JSC: cache isDefinitelyNonThenable on Structure
cdf77b6
Source/JavaScriptCore/runtime/Structure.h
+enum class NonThenableStatus : uint8_t { Unknown, NonThenable, MaybeThenable, Uncacheable };
+NonThenableStatus nonThenableStatus() const { return m_nonThenableStatus; }
+void setNonThenableStatus(NonThenableStatus status) { m_nonThenableStatus = status; }
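Review bot: these three lines add the enum and a plain getter/setter but not the m_nonThenableStatus member itself, so the hunk gives no evidence of where that member is declared or initialized; confirm it starts as NonThenableStatus::Unknown on every Structure constructor and transition path (not copied from a parent structure), and that setNonThenableStatus(NonThenableStatus::NonThenable) is reachable only while the promiseThenWatchpointSet the description relies on is still valid, since the setter itself performs no such check.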
ECMAScript requires Promise.resolve and await to detect thenables by walking the prototype chain for a callable .then. JSC's isDefinitelyNonThenable() previously performed that walk on every call. This commit caches the result on each Structure as a lazily computed 2-bit state (Unknown, NonThenable, MaybeThenable, Uncacheable). The NonThenable state is trusted only while the realm's promiseThenWatchpointSet is intact, and that watchpoint set is now extended to also cover the absence of `then` on Object.prototype. Prototype chains deeper than [self, Object.prototype] or [self] (null prototype) are marked Uncacheable, and dictionary structures are excluded from caching.
Significance
This change sits directly on the thenable-detection path. A misclassification there turns a thenable into a plain value, which is a potential capability bypass if promise-guarded objects can be smuggled through as non-thenables.
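The following is an added example, not JSC code and not part of the commit: a runnable JavaScript model of the caching rule described above, checked against the spec's own prototype-chain walk, and a demonstration of the misclassification the Significance note warns about when the Object.prototype watchpoint is missing. It assumes a Structure can be approximated as "own property names plus prototype identity", models the realm watchpoint as a boolean, and invents the `ThenableCache`, `specIsThenable` and `structureKeyOf` names for this illustration.

```javascript
// Added example, not JSC code. Assumptions: a JSC Structure is modelled as
// "own property names + prototype identity", the realm watchpoint as a
// boolean, and every name below is invented for this illustration.

const NonThenableStatus = Object.freeze({
  Unknown: 0, NonThenable: 1, MaybeThenable: 2, Uncacheable: 3,
});

// Spec behaviour (PromiseResolve / Await): Get(value, "then") followed by
// IsCallable, so the whole prototype chain, getters included, is consulted.
function specIsThenable(value) {
  if (value === null) return false;
  if (typeof value !== "object" && typeof value !== "function") return false;
  return typeof value.then === "function";
}

// Stand-in for a Structure: objects with the same own keys and the same
// prototype share a key, mirroring how Structures are shared in JSC.
function structureKeyOf(obj) {
  const proto = Object.getPrototypeOf(obj);
  const protoTag = proto === null ? "null"
    : proto === Object.prototype ? "Object.prototype" : "other";
  return `${Reflect.ownKeys(obj).map(String).sort().join(",")}|${protoTag}`;
}

class ThenableCache {
  constructor() {
    this.status = new Map();       // structure key -> NonThenableStatus
    this.watchpointIntact = true;  // "Object.prototype has no `then`"
  }

  // Returns the spec answer; only [self] (null proto) and
  // [self, Object.prototype] chains are eligible for caching.
  classify(obj) {
    const key = structureKeyOf(obj);
    const cached = this.status.get(key) ?? NonThenableStatus.Unknown;
    if (cached === NonThenableStatus.NonThenable && this.watchpointIntact) return false;
    if (cached === NonThenableStatus.MaybeThenable || cached === NonThenableStatus.Uncacheable) {
      return specIsThenable(obj);
    }
    // Unknown, or a NonThenable entry the fired watchpoint no longer vouches for.
    const proto = Object.getPrototypeOf(obj);
    const shallow = proto === null || proto === Object.prototype;
    const isThenable = specIsThenable(obj);
    let next;
    if (!shallow) next = NonThenableStatus.Uncacheable;
    else if (isThenable) next = NonThenableStatus.MaybeThenable;
    else next = this.watchpointIntact ? NonThenableStatus.NonThenable : NonThenableStatus.Uncacheable;
    this.status.set(key, next);
    return isThenable;
  }

  statusOf(obj) {
    return this.status.get(structureKeyOf(obj)) ?? NonThenableStatus.Unknown;
  }

  // Called when `then` appears on Object.prototype: NonThenable entries stop being trusted.
  fireWatchpoint() { this.watchpointIntact = false; }
}

function runScenario() {
  const guarded = new ThenableCache();    // its watchpoint is fired below
  const unguarded = new ThenableCache();  // nobody fires its watchpoint
  const out = {};

  const plain = { value: 1 };
  out.plain = guarded.classify(plain);                 // false
  out.plainStatus = guarded.statusOf(plain);           // NonThenable
  unguarded.classify({ value: 1 });                    // same structure, cached NonThenable too

  const thenable = { then(resolve) { resolve(42); } };
  out.thenable = guarded.classify(thenable);           // true
  out.thenableStatus = guarded.statusOf(thenable);     // MaybeThenable

  const deep = Object.create(Object.create(Object.prototype));
  out.deep = guarded.classify(deep);                   // false
  out.deepStatus = guarded.statusOf(deep);             // Uncacheable: chain is longer than [self, Object.prototype]

  plain.then = (resolve) => resolve("own");            // own layout changes, so the structure key changes
  out.afterOwnThen = guarded.classify(plain);          // true, the stale NonThenable entry is never consulted

  const fresh = { value: 2 };                          // same structure as the original `plain`
  Object.defineProperty(Object.prototype, "then", {
    value: (resolve) => resolve("proto"), configurable: true, writable: true,
  });
  try {
    guarded.fireWatchpoint();
    out.spec = specIsThenable(fresh);                  // true
    out.guarded = guarded.classify(fresh);             // true: recomputed because NonThenable is no longer trusted
    out.unguarded = unguarded.classify(fresh);         // false: the misclassification a missing watchpoint allows
  } finally {
    delete Object.prototype.then;                      // restore the realm
  }
  return out;
}

console.log(runScenario());
```

The `unguarded` result is the point of the extended watchpoint: a NonThenable entry computed while Object.prototype had no `then` is only valid for as long as that stays true, so the cache's trust must be tied to the watchpoint rather than to the Structure alone. Note also that the model never caches a positive answer; MaybeThenable and Uncacheable always fall back to the spec walk.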
Audit directions
The watchpoint-to-cache trust chain, realm boundary enforcement, and structure mutation edge cases are worth security investigation.