iterator proxy vs. SetterThatIgnoresPrototypeProperties – infinite recursion

[phoddie]

Fuzzilli found a bug in the XS implementation of SetterThatIgnoresPrototypeProperties. After fixing the bug, the result is infinite recursion.

Here is the code (simplified from Fuzzilli):

function trap() {
   return { configurable:true };
}
const array = new Array();
const iterator = array.keys();
const proxy = new Proxy(iterator, { getOwnPropertyDescriptor: trap });
proxy.constructor = {};

Here are the results with eshost:

#### JavaScriptCore

#### SpiderMonkey
InternalError: too much recursion

#### v8

#### XS
Error: stack overflow

We believe that XS is now following the relevant spec steps faithfully.

Note that both XS and SpiderMonkey show infinite recursion, but somehow JSC and v8 do not. What is the expected behavior?

[ljharb]

• 'constructor' in iterator === true && Object.getOwnPropertyDescriptor(iterator, 'constructor') === undefined
• trap ensures that every property reports as being own and configurable
• https://tc39.es/ecma262/#sec-SetterThatIgnoresPrototypeProperties indeed triggers a Set, which seems inherently recursive

My initial reading suggests that this is indeed an infinite loop for a misconfigured Proxy, and that jsc and v8 aren't matching the spec, but hopefully more folks will weigh in.

[mhofman]

I was actually about to report a similar issue, without proxy

Object.create(null, {constructor: Object.getOwnPropertyDescriptor(Iterator.prototype, 'constructor')}).constructor = 'bar'
VM423:1 Uncaught RangeError: Maximum call stack size exceeded

[bakkot]

I think an infinite loop is the expected behavior, yup. Having a Proxy which reports having a property which the underlying object lacks will often have strange behavior.

@mhofman I don't think that one's an issue; the setter is not designed to be re-homed.

[mhofman]

@mhofman I don't think that one's an issue; the setter is not designed to be re-homed.

Yeah it was just very surprising we have an infinite recursion purely in spec code.