Bun Rust Component Exposes Undefined Behavior via Invalid Pointer Provenance and Dangling References

A GitHub issue in the Bun repository reveals critical Undefined Behavior within its Rust codebase due to incorrect pointer provenance management. The vulnerability, flagged by the Miri interpreter, permits safe Rust code to trigger a dangling reference access on deallocated memory.

Miri Flags Provenance Violation in PathString API

A critical vulnerability has been disclosed in the Rust codebase of the Bun project (issue #30719, opened by user AwesomeQubic on May 14, 2026). The issue highlights a fundamental violation of Rust's safety guarantees within the `PathString` implementation. When analyzed under Miri, the interpreter detects Undefined Behavior (UB) during the construction of a byte slice from a raw pointer.

The execution fails with a provenance error: "encountered a dangling reference (0x20933[noalloc] has no provenance)." The failure occurs specifically in `src/main.rs` at line 97 during the execution of:

`unsafe { core::slice::from_raw_parts(ptr as *const u8, self.len()) }`

The diagnostic output demonstrates that the raw pointer passed to `core::slice::from_raw_parts` lacks valid memory provenance. This occurs because the backing memory allocation has already been deallocated, rendering any subsequent slice construction over that address space invalid under the Rust abstract machine.

Analysis of the Lifetime Bypass Vector

The reproduction code provided in the issue showcases how safe Rust code can easily trigger this memory unsafety. The minimal reproducible example is structured as follows:

```rust fn main() { let test = Box::new(*b"Hello World"); let init = PathString::init(&*test); drop(test); println!("{:?}", init.slice()); } ```

In this sequence, `PathString::init` accepts a reference to a heap-allocated byte array wrapped in a `Box`. It appears to internally store the address of this slice as a raw pointer or an integer representation without binding the lifetime of the returned `PathString` instance to the borrow of `test`.

When `drop(test)` is explicitly called, the heap allocation containing "Hello World" is deallocated. The subsequent call to `init.slice()` attempts to reconstruct a slice from the retained pointer. Because the API allows this sequence to compile in safe Rust, it violates the core contract of safe Rust: safe code must never be able to trigger Undefined Behavior.

Architectural and Quality Assurance Implications

The issue author notes that this defect indicates a systemic lack of rigorous verification, asserting that the codebase fails even basic Miri execution checks. The report criticizes the integration of automated code generation tools, warning against "vibe coding" Rust using AI tools that struggle with the nuances of Rust's ownership and lifetime semantics.

The presence of this vulnerability suggests that the lifetimes within the `PathString` struct were either improperly elided or deliberately bypassed using unsafe blocks without establishing the necessary invariants to keep the backing memory alive. Related issues #30876 and #30728 suggest ongoing triage and potential structural refactoring of the affected modules. For systems engineers relying on Bun's performance-critical components, this defect highlights the necessity of integrating Miri checks directly into continuous integration pipelines to prevent the leak of unsafe pointer manipulations into safe user-facing APIs.