Upgrade WebKit to 6d586e29

[dylan-conway]

Bumps WEBKIT_VERSION from 963f8758 to 6d586e29, the current head of oven-sh/WebKit main. The prebuilt release autobuild-6d586e293f008f0e74e5697611a379b1b24815c9 is published with all platform tarballs.

This range is a fast-forward of 6 fork-local commits — no upstream WebKit merge:

• 27f4e7a9 Fix UB in double-to-int conversions across JSC (Fix UB in double-to-int conversions across JSC WebKit#244)
• f18cf9c2 FreeList::forEach: bound the interval assert by MarkedBlock::blockSize (FreeList::forEach: bound the interval assert by MarkedBlock::blockSize WebKit#247)
• 48460d87 Compile out the JIT disassembler in release builds (Compile out the JIT disassembler in release builds WebKit#241)
• 6d586e29 windows cross: add the bun-webkit-windows-amd64-asan variant (windows cross: add the bun-webkit-windows-amd64-asan prebuilt WebKit#240)
• c787a5a7 windows cross: add the amd64-baseline ThinLTO variant
• c591a185 windows: update xwin to 0.9.0 (windows: update xwin to 0.9.0 WebKit#242)

Checks:

• No Source/JavaScriptCore/runtime/JSType.h changes in the range, so no src/jsc/JSType.rs update needed.
• The workflow change (node and deno benchmark links are inversed #240) only adds a new bun-webkit-windows-amd64-asan.tar.gz asset; all tarball names prebuiltSuffix() produces are present in the release.

[robobun]

^{Updated 3:01 PM PT - Jun 2nd, 2026}

❌ @dylan-conway, your commit c17326d has 8 failures in Build #59960 (All Failures):

• test/regression/issue/21311.test.ts - code 1 on 🍎 14 x64
• test/js/web/websocket/autobahn.test.ts - code 1 on 🍎 14 x64
• test/js/sql/sql-prepare-false.test.ts - code 1 on 🍎 14 x64
• test/js/web/websocket/websocket-proxy.test.ts - code 1 on 🍎 14 x64
• test/js/sql/sql.test.ts - code 1 on 🍎 14 x64
• test/js/sql/sql-postgres-datetime-roundtrip.test.ts - code 1 on 🍎 14 x64
• test/cli/install/bun-install-proxy.test.ts - code 1 on 🍎 14 x64
• test/js/third_party/@duckdb/node-api/duckdb.test.ts - pid 6117 segmentation fault on 🐧 13 x64

---

🧪   To try this PR locally:

bunx bun-pr 31724

That installs a local version of the PR into your bun-31724 executable, so you can run:

bun-31724 --bun

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 898795a3-fe1f-475e-b367-3c6dd7f6e0a8

📥 Commits

Reviewing files that changed from the base of the PR and between f58d146 and c17326d.

📒 Files selected for processing (1)

• scripts/build/deps/webkit.ts

---

Walkthrough

This PR updates the WEBKIT_VERSION constant in the build configuration to a new WebKit commit hash, which changes the prebuilt download tag identity and any downstream build selections derived from this version value.

Changes

WebKit version update

Layer / File(s)	Summary
WebKit version bump scripts/build/deps/webkit.ts	WEBKIT_VERSION constant updated from commit hash 963f8758c29e965471c191668d5776a1a1b014b6 to 6d586e293f008f0e74e5697611a379b1b24815c9.

Possibly related PRs

• oven-sh/bun#26449: Updates WebKit commit/version configuration used to derive the WEBKIT_VERSION-based download identity via the same scripts/build/deps/webkit.ts source.
• oven-sh/bun#31649: Updates upgrade documentation explaining how to compute and pin the correct WEBKIT_VERSION target using the same configuration source.

Suggested reviewers

• Jarred-Sumner

🚥 Pre-merge checks | ✅ 3 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The PR description provides detailed context about what was changed and verification steps, but does not follow the repository's required template structure with explicit 'What does this PR do?' and 'How did you verify your code works?' sections.	Restructure the description to explicitly match the template sections: add 'What does this PR do?' and 'How did you verify your code works?' as separate sections, or confirm if the current format is acceptable.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly and clearly describes the main change: upgrading WebKit to a specific commit (6d586e29), which matches the primary purpose of the pull request.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Found 1 issue this PR may fix:

1. Number map keys are truncated to int32 in canary #31080 - Number Map keys outside int32 range are truncated to -2147483648, which is the textbook symptom of UB in double-to-int conversions — directly addressed by the JSC fix in Fix UB in double-to-int conversions across JSC WebKit#244 included in this upgrade.

If this is helpful, copy the block below into the PR description to auto-close this issue on merge.

Fixes #31080

🤖 Generated with Claude Code

[github-actions]

This PR may be a duplicate of:

1. Bump WebKit to 6d586e293f #31706 - Also bumps WebKit to the same commit (6d586e29) by updating WEBKIT_VERSION in scripts/build/deps/webkit.ts

🤖 Generated with Claude Code

[claude]

LGTM — routine WebKit pin bump with thorough range notes; the inline nit about the now-stale windows-baseline LTO gate in config.ts is worth a follow-up but non-blocking.

Extended reasoning...

Overview

This PR changes a single line: the WEBKIT_VERSION constant in scripts/build/deps/webkit.ts, bumping the pinned oven-sh/WebKit commit from 963f8758 to 6d586e29. The range is 6 fork-local commits with no upstream WebKit merge, and the PR description enumerates each one along with the standard bump checks (no JSType.h changes → no JSType.rs update; all prebuiltSuffix() tarball names present in the published release).

