On Jul 29, 2013, at 7:04 PM, David Bruant wrote:

> Le 30/07/2013 03:09, Allen Wirfs-Brock a écrit :
>> On Jul 29, 2013, at 5:11 PM, David Bruant wrote:
>> 
>>> Le 29/07/2013 20:41, Allen Wirfs-Brock a écrit :
>>>> The legacy [[Class]] internal property conflated these two concepts.  Sometimes it was used for to ensure that a built-in method was operating upon an instance that actually had the internal state or conformed to other implementation level invariants needed by the method. Other times, [[Class]] was tested  for basic external behavioral classification purposes that don't really care at all about implementation level object invariants.
>>>> 
>>>> In most cases, the ES6 spec. language such as  "if O is an exotic X object" or "does X have a [[XXX]] internal data property" works fine as a direct replacement of an ES5  [[Class]] test because there are a one-to-one correspond between a ES6 built-in that is represented by specific kind of exotic object or that has a specific internal data property and with a ES5 built-in with the corresponding [[Class]] value.
>>> Can all the [[Class]] replacement tests be passed by proxies in a way or another so that a proxy can impersonate a given "class" of exotic object? (most likely by having one of these objects as target)
>> Nope.  We would have had the same problems if we had kept [[Class]]. In ES<=5.1 [[Class]] is used to conflate situational specific testing for a number of independent characteristics of objects.  Some of those characteristics can not be transparently prloxied (for example this object reference directly refers a special object representation with some specific implementation dependent representation of some private state 0)
> By "this object reference", are you talking about the "this" keyword?

no special "this" here.  I'm just saying that at the implementation level, when you are doing  something with an object value what you really have is a "reference" (ie a pointer) to a heap allocated data structure.  If the implementation code is going to do something that depends on the data structures actual memory layout, then you better be sure that you have a pointer to the actual data structure you expect. 

> Even then, I wouldn't be sure to understand. Which part of ES5.1 are you referring to?
> I believe a code snippet to explain would make things easier to understand.

In ES5 some of this is subtle, for example  in the introduction to 15.9.5 (Properties of Date Prototuype Object) is this paragrpah:

In following descriptions of functions that are properties of the Date prototype object, the phrase “this Date object” refers to the object that is the this value for the invocation of the function. Unless explicitly noted otherwise, none of these functions are generic; a TypeError exception is thrown if the this value is not an object for which the value of the [[Class]] internal property is "Date". Also, the phrase “this time value” refers to the Number value for the time represented by this Date object, that is, the value of the [[PrimitiveValue]] internal property of this Date object.

and each Date.prototype method starts with a step like:
1.	Let t be this time value.

What this is really saying is that this method only works on object instances that have the internal layout created by the Date constructor. 

For a broader discussion of the use of [[Class]] in ES5 see https://docs.google.com/document/d/1sSUtri6joyOOh23nVDfMbs1wDS7iDMDUFVVeHeRdSIw/edit?hl=en&authkey=CI-FopgC&pli=1 


> 
>>> Also, I fail to understand the difference between "if O is an exotic X object" and "if O.[[Class]] === X".
>> There really isn't much.  But getting rid of [[Class]] enables us to separate the previously conflated characteristics.
> When you test for "if O is an exotic array object", what characteristic are you testing for, then?
> This still feels like branding to me.

It is exactly branding, but branding for the specific characteristics that are defined ES6 clause 8.4.2.  It doesn't include other things that [[Class]] was sometimes used for.

>>>>> If proxies for arrays do not pass such tests, some built-ins behave in unexpected ways.
>>>> What's expected?  Just because a proxy has an exotic array object as its target doesn't mean that is functions as an exotic array.
>>> This suggests that the opposite could be true, that is that a proxy with any target might impersonates an array as long as it passes some tests. I wonder how much of a good idea this is.
>> One of the goals for ES6 proxies was to enable self-hosting of built-ins.  In theory, there is no reason that a proxy couldn't be use buy an implementation to implement its "exotic array objects".  However, because the spec. explicitly distinguishes  "exotic array objects" from other built-in exotic object and from general proxies, such a host implementation would still have to have a way to identify the proxy-implemented exotic arrays as such and for test for them in every context where the spec. says an "exotic array object" is required. That branding test would be that implementations way of implementing "is O is an exotic Array object".
> Self-hosted code is privileged and may have some power not described by the ES spec (and as far as I know, that's actually the case both for SpiderMonkey and V8 self-hosted code). 

I'm not talking about existing self-hosted code that uses mechanisms other than Proxy.  Some self hosted code might be privileged but that isn't necessarily the case for everything that is self hosted.  For example, there is nothing that would need to be particularly privileged about an implementation of Set that is implemented by internally using a Map.  You wouldn't even need to use a Proxy for that.

