From 993be3f931694fd8dbf3753e60189b8322dfe27a Mon Sep 17 00:00:00 2001
From: robobun
Date: Wed, 11 Feb 2026 23:14:43 -0800
Subject: [PATCH] fix(plugin): set virtualModules to nullptr after delete in clearAll (#26940)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Summary

- Fix double-free in `Bun.plugin.clearAll()` by setting `virtualModules = nullptr` after `delete`
- In `jsFunctionBunPluginClear` (`BunPlugin.cpp:956`), `delete global->onLoadPlugins.virtualModules` freed the pointer without nullifying it. When the `OnLoad` destructor later runs (during Worker termination or VM destruction), it checks `if (virtualModules)` — the dangling non-null pointer passes the check and is deleted again, corrupting the heap allocator.

## Test plan

- [ ] New test `test/regression/issue/plugin-clearall-double-free.test.ts` spawns a subprocess that registers a virtual module, calls `Bun.plugin.clearAll()`, and exits with `BUN_DESTRUCT_VM_ON_EXIT=1` to trigger the destructor path
- [ ] Verified the test fails on the system bun (pre-fix) with `pas panic: deallocation did fail ... Alloc bit not set`
- [ ] Verified the test passes with the debug build (post-fix)
- [ ] Existing plugin tests (`test/js/bun/plugin/plugins.test.ts`) all pass (29/29)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Bot
Co-authored-by: Claude
Co-authored-by: Jarred Sumner
---
 src/bun.js/bindings/BunPlugin.cpp | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/bun.js/bindings/BunPlugin.cpp b/src/bun.js/bindings/BunPlugin.cpp
index c14c8bf33c..d330fba8f4 100644
--- a/src/bun.js/bindings/BunPlugin.cpp
+++ b/src/bun.js/bindings/BunPlugin.cpp
@@ -954,6 +954,7 @@ BUN_DEFINE_HOST_FUNCTION(jsFunctionBunPluginClear, (JSC::JSGlobalObject * global global->onResolvePlugins.namespaces.clear(); delete global->onLoadPlugins.virtualModules; + global->onLoadPlugins.virtualModules = nullptr; return JSC::JSValue::encode(JSC::jsUndefined()); }
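Review bot: The regression test named in the test plan, `test/regression/issue/plugin-clearall-double-free.test.ts`, is not part of this patch: the diffstat shows one file changed and one insertion, all in `BunPlugin.cpp`, so nothing in this commit keeps the `delete global->onLoadPlugins.virtualModules;` / `= nullptr;` pair in `jsFunctionBunPluginClear` from regressing. Please land the test in the same commit, and tick or drop the unchecked "Verified" boxes so the message reflects what was actually run. Separately, the correctness of this path now depends on every `delete` of `virtualModules` being followed by a manual reset, because the `OnLoad` destructor described in the message only checks `if (virtualModules)`. Consider doing the free and the reset in one place, for example a small clear helper on `OnLoad` that both `clearAll` and the destructor call, or an owning smart pointer if the member's type allows it, and add a short comment on the new line stating that the destructor frees this pointer again if it is left non-null.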