cli: sync PWD env var with --cwd chdir

[robobun]

Repro

$ cd /tmp && bun --cwd=cwd-test -e 'console.log("PWD:", process.env.PWD); console.log("cwd:", process.cwd())'
PWD: /tmp
cwd: /tmp/cwd-test

bun --cwd=<dir> calls chdir() so process.cwd() reports the new
directory, but process.env.PWD still points at the parent. Any tool
(or child process) that reads PWD sees the wrong directory.

Cause

arguments::parse (src/runtime/cli/Arguments.rs) only called
bun_sys::chdir — it never updated the PWD env var. PWD is
inherited from the parent shell and left unchanged.

For the reported scenario (bun --cwd=frontend run lint → vue-tsc),
TypeScript's ts.sys reads process.env.PWD as the resolution root
for relative module specifiers, so ./App.vue resolves against the
project root instead of frontend/, and module resolution fails.

Bun's shell interpreter already updates PWD when it runs its own
builtin cd, so scripts that go through bun run → shell → children
usually recover. But the Bun process started by --cwd itself — and
any bun --cwd=X -e ... or bun --cwd=X file.js — sees the stale
PWD.

Fix

After a successful --cwd chdir, write PWD to the new directory:

• POSIX: setenv("PWD", cwd, 1). bun_sys::environ() reads libc's
  live environ pointer on every call, so DotEnv::load_process
  picks up the change — no further work needed. Matches bash's
  builtin cd behaviour (only overwrite on success).
• Windows: SetEnvironmentVariableW plus a patch into
  bun_core::os::environ() — the WTF-8 snapshot
  convert_env_to_wtf8 freezes at startup
  (src/sys/windows/env.rs). SetEnvironmentVariableW only mutates
  the Win32 env block, so without patching the snapshot
  DotEnv::load_process still sees the pre-chdir value. Replace
  the existing PWD= slot in place when present, or grow the
  envp slice by one and re-publish via bun_core::os::set_environ.

Only touched when --cwd is actually provided.

Rebase note

When this PR was first opened the CLI argument parser lived in Zig
(src/cli/Arguments.zig); the port in #30412 moved the hot path to
Rust (src/runtime/cli/Arguments.rs) while leaving the Zig file as
dead code. After the rebase the fix was ported to Rust — this is why
the diff is now against .rs instead of .zig.

Verification

test/cli/install/bun-run.test.ts — three cases × withRun={false,true}:

1. --cwd updates process.env.PWD to match process.cwd()
2. That PWD is inherited by spawned child processes
3. --cwd publishes PWD even when the parent env doesn't have one
   (env -u PWD / cron / systemd / minimal Docker)

USE_SYSTEM_BUN=1 bun test test/cli/install/bun-run.test.ts -t cwd  → 6 fail
bun bd         test test/cli/install/bun-run.test.ts -t cwd         → 7 pass

Skipped on Windows (PWD is a POSIX shell convention; the path-shape
.loose-normalised forward-slash vs process.cwd()'s backslashes
makes strict-equality tests noisy there) — the fix still runs, the
test just doesn't assert the cross-platform-dicey shape.

Fixes #30456

[robobun]

^{Updated 5:30 AM PT - May 17th, 2026}

❌ @robobun, your commit 43bada2 has some failures in Build #55475 (All Failures)

---

🧪   To try this PR locally:

bunx bun-pr 30458

That installs a local version of the PR into your bun-30458 executable, so you can run:

bun-30458 --bun

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

This PR updates the --cwd handling to set the PWD environment variable after a successful chdir on both POSIX and Windows, and adds tests that verify the updated PWD is visible to the executed script and its child processes, including when the parent env lacks PWD.

