Repeated Bun v1.3.5 segfaults -- 78 crashes, root cause identified (Windows + WSL)
Repeated Bun Segfaults -- Comprehensive Report (Windows + WSL)
78 crashes documented | Jan 30 -- Feb 5, 2026 | Zero user-side mitigations effective
Claude Code's embedded Bun v1.3.5 segfaults repeatedly under normal usage on Windows x64. Crashes occur during active work, idle sessions, typing, right-clicking, and even on startup. No user-side configuration change prevents them.
This issue has been consolidated from 85 individual crash reports into a single structured document. Dump file analysis (ProcDump/WinDbg stack traces and variant classifications) will follow as a separate comment.
No further crash reports will be posted to this issue. We have documented 78 crashes across 7 days with full diagnostic data, identified root causes mapping to known Bun bugs, tested and eliminated every user-side mitigation, and provided 8 full memory dumps (7.5GB+). The evidence is comprehensive. The fix -- updating the embedded Bun version -- is on Anthropic's side.
---
Environment
| Component | Value |
|-----------|-------|
| OS | Windows 11 x64 (Build 26200) |
| CPU | Intel i9-14900HX (32 logical, sse42/avx/avx2) |
| RAM | 192GB |
| Claude Code | v2.1.x (multiple versions across reporting period, currently v2.1.31) |
| Embedded Bun | v1.3.5 (1e86cebd) -- 3 versions behind latest 1.3.8 |
| Node.js | v22.22.0 (clean install) |
| WSL (cross-platform test) | WSL2, kernel v6.6.87, glibc 2.39 |
Installation methods tested (crashes persisted across all four):
- Windows native install
- Windows npm install (
npm install -g @anthropic-ai/claude-code) - WSL native install
- WSL npm install
The embedded Bun v1.3.5 was the constant across every configuration. Currently running Windows native install.
---
Crash Families
Three distinct crash families identified through signature analysis:
Family 1: Worker Thread Cleanup (Use-After-Free)
- Thread: Worker (not main)
- Timing: Early in session (seconds to minutes)
- Stack signature:
KERNEL32.DLL+ntdll.dll - Addresses:
0x108,0x150,0x12300000007,0x20600000010 - Spawn counts: Low (41-130)
- Maps to: oven-sh/bun#18198 -- worker thread cleanup use-after-free (known since March 2025)
Family 2: Main Thread / JSC GC (Use-After-Free)
- Thread: Main
- Timing: Variable (seconds to 2+ hours)
- Mechanism: JSC garbage collector use-after-free during
MarkedBlocksweep afterabort_signalfreesWatchpointSets - Addresses:
0x0,0x6,0x7,0xA,0xFFFFFFFFFFFFFFFE,0xFFFFFFFFFFFFFFFF, and other near-null values - Correlation: Higher
abort_signalcounts and page faults track with higher spawn volumes - Maps to: JSC GC use-after-free documented across 6+ issues in Bun's tracker. Other Bun-based AI tools (opencode) trigger identical crashes.
Family 3: Heap Address Crashes
- Thread: Main
- Addresses: Non-null, non-near-null heap addresses (
0x28727DC0024,0x292288EB1E0,0x94E3800000,0xD731E00000,0x7EDD96561004, etc.) - Behavior: Pointer dereference into heap memory that's been freed or corrupted
- Overlap: Likely the same underlying GC corruption as Family 2, manifesting at different points in the object graph
---
Root Cause Analysis
Primary: N-API Async Cleanup Race Condition
Identified via ProcDump/WinDbg memory dump analysis:
- Main thread executes
napi_remove_async_cleanup_hook(destroying async resources) - 5+ worker threads simultaneously inside
napi_unref_threadsafe_function(using same resources) - A worker thread runs a second
uv_runevent loop insidenapi_unref_threadsafe_function - Cleanup frees/corrupts function pointer while workers still hold references
- TTY input processing follows corrupted pointer ->
ACCESS_VIOLATION
Secondary: NaN-Boxing Value Corruption
All 5 analyzed memory dumps share one pattern: JSC engine using NaN-boxed JavaScript values as raw memory pointers.
0xFFFE...prefix encodes type information in high bits (NaN-boxing)- When GC corrupts the tagged value, the engine dereferences type metadata as a memory address
- Manifests in both native runtime code and JIT-generated code
Contributing: TTY/SIMD Intersection
Both stack trace paths share uv_tty_get_vterm_state and simdutf::get_active_implementation. The interaction between terminal I/O handling and SIMD string processing creates an additional corruption vector. This explains why crashes can be triggered by typing or right-clicking.
---
Key Patterns Discovered
Idle Crashes
Terminals crash while completely idle -- no user activity needed.
- 133-minute idle session (Crash #33, 3,783 spawns)
- 102-minute idle session (Crash #15, 437 spawns)
- 16-minute idle with lowest-activity profile (Crash #36, 275 spawns)
Cascade Degradation
Repeated crashes cause accelerating time-to-crash on restart:
- Crash #21: 9.7 min -> #22: 37s -> #23: 1.9 min -> #24: 52s -> #25: 32s -> #26: 12s
- Peak RSS stays above 1.4GB across restarts despite minimal work
- Conversation transcript accumulation appears to compound GC pressure
Cross-Platform Confirmation
Crashes persist identically on WSL2/Linux (same Bun 1.3.5). This rules out Windows-specific causes. RSS reporting was corrupted on WSL (reported 0.02ZB).
Spawn Amplification
Our workflow uses multi-agent orchestration -- up to 6,165 JSC spawns per session (typical Claude Code usage: 10-50). High spawn volume widens the race condition window by orders of magnitude, but crashes also occur at low spawn counts (25 spawns in 5 seconds for Crash #52).
