Root BuildMessage cells on the stack in Log.to_js

[robobun]

What does this PR do?

Fixes a GC crash when Bun.Transpiler().transform() rejects with multiple parse errors.

Log.to_js builds an AggregateError by allocating one BuildMessage/ResolveMessage JS cell per log entry. The Rust port collected those cells in a heap Vec<JSValue>:

let mut errors_stack: Vec<JSValue> = Vec::with_capacity(count);
for msg in &msgs[0..count] {
    errors_stack.push(msg_to_js(msg, global)?);
}

Only the Vec header is on the stack, so the conservative GC scan does not see the cell pointers stored in the heap buffer. Allocating the second BuildMessage can trigger a collection that sweeps the first one, and create_aggregate_error then hands the collector a zapped StructureID (ASSERTION FAILED: decontaminate() under debug WebKit; SEGV in SlotVisitor::visitChildren on release).

The Zig spec (logger_jsc.zig:44) used a stack [256]JSValue precisely so the scan keeps every cell rooted. This change restores that.

Fuzzilli fingerprint: 824b56d2fb4455bf — the fuzzer hit a variant of this via the TransformTask.then → log.toJS path.

How did you verify your code works?

Added test/js/bun/transpiler/transpiler-async-error-uaf.test.ts, which queues 500 failing async transform() calls and asserts the rejection carries the right nested error text.

• Debug/ASAN before fix: ~65% of runs (13/20) hit ASSERTION FAILED: decontaminate(); after: 30/30 pass.
• Release before fix at 20 k iterations: 9/10 runs SEGV in SlotVisitor::visitChildren; after: 10/10 pass.
• Existing test/js/bun/transpiler/ and test/bundler/transpiler/transpiler.test.js suites still pass.

[robobun]

^{Updated 1:05 PM PT - May 23rd, 2026}

❌ @robobun, your commit 8ddc9ac has 1 failures in Build #57343 (All Failures):

• test/regression/issue/8254.test.ts - SIGKILL on 🐧 25.04 x64
• test/regression/issue/8254.test.ts - SIGKILL on 🐧 13 x64
• test/regression/issue/8254.test.ts - SIGKILL on 🐧 13 x64-baseline
• test/regression/issue/8254.test.ts - SIGKILL on 🐧 25.04 x64-baseline

---

🧪   To try this PR locally:

bunx bun-pr 30671

That installs a local version of the PR into your bun-30671 executable, so you can run:

bun-30671 --bun

[coderabbitai]

Walkthrough

This PR deep-clones buffered transpiler log messages from a temporary MimallocArena into the default allocator before the arena is freed, and adds a regression test that repeatedly calls Bun.Transpiler().transform() with parse errors and asserts the final rejection and nested error message.

Changes

Async Transpiler Log Memory Safety Fix

Layer / File(s)

Summary

Deep-clone log messages and regression test src/runtime/api/JSTranspiler.zig, test/js/bun/transpiler/transpiler-async-error-uaf.test.ts

TransformTask.run adds a defer that deep-clones each this.log.msgs entry to bun.default_allocator before the local MimallocArena is deinitialized so JS-thread then() can safely read messages. A new regression test repeatedly invokes Bun.Transpiler().transform() with invalid syntax, yields to the event loop, collects the last rejection, and asserts the top-level AggregateError message "Transform failed" and the first nested error 'Expected ";" but found "b"'.

