bake: fix dev server crashes in SCB dependency tracing and route syntax error reporting

[robobun]

Fixes three bake dev server crashes. The first two correspond to crash reports BUN-3DYH (Panic: index out of bounds: the len is 23 but the index is 23 in finalize_bundle) and BUN-3DP9 / BUN-3D8F (SIGSEGV in on_router_syntax_error → print); the third is a use-after-free introduced by #31647 that is not in any shipped canary yet.

1. finalize_bundle OOB: iterator invalidation on client_components_affected

Repro: a separateSSRGraph server-components project with 3+ "use client" boundaries sharing a client-side dependency; edit the shared file so one hot update invalidates every boundary.

Cause: finalize_bundle clears the graph-trace bits and then loops for index in &dev.incremental_result.client_components_affected. Each trace_dependencies(index, NoStop) call re-appends the boundary it visits to that same Vec (its trace bit was just cleared), so the list grows by one per iteration. Once a push crosses the capacity, the Vec reallocates and the loop's slice::Iter keeps walking the freed buffer. Under ASAN this is an immediate use-after-free at the exact Sentry stack (finalize_bundle ← finish_from_bake_dev_server ← on_parse_task_complete ← ServerComponentParseTask on_complete). In release, the freed block is promptly recycled by the framework_routes_affected pushes in the same loop — those store (route_index << 1) | recurse_flag u32s, so the stale iterator yields small odd numbers (e.g. 23) as file indexes, and trace_dependencies dies with index out of bounds: the len is 23 but the index is 23 (len = server-graph file count). The Zig original (for (…items) |index|) had the identical latent bug.

Fix: iterate by index against the live Vec. Entries appended mid-loop already had their trace bit set when pushed, so visiting them is a no-op — semantics are unchanged.

2. Segfault printing a router syntax error

Repro: start the dev server with a route path containing more than 64 [params] (bun build/debug/bun-debug main.ts with routes/[p0]/…/[p64]/index.tsx). Before the fix: panic: range start index 4294967295 out of range for slice of length 396 (the Zig-era ReleaseFast equivalent of this unchecked slice was the reported SIGSEGV).

Cause: TinyLog::empty() initializes cursor_at = u32::MAX as an "unset" sentinel; only TinyLog::fail() sets a real cursor. The param_count > 64 error path called log.write(...) without ever setting the cursor, and TinyLog::print sliced rel_path[cursor_at..] with the sentinel. A user's route-file typo would kill the dev server while it tried to report the error.

Fix: give the 64-param error a whole-path cursor, clamp cursor_at in print so no producer state can index out of bounds, and make the cursor rebase in the scan loop saturating so fail()-less error paths (e.g. OOM) keep the sentinel instead of wrapping.

3. Watcher use-after-poison on arena-backed paths (regression from #31647)

Found while stress-testing the above. #31647 made dupe_alloc allocate the disjoint text\0pretty\0 case from the per-bundle arena — which is every ssr:-prefixed SSR-graph path. The bundler's watcher registration used add_file::<{ cfg!(windows) }>, i.e. stored the path slice on POSIX, so the watchlist could point into the freed bundle arena once the bundle completed; the next file event crashed the watcher thread (ASAN: use-after-poison in DevServer::on_file_update). Always clone — every other add_file caller already passes true, and the watcher dedups by hash so it's one copy per watched file.

Verification

• New test test/bake/dev/bundle.test.ts "hot update touching multiple client component boundaries does not crash": fails on unmodified main (ASAN abort, "DevServer crashed"), passes with the fix. Exercises crashes 1 and 3.
• New test test/bake/framework-router.test.ts "dev server reports route syntax errors without crashing": on unmodified main the server dies before startup; with the fix it prints both router errors and serves requests. Exercises crash 2.
• test/bake/framework-router.test.ts (36 pass), test/bake/dev/bundle.test.ts (21), test/bake/dev/hot.test.ts (9), test/bake/dev/esm.test.ts (16) all green on the debug/ASAN build. The two css.test.ts failures (assertion failed: !chunk.content.is_css()) reproduce on unmodified main and are unrelated.
• A 5-minute randomized stress run (concurrent requests + edits/deletes/SCB demotions of client components and CSS under separateSSRGraph) survives with zero sanitizer reports; before the fixes it crashed within seconds.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 595ea10e-7e6b-4884-bc07-670c81b74af2

📥 Commits

Reviewing files that changed from the base of the PR and between a047ebe and 3e24bc8.

