serialize-javascript icon indicating copy to clipboard operation
serialize-javascript copied to clipboard

Published 20 hours ago verified publisher icon yahoo

Cross-realm serialization/deserialization issues

Open ethanresnick opened this issue 7 years ago • 5 comments

I just wanted to open a dedicated issue for the conversation here, so that it doesn't get lost.

ethanresnick avatar Jul 20 '17 20:07 ethanresnick

Identity discontinuity is a real pain. I don't think providing expansion slots of any kind will help here because we also serialize functions, and if those functions are parsed and evaluated in a different realm, the objects that they produce (imagine that the function returns a regexp) will always exhibit different identity. The solution must be in user-land by evaluating the code in the correct sandbox, or work around the identity discontinuity problems.

caridy avatar Jul 21 '17 14:07 caridy

The solution must be in user-land by evaluating the code in the correct sandbox, or work around the identity discontinuity problems.

This sounds like the third option I mentioned here, right? I.e., the user should just make sure to eval the serialized result in a realm with globals that come from the same realm that serialize-js is running in.

If so, that seems suboptimal to me. Of course, I agree that this library can't control the identity of the objects produced during deserialization. Still, during serialization, it does seem like the library could correctly identify objects as RegExps or Dates, even if those objects come from a different realm. I think that would be a good thing to do, probably using the second option I mentioned in #27:

We can switch to user-land implementations of util.isDate and util.isRegExp that work around the cross-realm issue (idk how reliably), like https://github.com/ljharb/is-regex and https://github.com/ljharb/is-date-object

ethanresnick avatar Jul 21 '17 18:07 ethanresnick

Still, during serialization, it does seem like the library could correctly identify objects as RegExps or Dates

Yeah, I'm fine with that. My only concern is the performance of the serialization. @ljharb's packages seem to be optimized (I can probably raise this question next week when I see him in person) but I haven't try them. Remember that we will have to do that for every non-function object node in the object graph.

caridy avatar Jul 21 '17 18:07 caridy

My only concern is the performance of the serialization. @ljharb's packages seem to be optimized (I can probably raise this question next week when I see him in person) but I haven't try them.

Makes perfect sense. I'll let you raise it with him and decide what's best.

ethanresnick avatar Jul 21 '17 19:07 ethanresnick

All of my "is-*" libraries are "optimized" in the sense that they have as many fast paths as possible - they return false as early as they can, and in environments that are pre-Symbol.toStringTag, they use Object.prototype.toString.call - but in modern environments, they always have to use a try/catch around a brand-checking prototype method.

If you want to do fast brand checking, the proper path is likely to be https://github.com/jasnell/proposal-istypes (which my packages could help to polyfill).

ljharb avatar Jul 21 '17 19:07 ljharb