
Upgrade WebKit to 24362e675175 #32105

Merged: Jarred-Sumner merged 4 commits into claude/webkit-upgrade-51cc3feb7298 from claude/webkit-upgrade-24362e675175 on Jun 12, 2026

Conversation

@sosukesuzuki

Contributor

Note

Stacked on #31796 (base branch is claude/webkit-upgrade-51cc3feb7298). Retarget to main after #31796 merges.

WEBKIT_VERSION currently points at the preview build autobuild-preview-pr-251-10fc0cab from oven-sh/WebKit#251. After that PR merges, bump it to the merge commit's autobuild-<sha> release before merging this PR.

Bun-side changes

  • VM::getHostFunction gained an unsigned length parameter (name/length now live on the NativeExecutable), and JSFunction::finishCreation(VM&, NativeExecutable*, unsigned, const String&) was deleted upstream. Updated JSWrappingFunction, JSFFIFunction, NapiClass, and JSSQLStatementConstructor to pass length/name through getHostFunction and use the default finishCreation(VM&).

WebKit-fork-side changes (in the merge, oven-sh/WebKit#251)

  • Ported the USE(BUN_JSC_ADDITIONS) AsyncLocalStorage context wrapping to upstream's reworked internals: InternalMicrotask::AsyncGeneratorResumeNext → AsyncGeneratorAwaitReturn, and Promise.prototype.finally contexts now use JSSlimPromiseReaction instead of JSPromiseCombinatorsGlobalContext.
  • Cross-compile fixes: mig lookup falls back to find_program when WebKitXcodeSDK.cmake isn't included (Linux-hosted macOS build); the new InlineCacheHandler::offsetOfUid() == 40 layout-drift static_assert is skipped on Windows, where the MSVC ABI ignores [[no_unique_address]] and the offset is 48.

Verification

  • Full debug build against local WebKit; smoke-tested async generator return/throw, AsyncLocalStorage across await/.finally()/for await, Promise.prototype.finally semantics, sqlite, and expect.extend.
  • Test runs: AsyncLocalStorage.test.ts, async-local-storage-thenable.test.ts, AsyncLocalStorage-tracking.test.ts (74 pass), ffi.test.js, napi name tests — all green.

WebKit upgrade: 51cc3feb7298 → 24362e675175

83 commits touching Source/JavaScriptCore, Source/WTF, and Source/bmalloc.

Highlights (Bun-relevant)

  • JSType.h is unchanged in this range — no JSType additions or reordering, so Bun's JSType-based checks need no updates.

  • NativeExecutable gains name/length, JSFunction finishCreation overloads deleted (a633a8abfee7, 316443). NativeExecutable now stores name and length the same way FunctionExecutable does, so bind on native functions stops hitting the slow path. Embedder-visible API changes:

    • NativeExecutable::create(...) and both VM::getHostFunction(...) overloads take a new unsigned length parameter before name.
    • JSFunction::finishCreation(VM&, NativeExecutable*, unsigned length, const String& name) (and the ASSERT-only finishCreation(VM&)) are deleted, replaced by DECLARE_DEFAULT_FINISH_CREATION. Subclasses that called the old overload must pass length/name through NativeExecutable instead.
    • JSNativeStdFunction::create / JSFunctionWithFields::create no longer take separate length/name arguments where the executable already carries them. New NativeExecutable::length() and nameJSString(VM&) accessors.
  • Async generators rewritten to current spec (d096ff9cfae1, 316447). InternalMicrotask::AsyncGeneratorResumeNext is renamed to AsyncGeneratorAwaitReturn (enum in Microtask.h; corresponding link-time constant removed). The generator state machine replaces AwaitingReturn with a new DrainingQueue state and adds a YieldNoAwait suspend reason (reason bit-field widened from 1 to 2 bits). %AsyncGeneratorPrototype%.return/.throw move from JS builtins to C++ host functions. Fixes re-entrancy confusion when Object.prototype.then is patched.

