[webkit-changes] [WebKit/WebKit] e46667: [JSC] Deferred module namespace's `"then"` leaks i...

Wed, 10 Jun 2026 17:20:31 -0700 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: e46667fac7213242c664feaa8017bc9e964450e4
      
https://github.com/WebKit/WebKit/commit/e46667fac7213242c664feaa8017bc9e964450e4
  Author: Sosuke Suzuki <[email protected]>
  Date:   2026-06-10 (Wed, 10 Jun 2026)

  Changed paths:
    A JSTests/modules/import-defer-then-not-enumerable.js
    M Source/JavaScriptCore/runtime/JSModuleNamespaceObject.cpp

  Log Message:
  -----------
  [JSC] Deferred module namespace's `"then"` leaks into `Object.keys`
https://bugs.webkit.org/show_bug.cgi?id=316610

Reviewed by Yusuke Suzuki.

Per the import defer proposal, IsSymbolLikeNamespaceKey(P, O) treats "then"
as symbol-like on a deferred namespace, so [[GetOwnProperty]]("then") returns
OrdinaryGetOwnProperty(O, "then") = undefined. EnumerableOwnProperties filters
each key through [[GetOwnProperty]] and skips keys whose descriptor is
undefined, so Object.keys / Object.values / Object.entries / spread / for-in
must not list "then". [[OwnPropertyKeys]] returns [[Exports]] unfiltered, so
Reflect.ownKeys and Object.getOwnPropertyNames still include it.

JSModuleNamespaceObject::getOwnPropertyNames in DontEnumPropertiesMode::Exclude
already performed [[GetOwnProperty]] on each export name (for the ReferenceError
side effect on uninitialized bindings) but ignored its result and added every
key unconditionally, so "then" leaked into Object.keys:

    // dep.js: export let foo = 1; export function then(cb) { cb(); }
    import defer * as ns from "./dep.js";
    Object.keys(ns);  // ["foo", "then"], must be ["foo"]

Use the result of the [[GetOwnProperty]] lookup and skip keys with no
descriptor, the same way ProxyObject::performGetOwnEnumerablePropertyNames
implements this filter. The only key that can lack a descriptor is the
symbol-like "then" of a deferred namespace, so non-deferred namespaces are
unaffected.

Test: JSTests/modules/import-defer-then-not-enumerable.js

* JSTests/modules/import-defer-then-not-enumerable.js: Added.
(shouldBe.JSON.stringify):
* Source/JavaScriptCore/runtime/JSModuleNamespaceObject.cpp:
(JSC::JSModuleNamespaceObject::getOwnPropertyNames):

Canonical link: https://commits.webkit.org/314977@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

Reply via email to