Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/bun_alloc/ast_alloc.rs`:
- Around line 192-203: The current set_thread_heap preserves the bump cursor
when called with null, which is unsafe because MimallocArena may be dropped on
another thread; modify set_thread_heap so it also clears the per-thread bump
state when AST_HEAP is being set to null. Specifically, update the condition
around bump_reset() in set_thread_heap to call bump_reset() when heap.is_null()
OR when heap != BUMP_HEAP.get() (so it still preserves the cursor only for the
same non-null BUMP_HEAP), referencing AST_HEAP, BUMP_HEAP, BUMP_CUR, bump_reset,
and set_thread_heap to locate the change.

In `@src/bundler/bundle_v2.rs`:
- Line 2612: The append call currently ignores failures (let _ =
self.graph.ast.append(JSAst::empty_in(self.graph.heap))) which can desynchronize
graph.ast from input_files; change this to handle the Result by converting
allocation errors into a controlled OOM crash using bun_core::handle_oom or the
.unwrap_or_oom() helper (i.e., call self.graph.ast.append(...).unwrap_or_oom()
or pass the Result into bun_core::handle_oom) so allocation failures abort
deterministically; apply the same fix to the other graph.ast.append(...) sites
(the similar calls at the other noted locations) to ensure all AST slot
allocations are handled consistently.
- Around line 6893-6895: The code tries to clone a bun_ast::Source via
empty_html_file_source.clone() when constructing a crate::Graph::InputFile
(fake_input_file), but bun_ast::Source isn't Clone; instead rebuild the Source
struct field-by-field like you do in enqueue_server_component_generated_file and
reserve_source_indexes_for_bake: create a new bun_ast::Source instance by
copying each field (e.g., source text, span, kind, etc.) from
empty_html_file_source into the new Source and use that new instance in
Graph::InputFile's source field so the code compiles without requiring Clone.

In `@src/bundler/HTMLImportManifest.rs`:
- Around line 57-61: The remaining uses of the bare Graph type must be changed
to the generic form with the lifetime/type parameters: update the function
signatures and impl header for write_escaped_json and write to accept/return
Graph<'a> (or the correct Graph<'a, T> form used elsewhere) instead of bare
Graph, and update the type argument in from_ref::<Graph>(graph) to
from_ref::<Graph<'a>>(graph) (or from_ref::<Graph<'a, T>>(graph) if Graph has a
second type parameter); ensure any function-level generics or impl lifetimes
match the HTMLImportManifest<'a> lifetime so all Graph references compile.

In `@src/bundler/linker_context/scanImportsAndExports.rs`:
- Around line 564-577: The cached identifier vs formatted identifier diverge for
strict-mode reserved words causing inconsistent symbol names; fix by ensuring
the same remapping is applied in both paths—either force-populate the cache
before formatting (call the method that triggers
MutableString::ensure_valid_identifier() so source.identifier_name is filled)
or, when using source.fmt_identifier() (the FormatValidIdentifier::fmt() path),
run the same strict_mode_reserved_word_remap()/ensure_valid_identifier logic on
the produced bytes so the ident used for init_/exports_/module_ symbol
construction is identical regardless of whether source.identifier_name was
pre-populated; update the block around ident, ident_scratch and the call sites
so they always use the remapped identifier.

In `@src/bundler/LinkerGraph.rs`:
- Around line 629-633: The loop over self.reachable_files currently indexes into
self.ast.items_import_records_mut() without guaranteeing a corresponding row,
which can panic for non-JS sources; modify the loop that uses
import_records_list[source_id.get() as usize] so it first computes let idx =
source_id.get() as usize and skips if idx >= import_records_list.len() (or
otherwise check that import_records_list has an entry for that source), i.e.,
continue when out of bounds (or when the source is a non-JS/asset if you prefer
that check), before calling .as_mut_slice() and rewriting
import_record::List<'_>.

In `@src/bundler/ThreadPool.rs`:
- Around line 423-435: The fast path in get_worker uses TLS_WORKER without
guarding against Worker::deinit() freeing the boxed Worker, causing a UAF;
update the teardown path to invalidate the cached TLS entry instead of leaving a
stale pointer. Concretely, in Worker::deinit (or where workers are
freed/deinit_soon) clear or bump TLS_WORKER for the current thread (e.g., set
its generation to a non-matching value or null the worker pointer) so
get_worker()'s generation check cannot succeed on a freed Worker; apply the same
invalidation for the other fast-path accessor noted around the 493-500 region
(the other get_* method that uses TLS_WORKER and get_worker_slow) so both fast
paths are protected.

