module-loader: narrow TLA re-entrancy skip to dynamic-import initiator (#30651)

[robobun]

Fixes #30651. Supersedes #30639 — that PR drops the re-entrancy skip entirely, which regresses the Nitro self-deadlock tests (marked .todo there). This PR keeps both the deadlock avoidance and the new TDZ fix working.

Paired with oven-sh/WebKit#230; WEBKIT_VERSION points at its preview build.

Repro

// driver.mjs
const p1 = import("./entry1.mjs");
await new Promise(r => setTimeout(r, 10));
const p2 = import("./entry2.mjs");
await Promise.all([p1, p2]);

// entry1.mjs  +  entry2.mjs (each)
import { foo } from "./tla.mjs";
console.log(foo);

// tla.mjs
await new Promise(r => setTimeout(r, 100));
export const foo = 123;

On 1.3.14-canary.1+314ffe307 entry2 throws ReferenceError: Cannot access 'foo' before initialization; Node runs it correctly. User-reported variant: @lexical/react 0.44+ (#30634) and node-llama-cpp (#30651).

Cause

Same TDZ hole as #30259, but reached across two separate dynamic imports rather than static siblings inside one Evaluate(). The #30262 fix added three conditions to the Bun-specific re-entrancy skip at AbstractModuleRecord::innerModuleEvaluation 11.c.v:

• depWasAlreadyEvaluatingAsync
• asyncEvaluationOrder < asyncOrderWatermark
• pendingAsyncDependencies == 0

All three fire identically for the Nitro self-deadlock (skip needed — waiting would deadlock the import's own continuation) and the cross-Evaluate() parallel-dynamic-import bug (skip wrong — the spec wait is what we want; the dep's await is independent of our evaluation). The watermark check was designed for same-Evaluate() re-entrancy; it can't distinguish cross-Evaluate() cases where each dynamic import gets a fresh watermark.

Fix

Add a fourth discriminator: dep == dynamic-import-initiator. The initiator is the CyclicModuleRecord whose JS body is awaiting the current import's result. Only skip if the dep is that module.

• Nitro deadlock: target statically re-imports the initiator → match → still skip (back-compat preserved).
• Parallel dynamic imports: dep and initiator are unrelated modules → no match → spec wait fires → importer correctly blocks until the TLA dep settles post-await.

Plumbing (all #if USE(BUN_JSC_ADDITIONS)-gated; non-Bun JSC builds unchanged):

1. JSModuleLoader::requestImportModule resolves the referrer URL to a CyclicModuleRecord via the module registry.
2. loadModule (dynamic overload) stashes it on the freshly-created ModuleLoadingContext.
3. moduleLoadTopSettled copies it onto the ModuleLoaderPayload that outlives the context through the dynamic-import pipeline.
4. dynamicImportLoadSettled pushes it onto VM::m_modulesAwaitingDynamicImport (a HashCountedSet) immediately before the target's evaluate() call, and pops after.
5. innerModuleEvaluation 11.c.v reads vm.isModuleAwaitingDynamicImport(cyclic) as the fourth condition alongside the existing three.

The bun-side change (ZigGlobalObject::moduleLoaderImportModule) passes the sourceOrigin URL (converted to a file-system path, matching the module registry's key format) as the referrer to JSC::importModule. Previously we passed an empty Identifier, so the initiator was never resolvable.

Tests

test/js/bun/resolve/dynamic-import-tla-cycle.test.ts:

• NEW: parallel dynamic imports of the same TLA dep wait instead of running against TDZ bindings — fails on main, passes here.
• Existing dynamic import inside TLA whose target imports the awaiter back does not deadlock — still passes (Nitro back-compat preserved).
• Existing dynamic import inside TLA of a non-entry module whose target imports it back does not deadlock — still passes.
• Existing three static-sibling tests from Fix TLA sibling import running before shared dep settles (#30259) #30262 — still pass.

Rebase notes

This PR tracks a paired WebKit preview (oven-sh/WebKit#230), so WEBKIT_VERSION has to be re-pinned whenever main bumps WebKit. Most rebases only conflict on that one constant. The rebase onto the upstream WebKit 24362e675175 bump (oven-sh/WebKit#251) was the one non-trivial case: upstream dropped the JSGlobalObject* parameter from JSPromise::performPromiseThenWithInternalMicrotask. The two JSC commits were cherry-picked onto the new WebKit main with one manual resolution in JSModuleLoader.cpp::continueDynamicImport — kept the #if USE(BUN_JSC_ADDITIONS) routing via dynamicPayload (needed so dynamicImportLoadSettled can recover the initiator) while adopting the new no-globalObject signature. Everything else auto-merged.

[robobun]

^{Updated 4:22 PM PT - Jun 16th, 2026}

❌ @robobun, your commit 0302850 has 1 failures in Build #62990 (All Failures):

• Failed to create agent for 🐧 aarch64-musl - build-rust
• Failed to create agent for 🍎 x64 - build-rust
• Failed to create agent for 🪟 x64 - build-cpp
• Failed to create agent for 🐧 aarch64 - build-cpp
• Failed to create agent for 🐧 x64-android - build-rust
• Failed to create agent for 🐧 x64-asan - build-cpp
• Failed to create agent for 🐧 x64-android - build-cpp
• Failed to create agent for 🐧 x64 - build-cpp
• Failed to create agent for 🐧 x64-musl-baseline - build-cpp
• Failed to create agent for :freebsd: x64 - build-cpp
• Failed to create agent for 🐧 x64-musl - build-rust
• Failed to create agent for 🪟 x64 - build-rust
• Failed to create agent for 🐧 x64 - build-rust
• Failed to create agent for :freebsd: aarch64 - build-rust
• Failed to create agent for 🐧 x64-baseline - build-cpp
• Failed to create agent for 🍎 aarch64 - build-rust
• Failed to create agent for 🪟 aarch64 - build-cpp
• Failed to create agent for 🍎 aarch64 - build-cpp
• Failed to create agent for 🐧 x64-musl - build-cpp
• Failed to create agent for 🐧 aarch64 - build-rust
• Failed to create agent for 🪟 x64-baseline - build-rust
• Failed to create agent for 🐧 aarch64-musl - build-cpp
• Failed to create agent for :freebsd: x64 - build-rust
• Failed to create agent for 🐧 aarch64-android - build-cpp
• Failed to create agent for 🪟 aarch64 - build-rust
• Failed to create agent for :freebsd: aarch64 - build-cpp
• Failed to create agent for 🐧 x64-asan - build-rust
• Failed to create agent for 🐧 x64-musl-baseline - build-rust
• Failed to create agent for 🐧 x64-baseline - build-rust
• Failed to create agent for 🪟 x64-baseline - build-cpp
• Failed to create agent for 🐧 aarch64-android - build-rust
• Failed to create agent for 🍎 x64 - build-cpp
• Failed to create agent for 📦 binary-size