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Title check	✅ Passed	The title 'Root BuildMessage cells on the stack in Log.to_js' directly references the technical fix implemented in the PR, which involves storing BuildMessage cells on the stack instead of in a heap Vec to ensure they remain visible to the GC.
Description check	✅ Passed	The description provides both required sections: 'What does this PR do?' clearly explains the GC crash fix with technical context and code examples, and 'How did you verify your code works?' describes testing across debug/ASAN/release builds with concrete pass rates.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/js/bun/transpiler/transpiler-async-error-uaf.test.ts`:
- Around line 10-19: The test fires 500 async Bun.Transpiler().transform(...)
calls but never awaits them, causing flakiness; modify the loop to collect each
transform() Promise (e.g., push to an array) instead of just attaching a .catch
and then await Promise.all(...) on that array (after the loop and any interim
setImmediate yields) so all transform() calls and their catch handlers complete
before asserting on last.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: b18aff0b-c90d-435b-b9cc-bb40e17e3995

📥 Commits

Reviewing files that changed from the base of the PR and between b8ecc78 and 4b485ec.

📒 Files selected for processing (2)

• src/runtime/api/JSTranspiler.zig
• test/js/bun/transpiler/transpiler-async-error-uaf.test.ts

[github-actions]

This PR may be a duplicate of:

1. Fix use-after-free in Bun.Transpiler.transform() error reporting #30309 - Fixes the same use-after-free of arena-allocated log messages in the async Bun.Transpiler.transform() error path by cloning before arena deallocation
2. Fix use-after-free in Bun.Transpiler async transform() errors #30263 - Addresses the identical UAF bug where error messages reference freed MimallocArena memory when the async transform promise is settled on the main thread
3. JSTranspiler: fix use-after-free of log messages in async transform() #30180 - Targets the same lifetime issue by deep-cloning log messages into bun.default_allocator before MimallocArena.deinit() in TransformTask.run()
4. Fix use-after-free in Bun.Transpiler async transform() errors #29958 - Fixes the same use-after-free where async transpiler error strings are invalidated after the thread-local arena is torn down

🤖 Generated with Claude Code

[robobun]

CI note: the only hard failure on #54236 is test/js/web/fetch/fetch-tcp-keepalive.test.ts (Expected "02", Received "00" for the SO_KEEPALIVE timer probe) on debian-13-x64-asan. That test is unrelated to this change — nothing here touches HTTP/sockets — and the same failure is currently showing on unrelated PR builds #54230, #54231, #54232, #54225, #54228. transpiler-async-error-uaf.test.ts passed on every shard.

[claude]

🟣 FYI / pre-existing: the same heap-Vec<JSValue> GC-rooting pattern this PR fixes (and now documents as broken) also exists at src/runtime/bake/production.rs:966-985 — css_chunk_js_strings: Vec<JSValue> is filled with freshly-allocated JSString cells, then six create_empty_array calls plus a per-route allocation loop run before the Vec is read at lines 1109/1127/1150, so any GC in that window can sweep the unrooted strings. Unlike here, css_chunks_count is unbounded so a stack [JSValue; 256] won't work — this needs MarkedArgumentBuffer or per-cell .protect(). Not blocking (the PR doesn't touch production.rs and the Zig spec at production.zig:541 has the same heap-alloc pattern), but worth batching with the already-flagged VirtualMachine.rs:2501 follow-up. Separately, the inline comment at src/runtime/server/mod.rs:896 claiming "the conservative GC scan reaches the heap allocation as well as the stack" is now directly contradicted by the new comment here and should be reworded (that site is incidentally safe only because the values are also stack-resident).

Extended reasoning...

What the bug is

The new comment this PR adds at lib.rs:2121-2123 documents that storing freshly-allocated JS cells in a heap Vec<JSValue> leaves them invisible to JSC's conservative stack scanner. An earlier review comment already flags src/jsc/VirtualMachine.rs:2501 as a sibling instance; another unfixed instance of the same bug class — with a substantially larger GC window — exists at src/runtime/bake/production.rs:966-1150.

The specific code path

// production.rs:966
let mut css_chunk_js_strings: Vec<JSValue> = vec![JSValue::ZERO; css_chunks_count];
...
for (output_file, str) in ... .zip(css_chunk_js_strings.iter_mut()) {
    *str = BunString::create_format(format_args!("{}{}", ...))
        .to_js(global)?;   // allocates a JSString cell
}

The fill loop (971-985) writes each BunString::create_format(...).to_js(global)? result — a freshly-allocated JSString cell — into a heap Vec slot via *str = .... The loop variable str is &mut JSValue pointing into the heap buffer, not a stack copy; the BunString temporary drops at end-of-statement, so its WTF::StringImpl's sole remaining owner is the JSString cell, and the JSString cell's sole reference lives in the malloc-heap Vec buffer.