In `@src/bundler/ungate_support.rs`:
- Line 608: The comment above the type alias JSAst should be updated to reflect
that it is now lifetime-generic (pub type JSAst<'a> = crate::BundledAst<'a>)
rather than being erased to 'static; edit the note that mentions "'static" to
instead explain that JSAst carries the lifetime parameter through to BundledAst
and is not implicitly 'static, clarifying any ownership/borrow implications and
removing the stale contract language referencing erasure to 'static.

In `@src/js_parser/parse/parse_entry.rs`:
- Around line 318-320: Restore the lifetime tie on the logger parameter of init
by changing the signature back to accept log: &'a mut bun_ast::Log so the input
reference lifetime matches Parser<'a>'s stored non-null pointer; update the init
function signature (init) to use &'a mut bun_ast::Log, ensuring
Parser<'a>::self.log (NonNull<bun_ast::Log>) is derived from that &'a mut
reference and that log_mut()’s safety claim is now enforced by the type system
rather than only by documentation.

In `@src/resolver/resolver.rs`:
- Around line 3221-3227: The global-cache branch that sets the local variable
conditions currently maps ImportKind::Require and RequireResolve to
self.opts.conditions.require and everything else to self.opts.conditions.import,
which omits ImportKind::At and ImportKind::AtConditional and causes CSS
resolution divergence; update the match arms where conditions is assigned (the
blocks that pattern-match ast::ImportKind) to treat ImportKind::At and
ImportKind::AtConditional like the local node_modules path by returning
self.opts.conditions.style for those variants (apply the same change to both
match blocks around the global-cache logic).

In `@src/runtime/bake/DevServer.rs`:
- Around line 279-283: The CurrentBundle struct currently declares pub heap:
Box<bun_alloc::MimallocArena> before fields that borrow from that arena (e.g.,
pub start_data: bundler::bundle_v2::DevServerInput, requests,
resolution_failure_entries, promise), which causes the arena to be dropped too
early; move the heap field to be the last field in CurrentBundle so the arena is
dropped after start_data, requests, resolution_failure_entries, and promise,
ensuring finalize_bundle and bv2.deinit_without_freeing_arena() can safely clean
up arena-backed allocations.

---

Outside diff comments:
In `@src/ast/nodes.rs`:
- Around line 1099-1145: The Part struct is being stored in an arena via
PartList<'a> but still owns dropful heap containers (import_record_indices,
dependencies, declared_symbols, symbol_uses, import_symbol_property_uses) which
will survive an arena reset; change those fields to arena-backed containers or
ensure they are explicitly freed before arena teardown. Concretely, replace
plain Vec/ArrayHashMap/MultiArrayList types used in Part (import_record_indices,
dependencies, declared_symbols, symbol_uses, import_symbol_property_uses) with
their bun_alloc arena equivalents (or other AST-heap types) so their allocations
are tracked by the same arena, or add a clear/teardown API (e.g., Part::teardown
or a caller-side loop over PartList) that drops/frees/clears each of these
fields before the bun_alloc::MimallocArena reset; update any code that
constructs Parts to use the arena-aware factories or to call the teardown
routine prior to resetting the arena.

In `@src/bundler/Chunk.rs`:
- Around line 542-547: The methods code, code_standalone, and
code_with_source_map_shifts must accept the generic Graph lifetime; update their
signatures to use the Graph lifetime (e.g., change parameters typed as &Graph or
graph: &Graph to &Graph<'_> or graph: &Graph<'_>) so the Graph<'a> definition is
threaded through these methods, mirroring the existing linker_graph:
&LinkerGraph<'_> usage; make this same change in all three method declarations
to fix the compile error.

In `@src/bundler/Graph.rs`:
- Around line 20-29: Graph currently exposes a safe Graph with pool initialized
as NonNull::dangling(), causing UB when pool()/pool_mut() dereference it; change
Graph.pool from bun_ptr::BackRef<ThreadPool> to
Option<bun_ptr::BackRef<ThreadPool>> (or otherwise make it an explicit
nullable/backref wrapper), update Graph::new to set pool = None, adjust pool()
and pool_mut() accessors to return Option<&ThreadPool>/Option<&mut ThreadPool>
(or panic/handle None with a clear error) instead of dereferencing a dangling
pointer, and then assign graph.pool = Some(...) from BundleV2::init after the
real ThreadPool is allocated.

In `@src/bundler/LinkerContext.rs`:
- Around line 1901-1908: The recursion in validate_tla can index
ast_import_records for files that don't have ASTs (non-JS targets) causing a
panic; update the code in validate_tla (call site using
record.source_index.get() and ast_import_records) to first check that
ast_import_records contains an entry for record.source_index.get() and that the
entry is Some/has AST before indexing into it (e.g., use get(index).and_then(|r|
r.as_slice()/Option) or bail/continue when out of range or None), matching the
shorter column semantics enforced in link(), so TLA recursion simply skips
CSS/asset/no-AST files instead of panicking.