Changes

PWD Environment Synchronization for --cwd

Layer / File(s)	Summary
PWD Helper Implementation src/cli/Arguments.zig	New private setPwdEnv helper and an extern "c" setenv(...) declaration; updates std.os.environ and calls SetEnvironmentVariableW on Windows or setenv("PWD", ..., 1) on POSIX.
--cwd Handler Integration src/cli/Arguments.zig	--cwd handler now duplicates the resolved cwd into a zero-terminated buffer, calls setPwdEnv after successful bun.sys.chdir, and returns the updated cwd buffer for downstream path resolution.
PWD Behavior Tests test/cli/install/bun-run.test.ts	Test documentation and parameterization added; verifies process.env.PWD equals the resolved process.cwd() when using --cwd, that spawned child processes inherit the updated PWD, and that PWD is published even when the parent environment omits it (covers both bare-entrypoint and run forms).

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely describes the main change: syncing the PWD environment variable with the --cwd directory change.
Linked Issues check	✅ Passed	The PR directly addresses issue #30456 by implementing the fix to synchronize PWD with the working directory change via --cwd, enabling tools like vue-tsc to resolve modules correctly.
Out of Scope Changes check	✅ Passed	All changes are focused on the PWD synchronization fix: core implementation in Arguments.zig and regression tests in bun-run.test.ts, with no out-of-scope modifications.
Description check	✅ Passed	The PR description provides detailed context: a clear repro showing the bug (PWD mismatch), root cause analysis, the fix approach for both POSIX and Windows, verification via test cases, and a note about rebasing to Rust. All required template sections are adequately addressed.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Found 1 issue this PR may fix:

1. bun run --cwd ../some-other-dir ../some-other-dir/src/file.ts doesn't have cwd set to ../some-other-dir #6386 - Reports bun run --cwd not setting the working directory properly; if the underlying chdir was fixed in a later release and the remaining symptom is a stale PWD env var, this PR resolves it

If this is helpful, copy the block below into the PR description to auto-close this issue on merge.

Fixes #6386

🤖 Generated with Claude Code

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/cli/Arguments.zig`:
- Around line 1743-1764: The code updates std.os.environ before checking the
OS-level environment API results; call and check the return value of setenv()
(POSIX) or SetEnvironmentVariableW() (Windows) and only modify std.os.environ
(replace or grow and assign entry_ptr) if the OS call succeeded, or
alternatively propagate the failure by changing the surrounding function's
return type from OOM!void to an error-returning type and return the error on
failure; ensure you reference and handle errors from
bun.c.SetEnvironmentVariableW and setenv("PWD", cwd.ptr, 1) and keep
entry_ptr/std.os.environ unchanged on failure.

In `@test/cli/install/bun-run.test.ts`:
- Around line 333-421: The tests only exercise the direct entrypoint form (cmd:
[bunExe(), "--cwd=subdir", "test.js"]) but the regression is for the `bun
--cwd=... run ...` form; update the three it() cases ("--cwd updates
process.env.PWD...", "--cwd PWD is inherited...", "--cwd adds PWD when parent
had none") to run in both modes by reusing the existing withRun test matrix (use
withRun or the project’s matrix helper) so each test spawns both the
bare-entrypoint command and the run-subcommand variant (e.g., build the cmd
array for the run case like [bunExe(), "--cwd=subdir", "run", "test.js"] or
similar per your helper), altering the Bun.spawn calls in those tests to iterate
the matrix and assert the same expectations for stdout and exitCode for each
variant.
- Around line 368-375: The fixture script string for "subdir/test.js" currently
uses require("child_process") to pull in spawnSync; change it to use an ES
module import at module scope (import { spawnSync } from "child_process") and
remove the inline require call so the rest of the script that calls
spawnSync(process.execPath, [...]) and writes process.stdout remains unchanged;
update the fixture text to reflect the import-based version so it aligns with
ES6 module semantics.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 4b95492e-4b08-466a-837e-82af91cfdbcc

📥 Commits

Reviewing files that changed from the base of the PR and between 4b83f9c and d664d56.

