mirrors/bun.sh
1
0
Fork 0
mirror of https://github.com/oven-sh/bun synced 2026-02-16 13:51:47 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
b93c216e92c0f001c6bf82c55cd4d8fa1dd3c229
bun.sh/src/codegen
History
robobun 315e822866 fix(bindgen): prevent use-after-free for optional string arguments (#26717) 
## Summary
- Fix a use-after-free bug in the bindgen code generator where string
arguments with default values would have their underlying WTF::String
destroyed before the BunString was used
- The issue occurred because for optional string parameters with
defaults, a WTF::String was created inside an `if` block, converted to
BunString, then the if block closed and destroyed the WTF::String while
the BunString was still in use
- This manifested as a segfault in `Bun.stringWidth()` and potentially
other functions using optional string arguments

## Details

The crash stack trace showed:
```
Segmentation fault at address 0x31244B0F0
visible.zig:888: string.immutable.visible.visible.visibleUTF16WidthFn
BunObject.zig:1371: bindgen_BunObject_dispatchStringWidth1
GeneratedBindings.cpp:242: bindgen_BunObject_jsStringWidth
```

The generated code before this fix looked like:
```cpp
BunString argStr;
if (!arg0.value().isUndefinedOrNull()) {
    WTF::String wtfString_0 = WebCore::convert<...>(...);
    argStr = Bun::toString(wtfString_0);
}  // <-- wtfString_0 destroyed here!
// ... argStr used later, pointing to freed memory
```

The fix declares the WTF::String holder outside the if block:
```cpp
BunString argStr;
WTF::String wtfStringHolder_0;  // Lives until function returns
if (!arg0.value().isUndefinedOrNull()) {
    wtfStringHolder_0 = WebCore::convert<...>(...);
}
if (!wtfStringHolder_0.isEmpty()) argStr = Bun::toString(wtfStringHolder_0);
// argStr now points to valid memory
```

This fix applies to both:
- Direct string function arguments with defaults (e.g.,
`t.DOMString.default("")`)
- Dictionary fields with string defaults

## Test plan
- [x] Existing `stringWidth.test.ts` tests pass (105 tests)
- [x] Manual testing with GC stress shows no crashes
- [x] `os.userInfo()` with encoding option works correctly

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Bot <claude-bot@bun.sh>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-03 17:44:13 -08:00
..
bindgenv2
Upgrade WebKit to d5bd162d9ab2 (#25958)
2026-01-15 10:26:43 -08:00
bake-codegen.ts
ssg 3 (#22138)
2025-09-30 05:26:32 -07:00
bindgen-lib-internal.ts
Fix formatters not running in CI + delete unnecessary files (#19433)
2025-05-08 23:22:16 -07:00
bindgen-lib.ts
Add new bindings generator; port SSLConfig (#23169)
2025-10-03 17:10:28 -07:00
bindgen.ts
fix(bindgen): prevent use-after-free for optional string arguments (#26717)
2026-02-03 17:44:13 -08:00
buildTypeFlag.ts
framework api: init / work in progress (#13215)
2024-09-12 16:44:03 -07:00
builtin-parser.ts
internal: remove secret hidden internals and introduce new way to call native code from js (#8166)
2024-03-29 21:47:11 -07:00
bundle-functions.ts
Upgrade WebKit to d5bd162d9ab2 (#25958)
2026-01-15 10:26:43 -08:00
bundle-modules.ts
runtime: implement CompressionStream/DecompressionStream (#24757)
2025-11-20 17:14:37 -08:00
ci_info.ts
Update ci_info with more CI detection (#23708)
2025-11-10 19:58:02 -08:00
class-definitions.ts
codegen: Add WriteBarrierEarlyInit support for classes with values and valuesArray (#23624)
2025-10-13 19:15:38 -07:00
client-js.ts
node:net rework (#18962)
2025-05-28 17:04:37 -07:00
cppbind.ts
Update WebKit (#26381)
2026-01-25 10:38:13 -08:00
create_hash_table
4 less values for the global object to visit (#23368)
2025-10-08 01:14:00 -07:00
create-hash-table.ts
Fix formatters not running in CI + delete unnecessary files (#19433)
2025-05-08 23:22:16 -07:00
generate-classes.ts
Update WebKit (#26381)
2026-01-25 10:38:13 -08:00
generate-compact-string-table.ts
Shrink MimeType list (#21004)
2025-07-15 22:37:09 -07:00
generate-js2native.ts
zig: fix missing uses of bun.callmod_inline (#24738)
2025-11-15 16:36:15 -08:00
generate-jssink.ts
safety: a lot more exception checker progress (#20956)
2025-07-16 00:11:19 -07:00
generate-node-errors.ts
Enable breaking_changes_1_3 (#23308)
2025-10-07 12:07:29 -07:00
generate-unified-source-bundles.rb
helpers.ts
Add new bindings generator; port SSLConfig (#23169)
2025-10-03 17:10:28 -07:00
internal-module-registry-scanner.ts
module pr 2 (#18266)
2025-03-20 00:45:44 -07:00
process_windows_translate_c.zig
Update to zig 0.15.2 (#24204)
2025-11-10 14:38:26 -08:00
replacements.ts
Add new bindings generator; port SSLConfig (#23169)
2025-10-03 17:10:28 -07:00
shared-types.ts
zig: handle termination exception from promise fulfullment/rejection (#23285)
2025-10-14 19:48:25 -07:00