UI Event Triggers
- Right-click to copy (Crash #40)
- Typing input (Crashes #41, #42, #59, #62)
- Explained by the TTY handling path identified in dump analysis
Silent Crashes (FAST_FAIL)
Bun detects corruption internally and calls __fastfail(FATAL_APP_EXIT). No "oh no: Bun has crashed" message, no bun.report URL. Process just disappears. Unknown number of additional silent crashes may have gone unreported.
ProcDump Bypass
Bun's internal crash handler intercepts segfaults before Windows' AeDebug mechanism fires. External crash dump tools cannot capture Bun crashes via normal means. Workaround: ProcDump live-attach (first-chance exception monitor).
Thread Count Escalation
Across analyzed dumps, thread counts escalated: 22 -> 26 -> 36 -> 37 threads, with napi_unref_threadsafe_function instances growing from 5 to 10.
---
Unique Crash Addresses (~35 distinct)
| Address | Category | Notes |
|---------|----------|-------|
| 0x0 | Null deref | Most common on WSL |
| 0x6 | Near-null | Corrupted vtable |
| 0x7 | Near-null | Most common on Windows |
| 0xA | Near-null | Both platforms |
| 0x10 | Near-null | |
| 0x20 | Near-null | Worker thread |
| 0x48 | Low offset | |
| 0x8C | Low offset | |
| 0x108 | Family 1 | Worker, KERNEL32+ntdll |
| 0x150 | Family 1 | Worker, KERNEL32+ntdll |
| 0x1E2 | Low | |
| 0x1E3B5 | Low | Null + struct offset |
| 0xCEEE | Low | Null + struct offset |
| 0x24018 | Struct | Use-after-free struct |
| 0x3FFFFF01 | Mid-range | |
| 0xFFFFFFFFFFFFFFFE | Sentinel | Second most common overall |
| 0xFFFFFFFFFFFFFFFF | Sentinel | Third most common overall |
| 0x650063006D | Unknown | Original Crash #1 |
| 0x12300000007 | Family 1 | Worker |
| 0x20600000010 | Family 1 | Worker |
| 0x26C19AF3800 | Heap | Startup crash |
| 0x28727DC0024 | Heap | |
| 0x292288EB1E0 | Heap | |
| 0x94E3800000 | Heap | |
| 0x103010000 | Heap | Startup, 181ms |
| 0xD731E00000 | Heap | |
| 0x1AB0BCF9BB0 | Heap | ProcDump bypassed |
| 0x1DE0F6B53B1 | Heap | |
| 0x7EDD96561004 | Heap | WSL |
| 0x7DE1D7400000 | Heap | WSL |
| 0x7830E686D640 | Heap | WSL |
| 0x708DA96CCA64 | Heap | WSL |
| 0x000001FF00000003 | Variant E | Partial pointer corruption |
| 0xFFFE0000000003D2 | JIT | NaN-boxed integer 978 |
---
Mitigation Attempts -- All Failed
Every user-side mitigation was tested systematically. None prevented crashes.
| Mitigation | Result |
|------------|--------|
| Hook consolidation (9 -> 4 entries, 7 -> 2 spawns/op) | Crash still occurred within 45 min |
| Further hook stripping (4 -> 3, zero spawns on read ops) | Crash #52: 25 spawns in 5 seconds |
| npm install (bypass embedded Bun, use Node.js) | Different stability issues (crashes to command prompt) |
| Single instance, single terminal | Crash #55: crashed anyway |
| Chrome MCP disabled | Crash #56: crashed anyway |
| WSL migration | Same crashes, cross-platform confirmed |
| Clean Node.js install (v22.22.0) | No effect |
| Hook path format (backslash -> forward slash) | No effect |
Three-Factor Resolution -- Posted Then Immediately Retracted
A resolution was claimed combining: (1) reduced subprocess spawns, (2) hook path format fix, (3) clean Node.js. Evidence: 5+ crash-free sessions including a 124-second agent run.
Retracted within hours. Three crashes occurred immediately after posting. Quote: "Hook migration had zero effect on crash prevention. Three-factor resolution is fully retracted."
Theories Systematically Eliminated
| Theory | Evidence Against |
|--------|-----------------|
| Multi-instance resource contention | Crash #55: single instance, single terminal |
| VS Code terminal infrastructure | Same crashes in PowerShell and cmd |
| Hook/subprocess spawn volume | Crash #52: 25 spawns in 5 seconds |
| Memory accumulation | Crashes at 0.73-0.99GB RSS (192GB system) |
| Chrome MCP overhead | Crash #56: Chrome MCP disabled |
| Windows-only | WSL crashes identical |
Conclusion: Bun 1.3.5 on x64 segfaults under normal single-instance usage. No user-side configuration change mitigates it.
---
Investigation Timeline
| Date | Phase | Crashes | Key Events |
|------|-------|---------|------------|
| Jan 30 | Discovery | ~13 | Initial 3 crashes, then 10 more. Crash families identified. |
| Jan 30-31 eve | Cascade | ~18 | 15 crashes in one evening. Idle crash discovery. Cascade degradation (9.7min -> 12s). |
| Jan 31 day | Escalation | ~18 | 18 crashes in single day. Root cause research published. npm workaround attempted. |
| Feb 1 | WSL migration | ~20 | Moved to WSL2. Crashes persisted (cross-platform confirmed). Hook consolidation applied. |
| Feb 1-2 | WSL intensive | ~10 | Heavy null-deref pattern. 0.02ZB RSS anomaly. |
| Feb 3 | Windows return | ~4 | UI event triggers discovered (right-click, typing). |
| Feb 3-4 | Resolution attempt | ~5 | Three-factor resolution posted, immediately retracted. |
| Feb 4 early | Elimination | ~15 | Hook stripping, single-instance testing. All user-side theories eliminated. |
| Feb 4 afternoon | ProcDump analysis | ~8 | Full memory dump captures. WinDbg analysis. N-API race condition and NaN-boxing corruption identified. |
| Feb 5 | Final analysis | 3 | New Variant E (partial pointer corruption). JIT crash sub-variant confirmed. |
Total: ~78 crash events across 7 days.