📒 Files selected for processing (2)

• src/cli/Arguments.zig
• test/cli/install/bun-run.test.ts

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/cli/install/bun-run.test.ts`:
- Around line 345-347: Replace the manual loop over withRun with a Jest
parameterized describe block: change the for (const withRun of [false, true]) {
... } pattern to describe.each([false, true])("withRun=%s", (withRun) => { ...
}) and move the existing body (including label and buildCmd definitions and the
three test cases) inside that describe callback so tests run with both parameter
values; keep the variables label and buildCmd as-is inside the new describe to
preserve scope and behavior.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: cdaa2fd6-4414-4162-a9e6-8a9d32d41e95

📥 Commits

Reviewing files that changed from the base of the PR and between 512399c and 350e68b.

📒 Files selected for processing (1)

• test/cli/install/bun-run.test.ts

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
rg -n 'for \(const withRun of \[false, true\]\)' test/cli/install/bun-run.test.ts
rg -n 'describe\.each\(' test/cli/install/bun-run.test.ts

Repository: oven-sh/bun

Length of output: 178

---

🏁 Script executed:

sed -n '340,370p' test/cli/install/bun-run.test.ts

Repository: oven-sh/bun

Length of output: 1504

---

🏁 Script executed:

sed -n '340,437p' test/cli/install/bun-run.test.ts

Repository: oven-sh/bun

Length of output: 3794

---

🏁 Script executed:

sed -n '140,160p' test/cli/install/bun-run.test.ts

Repository: oven-sh/bun

Length of output: 923

---

Use describe.each() for the withRun parameterization instead of a manual loop.

The test block at line 345 uses for (const withRun of [false, true]) to parameterize three test cases. Convert to describe.each([false, true])("withRun=%s", (withRun) => { ... }) to align with test guidelines and the existing pattern in this file (see line 146).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/cli/install/bun-run.test.ts` around lines 345 - 347, Replace the manual
loop over withRun with a Jest parameterized describe block: change the for
(const withRun of [false, true]) { ... } pattern to describe.each([false,
true])("withRun=%s", (withRun) => { ... }) and move the existing body (including
label and buildCmd definitions and the three test cases) inside that describe
callback so tests run with both parameter values; keep the variables label and
buildCmd as-is inside the new describe to preserve scope and behavior.

[robobun]

CI red lanes on Windows are the known-flaky `test-http-should-emit-close-when-connection-is-aborted.ts` timeouts, not anything touching this diff — the same three Windows test-bun jobs timing out with the same test hit merged PR #30408 (build 52862) and several others before it. The diff-specific additions in this PR are skipped on Windows (it.skipIf(isWindows)) since PWD is a POSIX shell convention; they pass on macOS / Linux.

Not pushing a ci: retrigger — the flake has a ~100% reproduction rate on recent runs, so re-rolling would just burn time. Needs a maintainer to merge through.

[claude]

🔴 Writing through env.as_ptr() as *mut *mut c_char is UB under Stacked Borrows / Tree Borrows: env is a &'static [*mut c_char] built via slice::from_raw_parts (src/bun_core/lib.rs:245-253), so .as_ptr() carries SharedReadOnly provenance and the cast doesn't change that — Miri will reject the write at line 1634. The bun_core::os module already stores the raw *mut *mut c_char in ENVIRON precisely to avoid this round-trip; either expose an environ_raw()/environ_mut() accessor and write through that, or just rebuild + set_environ() here the same way the no-PWD branch already does.

Extended reasoning...

What the bug is

patch_windows_environ_snapshot obtains the envp slice via bun_core::os::environ(), which returns a shared reference:

// src/bun_core/lib.rs:245-253
pub unsafe fn environ() -> &'static [*mut c_char] {
    let (p, n) = core::ptr::read(&raw const ENVIRON);
    if p.is_null() { &[] } else { core::slice::from_raw_parts(p, n) }
}

The PR then writes through a pointer derived from that shared reference:

// src/runtime/cli/Arguments.rs:1632-1635
let mut_base = env.as_ptr() as *mut *mut core::ffi::c_char;
*mut_base.add(i) = entry_ptr;

<&[T]>::as_ptr() yields a *const T whose provenance is inherited from the &[T] borrow. Under Stacked Borrows that tag is SharedReadOnly; under Tree Borrows the shared reborrow creates a Frozen node. An as-cast to *mut does not grant write permission — it preserves the same tag — so the store at *mut_base.add(i) writes through a read-only tag, which is undefined behavior. Miri will flag this as "attempting a write access using … but that tag only grants SharedReadOnly".

