Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 8d6b11214830b69bad2f02f552a64d9f972ef698
      
https://github.com/WebKit/WebKit/commit/8d6b11214830b69bad2f02f552a64d9f972ef698
  Author: Sosuke Suzuki <[email protected]>
  Date:   2026-06-08 (Mon, 08 Jun 2026)

  Changed paths:
    A JSTests/stress/promise-resolve-non-thenable-structure-cache-cross-realm-proto.js
    M Source/JavaScriptCore/runtime/JSPromise.cpp

  Log Message:
  -----------
  [JSC] `isDefinitelyNonThenable` Structure cache can go stale when the prototype belongs to another realm
https://bugs.webkit.org/show_bug.cgi?id=316506

Reviewed by Yusuke Suzuki.

A cached NonThenable is guarded by structure->realm()'s
promiseThenWatchpointSet, but the cacheability check compared the prototype
against the caller's objectPrototype(). Once a realm-A structure holds realm
B's Object.prototype and the first resolution happens in realm B, the cache
survives `then` being added to realm B's Object.prototype. That fires only
realm B's watchpoint set. So realm A treats a genuine thenable as a plain value:

    const other = createGlobalObject();
    function make() {
        const o = { a: 1 };
        Object.setPrototypeOf(o, other.Object.prototype);
        return o;
    }
    other.Promise.resolve(make()); // caches NonThenable on the realm-A structure
    drainMicrotasks();
    other.Object.prototype.then = function (resolve) { resolve(42); };
    const v = await Promise.resolve(make()); // v is the object, should be 42

Compare against structure->realm()->objectPrototype() instead; mixed-realm
chains become Uncacheable and take the per-call walk.

Test: JSTests/stress/promise-resolve-non-thenable-structure-cache-cross-realm-proto.js

* JSTests/stress/promise-resolve-non-thenable-structure-cache-cross-realm-proto.js: Added.
(shouldBe):
(asyncTest.async localStructureForeignProto.make):
(asyncTest.async localStructureForeignProto.other.Function):
(asyncTest.async localStructureForeignProto):
(asyncTest.async foreignStructureLocalProto.Object.prototype.then):
(asyncTest.async foreignStructureLocalProto):
* Source/JavaScriptCore/runtime/JSPromise.cpp:
(JSC::isDefinitelyNonThenable):

Canonical link: https://commits.webkit.org/314775@main