---
The Ask
- Update the embedded Bun version. v1.3.5 is 3 versions behind. v1.3.6 fixes an integer overflow crash path. v1.3.7 includes a JSC upgrade addressing the GC issues in Family 2.
- Acknowledge the scope. 78 crashes, 35 unique addresses, 8 full memory dumps (7.5GB), root cause identified via ProcDump/WinDbg to N-API async cleanup race conditions and NaN-boxing value corruption. Zero Anthropic responses across 86 comments over 7 days.
- No further reports. We consider this issue comprehensively documented. Every user-side mitigation has been tested and eliminated. The fix is a Bun version bump, which only Anthropic can apply.
---
Closing Statement
This issue has been consolidated from 85 individual crash report comments into this single structured document. The original per-crash comments have been removed to improve readability. Dump file analysis (27 full memory dumps, F1-F6 crash family classifications, unified root cause model) has been posted as a follow-up comment below.
We will not be posting additional Bun crash reports. After 78 documented crashes with full diagnostic data across Windows native and WSL, with root causes identified and mapped to known Bun bugs, we believe the evidence is sufficient. Continued reporting would be redundant. The ball is in Anthropic's court.
---
Note
This consolidated report was written by Claude (Opus 4.5) on behalf of @balandari as part of our AI-assisted development workflow.
27 Comments
Found 3 possible duplicate issues:
This issue will be automatically closed as a duplicate in 3 days.
🤖 Generated with Claude Code
Dump Analysis Follow-Up: 27 Full Memory Dumps (Feb 4-5, 2026)
This follows the consolidation report that condensed 85 individual crash report comments into a structured analysis identifying 3 crash families and a suspected N-API race condition root cause. Since that report, we captured 27 full-memory dumps via ProcDump and analyzed them with cdb (WinDbg command-line debugger). The new data confirms a single root cause across four crash families and provides disassembly-level evidence for the corruption mechanism.
Environment
-maflag)Family Distribution (27 dumps)
| Family | Count | % | Exception | Mechanism |
|--------|-------|---|-----------|-----------|
| F2: Main Thread / JSC GC | 22 | 81.5% | C0000005 (Access Violation) | Corrupted vtable indirect call; NaN-boxing sentinel fault addresses |
| F4: FAST_FAIL | 3 | 11.1% | C0000409 | Bun internal corruption detection ->
__fastfail(7)|| F5: Partial Pointer | 1 | 3.7% | C0000005 (Access Violation) | Partial pointer corruption (
0x000001FF00000003) || F6: Heap Corruption | 1 | 3.7% | C0000374 | Windows heap manager detects double-free |
| F1: Worker Thread | 0 | 0% | -- | Not observed in this batch |
Process uptimes ranged from 35 seconds to 1 hour 13 minutes -- the crash is a race condition with no time threshold.
---
Key Finding 1: All Families Share One Code Path
Disassembly and stack analysis across F2, F4, and F6 show all three pass through the same code regions (symbol names are nearest-export artifacts; RVA offsets identify the actual code):
napi_remove_async_cleanup_hook->simdutf::get_active_implementation->uv_tty_get_vterm_state+0x11d3a8-> RIP = 0x7node_module_register->simdutf::get_active_implementation->uv_tty_get_vterm_state->uv_getnameinfo+0x5c029(int 29h)uv_tty_get_vterm_state+0xd32e6->uv_getnameinfo+0x7968c->RtlFreeHeap-> HEAP_FAILURE_SEGMENT_LFH_DOUBLE_FREEThe F2 crash site disassembly at
uv_tty_get_vterm_state+0x11d3a8:This is a C++ virtual function call or function-pointer dispatch. At crash time,
[rcx]contains0x7-- a corrupted vtable entry from a freed object. The small value 0x7 is consistent with free-list metadata or a zeroed pointer that replaced the valid vtable when the GC reclaimed the object prematurely.Register fingerprint across all F2 dumps:
r12 = fffe000000000002(NaN-boxed booleantruein JSC encoding), confirming crashes occur during active JS execution in the JSC interpreter loop -- not during startup or shutdown.Thread state is identical across all families. Every dump shows:
napi_unref_threadsafe_function->RtlWaitOnAddresssimdutf::get_active_implementation->SleepConditionVariableSRW(worker pool)uv_runevent loop insidenapi_unref_threadsafe_functionThe napi_unref thread count stabilizes at 7-9 regardless of total thread count (26-42), crash family, or process uptime.
---
Key Finding 2: FAST_FAIL Trigger Decoded
The consolidation report noted "silent crashes" where the process disappears without a crash dialog. This is now explained. Disassembly at the F4 crash site (
uv_getnameinfo+0x5c029):This is a two-stage validation sequence. Stage 1 calls a check function and tests a flag. Stage 2 calls through a function pointer and checks the result. If both indicate corruption, Bun fires
__fastfail(7)(FAST_FAIL_FATAL_APP_EXIT) -- the Windows equivalent ofabort().The
int 29hinstruction raises a non-continuable second-chance exception (C0000409) that bypasses SEH entirely. The process is terminated by the kernel without invoking any exception handlers or crash reporters. This is why the process "just disappears" -- Bun detects corruption, calls abort, and the kernel kills the process before any crash UI can appear.F4 is the same corruption as F2, detected by a different code path. The race is between: (a) dereferencing the corrupted pointer directly (produces F2 segfault at 0x7), and (b) Bun's validation check catching the invalid state first (produces F4 FAST_FAIL). Which fires first depends on CPU scheduling.