📒 Files selected for processing (3)

• src/runtime/bake/DevServer.rs
• src/runtime/bake/FrameworkRouter.rs
• test/bake/framework-router.test.ts

---

Walkthrough

Unconditionally clone watched file paths for watcher ownership, make hot-update dependency tracing robust to vector growth by using an index-based loop, and fix route-parse error reporting by clamping/rebasing cursor positions and setting explicit spans for over-limit parameter patterns.

Changes

Dev Server Robustness Fixes

Layer / File(s)	Summary
Watcher file path ownership src/bundler/bundle_v2.rs	File registration in on_parse_task_complete now always clones watched paths so the watcher owns path bytes rather than borrowing source_path.
Hot-update dependency tracing src/runtime/bake/DevServer.rs, test/bake/dev/bundle.test.ts	finalize_bundle uses an index-based while loop to traverse client_components_affected allowing trace_dependencies to append safely; added regression test exercising hot updates across multiple client component boundaries.
Route parsing error handling and cursor safety src/runtime/bake/FrameworkRouter.rs, test/bake/framework-router.test.ts	TinyLog::print clamps cursor indexes, scan_inner rebases cursor offsets from rel_path to full_rel_path on parse errors (skipping sentinel), and param-count (>64) errors now set explicit cursor spans; tests expanded to verify error formatting and resilience.

Possibly related PRs

• oven-sh/bun#31106: Fixes similar watcher path lifetime issues by switching directory watches to watcher-owned registration (add_directory::<true>) instead of borrowed paths.

Suggested reviewers

• Jarred-Sumner
• RiskyMH
• dylan-conway

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: fixes to dev server crashes in dependency tracing and route error reporting.
Description check	✅ Passed	The description comprehensively covers both required template sections with detailed information about what the PR does and how it was verified.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[robobun]

^{Updated 6:40 PM PT - Jun 9th, 2026}

@robobun, your commit e72355b is building: #61674

[github-actions]

Found 4 issues this PR may fix:

1. Bun Crashes when changing client.js javascript code. #18003 - Stack trace shows finalizeBundle crash when editing client JS in bake dev server, directly matches Bug 1 (iterator invalidation in finalize_bundle)
2. Crash on HMR #22533 - Crash in finishFromBakeDevServer during HMR file save, matches the finalize_bundle / bundle completion code path fixed by Bug 1 or Bug 3
3. Segmentation fault when using hot reload on the react template #17752 - Segfault in bundle_v2 thread pool task during repeated HMR reloads in bake dev server, consistent with Bug 3 (watcher use-after-free on arena-backed paths)
4. bug: when tried to run bun run dev (shadcn + tailwind) react template #21017 - Segfault in watcher threadMain in bake dev server, matches Bug 3 (watcher accessing freed arena memory)

If this is helpful, copy the block below into the PR description to auto-close these issues on merge.

Fixes #18003
Fixes #22533
Fixes #17752
Fixes #21017

🤖 Generated with Claude Code

[robobun]

Checked each suggested issue against the fixed mechanisms — none is a confident match, so not adding Fixes # links:

• Bun Crashes when changing client.js javascript code. #18003 (v1.2.4): array_list.deinit internal assertion in finalizeBundle, plain HTML + client.js project. The iterator-invalidation fix here requires client component boundaries (client_components_affected is only populated with server-components frameworks); an HTML-routes project never enters that block, and a deinit allocator assertion is a different failure mode.
• Crash on HMR #22533 (v1.2.21): "attempt to use null value" in ensureTotalCapacityPrecise inside finishFromBakeDevServer — not in finalize_bundle, no SCBs involved (HTML type: "text" import). Different bug.
• Segmentation fault when using hot reload on the react template #17752 (v1.2.5-canary): segfault in a bundle_v2 thread-pool RunnerTask on a worker thread — not the watcher thread and not the finalize path. The watcher-path fix in this PR addresses a regression introduced by bundler: stop re-interning module paths into FilenameStore on every Bun.build() #31647 (June 2026), which did not exist in 1.2.x.
• bug: when tried to run bun run dev (shadcn + tailwind) react template #21017 (v1.2.18, Windows): segfault in Watcher threadMain — superficially closest, but on Windows watcher paths were already cloned (clone_file_path = isWindows), so the dangling-slice mechanism fixed here cannot be that crash.

This PR is scoped to the Sentry reports it was built from (BUN-3DYH, BUN-3DP9, BUN-3D8F) plus the #31647 watcher regression.

