When the base linker's `MethodSynthesizer` generates reflective proxies in hijacked classes, it creates `This` nodes with type `ClassType(HijackedClass)`. This is not valid in the IR; they should have the corresponding primitive type. For IR coming from `ClassDef`s, this is checked by the `ClassDefChecker`. Synthesized methods, however, are not checked by the `ClassDefChecker` and therefore bypass the problem.

I was not able to produce a user-visible bug because of this. This seems to be because:

- The only hijacked class for which the `tpe` of `This` node matters is `Character` (in terms of how the `Emitter` works)
- `Character` has a direct implementation of every method that is not declared on `Any`

Therefore, we never synthesize a reflective proxy in `Character`, and we never run into the issue in practice.
The same problem likely exists in default bridges in theory. In practice, though, none of the hijacked classes inherit from any default method that they don't override. So it never even leads to any invalid default bridge being generated, let alone one that we can exploit to produce a bug.
sjrd added the `bug` (Confirmed bug. Needs to be fixed.) and `internal` (Not visible to users of Scala.js (only by devs in this repo)) labels on May 11, 2024.
However, we discovered this issue while working on the WebAssembly backend, for which all hijacked classes need to have `This` types with the correct type in order to produce well-typed Wasm code. See the workaround here: https://github.com/tanishiking/scala-wasm/blob/c9b8270e3da1a8f5335b18fc9bc79969e7541ec5/wasm/src/main/scala/org/scalajs/linker/backend/wasmemitter/WasmExpressionBuilder.scala#L1684-L1692