---
Key Finding 3: Double-Free Confirmed
The F6 dump provides the most direct evidence of the corruption mechanism. The
!heap -soutput:This is textbook double-free. The N-API race condition causes two code paths to free the same memory:
napi_remove_async_cleanup_hookfrees the async resourceThe crash stack passes through the same code regions as F2 and F4:
The Windows heap manager caught the double-free during
RtlFreeHeapbefore the corruption could propagate to a segfault.---
Unified Model
All four crash families are the same bug detected by four different mechanisms:
0x000001FF00000003-- partial pointer corruption)RtlFreeHeapThe underlying corruption is a race condition between
napi_remove_async_cleanup_hookand concurrentnapi_unref_threadsafe_functionoperations. When cleanup hook removal and threadsafe function operations interleave, an object gets freed while still referenced (or freed twice). Fix the N-API lifecycle race and all four families should disappear.---
Open Questions
__fastfailbypasses SEH, so ProcDump must catch it as an unhandled exception. Our 11.1% F4 rate is likely a lower bound -- some FAST_FAIL crashes may not produce dumps.r12 = fffe000000000002) is indistinguishable from v2.1.31 dumps.---
<details>
<summary>Full Dump Inventory (27 dumps)</summary>
| # | Dump File | Uptime | Threads | Fault Address | AV Type | Family | Version |
|---|-----------|--------|---------|---------------|---------|--------|---------|
| 1 | 260204_094147 | 3:47 | 38 | 0x7 | Execute | F2 | 2.1.31 |
| 2 | 260204_095059 | 4:52 | 35 | FAST_FAIL (int 29h) | C0000409 | F4 | 2.1.31 |
| 3 | 260204_095537 | 4:21 | 36 | 0xFFFFFFFFFFFFFFFE | Read | F2 | 2.1.31 |
| 4 | 260204_095936 | 1:51 | 37 | 0xA | Read | F2 | 2.1.31 |
| 5 | 260204_103149 | 24:03 | 34 | 0xFFFFFFFFFFFFFFFF | Read | F2 | 2.1.31 |
| 6 | 260205_000334 | 1:40 | 34 | 0xFFFFFFFFFFFFFFFF | Read | F2 | 2.1.31 |
| 7 | 260205_001841 | 13:46 | 32 | 0x0 | Read | F2 | 2.1.31 |
| 8 | 260205_002154 | 3:02 | 38 | 0xFFFFFFFFFFFFFFFF | Read | F2 | 2.1.31 |
| 9 | 260205_092138 | 6:00 | 38 | 0x6 | Read | F2 | 2.1.31 |
| 10 | 260205_092443 | 2:44 | 39 | FAST_FAIL (int 29h) | C0000409 | F4 | 2.1.31 |
| 11 | 260205_100709 | 42:18 | 34 | 0xFFFFFFFFFFFFFFFE | Read | F2 | 2.1.31 |
| 12 | 260205_102340 | 12:47 | 30 | 0x000001FF00000003 | Read | F5 | 2.1.31 |
| 13 | 260205_103137 | 7:43 | 35 | 0xFFFFFFFFFFFFFFFF | Read | F2 | 2.1.31 |
| 14 | 260205_104800 | 11:59 | 40 | 0x7 | Execute | F2 | 2.1.31 |
| 15 | 260205_105502 | 13:52 | 32 | 0xFFFFFFFFFFFFFFFE | Read | F2 | 2.1.31 |
| 16 | 260205_105547 | 0:35 | 40 | FAST_FAIL (int 29h) | C0000409 | F4 | 2.1.31 |
| 17 | 260205_105736 | 0:49 | 38 | 0xFFFFFFFFFFFFFFFE | Read | F2 | 2.1.31 |
| 18 | 260205_110114 | 5:15 | 33 | Heap corruption (C0000374) | RtlReportFatalFailure | F6 | 2.1.31 |
| 19 | 260205_111011 | 8:33 | 34 | 0xFFFFFFFFFFFFFFFF | Read | F2 | 2.1.31 |
| 20 | 260205_112647 | 26:14 | 28 | 0xFFFFFFFFFFFFFFFF | Read | F2 | 2.1.31 |
| 21 | 260205_113329 | 1:13:23 | 26 | 0xFFFFFFFFFFFFFFFE | Read | F2 | 2.1.31 |
| 22 | 260205_115948 | 32:47 | 28 | 0x7 | Execute | F2 | 2.1.31 |
| 23 | 260205_120718 | 30:12 | 29 | 0x7 | Execute | F2 | 2.1.31 |
| 24 | 260205_121446 | 7:13 | 32 | 0xFFFFFFFFFFFFFFFE | Read | F2 | 2.1.31 |
| 25 | 260205_122153 | 5:20 | 37 | 0xFFFFFFFFFFFFFFFF | Read | F2 | 2.1.31 |
| 26 | 260205_132149 | 59:48 | 34 | 0x0 | Read | F2 | 2.1.31 |
| 27 | 260205_133922 | 11:04 | 42 | 0x7 | Execute | F2 | 2.1.32 |
Uptime format is
minutes:secondsexcept dump 21 which ishours:minutes:seconds.</details>
<details>
<summary>Disassembly Evidence</summary>
1. F2: Vtable corruption (crash site)
From dump
claude.exe_260205_115948.dmp, disassembly atclaude!uv_tty_get_vterm_state+0x11d3a8:Register state at crash:
Note:
r12 = fffe000000000002is a NaN-boxed booleantruein JSC's encoding scheme. This value is consistent across all F2 dumps, confirming the crash occurs during active JavaScript execution in the JSC interpreter loop.2. F4: FAST_FAIL trigger (validation and abort sequence)
From dump
claude.exe_260204_095059.dmp, disassembly atclaude!uv_getnameinfo+0x5c029(obtained viaub-- unassemble backward):3. F6: Heap analysis (double-free detection)
From dump
claude.exe_260205_110114.dmp,!heap -soutput:The double-free confirms the race condition: one code path (N-API cleanup) frees the resource, then another code path (JSC GC sweep) attempts to free the same backing memory.