[github-actions]

This PR may be a duplicate of:

1. Fix four file-watcher crash signatures (kevent panic, dangling watch paths, unlocked Windows scan, watchFile join overflow) #31695 - Both fix the same watcher use-after-free on arena-backed dupe_alloc paths in bundle_v2.rs (switching add_file::<cfg!(windows)> to add_file::<true>); PR Fix four file-watcher crash signatures (kevent panic, dangling watch paths, unlocked Windows scan, watchFile join overflow) #31695 calls it BUN-3EAD, this PR calls it BUN-3D8F

🤖 Generated with Claude Code

[robobun]

Re the duplicate-PR flag: the overlap with #31695 is exactly one hunk — the add_file::<true> clone fix (fix 3 here, BUN-3EAD there), found independently and semantically identical in both PRs. Everything else is disjoint: #31695 fixes three additional watcher crashes this PR doesn't touch; this PR fixes the finalize_bundle iterator invalidation and the router-syntax-error print crash, which #31695 doesn't touch. Keeping the hunk here so this PR's regression tests pass independently of merge order; whichever lands second resolves a comment-only conflict in bundle_v2.rs.

[claude]

LGTM — thanks for addressing the off-by-one and pinning the caret column in the test.

Extended reasoning...

Overview

Three targeted crash fixes in the bake dev server, each with a regression test:

1. DevServer.rs (finalize_bundle): replaces for index in &vec with index-based while i < vec.len() iteration over client_components_affected. I verified in incremental_graph.rs:1168-1171 that trace_dependencies does push to this Vec when it visits an SCB, and the gts-bit check at the top of trace_dependencies (line 1135) guarantees revisited entries early-return — so the index-based loop is semantically equivalent but iterator-safe.
2. FrameworkRouter.rs: clamps TinyLog::print's cursor_at to rel_path.len(), switches the 64-param error from log.write() to log.fail() so the cursor is set, and makes the cursor rebase saturating with the u32::MAX sentinel preserved. Includes the off-by-one correction from my earlier inline comment, now test-pinned at the exact column.
3. bundle_v2.rs: add_file::<{ cfg!(windows) }> → add_file::<true> so the watcher always owns its path copy instead of borrowing arena-backed storage.

Security risks

None. These are dev-server crash fixes; no auth, crypto, network-input parsing, or privilege boundaries are touched. Each change is strictly defensive (clamp, own-instead-of-borrow, index-instead-of-iterator).

Level of scrutiny

Moderate — the changes touch bundler/dev-server internals with memory-lifetime reasoning, but each hunk is small (< 20 effective LOC), well-commented, and covered by a regression test that the PR description confirms fails on unmodified main and passes with the fix. The author also ran a 5-minute ASAN stress test. None of the touched files are under CODEOWNERS.

Other factors

• I previously reviewed and left one inline nit (cursor-rebase off-by-one); it was fixed in 3c48d77 and the thread is resolved.
• The current bug-hunting pass found no issues.
• The one-hunk overlap with #31695 is acknowledged and benign (whichever lands second resolves a comment-only conflict).
• Worst-case downside of any individual change is benign: an extra string clone per watched file, extra no-op loop iterations, or a clamped cursor position.

[claude]

Thanks for addressing the cursor-rebase off-by-one — the fixes all look correct and strictly defensive to me, but since this touches finalize_bundle / incremental-graph tracing and watcher path lifetimes, I'd like a bake maintainer to confirm the index-loop is bounded (i.e. the gts-bit-already-set claim) before merge.

Extended reasoning...

Overview

Three targeted crash fixes in the bake dev server, each with a regression test:

• DevServer.rs: replaces for index in &vec with a while i < vec.len() index loop over client_components_affected to avoid iterator invalidation when trace_dependencies appends to that same Vec mid-iteration.
• FrameworkRouter.rs: clamps TinyLog::print's cursor_at to rel_path.len(); switches the 64-param error from log.write to log.fail so a cursor is set; rebases the cursor with saturating arithmetic, guarding the u32::MAX sentinel and applying the -1 correction from my earlier inline comment (now resolved and pinned by a stderr-alignment assertion in the new test).
• bundle_v2.rs: changes add_file::<{ cfg!(windows) }> to add_file::<true> so the watcher always owns its path copy instead of borrowing arena-backed slices on POSIX.

