Fix event-loop hang when dlopen'd Go/cgo lib coexists with WASM on Linux

[robobun]

Fixes #31158.
Fixes #29843.

Repro

cat > native.go <<'GO'
package main
import "C"
//export GoAdd
func GoAdd(a, b C.int) C.int { return a + b }
func main() {}
GO
CGO_ENABLED=1 go build -buildmode=c-shared -o libgo.so native.go

bun -e '
import { dlopen, FFIType } from "bun:ffi";
dlopen("./libgo.so", { GoAdd: { args: [FFIType.i32, FFIType.i32], returns: FFIType.i32 } });
const bytes = new Uint8Array([0,97,115,109,1,0,0,0,1,5,1,96,0,1,127,3,2,1,0,7,5,1,1,102,0,0,10,34,1,32,1,1,127,65,0,33,0,2,64,3,64,32,0,65,1,106,33,0,32,0,65,144,206,0,72,13,0,11,11,32,0,11]);
(new WebAssembly.Instance(new WebAssembly.Module(bytes)).exports.f as () => number)();
await new Promise(r => setTimeout(r, 50));
console.log("alive");
'

Hangs after the WASM call; "alive" never prints. Linux x64 only. Reporter's strace shows a continuous tgkill(…, SIGPWR) storm (≈8500 signals/s) while the main thread pins a core.

Cause

JavaScriptCore's GC/code-cache flush suspends other JS threads by sending a per-thread signal (SIGPWR on Linux in our WebKit fork) and having the handler snapshot the interrupted context. signalHandlerSuspendResume in WTF/wtf/posix/ThreadingPOSIX.cpp sanity-checks that the snapshot is meaningful with:

void* approximateStackPointer = currentStackPointer();  // <- the handler's own SP
if (!thread->m_stack.contains(approximateStackPointer)) {
    thread->m_platformRegisters = nullptr;
    globalSemaphoreForSuspendResume->post();
    return;  // caller retries
}

Go's cgo runtime walks every signal in runtime.initsig when loaded as a c-shared library and, for any signal whose handler is non-default that it doesn't want to own, force-adds SA_ONSTACK so its own threads' synchronous faults stay on a managed alt stack. That includes WTF's SIGPWR handler. Because Bun's crash handler (or ASAN's runtime in debug builds) already has an alternate signal stack installed on the main thread, the very next JSC suspend delivers SIGPWR onto the alt stack, currentStackPointer() lands outside thread->m_stack, the sanity check fails, the handler posts with m_platformRegisters = nullptr, Thread::suspend() retries — forever. The event loop never gets another timer tick.

Any runtime that follows the same recipe (Mono, some JNI layouts, Rust async runtimes compiled as cdylibs) trips the same wire; this just happens to surface most loudly with Go because cshared Go is what most people reach for when they want a native helper.

Confirmed with a plain C test:

$ ./verify_bug
main stack near: 0x7ffdea86460c
alt stack range: [0x74fca3657010..0x74fca3697010]
Case 1 (no SA_ONSTACK): handler_sp=0x7ffdea8638a4 interrupted_sp=0x7ffdea8645a0
Case 2 (SA_ONSTACK):    handler_sp=0x74fca36963a4 interrupted_sp=0x7ffdea8645a0

Handler SP is in the alt stack when SA_ONSTACK is in effect; the ucontext-saved SP always tells the truth.

Fix

Root-cause fix is in WTF: read the interrupted thread's SP from the ucontext (kernel-saved register state) instead of the handler's own currentStackPointer(). That SP is stable regardless of whether the handler itself runs on the normal or the alternate signal stack, and the existing retry-on-alt-stack semantics still work — if the thread genuinely was on an alt stack when the signal arrived (e.g. a nested handler), the ucontext SP reflects that and the check backs off as before.

The WTF change ships in oven-sh/WebKit#235; this PR bumps WEBKIT_VERSION to that PR's preview autobuild. No per-dlopen sigaction scan on the Bun side — with the WTF fix in place it would be pure overhead, and chaining workarounds for workarounds is the wrong direction (as the reporter rightly pointed out).

Swap the preview-pr-235 tag for the merged autobuild hash once oven-sh/WebKit#235 lands.

