fix: prevent assertion crash when SharedArrayBuffer-backed views reach unsharedBuffer()

[robobun]

Crash

Assertion failure in JSArrayBufferView::unsharedBuffer() when a typed array backed by a SharedArrayBuffer is passed through a code path that assumes unshared buffers.

Reproduction

const sab = new SharedArrayBuffer(8);
const view = new Uint8Array(sab);
const stream = new ReadableStream({
  start(controller) {
    controller.enqueue(view);
    controller.close();
  }
});
const resp = new Response(stream);
const clone = resp.clone();
await clone.arrayBuffer();

Root Cause

structuredCloneForStream in StructuredClone.cpp calls bufferView->unsharedBuffer() without checking whether the view is backed by a SharedArrayBuffer. The unsharedBuffer() method asserts !result || !result->isShared(), so passing a shared-buffer-backed view triggers a crash. The same pattern exists in BunIDLConvert.h's IDLArrayBufferRef converter, which is used by the bindgen system for APIs accepting ArrayBuffer arguments.

Fix

• In StructuredClone.cpp: check bufferView->isShared() before calling unsharedBuffer() and throw a DataCloneError if shared.
• In BunIDLConvert.h: check isShared() on JSArrayBufferView and JSDataView before calling unsharedBuffer(), returning std::nullopt (conversion failure) if shared.

Verification

• Reproduction no longer crashes (throws DataCloneError instead)
• Added regression test at test/js/web/streams/shared-array-buffer-clone.test.ts

[robobun]

^{Updated 9:21 PM PT - Feb 20th, 2026}

❌ @autofix-ci[bot], your commit 9ff0462 has 13 failures in Build #37795 (All Failures):

• test/integration/next-pages/test/dev-server.test.ts - 1 failing on 🍎 14 aarch64
• vendor/elysia/test/response/stream.test.ts - 1 failing on 🐧 13 x64-asan
• test/cli/hot/watch-many-dirs.test.ts - pid 3771 segmentation fault on 🐧 3.23 x64-baseline
• test/cli/hot/watch-many-dirs.test.ts - 1 failing on 🐧 25.04 x64-baseline
• test/js/node/http/node-http-backpressure.test.ts - SIGKILL on 🐧 25.04 x64
• test/js/node/http/node-http-backpressure.test.ts - SIGKILL on 🐧 13 x64
• test/js/node/http/node-http-backpressure.test.ts - SIGKILL on 🐧 13 x64-baseline
• test/js/valkey/reliability/protocol-handling.test.ts - 1 failing on 🐧 25.04 aarch64
• test/js/valkey/reliability/protocol-handling.test.ts - 1 failing on 🐧 13 x64-asan
• test/js/valkey/reliability/protocol-handling.test.ts - 1 failing on 🐧 3.23 aarch64
• test/js/valkey/reliability/protocol-handling.test.ts - 1 failing on 🐧 3.23 x64
• test/js/valkey/reliability/protocol-handling.test.ts - 1 failing on 🐧 25.04 x64
• test/js/valkey/reliability/protocol-handling.test.ts - 1 failing on 🐧 13 x64
• test/js/valkey/reliability/protocol-handling.test.ts - 1 failing on 🐧 3.23 x64-baseline
• test/js/valkey/reliability/protocol-handling.test.ts - 1 failing on 🐧 25.04 x64-baseline
• test/js/valkey/reliability/protocol-handling.test.ts - 1 failing on 🐧 13 x64-baseline
• test/js/valkey/reliability/protocol-handling.test.ts - 1 failing on 🐧 13 aarch64
• test/js/valkey/reliability/error-handling.test.ts - 1 failing on 🐧 13 aarch64
• test/js/valkey/reliability/error-handling.test.ts - 1 failing on 🐧 25.04 aarch64
• test/js/valkey/reliability/error-handling.test.ts - 1 failing on 🐧 3.23 aarch64
• test/js/valkey/reliability/error-handling.test.ts - 1 failing on 🐧 3.23 x64
• test/js/valkey/reliability/error-handling.test.ts - 1 failing on 🐧 25.04 x64
• test/js/valkey/reliability/error-handling.test.ts - 1 failing on 🐧 13 x64
• test/js/valkey/reliability/error-handling.test.ts - 1 failing on 🐧 3.23 x64-baseline
• test/js/valkey/reliability/error-handling.test.ts - 1 failing on 🐧 13 x64-asan
• test/js/web/fetch/fetch.test.ts - 1 failing on 🪟 2019 x64-baseline
• test/js/web/fetch/fetch.test.ts - 1 failing on 🪟 2019 x64
• test/js/web/fetch/fetch.test.ts - 1 failing on 🐧 3.23 aarch64
• test/js/web/fetch/fetch.test.ts - 1 failing on 🐧 3.23 x64
• test/js/web/fetch/fetch.test.ts - 1 failing on 🐧 3.23 x64-baseline
• test/js/third_party/mongodb/mongodb.test.ts - 1 failing on 🪟 2019 x64
• test/js/third_party/mongodb/mongodb.test.ts - 1 failing on 🪟 2019 x64-baseline
• test/js/third_party/mongodb/mongodb.test.ts - 1 failing on 🐧 25.04 aarch64
• test/js/third_party/mongodb/mongodb.test.ts - 1 failing on 🐧 13 aarch64
• test/js/third_party/mongodb/mongodb.test.ts - 1 failing on 🐧 3.23 aarch64
• test/js/third_party/mongodb/mongodb.test.ts - 1 failing on 🐧 3.23 x64
• test/js/third_party/mongodb/mongodb.test.ts - 1 failing on 🐧 25.04 x64
• test/js/third_party/mongodb/mongodb.test.ts - 1 failing on 🐧 13 x64
• test/js/third_party/mongodb/mongodb.test.ts - 1 failing on 🐧 3.23 x64-baseline
• test/js/third_party/mongodb/mongodb.test.ts - 1 failing on 🐧 13 x64-asan
• test/js/third_party/mongodb/mongodb.test.ts - 1 failing on 🐧 25.04 x64-baseline
• test/js/third_party/mongodb/mongodb.test.ts - 1 failing on 🐧 13 x64-baseline
• test/js/third_party/mongodb/mongodb.test.ts - 1 failing on 🍎 14 aarch64
• test/js/third_party/mongodb/mongodb.test.ts - 1 failing on 🍎 13 aarch64
• test/js/web/fetch/fetch.tls.test.ts - 5 failing on 🪟 2019 x64
• test/js/web/fetch/fetch.tls.test.ts - 5 failing on 🪟 2019 x64-baseline
• test/js/web/fetch/fetch.tls.test.ts - 5 failing on 🐧 3.23 aarch64
• test/js/web/fetch/fetch.tls.test.ts - 5 failing on 🐧 3.23 x64
• test/js/web/fetch/fetch.tls.test.ts - 5 failing on 🐧 3.23 x64-baseline
• test/js/workerd/html-rewriter.test.js - 1 failing on 🪟 2019 x64
• test/js/workerd/html-rewriter.test.js - 1 failing on 🪟 2019 x64-baseline
• test/js/workerd/html-rewriter.test.js - 1 failing on 🐧 3.23 aarch64
• test/js/workerd/html-rewriter.test.js - 1 failing on 🐧 3.23 x64
• test/js/workerd/html-rewriter.test.js - 1 failing on 🐧 3.23 x64-baseline
• test/js/node/http2/node-http2.test.js - 6 failing on 🪟 2019 x64-baseline
• test/js/node/http2/node-http2.test.js - 6 failing on 🪟 2019 x64
• test/js/node/http2/node-http2.test.js - 6 failing on 🐧 3.23 aarch64
• test/js/node/http2/node-http2.test.js - 6 failing on 🐧 3.23 x64
• test/js/node/http2/node-http2.test.js - 6 failing on 🐧 3.23 x64-baseline
• test/js/bun/test/parallel/test-https-should-work-when-sending-request-with-agent-false.ts - code 1 on 🪟 2019 x64
• test/js/bun/test/parallel/test-https-should-work-when-sending-request-with-agent-false.ts - code 1 on 🪟 2019 x64-baseline
• test/js/bun/test/parallel/test-https-should-work-when-sending-request-with-agent-false.ts - code 1 on 🐧 3.23 aarch64
• test/js/bun/test/parallel/test-https-should-work-when-sending-request-with-agent-false.ts - code 1 on 🐧 3.23 x64
• test/js/bun/test/parallel/test-https-should-work-when-sending-request-with-agent-false.ts - code 1 on 🐧 3.23 x64-baseline
• test/js/bun/http/proxy.test.js - 4 failing on 🪟 2019 x64
• test/js/bun/http/proxy.test.js - 4 failing on 🪟 2019 x64-baseline
• test/js/bun/http/proxy.test.js - 4 failing on 🐧 3.23 aarch64
• test/js/bun/http/proxy.test.js - 4 failing on 🐧 3.23 x64
• test/js/bun/http/proxy.test.js - 4 failing on 🐧 3.23 x64-baseline

