fix(test --isolate): repoint NapiEnv at new global during swap

[robobun]

Fixes #30205 (also the remaining half of #30191).

Repro

Any test suite that loads a NAPI module under bun test --isolate (or --parallel, which implies --isolate per worker). Minimal:

# 20 files, each: require(<.node addon with deferred finalizers>), napi_wrap a batch
bun test --isolate .

Release builds segfault at 0x68/0xD0/0xE00000020; debug builds assert isMarked(cell) in JSC::Heap::addToRememberedSet. The reporter's workglow-dev/libs suite hits it on every bun run test:bun:unit (the panics are masked by retry = 1 so the exit code stays 0).

Root cause

NapiEnv::m_globalObject is a raw Zig::GlobalObject*. Zig__GlobalObject__createForTestIsolation creates a new global and gcUnprotect()s the old one, but never touches the NapiEnvs the old global created. Those envs are kept alive by NapiEnv::Ref held in queued NapiFinalizerTasks (and by weak-handle owners that fire napi_internal_enqueue_finalizer when the old graph is swept on a later GC). When the deferred finalizer runs on the event loop:

NapiFinalizerTask.runOnJSThread
  → Finalizer.run
    → NapiHandleScope.open(env, false)
      → NapiHandleScope__open(env, false)
        → NapiHandleScope::open(env->globalObject(), …)   // stale raw pointer
          → globalObject->m_currentNapiHandleScopeImpl.set(vm, globalObject, impl)
            → vm.writeBarrier(globalObject, …)
              → Heap::addToRememberedSet(globalObject)     // cell is swept → ASSERT / segfault

Every process_dlopen in the Features: line of the reporter's panics is the fingerprint.

This is distinct from #29519 / PR #29573: that DeferGC protects the new global during finishCreation; this is the old global being written to long after the swap, via a raw pointer the swap never updated.

Fix

During the swap, move oldGlobal->m_napiEnvs into the new global and set each env's m_globalObject to the new global. This is done inside the existing DeferGC scope, before gcUnprotect(oldGlobal), so the envs never observe an unprotected pointer. The new global keeps them alive and reports their pending finalizers via hasNapiFinalizers(); every env->globalObject() caller (NapiHandleScope, Finalizer.run, napi_async_work::runFromJS, ThreadSafeFunction, toJS(napi_env)) now sees a live, gcProtect()'d global.

Verification

New regression test in test/regression/issue/30205.test.ts spawns bun test --isolate over 20 files that each require the existing test/napi/napi-app/async_finalize_addon (NAPI v8, deferred finalizers) and wrap 1000 objects with Buffer ballast rooted on globalThis, under BUN_JSC_collectContinuously=1.

build	before fix	after fix
debug (ASAN)	ASSERTION FAILED: isMarked(cell) — 10/10	20 pass, 0 fail — 3/3
release (system bun)	panic: Segmentation fault at address 0x68 — 8/8	—

The reporter's sharp repro (20 files, no collectContinuously) also passes 3/3 after the fix and 3/3 under --parallel=4 --retry=1 --max-concurrency=20.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 4d436f80-2a7d-44da-affb-82197dcb65ba

📥 Commits

Reviewing files that changed from the base of the PR and between 810f6a8 and 4494b6b.

📒 Files selected for processing (1)

• test/regression/issue/30205.test.ts

---

Walkthrough

When running tests with bun test --isolate, newly created GlobalObjects now adopt existing N-API environments from the old global: each NapiEnv's m_globalObject is repointed and the container of envs is moved to the new global before the old global becomes collectable, preventing use-after-free during deferred finalizers.

Changes

N-API Environment Repointing for Test Isolation

Layer / File(s)	Summary
Public API Additions src/bun.js/bindings/napi.h, src/bun.js/bindings/ZigGlobalObject.h	Adds NapiEnv::setGlobalObject(Zig::GlobalObject*) and declares GlobalObject::adoptNapiEnvsForTestIsolation(GlobalObject* fromGlobal).
Data / State Repointing src/bun.js/bindings/ZigGlobalObject.cpp, src/bun.js/bindings/napi.h	New GlobalObject::adoptNapiEnvsForTestIsolation iterates existing NapiEnvs, asserts same VM, calls env->setGlobalObject(this), and prepares to transfer ownership of the env container.
Ownership Transfer src/bun.js/bindings/ZigGlobalObject.cpp	Moves m_napiEnvs from the source global into the new global using std::exchange, ensuring the new global becomes the owner of the N-API env collection.
Integration Point src/bun.js/bindings/ZigGlobalObject.cpp	In Zig__GlobalObject__createForTestIsolation, after gcProtect() on the newly created global, call adoptNapiEnvsForTestIsolation(oldGlobal) before the old global can be unprotected/collected.
Regression Test test/regression/issue/30205.test.ts	Adds a (Windows-skipped) regression test that builds an N-API addon and runs bun test --isolate across 20 generated test files with continuous collection enabled to assert no crashes and full pass summary.

