Unsubscribe from imported promises dropped by userland #6075
Labels: enhancement (New feature or request), liveslots (requires vat-upgrade to deploy changes), SwingSet (package: SwingSet), vaults_triage (DO NOT USE)
What is the Problem Being Solved?
The memory consumption due to imported promises described in #6074 could be solved if liveslots could detect when the userland drops these promises (in particular if it never touches them). This requires engines to make the resolvers behave somewhat like a WeakRef.
Description of the Design
A promise's liveness cannot be observed by simply holding its resolvers. As such, the engine is technically free to collect promise instances that are not directly referenced by user code. However, when simply following the spec text, the matching implementation would keep a strong reference from the resolver to the promise. This engine behavior is also the cause of the `Promise.race` leak worked around in endojs/endo#1222.
A better approach would be for engines to implement resolvers such that they only hold strongly onto promises if the promise has a pending reaction, and hold weakly onto them if not. That means that a resolver would no longer keep settled or unused promises alive.
At that point liveslots could set up a `FinalizationRegistry` to detect when imported promises are dropped before being used, unsubscribe from them and drop their inert resolvers. Unlike the other approaches, this would be reactive and wouldn't require actively noticing if a promise was awaited to delay subscription, or explicitly refused by interface guards.
Security Considerations
Like virtual object representatives, it may be necessary to virtualize WeakMaps so that these promises used as keys cannot be used to sense GC. I'm not sure what guarantee we currently have when a new promise is created after being re-imported, and thus the stability of WeakMap entries keyed by imported promises.
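A sketch of the bookkeeping the design above implies, added here as an illustration and not taken from liveslots or from the issue author. The names `makeImportedPromiseTable`, `onDropped`, `notify` and the `unsubscribe` callback are hypothetical, and the finalizer can only fire for unsettled promises if the engine holds promises weakly from their resolvers as proposed.

```javascript
// Hypothetical bookkeeping; not liveslots code. `unsubscribe` stands in for
// whatever kernel call would cancel the subscription (an assumption).
function makeImportedPromiseTable(unsubscribe) {
  // vpid -> { gen, ref: WeakRef<Promise>, resolve, reject }
  const entries = new Map();
  let nextGen = 1;

  // Finalizer. The held value carries only primitives, so the registry
  // itself can never keep the promise alive.
  const onDropped = ({ vpid, gen }) => {
    const entry = entries.get(vpid);
    // Ignore stale callbacks: already settled, or re-imported since.
    if (!entry || entry.gen !== gen) return false;
    entries.delete(vpid); // drops the inert resolvers
    unsubscribe(vpid);
    return true;
  };
  const registry = new FinalizationRegistry(onDropped);

  const importPromise = vpid => {
    const live = entries.get(vpid)?.ref.deref();
    if (live) return live; // same identity while userland still holds it
    // Never seen, or collected but not yet finalized: mint a new promise.
    // Its identity differs from the collected one, which is the WeakMap
    // stability concern raised under Security Considerations.
    let resolve, reject;
    const promise = new Promise((res, rej) => { resolve = res; reject = rej; });
    const gen = nextGen++;
    // With today's engines these resolvers retain `promise` strongly.
    entries.set(vpid, { gen, ref: new WeakRef(promise), resolve, reject });
    registry.register(promise, { vpid, gen });
    return promise;
  };

  // Kernel notification: settle the promise if it is still tracked.
  const notify = (vpid, rejected, value) => {
    const entry = entries.get(vpid);
    if (!entry) return false; // dropped earlier: nothing left to settle
    entries.delete(vpid);
    (rejected ? entry.reject : entry.resolve)(value);
    return true;
  };

  return { importPromise, notify, onDropped, size: () => entries.size };
}
```

The generation counter is what keeps a late finalizer for a collected promise from unsubscribing a promise that was re-imported under the same ID in the meantime.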