> So self-hosted code can distinguish an actual array from a proxy, that's not an issue.
> Non-privileged code being able to distinguish an array and a proxy for an array is more worrisome.

I go the other way, in general there should be nothing special about  "self-hosting code".  Perhaps the phrase is even misleading. What I'm really saying that there should be no particular reason that anything other than the most primitive elements of the the ES built-ins can't be expressed in ES code.

A proxy with an Array as its target is not an Array.  Whether such an object is substitutable for an Array instance is high dependent on the details of its handler and other aspects of its implementation.   Also please see http://wiki.ecmascript.org/doku.php?id=harmony:virtual_object_api which address related issues.  In general, you can't assume that Proxy(x, {}) is substitutable for x.  It just doesn't work that way.



> 
>>> The (granted implicit) model of "a proxy for exotic object X is seen by all algorithms as an exotic object X" feels simpler even if it means that a proxy might not act as an internal algorithm expects.
>> memory safety hazard.  Every place that checks for "is O an exotic X object" would have to have a subsequent "is O a Proxy whose target is an exotic X" and take different code paths.  If you screw it up, you may have memory safety issues.
> That's an implementation hazard; not sure what your point is here.

The major of such test in the spec. are abstracting over such implementation hazards.  That's why they are there. Most of the other uses are simply for backwards compatibility with spec. legacy usages.

> Note that the design of proxies (can only be new objects, are limited to an immutable {target, handler} data structure, stratified API, etc.) go a long way in preventing memory safety issues. It sounds reasonable to think that implementors will do the necessary rest of work to prevent these issues in already implemented algorithms.

No, the design actually creates potential safety issues that must be carefully guarded against.  For example, the default delegation semantics for [[Invoke]]  (it would be the same if [[Get]]/[[Ca]] is used) calls a method on the target object with the proxy object as its this value. If the target object is exotic or has implementation specific private state (eg, [[DateValue]])  the this value (the Proxy) is the wrong kind of object for the method to operate upon.  Any implementation level optimization must include some sort of guard.

> Actually, if the stratification is respected and there is no free bypass, there is no reason to have memory safety issues.

Don't know what you mean by free bypass, but it fact that is not a bad description of the default delegation semantics.


> 
>>> In any case, regardless of how many tests a proxy passes, it has always a way  to wrongly behave after having passed the test.
>> The key things are hard dependencies between native code built-in methods that expect specific fixed object layouts and the actual instances of those objects.
> I don't think you're answering my point.
> All tests that methods can pass are pre-conditions.
> If a proxy can pass the test, it can fake it and then behave mistakenly.
> If a proxy can't pass the test, then user-land code can distinguish an object from its target.

Here is a simple way Proxies fail your expectations. 

let brandRegistry = new WeakSet();
class Branded {
   [@@create]() {
       let obj = super();
       brandRegistry.add(obj);
       return obj
   }
   doSomething() {
       if (! Branded.isBranded(this)) throw TypeError("wrong kind of object");
       /...
    }
   static isBranded(obj) {
      return brandRegistry.has(obj)
    }
}

let obj = new Branded;
let pObj = new Proxy (obj, {P });

Branded.isBranded (obj);//true
Branded.isBranded(pObj); //false

obj.doSomething();  //returns
pObj.doSomething();  //throws


None of the has anything to do with the presence of absence of the ES<=5.1 [[Class]] internal property.   Instead it is much more fundamental to the semantics of Proxy.


> Something has to be given up. And giving up on indistinguishability would defeat the purpose of proxies (and the expectation as feedback on Tom's library suggests).

You suggestion is?  My point is ES internal branding, whether you call it "check for exotic XXX object", "check for the[[XXX]] internal data property" or check if [[Class]] == "Array" h does not work with the Direct Proxy default handler semantics.

> 
>>>> However, this would be a breaking change for existing code explicitly wires their prototype chain to inherit from Array.prototype.
>>> Saving existing code from proxies is a dead end in my opinion.
>> This has nothing to do with Proxies.
>> 
>> Consider:
>> 
>> var x = [__proto__: Array.prototype].
>> 
>> In ES<=5.1
>>    Object.prototype.toString(x)  //returns "[object Object]"
>> 
>> If in ES6, Array.prototype has an built-in @@toStringTag property whose value is "Array" then:
>>    Object.prototype.toString(x)  //returns "[object Array]"
> oh ok. Sorry about that, I had completely misinterpreted your point here.
> 
>>>>> * Array.isArray
>>>> We've discussed the meaning of this in the past and have agreed that it should be considered a test for exotic array-ness and in particular the length invariant. A Proxy whose target is an exotic array may or may not qualify.
>>> I don't really understand what you're testing here to checking the length invariant.
>> It's an implementation internal test.  It is what it means to be "an exotic array object". See 8.4.2 of the current ES6 draft for the complete specification of what it means to be an "exotic array object"
>>> Can a proxy be written to pass this test?
>> no, not with portable ES code.  The logic is within Array.isArray, not within the object it is applied to.
> If some code contains an Array.isArray test, it will behave differently if running against a membrane or normal objects. I don't think that's desirable.
> For membranes to be transparent, a proxy must be able to behave the *exact* same way its target would. Clearly if the logic of some built-in is within the built-in not within the object it is applied to, this is plain impossible.