---

🧪   To try this PR locally:

bunx bun-pr 27318

That installs a local version of the PR into your bun-27318 executable, so you can run:

bun-27318 --bun

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

---

Walkthrough

Adds checks to reject cloning of shared ArrayBufferViews in two conversion paths: IDL conversion rejects them during conversion, and structured cloning throws a DataCloneError. Includes a test verifying Response.clone() handles SharedArrayBuffer-backed views without crashing.

Changes

Cohort / File(s)	Summary
SharedArrayBuffer rejection guards src/bun.js/bindings/BunIDLConvert.h, src/bun.js/bindings/webcore/StructuredClone.cpp	Add early-return guards to reject cloning of shared ArrayBufferViews. BunIDLConvert.h rejects shared views during IDL conversion by returning std::nullopt; StructuredClone.cpp throws a DataCloneError for shared views in structured cloning.
Test coverage test/js/web/streams/shared-array-buffer-clone.test.ts	New test file verifying Response.clone() does not crash when processing a ReadableStream containing SharedArrayBuffer-backed Uint8Array, expecting a DataCloneError instead.

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly describes the main fix: preventing assertion crashes when SharedArrayBuffer-backed views reach unsharedBuffer(), which aligns with the primary changes in the codebase.
Description check	✅ Passed	The PR description follows the template with clear sections covering what the PR does (Crash, Root Cause, Fix) and verification details, though it exceeds the template structure slightly.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[claude]

✅ 9ff04 — Looks good!

Reviewed 3 files across src/bun.js/bindings/ and test/js/web/streams/: adds isShared() checks before calling unsharedBuffer() in StructuredClone.cpp and BunIDLConvert.h to prevent assertion crashes when SharedArrayBuffer-backed typed arrays are used in stream cloning, throwing DataCloneError instead of crashing.