JSC: PerformPromiseThenOneHandler for single-handler .then()
c3276f4
+function fulfillOnly(p) { return p.then(v => v + 1); }
+function rejectOnlyUndefined(p) { return p.then(undefined, e => 'caught:' + e); }
+function bothHandlers(p) { return p.then(v => 'ok:' + v, e => 'err:' + e); }
PerformPromiseThen is the generic four-child DFG IR node (promise, fulfill handler, reject handler, result capability) and is conservative because either handler can be callable or null/undefined at runtime. The Abstract Interpreter propagates type predictions using SpeculatedType bit sets — SpecFunction for callables, SpecOther for null/undefined. When DFGConstantFoldingPhase proves one handler slot is SpecOther, it converts the node to PerformPromiseThenOneHandler, encoding handler kind in a flag and emitting direct flag-and-slot writes instead of allocating a reaction cell.
Significance
This puts JIT-emitted code directly into promise handler dispatch — a security-sensitive path where a misclassified handler can silently drop or misroute a callback.
Audit directions
a Aaaaaaaaaaaaaaaa Aaaaaaaa Aa Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Aaa Aaaaaaaaaa Aaaaa Aa Aa Aa Aaaaaaaaaa Aaaa Aaa Aaaaaaa Aa Aaaaaaaaaaaa Aa Aaa Aa Aaaaaaaaaaa Aa Aaaaaaaaaaaaa a Aaaaaaaaaaa Aaaaaa Aaa Aaaaaaaaaaa Aaaa Aaaaa Aaaa a Aaaaaaa Aaaa Aaaa Aa Aaaaaaaa Aaaaaaaaa Aaaaaaaa Aaaaaaaa Aa Aaaaaaaaaa Aaa Aaaaaaaa
a Aaaaaaaa Aaaaaaaaaa Aaaaaaaaaaaaaa Aaa Aaaa Aaaa Aaaaaa Aaaaaaa Aaaaaaaa Aaaaa Aaa Aaaaaa Aaa Aaaaaaa Aaaaa Aaaaaaaaa Aa Aaa Aaaa Aaaaaaaa Aa Aaaa Aaaaaa Aaaaaaaa Aaaa Aaaa Aaa Aaaa Aaaa Aa Aa Aaaaaaaa Aa Aaaaaaaa Aaaaaaa Aaaaa Aa Aaaa Aaaa Aaaaaaa Aa Aaaa Aaaaaaaaa Aaaaaa Aaaaa Aaaaaaa
a Aaaaaaaaaaaaaaa Aaaaaaaaaaaa Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Aaaa Aaaaaaaaa Aaaaaa Aaaaa Aaaaaaaa Aaa Aaa Aaa Aaaa Aaaaa Aaaaaaa Aaaaaaaa Aaa Aaa Aa Aaaa Aaaaa Aaa Aaaaaaa Aaaa Aaaaaaa Aaaaaaaaa a a Aaa Aa Aaaaaaaaaaaa Aaaaaa
a Aaaaaaaaaaaaa Aaaaaaaaaaa Aaa Aaa Aaaaa Aaa Aaaa Aaaa Aaaaa Aa Aaa Aaaaaaa Aaaaa Aaaaaaaa Aaaaaaaaaaaaaaa Aaaaaaaa Aaaa Aa Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Aa Aaa Aaa Aaaaaaaaa Aaaaaaa Aaaaaaaaaaaaa Aaa Aaa Aaaa Aaa Aaaaaaaa Aaaaaaaaaa Aaaaa Aa a Aaaaaa Aaa Aaaaaaaaa Aaaaaaaa Aa Aaa Aaaa Aaaaa
🔒New JIT fast path for promise handler dispatch — type proof boundaries and inline write correctness are worth security investigation.
더 확인하려면 구독해 주세요