Cross-realm serialization/deserialization issues

[ethanresnick]

I just wanted to open a dedicated issue for the conversation here, so that it doesn't get lost.

[caridy]

Identity discontinuity is a real pain. I don't think providing expansion slots of any kind will help here because we also serialize functions, and if those functions are parsed and evaluated in a different realm, the objects that they produce (imagine that the function returns a regexp) will always exhibit different identity. The solution must be in user-land by evaluating the code in the correct sandbox, or work around the identity discontinuity problems.

[ethanresnick]

The solution must be in user-land by evaluating the code in the correct sandbox, or work around the identity discontinuity problems.

This sounds like the third option I mentioned here, right? I.e., the user should just make sure to eval the serialized result in a realm with globals that come from the same realm that serialize-js is running in.

If so, that seems suboptimal to me. Of course, I agree that this library can't control the identity of the objects produced during deserialization. Still, during serialization, it does seem like the library could correctly identify objects as RegExps or Dates, even if those objects come from a different realm. I think that would be a good thing to do, probably using the second option I mentioned in #27:

We can switch to user-land implementations of util.isDate and util.isRegExp that work around the cross-realm issue (idk how reliably), like https://github.com/ljharb/is-regex and https://github.com/ljharb/is-date-object

[caridy]

Still, during serialization, it does seem like the library could correctly identify objects as RegExps or Dates

Yeah, I'm fine with that. My only concern is the performance of the serialization. @ljharb's packages seem to be optimized (I can probably raise this question next week when I see him in person) but I haven't try them. Remember that we will have to do that for every non-function object node in the object graph.

[ethanresnick]

My only concern is the performance of the serialization. @ljharb's packages seem to be optimized (I can probably raise this question next week when I see him in person) but I haven't try them.

Makes perfect sense. I'll let you raise it with him and decide what's best.

[ljharb]

All of my "is-*" libraries are "optimized" in the sense that they have as many fast paths as possible - they return false as early as they can, and in environments that are pre-Symbol.toStringTag, they use Object.prototype.toString.call - but in modern environments, they always have to use a try/catch around a brand-checking prototype method.

If you want to do fast brand checking, the proper path is likely to be https://github.com/jasnell/proposal-istypes (which my packages could help to polyfill).