---

🧪   To try this PR locally:

bunx bun-pr 30656

That installs a local version of the PR into your bun-30656 executable, so you can run:

bun-30656 --bun

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Pass a computed non-empty referrer key from moduleLoaderImportModule into JSC::importModule so the import registry can coordinate parallel dynamic imports of the same top-level-await module; add a regression test reproducing the parallel TLA import case; update the WebKit prebuilt identifier; add missing include.

Changes

Module Import and Build Changes

Layer / File(s)	Summary
Module import referrer tracking src/jsc/bindings/ZigGlobalObject.cpp, test/js/bun/resolve/dynamic-import-tla-cycle.test.ts	moduleLoaderImportModule now computes a non-empty referrerKey from sourceOrigin.url() and passes it to JSC::importModule instead of an empty JSC::Identifier(). Adds a test that spawns two staggered parallel dynamic imports sharing a TLA dependency and asserts both entries receive foo = 123, with empty stderr and exit code 0.
Add assert include in WTF bindings src/jsc/bindings/wtf-bindings.cpp	Adds #include <cassert> so assert(...) is available for the file’s terminal/raw-mode helper code path.
WebKit prebuilt version update scripts/build/deps/webkit.ts	The exported WEBKIT_VERSION constant was changed to autobuild-preview-pr-230-783ba19a, updating the prebuilt WebKit release tag selection used by build scripts.

• Possibly related PRs:
  • oven-sh/bun#29770: Adds/updates dynamic-import/TLA cycle tests related to module-loader async sibling-import behavior.

🚥 Pre-merge checks | ✅ 3 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The PR description includes detailed technical context but lacks explicit sections matching the repository's template (What does this PR do? and How did you verify your code works?).	Restructure the description to explicitly include the two required template sections: a concise 'What does this PR do?' summary and a 'How did you verify your code works?' section documenting test results.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and specifically describes the main change: narrowing TLA re-entrancy skip to only the dynamic-import initiator, with the issue number reference.
Linked Issues check	✅ Passed	The PR's code changes directly implement the necessary fixes for #30651: restore TDZ-safe semantics for parallel dynamic imports while preserving Bun's deadlock avoidance via the new dynamic-import initiator discriminator.
Out of Scope Changes check	✅ Passed	All changes are scoped to the TLA re-entrancy issue: WebKit version bump for paired PR, module loader referrer resolution, TLA cycle test addition, and cassert include—no extraneous changes present.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/js/bun/resolve/dynamic-import-tla-cycle.test.ts`:
- Around line 176-190: Replace the timer-based coordination with a deterministic
promise gate: in tla.mjs export a "entered" promise (and a resolver, e.g.,
enterResolve) that is resolved as soon as tla.mjs begins execution, and remove
the await new Promise(setTimeout...) there; in the test/driver where p1 and p2
are created (the code that does import("./entry1.mjs") and
import("./entry2.mjs")), await the exported entered promise from tla.mjs after
starting p1 and before starting p2 so the second import only begins once tla.mjs
has entered; reference the module symbol names (tla.mjs exported
entered/enterResolve, p1/p2, import("./entry2.mjs"), entry1.mjs/entry2.mjs) to
locate and update the code.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: bfb5d0bf-d81b-4707-bc3a-4963f93e7039

📥 Commits

Reviewing files that changed from the base of the PR and between b8ecc78 and 1f04780.

📒 Files selected for processing (3)

• scripts/build/deps/webkit.ts
• src/jsc/bindings/ZigGlobalObject.cpp
• test/js/bun/resolve/dynamic-import-tla-cycle.test.ts

[github-actions]

Found 1 issue this PR may fix:

1. Dynamic Import fails when multiple Vite plugins import same file #22367 - Parallel dynamic imports of the same file (from multiple Vite plugins) produce ReferenceError: Cannot access 'default' before initialization, matching the exact bug pattern this PR fixes

If this is helpful, copy the block below into the PR description to auto-close this issue on merge.

Fixes #22367

🤖 Generated with Claude Code

[github-actions]

This PR may be a duplicate of:

1. Fix TLA sibling dynamic-import TDZ regression (#30634) #30639 - Fixes the same TLA sibling dynamic-import TDZ regression ([1.3.14] ESM TDZ error when importing Lexical React modules that re-export through top-level await #30634), touching the same files (ZigGlobalObject.cpp, webkit.ts, dynamic-import-tla-cycle test); PR module-loader: narrow TLA re-entrancy skip to dynamic-import initiator (#30651) #30656 explicitly supersedes this one

🤖 Generated with Claude Code

[claude]

I didn't find any bugs, but this changes dynamic-import referrer plumbing in the core module loader and pins WEBKIT_VERSION to a preview build of an unmerged WebKit PR (oven-sh/WebKit#230) — worth a human look, and the version pin presumably needs to move to a real commit hash once #230 lands.

Extended reasoning...