Security risks

None. All inputs are local filesystem paths and developer route files; the changes are defensive (clamping, saturating arithmetic, owned copies, index-based iteration) and only affect dev-server-local error reporting and HMR bookkeeping. No auth, network, crypto, or untrusted-input parsing is touched.

Level of scrutiny

Medium-high. Each individual change is small and strictly safer than what it replaces — there is no realistic way for a clamp, a saturating add, an owned clone, or an index-vs-iterator loop to regress correctness relative to the prior code. However, the surrounding subsystem is the bundler's incremental-rebuild core (finalize_bundle, graph trace bits, watcher lifetimes), where invariants are subtle and a Rust-port-of-Zig is in flight. The index-loop fix in particular relies on the claim that mid-loop-appended entries already have their gts bit set (so the loop can't grow unboundedly); that's stated in the comment and PR description but is the kind of invariant a maintainer who owns incremental_graph.rs should confirm.

Other factors

• My one prior inline nit (cursor rebase off-by-one) was addressed in 3c48d77 and the regression test now pins the exact caret column, so that thread is closed.
• The bug-hunting pass on the latest revision found nothing.
• One hunk overlaps with PR #31695 (the add_file::<true> change); the author has acknowledged this and the overlap is comment-only on conflict.
• robobun reported a ❌ on build #59822 for 3c48d77; the latest commit (c1cdd4f) is a CI retrigger and I don't have the updated status — worth confirming green before merge.
• The new framework-router.test.ts assertion matches exact stderr whitespace/formatting from TinyLog::print, which is somewhat brittle but intentional (it pins the caret alignment fix).

Deferring rather than approving because of the critical-path location and the unverified CI status, not because of any specific concern with the diff.

[robobun]

Re the boundedness of the index loop, the invariant is structural in trace_dependencies (src/runtime/bake/dev_server/incremental_graph.rs):

if gts.bits(SIDE).is_set(file_index.get() as usize) {
    return Ok(());                                   // dedup guard
}
gts.bits(SIDE).set(file_index.get() as usize);       // bit set FIRST …
...
if is_scb {
    … client_components_affected.push(…);            // … push only AFTER the bit is set
}

• The only client_components_affected.push in the codebase is this one, and it is dominated by the gts bit being set for that same index.
• ctx.gts.clear() runs once, before the loop (DevServer.rs:4509); bits are never cleared during it.
• Therefore each server-graph file index can be appended at most once for the whole loop: the first visit sets its bit and may push; any later visit (including via the appended tail) hits the guard and returns without pushing.
• Worst case the Vec grows to (seeded entries + number of distinct SCB files), both finite, and every appended entry's trace is an immediate no-op — so the loop terminates and the extra iterations do no graph work.

The pre-existing for loop relied on the exact same invariant for termination (Zig's for (…items) also iterated a once-captured slice); the change only removes the dangling-pointer read, not any behavior the old code depended on.

[robobun]

CI status for merge: the diff is green on every lane that executed — 70/70 including linux x64/aarch64 (glibc+musl), ASAN, baseline, and all Windows test lanes, plus Format and clippy. The only red checks across both runs (59822, 59859) are darwin-14-aarch64-test-bun, darwin-14-x64-test-bun, and darwin-26-aarch64-test-bun, each Expired after 0s — they never started. The same three lanes are currently expiring identically on unrelated PRs (#31695, #31693), so this is macOS agent-pool capacity, not this change (which is platform-independent Rust, exercised hardest by the ASAN lane that passes). Already spent one retrigger; not pushing more. Ready for maintainer review/merge.

[robobun]

CI status update (final): on the retried build, darwin-14-x64-test-bun eventually got an agent and exited 2 — but the same lane fails with the same exit status 2 on unrelated PRs (e.g. the build for #31693, a parser fix that has since merged), and the other two darwin lanes still expire in queue. So the darwin test lanes are currently red across the board on Buildkite, independent of this change. Everything that is specific to this PR remains green: all Linux (glibc/musl/baseline/ASAN) and Windows test lanes, Format, and clippy — 70 passing checks. No further retriggers from me; this needs a maintainer merge (or a darwin-lane rerun once those agents are healthy).

