Switch Linux LTO builds to ThinLTO (stacked on #244)

[dylan-conway]

Switches the Linux LTO build variants (glibc and musl, all arches) from -flto=full to ThinLTO, mirroring the exact flag set the macOS and Windows ThinLTO lanes already use: -flto=thin -fno-split-lto-unit -fwhole-program-vtables -fforce-emit-vtables. Also switches the ICU build flags in build.ts from full to thin so the link doesn't mix a serial full-LTO partition into an otherwise ThinLTO build.

Why now

#208 tried this and was closed: ThinLTO on Linux exploited undefined double→int conversions in JSC and miscompiled the overflow guards (visible symptom: parseInt("80000000", 16) returning a sign-wrapped negative int32 once call sites tiered up). #244 fixes that entire class at the source (7 sites made defined-behavior). This branch is stacked on #244 to test whether those fixes were the only thing blocking ThinLTO on Linux.

Differences from #208

• Adds -fno-split-lto-unit (the macOS/Windows thin lanes use it; Switch from full LTO to ThinLTO #208 predated them)
• Applied to the current matrix from Cross-compile the Windows JSC artifacts on Linux, add LTO variants #239: 6 Linux lto_flag entries + both Dockerfile LTO_FLAG defaults + 4 ICU flags in build.ts; no -flto=full remains anywhere

Validation

• CI: all Linux LTO lanes must go green
• The stress tests from the parseInt investigation (dfg-parseIntResult-should-not-wrap-above-int32.js, switch-imm-scrutinee-above-int32.js) are the regression check for the original miscompile — run them against the ThinLTO artifacts (manually until the stress-test workflow from Run JSC stress tests on PRs #243 lands)
• Before shipping prebuilts from this config, run the original parseInt repro loop on linux-x64 against the new artifact

Stacked on #244 — contains its commits; rebase or merge after #244 lands.

[coderabbitai]

Walkthrough

This PR makes two independent updates: build infrastructure configuration switches from full LTO to ThinLTO compilation across workflows and Dockerfiles, and JavaScriptCore numeric conversions are refactored to use dedicated truncation functions instead of direct C++ casts, with improved argument validation semantics in number formatting.

Changes

ThinLTO Configuration Across Build Infrastructure

Layer / File(s)	Summary
ThinLTO flag updates in all build configurations .github/workflows/build-reusable.yml, Dockerfile, Dockerfile.musl, build.ts	LTO_FLAG defaults change from -flto=full to -flto=thin with supporting vtable flags (-fno-split-lto-unit, -fwhole-program-vtables, -fforce-emit-vtables) in workflow matrix variants, Docker build arguments, and TypeScript build flags for Windows and non-Windows targets.

JavaScriptCore Numeric Conversion Semantics

Layer / File(s)	Summary
Replace direct casts with truncation functions in conversion paths Source/JavaScriptCore/dfg/DFGOperations.cpp, Source/JavaScriptCore/llint/LLIntSlowPaths.cpp, Source/JavaScriptCore/runtime/JSCJSValue.h, Source/JavaScriptCore/runtime/LiteralParser.cpp, Source/JavaScriptCore/runtime/StringConstructor.cpp	Core numeric conversion paths replace direct C++ static_cast with truncateDoubleToInt32, truncateDoubleToUint32, and clampTo<unsigned> functions to explicitly control conversion semantics in DFG operations, switch statement matching, JSValue type conversion, JSONP array index parsing, and code point construction.
Fix numeric argument validation with proper conversion order Source/JavaScriptCore/inspector/JSInjectedScriptHost.cpp, Source/JavaScriptCore/runtime/NumberPrototype.cpp	Snapshot sizing functions and number formatting methods now validate arguments by checking double/numeric bounds before casting to integer types; unsafe conversions use clamping functions for safe unsigned conversion.

Possibly related PRs

• oven-sh/WebKit#239: Both modify the same workflow file to configure LTO variants; the related PR adds Windows cross-compilation artifacts with full LTO while this PR switches builds to ThinLTO.

🚥 Pre-merge checks | ✅ 3 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The PR description is comprehensive and detailed. It explains the motivation, references prior attempts and related PRs, describes differences from previous work, and provides validation steps. However, it does not follow the WebKit template format (bug reference, Bugzilla link, commit message structure).	Consider adding a Bugzilla bug reference and link at the beginning, and formatting as a proper commit message following the WebKit template guidelines.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: switching Linux LTO builds to ThinLTO, and notes it is stacked on #244.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

Source/JavaScriptCore/runtime/NumberPrototype.cpp (1)

441-444: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Apply the same UB fix to toFixed for consistency.