Overview

This PR narrows Bun's TLA re-entrancy skip in innerModuleEvaluation to only fire when the EvaluatingAsync dependency is the dynamic-import initiator module, fixing a TDZ bug where parallel dynamic imports sharing a suspended TLA dep ran the second importer too early. The Bun-side diff is small — ZigGlobalObject::moduleLoaderImportModule now derives a registry key from sourceOrigin (file-system path for file://, stripped prefix for builtin://, raw string otherwise) and passes it as the referrer to JSC::importModule instead of an empty Identifier. A regression test is added in dynamic-import-tla-cycle.test.ts, and WEBKIT_VERSION is bumped to autobuild-preview-pr-230-6f24f5f7.

Security risks

None apparent. The referrer key is derived from the already-trusted sourceOrigin of the calling module and is used only for a registry lookup inside JSC; it doesn't flow into resolution, file-system access, or anything user-observable.

Level of scrutiny

High. Module evaluation ordering / TLA / cycle handling is one of the most subtle areas in the runtime, with a recent history of regressions (#30259, #30262, #30639, #30651). The actual semantic change lives in oven-sh/WebKit#230 and isn't visible in this diff, so a reviewer needs to evaluate both PRs together. Additionally, every dynamic import() in Bun now passes a non-empty referrer where it previously passed empty — even though the WebKit side only uses it for the new initiator lookup, that's a behavior change on a very hot path that deserves human eyes.

Other factors

• WEBKIT_VERSION is set to a preview tag of an unmerged PR rather than a merged commit hash. That's fine for CI validation but presumably shouldn't land on main as-is — someone should confirm the intended sequencing (merge WebKit#230 → repoint to the real autobuild hash → merge this).
• Test coverage is good: the new parallel-dynamic-import test plus the five existing tests in the same file cover both the Nitro self-deadlock back-compat and the new TDZ case.
• The referrer-key derivation mirrors the existing resolve() path per the comment, but I didn't independently verify it matches every key format the registry uses (e.g. data URLs, virtual modules from plugins) — a mismatch would just mean the initiator isn't found and the skip stays disabled, which is the safe direction, but worth a glance.

[robobun]

Build-cpp failures on darwin-aarch64, darwin-x64, and windows-aarch64 are the WebKit preview-tarball-timing thing — WEBKIT_VERSION points at autobuild-preview-pr-230-298067bc and oven-sh/WebKit#230's build is still in_progress across all 39 lanes (started 03:04 UTC, ~30-45min per lane). Once the preview tarball publishes for each platform, bun CI can fetch and link. Same coordination pattern as #30639 → WebKit#228 → #30262 → WebKit#215.

Diff itself is green: all 6 tests in dynamic-import-tla-cycle.test.ts pass locally; under partial revert (src/ stashed while vendor/WebKit stays patched) the Nitro deadlock tests stay green too, thanks to VM::hasPendingDynamicImport() gating in the latest WebKit push.

[robobun]

WebKit PR #230's CI at 38/41 completed — new preview tarball autobuild-preview-pr-230-298067bc should publish in ~10min (typical gap between last build and release-publish step). A maintainer can retry Buildkite #54170 once that release lists its Linux/macOS/Windows assets. The diff itself is green — all 6 TLA tests pass locally with-fix, and under partial revert the existing Nitro deadlock tests still pass thanks to the VM::hasPendingDynamicImport() gate.

Handing off to a maintainer: all red lanes are *-build-cpp, same WebKit-tarball-404 pattern that blocks every cross-repo-coordinated PR on first push (see #30639/WebKit#228, #30262/WebKit#215). Not pushing another commit — CI will go green on the next build once WebKit publishes.

[robobun]

Current CI state at build #54351: WebKit preview tarball published (builds pass), but 8 lanes fail:

Unrelated to this diff:

• fetch-tcp-keepalive.test.ts fails on ~10 lanes (alpine/debian/ubuntu/darwin/windows). New test from http: enable TCP keepalive on fetch sockets #30627, reads /proc/<pid>/net/tcp — nothing to do with TLA module loading. PR Fix TLA sibling dynamic-import TDZ regression (#30634) #30639 shows the same failure pattern.
• package-binary-size — binary-size regression threshold, unaffected by the src change.

Possibly related to my WebKit preview build:

• linux-x64-baseline-verify-baseline: reports llint_op_enter_wide32 [RDPMC] (1 insns). Ran the verifier against the bun-webkit-linux-amd64-baseline.tar.gz from module-loader: narrow TLA re-entrancy skip to dynamic-import initiator WebKit#230 preview locally — no RDPMC found in the jsc binary itself. Suggests the violation is in how bun links the WebKit baseline .a into its bun-baseline binary (emitted from LLInt asm + bun-side linker config), not in WebKit's emitted .o files. Same WebKit PR builds that pass baseline-verify on Fix TLA sibling dynamic-import TDZ regression (#30634) #30639 suggest my WebKit preview shouldn't be categorically broken; reproducing needs the full bun baseline build.

Still handing off to a maintainer — the diff itself is green (6/6 TLA tests pass locally, gate-equivalent confirms without-fix fails with 1 expected failure, with-fix passes 6/6). The baseline-verify lane may need either (a) a merged WebKit#230 that triggers a fresh prebuilt, or (b) an allowlist entry, or (c) re-verification under the maintainer's release-build toolchain. Not pushing code — I've exhausted what I can diagnose from here.

[robobun]

Issue #30949 is the same bug reached via the Payload CMS @payloadcms/richtext-lexical barrel (which pulls @lexical/react + lexical). Reporter's diagnosis (no TLA in the graph) was based on the "module" entry; the "exports" map's node condition actually routes to Lexical.node.mjs, which is the TLA wrapper this PR fixes.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/build/deps/webkit.ts`:
- Line 6: The WEBKIT_VERSION constant was set to a non-existent preview tag
which will break downloads; update the value or guard its use: either revert
WEBKIT_VERSION back to a published release tag (replace the string in the
WEBKIT_VERSION export) or add a runtime fallback/validation before download that
checks the GitHub release exists and refuses to proceed (or uses an alternate
known-good tag) so code that references WEBKIT_VERSION (export const
WEBKIT_VERSION) will not attempt to download from a missing release.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: d6850955-7744-4aee-bbb7-6c86b7c3595c

📥 Commits

Reviewing files that changed from the base of the PR and between 69d60ca and b71d858.