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/bake/framework-router.test.ts`:
- Around line 169-197: The test currently only reads proc.stdout incrementally
and waits to consume proc.stderr after killing the process, which can cause pipe
backpressure deadlocks; modify the test around the Bun.spawn usage so stderr is
drained concurrently with stdout (e.g., kick off an async reader/collector for
proc.stderr into a string while the existing for-await loop reads proc.stdout
and matches the URL), ensure both streams are being consumed before proc.kill()
and before awaiting proc.exited, and keep variables like stdout, stderr,
decoder, and proc references (proc.stdout / proc.stderr) intact so the final
assertions still use the collected stderr text.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 55e48fbd-0cc0-431e-b97b-d85ed09fcf3a

📥 Commits

Reviewing files that changed from the base of the PR and between a988615 and a047ebe.

📒 Files selected for processing (5)

• src/bundler/bundle_v2.rs
• src/runtime/bake/DevServer.rs
• src/runtime/bake/FrameworkRouter.rs
• test/bake/dev/bundle.test.ts
• test/bake/framework-router.test.ts

[claude]

All prior review feedback has been addressed and the bug hunter found nothing new, but these are memory-safety fixes (iterator invalidation, use-after-free, OOB slice) in core bundler/dev-server hot paths — worth a human pass on the invariant reasoning before merge.

Extended reasoning...

Overview

This PR fixes three independent dev-server crashes across src/bundler/bundle_v2.rs, src/runtime/bake/DevServer.rs, and src/runtime/bake/FrameworkRouter.rs, with regression tests in test/bake/dev/bundle.test.ts and test/bake/framework-router.test.ts. The fixes are: (1) switch a for &vec loop to index-based iteration because trace_dependencies appends to the same Vec mid-loop; (2) clamp TinyLog::cursor_at and give the 64-param error a real cursor so print can't slice OOB, plus correct the cursor rebase offset; (3) always clone watcher paths since dupe_alloc can hand out per-bundle-arena storage.

Security risks

None in the conventional sense — no auth, crypto, network-input parsing, or permission surface. The changes are crash-hardening of internal data structures. The watcher-path clone and the index-based loop strictly reduce UB exposure relative to the previous code.

Level of scrutiny

High. These are memory-safety fixes in production-critical paths (finalize_bundle, the file watcher registration in on_parse_task_complete, and the route scanner). The correctness of fix 1 hinges on the invariant that trace_dependencies sets the gts bit before pushing (so the index loop is bounded), and fix 3 changes lifetime ownership semantics for every watched file on POSIX. The reasoning in the PR description and the author's follow-up comment on boundedness is detailed and looks sound to me, but this is exactly the kind of subtle invariant a maintainer familiar with incremental_graph.rs should sign off on.

Other factors

• Both of my earlier inline comments (off-by-one in the cursor rebase; comment-style per CLAUDE.md) were addressed in 3c48d77 and 3e24bc8 respectively, and the CodeRabbit stderr-drain concern was addressed in 25a3391. All inline threads are resolved.
• The bug-hunting system found nothing on the current revision.
• New regression tests cover all three crashes and pin the corrected caret alignment; CI is green on every lane that ran (the darwin/musl failures are documented as fleet-wide and unrelated).
• There is a one-hunk overlap with #31695 (the add_file::<true> fix), already acknowledged in-thread.

I'm deferring rather than approving because the changes, while small in line count, alter iteration-under-mutation and storage-lifetime behavior in hot bundler code — not the kind of mechanical change appropriate for bot auto-approval.

[robobun]

CI triage for build 61332 (head 3e24bc8): three red test lanes, none related to this diff.

• debian-13-x64-asan-test-bun: single failure, test/cli/install/bunx.test.ts:518 "should handle package that requires node 24" (exit 0 expected, got 3). The identical failure appears on unrelated concurrent builds (e.g. build 61330, a different branch touching different files), so it is an environment/registry-dependent flake, not this change. Nothing in this PR touches bunx or version resolution.
• windows-2019-x64-test-bun / windows-2019-x64-baseline-test-bun: same bunx failure plus test/js/bun/test/test-retry-repeats-basic.test.ts (test-runner retry/repeats internals, untouched by this PR).

Everything this PR touches remains green: the bake suites pass on the ASAN lane, Format/clippy pass, and all Linux build+test lanes are green. One retrigger was already spent earlier; leaving the rest to a maintainer.

[robobun]

Build 61674 (after the branch was updated with main) carries no test signal: the darwin and linux build-cpp jobs expired in the agent queue without starting, cascading waiting_failed to every downstream test job — nothing was executed. The branch now includes #32042 (skips the flaky bunx test that failed the previous run), so the next triggered build should be clean. Not pushing a retrigger; a Buildkite rebuild by anyone with access will do.