Install @scratch/paper failed on windows.

[nakasyou]

How can we reproduce the crash?

It is very simple to reproduce it, and there is no files to provide, so I just describe about it.

1. Create empty package.json.
2. Run bun add @scratch/paper.

Bun has not crashed on Ubuntu. I guess it crashes on Windows only.

Relevant log output

Bun v1.1.42 (50eec002) Windows x64
Windows v.win10_fe
CPU: sse42 avx avx2
Args: "C:\Users\syout\.bun\bin\bun.exe" "add" "@scratch/paper"
Elapsed: 320ms | User: 15ms | Sys: 0ms
RSS: 80.55MB | Peak: 80.55MB | Commit: 0.14GB | Faults: 19912

panic(thread 24200): Internal assertion failure src/install/npm.zig:2339:66
oh no: Bun has crashed. This indicates a bug in Bun, not your code.

To send a redacted crash report to Bun's team,
please file a GitHub issue using the link below:

 https://bun.report/1.1.42/wI150eec00AA+vg2HouivCgvsvGip53GqypsMCYKERNEL32.DLL65yECSntdll.dllwz3WA0eNrzzCtJLcpLzFFILC5OLSr
JzM9TSEvMzCktSlUoLkrWz8wrLknMydHPK8jVq8pMtzIyNra0MjMDADhtE28

Stack Trace (bun.report)

Bun v1.1.42 (50eec00) on windows x86_64 [UpdateCommand]

panic: Internal assertion failure src/install/npm.zig:2339:66

• npm.zig:2306: parse
• npm.zig:485: getPackageMetadata
• atomic.zig:40: load

_{Sentry Issue: BUN-7MX}

[Jarred-Sumner]

Debug stack trace:

PS C:\tmp\ok> C:\bun\build\debug\bun-debug.exe add @scratch/paper
bun add v1.1.42 (22d354d2)
  🔍 Resolving [1/1] ============================================================
Bun Debug v1.1.42 (22d354d2) Windows x64
Windows v.win10_fe
CPU: sse42 avx avx2 avx512
Args: "C:\bun\build\debug\bun-debug.exe" "add" "@scratch/paper"
Elapsed: 118ms | User: 15ms | Sys: 15ms
RSS: 88.64MB | Peak: 88.64MB | Commit: 0.15GB | Faults: 21931

panic(thread 18680): reached unreachable code
  🔍 @scratch/paper [2/2] C:\bun\src\bun.zig:3533:43: 0x7ff6dc4e7a8d in assertWithLocation (bun-zig.o)
        if (comptime Environment.isDebug) unreachable;
                                          ^
C:\bun\src\install\npm.zig:2339:51: 0x7ff6dc86e1ed in parse (bun-zig.o)
                            bun.assertWithLocation(order == .gt, @src());
                                                  ^
C:\bun\src\install\npm.zig:485:38: 0x7ff6dc885fd4 in getPackageMetadata (bun-zig.o)
        if (try PackageManifest.parse(
                                     ^
C:\bun\src\install\install.zig:723:73: 0x7ff6dc89c916 in callback (bun-zig.o)
  🔍 @scratch/paper [2/2]                 const package_manifest = Npm.Registry.getPackageMetadata(
                                                                        ^
C:\bun\src\thread_pool.zig:680:32: 0x7ff6ddd55c81 in run (bun-zig.o)
                (task.callback)(task);
                               ^
C:\bun\vendor\zig\lib\std\Thread.zig:408:13: 0x7ff6dd5ebffc in callFn__anon_142698 (bun-zig.o)
            @call(.auto, f, args);
            ^
C:\bun\vendor\zig\lib\std\Thread.zig:518:30: 0x7ff6dcf433ce in entryFn (bun-zig.o)
                return callFn(f, self.fn_args);
                             ^
???:?:?: 0x7ffccaa7259c in ??? (KERNEL32.DLL)
???:?:?: 0x7ffcccb6af37 in ??? (ntdll.dll)

[RiskyMH]

When I run bun i @scratch/paper@latest on linux it indeed works, however it has strange results. It seems to overflow the "patch" part of semver to 0 (which also isn't one of the listed versions).

I have a feeling like this is causing problems on windows, but it is a valid npm version so bun should show its full and proper version.

// bun.lock
{
  "lockfileVersion": 0,
  "workspaces": {
    "": {
      "dependencies": {
        "@scratch/paper": "^0.11.0",
      },
    },
  },
  "packages": {
    "@scratch/paper": ["@scratch/paper@0.11.0", "", {}, "sha512-UXUkcd9FLGS7nJjNAcfUcvJ6yVOFF140yJUkcn+moQXdvrR1836Ia+TZ8PdgNRYnNEBLfD9wkExl/74SAA6Ajg=="],
  }
}

Also note the sha hash belongs to the version 0.11.20171204223652 which seems to be oldest with long name, not the latest which would be 0.11.20221201200345.

---

This integer overflowing is also observed with Bun.semver functions too

console.log(Bun.semver.satisfies("0.1.11111111111", "0.1.22222222222")) // true, but should be false
console.log(Bun.semver.satisfies("0.1.1111111111", "0.1.2222222222")) // false

[RiskyMH]

The reason windows errors but not linux is because windows uses release safe which enables more errors. For example this check that shows how broken the lockfile gets with overflowed package versions:

bun/src/install/npm.zig

Lines 2398 to 2409 in 783c2b4

	if (comptime Environment.allow_assert) {
	if (cloned_versions.len > 1) {
	// Sanity check:
	// When reading the versions, we iterate through the
	// list backwards to choose the highest matching
	// version
	const first = semver_versions_[0];
	const second = semver_versions_[1];
	const order = second.order(first, string_buf, string_buf);
	bun.assertWithLocation(order == .gt, @src());
	}
	}

[RiskyMH]

@dylan-conway do you think it would be fine to turn that assert into debug only so it behaves like posix so it stops crashing?

The actual solution is to fix semver for more bits as lots of packages use the patch with date.

[dylan-conway]

@dylan-conway do you think it would be fine to turn that assert into debug only so it behaves like posix so it stops crashing?

The actual solution is to fix semver for more bits as lots of packages use the patch with date.

Yes, this and other assertions here should be debug only