The toFixed function still uses the old pattern where toIntegerOrInfinity is cast to int before range validation. If the argument converts to ±Infinity, the static_cast<int> on line 441 exhibits undefined behavior before the range check on line 443 can reject it.

The same fix applied to toExponential and toPrecision should be applied here: store the result in a double, validate the range on the double, then cast to int.

🔧 Proposed fix matching toExponential/toPrecision pattern

-    int decimalPlaces = static_cast<int>(callFrame->argument(0).toIntegerOrInfinity(globalObject));
+    double decimalPlacesDouble = callFrame->argument(0).toIntegerOrInfinity(globalObject);
     RETURN_IF_EXCEPTION(scope, { });
-    if (decimalPlaces < 0 || decimalPlaces > 100)
+    if (decimalPlacesDouble < 0 || decimalPlacesDouble > 100)
         return throwVMRangeError(globalObject, scope, "toFixed() argument must be between 0 and 100"_s);
+    int decimalPlaces = static_cast<int>(decimalPlacesDouble);

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Source/JavaScriptCore/runtime/NumberPrototype.cpp` around lines 441 - 444,
The toFixed implementation in NumberPrototype.cpp currently casts
callFrame->argument(0).toIntegerOrInfinity(globalObject) directly to int
(static_cast<int>) which UB if the value is ±Infinity; change it to first store
the result in a double (e.g. double decimalPlacesDouble =
callFrame->argument(0).toIntegerOrInfinity(globalObject)), check for exceptions,
validate the double is within 0..100 (and not ±Infinity) and only then cast to
int (int decimalPlaces = static_cast<int>(decimalPlacesDouble)); update
references to decimalPlaces accordingly in the toFixed function to match the
toExponential/toPrecision pattern.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@build.ts`:
- Around line 197-198: The Windows LTO flags in the build config are incomplete:
update the CMake flag strings for CMAKE_C_FLAGS and CMAKE_CXX_FLAGS so they
match the workflow by using the /clang: prefixed ThinLTO flags and include
-fno-split-lto-unit; specifically replace the "-flto=thin" entry in the
CMAKE_C_FLAGS string and the "/clang:-fno-c++-static-destructors -flto=thin"
portion in the CMAKE_CXX_FLAGS string with "/clang:-flto=thin
/clang:-fno-split-lto-unit" (keeping existing tokens like
/DU_STATIC_IMPLEMENTATION and /clang:-fno-c++-static-destructors) so local
Windows builds use the same "/clang:-flto=thin /clang:-fno-split-lto-unit" flags
as CI.
- Around line 203-204: Update the non-Windows CMake LTO flags so they match
CI/Docker configuration: replace the current "-DCMAKE_C_FLAGS=-flto=thin" and
"-DCMAKE_CXX_FLAGS=-flto=thin" entries with flags that include "-flto=thin
-fno-split-lto-unit -fwhole-program-vtables -fforce-emit-vtables"; ensure you
change both the C and CXX flag strings in the same place where these options are
added so local non-Windows builds use the identical LTO settings as CI.

In `@Dockerfile`:
- Line 4: The ARG LTO_FLAG value contains a trailing space; update the
Dockerfile ARG LTO_FLAG definition to remove the trailing whitespace from the
flag string (the symbol to change is ARG LTO_FLAG) so the value ends with
"-fforce-emit-vtables" without the extra space.

In `@Dockerfile.musl`:
- Line 4: The ARG LTO_FLAG value in Dockerfile.musl contains a trailing space;
remove the trailing space from the string assigned to ARG LTO_FLAG (the
"-flto=thin -fno-split-lto-unit -fwhole-program-vtables -fforce-emit-vtables "
value) so the flag list is clean and consistent while keeping the same flags and
spacing between them.

---

Outside diff comments:
In `@Source/JavaScriptCore/runtime/NumberPrototype.cpp`:
- Around line 441-444: The toFixed implementation in NumberPrototype.cpp
currently casts callFrame->argument(0).toIntegerOrInfinity(globalObject)
directly to int (static_cast<int>) which UB if the value is ±Infinity; change it
to first store the result in a double (e.g. double decimalPlacesDouble =
callFrame->argument(0).toIntegerOrInfinity(globalObject)), check for exceptions,
validate the double is within 0..100 (and not ±Infinity) and only then cast to
int (int decimalPlaces = static_cast<int>(decimalPlacesDouble)); update
references to decimalPlaces accordingly in the toFixed function to match the
toExponential/toPrecision pattern.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 9e5b66ab-7ae1-4f14-900b-ee7ba3490247

📥 Commits

Reviewing files that changed from the base of the PR and between 48460d8 and 499040f.