  • Promise internals cleanup (7b0aff184802, 316553). JSPromiseCombinatorsGlobalContext is no longer used as a generic cell holder: Promise.prototype.finally now stores its context in a JSSlimPromiseReaction instead. The combinator context itself now uses a uint64_t remaining-elements count. (Builds on a633a8abfee7, which already touched the same finally host functions.)

  • GC / Heap changes:

    • e69c47917811 (311420): Heap now protects StringImpls swapped out by JSString::swapToAtomString while a GCOwnedDataScope is on the stack — m_possiblyAccessedStringsFromConcurrentThreads becomes a (JSString*, String) pair list pruned via conservative-root discovery instead of cleared wholesale. Fixes a dangling-buffer bug.
    • c8e53c74403f (316635): Heap::clearConcurrentRetainedDataIfPossible() no longer runs while concurrent marking is active — fixes a collector-thread use-after-free on racily-loaded StringImpls.
    • 441e3da20428 (316713): deleteUnmarkedCompiledCode now runs with an unset AtomStringTable in Heap::runEndPhase.
    • 4d73bc11dd6c (316385): FreeList::forEach interval assert bounded by MarkedBlock::blockSize.
  • Module loader fixes:

    • 5c64352cd6cc (316615): GatherAvailableAncestors / AsyncModuleExecutionRejected in CyclicModuleRecord made iterative — no more stack overflow on deep async module graphs (top-level-await chains).
    • e46667fac721 (316610): deferred module namespace objects (import defer) no longer leak the synthetic "then" into Object.keys.
  • WTF changes embedders may feel:

    • aae76637c06f (316554): URLParser/IDNA — ASCII domains can no longer fail IDNA mapping, even when they start with xn--. Affects WTF::URL host parsing behavior.
    • 59604007e4c6 (316511): clampToInteger<T> in MathExtras.h now correctly clamps values below INT_MIN.
    • 3997b5c96e77 (316692): revert of an AutomaticThread change that introduced a race permanently inflating the active thread count (affected JIT/Wasm worklist threads).
    • 6667782c52fa (316510): missing return statements fixed in LazyRef.h/LazyUniqueRef.h.
    • Removed files: wtf/MainThreadData.h, wtf/StatisticsManager.{h,cpp} (dead-code sweeps 012c64ce3ab1, 5101cdc679ab); JSC drops dfg/DFGPropertyTypeKey.h and the unused TemporalTimeZone* classes.
  • Codebase-wide C++ modernization that can affect Bun's C++ bindings compile: ab23e0e34b7c (304023) uses C++20 concepts across JSC (touches WriteBarrier.h, CagedBarrierPtr.h); f582e488dbf4 (316055) replaces C-style arrays with WTF::toArray(); 66a98ce83600 (316364) guards Platform.h defines with !defined() checks.

New language / runtime features

  • Temporal.ZonedDateTime implemented (27ac373783f0, 315939) — ~7.5k lines; the largest change in the range. Follow-ups: carry non-primary time zones (c39b3d4d67cb, 316517), spec-aligned option helpers / Duration internals and removal of the obsolete TemporalTimeZone classes (063066dc87c7, 316370), destroy function for TemporalZonedDateTime (1c8ae9884a85, 316334).
  • Class-field anonymous function names are now set at parse time instead of via the SetFunctionName bytecode (b6a9b84dae1f, 316646).
  • Wasm: Table constructor fills funcref tables correctly when the default value is a wrapper function (7a35a1699bc9, 316280).

Performance

  • New DFG MultiGetByVal / MultiPutByVal nodes for polymorphic array access (8f6bc9a16adf, 315832).
  • RegExp.prototype[Symbol.match] moved from JS builtin to C++ with DFG intrinsic support (e922a2cecfac, 316509).
  • YARR regexp engine: auto-possession optimization (2a8223d802c8, 316491), optimized ParenContext save/restore (eef93d3c2048, 316555), FixedCount model changed from save-at-END to save-at-BEGIN (a92d79b27748, 316275), ParenthesesSubpatternFixedCount now supports captures (3f58e2018a6b, 316599).
  • Struct-layout optimizations: Parser and Lexer (8243c6b69d66, 316211), InlineCacheHandler (8cb7e38ecdc8, 316163); Wasm FuncRefTable entry size reduced (8abf5256fdcb, 316305).
  • Promise combinators presize the result array from the iterable's size hint (c6900eb69893, 316548); redundant eager length definition removed from JSPromiseConstructor (deb8f86fbe49, 316478).
  • Temporal: ICU UCalendar cached per CalendarID (7636f6149708, 316569).

