mirrors/bun.sh
1
0
Fork 0
mirror of https://github.com/oven-sh/bun synced 2026-02-02 15:08:46 +00:00
Code Issues Packages Projects Releases Wiki Activity
13,773 Commits 2,370 Branches 251 Tags
8826b4f5f572f8a5bb159a33834759d8294737cb
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
robobun 8826b4f5f5 Fix WTFTimer issues with Atomics.waitAsync (#23442) 
## Summary

Fixes two critical issues in `WTFTimer` when `Atomics.waitAsync` creates
multiple timer instances.

## Problems

### 1. Use-After-Free in `WTFTimer.fire()`

**Location:** `/workspace/bun/src/bun.js/api/Timer/WTFTimer.zig:70-82`

```zig
pub fn fire(this: *WTFTimer, _: *const bun.timespec, _: *VirtualMachine) EventLoopTimer.Arm {
    this.event_loop_timer.state = .FIRED;
    this.imminent.store(null, .seq_cst);
    this.runWithoutRemoving();  // ← Callback might destroy `this`
    return if (this.repeat)     // ← UAF: accessing freed memory
        .{ .rearm = this.event_loop_timer.next }
    else
        .disarm;
}
```

When `Atomics.waitAsync` creates a `DispatchTimer` with a timeout, the
timer fires and the callback destroys `this`, but we continue to access
it.

### 2. Imminent Pointer Corruption

**Location:** `/workspace/bun/src/bun.js/api/Timer/WTFTimer.zig:36-42`

```zig
pub fn update(this: *WTFTimer, seconds: f64, repeat: bool) void {
    // Multiple WTFTimers unconditionally overwrite the shared imminent pointer
    this.imminent.store(if (seconds == 0) this else null, .seq_cst);
    // ...
}
```

All `WTFTimer` instances share the same
`vm.eventLoop().imminent_gc_timer` atomic pointer. When multiple timers
are created (GC timer + Atomics.waitAsync timers), they stomp on each
other's imminent state.

## Solutions

### 1. UAF Fix

Read `this.repeat` and `this.event_loop_timer.next` **before** calling
`runWithoutRemoving()`:

```zig
const should_repeat = this.repeat;
const next_time = this.event_loop_timer.next;
this.runWithoutRemoving();
return if (should_repeat)
    .{ .rearm = next_time }
else
    .disarm;
```

### 2. Imminent Pointer Fix

Use compare-and-swap to only set imminent if it's null, and only clear
it if this timer was the one that set it:

```zig
if (seconds == 0) {
    _ = this.imminent.cmpxchgStrong(null, this, .seq_cst, .seq_cst);
    return;
} else {
    _ = this.imminent.cmpxchgStrong(this, null, .seq_cst, .seq_cst);
}
```

## Test Plan

Added regression test at
`test/regression/issue/atomics-waitasync-wtftimer-uaf.test.ts`:

```javascript
const buffer = new SharedArrayBuffer(16);
const view = new Int32Array(buffer);
Atomics.store(view, 0, 0);

const result = Atomics.waitAsync(view, 0, 0, 10);
setTimeout(() => {
  console.log("hi");
}, 100);
```