After the fill loop, lines 989-1015 perform six consecutive JSValue::create_empty_array(global, ...) allocations, followed by a per-route loop (1018-1158) containing many more JSC allocations (create_empty_array at 1086/1087, preload_bundled_module, put_index), before css_chunk_js_strings[...] is first read at lines 1109/1127/1150.

Why existing safeguards don't help

JSC's conservative scanner walks the machine stack and registers; it sees the Vec's {ptr, len, cap} triple on the stack, but ptr points at a mimalloc allocation, not a JSC MarkedBlock, so the scanner does not follow it. There is no .protect(), no MarkedArgumentBuffer, and — unlike server/mod.rs:898 — no separate stack local that incidentally roots the cells. Contrast with the safe create_array_from_iter pattern (JSValue.rs) where each cell is immediately put_index-ed into a stack-rooted JSArray before the next allocation.

Step-by-step proof

1. A bake production / static-site build (bun build --app) produces ≥2 CSS chunks, so css_chunks_count >= 2.
2. Fill-loop iteration 0: BunString::create_format(...).to_js(global) allocates JSString cell A; *str = A stores it at css_chunk_js_strings[0] (heap). The BunString temporary drops; nothing on the stack now references A.
3. Fill-loop iteration 1: .to_js(global) allocates B. Even within the fill loop, this allocation can already trigger GC and sweep A. Either way, the loop completes with all cells rooted only by the heap Vec.
4. Line 989: create_empty_array(global, navigatable_routes.len()) allocates a JSArray. Suppose this triggers a full GC.
5. The conservative scanner walks the stack/registers, finds css_chunk_js_strings's {ptr, len, cap}, recognises ptr as non-JSC-heap, and does not follow it. A and B have no roots and are swept.
6. Lines 990-1087 perform ~7 more allocating calls; the per-route loop runs preload_bundled_module (which evaluates JS).
7. Line 1109: styles.put_index(global, css_file_count, css_chunk_js_strings[idx]) reads a zapped cell and installs it into a live JSArray → ASSERTION FAILED: decontaminate() (debug) / SEGV in SlotVisitor::visitChildren (release) — the same crash signature this PR fixes for Log::to_js.

Impact

A bun build --app / bake static-site build with multiple CSS chunks under GC pressure can crash with a zapped-StructureID assertion or segfault when populating per-route stylesheet arrays. The window is large (six guaranteed allocations plus an unbounded per-route loop including JS evaluation between fill and read), so it is more exposed than the Log::to_js instance.

Why pre-existing, not blocking

This is flagged as pre-existing rather than normal severity because: (1) the PR does not touch, call into, or otherwise interact with src/runtime/bake/production.rs (different crate, different subsystem); (2) unlike the VirtualMachine.rs:2501 sibling, this is not a Rust-port deviation — the Zig spec at production.zig:541 also heap-allocates via try allocator.alloc(JSValue, css_chunks_count), so the Rust port faithfully reproduces a latent Zig-side hazard; (3) the directly-related, in-crate, same-consumer sibling (VirtualMachine.rs:2501) is already flagged separately. It's surfaced here so it can be batched into the same follow-up.

How to fix

css_chunks_count is unbounded, so the fixed-size stack-array fix from this PR does not directly apply. Either:

• Use MarkedArgumentBuffer (already exposed at bun_jsc::MarkedArgumentBuffer) to hold the cells, or
• .protect() each cell after to_js() and unprotect via a drop guard (the VirtualMachine.rs:5840 pattern), or
• Build the strings directly into a stack-rooted JSArray via create_array_from_iter and index into that instead of a Rust Vec.