Fixes

Spec correctness / runtime:

  • Map/Set iteration fast paths perform IteratorClose when the callback throws (84a71a9868ed, 316495).
  • String#split RegExp fast path missed side effects of ToString(this) / ToUint32(limit) (b4b15818d650, 316508).
  • isDefinitelyNonThenable Structure cache could go stale when the prototype belongs to another realm (8d6b11214830, 316506) — affects promise resolution fast paths.
  • "Singleton" invalidation now propagates to the originating SymbolTable (6da8ead481eb, 316472).
  • Fixed opcode assert on Array.prototype.sort OSR exit (e7d51d19e065, 316296).
  • YARR: string-list fast path dropped a non-final empty alternative (e6d0f57f8d04, 316288); interpreter greedy backtracking now tries up to max count (5fe4838cb7d1, 316378).

Wasm:

  • Name section parsing made thread-safe (24362e675175, 309538).
  • IPInt memory.atomic.notify/wait and memory.grow mishandled dirty upper bits of i32 operands (a0d2eebf9e13, 316507).
  • OMG tail-call patchpoint clobbers late pinned registers (c18d1e3571f4, 316227).

Temporal / Intl hardening (mostly crash and OOB fixes in the new Temporal code):

  • OOB read in ISO8601::parseDate on short invalid strings (d58bad697e50, 316366); crash in PlainMonthDay.from with very large strings (221dcc89aba8, 316805); double-throw crash in Temporal constructors (19e18af9f088, 316793); PlainDate add/subtract day-range assertion (2c290815d421, 316368).
  • Stricter ICU error handling (178eab311235, 316346); toIntegerWithTruncation for Temporal conversions (66267990831b, 316369); Japanese era fast-path validation (31e50e893a11, 316477); date-spec invariants (544a3bff9b31, 316440).
  • Intl.DateTimeFormat with Temporal types: era width preserved (9cd3289437d5, 316048); calendar passed to ICU in BCP47 form (45b638378595, 315984).

Build / misc:

  • Non-unified and unified build fixes (ee637a607df2, 316381; 6c8b20e9f7b2, 316374); PlayStation SIMDUTF AVX-512 build fix (08e30f68509b, 316649).
  • Build-parallelism work landed, was reverted, and re-landed (c9e9995641cc, 653a36adb39a, 09f89f078e7d, 316232); assorted CMake configuration changes (Apple SDK/ICU handling, configure-time probe skipping).
  • Dead-code removal sweeps (012c64ce3ab1, 316520; 5101cdc679ab, 316502); libpas test harness changes (e7665a906ab0, 316595; 1a8a72a5bc1a, 316457).
  • Remaining commits in the range are Web Inspector / Site Isolation protocol work, CSS calc-mix(), MediaSession, and visionOS test changes that only incidentally touch generated inspector code under Source/JavaScriptCore/inspector.

@robobun

robobun commented Jun 11, 2026

Collaborator
Updated 9:27 AM PT - Jun 11th, 2026

@sosukesuzuki, your commit d39bacb has 1 failure in Build #61917 (All Failures):

