ffi: avoid copying the threadsafe callback wrapper on the calling thread

[Jarred-Sumner]

FFI_Callback_threadsafe_call runs on whatever thread the C library invokes the callback from, and captured the FFICallbackFunctionWrapper by value into the event-loop task, copy-constructing its two JSC::Strong members off the JS thread. This change makes the wrapper ThreadSafeRefCounted, captures a Ref<> in the task instead (an atomic increment), caches the ScriptExecutionContextIdentifier at construction time so the calling thread never reads through a Strong, and turns FFICallbackFunctionWrapper_destroy into a deref() so pending tasks keep the wrapper alive across JSCallback.close(). The wrapper is now non-copyable, so the by-value capture cannot come back.

Adds the first CI coverage for threadsafe JSCallbacks actually invoked from a foreign thread (via a TinyCC-compiled pthread fixture in cc.test.ts): one test delivers 200 invocations from a worker thread while the JS thread churns handle allocations, and one closes the callback while invocations are still queued and verifies they are all still delivered. These tests exercise and pin the new behavior; the underlying off-thread handle allocation was timing-dependent, so the change itself is verified by inspection (no JSC::Strong is constructed, copied, or destroyed off the JS thread on any reachable path) plus repeated local runs.

[robobun]

^{Updated 10:53 PM PT - May 24th, 2026}

✅ @Jarred-Sumner, your commit 5469dde536d82c7fdf2eb396bced08c050e605ed passed in Build #57587! 🎉

---

🧪   To try this PR locally:

bunx bun-pr 31332

That installs a local version of the PR into your bun-31332 executable, so you can run:

bun-31332 --bun

[coderabbitai]

Warning

Review limit reached

@Jarred-Sumner, we couldn't start this review because you've used your available PR reviews for now.

Your plan currently allows 2 reviews/hour. Refill in 26 minutes and 13 seconds.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more review capacity refills, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than trial, open-source, and free plans. In all cases, review capacity refills continuously over time.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: d7ada302-2b17-4331-ac84-6f643b7ca21f

📥 Commits

Reviewing files that changed from the base of the PR and between 49c97de and 5469dde.

📒 Files selected for processing (2)

• src/jsc/bindings/JSFFIFunction.cpp
• test/js/bun/ffi/cc.test.ts

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Found 2 issues this PR may fix:

1. Segfault when native code repeatedly invokes JSCallback({ threadsafe: true }) #28113 - Segfault when native code repeatedly invokes JSCallback({ threadsafe: true }) from a worker thread, with stack trace in the exact threadsafe callback path this PR fixes
2. bun:ffi JSCallback invoked from different thread crashing after a while #24529 - JSCallback invoked from a foreign thread with threadsafe: true crashes intermittently, consistent with the FFICallbackFunctionWrapper data race eliminated by this PR

If this is helpful, copy the block below into the PR description to auto-close these issues on merge.

Fixes #28113
Fixes #24529

🤖 Generated with Claude Code

[github-actions]

This PR may be a duplicate of:

1. fix(ffi): segfault when threadsafe JSCallback invoked from multiple native threads #28115 - Same fix: makes FFICallbackFunctionWrapper inherit from ThreadSafeRefCounted and captures Ref instead of copying by value, to avoid the JSC::Strong race condition off the JS thread

🤖 Generated with Claude Code

[claude]

The core change looks sound, but this reworks cross-thread lifetime/refcounting of JSC Strong handles and changes close() semantics (pending invocations now outlive close), so it warrants a human pass on the concurrency edges.

Extended reasoning...

Overview

This PR changes FFICallbackFunctionWrapper from a plain heap object to ThreadSafeRefCounted, replaces the by-value capture in FFI_Callback_threadsafe_call with a Ref<> capture, caches the ScriptExecutionContextIdentifier at construction so the foreign thread never dereferences a Strong, and turns FFICallbackFunctionWrapper_destroy into a deref(). It also adds the first foreign-thread JSCallback coverage via a TinyCC-compiled pthread fixture in cc.test.ts.

Security risks

None in the traditional sense (no auth/input parsing). The risk surface is memory safety: this is a concurrency fix in a path that previously copy-constructed JSC::Strong handles off the JS thread. The new design must guarantee the wrapper's destructor (which tears down two Strongs) only ever runs on the JS thread — that holds when the posted task runs, but the edge where postTaskTo drops the lambda without executing it (context teardown) is worth a human sanity check.

Level of scrutiny

High. This is hand-written cross-thread lifetime management against JSC GC internals (HandleSet), and it intentionally changes user-visible semantics: JSCallback.close() now lets already-queued threadsafe invocations run instead of (previously) racing/UAF. The new tests pin that behavior. The pthread ABI is also hand-redeclared in the TinyCC fixture (unsigned long for pthread_t), which is platform-fragile enough to deserve a second look for the macOS/musl cases.

Other factors

The reasoning in the PR description and inline comments is thorough and the change is small and well-targeted; I didn't find correctness bugs in the C++ beyond the considerations above. The only inline finding is a test-diagnostics nit. Given the concurrency subtlety and the semantic change to close(), deferring to a human reviewer rather than auto-approving.