In `@src/js_parser/lexer.rs`:
- Around line 2686-2705: The constructors init_json and init_without_reading
currently take log: &mut Log with no lifetime, which allows the caller to drop
or reborrow the Log while the lexer holds a NonNull<Log> and is unsound; change
the API to tie the Log's lifetime to the lexer by introducing an explicit
lifetime (e.g. &'log mut Log) on those parameters or add a separate 'log
lifetime to the Lexer type plus a PhantomData<&'log mut Log> field, and update
the struct docstring (the comment about "'a is the lifetime of the borrowed
Log") to reflect the new 'log lifetime so the invariant is enforced by the type
system; ensure all init* constructors (init_json, init_without_reading, etc.)
and the log field use the new 'log lifetime consistently.

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/ast/nodes.rs`:
- Line 1140: PartList<'a> now places Part instances in the arena but Part still
owns drop-managed containers (Part.dependencies, Part.symbol_uses,
Part.import_symbol_property_uses) whose destructors won't run when the Mimalloc
arena resets, leaking per-file state; fix this by migrating those fields to
arena-backed containers or freeing them explicitly before the arena reset:
replace Vec/ArrayHashMap usages inside struct Part with arena-allocated
equivalents (e.g., bun_alloc::ArenaVec<'a, T> or your AstAlloc-backed map types)
or convert them to indices/refs into arena-owned storage, and if migration isn't
possible ensure code paths that clear/free Part::dependencies, Part::symbol_uses
and Part::import_symbol_property_uses are called before the
bun_alloc::MimallocArena reset so no Drop-dependent resources remain.

In `@src/bun_alloc/baby_vec.rs`:
- Around line 141-145: The reserve()/push overflow bug: replace unchecked
addition and clamping with a hard check using checked_add and a capacity ceiling
check against u32::MAX (or MAX as used by the vec implementation) and fail early
instead of clamping; specifically modify reserve (and similar spots at the other
ranges) to compute let need = self.len.checked_add(additional).and_then(|n| if n
<= MAX { Some(n) } else { None }) and abort/panic (or return an Err) when None,
and change grow_exact/grow_to to propagate that failure rather than silently
clamping — ensure push uses the same checked logic so it cannot proceed when len
== cap.
- Around line 303-315: The current drain<R: RangeBounds<usize>> implementation
only uses debug_assert! so partial ranges silently drain everything in release;
either enforce the precondition at runtime or narrow the API to a full-drain
method. Fix option A: replace the debug_assert! checks in pub fn drain<R:
RangeBounds<usize>>(&mut self, range: R) with real runtime validation (inspect
range.start_bound() and range.end_bound(), and if they don’t match
Unbounded/Included(0) and the expected end matching self.len, call panic! with a
clear message referencing the provided range) before doing
core::mem::replace(self, BabyVec::new_in(self.alloc)).into_iter(). Fix option B:
remove the RangeBounds generic and change the signature to pub fn drain(&mut
self) -> IntoIter<'a, T> (and drop the range parameter and its checks), making
it an explicit full-drain operation; update callers accordingly.

In `@src/bun_alloc/lib.rs`:
- Around line 291-310: transfer_arena currently only calls v.set_allocator(dst)
which leaves the existing buffer owned by the source arena; instead perform an
eager migration of the backing buffer into dst: inside transfer_arena, allocate
a new buffer on dst (using MimallocArena APIs / mi_heap_realloc_aligned or
mi_heap_malloc with the current capacity/usable size), memcpy the existing bytes
from v's pointer into the new buffer, free the old buffer (mi_free) from the
source arena, then update ArenaVec's internal pointer/length/capacity and call
v.set_allocator(dst) so the Vec truly lives on dst; alternatively, if you prefer
not to move memory, replace transfer_arena with a narrower API that documents
and enforces the source MimallocArena outliving the ArenaVec (e.g., rename to
reassign_allocator_unchecked and require caller responsibility).

In `@src/bun_core/thread_id.rs`:
- Around line 124-125: Replace the nightly-only attribute usage by changing the
bare #[thread_local] static TLS_THREAD_ID (type ThreadId) to use the stable
thread_local! macro: declare TLS_THREAD_ID via thread_local! with a const
initializer that constructs a core::cell::Cell<ThreadId> initialized to 0, so
accesses to TLS_THREAD_ID remain fast and avoid the LocalKey state-machine;
update any direct static references to use TLS_THREAD_ID.with(...) or the
appropriate LocalKey API where the code previously read/wrote the static Cell.

