fix(ses): completePrototypes on Hermes

[leotm]

Description

• Refs: SES lockdown Hermes compat tracking issue #1891
  • completePrototypes
• Follow-up to
  • feat(ses): Shim compatible with Hermes compiler #2334

Calling lockdown on Hermes, in the VM or React Native runtime, we reach

endo/packages/ses/src/intrinsics.js

Lines 101 to 104 in 7b8c677

	const namePrototype = permit.prototype;
	if (!namePrototype) {
	throw TypeError(`${name}.prototype property not whitelisted`);
	}

# Hermes VM
Uncaught TypeError: lockdown.prototype property not whitelisted

checking the lockdown intrinsic descriptor

{"length":{"value":1,"writable":false,"enumerable":false,"configurable":true},"name":{"value":"","writable":false,"enumerable":false,"configurable":true},"caller":{"enumerable":false,"configurable":false},"arguments":{"enumerable":false,"configurable":false},"prototype":{"value":{},"writable":true,"enumerable":false,"configurable":false}}

we see it's because the prototype is non-standard

endo/packages/ses/src/permits.js

Line 1644 in 7b8c677

lockdown: fn,

endo/packages/ses/src/permits.js

Lines 282 to 283 in 7b8c677

	// Aliases
	const fn = FunctionInstance;

endo/packages/ses/src/permits.js

Lines 265 to 273 in 7b8c677

	// Function Instances
	export const FunctionInstance = {
	'[[Proto]]': '%FunctionPrototype%',
	length: 'number',
	name: 'string',
	// Do not specify "prototype" here, since only Function instances that can
	// be used as a constructor have a prototype property. For constructors,
	// since prototype properties are instance-specific, we define it there.
	};

so we should be terminating the current loop iteration instead of throwing the error, ideally at

endo/packages/ses/src/intrinsics.js

Lines 93 to 96 in 7b8c677

	if (!objectHasOwnProperty(intrinsic, 'prototype')) {
	// eslint-disable-next-line no-continue
	continue;
	}

the initial approach fixed our 3 problematic intrinsics on Hermes
by terminating the current loop iteration earlier
before throwing the error as intended
i.e. skip completing prototypes that shouldn't be there

Repro branch including proposed fix and detailed Hermes VM print output (no Babel)

• feat(ses): Shim compatible with Hermes compiler #2334
  • https://github.com/endojs/endo/tree/ses-hermes-completePrototypes-repro
  • https://github.com/endojs/endo/tree/ses-hermes-whitelistIntrinsics-repro
    • yarn clean && yarn build:hermes && test:hermes

TODO: check v0.13.0 for RN0.75.x ✅ partially fixed: lockdown intrinsic only
we can easily test this in #2334 by downloading the .tar.gz locally then updating both binary paths

// Hermes release v0.13.0 for RN0.75.x

// lockdown, fixed - no prototype
{"length":{"value":1,"writable":false,"enumerable":false,"configurable":true},"name":{"value":"","writable":false,"enumerable":false,"configurable":true},"caller":{"enumerable":false,"configurable":false},"arguments":{"enumerable":false,"configurable":false}}

// - Uncaught TypeError: harden.prototype property not whitelisted
{"length":{"value":1,"writable":false,"enumerable":false,"configurable":true},"name":{"value":"harden","writable":false,"enumerable":false,"configurable":true},"caller":{"enumerable":false,"configurable":false},"arguments":{"enumerable":false,"configurable":false},"prototype":{"value":{},"writable":true,"enumerable":false,"configurable":false}}

// - Uncaught TypeError: %InitialGetStackString%.prototype property not whitelisted
{"length":{"value":1,"writable":false,"enumerable":false,"configurable":true},"name":{"value":"getStackString","writable":false,"enumerable":false,"configurable":true},"caller":{"enumerable":false,"configurable":false},"arguments":{"enumerable":false,"configurable":false},"prototype":{"value":{},"writable":true,"enumerable":false,"configurable":false}}

nb:

endo/packages/ses/src/permits.js

Lines 1644 to 1647 in 7b8c677

	lockdown: fn,
	harden: { ...fn, isFake: 'boolean' },
	'%InitialGetStackString%': fn,

TODO: build Static Hermes with cmake and ninja then test (i.e. is it fully fixed upstream?)