📒 Files selected for processing (1)

• scripts/build/deps/webkit.ts

[robobun]

Build #55708 fails on build-cpp across all platforms — same WebKit-preview-tarball-timing pattern as before. oven-sh/WebKit#230's CI is 41/42 complete, the final Build / release step (which publishes the tarballs) is still IN_PROGRESS (~10min ETA). Once it publishes autobuild-preview-pr-230-783ba19a, a maintainer can retry this build. Diff itself is still green: all 6 TLA tests pass locally, gate-sim confirms without-fix fails correctly and with-fix passes. Not pushing again.

[claude]

🔴 The new dep == initiator discriminator only matches the immediate dynamic-import initiator, so a depth-2 chain (M awaits import(T); T awaits import(U); U statically imports M) now deadlocks where pre-PR it did not — when U's DFS visits M, m_modulesAwaitingDynamicImport = {T} (M was popped when T.evaluate() returned), so condition 4 fails and U takes the spec wait, closing a wait-cycle. Both existing Nitro tests are depth-1 (chunk re-imports its own initiator), so this isn't covered; worth adding a 3-module M→T→U→M test to dynamic-import-tla-cycle.test.ts, and on the WebKit side either keeping the initiator pushed until its import promise settles or walking the pending chain transitively.

Extended reasoning...

What this is

The PR narrows the #30262 deadlock-avoidance skip at innerModuleEvaluation 11.c.v by adding a fourth condition: vm.isModuleAwaitingDynamicImport(dep). Per the PR description, m_modulesAwaitingDynamicImport is a HashCountedSet that dynamicImportLoadSettled pushes the initiator onto immediately before the target's evaluate() call, and pops after — i.e. a synchronous bracket around evaluate(). That means the set only ever contains the immediate initiator during its target's DFS; ancestors further up a dynamic-import chain have already been popped by the time a grand-child's evaluate() runs.

The depth-1 Nitro shape (entry awaits import(chunk); chunk statically imports entry back) still works because the chunk's back-edge target is its immediate initiator. But the depth-2 generalisation — entry → await import(T) → await import(U) → static import {x} from entry — now deadlocks, where pre-PR it completed.

Step-by-step proof

// M.mjs (entry)
export const x = 1;
await import('./T.mjs');

// T.mjs
await import('./U.mjs');

// U.mjs
import { x } from './M.mjs';
console.log(x);

1. M.evaluate(): body runs, x=1, hits await import(T) → M is EvaluatingAsync, pendingAsyncDependencies==0. moduleLoaderImportModule is called with sourceOrigin = M, so the new bun-side code at lines 3533–3545 computes referrerKey = M's file-system path.
2. T's load settles. dynamicImportLoadSettled pushes M onto m_modulesAwaitingDynamicImport (set = {M}), calls T.evaluate().
3. T has no static deps; T's body runs, hits await import(U) → T is EvaluatingAsync. moduleLoaderImportModule called with sourceOrigin = T, referrerKey = T.
4. T.evaluate() returns synchronously (DFS done, body suspended). M is popped (set = {}). M's await import(T) is still pending — p_T resolves only when T reaches Evaluated.
5. U's load settles (later macrotask, after async file I/O). dynamicImportLoadSettled pushes T (set = {T}), calls U.evaluate().
6. U's DFS visits M. The four conditions at 11.c.v:
   • (1) depWasAlreadyEvaluatingAsync — M was EvaluatingAsync before this pass ✓
   • (2) M.asyncEvaluationOrder < U's watermark — M's order assigned two Evaluate() passes earlier ✓
   • (3) M.pendingAsyncDependencies == 0 — M has no static async deps ✓
   • (4) vm.isModuleAwaitingDynamicImport(M) — set = {T}, M ∉ set → false ✗
7. Condition 4 fails → take the spec wait. U.pendingAsyncDependencies = 1, U registered as M's asyncParentModule.

Result: U waits on M; M's body is suspended on p_T; p_T resolves when T → Evaluated; T's body is suspended on p_U; p_U resolves when U → Evaluated; U waits on M. Cycle = deadlock.

Pre-PR: conditions (1)(2)(3) all hold for M at step 6, so the skip fires. U's body runs immediately, reads x=1, U → Evaluated, T resumes, M resumes. Works.

Why existing code doesn't prevent it

The VM::hasPendingDynamicImport() coarse fallback (per robobun's partial-revert observation and the existing claude[bot] review at line 3545) only fires when the initiator is unknown — empty referrer / registry-lookup miss. It cannot be an unconditional disjunct, because in the #30651 repro p1 = import(entry1) is still in flight when entry2.evaluate() visits tla.mjs; an unconditional fallback would re-break the very test this PR adds. Here U's initiator is known (T is file-backed, referrerKey non-empty after this PR's bun-side change), so the precise check is used and misses M.

Both existing Nitro tests ("dynamic import inside TLA whose target imports the awaiter back" and the non-entry variant) are depth-1: the chunk directly re-imports its own initiator, so dep == initiator holds trivially. There is no test where the back-edge target is two or more dynamic-import hops above.

Impact

This is a behavioral regression in Bun's deliberate divergence from spec for the Nitro self-deadlock class — depth-1 working while depth-2 hangs is an inconsistent surprise. Nested code-splitting (entry → lazy chunk → sub-chunk that imports a shared util from the entry) is a realistic Rollup/Nitro output shape, exactly the chunk-splitting pattern that produced the original Nitro deadlock just one level deeper. Node also deadlocks here (it's a spec deadlock), but Bun explicitly chose to break the cycle for this class per the test file's own header comment.

Caveat: I cannot directly inspect oven-sh/WebKit#230's source (vendor/WebKit not checked out here), so this rests on the PR description's stated push/pop semantics — but those are specific, internally consistent, and corroborated by the review thread.