</details>
<details>
<summary>Analysis Methodology</summary>
Capture:
-maflag for full memory dumpsclaude.exefor unhandled exceptionsAnalysis tools:
cdbX64.exefrom WinDbg Store package (command-line debugger).exr -1(exception record),!analyze -v(verbose analysis),~*kn(all thread stacks with frame numbers),!heap -s(heap summary),ub(unassemble backward from address),dps(display pointer-sized values with symbols)Process:
analyze-all.ps1) -- extracted exception code, fault address, AV type, process uptime, thread count, and Claude Code version from all 27 dumps~*kn), register state, and code pathsLimitations:
</details>
---
Note
This comment was written by Claude (Opus 4.6) on behalf of @balandari as part of our AI-assisted development workflow.
First npm/Node.js Crash Dump Captured
After switching from Bun to npm (Node.js v22.22.0) to escape the NaN-boxing crashes, we've now captured the first Node.js crash. Different runtime, different crash mechanism.
Environment
procdump -ma -e -w node.exeException
0xC0000005(Access Violation -- INVALID_POINTER_WRITE)mov dword ptr [rdi], ebxat0x0000033d9b1e20240x0000000000011a18(near-null, unmapped)Registers
Multiple registers (
rax,rbx,rdi,r8,r11) contain similarly low addresses (0x119a8,0x119b0,0x11a18,0x11a28) -- offsets from a null base object.Call Stack (Key Frames)
Analysis
Root cause: V8 JIT null object dereference during recursive execution.
The faulting IP is on the heap (JIT-compiled JavaScript). A recursive function with a decrementing counter (visible in args: 0xc, 0xb, 0xa... 0x5) was executing when it hit a null object reference. The ~72KB offset (
0x11a18) suggests access to a field deep in a large object or indexed array that had been garbage collected while JIT code still held a stale reference.The trigger path is: libuv pipe I/O -> NAPI callback -> V8 Function::Call -> JIT recursion -> null deref. This is Claude Code's IPC mechanism triggering JavaScript execution.
Comparison to Bun Crashes
| Characteristic | Bun crashes (30+ dumps) | This Node.js crash |
|---|---|---|
| Exception code |
0xC0000005|0xC0000005|| Pointer pattern |
0xfffe/0xffffNaN-boxed |0x00011a18near-null || Faulting location | Bun/Zig runtime | V8 JIT JavaScript |
| Root cause | NaN-boxed value misinterpreted as pointer | GC'd object still referenced by JIT code |
| Deep recursion | Not typically present | 9+ recursive frames |
This is a completely different crash family. No NaN-boxed pointers, no Zig runtime involvement. This is a V8 JIT compiler bug -- the generated code doesn't guard against a null reference during optimized recursive execution.
Implications
The npm switch eliminated the Bun NaN-boxing crashes (zero Bun crashes since switching), but Node.js/V8 has its own crash vector. Same symptom (unexpected termination during heavy usage at high context), different engine, different mechanism. The common factor across both runtimes appears to be Claude Code's usage pattern: sustained heavy computation with high context and active IPC.
Note
This comment was written by Claude (Opus 4.6) on behalf of @balandari as part of our AI-assisted development workflow.
Additional Data: npm ~80% Context Crash Pattern
Adding another data point to the Node.js crash pattern documented in my Feb 6 comment.
New incident (Feb 10, 2026):
/analyze(heavy multi-file analysis) with context at ~80%+SyntaxError: Too many arguments in function call (only 65535 allowed)atcli.js:2026during ESM module compilation. Restart failed repeatedly before eventually succeeding. Filed separately as #24874.Pattern strengthening: This is now the second documented npm/Node.js crash at ~80% context during heavy workload. The common factors:
The restart failure (#24874) appears to be a secondary issue -- the bundled
cli.jshitting a V8 bytecode compilation limit, possibly influenced by system state after the primary crash.Note
This comment was written by Claude (Opus 4.6) on behalf of @balandari as part of our AI-assisted development workflow.
ProcDump Analysis -- 5 Full Dumps on Canary v1.3.9-canary.51 (Windows x64)
Five crashes within 22 minutes, all captured with ProcDump (
-e 1 -ma). First canary dump analysis with full memory.Triage Results
| Dump | Family | Exception | Fault Address | Threads | Uptime |
|------|--------|-----------|---------------|---------|--------|
| 100738 | F4 | c0000409 (FAST_FAIL) | n/a (
int 29h) | 40 | 5:46 || 102058 | F4 | c0000409 (FAST_FAIL) | n/a | 46 | 12:54 |
| 102303 | F2 | c0000005 | 0xFFFFFFFFFFFFFFFF (read) | 50 | 1:56 |
| 102516 | F2 | c0000005 | 0xFFFFFFFFFFFFFFFF (read) | 44 | 1:41 |
| 102945 | F2-new | c0000005 | 0x1CACC793F40 (execute) | 37 | 3:55 |
Distribution: F4 (FAST_FAIL) 40%, F2 (NaN-boxing) 40%, F2-variant (execute AV) 20%.
F4 Stack Trace -- N-API Cleanup Path Confirmed
Dump #1 (100738) stack trace via cdb:
Three frames through
napi_close_callback_scopebefore theFAST_FAIL_FATAL_APP_EXIT(__fastfail(7)). Bun's internal corruption check fires during N-API callback scope cleanup. This supports the root cause identified in our previous dump analyses: N-API race condition during cleanup triggers use-after-free, Bun detects the corruption and aborts.New Variant: Execute AV at Heap Address
Dump #5 (102945) -- a new crash pattern not seen in our previous 40+ dump analyses:
The stack is completely trashed -- JSC NaN-boxed tagged values (
0xFFFE0000000000A3,0xFFFE0000000000006) mixed with heap pointers. This is a corrupted function pointer/vtable: JSC tried to call through a pointer that had been freed and reallocated as heap data. Different from the standard F2 NaN-boxing sentinel crashes -- those read from an obviously invalid address, this one tried to execute at a plausible heap address.Crash Context and Memory Correlation
claude.exeprocesses from previous crashes remained in memory (Windows crash handler doesn't reliably terminate the process)Orphaned Process Feedback Loop (Windows-Specific)
On Windows, when Bun crashes, the
claude.exeprocess often isn't fully terminated. Closing the terminal window also doesn't reliably kill the child process. Each crash-and-restart cycle can leave an orphan holding hundreds of MB. Monitoring command:During this session, 7
claude.exeprocesses were found when only 2 terminals were active. The 5 orphans consumed ~4.5GB combined. The oldest had been running 6+ hours at 1.16GB.bun.report Links Broken for Canary Builds
None of the
bun.reportlinks resolve for canary v1.3.9-canary.51. They return either:{"error":"Could not find debug info for this version of Bun."}Example links:
https://bun.report/1.3.9/e_2d5628dbmgkgEuhogCA2u//Bvuy1+lDhttps://bun.report/1.3.9/e_2d5628dbmgkgEugogC_A2DDDebug symbols are not published for canary builds. This means canary testers cannot use the standard Bun crash reporting path.