• https://github.com/facebook/hermes/tree/sh_stable
• https://github.com/facebook/hermes/tree/static_h

yes ✅ object literals short hand method

• Short-hand methods don't have prototype / construct facebook/hermes#1371
• facebook/hermes@00f18c8

the current proposed change accounts for Hermes' non-standard fn instance prototype (fixed in Static Hermes), by setting it to undefined when completing the prototypes

another approach: #2563 (comment)

Security Considerations

Does this change introduce new assumptions or dependencies that, if violated, could introduce security vulnerabilities? How does this PR change the boundaries between mutually-suspicious components? What new authorities are introduced by this change, perhaps by new API calls?

• proposed pr change is minimal and less intrusive than alternate solution below (Compatibility Considerations)
• new assumptions: if the JS engine contains the 3 unexpected prototypes, tolerate them, if not - great!

Scaling Considerations

Does this change require or encourage significant increase in consumption of CPU cycles, RAM, on-chain storage, message exchanges, or other scarce resources? If so, can that be prevented or mitigated?

• no further resources consumed

Documentation Considerations

Give our docs folks some hints about what needs to be described to downstream users. Backwards compatibility: what happens to existing data or deployments when this code is shipped? Do we need to instruct users to do something to upgrade their saved data? If there is no upgrade path possible, how bad will that be for users?

• the solution is backwards compatible with older versions of Hermes (v0.12.0) and React Native to be safe
• intrinsic lockdown is fixed on v0.13.0 for RN0.75.x, so this part of the condition can be sunset when we want to drop support for v0.12.0
• React Native Releases Support Policy

Testing Considerations

Every PR should of course come with tests of its own functionality. What additional tests are still needed beyond those unit tests? How does this affect CI, other test automation, or the testnet?

• see repro to see completePrototypes finishing successfully on Hermes VM with detailed print output

Compatibility Considerations

Does this change break any prior usage patterns? Does this change allow usage patterns to evolve?

Considered alternative solution

      if (
        !objectHasOwnProperty(intrinsic, 'prototype') ||
        (typeof intrinsicPrototype === 'object' &&
          // eslint-disable-next-line
          Object.keys(intrinsicPrototype).length === 0)
      ) {

which accounts for { ... "prototype":{"value":{},"writable":true,"enumerable":false,"configurable":false} }

but this breaks building the ses bundle when calling whitelistIntrinsics after completePrototypes

SES_UNCAUGHT_EXCEPTION: (TypeError#1) Unexpected property prototype with permit %ArrayPrototype% at intrinsics.Array.prototype`

which appears to be a regression, so no bueno

(See also Documentation Considerations RE backward compatibility)

Upgrade Considerations

What aspects of this PR are relevant to upgrading live production systems, and how should they be addressed?

Include *BREAKING*: in the commit message with migration instructions for any breaking change.

Update NEWS.md for user-facing changes.

Delete guidance from pull request description before merge (including this!)

(See also Documentation Considerations RE backward compatibility)

[leotm]

draft pending testing changes from endo sync in VM and React Native

[leotm]

we considered implementing

endo/packages/ses/src/intrinsics.js

Lines 103 to 110 in a13a879

	// Bypass Hermes bug, fixed in: https://github.com/facebook/hermes/commit/00f18c89c720e1c34592bb85a1a8d311e6e99599
	if (
	typeof intrinsic === 'function' &&
	intrinsic.prototype !== undefined &&
	permitPrototype === 'undefined' // permits.js
	) {
	intrinsic.prototype = undefined;
	}

instead in

// packages/ses/src/tame-function-tostring.js
// ...
      if (
        !/^[A-Z]/.test(func.name) &&
        func.prototype !== undefined
      ) {
        func.prototype = undefined;
      }
// ...

but at this point it's too late, so went with the current approach

[leotm]

