script: Add support for creating globals in isolated compartments (#38236)

to use the [SpiderMonkey Debugger API](https://firefox-source-docs.mozilla.org/js/Debugger/), we need to call it from an internal debugger script that we will supply. this script must run in the same runtime as the debuggee(s), but in a separate [compartment](https://udn.realityripple.com/docs/Mozilla/Projects/SpiderMonkey/Compartments) ([more details](https://hacks.mozilla.org/2020/03/future-proofing-firefoxs-javascript-debugger-implementation/)). when creating two globals in the same runtime, Servo will generally try to reuse an existing compartment for the second global, and there are other places in script where we rely on this reuse. but for the debugger script, we can’t do this. this patch adds a `use_system_compartment` flag to global object descriptors, which isolates the global in its own compartment in both possible directions: - it forces the global to create a new compartment, preventing the reuse of any debuggee’s compartment - it fails the check in select_compartment(), preventing future debuggees from reusing the global’s compartment Testing: manually tested working in devtools debugger patch (#37667), where it will undergo automated tests --------- Signed-off-by: Delan Azabani <dazabani@igalia.com> Co-authored-by: atbrakhi <atbrakhi@igalia.com>
2025-07-29 10:10:34 +01:00 · 2025-07-23 19:34:37 +08:00 · 2025-07-23 19:34:37 +08:00 · 52f53f61e1
commit 52f53f61e1
parent d9f8fc505f
3 changed files with 26 additions and 6 deletions
--- a/components/script_bindings/codegen/codegen.py
+++ b/components/script_bindings/codegen/codegen.py
@ -3213,7 +3213,8 @@ create_global_object::<D>(
    raw.as_ptr() as *const libc::c_void,
    {TRACE_HOOK_NAME}::<D>,
    obj.handle_mut(),
-    origin);
+    origin,
+    {"true" if self.descriptor.useSystemCompartment else "false"});
 assert!(!obj.is_null());

 let root = raw.reflect_with(obj.get());
--- a/components/script_bindings/codegen/configuration.py
+++ b/components/script_bindings/codegen/configuration.py
@ -252,6 +252,7 @@ class Descriptor(DescriptorProvider):
        self.outerObjectHook = desc.get('outerObjectHook', 'None')
        self.proxy = False
        self.weakReferenceable = desc.get('weakReferenceable', False)
+        self.useSystemCompartment = desc.get('useSystemCompartment', False)

        # If we're concrete, we need to crawl our ancestor interfaces and mark
        # them as having a concrete descendant.
--- a/components/script_bindings/interface.rs
+++ b/components/script_bindings/interface.rs
@ -17,10 +17,10 @@ use js::jsapi::{
    HandleObject as RawHandleObject, IsSharableCompartment, IsSystemCompartment,
    JS_AtomizeAndPinString, JS_GetFunctionObject, JS_GetProperty, JS_IterateCompartments,
    JS_NewFunction, JS_NewGlobalObject, JS_NewObject, JS_NewStringCopyN, JS_SetReservedSlot,
-    JS_WrapObject, JSAutoRealm, JSClass, JSClassOps, JSContext, JSFUN_CONSTRUCTOR, JSFunctionSpec,
-    JSObject, JSPROP_ENUMERATE, JSPROP_PERMANENT, JSPROP_READONLY, JSPROP_RESOLVING,
-    JSPropertySpec, JSString, JSTracer, ObjectOps, OnNewGlobalHookOption, SymbolCode,
-    TrueHandleValue, Value, jsid,
+    JS_SetTrustedPrincipals, JS_WrapObject, JSAutoRealm, JSClass, JSClassOps, JSContext,
+    JSFUN_CONSTRUCTOR, JSFunctionSpec, JSObject, JSPROP_ENUMERATE, JSPROP_PERMANENT,
+    JSPROP_READONLY, JSPROP_RESOLVING, JSPropertySpec, JSString, JSTracer, ObjectOps,
+    OnNewGlobalHookOption, SymbolCode, TrueHandleValue, Value, jsid,
 };
 use js::jsval::{JSVal, NullValue, PrivateValue};
 use js::rust::wrappers::{
@ -142,15 +142,33 @@ pub(crate) unsafe fn create_global_object<D: DomTypes>(
    trace: TraceHook,
    mut rval: MutableHandleObject,
    origin: &MutableOrigin,
+    use_system_compartment: bool,
 ) {
    assert!(rval.is_null());

    let mut options = RealmOptions::default();
    options.creationOptions_.traceGlobal_ = Some(trace);
    options.creationOptions_.sharedMemoryAndAtomics_ = false;
+    if use_system_compartment {
+        options.creationOptions_.compSpec_ = CompartmentSpecifier::NewCompartmentAndZone;
+        options.creationOptions_.__bindgen_anon_1.comp_ = std::ptr::null_mut();
+    } else {
        select_compartment(cx, &mut options);
+    }

+    // “System or addon” principals control JIT policy (IsBaselineJitEnabled, IsIonEnabled) and WASM policy
+    // (IsSimdPrivilegedContext, HasSupport). This is unrelated to the concept of “system” compartments, though WASM
+    // HasSupport describes checking this flag as “check trusted principals”, which seems to be a mistake.
+    // Servo currently creates all principals as non-system-or-addon principals.
    let principal = ServoJSPrincipals::new::<D>(origin);
+    if use_system_compartment {
+        // “System” compartments are those that have all “system” realms, which in turn are those that were
+        // created with the runtime’s global “trusted” principals. This influences the IsSystemCompartment() check
+        // in select_compartment() below [1], preventing compartment reuse in either direction between this global
+        // and any globals created with `use_system_compartment` set to false.
+        // [1] IsSystemCompartment() → Realm::isSystem() → Realm::isSystem_ → principals == trustedPrincipals()
+        JS_SetTrustedPrincipals(*cx, principal.as_raw());
+    }

    rval.set(JS_NewGlobalObject(
        *cx,