Test

test/regression/issue/31158.test.ts — sets SA_ONSTACK on SIGPWR via bun:ffi (same shape as Go's initsig), triggers a fresh dlopen, compiles+invokes a WASM function, then awaits a setTimeout. Passes with the fix in ~800 ms; hangs to a 15 s test-runner timeout on system Bun. Skipped on non-glibc (musl Bun is static and doesn't have libc.so.6 to dlopen).

The exact repro from the issue (with Go) also passes end-to-end against this build.

[robobun]

^{Updated 7:38 AM PT - Jun 17th, 2026}

❌ @robobun, your commit 1f4deae has 1 failures in Build #63137 (All Failures):

• scripts/build/ci.ts - build failed on 🍎 aarch64 - build-cpp
• scripts/build/ci.ts - build failed on 🐧 aarch64 - build-cpp
• scripts/build/ci.ts - build failed on 🐧 x64-baseline - build-cpp
• scripts/build/ci.ts - build failed on 🐧 x64 - build-cpp
• scripts/build/ci.ts - build failed on 🍎 x64 - build-cpp
• scripts/build/ci.ts - build failed on 🐧 aarch64-android - build-cpp
• scripts/build/ci.ts - build failed on :freebsd: aarch64 - build-cpp
• scripts/build/ci.ts - build failed on 🐧 x64-android - build-cpp
• scripts/build/ci.ts - build failed on :freebsd: x64 - build-cpp
• scripts/build/ci.ts - build failed on 🪟 aarch64 - build-cpp
• scripts/build/ci.ts - build failed on 🪟 x64-baseline - build-cpp
• scripts/build/ci.ts - build failed on 🪟 x64 - build-cpp
• scripts/build/ci.ts - build failed on 🐧 aarch64-musl - build-cpp
• scripts/build/ci.ts - build failed on 🐧 x64-musl-baseline - build-cpp
• scripts/build/ci.ts - build failed on 🐧 x64-asan - build-cpp
• scripts/build/ci.ts - build failed on 🐧 x64-musl - build-cpp

---

🧪   To try this PR locally:

bunx bun-pr 31161

That installs a local version of the PR into your bun-31161 executable, so you can run:

bun-31161 --bun

[github-actions]

Found 1 issue this PR may fix:

1. bun:ffi dlopen of Go c-shared library hangs Prisma MariaDB adapter queries #29843 - Reports bun:ffi dlopen of a Go c-shared library hanging Prisma MariaDB adapter queries on Linux x64, with the same root cause: Go's cgo runtime corrupts JSC's SIGPWR handler via SA_ONSTACK, stalling the event loop

If this is helpful, copy the block below into the PR description to auto-close this issue on merge.

Fixes #29843

🤖 Generated with Claude Code

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds a Unix-only post-dlopen repair that clears SA_ONSTACK from SIGPWR when present, exposes it via a C ABI, invokes it from JSC's dlopen binding, and adds a glibc-only regression test reproducing the original hang scenario.

Changes

Signal handler repair on dlopen

Layer / File(s)	Summary
Signal repair implementation and dlopen integration (Rust) src/sys/lib.rs	repair_jsc_gc_signal_after_dlopen() reads SIGPWR sigaction and, if SA_ONSTACK is set, re-installs the handler with SA_ONSTACK cleared (Unix only; stub on non-Unix). POSIX dlopen() calls it after libc::dlopen succeeds. Bun__repairJscGcSignalAfterDlopen() C-ABI wrapper exposes the repair.
JSC Process_functionDlopen hook src/jsc/bindings/BunProcess.cpp	Adds extern "C" void Bun__repairJscGcSignalAfterDlopen(); declaration and calls it immediately after a non-Windows dlopen() returns a non-null handle before continuing success handling.
Regression test for SA_ONSTACK signal repair test/regression/issue/31158.test.ts	Glibc-only test that spawns a Bun child, uses bun:ffi to set SA_ONSTACK on SIGPWR, performs a second dlopen to exercise the repair, compiles/instantiates a minimal WASM module, waits for a setTimeout sentinel, and asserts the child exits successfully with no stderr.

