlags.setConfigurable && dpFlags.configurable;
   CallResult<HermesValue> descObjRes =
-      objectFromPropertyDescriptor(runtime, desc, valueOrAccessor);
+      objectFromPropertyDescriptor(runtime, dpFlags, valueOrAccessor);
   if (descObjRes == ExecutionStatus::EXCEPTION) {
     return ExecutionStatus::EXCEPTION;
   }

diff --git a/lib/VM/Operations.cpp b/lib/VM/Operations.cpp
@@ -2125,14 +2125,16 @@ ExecutionStatus toPropertyDescriptor(
 
 CallResult<HermesValue> objectFromPropertyDescriptor(
     Runtime &runtime,
-    ComputedPropertyDescriptor desc,
+    DefinePropertyFlags dpFlags,
     Handle<> valueOrAccessor) {
   Handle<JSObject> obj = runtime.makeHandle(JSObject::create(runtime));
 
   DefinePropertyFlags dpf = DefinePropertyFlags::getDefaultNewPropertyFlags();
 
-  if (!desc.flags.accessor) {
+  if (!dpFlags.isAccessor()) {
     // Data Descriptor
+    assert(dpFlags.setValue && "Data Descriptor must have value set");
+
     auto result = JSObject::defineOwnProperty(
         obj,
         runtime,
@@ -2147,21 +2149,25 @@ CallResult<HermesValue> objectFromPropertyDescriptor(
       return ExecutionStatus::EXCEPTION;
     }
 
-    result = JSObject::defineOwnProperty(
-        obj,
-        runtime,
-        Predefined::getSymbolID(Predefined::writable),
-        dpf,
-        Runtime::getBoolValue(desc.flags.writable),
-        PropOpFlags().plusThrowOnError());
-    assert(
-        result != ExecutionStatus::EXCEPTION &&
-        "defineOwnProperty() failed on a new object");
-    if (result == ExecutionStatus::EXCEPTION) {
-      return ExecutionStatus::EXCEPTION;
+    if (dpFlags.setWritable) {
+      result = JSObject::defineOwnProperty(
+          obj,
+          runtime,
+          Predefined::getSymbolID(Predefined::writable),
+          dpf,
+          Runtime::getBoolValue(dpFlags.writable),
+          PropOpFlags().plusThrowOnError());
+      assert(
+          result != ExecutionStatus::EXCEPTION &&
+          "defineOwnProperty() failed on a new object");
+      if (result == ExecutionStatus::EXCEPTION) {
+        return ExecutionStatus::EXCEPTION;
+      }
     }
   } else {
     // Accessor
+    assert(!dpFlags.setValue && "Accessor Descriptor cannot have value set");
+
     auto *accessor = vmcast<PropertyAccessor>(valueOrAccessor.get());
 
     auto getter = runtime.makeHandle(
@@ -2203,34 +2209,37 @@ CallResult<HermesValue> objectFromPropertyDescriptor(
     }
   }
 
-  auto result = JSObject::defineOwnProperty(
-      obj,
-      runtime,
-      Predefined::getSymbolID(Predefined::enumerable),
-      dpf,
-      Runtime::getBoolValue(desc.flags.enumerable),
-      PropOpFlags().plusThrowOnError());
-  assert(
-      result != ExecutionStatus::EXCEPTION &&
-      "defineOwnProperty() failed on a new object");
-  if (result == ExecutionStatus::EXCEPTION) {
-    return ExecutionStatus::EXCEPTION;
+  if (dpFlags.setEnumerable) {
+    auto result = JSObject::defineOwnProperty(
+        obj,
+        runtime,
+        Predefined::getSymbolID(Predefined::enumerable),
+        dpf,
+        Runtime::getBoolValue(dpFlags.enumerable),
+        PropOpFlags().plusThrowOnError());
+    assert(
+        result != ExecutionStatus::EXCEPTION &&
+        "defineOwnProperty() failed on a new object");
+    if (result == ExecutionStatus::EXCEPTION) {
+      return ExecutionStatus::EXCEPTION;
+    }
   }
 