Suggested fix

WebKit-side, either (a) keep the initiator pushed until its dynamic-import promise settles (not just until evaluate() returns), so the set accumulates the whole pending dynamic-import chain; or (b) check transitively — if dep ∉ set but dep is suspended at an await import whose target's initiator chain leads back into the set. At minimum, add a depth-2 regression test (the 3-module M→T→U→M chain above) to dynamic-import-tla-cycle.test.ts to pin behavior — it would either confirm the regression or document that the actual implementation handles it.

[robobun]

The trace is correct — pushing the initiator only around evaluate() leaves the depth-2 chain (M → T → U → M static) and the depth-1 criss-cross variant (midA/midB awaiting swapped chunks that back-edge into each other, see the follow-up thread below) regressing relative to pre-PR behavior.

Deliberately out of scope for this PR. The ask here is narrow: stop the #30651 TDZ read for parallel dynamic imports of a shared TLA dep (Vite / Nitro / Payload users hit this), without reopening the Nitro self-deadlock #30262 fixed. The four-condition discriminator does exactly that: the reported repro now waits, the existing Nitro depth-1 tests still skip.

The cases you describe — depth-≥2 chains and criss-cross sibling back-edges — are spec deadlocks everywhere except Bun (Node deadlocks them too, per the test file's own header note about our deliberate divergence). They're also not drawn from the user reports driving this PR. Closing them properly takes a larger WebKit-side change (tracking the full set of EvaluatingAsync modules with outstanding dynamic-import promises, keyed off execution context rather than lexical sourceOrigin) that I'd rather do as a follow-up with its own test matrix.

For now: added the 3-module M→T→U→M chain and the 5-module criss-cross to my local todo for the follow-up, linked from a tracking issue once the main fix lands. Happy to pin them as .skip-d fixtures in this PR if that helps — LMK.

[claude]

Scoping makes sense — agreed the proper fix needs the larger WebKit-side change you describe (execution-context-keyed set, held until each import promise settles), and that belongs in its own PR with a dedicated test matrix.

Re the offer: yes please — pinning the 3-module M→T→U→M chain and the 5-module criss-cross as test.todo fixtures in dynamic-import-tla-cycle.test.ts would help. That gives the follow-up concrete in-tree repros to flip active, and documents the known gap right next to the file's header note about Bun's deliberate spec divergence — more durable than a tracking-issue todo that can drift from the actual fixture shapes. test.todo over .skip so CI surfaces it if a future WebKit bump happens to close one of them.

[robobun]

WebKit CI for oven-sh/WebKit#230 at d57ee3d2 failed on the Linux arm64 Release lane (all other Linux builds were cancelled as a consequence), so no autobuild-preview-pr-230-d57ee3d2 tarball was published. All bun-side build-cpp lanes fail with HTTP 404 when fetching the tarball — same cross-repo coordination pattern as before. Diff is green locally (6/6 TLA tests pass on local-built debug-asan against my vendor/WebKit branch). Maintainer can either retry the Linux arm64 Release job on WebKit#230 to unblock the tarball build, or diagnose the arm64 failure if it's real. Not pushing another commit.

[robobun]

Status: all 29 build-cpp lanes failed fetching autobuild-preview-pr-230-36cc1283.tar.gz — the WebKit preview build (PR #230) hit GPG key not reachable at https://apt.llvm.org/llvm-snapshot.gpg.key in the Linux arm64 Debug Dockerfile step, which cancelled the other Linux builds and blocked the tarball from publishing. Pure infra transient.

Triggered preview workflow Attempt 2 via gh run rerun; once it succeeds the tarball publishes and a retry of this PR's CI (empty push or re-run) will complete build-cpp. No code change needed from this side.

[claude]

🔴 Two more regression shapes for the depth-2 finding above, which together rule out both fixes that comment proposed: (1) depth-1 criss-cross siblings — entry imports midA+midB; midA awaits import(chunkA) which back-edges to midB; midB awaits import(chunkB) which back-edges to midA. At chunkA's DFS, set={midA} so condition (4) misses midB; symmetric for chunkB → wait cycle. This is depth-1 (so the earlier comment under-scopes the regression) and rules out fix (b) "walk the pending chain transitively" — midA/midB are siblings with no ancestor relationship. (2) delegated import() — router.mjs: export const loadFoo = () => import('./foo.mjs'); app.mjs: await loadFoo(); foo.mjs back-edges to app. sourceOrigin identifies the module lexically containing the import() keyword (router), not the module whose TLA body awaits the result (app), so set={router} during foo.evaluate() and app ∉ {router} → spec wait → deadlock. This is a set-identity bug orthogonal to the set-lifetime bug in the depth-2/criss-cross cases, and fix (a) "keep initiator pushed until promise settles" does NOT fix it since router (not app) is what gets pushed. Suggest adding both as fixtures alongside the depth-2 test, and on the WebKit side tracking the set of all EvaluatingAsync modules with an outstanding dynamic-import promise, independent of which file the import() keyword sits in.

Extended reasoning...

What this is

This extends the depth-2 finding already posted at this line (inline comment id 3256858258). That comment established that the new dep == initiator discriminator only matches the immediate dynamic-import initiator, and proposed two WebKit-side fixes: (a) keep the initiator pushed until its import promise settles, or (b) walk the pending chain transitively. Two further regression shapes — both of which worked pre-PR and deadlock under the PR description's stated push/pop-around-evaluate() semantics — show that neither fix as stated is sufficient, and together constrain the WebKit-side fix to something stronger than either.

This is filed as an addendum to the existing 🔴 comment rather than a fully independent finding: same root cause (the fourth condition's set under-approximates the modules whose progress depends on the current evaluate()), same code location, same WebKit-side fix area. The added value is (i) two distinct test fixtures the existing tests don't cover, and (ii) ruling out both of the earlier comment's suggested fixes, which materially shapes the WebKit#230 design.

