This Week in WebKit — May 16 - May 22, 2026

DFGValueRepReductionPhase lowers MultiGetByOffset nodes into unboxed double chains when the use site demands DoubleRepUse, reading the IC's per-case constants directly. But the IC's structure observation and the value profile's type prediction are populated by independent streams that can disagree. When a case slot held a Constant:Function inherited from the prototype while the profile predicted Number, the function-cell bit pattern was reinterpreted as an IEEE-754 double inside FTL-compiled code. That is the canonical seed for the JSC type-confusion-to-R/W escalation path.

TC39's Deferred Module Evaluation separates module linking from execution: import.defer(specifier) loads the whole graph, evaluates only the transitive top-level-await dependencies, and hands back a namespace proxy whose body only runs on the first non-Symbol property access. The dynamic form reuses JSPromiseCombinatorsGlobalContext as an AND-join counter cell across two new internal microtasks, with the spec constraint that .then must never be looked up on the dependency promises. The importPhase value threads through five layers — JSGlobalObjectFunctions, JSModuleLoader, ScriptModuleLoader, JSDOMGlobalObject, JSAPIGlobalObject — and any defaulting or wrong forward silently executes a module that should remain deferred.

Gigacage's Primitive region is meant for user payloads — TypedArray storage, ArrayBuffer contents — so that a write primitive constrained to the cage cannot escape it. ScopedArgumentsTable's m_arguments held ScopeOffset values, the indices that map named arguments to slots in JSLexicalEnvironment::variables(), in that very cage. A Primitive-cage write primitive could therefore overwrite a ScopeOffset and convert it into an unchecked index into a lexical environment — an OOB read/write the cage was supposed to prevent. The fix moves the table to a plain Vector and quietly drops a stale resize() that had been mutating a 'locked' (immutable) table.

A prior change introduced a slow path through operationSpreadSet for Sets that no longer carry the original structure, walking the full JS iterator protocol — including any Symbol.iterator the user installed. The abstract interpreter was never updated: it kept calling didFoldClobberWorld() for every SetObjectUse, declaring the spread free of observable effects. A user iterator that calls Object.defineProperty on a live object during [...set] could therefore transition structures the AI still considered proven. Downstream GetByOffset reads at folded-away CheckStructure sites then read slots at the wrong type.

Under Site Isolation each cross-origin iframe lives in its own WebContent process, and Network.getResponseBody — historically a synchronous CachedResource lookup — could no longer reach them. This commit introduces BackendResourceDataStore in every WebProcess to buffer inspector response bodies, promotes the protocol method to async, and adds UIProcess routing in ProxyingNetworkAgent that parses a frontend-supplied requestId to pick a destination WebProcess. The commit itself FIXMEs that reverse-parsing of frontend-controlled strings is the weak link.