  • 📦 Binary size — 7 over 0.50 MB
  • target                         this build   canary: main #61851   size Δ
    bun-darwin-aarch64             54.69 MB     54.22 MB              +485.0 KB
    bun-darwin-x64                 60.96 MB     60.25 MB              +722.1 KB
    bun-linux-aarch64              68.17 MB     67.67 MB              +512.0 KB
    bun-linux-x64                  71.20 MB     70.39 MB              +832.0 KB
    bun-linux-x64-baseline         70.28 MB     69.45 MB              +848.0 KB
    bun-linux-aarch64-musl         61.48 MB     61.17 MB              +320.0 KB
    bun-linux-x64-musl             65.09 MB     64.73 MB              +368.0 KB
    bun-linux-x64-musl-baseline    64.44 MB     64.08 MB              +368.0 KB
    bun-linux-aarch64-android      76.51 MB     76.07 MB              +447.7 KB
    bun-linux-x64-android          79.30 MB     78.75 MB              +560.0 KB
    bun-freebsd-x64                81.95 MB     81.30 MB              +656.0 KB
    bun-freebsd-aarch64            82.93 MB     82.45 MB              +496.0 KB
    bun-windows-x64                73.97 MB     73.40 MB              +581.0 KB
    bun-windows-x64-baseline       72.99 MB     72.42 MB              +581.5 KB
    bun-windows-aarch64            68.35 MB     67.95 MB              +412.0 KB

    Add [skip size check] to the commit message if this increase is intentional.


🧪 To try this PR locally:

bunx bun-pr 32105

That installs a local version of the PR into your bun-32105 executable, so you can run:

bun-32105 --bun

@github-actions

Contributor

Found 7 issues this PR may fix:

  1. Temporal support (TC39 stage 3 proposal) #15853 - Upstream JSC now implements Temporal.ZonedDateTime (~7.5k lines), advancing Temporal API support
  2. Node.js is 300x faster than Bun at isbot regexp #5197 - YARR auto-possession optimization reduces catastrophic backtracking in regexps
  3. Character set intersection of complement classes in v-mode regular expressions not considered #30183 - YARR fixes address character set intersection of complement classes in v-mode regexps
  4. Regex with unicode property behaves differently on certain CJK strings #24457 - YARR unicode property handling improvements may fix incorrect behavior on CJK strings
  5. Async generator function are not properly identified in console.log #18324 - Upstream async generator rewrite to spec (AwaitingReturn → DrainingQueue) may fix identification in console.log
  6. Crash with Typescript Compiler API #18960 - Module loader stack overflow fix (GatherAvailableAncestors/AsyncModuleExecutionRejected made iterative)
  7. Segfault in JSFFIFunction::trampoline on Windows standalone executable after sustained FFI polling #31941 - JSFFIFunction is directly modified in this PR; trampoline/finishCreation changes may fix this Windows segfault

If this is helpful, copy the block below into the PR description to auto-close these issues on merge.

Fixes #15853
Fixes #5197
Fixes #30183
Fixes #24457
Fixes #18324
Fixes #18960
Fixes #31941

🤖 Generated with Claude Code

Adapt to upstream JSC API changes:
- VM::getHostFunction gained an unsigned length parameter; name and
  length now live on the NativeExecutable
- JSFunction::finishCreation(VM&, NativeExecutable*, unsigned, const String&)
  was removed; subclasses use the default finishCreation(VM&)

Binary size grows ~200-530 KB per platform from upstream additions
(notably Temporal.ZonedDateTime).

[skip size check]
@sosukesuzuki sosukesuzuki force-pushed the claude/webkit-upgrade-24362e675175 branch from dd001f9 to d11ea2b on June 11, 2026 09:32
@sosukesuzuki sosukesuzuki force-pushed the claude/webkit-upgrade-24362e675175 branch from 7ebd220 to dbda0f1 on June 11, 2026 11:24
Fixes the macOS x64 segfault at parse time: alignas(64) Lexer was
heap-allocated without its required alignment because the FastMalloc
class allocator macros lacked align_val_t overloads.

[skip size check]
[skip size check]
@Jarred-Sumner Jarred-Sumner merged commit acf96b0 into claude/webkit-upgrade-51cc3feb7298 Jun 12, 2026
77 checks passed
@Jarred-Sumner Jarred-Sumner deleted the claude/webkit-upgrade-24362e675175 branch June 12, 2026 02:21