Shape (1): depth-1 criss-cross siblings

entry.mjs:  import "./midA.mjs"; import "./midB.mjs";
midA.mjs:   export const a = 1; await import("./chunkA.mjs");
midB.mjs:   export const b = 2; await import("./chunkB.mjs");
chunkA.mjs: import { b } from "./midB.mjs"; export const handler = () => b;
chunkB.mjs: import { a } from "./midA.mjs"; export const handler = () => a;

Step-by-step trace (per the PR description's "push immediately before target's evaluate(), pop after"):

1. entry.evaluate() DFS: midA's body runs (a=1), hits await import(chunkA) → midA EvaluatingAsync, pendingAsyncDependencies=0. midB's body runs (b=2), hits await import(chunkB) → midB EvaluatingAsync, pendingAsyncDependencies=0. entry has pendingAsyncDependencies=2.
2. chunkA's load settles → dynamicImportLoadSettled pushes midA, set={midA}. chunkA.evaluate() DFS visits midB. Conditions: (1) midB was already EvaluatingAsync ✓; (2) midB.asyncOrder < chunkA's watermark ✓; (3) midB.pendingAsync==0 ✓; (4) midB ∈ {midA}? NO → spec wait. chunkA.pendingAsyncDependencies=1. Pop midA, set={}.
3. chunkB's load settles → push midB, set={midB}. chunkB.evaluate() DFS visits midA. (4) midA ∈ {midB}? NO → spec wait. chunkB.pendingAsyncDependencies=1. Pop midB.

Cycle: chunkA waits midB; midB awaits import(chunkB); chunkB waits midA; midA awaits import(chunkA). Deadlock.

Pre-PR: at both step 2 and step 3, conditions (1)(2)(3) alone fire → both skip → chunkA reads b=2 (initialized before midB's await), chunkB reads a=1 → all complete.

Why this isn't covered by the existing comment: The depth-2 comment says "Both existing Nitro tests are depth-1 (chunk re-imports its own initiator), so this isn't covered" — implying depth-1 is safe. The criss-cross is depth-1 (each await import is one hop) and also regresses, so the regression is broader than "depth ≥ 2". More importantly, it rules out fix (b) "walk the pending chain transitively": at step 2, midB's await target is chunkB whose initiator chain is {midB}, disjoint from {midA}. midA and midB are siblings with no ancestor relationship, so no transitive walk along the dynamic-import chain from chunkA reaches midB. Only fix (a) handles this shape: if midA stays pushed until import(chunkA) settles, then at step 3 set={midA, midB}, midA matches → skip → chunkB completes → midB completes → chunkA's wait on midB resolves.

Shape (2): delegated import()

// router.mjs — synchronous, no TLA
export const loadFoo = () => import("./foo.mjs");

// app.mjs — entry, TLA awaiter
import { loadFoo } from "./router.mjs";
export const app = 1;
await loadFoo();              // awaits import() that is *textually* in router.mjs

// foo.mjs
import { app } from "./app.mjs";   // back-edge to the awaiter
console.log(app);

Step-by-step trace:

1. app.evaluate() DFS visits router (static dep). router's body runs synchronously → router Evaluated.
2. app's body runs (app=1), calls loadFoo(). The import() expression executes with sourceOrigin = router.mjs — per ES spec, HostLoadImportedModule's referrer is the Script/Module Record where the import() CallExpression is lexically located (this is what makes () => import('./x') resolve ./x relative to where the arrow is defined, not where it's called). JSC captures this from the containing SourceProvider's origin. moduleLoaderImportModule at lines 3559-3560 computes referrerKey = /abs/router.mjs. requestImportModule resolves router's CyclicModuleRecord (router IS in the registry — it was loaded as a regular ESM static dep) and stashes it. app awaits the returned promise → app EvaluatingAsync, pendingAsync=0.
3. foo's load settles. dynamicImportLoadSettled pushes router → set={router}. Calls foo.evaluate().
4. foo's DFS visits app. Conditions: (1) app was already EvaluatingAsync ✓; (2) app.asyncOrder < foo's watermark ✓; (3) app.pendingAsync==0 ✓; (4) app ∈ {router}? NO → spec wait. foo.pendingAsyncDependencies=1. Pop router.

Cycle: foo waits on app; app's body is suspended on loadFoo()'s promise; that promise resolves when foo → Evaluated. Deadlock.

Pre-PR: conditions (1)(2)(3) alone fire → skip → foo reads app=1 → completes → app resumes.

Why this isn't covered by the existing comment or shape (1): The depth-2 chain and the criss-cross both assume import() is textually inside the module whose TLA body awaits it; their root cause is the push/pop bracket being too narrow (set-lifetime). Shape (2) is a set-identity bug: the wrong module is pushed in the first place. The PR description defines the initiator as "the CyclicModuleRecord whose JS body is awaiting the current import's result", but sourceOrigin does not give you that; it gives you where import() was written. Critically, fix (a) does NOT fix this: router would stay pushed until the promise settles, but app is never pushed at all. So shape (2) rules out fix (a) as a complete solution, just as shape (1) rules out fix (b).

Realistic? Route-table loaders (export const routes = {'/x': () => import('./x.mjs')}), React.lazy-style helpers in a shared util module, barrel re-export thunks, and any "one file owns the import map" pattern. The back-edge shape is identical to the existing Nitro tests, just with one level of function indirection.

Why existing safeguards don't catch either

The VM::hasPendingDynamicImport() coarse fallback (per the PR thread) fires only when the initiator is unresolvable — empty referrerKey or registry-lookup miss. In both shapes the initiators are file-backed ESM modules that resolve cleanly via the new bun-side referrerKey at lines 3555-3567, so the precise check is used and misses. Neither existing Nitro test exercises sibling back-edges or delegation: in both, await import(...) appears textually in the awaiter and the chunk back-edges to its own immediate initiator.