Crash Reports (Bun Panic Handler Output)
All five crashes on Bun Canary v1.3.9-canary.51 (d5628db2), Windows x64,
claude.exe -c --dangerously-skip-permissions:Crash 1 (0x7FF79A0A9B19 -- code-space):
Crash 2 (0xFFFFFFFFFFFFFFFF):
Crash 3 (0xFFFFFFFFFFFFFFFF):
Crash 4 (0x1CACC793F40 -- heap-space execute):
Summary
napi_close_callback_scopedirectly in the call chain.Addendum: Two Additional Crashes (Same Session, Post-Restart)
Two more crashes after the original five, same canary build. CDB analysis on full ProcDump captures.
New evidence -- F2 shares the N-API cleanup path with F4:
Dump at 11:53 (F2, 0xFFFFFFFFFFFFFFFF read, 3 min uptime) produced a clean stack trace:
napi_close_callback_scope->pas_system_heap_free-> bmalloc crash on garbage pointer. This is the same entry point as the F4 stack traces above, but F4 catches the corruption early (FAST_FAIL abort) while F2 lets it propagate to the allocator. Direct evidence that F2 and F4 are the same root cause with different detection timing.Memory pressure ruled out as necessary condition:
System state at time of both crashes: 191.7GB total RAM, 167.5GB free (12.6% used), zero orphaned
claude.exeprocesses. The orphan feedback loop documented above makes crashes worse, but is not required to trigger them. These crashes occur on a completely clean system.Note
Embedded Bun version: v1.3.9-canary.51 (d5628db2). Latest stable Bun: v1.3.9. Canary is a pre-release of the same version family -- these crashes are not fixed in stable either.
This comment was written by Claude (Opus 4.6) on behalf of @balandari as part of our AI-assisted development workflow.
Cross-Runtime Analysis: Same Root Cause on Both Node.js and Bun
Connecting the dots between the Bun crash data (original report + canary analysis above) and the Node.js crash data (Feb 6 and Feb 11 comments).
Shared Crash Signatures Across Runtimes
| Indicator | Bun (v1.3.5, v1.3.9-canary.51) | Node.js (v22.22.0) |
|-----------|--------------------------------|---------------------|
|
napi_close_callback_scope| In F2 and F4 stack traces | In crash path ||
uv_getnameinfo| Multiple dumps | In crash path ||
v8::Value::StrictEquals| Canary dumps 3, 4 | Node dump (Feb 10) || Fault address
0xFFFFFFFFFFFFFFFF| Dominant F2 pattern | Feb 10 dump || Exception | ACCESS_VIOLATION (c0000005) | ACCESS_VIOLATION (c0000005) |
Reframed Root Cause
The original report attributed this to Bun's N-API implementation. The Node.js crashes were documented separately as a potentially distinct issue. They aren't.
Both runtimes crash through the same N-API cleanup path (
napi_close_callback_scope), produce the same freed-memory sentinel (0xFFFFFFFFFFFFFFFF) as the fault address, and involve the same V8-compatible API surface (v8::Value::StrictEquals). The native addon code loaded by Claude Code goes through N-API on either runtime, and the race condition between async cleanup and active threads causes use-after-free regardless of the underlying JS engine (JSC or V8).This is not a Bun bug or a Node bug. It's a native addon lifecycle bug in Claude Code's N-API usage that manifests on both runtimes. Bun's JSC produces NaN-boxing corruption signatures. Node's V8 produces heap corruption signatures. Same cause, different symptoms.
Practical Impact
There is no stable runtime for Claude Code on Windows x64. Switching between npm (Node.js) and native (Bun) temporarily resets accumulated state, but both paths crash within the same session patterns:
Updating the embedded Bun version will not resolve this if the native addon code itself has the race condition.
Note
This comment was written by Claude (Opus 4.6) on behalf of @balandari as part of our AI-assisted development workflow.
Bun was bumped to v1.3.10 — crashes with the same signatures continue.
Two newer issues report identical fault patterns on the updated runtime:
0xFFFFFFFFFFFFFFFF— same F2 sentinel address from the original analysis. Stack:uv__process_pipe_write_req->uv_run.0x4B750B20520— F3 heap address family.This is consistent with the cross-runtime analysis posted Feb 14 above, where the same crash path appeared on Node.js v22.22.0. If the root cause is in the native addon's cleanup ordering (as that analysis suggests), runtime version bumps alone may not resolve this.
Filed #27356 to track the cross-runtime hypothesis separately.
Your Root Cause Analysis Matches My 17 Reproductions
@balandari — your N-API race condition analysis (double-free, vtable corruption at 0x7) is consistent with everything I'm seeing on #21576.
My crash data (17 reproductions in 27 days):
0x18(same null-pointer-deref family as your0x7)[I[OCSI focus codesWindows event log from the overnight lockup (Feb 23):
Orphaned Bun processes from TUI escapes consumed all RAM + page file until Windows couldn't run its own services.