Side note: misleading comment at server/mod.rs:896

src/runtime/server/mod.rs:896-897 carries an inline comment asserting "The conservative GC scan reaches the heap allocation as well as the stack, so a small Vec is sound." That claim is directly contradicted by this PR's new lib.rs:2121-2123 comment and by the crash this PR fixes. That particular site happens to be safe — prepared.js_request and the extra_args it copies from are stack-resident — but the stated rationale is wrong and will mislead future readers into thinking heap Vec<JSValue> is generally OK. Worth correcting the comment when the follow-up lands.

[claude]

All prior feedback is addressed and the stack-array fix matches the Zig spec at both sites — looks correct to me, but since this is GC-rooting in the JSC bindings I'd like a human to give it a final glance before merge.

Extended reasoning...

Overview

Two product-code changes plus a regression test:

• src/jsc/lib.rs (Log::to_js): replace heap Vec<JSValue> with a stack [JSValue::UNDEFINED; 256] so freshly-allocated BuildMessage/ResolveMessage cells stay visible to JSC's conservative stack scanner while the loop allocates the next one.
• src/jsc/VirtualMachine.rs (process_fetch_log multi-error arm): identical fix, applied in 546cc6b after I flagged it as a sibling instance.
• test/js/bun/transpiler/transpiler-async-error-uaf.test.ts: new subprocess-based regression test using BUN_JSC_useZombieMode=1 (+ collectContinuously on non-Windows) that drives 256 BuildMessages through Log::to_js 20× and verifies none are corrupted.

Both code changes are 1:1 restorations of the Zig spec's stack [256]JSValue (logger_jsc.zig / VirtualMachine.zig), reverting a Rust-port deviation; create_aggregate_error already takes &[JSValue] so the slice-of-stack-array signature lines up.

Security risks

None. This is a GC-rooting correctness fix with no auth/crypto/permissions/input-handling surface. The 2 KiB stack array is fixed-size and bounded by min(len, 256), matching the existing Zig behaviour.

Level of scrutiny

Moderate-to-high. The change itself is small and mechanical, but it lives in memory-safety-critical JSC binding code where mistakes manifest as UAF/crashes. The fact that it restores documented Zig-spec behaviour (rather than introducing new logic) lowers the risk substantially, and the bug-hunting system found nothing on the current revision — but I'd still prefer a maintainer familiar with the Rust JSC port to confirm.

Other factors

• All earlier review threads (CodeRabbit's test-await concern; my JSTranspiler.zig leak, sibling process_fetch_log instance, and stale-description notes) are resolved. The remaining open inline is my own 🟣 FYI about production.rs, which I explicitly marked pre-existing/non-blocking and suitable for a follow-up.
• The test was rewritten (fdd51f9) to a deterministic subprocess with GC-stress env vars and follows house style (using tempDir, stderr-on-failure guard, exitCode asserted last, explicit timeout justified by subprocess + collectContinuously).
• github-actions flagged four potential duplicate PRs, but those targeted the pre-rewrite Zig JSTranspiler.zig arena-lifetime bug, which no longer applies after main's Rust rewrite — this PR now fixes a different (GC-rooting) bug on the same user-visible path.
• No CODEOWNERS entry covers src/jsc/.

[robobun]

Build #54262: same unrelated fetch-tcp-keepalive.test.ts failure on 13 x64-asan (also on #54255, #54257, #54259, #54261), plus v8-heap-snapshot.test.ts SIGKILL on 25.04 x64 (also on #54255). Neither touches the Log.to_js path; transpiler-async-error-uaf.test.ts passed on every shard.

[robobun]

Fuzzing hit this same root cause again, this time through the module loader: a Worker whose module failed to build with multiple errors crashed with a heap-use-after-free while the unhandled AggregateError was being printed (print_error_from_maybe_private_data reading BuildMessage.logged after the wrapper had been finalized). The process_fetch_log half of this PR is exactly what fixes it — reproduced with import() of a module with ~80 build errors under BUN_JSC_collectContinuously=1, and verified it no longer crashes with this branch.