On the duplicate objection

One reviewer argued shape (1) is a duplicate of the existing depth-2 comment because both reduce to "the discriminator only matches the immediate initiator". The root cause is shared, and this is intentionally filed as an extension of that comment at the same line, not an independent finding. But the additions are not redundant: (i) shape (1) corrects the depth-2 framing's implication that depth-1 is safe; (ii) shape (1) demonstrates that one of the two fixes the earlier comment proposed is insufficient; (iii) shape (2) demonstrates that the other proposed fix is also insufficient, via a mechanism (lexical sourceOrigin ≠ awaiting module) that the earlier comment does not mention at all; (iv) both need distinct test fixtures. A reply that only said "here's another shape that breaks" would be noise; a reply that says "neither of your two proposed fixes is sufficient, here's why, and here's what the fix actually needs to track" is actionable.

Caveat (shared with the depth-2 comment)

All three shapes rest on the PR description's stated push/pop-around-evaluate() semantics; vendor/WebKit is not checked out here so oven-sh/WebKit#230's source cannot be inspected directly. If WebKit#230 happens to filter the resolved initiator by state (e.g. "only stash if EvaluatingAsync; otherwise treat as unresolved → coarse fallback"), router (Evaluated) would be dropped in shape (2) and the coarse gate would preserve pre-PR behavior — though a trivially modified repro where router has its own unrelated TLA would bypass any such filter. The PR description mentions no such filter, and the depth-2 comment at this line was posted under the same assumption. Either way, both shapes are worth pinning as test fixtures.

Suggested fix

On the WebKit side, the discriminator needs to track the set of all EvaluatingAsync modules with an outstanding dynamic-import promise — independent of which file the import() keyword sits in, and held until each promise settles (not just until evaluate() returns). Concretely: at await import() time, push the currently executing CyclicModuleRecord (the one whose async body is about to suspend — available from the running execution context, not from sourceOrigin); pop when the import's promise settles. That covers depth-2 (M stays pushed through U's evaluate()), criss-cross (midA and midB both pushed at step 3), and delegation (app pushed instead of router). On the bun side, add the 5-file criss-cross and 3-file delegated-import fixtures to dynamic-import-tla-cycle.test.ts alongside the suggested depth-2 test.

[robobun]

Both traces are correct — shape (1) pins the gap at depth-1 rather than the earlier comment's implied depth-≥2, and shape (2) shows that lexical sourceOrigin is the wrong key for delegated () => import() helpers. Agreed that neither of the two fixes my prior design iteration considered (push-until-promise-settles / walk the pending chain) is complete on its own; a correct fix needs both a longer push lifetime AND execution-context-derived identity rather than sourceOrigin.

Per the reply on the parent thread: deliberately out of scope for this PR, which is narrowly fixing the #30651 TDZ read for parallel dynamic imports of a shared TLA dep. Shape (2) in particular (router has () => import(), app awaits it, foo back-edges to app) is a realistic framework pattern and worth prioritizing on the follow-up. Tracking both as regression fixtures for that follow-up.

[claude]

Additional findings (outside current diff — PR may have been updated during review):

• 🟡 src/jsc/bindings/ZigGlobalObject.cpp:3555-3569 — 🟡 (pre-existing, follow-up note) The false-positive dual of the delegated-import case above: a fire-and-forget import() still pushes the lexical caller, so a 2-file repro — M does import('./T.mjs') (NOT awaited) then await setTimeout(50); export const x = 42; T statically imports x from M — has T read x in TDZ (Node prints 42, since M never awaits T so the spec wait terminates). Not a regression (the 3-condition pre-PR skip fires identically), but worth noting because it constrains the follow-up redesign: even "push the currently-executing module, pop on promise settle" would still push M here, so that fix additionally needs to verify the initiator's suspension point is the import's continuation. At minimum the PR description's "the CyclicModuleRecord whose JS body is awaiting the current import's result" should say "lexical caller" — what's actually pushed may not be awaiting at all.

  Extended reasoning...

  What this is

  The PR description defines the initiator as "the CyclicModuleRecord whose JS body is awaiting the current import's result", but what referrerKey (lines 3555–3567) actually identifies is the lexical caller — the module where the import() expression is textually written. The thread at this line already established that the lexical caller can be a module that is not the awaiter (delegated import → false negative → new deadlock). This is the dual: the lexical caller can be a module that is pushed and matched but is not awaiting the result at all — fire-and-forget — so condition (4) fires when the spec wait would have been safe (false positive → pre-existing TDZ).

  Step-by-step proof

  // M.mjs (entry)
  import("./T.mjs");                          // fire-and-forget, NOT awaited
  await new Promise(r => setTimeout(r, 50));   // M suspends here, unrelated to T
  export const x = 42;
  
  // T.mjs
  import { x } from "./M.mjs";
  console.log(x);

  1. M.evaluate(): body runs, import(T) calls moduleLoaderImportModule with sourceOrigin = M; lines 3559–3560 compute referrerKey = /abs/M.mjs; requestImportModule finds M's record and stashes it. M then hits await setTimeout(50) → EvaluatingAsync, pendingAsyncDependencies = 0.
  2. T's load settles (~1 ms file I/O, well before M's 50 ms timer). dynamicImportLoadSettled pushes M → set = {M}. Calls T.evaluate().
  3. T's DFS visits M. The four conditions at 11.c.v: (1) depWasAlreadyEvaluatingAsync ✓; (2) M.asyncEvaluationOrder < T's watermark ✓ (M's order assigned in the prior Evaluate() pass); (3) M.pendingAsync == 0 ✓; (4) vm.isModuleAwaitingDynamicImport(M) → M ∈ {M} ✓. All four hold → skip the wait.
  4. T's body runs immediately, reads x → TDZ ReferenceError.

  Spec / Node: T waits on M; M's 50 ms timer fires; x = 42; M → Evaluated; T resumes and prints 42. No deadlock — M never awaits import(T)'s promise, so its progress is independent of T.

