Report exceptions thrown by DeferredWorkTimer tasks as uncaughtException

[robobun]

What does this PR do?

Fixes a debug/ASAN assertion failure (releaseAssertNoException) when a FinalizationRegistry cleanup callback throws.

Fuzzilli fingerprint: 568b6f604bcb11d9

ASSERTION FAILED: Unexpected exception observed on thread ...
Error Exception: calling ArrayBuffer constructor without new is invalid
!exception()
ExceptionScope.h(62) : void JSC::ExceptionScope::releaseAssertNoException()

Root cause

Bun routes JSC's DeferredWorkTimer tasks through Bun__runDeferredWork → runPendingWork, which invoked job->task(ticket) with no exception handling. JSFinalizationRegistry::runFinalizationCleanup returns with the exception still pending when a user callback throws, so the validation scope in JSCDeferredWorkTask::run tripped releaseAssertNoException() in debug/ASAN builds. In release builds the pending exception was only caught accidentally by the post-task drainMicrotasks() call, which aborts the nextTick drain for that tick, and for node:vm-created registries it was silently dropped.

Fix

Mirror JSC's own DeferredWorkTimer::doWork(): wrap the task in a TopExceptionScope, clear any non-termination exception after it runs, and report it via Zig::GlobalObject::reportUncaughtExceptionAtEventLoop(defaultGlobalObject(realm), …) so it reaches process.on('uncaughtException') — matching Node.js — including when the registry lives in a node:vm context. Termination exceptions are left pending for the caller.

Repro

const registry = new FinalizationRegistry(() => {
  throw new Error("boom");
});
for (let i = 0; i < 1000; i++) registry.register({}, i);
for (let i = 0; i < 10; i++) {
  Bun.gc(true);
  await new Promise(r => setImmediate(r));
}

How did you verify your code works?

• Added test/js/bun/util/finalization-registry-throw.test.ts covering the plain-GC, generateHeapSnapshot, and node:vm context trigger paths; all assert the error reaches uncaughtException.
• Verified all three tests fail (assertion crash / caught: null) on a pre-fix binary and pass with the fix.
• Verified behavior matches Node.js.

Rebase notes

Rebased onto current main; dropped the earlier autofix.ci formatting commit (main now carries equivalent formatting) and the temporary bake-codegen.ts quoting workaround (no longer needed now that the define auto-quote recovery from #30679 is on main).

[robobun]

^{Updated 3:51 PM PT - May 22nd, 2026}

✅ @robobun, your commit a1720ccbfc26eb2e8bc81d2f721fd1141de805ec passed in Build #56942! 🎉

---

🧪   To try this PR locally:

bunx bun-pr 30846

That installs a local version of the PR into your bun-30846 executable, so you can run:

bun-30846 --bun

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: fe9456a1-6370-435d-b3fc-e755646f8a64

📥 Commits

Reviewing files that changed from the base of the PR and between 9f3472d and a1720cc.

📒 Files selected for processing (2)

• src/jsc/bindings/JSCTaskScheduler.cpp
• test/js/bun/util/finalization-registry-throw.test.ts

---

Walkthrough

This PR wraps deferred-work task execution in a top-level exception scope within the JSCTaskScheduler and reports uncaught exceptions at the event loop. Three integration tests verify that FinalizationRegistry cleanup callbacks which throw are properly surfaced via process uncaughtException across different contexts.

Changes

Exception Handling for Task Scheduler

Layer / File(s)	Summary
Task scheduler exception reporting src/jsc/bindings/JSCTaskScheduler.cpp	Headers for top-level exception scope and deferred-work inline details are added; pending task execution is wrapped with DECLARE_TOP_EXCEPTION_SCOPE(vm), and thrown exceptions are reported via the global object's uncaught-exception path (except termination exceptions).
FinalizationRegistry exception tests test/js/bun/util/finalization-registry-throw.test.ts	Three concurrent subprocess tests spawn Bun processes that register FinalizationRegistry objects with cleanup callbacks that throw errors directly, during heap snapshots, and within node:vm contexts; each test forces GC cycles, captures the uncaught exception, and validates the parent process sees the error on stdout with empty stderr and zero exit code.