https://github.com/endojs/endo/actions/runs/11366289654/job/31616329403?pr=2563

Run npx playwright install --with-deps
  npx playwright install --with-deps
  shell: /usr/bin/bash -e {0}
Installing dependencies...
Switching to root user to install dependencies...
Hit:1 http://azure.archive.ubuntu.com/ubuntu noble InRelease
Get:[2](https://github.com/endojs/endo/actions/runs/11366289654/job/31616329403?pr=2563#step:9:2) http://azure.archive.ubuntu.com/ubuntu noble-updates InRelease [126 kB]
Get:[3](https://github.com/endojs/endo/actions/runs/11366289654/job/31616329403?pr=2563#step:9:3) http://azure.archive.ubuntu.com/ubuntu noble-backports InRelease [126 kB]
Get:[4](https://github.com/endojs/endo/actions/runs/11366289654/job/31616329403?pr=2563#step:9:5) http://azure.archive.ubuntu.com/ubuntu noble-security InRelease [126 kB]
Hit:[5](https://github.com/endojs/endo/actions/runs/11366289654/job/31616329403?pr=2563#step:9:6) https://packages.microsoft.com/repos/azure-cli noble InRelease
Get:[6](https://github.com/endojs/endo/actions/runs/11366289654/job/31616329403?pr=2563#step:9:7) https://packages.microsoft.com/ubuntu/24.04/prod noble InRelease [3600 B]
Get:7 http://azure.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages [59[7](https://github.com/endojs/endo/actions/runs/11366289654/job/31616329403?pr=2563#step:9:8) kB]
Get:8 http://azure.archive.ubuntu.com/ubuntu noble-updates/main Translation-en [146 kB]
Get:9 http://azure.archive.ubuntu.com/ubuntu noble-updates/main amd64 c-n-f Metadata [10.3 kB]
Get:10 http://azure.archive.ubuntu.com/ubuntu noble-updates/universe amd64 Packages [706 kB]
Get:11 http://azure.archive.ubuntu.com/ubuntu noble-updates/universe Translation-en [209 kB]
Get:12 http://azure.archive.ubuntu.com/ubuntu noble-updates/universe amd64 c-n-f Metadata [19.[8](https://github.com/endojs/endo/actions/runs/11366289654/job/31616329403?pr=2563#step:9:9) kB]
Get:13 http://azure.archive.ubuntu.com/ubuntu noble-updates/restricted amd64 Packages [388 kB]
Get:14 http://azure.archive.ubuntu.com/ubuntu noble-updates/restricted Translation-en [74.8 kB]
Get:15 http://azure.archive.ubuntu.com/ubuntu noble-updates/multiverse amd64 Packages [14.8 kB]
Get:16 http://azure.archive.ubuntu.com/ubuntu noble-updates/multiverse Translation-en [3820 B]
Get:17 http://azure.archive.ubuntu.com/ubuntu noble-updates/multiverse amd64 c-n-f Metadata [552 B]
Get:18 http://azure.archive.ubuntu.com/ubuntu noble-backports/universe amd64 Packages [10.6 kB]
Get:1[9](https://github.com/endojs/endo/actions/runs/11366289654/job/31616329403?pr=2563#step:9:10) http://azure.archive.ubuntu.com/ubuntu noble-backports/universe Translation-en [10.8 kB]
Get:20 http://azure.archive.ubuntu.com/ubuntu noble-backports/universe amd64 c-n-f Metadata [1[10](https://github.com/endojs/endo/actions/runs/11366289654/job/31616329403?pr=2563#step:9:11)4 B]
Get:21 http://azure.archive.ubuntu.com/ubuntu noble-security/main amd64 Packages [410 kB]
Get:22 http://azure.archive.ubuntu.com/ubuntu noble-security/main Translation-en [90.4 kB]
Get:23 http://azure.archive.ubuntu.com/ubuntu noble-security/main amd64 c-n-f Metadata [5788 B]
Get:24 http://azure.archive.ubuntu.com/ubuntu noble-security/universe amd64 Packages [553 kB]
Get:25 http://azure.archive.ubuntu.com/ubuntu noble-security/universe Translation-en [147 kB]
Get:26 http://azure.archive.ubuntu.com/ubuntu noble-security/universe amd64 c-n-f Metadata [13.5 kB]
Get:27 https://packages.microsoft.com/ubuntu/24.04/prod noble/main armhf Packages [5057 B]
Get:28 https://packages.microsoft.com/ubuntu/24.04/prod noble/main amd64 Packages [12.2 kB]
Get:29 https://packages.microsoft.com/ubuntu/24.04/prod noble/main arm64 Packages [8451 B]
Fetched 3820 kB in 1s (7439 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
Package libicu70 is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

Package libasound2 is a virtual package provided by:
  liboss4-salsa-asound2 4.2-build2020-1ubuntu3
  libasound2t64 1.2.[11](https://github.com/endojs/endo/actions/runs/11366289654/job/31616329403?pr=2563#step:9:12)-1build2 (= 1.2.11-1build2)

E: Package 'libasound2' has no installation candidate
E: Package 'libicu70' has no installation candidate
E: Unable to locate package libffi7
E: Unable to locate package libx264-163
Failed to install browsers
Error: Installation process exited with code: 100
Error: Process completed with exit code 1.

flakey CI, re-run

edit: fail persisting after re-run and happening elsewhere #2583 (comment)

Definitely unrelated. We saw this once before when one of the browsers shifted underneath us. I reran the job and it persisted. It’s not a required job.