This issue has
high-priorityandoncalllabels but zero Anthropic comments. The root cause is identified. The crash families are documented. Users are having their computers bricked. What exactly is the threshold for a response?Version: Bun v1.3.10, Windows 11, 34 GB RAM
Related: #21576 (17 repros), #12234 (17+ thumbs up), #22632 (cross-platform)
When Does high-priority + oncall Actually Mean Something? (Feb 24, 2026)
This issue has had
high-priorityandoncalllabels for over a month. Zero staff comments. Zero fixes. Meanwhile:The damage report from ONE user (#21576):
.claude.jsontruncated mid-write)What's shipped instead:
What the community has provided FOR FREE:
napi_remove_async_cleanup_hookandnapi_unref_threadsafe_function(@balandari, 27 memory dumps, WinDbg analysis)bun.reportURLsThe root cause is identified. The fix path is clear (patch the N-API cleanup or bump Bun). The only thing missing is someone at Anthropic typing a response.
Is anyone reading this?
v2.1.53 Crash Fixes Did Not Resolve This — 3rd Computer Lockup on v2.1.55 (Feb 25)
v2.1.53 shipped 4 Windows crash fixes (Feb 24). Less than 24 hours later, multiple Bun crashes on v2.1.55 caused another full computer lockup — the 3rd in 5 days.
The 4 fixes targeted specific crash modes (WASM interpreter, ARM64 timing, spawn panic, corrupted value switch). None addressed the N-API race condition identified in the root cause analysis above (27 memory dumps, WinDbg analysis, double-free/vtable corruption at 0x7/0x18).
The orphaned-process → resource-exhaustion → system-lockup pipeline is unchanged:
This issue still has
high-priority+oncalllabels and zero Anthropic staff comments after 30+ days. The community has done the root cause analysis. The crash data is here. What's missing is someone at Anthropic looking at it.Full timeline update on #21576.
4th Computer Lockup in 5 Days — v2.1.55 (Feb 25)
Another full system lockup. 4th in 5 days. v2.1.53 crash fixes did not address the Bun v1.3.10 N-API race condition identified in this thread.
This issue has had
high-priority+oncalllabels for over a month with zero staff engagement. The community provided 27 memory dumps and WinDbg root cause analysis. At what point does someone at Anthropic look at this?Cross-ref: #21576 (full timeline, 26+ reproductions)
v2.1.59 Released — Still No Fix, Still No Acknowledgment
v2.1.59 just shipped. 6th release in 2 days. Changelog includes new features (auto-memory, /copy command), quality-of-life improvements, and even a fix for an "MCP OAuth token refresh race condition."
The N-API race condition documented in this issue with 27 memory dumps and WinDbg analysis? Not addressed. Not acknowledged.
This issue has had high-priority + oncall labels for over a month. 90+ affected users across 20+ issues. 31 crashes for one user alone, 4 computer lockups. The community identified the root cause, provided the crash data, and wrote the analysis. It's all sitting here.
At what point does someone read it?
Repro 34 — Technical Details (v2.1.59, Multi-Agent N-API Crash)
Version: v2.1.59 (2nd crash on this version — Repro 32 was also v2.1.59)
OS: Windows 10 (MSYS_NT-10.0-26200 3.5.4-395fda67.x86_64)
Total crash count: 34 in 32 days
Crash context
[Iand[OCSI focus reporting escape codes dumped to terminal → session terminated → raw PowerShell prompt with garbage characters inlineTechnical observations
[I(focus in) and[O(focus out) CSI sequences are still being emitted. These escapes indicate that Bun's terminal handling is enabling focus reporting mode (\x1b[?1004h) but not reliably disabling it (\x1b[?1004l) on crash/exit. On Windows terminals, these orphaned escape sequences corrupt the terminal state.What needs to happen
The incremental patches (memory improvements, GC tuning) are not fixing this. The N-API bridge on Windows needs to be audited for thread safety in multi-agent scenarios. Specifically:
See #21576 for the full repro log and usage/billing impact.
Technical Update: TUI State Machine Dumping Raw Buffers Into Host Terminal on Crash
Version: v2.1.59
Date: 2025-02-25
Related: #21576 (Repro 35), #28809 (config corruption)
New Failure Mode: Internal Message Buffers Executed as Shell Commands
The N-API crash is now exhibiting a new, more dangerous behavior. When the Bun TUI crashes during a sub-agent operation, the terminal multiplexer state machine is not being cleaned up. The result is that internal Claude Code state — error messages, file paths, TUI layout characters — is written raw to stdout/stderr and interpreted by the host shell.
What Was Dumped Into PowerShell
``
``The : The term 'The' is not recognized as the name of a cmdlet
A : The term 'A' is not recognized as the name of a cmdlet
You : The term 'You' is not recognized as the name of a cmdlet
Root Cause Analysis
This points to a specific failure in the crash cleanup path:
\e[?1049l(exit alternate screen) sequence is either not sent or sent too late.Why This Is A Security Concern
Today, the dumped buffers contained English sentences that PowerShell couldn't parse. But consider:
rm,del,format, or any destructive operation, it could be executed by the host shell with the user's full permissionsThe TUI must ensure that on any exit — clean or crash — no internal buffers are flushed to the host terminal's input stream. This likely requires:
finallyblock or equivalent that always restores the terminal to cooked mode and exits the alternate screen, even on SIGABRT/unhandled exceptionPersistence After Process Death
The terminal state corruption persists after Claude Code exits. The host PowerShell session remains in a partially corrupted state where:
Cross-Reference
Repros 38-40: Three more crashes today (Feb 26, v2.1.59)
Adding to the pile. Three crashes within a 30-minute window:
All produced
[I[O[I[O[CSI focus reporting codes dumped into the terminal. Additionally, PowerShell itself threwerror 800705af("Loading managed Windows PowerShell failed") — orphaned Bun processes have degraded system state to the point where Windows subsystems are failing.Running total: 40 crashes in 33 days across 8 versions (v2.1.50→59). 22+ on Feb 25-26 alone.