Pushed one commit adding a regression test for that path (test/js/bun/resolve/build-error.test.ts), so both call sites that build the AggregateError are covered. Closing #31284 as a duplicate of this PR.

[claude]

All prior feedback has been addressed and the new build-error.test.ts regression looks good — deferring only because this is a GC-rooting change in src/jsc/ and memory-safety fixes there warrant a human sign-off.

Extended reasoning...

Overview

The PR replaces heap Vec<JSValue> with stack [JSValue; 256] arrays in two places — Log::to_js (src/jsc/lib.rs) and process_fetch_log (src/jsc/VirtualMachine.rs) — so freshly-allocated BuildMessage/ResolveMessage cells stay visible to JSC's conservative stack scanner while subsequent cells are allocated. Two regression tests cover both call sites (transpiler async error path and module-loader multi-error import path). Since my last review, the only new change is the added test/js/bun/resolve/build-error.test.ts case, which follows established subprocess-test conventions.

Security risks

None in the traditional sense (no auth/input-validation surface). The change fixes a memory-safety bug (use-after-free of GC'd cells); it does not introduce new unsafe blocks or widen any trust boundary. The 2 KiB stack array is fixed-size and matches the Zig spec's [256]JSValue.

Level of scrutiny

High. src/jsc/ is the core JavaScriptCore binding layer, and correctness here depends on understanding JSC's conservative GC root-scanning semantics. The fix is small (~20 net lines of product code) and faithfully restores the Zig spec's stack-allocation pattern, but GC-rooting changes in the runtime are exactly the kind of thing a human with JSC expertise should confirm rather than a bot auto-approving.

Other factors

All four of my earlier inline concerns were addressed (sibling process_fetch_log fix applied, PR description updated, test made deterministic via Promise.allSettled → later reworked into a subprocess fixture with useZombieMode/collectContinuously, stale Zig comment resolved). The remaining unresolved inline (production.rs / server/mod.rs comment) was explicitly flagged as pre-existing/non-blocking follow-up work. CI passed on all shards for the new tests; the only failures noted were pre-existing flakes unrelated to this path. No CODEOWNERS concerns surfaced. The bug-hunting system found nothing this round.

[claude]

🟡 Nit: this test sets BUN_JSC_collectContinuously: "1" unconditionally, but every other test in the repo that uses this env var — including this PR's own sibling test at transpiler-async-error-uaf.test.ts:38-44 — gates it behind !isWindows with the rationale "Windows + collectContinuously is prohibitively slow in CI and the code path is platform-agnostic." The workload here is small so it may not actually time out, but for consistency consider spreading the env conditionally (e.g. ...(isWindows ? {} : { BUN_JSC_collectContinuously: "1" })) to match the convention.

Extended reasoning...

What the issue is

The new process_fetch_log regression test added in commit 45e8e72 (test/js/bun/resolve/build-error.test.ts:38) passes env: { ...bunEnv, BUN_JSC_collectContinuously: "1" } to its spawned subprocess unconditionally, with no Windows guard and no explicit per-test timeout. This is inconsistent with the established repo convention and — notably — with the PR's own sibling test added earlier in the same PR.

The repo convention

I checked every test file in test/ that references BUN_JSC_collectContinuously. All eight other usages guard against Windows in one of two ways:

• Conditional env var (if (!isWindows) gcEnv.BUN_JSC_collectContinuously = "1"): transpiler-async-error-uaf.test.ts:44 (this PR), require-esm-gc-roots.test.ts:47-49, jest-each-gc-root.test.ts:99
• test.skipIf(isWindows) / describe.skipIf(isWindows): sourcetextmodule-link-gc.test.ts:19, module-children-concurrent-gc.test.ts:27, 29519.test.ts:16, 30205.test.ts:90/113/144, message-event-init-gc.test.ts:23

Each carries an inline comment explaining why — e.g. require-esm-gc-roots.test.ts says collectContinuously is ">60s for a single subprocess on x64-baseline" on Windows. The new build-error.test.ts test is the sole exception in the codebase.