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and specifically describes the primary change: repointing NapiEnv to the new global during test isolation swap.
Description check	✅ Passed	The PR description provides comprehensive context including root cause analysis, fix details, and verification results, exceeding the template's minimal requirements.
Linked Issues check	✅ Passed	The code changes fully address issue #30205 by preventing use-after-free crashes in NAPI environments during test isolation via repointing and moving env ownership.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to fixing the NAPI env repointing issue: bindings implementation, header declarations, and a targeted regression test.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Review rate limit: 0/5 reviews remaining, refill in 50 minutes and 14 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[robobun]

^{Updated 8:52 PM PT - May 3rd, 2026}

❌ @robobun, your commit 4494b6b has 3 failures in Build #50753 (All Failures):

• test/js/node/http/node-http-backpressure.test.ts - SIGKILL on 🐧 25.04 aarch64
• test/js/bun/test/parallel/test-http-should-emit-close-when-connection-is-aborted.ts - timeout on 🪟 2019 x64-baseline
• test/js/bun/test/parallel/test-http-should-emit-close-when-connection-is-aborted.ts - timeout on 🪟 2019 x64
• test/js/bun/test/parallel/test-http-should-emit-close-when-connection-is-aborted.ts - timeout on 🪟 11 aarch64
• test/bake/dev-and-prod.test.ts - code 1 on 🪟 2019 x64-baseline
• test/bake/dev-and-prod.test.ts - code 1 on 🪟 11 aarch64

---

🧪   To try this PR locally:

bunx bun-pr 30214

That installs a local version of the PR into your bun-30214 executable, so you can run:

bun-30214 --bun

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/bun.js/bindings/napi.h`:
- Around line 383-388: Add a guard and restrict visibility for the env
retargeting: make inline void setGlobalObject(Zig::GlobalObject* globalObject) a
non-public mutator (move it out of the public section) and inside it assert that
globalObject->vm() (or equivalent accessor) equals m_vm to enforce the invariant
that m_vm is fixed at construction; document that
GlobalObject::adoptNapiEnvsForTestIsolation() is the only intended caller so
callers must also update ownership bookkeeping when retargeting NapiEnvs.

In `@test/regression/issue/30205.test.ts`:
- Around line 80-90: Replace the current separate assertions that read
stdout/stderr then check exitCode with a single, combined assertion that awaits
stdout, stderr and proc.exited together and asserts the child result object
(including exitCode and signalCode) at once; specifically, change the
Promise.all call to collect proc.stdout.text(), proc.stderr.text(), and
proc.exited into variables (e.g. stdout, stderr, exited) and then assert an
object containing stdout, stderr, exitCode (from exited) and signalCode (from
exited) instead of asserting streams first and exitCode separately so
crashes/segfaults produce actionable diffs.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 9cf4346a-739c-43a2-9089-42c5523dfba5

📥 Commits

Reviewing files that changed from the base of the PR and between 797dee4 and 8fb346d.

📒 Files selected for processing (4)

• src/bun.js/bindings/ZigGlobalObject.cpp
• src/bun.js/bindings/ZigGlobalObject.h
• src/bun.js/bindings/napi.h
• test/regression/issue/30205.test.ts

[robobun]

Superseded by #30216, which has the same adoptNapiEnvsForTestIsolation fix plus:

• the --parallel coordinator change (no retry; fatal-signal worker crash aborts the run) that was also requested for panic during tests with parallel #30205 — without it, the retry keeps masking the panic even after the NapiEnv fix goes in, so CI stays green on a real crash
• rare_data.cleanup_hooks[*].globalThis retarget so CleanupHook.eql() doesn't compare against a dead global
• a regression test that reproduces 8/8 on unpatched main (the async_finalize_addon.create_ref() + in-test ballast pattern here returns undefined so the wrapped objects are collected during the runner's own post-test tick(), before the swap — I ran it 10× on main and couldn't get it to assert)

Happy to fold anything from here into #30216 instead if preferred.