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main fix: addressing an event-loop hang triggered by dlopen'd Go libraries coexisting with WASM on Linux due to SIGPWR signal handling issues.
Linked Issues check	✅ Passed	The code changes fully address the linked issues (#31158, #29843): prevent event-loop hang by detecting and clearing SA_ONSTACK on SIGPWR after dlopen in both bun:ffi and process.dlopen paths, with a regression test.
Out of Scope Changes check	✅ Passed	All changes are tightly scoped to fixing the SIGPWR/SA_ONSTACK hang: post-dlopen repair functions in sys/lib.rs, invocation in BunProcess.cpp, and a focused regression test; no unrelated modifications present.
Description check	✅ Passed	PR description comprehensively explains the issue, root cause, Bun-side mitigation, and testing approach, exceeding template requirements.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/jsc/bindings/BunProcess.cpp`:
- Around line 538-539: Add a brief explanatory comment immediately above the
call to Bun__repairJscGcSignalAfterDlopen() (the code block that checks "if
(handle) ...") stating that this call repairs JSC's SIGPWR handler when foreign
libraries (e.g., Go cgo) have reinstalled SIGPWR with SA_ONSTACK, which can
cause a subtle event-loop hang; mention the signal name (SIGPWR), the SA_ONSTACK
flag, and that Bun__repairJscGcSignalAfterDlopen() restores the expected
handler/flags so the JSC GC signal handling and event loop remain stable after
dlopen of foreign libs.
- Around line 538-539: Wrap the call to Bun__repairJscGcSignalAfterDlopen behind
a Linux-only preprocessor guard so the Linux-specific SIGPWR repair only runs on
Linux; keep the existing if (handle) check and change it to only call
Bun__repairJscGcSignalAfterDlopen when the platform macro indicates Linux (e.g.,
surround the Bun__repairJscGcSignalAfterDlopen() invocation with an OS(LINUX) /
__linux__ preprocessor check) so the platform-specific behavior is explicit.
- Line 389: Add a short explanatory comment at the call site of
Bun__repairJscGcSignalAfterDlopen() clarifying that this extern "C" function
(matches Rust fn Bun__repairJscGcSignalAfterDlopen) is a post-dlopen fix for
JSC’s Linux SIGPWR handler: it clears SA_ONSTACK to avoid Thread::suspend()
retry/deadlock when an alternate signal stack is present; note that the Rust
implementation is a no-op on non-Linux Unixes so no OS(LINUX) guard is required
in the C++ caller.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: bbc2f969-d8d7-4554-a299-2d410570b2c4

📥 Commits

Reviewing files that changed from the base of the PR and between 753f1c4 and 76a38f7.

📒 Files selected for processing (3)

• src/jsc/bindings/BunProcess.cpp
• src/sys/lib.rs
• test/regression/issue/31158.test.ts

[github-actions]

This PR may be a duplicate of:

1. Restore Bun's signal handlers across dlopen() #29844 - Also restores Bun's signal handlers across dlopen() calls (bun:ffi and process.dlopen) to prevent Go c-shared libraries from clobbering JSC's signal infrastructure

🤖 Generated with Claude Code

[robobun]

Cross-referencing #29844 (flagged by the duplicate-finder): it's aimed at a related but distinct Go-dlopen signal problem — full handler replacement (Go calls sigaction with its own handler for signals where sigInstallGoHandler returns true: SIGPIPE, SIGCHLD, SEGV/ILL/BUS/FPE, etc.). That PR snapshots every sigaction before dlopen and restores any that changed, which as a byproduct also clears SA_ONSTACK from SIGPWR because sa_flags differs — so yes, #29844 would subsume this PR.

But the wire Go hits for SIGPWR is a different code path in cgo init: setsigstack keeps our handler and just OR-adds SA_ONSTACK. That's what causes the WASM event-loop hang in #31158. #29844 was opened for #29843 (Prisma adapter hang — WASM inside the adapter); both issues share the same root cause and would be fixed together by #29844 if it lands.

