WebSocket: release pending-activity ref when close()/terminate() called during CONNECTING

[robobun]

Repro

const net = require('net');
const server = net.createServer(() => {}).listen(0, '127.0.0.1', () => {
  const ws = new WebSocket(`ws://127.0.0.1:${server.address().port}`);
  ws.onclose = () => { server.close(); console.log('closed'); };
  ws.close();
});

On current main this script never prints closed and never exits. ws.readyState stays CLOSING (2) forever and the WebSocket is never garbage-collected — heapStats() shows every such instance pinned indefinitely. Same for terminate().

Cause

connect() takes a pending-activity ref (incPendingActivityCount(), WebSocket.cpp:667) that is balanced only by didConnect / didFailWithErrorCode / didClose.

When close()/terminate() is called while m_state == CONNECTING, the handler sets m_state = CLOSING, calls Bun__WebSocketHTTP{S,}Client__cancel on the upgrade client, and returns. The Zig cancel() (WebSocketUpgradeClient.zig:439) clears outgoing_websocket without calling didAbruptClose — by design, since C++ initiated the cancel. But C++ never finishes the close either, so none of the completion callbacks fire, m_state never reaches CLOSED, m_pendingActivityCount stays ≥ 1, and hasPendingActivity() returns true permanently — the JS wrapper is a GC root forever and the native ref() is never deref()ed.

As a visible side effect, the existing #16995 test leaves ~4096 WebSocket instances in heapStats() on current main.

Fix

Extract the CONNECTING branch of close()/terminate() into failConnectingWebSocket(). After cancelling the upgrade client it posts a task that:

1. Sets m_state = CLOSED
2. Fires an error event followed by a close event with code 1006, wasClean = false — per the spec's "fail the WebSocket connection" steps; matches Chrome/Firefox and Node ws
3. Calls disablePendingActivity() to release the ref taken in connect()

The native-callback path (m_native.onClose) is handled the same way as didClose.

Verification

New tests in test/js/web/websocket/websocket-close-connecting.test.ts for both close() and terminate():

• fires error + close events and transitions to CLOSED — TCP server that never responds keeps the socket in CONNECTING; after close() an error event fires, then a close event with {code: 1006, wasClean: false}, and readyState === CLOSED.
• does not leak — creates 64 sockets, closes each during CONNECTING, verifies via heapStats().objectTypeCounts.WebSocket that they are collected.

All four time out on the unpatched build (close event never fires).

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 999baa81-2b7c-42a6-a2bc-be9700595100

📥 Commits

Reviewing files that changed from the base of the PR and between 9079d5b and 81bd2a9.

📒 Files selected for processing (3)

• src/bun.js/bindings/webcore/WebSocket.cpp
• src/bun.js/bindings/webcore/WebSocket.h
• test/js/web/websocket/websocket-close-connecting.test.ts

---

Walkthrough

Introduces a dedicated failConnectingWebSocket() helper method to centralize handling of WebSocket shutdown during the CONNECTING state. Includes new tests validating event ordering and memory behavior for both close() and terminate() operations on connecting WebSockets.

Changes

Cohort / File(s)	Summary
WebSocket Connection Failure Handler src/bun.js/bindings/webcore/WebSocket.cpp, src/bun.js/bindings/webcore/WebSocket.h	Introduces private failConnectingWebSocket() method to unify duplicate shutdown logic in close() and terminate(). Handles state transitions via scheduled tasks, emits error and close events with code 1006 and wasClean false, and balances pending activity references from initialization.
WebSocket CONNECTING State Tests test/js/web/websocket/websocket-close-connecting.test.ts	New test suite validating both ws.close() and ws.terminate() during CONNECTING state. Verifies event ordering (error before close), close event properties (readyState, code, wasClean), and absence of memory leaks under forced garbage collection with batch operations.

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly and specifically describes the main change: releasing the pending-activity reference when close()/terminate() is called during CONNECTING state.
Description check	✅ Passed	The description comprehensively covers both required sections: detailed explanation of what the PR does (root cause, fix approach, verification) and how it was verified (new tests for event order and leak detection).
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Review rate limit: 4/5 reviews remaining, refill in 12 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[robobun]

^{Updated 11:49 PM PT - Apr 28th, 2026}

❌ @Jarred-Sumner, your commit 8a5dc8c has 6 failures in Build #48949 (All Failures):