-  result = JSObject::defineOwnProperty(
-      obj,
-      runtime,
-      Predefined::getSymbolID(Predefined::configurable),
-      dpf,
-      Runtime::getBoolValue(desc.flags.configurable),
-      PropOpFlags().plusThrowOnError());
-  assert(
-      result != ExecutionStatus::EXCEPTION &&
-      "defineOwnProperty() failed on a new object");
-  if (result == ExecutionStatus::EXCEPTION) {
-    return ExecutionStatus::EXCEPTION;
+  if (dpFlags.setConfigurable) {
+    auto result = JSObject::defineOwnProperty(
+        obj,
+        runtime,
+        Predefined::getSymbolID(Predefined::configurable),
+        dpf,
+        Runtime::getBoolValue(dpFlags.configurable),
+        PropOpFlags().plusThrowOnError());
+    assert(
+        result != ExecutionStatus::EXCEPTION &&
+        "defineOwnProperty() failed on a new object");
+    if (result == ExecutionStatus::EXCEPTION) {
+      return ExecutionStatus::EXCEPTION;
+    }
   }
-
   return obj.getHermesValue();
 }
 

diff --git a/test/hermes/proxy-props.js b/test/hermes/proxy-props.js
@@ -0,0 +1,68 @@
+/**
+ * Copyright (c) Meta Platforms, Inc. and affiliates.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+
+// RUN: %hermes -Xes6-proxy -non-strict -O -target=HBC %s | %FileCheck --match-full-lines %s
+
+// This is testing that the defineProperty trap of Proxy is triggered with a
+// descriptor with proper attributes when a data property of a proxied object
+// is assigned a new value.
+// We had a bug that we passed a descriptor with incorrect attributes such that
+// if the Proxy attempts to call Reflect.defineProperty() using the passed
+// descriptor, it unexpectedly froze the property.
+// For more detail, refer to https://github.com/facebook/hermes/issues/1065
+// (T159152103)
+var a = new Proxy({}, {
+    defineProperty: (obj, prop, desc) => {
+        // This print output is used for CHECK after each value assignment below.
+        print(JSON.stringify(desc));
+        return Reflect.defineProperty(obj, prop, desc);
+    },
+});
+
+// The first time we assign a value to a property, the descriptor
+// passed to the trap should have writable, enumerable, configurable
+// with all true.
+a.foo = 1;
+//CHECK: {"value":1,"writable":true,"enumerable":true,"configurable":true}
+
+print(a.foo)
+//CHECK-NEXT: 1
+const desc1 = Object.getOwnPropertyDescriptor(a, "foo");
+print(desc1.configurable);
+//CHECK-NEXT: true
+print(desc1.enumerable);
+//CHECK-NEXT: true
+print(desc1.writable);
+//CHECK-NEXT: true
+
+// The second time we assign a value to a property, the descriptor
+// passed to the trap should only have value.
+a.foo = 2;
+//CHECK-NEXT: {"value":2}
+
+print(a.foo)
+//CHECK-NEXT: 2
+const desc2 = Object.getOwnPropertyDescriptor(a, "foo");
+print(desc2.configurable);
+//CHECK-NEXT: true
+print(desc2.enumerable);
+//CHECK-NEXT: true
+print(desc2.writable);
+//CHECK-NEXT: true
+
+// Same as second case. Validating that foo is not unexpectedly fronzen.
+a.foo = 3;
+//CHECK-NEXT: {"value":3}
+print(a.foo)
+//CHECK-NEXT: 3
+const desc3 = Object.getOwnPropertyDescriptor(a, "foo");
+print(desc3.configurable);
+//CHECK-NEXT: true
+print(desc3.enumerable);
+//CHECK-NEXT: true
+print(desc3.writable);
+//CHECK-NEXT: true