If the maintainer would rather land the broader #29844 (covers SIGPIPE restoration etc. too) that one supersedes this PR and I'll close it. If they prefer a narrow targeted fix while #29844 is still in review (it's been open since last fall with stale CI), this one is smaller and ships immediately.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/regression/issue/31158.test.ts`:
- Around line 77-82: Remove the harness-side watchdog: delete the
setTimeout(...) that assigns watchdog and calls proc.kill("SIGKILL") as well as
the clearTimeout(watchdog) usage so the test relies on the existing "await using
proc = Bun.spawn(...)" scoped cleanup and the outer test timeout instead; ensure
no leftover references to the watchdog variable remain.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 7a652d8c-4f42-47eb-9ef6-a54ce21cd981

📥 Commits

Reviewing files that changed from the base of the PR and between 76a38f7 and efe6944.

📒 Files selected for processing (1)

• test/regression/issue/31158.test.ts

[gogakoreli]

Thanks for the fast turnaround on this. The fix works — but stepping back, the layering is getting hard to follow:

1. SIGPWR was chosen because SIGUSR1 conflicts with npm packages (workaround Fix ?? operator  #1)
2. Go's setsigstack adds SA_ONSTACK to the SIGPWR handler during dlopen (external behavior you can't control)
3. This PR clears SA_ONSTACK after every dlopen (workaround Fix calling #private() functions in classes #2, patching around Fix ?? operator  #1)

This is a workaround for a workaround. The next runtime that does something unexpected to signal flags will need another repair_* function.

The real fix is what you mentioned as the follow-up: use the interrupted SP from ucontext in signalHandlerSuspendResume instead of currentStackPointer(). That makes the handler correct regardless of SA_ONSTACK, regardless of alt stacks, regardless of what any dlopen'd library does to signal flags. It's a one-line change that eliminates the entire class of bug.

Would it be feasible to ship the WebKit handler fix directly instead of (or alongside) this band-aid? Then the repair_jsc_gc_signal_after_dlopen code can be deleted — no per-dlopen scanning, no signal-number hardcoding, no comments explaining why a Rust function is clearing Linux signal flags after every library load.

Longer term, cooperative safepoint polling (V8's approach) would eliminate signal-based suspension entirely — but that's a bigger architectural change and the ucontext fix is sufficient.

[robobun]

You're right — shipping both is the cleanest landing. Opened oven-sh/WebKit#235 with the ucontext-SP fix; once the preview autobuild finishes (~1h) I'll bump WEBKIT_VERSION in this PR, delete repair_jsc_gc_signal_after_dlopen, and the same regression test exercises the real fix.

Agree on cooperative safepoint polling being the cleaner endgame — separate track, much bigger lift.

[claude]

I didn't find any bugs, but this rewrites process-wide signal disposition (SIGPWR) on a hot path that JSC's GC depends on, and there's an open call in the thread about landing this narrow fix vs the broader #29844 — both feel like they want a maintainer's eyes.

Extended reasoning...

Overview

The PR adds a post-dlopen repair step that reads the current sigaction for SIGPWR on Linux and clears SA_ONSTACK if a freshly-loaded shared library (Go cgo's runtime.setsigstack being the canonical case) added it. The repair is implemented in Rust (src/sys/lib.rs) with a C-ABI wrapper, called from both sys::dlopen (the bun:ffi path) and Process_functionDlopen in BunProcess.cpp (the process.dlopen path). A glibc-gated regression test reproduces the hang shape via bun:ffi + WASM without needing Go in CI.

Security risks

No injection, auth, or data-exposure surface. The change does mutate process-wide signal disposition for SIGPWR, which is the signal JSC uses to suspend threads for GC and code-cache flushes. The mutation is narrowly scoped (only clears one flag bit, only when it's set, only on Linux) and preserves the existing handler/mask/restorer, so the attack surface is minimal. The hardcoded SIGPWR = 30 is correct for x86_64/aarch64 (Bun's supported Linux targets).

Level of scrutiny

This warrants maintainer review rather than auto-approval. Signal handling that interacts with JSC's stop-the-world GC mechanism is exactly the kind of code where a subtle mistake produces hard-to-reproduce hangs or crashes, and the fix is explicitly framed as a stopgap pending a proper WTF-side fix. The regression test also embeds architecture-specific assumptions about glibc's userspace struct sigaction layout (sa_flags at offset 136) that hold on x86_64/aarch64 glibc but are worth a human glance.