Security risks

None introduced by the bun-side diff itself — it only changes which prebuilt tarball is fetched from the oven-sh/WebKit GitHub releases (same trusted origin, same fetch mechanism). The pulled-in WebKit commits are bug fixes (UB in double→int conversions, a debug-assert bound), a release-build code-size reduction (compile out JIT disassembler), and CI/packaging changes (new Windows ASAN and baseline-LTO artifacts, xwin update). Nothing in the range touches auth, crypto, or permission surfaces.

Level of scrutiny

Version-pin bumps are explicitly in the "mechanical" category, and WebKit bumps are routine maintenance in this repo. The real validation is CI (build #59960), which exercises the new prebuilts across platforms. The author has already done the manual checks that CI cannot (JSType.h diff, release-asset presence). I treated this as low-scrutiny on the bun side while spot-checking that the constant is the only consumer-visible change.

Other factors

The bug-hunter flagged one nit: commit c787a5a7 in this range adds the windows-amd64-baseline-lto artifact, so the hard lto = false override for (windows && baseline) at scripts/build/config.ts:769 — and the two comments justifying it — are now stale. I verified those lines still exist as described. This is a missed-optimization / stale-comment issue, not a correctness regression (builds still succeed, just without LTO for that one config), so it does not block approval and can be cleaned up in a follow-up.

[claude]

🟡 This bump includes c787a5a7 ("windows cross: add the amd64-baseline ThinLTO variant"), so bun-webkit-windows-amd64-baseline-lto.tar.gz now exists in the pinned release. However, scripts/build/config.ts:769 still hard-forces lto = false for (windows && baseline), and the comments at config.ts:746-748 and config.ts:767-768 still claim the pinned WEBKIT_VERSION lacks/predates the -baseline-lto variant — both are now factually wrong. Consider dropping || baseline from the gate (or at minimum updating the comments) alongside this bump.

Extended reasoning...

What the issue is

scripts/build/config.ts contains a hard override that forces LTO off for Windows baseline builds, with an inline rationale tied directly to the pinned WebKit version:

// config.ts:765-771
// Windows arm64 / baseline: same — oven-sh/WebKit ships no
// bun-webkit-windows-arm64-lto (LLVM's CodeView emitter aborts on ARM64
// NEON tuple registers during LTO codegen), and the pinned WEBKIT_VERSION
// predates the -baseline-lto variant.
if ((asan && lto) || abi === "android" || (windows && (arm64 || baseline))) {
  lto = false;
}

And earlier:

// config.ts:746-748
// Resolved early because the LTO defaults below need it (the windows
// -baseline WebKit prebuilt has no -lto variant).
const baseline = partial.baseline ?? false;

Both comments assert that the pinned WebKit release lacks a windows-amd64-baseline-lto artifact. That was true at 963f8758, but this PR bumps WEBKIT_VERSION to 6d586e29, whose range includes commit c787a5a7 "windows cross: add the amd64-baseline ThinLTO variant". The release autobuild-6d586e29… therefore does publish bun-webkit-windows-amd64-baseline-lto.tar.gz.

Step-by-step proof

1. Before this PR, WEBKIT_VERSION = "963f8758…". The autobuild-963f8758… release has no …-windows-amd64-baseline-lto.tar.gz, so the gate at config.ts:769 is necessary — without it, prebuiltSuffix() would emit -baseline-lto and the download would 404.
2. This PR changes WEBKIT_VERSION to "6d586e29…". Per the PR description, that range includes c787a5a7 "windows cross: add the amd64-baseline ThinLTO variant", and the linked release page now contains the -baseline-lto asset.
3. config.ts is not touched by this PR, so line 769 still reads (windows && (arm64 || baseline)) and line 768 still says "the pinned WEBKIT_VERSION predates the -baseline-lto variant".
4. A user runs a Windows amd64 baseline cross build with an explicit --lto=on. The condition windows && baseline matches, so lto is silently forced to false. prebuiltSuffix() (webkit.ts:62-74) then returns -baseline instead of -baseline-lto, fetching the non-LTO artifact even though the LTO one exists.
5. The PR's own check — "all tarball names prebuiltSuffix() produces are present in the release" — cannot catch this, because the gate makes the -baseline-lto suffix unreachable from any config.

Why nothing else justifies the gate

The ThinLTO miscompile concern at config.ts:750-760 only removes Windows from the LTO default (ltoDefault); explicit --lto=on is still permitted for non-baseline Windows x64. So the only documented reason for the baseline-specific hard override is the missing artifact — and that reason is invalidated by this exact bump. The arm64 half of the gate has its own separate (still-valid) rationale about the CodeView emitter.

Impact

No correctness regression — builds still succeed and produce a working binary. The effects are:

• An explicit --lto=on for Windows amd64 baseline is silently downgraded with no warning, even though the matching prebuilt now exists.
• Two comments in config.ts make a factual claim about the pinned WEBKIT_VERSION that becomes false the moment this PR lands, which will confuse the next person reading this code.

Suggested fix

Alongside this bump, either:

• Drop || baseline from the (windows && (arm64 || baseline)) clause at config.ts:769 and update both comments accordingly, or
• At minimum, rewrite the comments at config.ts:746-748 and config.ts:767-768 so they no longer claim the pinned version lacks the artifact (and explain why the gate remains, if it should).