[gibson042]

Another thought: concise functions in Hermes may incorrectly have a prototype property, but bound functions do not:

$ eshost -se '[()=>{}, (()=>{}).bind()].map(fn => Object.hasOwnProperty.call(fn, "prototype"))'
#### engine262, GraalJS, JavaScriptCore, Moddable XS, QuickJS, SpiderMonkey, V8
false,false

#### Hermes
true,false

So any receiver-insensitive function that needs be presented as non-newable (which I think describes all functions that we want to appear native) can be wrapped with bind.

[legobeat]

Package libasound2 is a virtual package provided by:
 liboss4-salsa-asound2 4.2-build2020-1ubuntu3
 libasound2t64 1.2.[11](https://github.com/endojs/endo/actions/runs/11366289654/job/31616329403?pr=2563#step:9:12)-1build2 (= 1.2.11-1build2)

@leotm I believe this is because GitHub runner images switched from 22.04 to 24.04 (I see noble there).

This should fix it:

• ci: fix browser-tests ubuntu 24.04 compat #2587

[leotm]

Another thought: concise functions in Hermes may incorrectly have a prototype property, but bound functions do not:

$ eshost -se '[()=>{}, (()=>{}).bind()].map(fn => Object.hasOwnProperty.call(fn, "prototype"))'
#### engine262, GraalJS, JavaScriptCore, Moddable XS, QuickJS, SpiderMonkey, V8
false,false

#### Hermes
true,false

So any receiver-insensitive function that needs be presented as non-newable (which I think describes all functions that we want to appear native) can be wrapped with bind.

good point ^ same with normal functions

# Hermes release version: 0.12.0, HBC bytecode version: 89
>> [function(){}, (function(){}).bind()].map(fn => Object.hasOwnProperty.call(fn, "prototype"))
[ true, false, [length]: 2 ]

so binding the intrinsic works too after restoring the permits
https://github.com/endojs/endo/tree/ses-hermes-completePrototypes-bind
instead of setting the prototype to undefined

[erights]

Please explain the Hermes bug you're bypassing below, in addition to the commit link.

[leotm]

TODO: add explanation pending investigation how lockdown / harden / %InitialGetStackString% are defined in SES

• if (object literal) concise method, commit link is correct
  • likely harden
  • likely %InitialGetStackString%
• if concise (arrow) function, facebook/hermes@c42491d
  • likely lockdown

[leotm]

just clarifying the above (how these three are defined in SES)

• lockdown: arrow fn
  • harden: arrow fn
• getStackString: (object literal) concise (shorthand) method

endo/packages/ses/src/lockdown-shim.js

Lines 15 to 18 in 4ca4028

	globalThis.lockdown = options => {
	const hardenIntrinsics = repairIntrinsics(options);
	globalThis.harden = hardenIntrinsics();
	};

endo/packages/ses/src/lockdown.js

Line 408 in 4ca4028

const hardenIntrinsics = () => {

endo/packages/ses/src/error/tame-error-constructor.js

Lines 21 to 23 in 4ca4028

	// Use concise methods to obtain named functions without constructors.
	const tamedMethods = {
	getStackString(error) {

so added commit earlier updating documentation in permits.js and intrinsics.js 575cd60

[erights]

Likewise. Is there an issue for this Hermes bug?

[leotm]

for concise (arrow) functions

• no issue was raised
• facebook/hermes@c42491d fixed in Hermes v0.13.0

but yes for (object literal) concise (shorthand) methods

• Short-hand methods don't have prototype / construct facebook/hermes#1371
• facebook/hermes@00f18c8 fixed in Static Hermes (unreleased)

[erights]

Why exactly these three?

[leotm]

it's these three intrinsics ^ that throw at

endo/packages/ses/src/intrinsics.js

Lines 101 to 104 in 7a991aa

	const namePrototype = permit.prototype;
	if (!namePrototype) {
	throw TypeError(`${name}.prototype property not whitelisted`);
	}

when calling lockdown() on Hermes VM (surfaced in React Native)

[leotm]

on Hermes v0.12.0 it's all three ^
on v0.13.0 for RN0.75.x only harden and %InitialGetStackString%

otherwise on Static Hermes (unreleased) none of these are an issue
which atm can only be tested by building and running either sh_stable or static_h

after #2334 lands, adding v0.13.0 to CI is up next (it's not on npm, so will need to wget the .tar.gz)
followed by Static Hermes after (no distro yet so in CI will need to build and run from scratch)

[leotm]

the initial approach was minimal and to ignore these three, but it doesn't remove them

the proposed change expects undefined and sets undefined which seems better

or calling .bind() on these three instead which also works (repro)

[erights]

I'm confused. Why doesn't #1221 make this a non-issue, setting the .prototype to undefined itself?