It depends upon the type of handler you use for the Proxy's that are form your membrane.  The default delegating handler behavior isn't what you want. But a ForwardingHanlder should work for you.  At least that's what MarkM and TomVC tell me.



> 
> 
>>>>> It's worth noting that I hit upon these issues because users of my harmony-reflect shim, which are using direct proxies today in ES5, have reported them (see [1],[2]). This adds some evidence that users expect the above built-ins to behave transparently w.r.t. proxies for their use cases. My library patches some of these built-ins to recognize my own emulated proxies, but this is just an ad hoc solution. ES6 users will obviously not be able to do this.
>>>> They may expect this, but I don't see what generalizations we can make.  Whether a proxy over a built-in is behaviorally substitutable for the built-in completely dependent upon the the definition of the specific proxy.
>>> Again, this seems to suggest that a proxy could pretend to be a Date to one algorithm, an Array to another and a RegExp to another. I'm not sure what good comes out of that.
>> What do you mean to "be a Date".
> I wrote "pretend to be a Date". That's at least to the algorithms testing, no matter how they do it.

My question still stands.  What do you mean when you say "x is a Date".  What characteristics of Date are you actually trying to test.  Is this a Date according to what you have in mind:

let obj = new Date();
obj.__proto__ = null;

> 
>> The ES6 spec. defines Dateness very specifically.  It is an ordinary object (ie, not a Proxy) that has a [[DateValue]] internal data property that can be recognized as such by an implementation.  The only way the ES6 spec. provides for creating such an object is via the Date[[@@create]] method defined in 15.9.3.5 of the current draft.  This method is inherited by subclass constructors so  instances of subclasses of the Date constructor, by default, also will pass the Dateness test.
> Same problem than above about membrane transparency.
This one I have specifically discussed with Tom and Mark.  It depends upon using the right kind of handlers for you membrane.

> 
> Aside, but related: instead of passing a target (an already built object), it might be an interesting idea to have a Proxy constructor that takes an @@create so that the target passes the @@create-related tests.

I don't think is makes any different.  That's not the source of the problems.
     new Proxy(new Array() , { })
has a target that is an exotic array object created via Array[[@@create]] the problem is that the Proxy (and it is what carries identify) is not can not be an exotic array object.  

Allen


> 
> David
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20130729/427067c9/attachment-0001.html>

On Jul 29, 2013, at 7:04 PM, David Bruant wrote:

> By "this object reference", are you talking about the "this" keyword?

no special "this" here.  I'm just saying that at the implementation level, when you are doing  something with an object value what you really have is a "reference" (ie a pointer) to a heap allocated data structure.  If the implementation code is going to do something that depends on the data structures actual memory layout, then you better be sure that you have a pointer to the actual data structure you expect. 

> Even then, I wouldn't be sure to understand. Which part of ES5.1 are you referring to?
> I believe a code snippet to explain would make things easier to understand.

In ES5 some of this is subtle, for example  in the introduction to 15.9.5 (Properties of Date Prototuype Object) is this paragrpah:

In following descriptions of functions that are properties of the Date prototype object, the phrase “this Date object” refers to the object that is the this value for the invocation of the function. Unless explicitly noted otherwise, none of these functions are generic; a TypeError exception is thrown if the this value is not an object for which the value of the [[Class]] internal property is "Date". Also, the phrase “this time value” refers to the Number value for the time represented by this Date object, that is, the value of the [[PrimitiveValue]] internal property of this Date object.

and each Date.prototype method starts with a step like:
1.	Let t be this time value.

What this is really saying is that this method only works on object instances that have the internal layout created by the Date constructor. 

For a broader discussion of the use of [[Class]] in ES5 see https://docs.google.com/document/d/1sSUtri6joyOOh23nVDfMbs1wDS7iDMDUFVVeHeRdSIw/edit?hl=en&authkey=CI-FopgC&pli=1 


> When you test for "if O is an exotic array object", what characteristic are you testing for, then?
> This still feels like branding to me.

It is exactly branding, but branding for the specific characteristics that are defined ES6 clause 8.4.2.  It doesn't include other things that [[Class]] was sometimes used for.

> Self-hosted code is privileged and may have some power not described by the ES spec (and as far as I know, that's actually the case both for SpiderMonkey and V8 self-hosted code). 