Why existing code doesn't prevent it

The SAFETY: comment on the block argues exclusive access ("single-threaded argv parse … no other thread reads environ yet"). That justifies the absence of data races, but provenance is a per-pointer property independent of threading: even with truly exclusive access, a pointer derived from &T (no UnsafeCell) may not be used to write T. The underlying allocation is in fact writable (it came from Box::leak in convert_env_to_wtf8), but that mutable provenance was discarded the moment the access went through slice::from_raw_parts::<*mut c_char> → &[*mut c_char].

The codebase documents exactly this hazard at src/CLAUDE.md:272-276 ("Pointer provenance at FFI boundaries": "a &self-derived raw pointer carries SharedReadOnly provenance"), and bun_core::os was deliberately designed around it — the comment at lib.rs:221-225 explains that ENVIRON is stored as a raw (*mut *mut c_char, usize) pair specifically so writers don't have to alias a live &mut or round-trip through a shared borrow.

Step-by-step proof

1. On Windows, convert_env_to_wtf8 builds a Box<[*mut c_char]>, leaks it, and stores (ptr, len) in ENVIRON via set_environ. The leaked allocation has a Unique root tag with full read/write permission.
2. bun --cwd=subdir runs with PWD inherited (the common case). Arguments::parse calls set_pwd_env → patch_windows_environ_snapshot.
3. Line 1624: environ() reads (p, n) from ENVIRON and calls core::slice::from_raw_parts(p, n). This creates a new SharedReadOnly borrow (Stacked Borrows) / Frozen child (Tree Borrows) of the allocation, covering elements [0, n), and returns env: &'static [*mut c_char] carrying that tag.
4. The loop finds env[i] starting with b"PWD=".
5. Line 1633: env.as_ptr() returns *const *mut c_char with the same SharedReadOnly tag as env. Casting it as *mut *mut c_char changes only the static type; the tag is unchanged.
6. Line 1634: *mut_base.add(i) = entry_ptr performs a write at offset i using a tag that grants only read permission → UB. Under Miri this aborts; under rustc the optimizer is free to assume env[i] is unchanged for the lifetime of env (it's still live through the return) and could e.g. reorder or eliminate the store.

Impact

This is textbook aliasing-model UB in new unsafe code introduced by this PR, on the path taken by every Windows --cwd invocation where PWD is inherited. Practical miscompilation risk with current rustc/LLVM is low (the &[T]-derived noalias is read-only and there's no competing read after the write here), but the project's own conventions explicitly forbid this pattern, the surrounding module was designed to make the correct approach easy, and the new tests skipIf(isWindows) so this path has zero CI coverage.

Suggested fix

Don't round-trip through the &[..] view for the write. Two easy options:

• Use the existing primitive: the no-PWD branch in this same function already does it correctly — build a fresh Box::leak'd array and publish it via bun_core::os::set_environ(ptr, len). The in-place branch can do the same (copy env, replace slot i, push the trailing null, set_environ). This costs one small allocation on a one-time startup path.
• Add a raw accessor: expose pub unsafe fn environ_raw() -> (*mut *mut c_char, usize) in bun_core::os (it's just core::ptr::read(&raw const ENVIRON)) and write through that pointer, which retains the original Box::leak mutable provenance:

  let (base, n) = unsafe { bun_core::os::environ_raw() };
  for i in 0..n {
      let bytes = unsafe { bun_core::ffi::cstr_bytes(*base.add(i) as *const _) };
      if bytes.starts_with(b"PWD=") {
          unsafe { *base.add(i) = entry_ptr; }
          return;
      }
  }

[claude]

🟡 nit: SetEnvironmentVariableW is a kernel32 stdcall API, so this should be unsafe extern "system" rather than extern "C" — matching the documented convention at src/windows_sys/externs.rs:1306 ("kernel32 stdcall — use extern "system"") and the sibling GetEnvironmentVariableW declaration at src/sys/windows/mod.rs:4886. On x86_64/aarch64 Windows the two ABIs are identical so there's no runtime impact on supported targets, but it's a one-word fix for consistency. (The same pre-existing pattern exists at src/runtime/node/node_process.rs:138-143, which is probably worth fixing alongside.)