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically summarizes the main change: routing exceptions from DeferredWorkTimer tasks to uncaughtException, which matches the core fix in the PR.
Description check	✅ Passed	The description fully covers both required template sections with comprehensive detail: 'What does this PR do?' explains the fix, root cause, and mirror of JSC's approach; 'How did you verify your code works?' documents test coverage and verification across all trigger paths.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/js/bun/util/finalization-registry-throw.test.ts`:
- Around line 48-70: The test can pass without exercising the throwing cleanup
path; change the FinalizationRegistry cleanup function to perform a detectable
side-effect (e.g., set globalThis.__finalizerRan = true or write a distinct
message via console.error) and after calling registry.register, Bun.gc(true),
and Bun.generateHeapSnapshot(), wait for the event loop tick
(setImmediate/Promise.resolve) and assert that globalThis.__finalizerRan is true
(or the stderr contains the message). Update references in this test around
FinalizationRegistry, registry.register, Bun.generateHeapSnapshot and the
GC/setImmediate sequence so the assertion verifies the cleanup callback actually
ran.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: a18c25f0-33bb-4533-8080-400c1911e364

📥 Commits

Reviewing files that changed from the base of the PR and between 314d044 and 8fe5c6c.

📒 Files selected for processing (2)

• src/jsc/bindings/JSCTaskScheduler.cpp
• test/js/bun/util/finalization-registry-throw.test.ts

[github-actions]

This PR may be a duplicate of:

1. Report exceptions from DeferredWorkTimer tasks as uncaught #30835 - Same fix: adds TopExceptionScope in JSCTaskScheduler.cpp's runPendingWork to catch FinalizationRegistry callback exceptions and route them through reportUncaughtExceptionAtEventLoop
2. Report exceptions thrown from DeferredWorkTimer tasks #30844 - Same fix: catches exceptions after DeferredWorkTimer task execution in runPendingWork and reports them as uncaughtException

🤖 Generated with Claude Code

[coderabbitai]

♻️ Duplicate comments (1)

test/js/bun/util/finalization-registry-throw.test.ts (1)

48-70: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Assert that the throwing finalizer path is actually exercised.

This can pass without proving the cleanup callback ran, so it may miss regressions in the intended heap-snapshot path.

Suggested tightening

-          process.on("uncaughtException", () => {});
+          let sawUncaught = false;
+          process.on("uncaughtException", () => {
+            sawUncaught = true;
+          });
           const registry = new FinalizationRegistry(() => {
             ArrayBuffer();
           });
@@
-          Bun.gc(true);
-          Bun.generateHeapSnapshot();
-          Bun.gc(true);
-          setImmediate(() => {});
+          (async () => {
+            for (let i = 0; i < 20 && !sawUncaught; i++) {
+              Bun.gc(true);
+              Bun.generateHeapSnapshot();
+              Bun.gc(true);
+              await new Promise(r => setImmediate(r));
+            }
+            console.log(JSON.stringify({ sawUncaught }));
+          })();
@@
-    expect(stdout).toBe("");
+    expect(JSON.parse(stdout.trim())).toEqual({ sawUncaught: true });

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/js/bun/util/finalization-registry-throw.test.ts` around lines 48 - 70,
The test currently swallows the finalizer-thrown exception with
process.on("uncaughtException", () => {}), so it never proves the
FinalizationRegistry finalizer ran; change the uncaughtException handler used
with FinalizationRegistry to record/emit a visible marker (e.g.,
process.stdout.write or console.log a unique string like "FINALIZER_THROWN")
when invoked, keep the registry callback that throws (FinalizationRegistry(() =>
{ ArrayBuffer(); })), run the same sequence (register, nullify, Bun.gc,
Bun.generateHeapSnapshot, Bun.gc) and then assert the marker appears in
stdout/stderr (or assert a flag) so the test actually verifies the throwing
finalizer path was exercised.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@test/js/bun/util/finalization-registry-throw.test.ts`:
- Around line 48-70: The test currently swallows the finalizer-thrown exception
with process.on("uncaughtException", () => {}), so it never proves the
FinalizationRegistry finalizer ran; change the uncaughtException handler used
with FinalizationRegistry to record/emit a visible marker (e.g.,
process.stdout.write or console.log a unique string like "FINALIZER_THROWN")
when invoked, keep the registry callback that throws (FinalizationRegistry(() =>
{ ArrayBuffer(); })), run the same sequence (register, nullify, Bun.gc,
Bun.generateHeapSnapshot, Bun.gc) and then assert the marker appears in
stdout/stderr (or assert a flag) so the test actually verifies the throwing
finalizer path was exercised.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 856726fc-386b-468a-94ea-dfbdd43c6153