**Before:** Crashes with UAF under ASAN  
**After:** Runs cleanly

All existing atomics tests pass.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Bot <claude-bot@bun.sh>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Jarred Sumner <jarred@jarredsumner.com>
2025-10-10 03:47:38 -07:00
.buildkite
lsan: fix reporting on linux ci (#22806)
2025-09-24 00:47:52 -07:00
.claude
Update post-edit-zig-format.js
2025-10-04 06:07:38 -07:00
.cursor
Fix outdated doc
2025-10-07 20:08:57 -07:00
.github
fix(sqlite) enable order by and limit in delete/update statements on windows (#23227)
2025-10-04 02:48:50 -07:00
.vscode
lsan: fix reporting on linux ci (#22806)
2025-09-24 00:47:52 -07:00
bench
fix(benchmark): postgres benchmark was not performing any queries under deno and node (#22926)
2025-09-23 17:48:10 -07:00
cmake
Add Nix flake for development environment (#23406)
2025-10-10 02:13:28 -07:00
completions
Improve --reporter flag help and error messages (#22900)
2025-09-24 18:26:37 -07:00
dockerhub
Update docker images from debian:bullseye to debian:bookworm (#18278)
2025-04-12 06:17:53 -07:00
docs
Doc updates
2025-10-09 23:37:10 -07:00
misctools
test: break up node-http.test.ts (#23125)
2025-09-30 17:25:17 -07:00
packages
improve(node:http): uncork after flushing headers to ensure data is sent immediately (#23413)
2025-10-09 22:56:49 -07:00
patches
Upgrade libarchive to v3.8.1 (#21250)
2025-07-21 20:08:00 -07:00
scripts
scripts/runner: pass TEST_SERIAL_ID for proper parallelism handling (#23031)
2025-10-05 18:22:55 -07:00
src
Fix WTFTimer issues with Atomics.waitAsync (#23442)
2025-10-10 03:47:38 -07:00
test
Fix WTFTimer issues with Atomics.waitAsync (#23442)
2025-10-10 03:47:38 -07:00
.clang-tidy
Reapply "Convert build scripts to CMake (#13427)"
2024-09-11 08:24:50 -07:00
.clangd
meta: fix disabling of clangd auto header insertion (#17172)
2025-02-10 02:04:21 -08:00
.cursorignore
Update .cursorignore
2024-12-26 11:48:30 -08:00
.dockerignore
bump webkit (#15328)
2024-12-12 03:21:56 -08:00
.editorconfig
Bring uSockets & uWebSockets forks into Bun's repository (#4372)
2023-08-28 08:38:30 -07:00
.git-blame-ignore-revs
Update .git-blame-ignore-revs
2025-06-13 16:16:14 -07:00
.gitattributes
Use "module": "Preserve" (#19655)
2025-05-14 18:43:15 -07:00
.gitignore
Update .gitignore
2025-10-05 04:28:25 -07:00
.lldbinit
Move LLDB initialization commands to make attach configuration work (#20085)
2025-05-30 19:33:03 -07:00
.mailmap
do not print duplicate code (#16231)
2025-01-07 20:19:12 -08:00
.prettierignore
disable async in script tags in dev server (#17517)
2025-02-21 11:28:27 -08:00
.prettierrc
Add new bindings generator; port SSLConfig (#23169)
2025-10-03 17:10:28 -07:00
.typos.toml
ci: check for typos in documentation (#16235)
2025-01-08 07:23:54 +00:00
AGENTS.md
Make AGENTS.md a symlink to CLAUDE.md
2025-06-27 21:13:21 -07:00
build.zig
Add new bindings generator; port SSLConfig (#23169)
2025-10-03 17:10:28 -07:00
bun.lock
Add new bindings generator; port SSLConfig (#23169)
2025-10-03 17:10:28 -07:00
bunfig.node-test.toml
node:module compatibility pt 1 (#18106)
2025-03-12 15:47:41 -07:00
bunfig.toml
bun install: support for minimumReleaseAge (#22801)
2025-10-06 02:58:04 -07:00
CLAUDE.md
Update CLAUDE.md
2025-10-04 02:20:59 -07:00
CMakeLists.txt
feat: Update BoringSSL to latest upstream (Sept 2025) - Post-quantum crypto, Rust support, and major performance improvements (#22562)
2025-09-12 18:16:32 -07:00
CODE_OF_CONDUCT.md
Add a code of conduct
2022-09-03 20:54:15 -07:00
CONTRIBUTING.md
Add Nix flake for development environment (#23406)
2025-10-10 02:13:28 -07:00
entitlements.debug.plist
Faster debug builds (#16354)
2025-01-12 20:03:24 -08:00
entitlements.plist
New subcommand: bun upgrade. It upgrades bun to the latest version.
2021-10-28 05:34:38 -07:00
flake.lock
Add Nix flake for development environment (#23406)
2025-10-10 02:13:28 -07:00
flake.nix
Add Nix flake for development environment (#23406)
2025-10-10 02:13:28 -07:00
LATEST
Update LATEST
2025-10-09 18:28:48 -07:00
LICENSE.md
libdeflate (#12741)
2024-07-24 01:30:31 -07:00
oxlint.json
fix(lint): resolve no-unused-expressions errors (#23127)
2025-09-30 04:45:34 -07:00
package.json
Bump version to 1.3.0 (#23401)
2025-10-09 06:30:35 -07:00
README.md
bun.sh -> bun.com (#20909)
2025-07-10 00:10:43 -07:00
SECURITY.md
bun.sh -> bun.com (#20909)
2025-07-10 00:10:43 -07:00
shell.nix
Add Nix flake for development environment (#23406)
2025-10-10 02:13:28 -07:00
tsconfig.base.json
Add new bindings generator; port SSLConfig (#23169)
2025-10-03 17:10:28 -07:00
tsconfig.json
types: Rewrite to avoid conflicts and allow for doc generation (#18024)
2025-03-25 14:33:30 -07:00
workspace.code-workspace
go
2021-08-11 13:56:03 -07:00