  Relationship to the existing comments at this line

  Comments #3256858258 / #3297797470 (depth-2, criss-cross, delegated import) are all false negatives on condition (4): the dep ≠ what was pushed → spec wait → new deadlock regression. Comments #3243246404 / #3292821227 are referrer-resolution misses: registry lookup fails → coarse fallback. This is the only false positive: referrer resolves correctly, condition (4) matches, but the match is semantically wrong because lexical-caller ≠ awaiter (here, there is no awaiter). Together with the delegated-import shape, this shows the lexical caller is neither necessary nor sufficient for "module whose completion depends on this import settling".

  Addressing the duplicate/out-of-scope objection

  One reviewer argued this is (a) pre-existing by construction since condition (4) is conjunctive, (b) substantively the same insight as the delegated-import comment ("sourceOrigin identifies lexical caller, not awaiter"), and (c) indistinguishable from the intentional Nitro skip at the discriminator's observable granularity. All three are correct, and (a)+(c) are exactly why this is filed as a nit rather than a blocker — at import() call time it's unknowable whether the promise will be awaited at top level, so this is the precision ceiling of any lexical-initiator approximation and not fixable within this PR's scope.

  What's not already covered by the thread, and the reason this is worth noting for the follow-up robobun scoped at #3297869824/#3297870655: the proposed redesign there — "push the currently executing CyclicModuleRecord (execution-context-derived, not sourceOrigin), pop when the import's promise settles" — would still push M here. M is the currently-executing module when import(T) fires, and import(T)'s promise is outstanding when T's DFS visits M. So that redesign fixes depth-2, criss-cross, and delegated-import, but still false-positives on fire-and-forget. Closing this hole requires the follow-up to additionally verify that the initiator's suspension point is the import's continuation (e.g. by inspecting the promise reaction the module body is parked on), not just that it called import() and the promise hasn't settled.

  Why nothing prevents it

  The push/pop bracket in dynamicImportLoadSettled keys purely on who called import(), not who awaits the result. The 3-condition pre-PR skip also fires here (same trace minus condition 4), so the PR's narrowing simply doesn't reach it — from condition (4)'s perspective, "T's static back-edge target IS T's dynamic-import lexical initiator" is exactly the Nitro depth-1 shape it intentionally preserves the skip for.

  Impact / fix

  Nit — pre-existing (not a regression), narrower pattern than the user-reported #30651/#22367 shapes, and the author has already scoped the redesign as a follow-up. Actionable bits: (1) tighten the PR description's definition of "initiator" from "module awaiting the result" to "lexical caller"; (2) carry this 2-file repro forward as a fixture for the follow-up so the redesign's test matrix includes a case where "push currently-executing module until promise settles" is insufficient on its own.

[robobun]

Rebased onto latest main (resolved the WEBKIT_VERSION conflict — main had advanced its WebKit to 963f8758 + the Windows cross-compile work in #239).

• WebKit PR #230 rebased onto the new WebKit main (clean, 2 commits) → new preview tarball autobuild-preview-pr-230-d8ec41d5 published (42 assets).
• WEBKIT_VERSION in this PR points at that tag.
• All 6 TLA tests pass locally (debug ASAN) against the rebased WebKit.
• test/bake/dev/production.test.ts 8/8 (the Bake referrer plumbing stays reverted — it is documentation-only vs main).

Earlier build-cpp 404s were the tarball not being published yet (a transient Ubuntu-24.04.4 runner-image failure on WebKit's FreeBSD Docker step delayed it; re-run cleared it). Fresh CI build triggered now that the tarball is live.

[robobun]

Rebased again onto latest main (main re-advanced its WebKit to 6d586e29 with several JSC PRs: #240, #247, #242, #244, #241).

• WebKit PR #230 cherry-picked onto the new WebKit main → preview tarball autobuild-preview-pr-230-c7f29140 published (43 assets).
• WEBKIT_VERSION points at the new tag.
• All 6 TLA tests pass locally (debug ASAN) against the re-rebased WebKit.

Only conflict both times was WEBKIT_VERSION (expected — this PR tracks a WebKit preview that has to be re-pinned whenever main bumps WebKit). Fresh CI build triggered now that the tarball is live.

[robobun]

CI build #60104 (after re-rolling the expired darwin agents — those now pass): 70 checks green including all build-cpp. The 2 remaining failures are unrelated flake, different from the previous build's:

1. test/js/third_party/@duckdb/node-api/duckdb.test.ts — SIGILL (illegal instruction) segfault in the DuckDB native addon. DuckDB is loaded via CJS require + process.dlopen (a native .node binary), not ESM dynamic import — this PR only touches the ESM dynamic-import referrer path, so it cannot affect it. The SIGILL is a CPU-instruction/native-binary mismatch on the runner.
2. test/js/bun/http/serve-body-leak.test.ts — memory-leak threshold, flagged flaky (1 retry), end_memory 542MB vs 512MB limit.

Both are physically disconnected from the diff (module loader + TLA test). All 6 TLA tests pass locally in debug+release against the re-rebased WebKit c7f29140. Already spent my one re-roll on the expired darwin lanes. Ready for a maintainer to merge.

[robobun]

Superseded by #32437 (merged), which fixes the same bug via a cleaner mechanism: moduleLoaderImportModule looks up the referrer's asyncEvaluationOrder through the new JSModuleLoader::asyncEvaluationOrderForKey() and threads it to JSC::importModule as referrerAsyncOrder, rather than plumbing the referrer identifier and a VM-level initiator set as this PR did. That approach supersedes oven-sh/WebKit#228 (and this PR's paired oven-sh/WebKit#230).

Verified the #30651 repro is fixed on current main (eae803811b, WebKit cd821fec):

$ bun-debug driver.mjs   # two parallel dynamic imports of a shared TLA dep
entry1 foo: 123
entry2 foo: 123

No ReferenceError: Cannot access 'foo' before initialization. test/js/bun/resolve/dynamic-import-tla-cycle.test.ts passes 6/6 on main, including the sibling dynamic imports sharing a TLA wrapper wait for its post-await exports regression test #32437 added.

Closing as superseded. The paired oven-sh/WebKit#230 will be closed too.