Why this is internally inconsistent within the PR

The most telling point is that this PR's own other test, transpiler-async-error-uaf.test.ts:38-44, explicitly documents and applies the guard:

// Windows + collectContinuously is prohibitively slow in CI and the code
// path is platform-agnostic, so rely on zombie mode alone there.
const gcEnv: Record<string, string | undefined> = {
  ...bunEnv,
  BUN_JSC_useZombieMode: "1",
};
if (!isWindows) gcEnv.BUN_JSC_collectContinuously = "1";

So the author was clearly aware of the convention when writing the first test but did not apply it when adding the second test in the later commit (45e8e72).

Step-by-step proof

1. On a Windows CI shard, build-error.test.ts runs the new test with no skipIf(isWindows).
2. Bun.spawn launches bunExe() index.js with BUN_JSC_collectContinuously=1 in the environment (line 38).
3. The subprocess parses bad.js (120 lines → ~80 build errors), constructs the AggregateError via process_fetch_log, and prints it as an unhandled rejection — all while JSC's collector runs continuously.
4. Per the repo's own documented experience (">60s for a single subprocess on x64-baseline"), continuous collection on Windows is dramatically slower than on POSIX. The test has no explicit timeout, so it relies on the default per-test timeout.
5. If the subprocess exceeds that default, the test fails as a timeout on Windows CI even though the product code is correct — i.e. a platform-specific flake on a UAF regression test.

Impact / why this is a nit

This is a test-quality / CI-reliability concern, not a product bug. The workload is much lighter than the sibling test (one subprocess, one import() of a 120-line file producing ~80 errors, then exit — vs. the sibling's 20×300-error transformSync loop that needed a 60s timeout), so it may well finish within the default timeout even on Windows. But the inconsistency with a unanimous repo convention and with the PR's own sibling test is worth fixing.

How to fix

Match the sibling test's pattern — import isWindows from harness and gate the env var:

env: { ...bunEnv, ...(isWindows ? {} : { BUN_JSC_collectContinuously: "1" }) },

Or, equivalently, build the env object the same way transpiler-async-error-uaf.test.ts does (and optionally add BUN_JSC_useZombieMode: "1" so Windows still gets deterministic dangling-access detection).

[robobun]

Addressed — the env var is now gated behind !isWindows (with useZombieMode kept unconditionally), matching the sibling test's pattern.

[robobun]

Additional data point: Fuzzilli independently hit this same use-after-free through the module loader path (process_fetch_log) — a Worker whose entry module fails to transpile with multiple parse errors crashes on the worker thread when the aggregated error is printed, reading the freed native BuildMessage (logged flag at offset 144 of the 152-byte allocation).

Deterministic reproduction on an ASAN debug build (crashes every run without this fix, passes with it):

# many-errors.js: ~60 lines like `v0: 1 2 3`, each a recoverable parse error
BUN_JSC_collectContinuously=1 bun-debug -e 'new Worker("./many-errors.js").addEventListener("error", () => {});'

The direct run (BUN_JSC_collectContinuously=1 bun-debug many-errors.js) reproduces it on the main thread too. Verified the stack-array change in this PR fixes both.

[robobun]

Superseded by #31874. This branch is conflicting with main after the comment rewrites in #31783, and the fuzzer independently re-found the same bug through the module loader path (process_fetch_log), which prompted a fresh fix on current main. #31874 carries the same two stack-array changes, includes this PR's transpiler regression test (as transpiler-error-gc-uaf.test.ts), adds an import-path regression test, and fixes one more instance of the same unrooted-heap-Vec shape in bake's production build.