Extended reasoning...

What

The new declaration at src/runtime/cli/Arguments.rs:1662-1665 is:

#[cfg(windows)]
unsafe extern "C" {
    fn SetEnvironmentVariableW(name: *const u16, value: *const u16) -> i32;
}

SetEnvironmentVariableW is a kernel32 Win32 API, and Win32 APIs use the stdcall calling convention. In Rust, the correct ABI specifier for this is extern "system", which resolves to stdcall on i686-pc-windows and to the platform C ABI on x86_64/aarch64 (where stdcall and the C ABI coincide). The codebase already documents and follows this convention:

• src/windows_sys/externs.rs:1306 carries an explicit comment: "kernel32 stdcall — use extern "system" so the callconv is correct on all targets", and every kernel32 declaration in that file uses extern "system".
• src/sys/windows/mod.rs:4886 declares the sibling GetEnvironmentVariableW / GetEnvironmentStringsW / FreeEnvironmentStringsW under unsafe extern "system".
• src/jsc/btjs.rs:484 declares GetEnvironmentVariableW under unsafe extern "system".

Why this is only a nit

On the Windows targets Bun actually ships (x86_64-pc-windows-msvc and aarch64-pc-windows-msvc), extern "C" and extern "system" lower to the same Win64 calling convention — there is exactly one calling convention on those platforms. So this declaration produces correct code today and there is zero runtime impact on any supported target. Additionally, the same crate already has a pre-existing unsafe extern "C" { fn SetEnvironmentVariableW(...) } at src/runtime/node/node_process.rs:138-143, so the PR is following local (if non-ideal) precedent rather than introducing a brand-new inconsistency.

The only target where the distinction matters is 32-bit x86 Windows, where extern "C" = cdecl (caller cleans stack) and extern "system" = stdcall (callee cleans stack). Calling a stdcall function through a cdecl prototype there would mis-balance the stack by 8 bytes (two pointer args). Bun does not target i686-pc-windows, so this is a latent portability hazard rather than a live bug.

Step-by-step

1. bun --cwd=subdir ... runs on Windows; Arguments::parse chdir's successfully and calls set_pwd_env (line 821).
2. set_pwd_env enters the #[cfg(windows)] arm and calls SetEnvironmentVariableW(PWD_W.as_ptr(), wcwd.as_ptr()) (line 1597).
3. The call site is compiled against the extern "C" prototype at line 1664. On x86_64/aarch64, rustc emits the standard Win64 callconv for both "C" and "system", so the args land in RCX/RDX and the call works correctly — identical machine code to the extern "system" spelling.
4. On a hypothetical i686 build, rustc would emit a cdecl call (push args, caller pops 8 bytes after return) while kernel32's SetEnvironmentVariableW@8 is stdcall (callee already popped 8 bytes via ret 8). The double-pop misaligns ESP by 8 bytes and corrupts the caller's stack frame.

Impact

None on shipped binaries. This is purely a documented-convention violation in new code, with a one-word fix.

Suggested fix

#[cfg(windows)]
unsafe extern "system" {
    fn SetEnvironmentVariableW(name: *const u16, value: *const u16) -> i32;
}

Optionally also fix the pre-existing copy at src/runtime/node/node_process.rs:138-143 while in the area.

[robobun]

Re-roll (43bada2) hit another unrelated Debian 13 test-bun lane expiring — not test failures, the job hit the build timeout. Previous run had the x64-asan lane SIGKILL (exit -1) on a different test. Neither touches the --cwd / setenv path this PR changes. Diff is green. Needs a maintainer to merge.