I'm not talking about existing self-hosted code that uses mechanisms other than Proxy.  Some self hosted code might be privileged but that isn't necessarily the case for everything that is self hosted.  For example, there is nothing that would need to be particularly privileged about an implementation of Set that is implemented by internally using a Map.  You wouldn't even need to use a Proxy for that.

> So self-hosted code can distinguish an actual array from a proxy, that's not an issue.
> Non-privileged code being able to distinguish an array and a proxy for an array is more worrisome.

I go the other way, in general there should be nothing special about  "self-hosting code".  Perhaps the phrase is even misleading. What I'm really saying that there should be no particular reason that anything other than the most primitive elements of the the ES built-ins can't be expressed in ES code.

A proxy with an Array as its target is not an Array.  Whether such an object is substitutable for an Array instance is high dependent on the details of its handler and other aspects of its implementation.   Also please see http://wiki.ecmascript.org/doku.php?id=harmony:virtual_object_api which address related issues.  In general, you can't assume that Proxy(x, {}) is substitutable for x.  It just doesn't work that way.


> That's an implementation hazard; not sure what your point is here.

The major of such test in the spec. are abstracting over such implementation hazards.  That's why they are there. Most of the other uses are simply for backwards compatibility with spec. legacy usages.

> Note that the design of proxies (can only be new objects, are limited to an immutable {target, handler} data structure, stratified API, etc.) go a long way in preventing memory safety issues. It sounds reasonable to think that implementors will do the necessary rest of work to prevent these issues in already implemented algorithms.

No, the design actually creates potential safety issues that must be carefully guarded against.  For example, the default delegation semantics for [[Invoke]]  (it would be the same if [[Get]]/[[Ca]] is used) calls a method on the target object with the proxy object as its this value. If the target object is exotic or has implementation specific private state (eg, [[DateValue]])  the this value (the Proxy) is the wrong kind of object for the method to operate upon.  Any implementation level optimization must include some sort of guard.

> Actually, if the stratification is respected and there is no free bypass, there is no reason to have memory safety issues.

Don't know what you mean by free bypass, but it fact that is not a bad description of the default delegation semantics.


> I don't think you're answering my point.
> All tests that methods can pass are pre-conditions.
> If a proxy can pass the test, it can fake it and then behave mistakenly.
> If a proxy can't pass the test, then user-land code can distinguish an object from its target.

Here is a simple way Proxies fail your expectations. 

```js
let brandRegistry = new WeakSet();
class Branded {
   [@@create]() {
       let obj = super();
       brandRegistry.add(obj);
       return obj
   }
   doSomething() {
       if (! Branded.isBranded(this)) throw TypeError("wrong kind of object");
       /...
    }
   static isBranded(obj) {
      return brandRegistry.has(obj)
    }
}

let obj = new Branded;
let pObj = new Proxy (obj, {P });

Branded.isBranded (obj);//true
Branded.isBranded(pObj); //false

obj.doSomething();  //returns
pObj.doSomething();  //throws
```

None of the has anything to do with the presence of absence of the ES<=5.1 [[Class]] internal property.   Instead it is much more fundamental to the semantics of Proxy.


> Something has to be given up. And giving up on indistinguishability would defeat the purpose of proxies (and the expectation as feedback on Tom's library suggests).

You suggestion is?  My point is ES internal branding, whether you call it "check for exotic XXX object", "check for the[[XXX]] internal data property" or check if [[Class]] == "Array" h does not work with the Direct Proxy default handler semantics.

> If some code contains an Array.isArray test, it will behave differently if running against a membrane or normal objects. I don't think that's desirable.
> For membranes to be transparent, a proxy must be able to behave the *exact* same way its target would. Clearly if the logic of some built-in is within the built-in not within the object it is applied to, this is plain impossible.

It depends upon the type of handler you use for the Proxy's that are form your membrane.  The default delegating handler behavior isn't what you want. But a ForwardingHanlder should work for you.  At least that's what MarkM and TomVC tell me.



> I wrote "pretend to be a Date". That's at least to the algorithms testing, no matter how they do it.

My question still stands.  What do you mean when you say "x is a Date".  What characteristics of Date are you actually trying to test.  Is this a Date according to what you have in mind:

```js
let obj = new Date();
obj.__proto__ = null;
```

> Same problem than above about membrane transparency.

This one I have specifically discussed with Tom and Mark.  It depends upon using the right kind of handlers for you membrane.

> Aside, but related: instead of passing a target (an already built object), it might be an interesting idea to have a Proxy constructor that takes an @@create so that the target passes the @@create-related tests.

I don't think is makes any different.  That's not the source of the problems.

```js
new Proxy(new Array() , { })
```

has a target that is an exotic array object created via Array[[@@create]] the problem is that the Proxy (and it is what carries identify) is not can not be an exotic array object.