fixup! unhardenable proxies refuse suppressTrapping

Author: erights

packages/captp/src/trap.js

@@ -19,7 +19,12 @@ export const nearTrapImpl = harden({
   },
 });
 
-/** @type {ProxyHandler<any>} */
+/**
+ * While the resulting proxy can be frozen, it refuses to be made non-trapping
+ * and so cannot be hardened.
+ *
+ * @type {ProxyHandler<any>}
+ */
 const baseFreezableProxyHandler = {
   set(_target, _prop, _value) {
     return false;
@@ -33,6 +38,10 @@ const baseFreezableProxyHandler = {
   deleteProperty(_target, _prop) {
     return false;
   },
+  // @ts-expect-error suppressTrapping is not yet in the TS ProxyHandler
+  suppressTrapping(_target) {
+    return false;
+  },
 };
 
 /**

packages/eventual-send/src/E.js

@@ -10,7 +10,12 @@ const { assign, create, freeze } = Object;
 
 const onSend = makeMessageBreakpointTester('ENDO_SEND_BREAKPOINTS');
 
-/** @type {ProxyHandler<any>} */
+/**
+ * While the resulting proxy can be frozen, it refuses to be made non-trapping
+ * and so cannot be hardened.
+ *
+ * @type {ProxyHandler<any>}
+ */
 const baseFreezableProxyHandler = {
   set(_target, _prop, _value) {
     return false;
@@ -24,6 +29,10 @@ const baseFreezableProxyHandler = {
   deleteProperty(_target, _prop) {
     return false;
   },
+  // @ts-expect-error suppressTrapping is not yet in the TS ProxyHandler
+  suppressTrapping(_target) {
+    return false;
+  },
 };
 
 // E Proxy handlers pretend that any property exists on the target and returns

packages/eventual-send/src/handled-promise.js

@@ -307,23 +307,32 @@ export const makeHandledPromise = () => {
         const { proxy: proxyOpts } = options;
         let presence;
         if (proxyOpts) {
-          // TODO for these cases, it will be unreasonably hard for all uses
-          // to avoid hardening the returned proxy.
           const {
             handler: proxyHandler,
             target: proxyTarget,
             revokerCallback,
           } = proxyOpts;
+
+          // While the resulting proxy can be frozen, by default,
+          // it refuses to be made non-trapping and so cannot be hardened.
+          // However, we allow proxyOpts.proxyHandler to explicitly override
+          // this default `suppressTrapping`.
+          const fullProxyHandler = {
+            suppressTrapping(_target) {
+              return false;
+            },
+            ...proxyHandler,
+          }
           if (revokerCallback) {
             // Create a proxy and its revoke function.
             const { proxy, revoke } = Proxy.revocable(
               proxyTarget,
-              proxyHandler,
+              fullProxyHandler,
             );
             presence = proxy;
             revokerCallback(revoke);
           } else {
-            presence = new Proxy(proxyTarget, proxyHandler);
+            presence = new Proxy(proxyTarget, fullProxyHandler);
           }
         } else {
           // Default presence.

packages/marshal/src/marshal-stringify.js

@@ -15,6 +15,12 @@ const doNotConvertValToSlot = val =>
 const doNotConvertSlotToVal = (slot, _iface) =>
   Fail`Marshal's parse must not encode any slots ${slot}`;
 
+/**
+ * While the resulting proxy can be frozen, it refuses to be made non-trapping
+ * and so cannot be hardened.
+ *
+ * @type {ProxyHandler<any>}
+ */
 const badArrayHandler = harden({
   get: (_target, name, _receiver) => {
     if (name === 'length') {
@@ -23,6 +29,9 @@ const badArrayHandler = harden({
     // `throw` is noop since `Fail` throws. But linter confused
     throw Fail`Marshal's parse must not encode any slot positions ${name}`;
   },
+  suppressTrapping(_target) {
+    return false;
+  },
 });
 
 // Note the use of `freeze` rather than `harden` below. This is because

packages/ses/src/strict-scope-terminator.js

@@ -35,6 +35,11 @@ export const alwaysThrowHandler = new Proxy(
  * scopeTerminatorHandler manages a strictScopeTerminator Proxy which serves as
  * the final scope boundary that will always return "undefined" in order
  * to prevent access to "start compartment globals".
+ *
+ * While the resulting proxy can be frozen, it refuses to be made non-trapping
+ * and so cannot be hardened.
+ *
+ * @type {ProxyHandler<any>}
  */
 const scopeProxyHandlerProperties = {
   get(_shadow, _prop) {
@@ -76,6 +81,10 @@ const scopeProxyHandlerProperties = {
   ownKeys(_shadow) {
     return [];
   },
+
+  suppressTrapping(_target) {
+    return false;
+  },
 };
 
 // The scope handler's prototype is a proxy that throws if any trap other