📒 Files selected for processing (11)

• .github/workflows/build-reusable.yml
• Dockerfile
• Dockerfile.musl
• Source/JavaScriptCore/dfg/DFGOperations.cpp
• Source/JavaScriptCore/inspector/JSInjectedScriptHost.cpp
• Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
• Source/JavaScriptCore/runtime/JSCJSValue.h
• Source/JavaScriptCore/runtime/LiteralParser.cpp
• Source/JavaScriptCore/runtime/NumberPrototype.cpp
• Source/JavaScriptCore/runtime/StringConstructor.cpp
• build.ts

💤 Files with no reviewable changes (1)

• Source/JavaScriptCore/dfg/DFGOperations.cpp

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Incomplete ThinLTO flags for Windows.

The Windows LTO configuration is missing flags compared to the workflow configuration. The workflow uses /clang:-flto=thin /clang:-fno-split-lto-unit (lines 185, 205 of the workflow file), but this uses only -flto=thin without the /clang: prefix or -fno-split-lto-unit.

This inconsistency means local Windows LTO builds will differ from CI builds, potentially missing the benefits of -fno-split-lto-unit that the PR objectives specifically mention adding.

🔧 Proposed fix to match workflow configuration

       flags.push(
-          "-DCMAKE_C_FLAGS=/DU_STATIC_IMPLEMENTATION -flto=thin",
-          "-DCMAKE_CXX_FLAGS=/DU_STATIC_IMPLEMENTATION /clang:-fno-c++-static-destructors -flto=thin",
+          "-DCMAKE_C_FLAGS=/DU_STATIC_IMPLEMENTATION /clang:-flto=thin /clang:-fno-split-lto-unit",
+          "-DCMAKE_CXX_FLAGS=/DU_STATIC_IMPLEMENTATION /clang:-fno-c++-static-destructors /clang:-flto=thin /clang:-fno-split-lto-unit",
           "-DCMAKE_MSVC_RUNTIME_LIBRARY=MultiThreaded"
         );

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	"-DCMAKE_C_FLAGS=/DU_STATIC_IMPLEMENTATION -flto=thin",
	"-DCMAKE_CXX_FLAGS=/DU_STATIC_IMPLEMENTATION /clang:-fno-c++-static-destructors -flto=thin",
	flags.push(
	"-DCMAKE_C_FLAGS=/DU_STATIC_IMPLEMENTATION /clang:-flto=thin /clang:-fno-split-lto-unit",
	"-DCMAKE_CXX_FLAGS=/DU_STATIC_IMPLEMENTATION /clang:-fno-c++-static-destructors /clang:-flto=thin /clang:-fno-split-lto-unit",
	"-DCMAKE_MSVC_RUNTIME_LIBRARY=MultiThreaded"
	);

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build.ts` around lines 197 - 198, The Windows LTO flags in the build config
are incomplete: update the CMake flag strings for CMAKE_C_FLAGS and
CMAKE_CXX_FLAGS so they match the workflow by using the /clang: prefixed ThinLTO
flags and include -fno-split-lto-unit; specifically replace the "-flto=thin"
entry in the CMAKE_C_FLAGS string and the "/clang:-fno-c++-static-destructors
-flto=thin" portion in the CMAKE_CXX_FLAGS string with "/clang:-flto=thin
/clang:-fno-split-lto-unit" (keeping existing tokens like
/DU_STATIC_IMPLEMENTATION and /clang:-fno-c++-static-destructors) so local
Windows builds use the same "/clang:-flto=thin /clang:-fno-split-lto-unit" flags
as CI.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Incomplete ThinLTO flags for non-Windows platforms.

The non-Windows LTO configuration is missing flags compared to the Dockerfile and workflow configurations. Those use -flto=thin -fno-split-lto-unit -fwhole-program-vtables -fforce-emit-vtables, but this uses only -flto=thin.

The PR objectives specifically mention adding -fno-split-lto-unit as a key difference from the previous attempt, but it's missing here. This inconsistency means local non-Windows LTO builds will differ from CI builds.

