Removal of WeakMap/WeakSet clear

David Bruant bruant.d at gmail.com
Thu Dec 4 04:58:53 PST 2014


Le 04/12/2014 09:55, Andreas Rossberg a écrit :
> On 4 December 2014 at 00:54, David Bruant <bruant.d at gmail.com> wrote:
>> The way I see it, data structures are a tool to efficiently query data. They
>> don't *have* to be arbitrarily mutable anytime for this purpose.
>> It's a point of view problem, but in my opinion, mutability is the problem,
>> not sharing the same object. Being able to create and share structured data
>> should not have to mean it can be modified by anyone anytime. Hence
>> Object.freeze, hence the recent popularity of React.js.
> I agree, but that is all irrelevant regarding the question of weak
> maps, because you cannot freeze their content.
The heart of the problem is mutability and .clear is a mutability 
capability, so it's relevant. WeakMap are effectively frozen for some 
bindings if you don't have the keys.

> So my question stands: What would be a plausible scenario where
> handing a weak map to an untrusted third party is not utterly crazy to
> start with?
Sometimes you call functions you don't have written and pass arguments 
to them. WeakMaps are new, but APIs will have functions with WeakMaps as 
arguments. I don't see what's crazy. It'd be nice if I don't have to 
review all NPM packages I use to make sure they dont use .clear when I 
pass a weakmap.
If you don't want to pass the WeakMap directly, you have to create a new 
object "just in case" (cloning or wrapping) which carries its own 
obvious efficiency. Security then comes at the cost of performance while 
both could have been achieved if the same safe-by-default weakmap can be 
shared.

> In particular, when can giving them the ability to clear
> be harmful, while the ability to add random entries, or attempt to
> remove entries at guess, is not?
I don't have an answer to this case, now.
That said, I'm uncomfortable with the idea of seeing a decision being 
made that affects the language of the web until its end based on the 
inability of a few person to find a scenario that is deemed plausible by 
few other persons within a limited timeframe. It's almost calling for an 
"I told you so" one day.
I would return the question: can you demonstrate there are no such scenario?

We know ambiant authority is a bad thing, examples are endless in JS.
The ability to modify global variable has been the source of bugs and 
vulnerabilities.
JSON.parse implementations were modified by browsers because they used 
malicious versions of Array as a constructor which led to data leakage.
WeakMap.prototype.clear is ambiant authority. Admittedly, its effects 
are less broad and its malicious usage is certainly more subtle.

David


More information about the es-discuss mailing list