README.md

Logo

Bun

stars Bun speed

Documentation   •   Discord   •   Issues   •   Roadmap

Read the docs →

What is Bun?

Bun is an all-in-one toolkit for JavaScript and TypeScript apps. It ships as a single executable called bun.

At its core is the Bun runtime, a fast JavaScript runtime designed as a drop-in replacement for Node.js. It's written in Zig and powered by JavaScriptCore under the hood, dramatically reducing startup times and memory usage.

bun run index.tsx             # TS and JSX supported out-of-the-box

The bun command-line tool also implements a test runner, script runner, and Node.js-compatible package manager. Instead of 1,000 node_modules for development, you only need bun. Bun's built-in tools are significantly faster than existing options and usable in existing Node.js projects with little to no changes.

bun test                      # run tests
bun run start                 # run the `start` script in `package.json`
bun install <pkg>             # install a package
bunx cowsay 'Hello, world!'   # execute a package

Install

Bun supports Linux (x64 & arm64), macOS (x64 & Apple Silicon) and Windows (x64).

Linux users — Kernel version 5.6 or higher is strongly recommended, but the minimum is 5.1.

x64 users — if you see "illegal instruction" or similar errors, check our CPU requirements

# with install script (recommended)
curl -fsSL https://bun.com/install | bash

# on windows
powershell -c "irm bun.com/install.ps1 | iex"

# with npm
npm install -g bun

# with Homebrew
brew tap oven-sh/bun
brew install bun

# with Docker
docker pull oven/bun
docker run --rm --init --ulimit memlock=-1:-1 oven/bun

Upgrade

To upgrade to the latest version of Bun, run:

bun upgrade

Bun automatically releases a canary build on every commit to main. To upgrade to the latest canary build, run:

bun upgrade --canary

View canary build

Quick links

Guides

Contributing

Refer to the Project > Contributing guide to start contributing to Bun.

License

Refer to the Project > License page for information about Bun's licensing.

Reference in New Issue View Git Blame Copy Permalink
Description
Bun is a fast, incrementally adoptable all-in-one JavaScript, TypeScript & JSX toolkit. Use individual tools like bun test or bun install in Node.js projects, or adopt the complete stack with a fast JavaScript runtime, bundler, test runner, and package manager built in. Bun aims for 100% Node.js compatibility.
Readme 847 MiB
Languages
Zig 60.6%
C++ 24.9%
TypeScript 8.3%
C 3.3%
JavaScript 1.4%
Other 1.1%