[leotm]

side note: looks like all of the hermes releases have been published to GitHub now?! (but still not npmjs, if planned)

but it remains there's no need for SES to support these older versions
since metamask-mobile is now on React Native 0.72.15
whereas Hermes v0.11.0 for RN0.68.x has been unsupported for years

[leotm]

But AFAICT lockdown is defined as an arrow function. So why is it more problematic than a zillion other arrow functions? Or, perhaps, is it the only intrinsic defined by us as an arrow function?

this part's been puzzling me too...
why is completing the lockdown prototype a problem on Hermes v0.12.0 (and older)...
but not on Hermes v0.13.0+ 🤔
(and the a zillion other arrow functions)

If all this is true, then it makes sense to permit prototype: undefined on these three. So I'll approve on that basis. But before merging, please let us know if this is indeed all true.

sure ^ i'll keep digging to find the answer to these last couple questions (and #1221)

[leotm]

I'm confused. Why doesn't #1221 make this a non-issue, setting the .prototype to undefined itself?

Is it because the test in intrinsics.js is inconsistently stricter than the #1221 test in permit-intrinsics.js and runs first?

exactly the current order and strictness on master is

• intrinsics.js > completePrototypes
  • isObject(intrinsic)
  • objectHasOwnProperty(intrinsic, 'prototype')
  • typeof permit === 'object'
  • !permit.prototype
    • throw TypeError(`${name}.prototype property not whitelisted`);
• permit-intrinsics.js > whitelistIntrinsics
  • prop in obj
  • typeof obj === 'function' && prop === 'prototype'
    • obj.prototype = undefined (not reached)
    • fix: tolerate empty func.prototype #1221

[leotm]

Separately, it looks like a bug that

the test in intrinsics.js is inconsistently stricter than the #1221 test in permit-intrinsics.js and runs first

Could you file an issue on that and assign it to me? Thanks.

• Function prototype set to undefined inconsistently too late #2598

[leotm]

So why is it more problematic than a zillion other arrow functions?

for example checking: permits.js > Appendix B > Annex B

endo/packages/ses/src/permits.js

Lines 1613 to 1650 in 4ca4028

	// Appendix B
	// Annex B: Additional Properties of the Global Object
	escape: fn,
	unescape: fn,
	// Proposed
	'%UniqueCompartment%': {
	'[[Proto]]': '%FunctionPrototype%',
	prototype: '%CompartmentPrototype%',
	toString: fn,
	},
	'%InertCompartment%': {
	'[[Proto]]': '%FunctionPrototype%',
	prototype: '%CompartmentPrototype%',
	toString: fn,
	},
	'%CompartmentPrototype%': {
	constructor: '%InertCompartment%',
	evaluate: fn,
	globalThis: getter,
	name: getter,
	import: asyncFn,
	load: asyncFn,
	importNow: fn,
	module: fn,
	'@@toStringTag': 'string',
	},
	lockdown: fn,
	harden: { ...fn, isFake: 'boolean' },
	'%InitialGetStackString%': fn,
	};

these aren't problematic on Hermes
since they're not proposed by SES
so already implemented correctly in Hermes natively:

function escape() { [native code] }
function unescape() { [native code] }

however our three functions proposed by SES are problematic
since we are adding them to Hermes as buggy arrow functions and concise methods:

function (a0) { [bytecode] } // lockdown
function harden(a0) { [bytecode] } // harden
function getStackString(a0) { [bytecode] } // intrinsic: %InitialGetStackString%

[erights]

LGTM module suggestions, especially #2563 (comment)

[boneskull]

I'm too unfamiliar with this to feel comfortable approving it. But here I am anyway!

@leotm Are we testing against Hermes in CI somewhere? Can you point me to it?

[boneskull]

I don't know what "Static Hermes" is. add reference to comment?

[leotm]

added here 1d4bd35

[leotm]

@leotm Are we testing against Hermes in CI somewhere? Can you point me to it?

both proposed 2 changes (permits.js, intrinsics.js) can be verified working against Hermes CI in
https://github.com/endojs/endo/tree/ses-hermes-whitelistIntrinsics-repro
running yarn build:hermes && yarn test:hermes where completePrototypes is now fixed on Hermes

otherwise final changes to #2334 nearly ready for official Hermes CI feedback

[leotm]

LGTM module suggestions, especially #2563 (comment)

If all this is true, then it makes sense to permit prototype: undefined on these three. So I'll approve on that basis. But before merging, please let us know if this is indeed all true.

all questions answered and addressed ^ in comments and commits