Other factors

The author (robobun) explicitly surfaced an open decision in the thread: PR #29844 takes a broader snapshot-and-restore approach across all signals and would subsume this fix. A maintainer should decide whether to land this targeted patch now or wait for/prefer #29844. All CodeRabbit nitpicks have been addressed or reasonably declined, and no bugs were found by the bug-hunting system. CI build #56544 is in progress.

[robobun]

Ready for maintainer review (rebased on current main, WebKit pin cd821fec).

The fix is in WebKit: oven-sh/WebKit#235 makes JSC's signalHandlerSuspendResume read the interrupted thread's stack pointer from the ucontext instead of currentStackPointer(). That keeps GC thread-suspension working when a dlopen'd runtime (Go cgo's initsig, Mono, some JNI layouts) sets SA_ONSTACK on the handler; without it Thread::suspend() spins forever and the event loop dies. Fixes #31158 and #29843.

This PR is Bun-side only:

• scripts/build/deps/webkit.ts: WEBKIT_VERSION bumped to the WebKit#235 preview autobuild autobuild-preview-pr-235-3593e2cc, rebased on the current main pin cd821fec so the JSC/ICU ABI and artifact set match.
• test/regression/issue/31158.test.ts: glibc-only regression test. Passes with the fix, hangs to a 15s timeout without it.

WebKit#235 addresses all review feedback (the interruptedStackPointer() helper carries a sync note tying it to JSC::MachineContext::stackPointerImpl, since WTF can't include JSC headers and the per-arch SP accessors are duplicated).

To land this: merge oven-sh/WebKit#235, then pin WEBKIT_VERSION here to its merge commit. That's the same WebKit-PR-then-bump workflow as the recent #32437 / #32414 WebKit upgrades. Until then each main bump that touches WEBKIT_VERSION re-conflicts this line and needs a fresh preview rebase, and CI here stays red until the per-push preview tarball publishes. The regression proof is unchanged across rebases (same patch, newer base).

[claude]

No new issues at this revision, but the actual fix lives in oven-sh/WebKit#235 and this pins WEBKIT_VERSION to a preview-tag autobuild of that unmerged PR — a maintainer should sign off on landing main against a preview WebKit build (and confirm 0eedb192's parent is 963f8758c29e so nothing on WebKit main is dropped).

Extended reasoning...

Overview

The Bun-side diff is two files: a one-line WEBKIT_VERSION change in scripts/build/deps/webkit.ts (from the 40-char SHA 963f8758c29e… to the preview tag autobuild-preview-pr-235-0eedb192) and a new glibc-only regression test at test/regression/issue/31158.test.ts. The substantive fix — reading the interrupted thread's SP from ucontext in WTF's signalHandlerSuspendResume — is entirely in oven-sh/WebKit#235, which is not part of this repo and is not yet merged. The earlier Bun-side repair_jsc_gc_signal_after_dlopen band-aid was removed during review, so this PR now ships only the version pin and the test.

Security risks

None introduced by the Bun-side diff itself. The regression test does poke sigaction(SIGPWR, …) via bun:ffi inside a spawned child, but that's contained to the test subprocess and gated to glibc Linux. The real risk surface is the WebKit binary swap: changing which prebuilt JSC/WTF is linked affects every code path in the runtime, and I cannot inspect oven-sh/WebKit#235's diff from here.

Level of scrutiny

High. Although the textual diff is tiny, a WEBKIT_VERSION bump replaces the JS engine for every build. This particular bump points at a preview autobuild of an unmerged PR rather than a merged commit, which (a) the inline comment itself flags as temporary ("Swap back to the merged hash once #235 lands"), (b) breaks documented invariants in sync-webkit-source.ts and depVersionsHeader.ts (author acknowledged, accepted as temporary), and (c) requires trusting that 0eedb192 is genuinely rebased on 963f8758c29e so no intervening WebKit-main changes are silently dropped — the same class of concern I raised on an earlier tag. That's a maintainer judgment call, not a mechanical change.

Other factors

All prior inline comments (mine and CodeRabbit's) are resolved. The bug-hunting pass found nothing new at this revision. The regression test looks correct and well-scoped. The author has explicitly marked the PR "Ready for maintainer review" / "Needs a maintainer to merge," and there is an open question of whether to land this against the preview tag now or wait for oven-sh/WebKit#235 to merge and use the real SHA. Deferring to a human for that decision.