Upgrade WebKit to b5ba38a21e17 #32414

Merged
dylan-conway merged 2 commits into main from claude/webkit-upgrade-b5ba38a21e17
Jun 16, 2026
@Jarred-Sumner

@Jarred-Sumner Jarred-Sumner commented Jun 16, 2026

Collaborator

Merges upstream WebKit b5ba38a21e17 into oven-sh/WebKit@09f04cd5a489.

Bun-side changes

  • NodeVM.cpp: compare against vm.propertyNames->globalThis (added to CommonIdentifiers in the fork) instead of allocating uid()->utf8(). Upstream's new operator==(CString, ASCIILiteral) overload made the old comparison ambiguous.

Note

CI will fail until the autobuild-09f04cd5a489b7c0b44aed255bfafce2a316eada release finishes building.

Notable JSC changes

Spec compliance / correctness

RegExp / Yarr

JIT / optimizer

Temporal

Wasm

Runtime / memory

WTF / bmalloc

Other

  • Build: Swift support in JSC for non-Production builds; CMake parallelizes LowLevelInterpreterLib; CMake codesigns JSC binaries; InlineCacheHandler static_assert fix for Windows ARM64
  • Header / include hygiene and build-speed cleanups (centralized #includes, IWYU, inlines moved out of headers)
  • Minor refactors: drop unnecessary std::optional initializers in JSC; libpas xctest timeout bump
  • Feature-flag / WebCore-adjacent toggles touching WTF (object-view-box, Close Watcher, partitioned cookies, Spatial Backdrop removal, etc.) — not relevant to Bun

- Bump WEBKIT_VERSION to oven-sh/WebKit@09f04cd5a489 (merges upstream b5ba38a21e17)
- NodeVM: compare against vm.propertyNames->globalThis instead of allocating utf8(); the new CString==ASCIILiteral overload made the old comparison ambiguous
@robobun

robobun commented Jun 16, 2026

Collaborator
Updated 2:32 PM PT - Jun 16th, 2026

@Jarred-Sumner, your commit 0e5f9a062baa7f16c9c171252a9827ca677bd902 passed in Build #62871! 🎉


🧪   To try this PR locally:

bunx bun-pr 32414

That installs a local version of the PR into your bun-32414 executable, so you can run:

bun-32414 --bun

@coderabbitai

coderabbitai Bot commented Jun 16, 2026

Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3d90e861-fbb4-45d7-82f4-e724c894efe1

📥 Commits

Reviewing files that changed from the base of the PR and between 62cc078 and 4e4cc4c.

📒 Files selected for processing (2)
  • scripts/build/deps/webkit.ts
  • src/jsc/bindings/NodeVM.cpp

Walkthrough

The PR bumps the default WEBKIT_VERSION commit hash in the build script and changes two globalThis property-name comparisons in NodeVM.cpp from UTF-8 string equality checks to JSC interned property name identifier comparisons (vm.propertyNames->globalThis).

Changes

WebKit Version Bump

| Layer / File(s) | Summary |
| --- | --- |
| WEBKIT_VERSION hash update (scripts/build/deps/webkit.ts) | WEBKIT_VERSION constant is updated from 9cb85a0716065c461bea14a0de9fe7139e5323aa to 09f04cd5a489b7c0b44aed255bfafce2a316eada, changing the default WebKit revision used when --webkit-version is not supplied. |

NodeVM globalThis Identifier Comparison

| Layer / File(s) | Summary |
| --- | --- |
| globalThis detection via interned property name (src/jsc/bindings/NodeVM.cpp) | In both NodeVMSpecialSandbox::getOwnPropertySlot (line 940) and NodeVMGlobalObject::getOwnPropertySlot (line 966), the globalThis property check is replaced from propertyName.uid()->utf8() == "globalThis" to propertyName == vm.propertyNames->globalThis, using JSC's interned identifier instead of a UTF-8 string comparison. |

Possibly related PRs

  • oven-sh/bun#31796: Directly updates the same WEBKIT_VERSION export in scripts/build/deps/webkit.ts as part of a WebKit upgrade.
  • oven-sh/bun#31724: Also bumps the WEBKIT_VERSION commit hash in scripts/build/deps/webkit.ts.
  • oven-sh/bun#31169: Updates the same WEBKIT_VERSION constant to a new WebKit commit hash for the default prebuilt selection.
🚥 Pre-merge checks | ✅ 2 | ❌ 2

❌ Failed checks (2 warnings)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Title check | ⚠️ Warning | The title mentions upgrading WebKit but references commit b5ba38a21e17, while the actual WEBKIT_VERSION change is to commit 09f04cd5a489b7c0b44aed255bfafce2a316eada, creating a mismatch with the implementation. | Update the title to reference the actual WebKit commit being merged (09f04cd5a489b7c0b44aed255bfafce2a316eada), or clarify that b5ba38a21e17 is the upstream target and 09f04cd5a489 is the fork commit being merged into. |
| Description check | ⚠️ Warning | The PR description provides comprehensive details about the WebKit merge and notable changes, but does not follow the required template structure with 'What does this PR do?' and 'How did you verify your code works?' sections. | Restructure the description to include the required template sections: explicitly answer 'What does this PR do?' and 'How did you verify your code works?' as outlined in the repository template. |
✅ Passed checks (2 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Comment @coderabbitai help to get the list of available commands and usage tips.

@claude claude Bot left a comment

Contributor

The Bun-side changes look correct (the vm.propertyNames->globalThis comparison is equivalent and avoids the allocation), but since this is a JSC engine bump it should get a human sign-off once CI is green on the new autobuild.

Extended reasoning...

Overview

Two files changed in this repo: a WEBKIT_VERSION hash bump in scripts/build/deps/webkit.ts, and two one-line edits in src/jsc/bindings/NodeVM.cpp swapping propertyName.uid()->utf8() == "globalThis" for propertyName == vm.propertyNames->globalThis. The NodeVM change is semantically equivalent (interned-identifier pointer compare vs. allocating a CString), avoids the new upstream operator==(CString, ASCIILiteral) ambiguity, and is arguably safer since it can't accidentally match a Symbol whose description happens to be "globalThis".

Security risks

None introduced by the Bun-side diff. The upstream merge does include security-relevant JSC fixes (Yarr heap overflow, corrupted JSString from \B+unicode), but those are fixes flowing in, not new exposure.

Level of scrutiny

The in-repo diff is trivial, but the effective change is a JavaScriptCore engine upgrade — the most critical code path in the runtime. The PR description itself notes CI will fail until the autobuild-09f04cd5… release finishes building, so there's no green signal yet that the new engine passes Bun's test suite. That alone makes it inappropriate for bot auto-approval.

Other factors

No prior human reviews and no outstanding comments beyond the build-bot status. The bug-hunting pass found nothing in the Bun-side changes, which matches my read. Routine WebKit bumps like this are typically gated on CI rather than line-by-line review, so deferring until a human can confirm the build/test results is the right call.
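
A toy model of the comparison change discussed in the review above, as an added example that is not Bun or WebKit code. `Impl`, `AtomTable` and the helper names are hypothetical stand-ins for JSC's interned property keys; the sample keys are constructed. It shows the text comparison matching a symbol whose description is "globalThis" while the interned-pointer comparison does not.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <unordered_map>
#include <vector>

// Toy stand-in (assumption) for a property key: identifier text or a symbol's description.
struct Impl { std::string text; bool isSymbol; };

// Toy atom table: equal identifier text always yields the same Impl*.
class AtomTable {
public:
    const Impl* intern(const std::string& s) {
        auto it = atoms_.find(s);
        if (it == atoms_.end())
            it = atoms_.emplace(s, std::make_unique<Impl>(Impl{s, false})).first;
        return it->second.get();
    }
    // Symbols are never interned: every call creates a distinct key object.
    const Impl* makeSymbol(const std::string& description) {
        symbols_.push_back(std::make_unique<Impl>(Impl{description, true}));
        return symbols_.back().get();
    }
private:
    std::unordered_map<std::string, std::unique_ptr<Impl>> atoms_;
    std::vector<std::unique_ptr<Impl>> symbols_;
};

// Old shape: copy the key's text out and compare bytes (allocates, ignores key kind).
bool matchesByText(const Impl* key) { return std::string(key->text) == "globalThis"; }

// New shape: pointer equality against the pre-interned common identifier.
bool matchesByIdentity(const Impl* key, const Impl* common) { return key == common; }

struct Result { bool textHit; bool identityHit; };

Result check(AtomTable& t, const Impl* key) {
    return { matchesByText(key), matchesByIdentity(key, t.intern("globalThis")) };
}

// Constructed sample keys: the string key, a symbol with the same description, another string.
Result stringKey() { AtomTable t; return check(t, t.intern("globalThis")); }
Result symbolKey() { AtomTable t; return check(t, t.makeSymbol("globalThis")); }
Result otherKey()  { AtomTable t; return check(t, t.intern("global")); }

int main() {
    Result r[] = { stringKey(), symbolKey(), otherKey() };
    for (const Result& x : r) std::printf("text=%d identity=%d\n", x.textHit, x.identityHit);
}
```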

@github-actions

Contributor

Found 8 issues this PR may fix:

  1. SEGV after upgrading to 1.3.13 #29547 - SEGV in RegExpInlines.h during regex operations — the Yarr heap overflow fix for duplicate named capture groups is a direct candidate for this crash
  2. Regex with unicode property behaves differently on certain CJK strings #24457 - Regex with unicode property behaves differently on CJK strings — the Yarr JIT fix for \B + unicode + surrogate producing corrupted JSString matches CJK supplementary-plane surrogate pair handling
  3. Object.seal is extremely slow when applying it in big array or object #6360 - Object.seal extremely slow on big arrays/objects — the fix that reifies lazy/special properties before freezing/sealing directly addresses this
  4. Overriding Array.prototype[Symbol.iterator] with typed array logic causes RangeError in Bun #20345 - Overriding Array.prototype[Symbol.iterator] causes RangeError — the DFG/FTL Spread runtime structure check fix addresses stale fast-path structure assumptions
  5. String.raw Iterator encoding error #18115 - String.raw iterator encoding error with non-ASCII — the new DFG node for StringIteratorPrototype.next and observable side-effect fixes are relevant
  6. Some legacy time zone IDs not supported in Intl.DateTimeFormat on Linux #30618 - Legacy time zone IDs not supported in Intl.DateTimeFormat on Linux — the Temporal ICU UCalendar cache-per-TimeZoneID change may resolve alias resolution
  7. Number map keys are truncated to int32 in canary #31080 - Number map keys truncated to int32 in canary — the relanded backward-liveness MovHint removal touches value representation in DFG IR
  8. [1.3.14] ESM TDZ error when importing Lexical React modules that re-export through top-level await #30634 - ESM TDZ error importing modules with top-level await — the fix for for-of over closure-captured const bindings reaching DFG/FTL is relevant

If this is helpful, copy the block below into the PR description to auto-close these issues on merge.

Fixes #29547
Fixes #24457
Fixes #6360
Fixes #20345
Fixes #18115
Fixes #30618
Fixes #31080
Fixes #30634

🤖 Generated with Claude Code

@github-actions

Contributor

This PR may be a duplicate of:

  1. Bump WebKit to 6d586e293f #31706 - Also bumps WEBKIT_VERSION in scripts/build/deps/webkit.ts (to a different WebKit commit 6d586e293f)
  2. Bump WebKit: align V8 heap snapshot output with Chrome DevTools expectations #29557 - Also bumps WEBKIT_VERSION in scripts/build/deps/webkit.ts (to WebKit commit b173a72ad722, aligning V8 heap snapshot output)

🤖 Generated with Claude Code

@claude claude Bot left a comment

Contributor

The Bun-side changes look correct (the PropertyName == vm.propertyNames->globalThis comparison is the idiomatic JSC pattern and strictly better than the old uid()->utf8() allocation), but deferring since a JSC engine upgrade is inherently high-impact and should land with human sign-off once CI is green across platforms.

Extended reasoning...

Overview

This PR bumps WEBKIT_VERSION in scripts/build/deps/webkit.ts to pull in a new oven-sh/WebKit build (merging upstream WebKit b5ba38a21e17), and adjusts two property-name comparisons in src/jsc/bindings/NodeVM.cpp from propertyName.uid()->utf8() == "globalThis" to propertyName == vm.propertyNames->globalThis. The Bun-side diff is 3 lines.

Correctness of the NodeVM.cpp change

The new form is the standard JSC idiom: PropertyName::operator==(const Identifier&) compares interned UniquedStringImpl* pointers, so this is a cheap pointer-equality check against the CommonIdentifiers entry rather than allocating a CString. It is semantically equivalent to the old string comparison for the public "globalThis" identifier, and it resolves the overload ambiguity introduced by upstream's new operator==(CString, ASCIILiteral). No behavior change expected here.

Security risks

The Bun-side diff itself introduces no new security surface. However, the WebKit bump pulls in upstream changes that are security-relevant (e.g., the Yarr heap-overflow fix for duplicate named capture groups, and the Yarr JIT \B+unicode corruption fix). Those are fixes rather than regressions, but they underscore that this is a JS-engine-level change.

Level of scrutiny

Although the visible diff is tiny and mechanical, the effective change is a JavaScriptCore engine upgrade spanning JIT/DFG optimizer changes, Yarr, Temporal/ICU caching, libpas, and Wasm BBQ JIT. That is core, production-critical code where regressions surface as crashes or subtle JS semantics changes. WebKit-bump PRs in this repo are routine, but they're routinely gated on full multi-platform CI and a maintainer's eye — not something a bot should rubber-stamp, especially while the autobuild release (and therefore CI) is still pending.

Other factors

  • No bugs were found by the bug-hunting system.
  • No prior claude[bot] reviews on this PR.
  • No outstanding human reviewer comments.
  • CI is expected to fail until the autobuild-09f04cd5... WebKit release finishes; merging should wait on green CI regardless.

@dylan-conway dylan-conway merged commit 91ce3b4 into main Jun 16, 2026
78 checks passed
@dylan-conway dylan-conway deleted the claude/webkit-upgrade-b5ba38a21e17 branch June 16, 2026 22:31
robobun added a commit that referenced this pull request Jun 16, 2026
The WebKit upgrade in #32414 changed JSPromise::reject to the 2-arg
reject(VM&, JSValue) form. Update the unsupported-import-attribute
rejection site to match. Still a plain reject (not rejectAsHandled), so
unhandledRejection keeps firing per the regression test.
robobun added a commit that referenced this pull request Jun 17, 2026
The WebKit upgrade in #32414 changed JSPromise::reject to the 2-arg
reject(VM&, JSValue) form. Update the unsupported-import-attribute
rejection site to match. Still a plain reject (not rejectAsHandled), so
unhandledRejection keeps firing per the regression test.
robobun added a commit that referenced this pull request Jun 18, 2026
The WebKit upgrade in #32414 changed JSPromise::reject to the 2-arg
reject(VM&, JSValue) form. Update the unsupported-import-attribute
rejection site to match. Still a plain reject (not rejectAsHandled), so
unhandledRejection keeps firing per the regression test.
robobun added a commit that referenced this pull request Jun 19, 2026
The WebKit upgrade in #32414 changed JSPromise::reject to the 2-arg
reject(VM&, JSValue) form. Update the unsupported-import-attribute
rejection site to match. Still a plain reject (not rejectAsHandled), so
unhandledRejection keeps firing per the regression test.