NEW299296
jsc shell's global write function has undocumented file system side effects and masks standard errors 
https://bugs.webkit.org/show_bug.cgi?id=299296
Summary jsc shell's global write function has undocumented file system side effects a...
Srinath
Reported 2025-09-22 09:31:24 PDT
The jsc command-line shell includes a non-standard global write function that poses a significant risk to developers and their environments. This function has two severe issues: It has undocumented side effects, creating and writing to files in the local file system. This behavior is completely unexpected for a core JavaScript function and could lead to accidental data loss or corruption. It completely masks ReferenceError exceptions. Existing in the global scope makes invalid code that should fail appear to execute successfully, which undermines the shell's reliability for any testing or debugging purpose.
Attachments
testcase (395 bytes, text/plain)
2025-09-22 15:52 PDT, Srinath 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2025-09-22 15:18:19 PDT
Thank you for the report. Could you please clarify which developers and what scenario this report is about? This bug says Hardware: "Mac", but on macOS, jsc is only present if you build WebKit yourself, it's a debugging tool for JavaScriptCore engineers. So I do not see what safety characteristics you expect from it.
Srinath
Comment 2 2025-09-22 15:51:26 PDT
Apologies for the lack of clarity. The purpose of improving write() would be to help standardize debugging across major JS engines' shells, including V8 and SpiderMonkey. Thank you for your prompt response to the report. I have added a small reproduction case as well. try { // This non-standard function call should immediately throw a ReferenceError. // Instead, it silently creates a file in the current directory. write('file_created_by_jsc.txt', 'This file should not exist.'); print("Success: The script ran without error (Unexpected Behavior)."); } catch (e) { print(`Failure: Caught a standard ${e.name} (Expected Behavior).`); }
Srinath
Comment 3 2025-09-22 15:52:08 PDT
Created attachment 476832 [details] testcase
Radar WebKit Bug Importer
Comment 4 2025-09-29 09:32:42 PDT
<rdar://problem/161576424>
Note You need to log in before you can comment on or make changes to this bug.