• scripts/build/ci.ts - build failed on 🍎 aarch64 - build-cpp
• test/js/web/fetch/fetch-http2-client.test.ts - code 1 on 🪟 11 aarch64
• test/js/bun/test/parallel/test-integration-rspack.ts - pid 6428 segmentation fault at address 0x7ff821beb9c8 on 🪟 11 aarch64
• test/js/bun/http/serve-stream-reject-flush-leak.test.ts - pid 6336 internal assertion failure: allocators do not match�[0m on 🪟 11 aarch64
• test/js/bun/http/serve-stream-reject-flush-leak.test.ts - pid 2408 internal assertion failure: allocators do not match�[0m on 🪟 2019 x64-baseline
• test/js/bun/http/serve-stream-reject-flush-leak.test.ts - pid 5860 internal assertion failure: allocators do not match�[0m on 🪟 2019 x64
• test/bake/dev-and-prod.test.ts - code 1 on 🪟 11 aarch64
• test/bake/dev-and-prod.test.ts - code 1 on 🪟 2019 x64
• test/js/workerd/html-rewriter-leak.test.ts - code 1 on 🐧 13 x64-asan
• test/js/workerd/html-rewriter-leak.test.ts - code 1 on 🪟 2019 x64-baseline
• test/js/workerd/html-rewriter-leak.test.ts - code 1 on 🪟 11 aarch64
• test/js/workerd/html-rewriter-leak.test.ts - code 1 on 🪟 2019 x64
• test/js/workerd/html-rewriter-leak.test.ts - code 1 on 🐧 25.04 x64-baseline
• test/js/workerd/html-rewriter-leak.test.ts - code 1 on 🐧 13 x64-baseline
• test/js/workerd/html-rewriter-leak.test.ts - code 1 on 🐧 13 aarch64
• test/js/workerd/html-rewriter-leak.test.ts - code 1 on 🐧 3.23 aarch64
• test/js/workerd/html-rewriter-leak.test.ts - code 1 on 🐧 3.23 x64
• test/js/workerd/html-rewriter-leak.test.ts - code 1 on 🐧 25.04 x64
• test/js/workerd/html-rewriter-leak.test.ts - code 1 on 🐧 13 x64
• test/js/workerd/html-rewriter-leak.test.ts - code 1 on 🍎 14 x64

---

🧪   To try this PR locally:

bunx bun-pr 29918

That installs a local version of the PR into your bun-29918 executable, so you can run:

bun-29918 --bun

[github-actions]

Found 1 issue this PR may fix:

1. Random breakage on WebSocket closure #17111 - Random breakage on WebSocket closure: terminate() on a connection that may still be in CONNECTING state causes a crash. This PR adds proper handling for terminate()/close() during CONNECTING state.

If this is helpful, copy the block below into the PR description to auto-close this issue on merge.

Fixes #17111

🤖 Generated with Claude Code

[claude]

Thanks for addressing both nits — the error→close ordering now matches spec/Chrome/Firefox/ws and the test timeout is gone. The change looks correct to me, but since it alters user-visible event behavior and touches the pending-activity refcounting path (and CI is currently red on build-zig/build-bun), I'd like a human to give it a final look.

Extended reasoning...

Overview

This PR fixes a leak where calling close() or terminate() on a WebSocket while readyState === CONNECTING left the socket permanently in CLOSING with m_pendingActivityCount > 0, pinning the JS wrapper as a GC root and never firing a close event. The fix extracts the duplicated CONNECTING-branch logic from close()/terminate() into a new failConnectingWebSocket() helper (WebSocket.cpp:923-972) that cancels the upgrade client, then posts a task which transitions to CLOSED, dispatches error → close (per WHATWG "fail the WebSocket connection"), and calls disablePendingActivity() to balance the ref taken in connect(). A new test file covers event ordering, close-event properties, and a 64-socket heap-stats leak check for both close() and terminate().

I previously left two inline nits on an earlier revision — (1) missing error event before close, and (2) an explicit test timeout — both of which the author has addressed and resolved. I verified the Zig-side cancel() (WebSocketUpgradeClient.zig:439-459) clears outgoing_websocket before closing the TCP socket, so no completion callback can race the posted task; the m_state == CLOSED early-return guard in the task is defensive and effectively unreachable.

Security risks

None identified. No new untrusted-input parsing, no auth/crypto/permissions surface. The error message string is a fixed literal. The change is purely internal lifecycle/event sequencing.

Level of scrutiny

Moderate-to-high. This is core C++ in the WebSocket client touching refcounting (disablePendingActivity() performs a deref()) and introducing a user-visible behavior change: code that previously saw no events when closing during CONNECTING will now receive error then close. That's spec-correct and matches browsers/npm ws, but it's the kind of observable change that benefits from a maintainer's sign-off. The postTask + Ref { *this } + disablePendingActivity() pattern mirrors the existing m_upgradeClient == nullptr failure path in connect() and the tail of didFailWithErrorCode(), which gives confidence it's idiomatic for this file.

Other factors

• CI (Build #48938) is red on build-zig / build-bun across several targets. The C++ looks syntactically consistent with surrounding code (e.g., createErrorEventInit(protectedThis, ...) matches the existing call in the connect() failure path), so the failures may be infra-related, but I can't confirm without the logs.
• New tests are well-targeted and would have caught the original leak (they time out on the unpatched build per the PR description).
• The github-actions bot suggests this may also fix #17111 (crash on terminate() during CONNECTING), which raises the value of human review to confirm that linkage.