The N-API race condition identified in this thread remains the root cause. v2.1.53's fixes addressed WASM, ARM64, and spawn panics — none of which are the N-API vtable corruption that shows up in the WinDbg dumps posted earlier in this thread.
Meanwhile, 5 new
.claude.jsoncorruption issues were filed TODAY by other users (#29023, #29050, #29051, #29053, #29075) — including one where Claude Code deleted an entire Windows user profile. The non-atomic write pattern and the crash-without-cleanup pattern are causing real damage to real users.End of Day: 30 Crashes Today, Switching to Node.js (Feb 26)
This issue has
high-priorityandoncalllabels. It has had them for over a month. Zero Anthropic staff have commented.Today: 30 Bun crashes on v2.1.59/v2.1.61. The v2.1.61 config corruption fix shipped today (thank you stevenpetryk on #28847) but the underlying Bun N-API crash is completely unaddressed.
The user has switched from the native Bun binary to npm install (Node.js runtime) as a last resort. The fact that a paying Max subscriber has to swap out the runtime to make the product usable tells you everything about the state of Windows support.
The N-API root cause analysis in this thread — with WinDbg dumps, vtable corruption patterns, and crash family classification — has been available since January. The Bun team has a comprehensive bug at oven-sh/bun#27471 filed today with 49 reproductions.
49 crashes. 33 days. 5 computer lockups.
high-priority+oncallfor a month. Zero responses.What do these labels mean if not "someone should look at this"?
I have alternated between native and npm for a few weeks now. I actually have them both installed and switch when one starts giving me fits.
Update: 251+ Crash Dumps, Both Engines, Hardware Ruled Out
Since the original report, we've continued collecting crash data on both runtimes:
Current crash dump inventory:
Hardware ruled out: Tested across three RAM configurations -- 192GB (4-stick DDR5), 48GB (single-stick DDR5), and currently 96GB (2-stick DDR5). Crash frequency is identical across all three. This is not a memory pressure or IMC thermal issue.
Node.js is NOT stable either. In response to comments suggesting switching to Node.js as a workaround -- our cross-engine analysis at #27575 documents that Node.js/V8 produces the same category of GC corruption (pointer compression failures, use-after-free, heap corruption) under the same Claude Code workload. We have 136 V8 crash dumps with 10 distinct signatures across 7 categories to prove it. The crash mechanism differs (V8 pointer compression vs JSC NaN-boxing) but the outcome is identical: session-destroying crashes that scale with context fullness.
Crash distribution (last 6 days, Node.js only):
| Date | Crashes |
|------|---------|
| Feb 22 | 57 |
| Feb 23 | 5 |
| Feb 24 | 5 |
| Feb 25 | 3 |
| Feb 26 | 8 |
| Feb 27 | 58 |
Heavy build days (Feb 22, 27) produce 10x the crashes of light days. The context-fullness model from #27575 holds: more subprocess spawning and deeper context = more GC pressure = more crashes.
The common denominator is Claude Code's workload, not the runtime. Swapping engines changes the crash signature but not the crash rate.
Note
This comment was written by Claude (Opus 4.6) on behalf of @balandari as part of our AI-assisted development workflow.
I'm having similar issues. I've identified that my CPU microcode is on version 0x120, which is significantly outdated and apparently can cause these issues. I have the same 14900 HX CPU. Is your BIOS version the same? I have been informed 0x12F fixes the issues.
Interesting, I am just now exploring the same issue with the CPU microcode
being outdated. My i9-14900HX is on microcode 0x11F. it is not supposed to
affect laptop CPU's, according to Intel, and MSI doesn't have an updated
BIOS for this laptop listed on their website. I am about to call them and
see if they have an update they can share with me. According to Claude, the
microcode fix is 0x12B. I am willing to try just about anything right now.
So tired of all these crashes. MSI does have the BIOS 0x12B released for
their desktops. Fingers crossed. I will give an update if anything changes.
On Mon, Mar 2, 2026 at 10:25 AM Joe Brown @.***> wrote:
--
Mike Ramsey Jr.
Full-Stack Web Developer
(316) 200-6729 | mikeramseyjr.com
React • Next.js • TypeScript • Vercel
6 production sites shipped in 10 weeks
"Apparently" being the key word. Intel said it didn't affect the portable chips but loads of users on forums etc complained of the issue. This said it's a separate issue from the bun segfault stuff - Claude Code/Bun (I believe Bun is now owned by Anthropic) needs to fix this still.
My laptop is PC Specialist. Have had to ask them for the BIOS update too. Let me know how you get on because I'm ripping my hair out atm 😂
It's a bit temperamental but you can also try running Claude Code in a devcontainer. There's docs on it on Anthropic - it's kinda temperamental but at least no BSODs
Nothing available... Going to send it to the engineering department and see
if they have anything and should get back to me in a couple days... I am
not holding my breath...
On Tue, Mar 3, 2026 at 1:24 PM MIKE RAMSEY JR @.***> wrote:
--
Mike Ramsey Jr.
Full-Stack Web Developer
(316) 200-6729 | mikeramseyjr.com
React • Next.js • TypeScript • Vercel
6 production sites shipped in 10 weeks
You can try this as well maybe as an interim measure - didn't work for me but might do for you:
https://rog-forum.asus.com/t5/rog-strix-series/intel-how-to-update-your-microcode-for-intel-hx-13-14th-cpus/td-p/1034755
I'm suspicious that it's a microcode issue. I have a Snapdragon(R) X 12-core X1E80100, which is an ARM processor, not Intel, and I also get BUN crashes.
Closing — Bun has shipped multiple fixes for WSL segfaults since v1.3.5. No longer reproducing on current versions.
Closing — Bun has shipped multiple WSL segfault fixes since v1.3.5. No longer reproducing on current versions. Can be reopened if it recurs.
Closing — Bun has shipped multiple WSL segfault fixes since v1.3.5. No longer reproducing on current versions.