🔧 Proposed fix to match Dockerfile configuration

       } else {
         flags.push(
-          "-DCMAKE_C_FLAGS=-flto=thin",
-          "-DCMAKE_CXX_FLAGS=-flto=thin"
+          "-DCMAKE_C_FLAGS=-flto=thin -fno-split-lto-unit -fwhole-program-vtables -fforce-emit-vtables",
+          "-DCMAKE_CXX_FLAGS=-flto=thin -fno-split-lto-unit -fwhole-program-vtables -fforce-emit-vtables"
         );

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	"-DCMAKE_C_FLAGS=-flto=thin",
	"-DCMAKE_CXX_FLAGS=-flto=thin"
	} else {
	flags.push(
	"-DCMAKE_C_FLAGS=-flto=thin -fno-split-lto-unit -fwhole-program-vtables -fforce-emit-vtables",
	"-DCMAKE_CXX_FLAGS=-flto=thin -fno-split-lto-unit -fwhole-program-vtables -fforce-emit-vtables"
	);

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build.ts` around lines 203 - 204, Update the non-Windows CMake LTO flags so
they match CI/Docker configuration: replace the current
"-DCMAKE_C_FLAGS=-flto=thin" and "-DCMAKE_CXX_FLAGS=-flto=thin" entries with
flags that include "-flto=thin -fno-split-lto-unit -fwhole-program-vtables
-fforce-emit-vtables"; ensure you change both the C and CXX flag strings in the
same place where these options are added so local non-Windows builds use the
identical LTO settings as CI.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial | 💤 Low value

Minor: trailing space in flag string.

The flag string has a trailing space. This is harmless but could be cleaned up for consistency.

✨ Proposed cleanup

-ARG LTO_FLAG="-flto=thin -fno-split-lto-unit -fwhole-program-vtables -fforce-emit-vtables "
+ARG LTO_FLAG="-flto=thin -fno-split-lto-unit -fwhole-program-vtables -fforce-emit-vtables"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	ARG LTO_FLAG="-flto=thin -fno-split-lto-unit -fwhole-program-vtables -fforce-emit-vtables "
	ARG LTO_FLAG="-flto=thin -fno-split-lto-unit -fwhole-program-vtables -fforce-emit-vtables"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` at line 4, The ARG LTO_FLAG value contains a trailing space;
update the Dockerfile ARG LTO_FLAG definition to remove the trailing whitespace
from the flag string (the symbol to change is ARG LTO_FLAG) so the value ends
with "-fforce-emit-vtables" without the extra space.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial | 💤 Low value

Minor: trailing space in flag string.

The flag string has a trailing space. This is harmless but could be cleaned up for consistency.

✨ Proposed cleanup

-ARG LTO_FLAG="-flto=thin -fno-split-lto-unit -fwhole-program-vtables -fforce-emit-vtables "
+ARG LTO_FLAG="-flto=thin -fno-split-lto-unit -fwhole-program-vtables -fforce-emit-vtables"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	ARG LTO_FLAG="-flto=thin -fno-split-lto-unit -fwhole-program-vtables -fforce-emit-vtables "
	ARG LTO_FLAG="-flto=thin -fno-split-lto-unit -fwhole-program-vtables -fforce-emit-vtables"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile.musl` at line 4, The ARG LTO_FLAG value in Dockerfile.musl
contains a trailing space; remove the trailing space from the string assigned to
ARG LTO_FLAG (the "-flto=thin -fno-split-lto-unit -fwhole-program-vtables
-fforce-emit-vtables " value) so the flag list is clean and consistent while
keeping the same flags and spacing between them.

[github-actions]

Preview Builds

Commit	Release	Date
499040f7	autobuild-preview-pr-246-499040f7	2026-06-02 04:26:12 UTC

[Jarred-Sumner]

Tested in bun — the parseInt fix is not sufficient; closing for now (2026-06-02)

Tested end-to-end via oven-sh/bun#31705: bun pinned to autobuild-preview-pr-246-499040f7 with the bun side switched to ThinLTO on linux to match (-flto=thin, -fno-split-lto-unit, --lto-whole-program-visibility, per-CGU Rust bitcode).

The DFG-tier miscompile this PR aimed to unblock is still present on linux-x64 glibc: bun -e 'require("axobject-query")' throws TypeError: undefined is not an object (evaluating 'def.relatedConcepts'). BUN_JSC_useDFGJIT=0 and BUN_JSC_useJIT=0 make it pass; BUN_JSC_useFTLJIT=0 alone does not — same tier signature as before this PR's fix. So the int32 parseInt UB was not the (only) root cause of the linux ThinLTO miscompile.

Also: the aarch64-musl bun link segfaulted in rust-lld once per-CGU ThinLTO Rust bitcode rejoined the link (the old globalopt-crash shape) — bun gated cross-language LTO off on musl as a workaround.

For the next attempt: the failure persists at every LTO opt level above --lto-O0, with cross-module importing disabled, ICF and WPD ruled out — so the suspect is the per-module ThinLTO backend pipeline on the JSC side (DFG TUs first). Plan: -opt-bisect-limit through the thin backends or --save-temps + diff full-vs-thin post-opt bitcode on suspect modules, and retry on a newer LLVM. The UB fix itself (parseInt result int32 handling) is still worth landing independently — it's real UB even if it isn't this miscompile.