📥 Commits

Reviewing files that changed from the base of the PR and between 8fe5c6c and b252abb.

📒 Files selected for processing (11)

• src/crash_handler/lib.rs
• src/errno/lib.rs
• src/perf/tracy.rs
• src/runtime/cli/Arguments.rs
• src/runtime/cli/run_command.rs
• src/runtime/cli/upgrade_command.rs
• src/runtime/jsc_hooks.rs
• src/runtime/webview/ChromeProcess.rs
• src/spawn/process.rs
• src/spawn_sys/spawn_process.rs
• test/js/bun/util/finalization-registry-throw.test.ts

[claude]

Thanks — both earlier concerns are addressed (direct Zig::GlobalObject::reportUncaughtExceptionAtEventLoop(defaultGlobalObject(...)) call covers node:vm, and the heap-snapshot test now positively asserts the caught error). Deferring to a maintainer mainly so this can be reconciled with the two duplicate PRs (#30835 / #30844) flagged above.

Extended reasoning...

Overview

The substantive change is ~7 lines in src/jsc/bindings/JSCTaskScheduler.cpp: runPendingWork now wraps the deferred-work task in a TopExceptionScope, clears any non-termination exception, and reports it via Zig::GlobalObject::reportUncaughtExceptionAtEventLoop(defaultGlobalObject(realm), …) so FinalizationRegistry cleanup throws reach process.on('uncaughtException'). A new test file covers the GC, generateHeapSnapshot, and node:vm trigger paths. bake-codegen.ts gets a one-line JSON.stringify around the OVERLAY_CSS define. The remaining ~9 Rust files are pure rustfmt/autofix reflow of #[cfg(...)] / cfg_attr attributes with no semantic change.

Security risks

None identified. No new inputs are parsed, no auth/crypto/permission surfaces touched; the change only routes an already-thrown JS exception to the existing uncaught-exception reporter.

Level of scrutiny

Moderate. The diff is small and mirrors JSC's own DeferredWorkTimer::doWork(), but it sits on the core JSC↔Bun event-loop boundary and changes user-observable behavior (exceptions from FinalizationRegistry / WASM-streaming callbacks now fire uncaughtException). That plus the bot-flagged duplicate PRs (#30835 / #30844) implementing the same fix means a maintainer should pick the canonical one rather than me auto-approving.

Other factors

Both inline comments I left on the previous revision have been addressed: the node:vm method-table gap is closed by calling the Zig implementation directly on defaultGlobalObject(...) (commit 853321d, with a dedicated test), and the heap-snapshot test now registers 1000 objects, loops, and asserts the captured message contains ArrayBuffer instead of only checking for empty stderr. The Buildkite failures listed by robobun are pre-existing lint/build warnings on main unrelated to this diff. No new issues found in this pass.

[robobun]

CI status: the only failing test is node-http-backpressure.test.ts SIGKILL on ubuntu-25.04-aarch64, a pre-existing flake also hitting unrelated PRs #30845 and #30850 in the same window. The previous run's flakes (worker_threads.test.ts SIGTRAP on darwin-26-aarch64, dev-and-prod.test.ts on Windows — both also seen on unrelated PRs #29709, #30784, #30817) did not recur after retrigger. finalization-registry-throw.test.ts passes on all platforms.

Duplicates: #30835 and #30844 implement the same core fix; this one additionally covers the node:vm context path via defaultGlobalObject().