
Upgrade WebKit to 51cc3feb7298 #31796

Merged
Jarred-Sumner merged 7 commits into main from claude/webkit-upgrade-51cc3feb7298
Jun 16, 2026

@sosukesuzuki sosukesuzuki commented Jun 4, 2026

Contributor

Note

oven-sh/WebKit#248 is merged and WEBKIT_VERSION now points at the release autobuild-5851d4722e461bae1eb5537b091f4103e192a94a. Ready to merge once CI is green.

Bun-side changes

  • src/jsc/JSType.rs: added Sentinel and shifted all object JSType values by +1 (upstream added SentinelType before ObjectType)
  • C++ bindings: dropped the JSGlobalObject* argument from JSPromise::reject/fulfill/rejectAsHandled/rejectWithCaughtException call sites (upstream cross-realm fix changed the signatures)
  • bindings.cpp: OrderedHashTableHelper.h → JSOrderedHashTableHelper.h (upstream header rename)

WebKit upgrade: 39d4ce1f12ea → 51cc3feb7298

155 commits touching Source/JavaScriptCore, Source/WTF, and Source/bmalloc.

Highlights (Bun-relevant)

  • JSType.h changed — src/jsc/JSType.rs must be updated. "[JSC] Add foundation of handling builtin iterators in fast-iteration-protocol" (3d1bebd7930d, 315933) adds SentinelType immediately before ObjectType, shifting the numeric value of ObjectType and every JSType after it by one.
  • JSPromise API signature changes. "[JSC] Promise jobs must not run with the realm of a cross-realm settle site" (51cc3feb7298, 316187): rejectPromise, fulfillPromise, performPromiseThenWithInternalMicrotask, reject, fulfill, and rejectWithCaughtException no longer take a JSGlobalObject* — promise jobs are now queued on the promise's own realm via JSPromise::realm(). Any embedder code calling these APIs needs the globalObject argument dropped.
  • Header rename: OrderedHashTable.h → JSOrderedHashTable.h (and OrderedHashTableHelper.h → JSOrderedHashTableHelper.h), "Unreviewed, just making JSC::OrderedHashTable => JSC::JSOrderedHashTable" (54982d6c532d, 315420).
  • queueMicrotask fast/slow path split. "[JSC] Fold microtask queueing slow path condition to m_canFastQueueMicrotask" (e88edb51fd50, 315743) introduces JSGlobalObject::queueMicrotaskSlow; the fast path checks a single m_canFastQueueMicrotask flag.
  • Undefined-variable error message OOM hardening (69ec4dddc261, 315603) — createUndefinedVariableError now uses tryMakeString (interacts with Bun's custom "X is not defined" message).
  • Module loader cleanup: ModuleRegistryEntry error fields merged (198caec02193, 315001) — touches the module registry that Bun's synchronous module loading builds on.

New language / runtime features

  • Temporal: Intl.DateTimeFormat Temporal support and toLocaleString (5745eb4c8ff1, 315637); Temporal.Calendar object removed, JS layer updated to Stage 4 spec (b35d67a6fdad, 315608); TemporalTimeZone made destructible (4f41ed450183); third-party license files for temporal_rs / icu4x (3555ec26edc7).
  • Iterator.prototype.includes throws RangeError when skippedElements > Number.MAX_SAFE_INTEGER (40a1acb199d9, 315920).

Performance

  • Fast iteration protocol for builtin iterators: foundation (3d1bebd7930d), String fast iteration (4a781308731b, 315330), Map/Set iterators handled in DFG (300fd8c35ee7, 316074), iterator storage set at creation in DFG/FTL (0206365a0d08).
  • String#matchAll (31e38187aad2) and String#search (c800622bab89) moved to C++.
  • New DFG nodes: ArrayJoin (26b192b1d624), String.fromCodePoint (93a4fbeda183), NewWeakMap/NewWeakSet (d61d43e680e1) with inline cell allocation (8317f5c80ed4).
  • BigInt: in-place JSBigInt for inc/dec (9923753ca3b3) and small-size calculations (c60baa450f96).
  • Map/Set: gcSafeMemcpy fast path for cloning large Maps/Sets (253bd0c20582); JSOrderedHashTable over-allocation fix (f72ea56abf5c); Set prototype cleanup via forEachInSetStorage (6d826ae9d949).
  • Intl: per-unit number formatter cache in Intl.DurationFormat (7e34b0157828); language-tag canonicalization cache in IntlCache (99cab5c03916); root-locale fast path for toLocaleLowerCase/toLocaleUpperCase (e14189a28e4c).
  • Strings: improved rope-string comparison (e8eb62b22193); WTF::reverseFindDouble for Array#lastIndexOf (9a9fa471589e).
  • FTL stack overflow check moved to prologue (1b422914d55f, 172456).
  • ownPropertyKeys returns CoW arrays in the common case (a5760beba07c).
  • YARR: variable-count parentheses in YarrJIT (6646c49f2a7b, 307145); shared lead-surrogate optimization (6eff2e74e048).
  • NewTypedArrayWithSize zero-fills 8 bytes at a time (dcc2aea406e0).

Correctness / security fixes

  • Cross-realm promise realm fix (51cc3feb7298, see Highlights).
  • YARR: NonGreedy backtracking fix (95d80761e676, 316180); putRange() missing Unicode canonical equivalents U+017F/U+212A (faf717c136d1); named group omitted from indices.groups on backtrack (e1cdfab158f3, 312688).
  • DFG: GetByStatus::computeFor must not constant-fold prototype loads on dictionary structures (73689f543082); dictionary structures rejected in tryEnsureAbsence (177d2cad35bf, 78c04ea7a1bc); object allocation sinking PutByVal fix (cdfa73fdc391); StringAt CSE arrayMode fix (1f4e4caab01b); no bytecode advance when reifying inline frames at a checkpoint (4e802a14cac6).
  • Array: Array.prototype.join skipping prototype elements added during toString (f181acea4464); rematerialization preserving double-array holes when "having a bad time" (a82eb9dd7fab, eba64ef44de3); ClonedArguments::copyToArguments loop condition with non-zero offset (5099a4a8958e); Array ToPrimitive fast path ignoring valueOf override (8a7e39c2bf81).
  • matchAll fast path must not skip SpeciesConstructor when the species watchpoint is invalidated (66b61320dbd7); missing exception in replaceAllWithCacheUsingRegExpSearchThreeArguments (18a2c9a10033).
  • Map/Set iterator fast path: IteratorClose on callback throw (87547f94b76e); missing exception check in Set fast path (b67282ad890b).
  • Proxy construct trap throws TypeError from the current realm per spec (26cc47d853a8).
  • UB fix in double-to-int conversions (3825a1a93bbf).
  • Concurrency: WaiterListManager::unregister data race (21ab50e40f06); JSLock m_hasOwnerThread concurrency issue (aed1fddc0be2); RegExp::byteCodeCompileIfNecessary made threadsafe (dcf25ed3c992).
  • Wasm: Table.grow with default value (36a3e59badd1); missing exception check after rope resolution (57df341619ed); WebAssemblyCompileOptions::tryCreate OOM throw (d8b63073f0c5); Wasm::InstanceAnchor unregistration order (76b34686210f).
  • B3/Air: AirFixObviousSpills early-def modeling (fa0214fe9a50); dominance analysis in B3CanonicalizePrePostIncrements (81aa535db3c9).
  • Baseline write barrier handling in OpDelBy{Id,Val} (1cdc540e6ebe).

GC / memory

  • OSR exits' ScratchBuffers are now scanned (87b4375777a3, 309599).
  • GC safety for sunk contiguous array materialization in FTL (e638840dd2cd).
  • GC deferred while using the direct-eval CacheLookupKey (32f1bfb84129).
  • Structure-heap reservation scales with physical memory (cffeaa6ccbf4).
  • libpas: guard page in front of the compact-heap reservation (ba26b5242151); pas_enumerator_create validity check (ed57dc0915ee).
  • Removed unused WasmGC cell-types (b9019a00056e).

WTF / build

  • WTF::Variant GCC 15 build fix (3917eb489bf7); std::to_array() → WTF::toArray() (f1df550f3723).
  • Unified/jumbo build work: larger bundles (8916f524a78a), @cost weighting (9816b1440ae4), prefix-header tuning (9238babac42c) — source of many #include-style churn conflicts.
  • "Apply C-preprocessor to JS builtin files" landed (17e27ee7cfd3) then was reverted (8ed5bbe28206); JS builtins for next() restored (0047d9699435).
  • JIT helper threads get QOS_UTILITY on less powerful devices (371f7ad0ed89).

- JSPromise reject/fulfill/rejectAsHandled/rejectWithCaughtException no
  longer take a JSGlobalObject parameter; promise jobs run in the
  promise's own realm (webkit.org/b/316187). Update all call sites.
- JSType gained SentinelType before ObjectType, shifting object types
  by one; update the JSType mirror.
- OrderedHashTableHelper.h was renamed to JSOrderedHashTableHelper.h.

robobun commented Jun 4, 2026

Collaborator
Updated 8:36 PM PT - Jun 15th, 2026

@sosukesuzuki, your commit c4794e7 has 1 failure in Build #62748 (All Failures):

  • 📦 Binary size — 7 over 0.50 MB

    target                        this build   canary: main #62713   size Δ
    bun-darwin-aarch64            54.68 MB     54.19 MB              +501.1 KB
    bun-darwin-x64                60.94 MB     60.24 MB              +722.1 KB
    bun-linux-aarch64             68.17 MB     67.67 MB              +512.0 KB
    bun-linux-x64                 71.20 MB     70.39 MB              +832.0 KB
    bun-linux-x64-baseline        70.26 MB     69.45 MB              +832.0 KB
    bun-linux-aarch64-musl        61.48 MB     61.17 MB              +320.0 KB
    bun-linux-x64-musl            65.08 MB     64.72 MB              +368.0 KB
    bun-linux-x64-musl-baseline   64.42 MB     64.06 MB              +368.0 KB
    bun-linux-aarch64-android     76.45 MB     76.07 MB              +383.7 KB
    bun-linux-x64-android         79.28 MB     78.75 MB              +544.0 KB
    bun-freebsd-x64               81.93 MB     81.29 MB              +656.0 KB
    bun-freebsd-aarch64           82.91 MB     82.43 MB              +496.0 KB
    bun-windows-x64               73.96 MB     73.39 MB              +580.5 KB
    bun-windows-x64-baseline      72.98 MB     72.42 MB              +581.0 KB
    bun-windows-aarch64           68.34 MB     67.94 MB              +412.0 KB

    Add [skip size check] to the commit message if this increase is intentional.


🧪   To try this PR locally:

bunx bun-pr 31796

That installs a local version of the PR into your bun-31796 executable, so you can run:

bun-31796 --bun

github-actions Bot commented Jun 4, 2026

Contributor

Found 1 issue this PR may fix:

  1. Temporal support (TC39 stage 3 proposal) #15853 - This WebKit upgrade includes multiple Temporal-related commits (Stage 4 spec compliance, Intl.DateTimeFormat Temporal support, TemporalTimeZone made destructible, Temporal.Calendar removal per spec) that directly advance Temporal API support.

If this is helpful, copy the block below into the PR description to auto-close this issue on merge.

Fixes #15853

🤖 Generated with Claude Code

coderabbitai Bot commented Jun 4, 2026

Contributor

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 5b1e2548-001e-4f99-bc4b-ec409ba80003

📥 Commits

Reviewing files that changed from the base of the PR and between b452482 and c4794e7.

📒 Files selected for processing (1)
  • scripts/build/deps/webkit.ts

Walkthrough

Bumps the WebKit build target, inserts a JSType Sentinel (shifting subsequent JSType discriminants by +1), and updates many JSPromise reject/fulfill call sites to use vm-first overloads (removing globalObject arguments) across bindings and runtime backends.

Changes

WebKit upgrade and JavaScriptCore API alignments

Layer / File(s) and Summary:

  • JSType discriminant reindexing with Sentinel (src/jsc/JSType.rs): Insert Sentinel (JSType(32)) and shift subsequent JSType discriminants upward by 1 across object, function, boxed-primitive, arguments, array/typed-array, iterator/collection, wasm, and string-wrapper constants.
  • JSPromise API migration in core bindings infrastructure (src/jsc/bindings/bindings.cpp): Swap ordered-hash-table header and update core promise helper and module-eval rejection/settlement call sites to vm-first JSPromise overloads (drop globalObject).
  • JSPromise API migration in module loading systems (src/jsc/bindings/BunAnalyzeTranspiledModule.cpp, src/jsc/bindings/ModuleLoader.cpp, src/jsc/bindings/NodeVM.cpp): Update promise reject/fulfill call sites in module analysis, loader internals, and dynamic-import paths to use vm-first overloads and rejectWithCaughtException(vm, scope) where applicable.
  • JSPromise API migration in remaining binding and runtime layers (src/jsc/bindings/JSBundlerPlugin.cpp, src/jsc/bindings/JSSecrets.cpp, src/jsc/bindings/ZigGlobalObject.cpp, src/jsc/bindings/webcore/JSDOMPromiseDeferred.cpp, src/jsc/bindings/webcore/JSWorker.cpp, src/runtime/bake/BakeGlobalObject.cpp, src/runtime/webview/ChromeBackend.cpp, src/runtime/webview/JSWebView.cpp, src/runtime/webview/WebKitBackend.cpp): Update promise rejection/fulfillment call sites across bundler plugin, secrets job, ZigGlobalObject wasm streaming, DOM deferred promises, Worker heap-snapshot, Bake runtime import helpers, and WebView/Chrome backends to use vm-first JSPromise overloads (remove global/globalObject parameters).
  • WebKit autobuild-preview version target (scripts/build/deps/webkit.ts): WEBKIT_VERSION updated to a new autobuild-preview tag used to select prebuilt WebKit downloads and local-mode identity.

Suggested reviewers

  • Jarred-Sumner
  • alii

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The PR title mentions upgrading WebKit to a specific commit hash, but the actual changes primarily involve updating JSPromise API call sites and JSType enum values to match upstream changes, with only one file (webkit.ts) directly related to the WebKit version update.
  • Description check: ✅ Passed. The PR description comprehensively covers the changes, upstream motivations, and Bun-side adjustments required. While it doesn't strictly follow the template's 'What does this PR do?' and 'How did you verify your code works?' sections, it provides extensive technical detail about the WebKit upgrade and all required code changes.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

github-actions Bot commented Jun 4, 2026

Contributor

This PR may be a duplicate of:

  1. Bump WebKit to 6d586e293f #31706 - Also bumps WebKit version (to 6d586e293f), superseded by this PR's bump to 51cc3feb7298
  2. Bump WebKit: align V8 heap snapshot output with Chrome DevTools expectations #29557 - WebKit bump for V8 heap snapshot alignment, superseded by this newer version
  3. build: WebKit bump for bytecode-cache source-string fix #29506 - WebKit bump for bytecode-cache source-string fix, superseded by this newer version
  4. Bump WebKit to autobuild-preview-pr-185-309b1951 #29421 - WebKit bump to autobuild-preview-pr-185, superseded by this newer version
  5. build: test WebKit preview autobuild-preview-pr-187-0c3c8e5a #29580 - WebKit preview build test (explicitly marked do-not-merge), superseded by this newer version

🤖 Generated with Claude Code

@claude claude Bot left a comment

Contributor

The Bun-side adaptations look mechanically correct, but a JSC engine upgrade (155 commits, JSType renumbering, cross-realm promise semantics change) warrants a human sign-off — and per the description, WEBKIT_VERSION still points at the preview tag.

Extended reasoning...

Overview

This PR upgrades the vendored WebKit/JavaScriptCore from 39d4ce1f12ea to 51cc3feb7298 (155 upstream commits) and applies the required Bun-side adaptations:

  • scripts/build/deps/webkit.ts: WEBKIT_VERSION bumped to autobuild-preview-pr-248-cf784902 (preview build — explicitly flagged as needing a follow-up bump before merge).
  • src/jsc/JSType.rs: inserted Sentinel = 32 and shifted every value from Object through InternalFieldTuple by +1. Range checks (is_object, typed-array bounds) reference the named constants, so they shift correctly.
  • 13 C++ files: dropped the JSGlobalObject* argument from JSPromise::reject / fulfill / rejectAsHandled / rejectWithCaughtException call sites to match the upstream signature change; one header rename (OrderedHashTableHelper.h → JSOrderedHashTableHelper.h).

Security risks

No new attack surface is introduced by the Bun-side diffs themselves — they are signature adaptations and constant renumbering. The pulled-in WebKit range does include several upstream correctness/security fixes (DFG constant-folding, YARR, GC scanning of OSR scratch buffers, etc.), which is net positive but also means a large body of new engine code is being adopted.

Level of scrutiny

High. This is a JS engine upgrade — the most foundational dependency in the project. Even though each Bun-side edit is mechanical, the upstream changes alter promise-realm semantics (jobs now queue on the promise's own realm via JSPromise::realm()), which interacts with Bun's multi-global setups (node:vm, workers, Bake, WebView). The JSType renumbering must exactly match the C++ enum across the FFI boundary; a one-off error would be a silent miscompile.

Other factors

  • The PR description itself states WEBKIT_VERSION must be bumped from the preview tag to the real autobuild-<sha> before merge, so this is not yet in a mergeable state by the author's own criteria.
  • No bugs were flagged by the bug-hunting pass, and spot-checking the JSType.rs shift and the reject/fulfill call-site edits shows them to be consistent and complete.
  • CI build is still in progress; engine upgrades typically need the full test matrix to validate.
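
The review comment above notes that the JSType renumbering must match the C++ enum exactly across the FFI boundary. The following added example (not code from this PR, Bun, or WebKit) compares a Rust mirror against a C++ enum and reports the off-by-one drift that inserting SentinelType causes. Both excerpts are constructed: the `Hypothetical*` names and the "drop the `Type` suffix" naming rule are assumptions, and only Sentinel = 32 and Object = 33 follow from the page.

```rust
use std::collections::BTreeMap;

// Constructed C++ excerpt, not the real JSType.h. Enumerators without an
// initializer take the previous value + 1, so one insertion shifts the rest.
const CPP_ENUM: &str = r#"
enum JSType : uint8_t {
    HypotheticalCellType = 31, // constructed anchor so the next entry is 32
    SentinelType,              // new upstream entry, inserted before ObjectType
    ObjectType,
    HypotheticalFunctionType,
};
"#;

// Constructed mirror as it would look before the upgrade (no Sentinel).
const STALE_MIRROR: &str = r#"
pub const HypotheticalCell: JSType = JSType(31);
pub const Object: JSType = JSType(32);
pub const HypotheticalFunction: JSType = JSType(33);
"#;

// Constructed mirror after adding Sentinel and shifting object types by +1.
const UPDATED_MIRROR: &str = r#"
pub const HypotheticalCell: JSType = JSType(31);
pub const Sentinel: JSType = JSType(32);
pub const Object: JSType = JSType(33);
pub const HypotheticalFunction: JSType = JSType(34);
"#;

/// Parse enumerators and resolve implicit values the way a C++ compiler does.
fn parse_cpp_enum(src: &str) -> Result<Vec<(String, u32)>, String> {
    // Strip `//` comments first so commas inside comments are not separators.
    let code = src
        .lines()
        .map(|l| l.split("//").next().unwrap_or(""))
        .collect::<Vec<_>>()
        .join("\n");
    let open = code.find('{').ok_or("no '{' in enum")?;
    let close = code.rfind('}').ok_or("no '}' in enum")?;
    if close <= open {
        return Err("malformed enum body".to_string());
    }
    let mut next = 0u32;
    let mut out = Vec::new();
    for item in code[open + 1..close].split(',') {
        let item = item.trim();
        if item.is_empty() {
            continue; // trailing comma
        }
        let (name, value) = match item.split_once('=') {
            Some((n, v)) => {
                let parsed = v.trim().parse::<u32>().map_err(|e| format!("{}: {}", n.trim(), e))?;
                (n.trim(), parsed)
            }
            None => (item, next),
        };
        out.push((name.to_string(), value));
        next = value + 1;
    }
    Ok(out)
}

/// Parse `pub const Name: JSType = JSType(N);` lines; other lines are ignored.
fn parse_rust_mirror(src: &str) -> BTreeMap<String, u32> {
    let mut out = BTreeMap::new();
    for line in src.lines() {
        let Some(rest) = line.trim().strip_prefix("pub const ") else { continue };
        let Some((name, tail)) = rest.split_once(':') else { continue };
        let Some((_, after)) = tail.split_once("JSType(") else { continue };
        let Some((digits, _)) = after.split_once(')') else { continue };
        if let Ok(v) = digits.trim().parse::<u32>() {
            out.insert(name.trim().to_string(), v);
        }
    }
    out
}

/// Report every C++ enumerator that is missing from, or numbered differently
/// in, the mirror. An empty result means the two sides agree.
fn find_drift(cpp: &[(String, u32)], mirror: &BTreeMap<String, u32>) -> Vec<String> {
    let mut findings = Vec::new();
    for (cpp_name, cpp_value) in cpp {
        // Assumed naming rule: the mirror drops the C++ `Type` suffix.
        let rust_name = cpp_name.strip_suffix("Type").unwrap_or(cpp_name.as_str());
        match mirror.get(rust_name) {
            None => findings.push(format!("{}: missing from mirror (C++ = {})", rust_name, cpp_value)),
            Some(v) if v != cpp_value => {
                findings.push(format!("{}: mirror = {}, C++ = {}", rust_name, v, cpp_value))
            }
            Some(_) => {}
        }
    }
    findings
}

fn main() {
    let cpp = parse_cpp_enum(CPP_ENUM).expect("constructed enum parses");
    for (label, src) in [("stale", STALE_MIRROR), ("updated", UPDATED_MIRROR)] {
        let drift = find_drift(&cpp, &parse_rust_mirror(src));
        println!("{} mirror: {} finding(s)", label, drift.len());
        for d in &drift {
            println!("  {}", d);
        }
    }
}
```

Run as a CI step against the real header and mirror, a non-empty result would fail the build instead of leaving a mismatched discriminant to surface at runtime.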

sosukesuzuki and others added 2 commits June 11, 2026 11:23
> [\!NOTE]
> **Stacked on #31796** (base branch is
`claude/webkit-upgrade-51cc3feb7298`). Retarget to `main` after #31796
merges.
>
> `WEBKIT_VERSION` currently points at the preview build
`autobuild-preview-pr-251-10fc0cab` from
[oven-sh/WebKit#251](oven-sh/WebKit#251). After
that PR merges, bump it to the merge commit's `autobuild-<sha>` release
before merging this PR.

## Bun-side changes

- `VM::getHostFunction` gained an `unsigned length` parameter
(name/length now live on the `NativeExecutable`), and
`JSFunction::finishCreation(VM&, NativeExecutable*, unsigned, const
String&)` was deleted upstream. Updated `JSWrappingFunction`,
`JSFFIFunction`, `NapiClass`, and `JSSQLStatementConstructor` to pass
length/name through `getHostFunction` and use the default
`finishCreation(VM&)`.

## WebKit-fork-side changes (in the merge, oven-sh/WebKit#251)

- Ported the `USE(BUN_JSC_ADDITIONS)` AsyncLocalStorage context wrapping
to upstream's reworked internals:
`InternalMicrotask::AsyncGeneratorResumeNext` →
`AsyncGeneratorAwaitReturn`, and `Promise.prototype.finally` contexts
now use `JSSlimPromiseReaction` instead of
`JSPromiseCombinatorsGlobalContext`.
- Cross-compile fixes: `mig` lookup falls back to `find_program` when
`WebKitXcodeSDK.cmake` isn't included (Linux-hosted macOS build); the
new `InlineCacheHandler::offsetOfUid() == 40` layout-drift
`static_assert` is skipped on Windows, where the MSVC ABI ignores
`[[no_unique_address]]` and the offset is 48.

## Verification

- Full debug build against local WebKit; smoke-tested async generator
`return`/`throw`, AsyncLocalStorage across `await`/`.finally()`/`for
await`, `Promise.prototype.finally` semantics, sqlite, and
`expect.extend`.
- Test runs: `AsyncLocalStorage.test.ts`,
`async-local-storage-thenable.test.ts`,
`AsyncLocalStorage-tracking.test.ts` (74 pass), `ffi.test.js`, napi name
tests — all green.

# WebKit upgrade: `51cc3feb7298` → `24362e675175`

83 commits touching `Source/JavaScriptCore`, `Source/WTF`, and
`Source/bmalloc`.

## Highlights (Bun-relevant)

- **`JSType.h` is unchanged in this range** — no JSType additions or
reordering, so Bun's JSType-based checks need no updates.

- **NativeExecutable gains `name`/`length`, JSFunction `finishCreation`
overloads deleted** (`a633a8abfee7`,
[316443](https://bugs.webkit.org/show_bug.cgi?id=316443)).
NativeExecutable now stores name and length the same way
FunctionExecutable does, so `bind` on native functions stops hitting the
slow path. Embedder-visible API changes:
- `NativeExecutable::create(...)` and both `VM::getHostFunction(...)`
overloads take a new `unsigned length` parameter before `name`.
- `JSFunction::finishCreation(VM&, NativeExecutable*, unsigned length,
const String& name)` (and the ASSERT-only `finishCreation(VM&)`) are
deleted, replaced by `DECLARE_DEFAULT_FINISH_CREATION`. Subclasses that
called the old overload must pass length/name through `NativeExecutable`
instead.
- `JSNativeStdFunction::create` / `JSFunctionWithFields::create` no
longer take separate length/name arguments where the executable already
carries them. New `NativeExecutable::length()` and `nameJSString(VM&)`
accessors.

- **Async generators rewritten to current spec** (`d096ff9cfae1`,
[316447](https://bugs.webkit.org/show_bug.cgi?id=316447)).
`InternalMicrotask::AsyncGeneratorResumeNext` is renamed to
`AsyncGeneratorAwaitReturn` (enum in `Microtask.h`; corresponding
link-time constant removed). The generator state machine replaces
`AwaitingReturn` with a new `DrainingQueue` state and adds a
`YieldNoAwait` suspend reason (reason bit-field widened from 1 to 2
bits). `%AsyncGeneratorPrototype%.return`/`.throw` move from JS builtins
to C++ host functions. Fixes re-entrancy confusion when
`Object.prototype.then` is patched.

- **Promise internals cleanup** (`7b0aff184802`,
[316553](https://bugs.webkit.org/show_bug.cgi?id=316553)).
`JSPromiseCombinatorsGlobalContext` is no longer used as a generic cell
holder: `Promise.prototype.finally` now stores its context in a
`JSSlimPromiseReaction` instead. The combinator context itself now uses
a `uint64_t` remaining-elements count. (Builds on `a633a8abfee7`, which
already touched the same `finally` host functions.)

- **GC / Heap changes**:
- `e69c47917811`
([311420](https://bugs.webkit.org/show_bug.cgi?id=311420)): Heap now
protects StringImpls swapped out by `JSString::swapToAtomString` while a
`GCOwnedDataScope` is on the stack —
`m_possiblyAccessedStringsFromConcurrentThreads` becomes a `(JSString*,
String)` pair list pruned via conservative-root discovery instead of
cleared wholesale. Fixes a dangling-buffer bug.
- `c8e53c74403f`
([316635](https://bugs.webkit.org/show_bug.cgi?id=316635)):
`Heap::clearConcurrentRetainedDataIfPossible()` no longer runs while
concurrent marking is active — fixes a collector-thread use-after-free
on racily-loaded StringImpls.
- `441e3da20428`
([316713](https://bugs.webkit.org/show_bug.cgi?id=316713)):
`deleteUnmarkedCompiledCode` now runs with an unset AtomStringTable in
`Heap::runEndPhase`.
- `4d73bc11dd6c`
([316385](https://bugs.webkit.org/show_bug.cgi?id=316385)):
`FreeList::forEach` interval assert bounded by `MarkedBlock::blockSize`.

- **Module loader fixes**:
- `5c64352cd6cc`
([316615](https://bugs.webkit.org/show_bug.cgi?id=316615)):
`GatherAvailableAncestors` / `AsyncModuleExecutionRejected` in
`CyclicModuleRecord` made iterative — no more stack overflow on deep
async module graphs (top-level-await chains).
- `e46667fac721`
([316610](https://bugs.webkit.org/show_bug.cgi?id=316610)): deferred
module namespace objects (`import defer`) no longer leak the synthetic
`"then"` into `Object.keys`.

- **WTF changes embedders may feel**:
- `aae76637c06f`
([316554](https://bugs.webkit.org/show_bug.cgi?id=316554)):
`URLParser`/IDNA — ASCII domains can no longer fail IDNA mapping, even
when they start with `xn--`. Affects `WTF::URL` host parsing behavior.
- `59604007e4c6`
([316511](https://bugs.webkit.org/show_bug.cgi?id=316511)):
`clampToInteger<T>` in `MathExtras.h` now correctly clamps values below
`INT_MIN`.
- `3997b5c96e77`
([316692](https://bugs.webkit.org/show_bug.cgi?id=316692)): revert of an
`AutomaticThread` change that introduced a race permanently inflating
the active thread count (affected JIT/Wasm worklist threads).
- `6667782c52fa`
([316510](https://bugs.webkit.org/show_bug.cgi?id=316510)): missing
`return` statements fixed in `LazyRef.h`/`LazyUniqueRef.h`.
- Removed files: `wtf/MainThreadData.h`, `wtf/StatisticsManager.{h,cpp}`
(dead-code sweeps `012c64ce3ab1`, `5101cdc679ab`); JSC drops
`dfg/DFGPropertyTypeKey.h` and the unused `TemporalTimeZone*` classes.

- **Codebase-wide C++ modernization** that can affect Bun's C++ bindings
compile: `ab23e0e34b7c`
([304023](https://bugs.webkit.org/show_bug.cgi?id=304023)) uses C++20
concepts across JSC (touches `WriteBarrier.h`, `CagedBarrierPtr.h`);
`f582e488dbf4`
([316055](https://bugs.webkit.org/show_bug.cgi?id=316055)) replaces
C-style arrays with `WTF::toArray()`; `66a98ce83600`
([316364](https://bugs.webkit.org/show_bug.cgi?id=316364)) guards
`Platform.h` defines with `!defined()` checks.

## New language / runtime features

- **`Temporal.ZonedDateTime` implemented** (`27ac373783f0`,
[315939](https://bugs.webkit.org/show_bug.cgi?id=315939)) — ~7.5k lines;
the largest change in the range. Follow-ups: carry non-primary time
zones (`c39b3d4d67cb`,
[316517](https://bugs.webkit.org/show_bug.cgi?id=316517)), spec-aligned
option helpers / Duration internals and removal of the obsolete
`TemporalTimeZone` classes (`063066dc87c7`,
[316370](https://bugs.webkit.org/show_bug.cgi?id=316370)), `destroy`
function for `TemporalZonedDateTime` (`1c8ae9884a85`,
[316334](https://bugs.webkit.org/show_bug.cgi?id=316334)).
- Class-field anonymous function names are now set at parse time instead
of via the `SetFunctionName` bytecode (`b6a9b84dae1f`,
[316646](https://bugs.webkit.org/show_bug.cgi?id=316646)).
- Wasm: `Table` constructor fills funcref tables correctly when the
default value is a wrapper function (`7a35a1699bc9`,
[316280](https://bugs.webkit.org/show_bug.cgi?id=316280)).

## Performance

- New DFG `MultiGetByVal` / `MultiPutByVal` nodes for polymorphic array
access (`8f6bc9a16adf`,
[315832](https://bugs.webkit.org/show_bug.cgi?id=315832)).
- `RegExp.prototype[Symbol.match]` moved from JS builtin to C++ with DFG
intrinsic support (`e922a2cecfac`,
[316509](https://bugs.webkit.org/show_bug.cgi?id=316509)).
- YARR regexp engine: auto-possession optimization (`2a8223d802c8`,
[316491](https://bugs.webkit.org/show_bug.cgi?id=316491)), optimized
ParenContext save/restore (`eef93d3c2048`,
[316555](https://bugs.webkit.org/show_bug.cgi?id=316555)), FixedCount
model changed from save-at-END to save-at-BEGIN (`a92d79b27748`,
[316275](https://bugs.webkit.org/show_bug.cgi?id=316275)),
`ParenthesesSubpatternFixedCount` now supports captures (`3f58e2018a6b`,
[316599](https://bugs.webkit.org/show_bug.cgi?id=316599)).
- Struct-layout optimizations: Parser and Lexer (`8243c6b69d66`,
[316211](https://bugs.webkit.org/show_bug.cgi?id=316211)),
InlineCacheHandler (`8cb7e38ecdc8`,
[316163](https://bugs.webkit.org/show_bug.cgi?id=316163)); Wasm
`FuncRefTable` entry size reduced (`8abf5256fdcb`,
[316305](https://bugs.webkit.org/show_bug.cgi?id=316305)).
- Promise combinators presize the result array from the iterable's size
hint (`c6900eb69893`,
[316548](https://bugs.webkit.org/show_bug.cgi?id=316548)); redundant
eager `length` definition removed from `JSPromiseConstructor`
(`deb8f86fbe49`,
[316478](https://bugs.webkit.org/show_bug.cgi?id=316478)).
- Temporal: ICU `UCalendar` cached per CalendarID (`7636f6149708`,
[316569](https://bugs.webkit.org/show_bug.cgi?id=316569)).

## Fixes

**Spec correctness / runtime:**
- Map/Set iteration fast paths perform `IteratorClose` when the callback
throws (`84a71a9868ed`,
[316495](https://bugs.webkit.org/show_bug.cgi?id=316495)).
- `String#split` RegExp fast path missed side effects of
`ToString(this)` / `ToUint32(limit)` (`b4b15818d650`,
[316508](https://bugs.webkit.org/show_bug.cgi?id=316508)).
- `isDefinitelyNonThenable` Structure cache could go stale when the
prototype belongs to another realm (`8d6b11214830`,
[316506](https://bugs.webkit.org/show_bug.cgi?id=316506)) — affects
promise resolution fast paths.
- "Singleton" invalidation now propagates to the originating SymbolTable
(`6da8ead481eb`,
[316472](https://bugs.webkit.org/show_bug.cgi?id=316472)).
- Fixed opcode assert on `Array.prototype.sort` OSR exit
(`e7d51d19e065`,
[316296](https://bugs.webkit.org/show_bug.cgi?id=316296)).
- YARR: string-list fast path dropped a non-final empty alternative
(`e6d0f57f8d04`,
[316288](https://bugs.webkit.org/show_bug.cgi?id=316288)); interpreter
greedy backtracking now tries up to max count (`5fe4838cb7d1`,
[316378](https://bugs.webkit.org/show_bug.cgi?id=316378)).

**Wasm:**
- Name section parsing made thread-safe (`24362e675175`,
[309538](https://bugs.webkit.org/show_bug.cgi?id=309538)).
- IPInt `memory.atomic.notify`/`wait` and `memory.grow` mishandled dirty
upper bits of i32 operands (`a0d2eebf9e13`,
[316507](https://bugs.webkit.org/show_bug.cgi?id=316507)).
- OMG tail-call patchpoint clobbers late pinned registers
(`c18d1e3571f4`,
[316227](https://bugs.webkit.org/show_bug.cgi?id=316227)).

**Temporal / Intl hardening** (mostly crash and OOB fixes in the new
Temporal code):
- OOB read in `ISO8601::parseDate` on short invalid strings
(`d58bad697e50`,
[316366](https://bugs.webkit.org/show_bug.cgi?id=316366)); crash in
`PlainMonthDay.from` with very large strings (`221dcc89aba8`,
[316805](https://bugs.webkit.org/show_bug.cgi?id=316805)); double-throw
crash in Temporal constructors (`19e18af9f088`,
[316793](https://bugs.webkit.org/show_bug.cgi?id=316793)); `PlainDate`
add/subtract day-range assertion (`2c290815d421`,
[316368](https://bugs.webkit.org/show_bug.cgi?id=316368)).
- Stricter ICU error handling (`178eab311235`,
[316346](https://bugs.webkit.org/show_bug.cgi?id=316346));
`toIntegerWithTruncation` for Temporal conversions (`66267990831b`,
[316369](https://bugs.webkit.org/show_bug.cgi?id=316369)); Japanese era
fast-path validation (`31e50e893a11`,
[316477](https://bugs.webkit.org/show_bug.cgi?id=316477)); date-spec
invariants (`544a3bff9b31`,
[316440](https://bugs.webkit.org/show_bug.cgi?id=316440)).
- `Intl.DateTimeFormat` with Temporal types: era width preserved
(`9cd3289437d5`,
[316048](https://bugs.webkit.org/show_bug.cgi?id=316048)); calendar
passed to ICU in BCP47 form (`45b638378595`,
[315984](https://bugs.webkit.org/show_bug.cgi?id=315984)).

**Build / misc:**
- Non-unified and unified build fixes (`ee637a607df2`,
[316381](https://bugs.webkit.org/show_bug.cgi?id=316381);
`6c8b20e9f7b2`,
[316374](https://bugs.webkit.org/show_bug.cgi?id=316374)); PlayStation
SIMDUTF AVX-512 build fix (`08e30f68509b`,
[316649](https://bugs.webkit.org/show_bug.cgi?id=316649)).
- Build-parallelism work landed, was reverted, and re-landed
(`c9e9995641cc` → `653a36adb39a` → `09f89f078e7d`,
[316232](https://bugs.webkit.org/show_bug.cgi?id=316232)); assorted
CMake configuration changes (Apple SDK/ICU handling, configure-time
probe skipping).
- Dead-code removal sweeps (`012c64ce3ab1`,
[316520](https://bugs.webkit.org/show_bug.cgi?id=316520);
`5101cdc679ab`,
[316502](https://bugs.webkit.org/show_bug.cgi?id=316502)); libpas test
harness changes (`e7665a906ab0`,
[316595](https://bugs.webkit.org/show_bug.cgi?id=316595);
`1a8a72a5bc1a`,
[316457](https://bugs.webkit.org/show_bug.cgi?id=316457)).
- Remaining commits in the range are Web Inspector / Site Isolation
protocol work, CSS `calc-mix()`, MediaSession, and visionOS test changes
that only incidentally touch generated inspector code under
`Source/JavaScriptCore/inspector`.
Comment thread scripts/build/deps/webkit.ts Outdated
Move WEBKIT_VERSION off the per-PR preview build onto the latest
released autobuild, which includes the YarrJIT variable-count
parentheses fix.
Comment thread scripts/build/deps/webkit.ts Outdated
// importing), and the Windows ICU data table filtered + per-item zstd
// compressed (lazily decompressed via bun_icu_decompress.cpp).
export const WEBKIT_VERSION = "6d586e293f008f0e74e5697611a379b1b24815c9";
export const WEBKIT_VERSION = "autobuild-9cb85a0716065c461bea14a0de9fe7139e5323aa";
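
Review bot: The visible part of the comment above `WEBKIT_VERSION` does not say which identifier form the constant accepts, and here the value moves from a bare 40-character hash to an `autobuild-` prefixed release name. Since this string selects the prebuilt engine that ships in the binary, add a one-line comment next to the constant stating the expected form and the upstream WebKit revision the release was built from, so a later bump can be checked against the fork's release without leaving this file.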

Member

this can point at main now?