In `@src/bundler/AstBuilder.rs`:
- Around line 450-458: The HMR temp symbol created by
generate_temp_ref(temp_export) is recorded in declared_symbols/current_scope but
not added to top_level_symbols_to_parts and is then redundantly appended into
current_scope.generated; instead, after creating temp_id and updating
parts[1].declared_symbols and symbol_uses, register temp_id in
top_level_symbols_to_parts mapped to the part (parts[1] / part index 1) so the
BundledAst has the part mapping for that top-level symbol, and remove the
redundant VecExt::append(&mut self.current_scope_mut().generated, temp_id) call.

In `@src/bundler/bundle_v2.rs`:
- Around line 7272-7275: The replacement AST is being allocated on the parse
worker's thread-local heap via result.ast.parts.allocator() (result_heap), which
can cross threads and segfault; in on_parse_task_complete replace the moved-from
placeholder with an allocation that uses the bundle thread's heap (e.g., use
self.graph.heap) or an allocation-free tombstone instead of
JSAst::empty_in(result_heap), and keep the move into this.graph.ast at
result_source_index using core::mem::replace(&mut result.ast, /* safe
placeholder that does not use result_heap */) so no allocation happens on the
worker arena.

In `@src/bundler/ThreadPool.rs`:
- Around line 558-567: The arena() method must not return a safe 'static
reference because Worker::deinit() frees the heap (bun_core::heap::take()),
making cached &'static references unsound; change pub fn arena(&self) ->
&'static ThreadLocalArena to return a reference tied to &self (e.g. pub fn
arena(&self) -> &ThreadLocalArena) and remove the use of
bun_ptr::detach_lifetime_ref; instead obtain a temporary reference from the
BackRef (self.arena.get() or equivalent) and cast it to a reference with the
same lifetime as &self (or keep it unsafe inside a private unsafe helper that
callers must not store), update callers of ThreadPool::arena / ThreadLocalArena
to accept a non-'static borrow, and ensure Worker::deinit and any heap-take code
cannot be called while such borrows are live.

In `@src/js_parser/p.rs`:
- Line 8361: The parser currently moves module_scope into the returned Ast but
leaves ts_namespace_scopes and ts_namespace_member_maps owned by P, so when
P::drop() runs those maps are freed and any Ast scopes holding ts_namespace
handles become dangling; fix by transferring these TS-namespace sidecars into
the Ast during to_ast()/to_ast-like return (or, if the AST must not own them,
clear all scope references to ts_namespace handles before P is dropped).
Concretely, update P::to_ast()/to_module_ast (the code paths that move
module_scope into js_ast::Ast<'a>) to also move ts_namespace_scopes and
ts_namespace_member_maps into the returned Ast struct (or set the corresponding
scope fields to None/clear handles) and remove freeing of those maps from
P::drop() so the Ast owns the sidecars and no dangling references remain.

---

Outside diff comments:
In `@src/ast/ast_result.rs`:
- Around line 23-61: The Ast<'a> struct still contains heap-owned fields
(export_star_import_records, top_level_symbols_to_parts including its inner
Vec<u32>s, and ts_enums with their StringHashMaps) that rely on Drop and
therefore leak when the arena is reset; switch those fields to arena-backed
collections (e.g., replace Vec/HashMap/StringHashMap with the project's arena
equivalents or Store/PartList-style types used elsewhere) or add an explicit
teardown method (e.g., Ast::free_arena_owned_fields or Ast::teardown) that
manually clears/frees export_star_import_records, top_level_symbols_to_parts
(iterate and clear inner Vec<u32>s), and ts_enums maps before the arena reset;
update constructors and any code that mutates these fields to allocate into the
arena variants and ensure the new teardown is called where the arena is reset.

In `@src/bundler/LinkerContext.rs`:
- Around line 1898-1910: The loop over import_records calls validate_tla with
ast_import_records[record.source_index.get() as usize].as_slice() without
re-checking that record.source_index points to an AST-bearing entry; to fix, add
a guard before indexing (e.g. ensure record.source_index.get() as usize <
ast_import_records.len() or compare against import_records_len) and skip or
handle non-AST targets so validate_tla is only invoked with a valid slice;
update the code paths around the for loop and the validate_tla(...) call to use
a checked access (or early continue) when the source_index is out of bounds.

In `@src/bundler/transpiler.rs`:
- Around line 1779-1848: The AlreadyBundled branch of js_ast::Result constructs
a ParseResult but currently sets runtime_transpiler_cache to None, dropping the
previously computed rtc_ptr; update the ParseResult construction (in the
js_ast::Result::AlreadyBundled arm) to forward the computed rtc_ptr into
runtime_transpiler_cache (use the same value/name used earlier, e.g., rtc_ptr or
the variable that holds the runtime transpiler cache) so cache propagation is
preserved for the AlreadyBundled fast path; ensure the field type matches
(wrap/clone/transfer as needed) when assigning to runtime_transpiler_cache in
the ParseResult returned alongside ast, already_bundled, source, loader,
input_fd, etc.

In `@src/js_parser/lexer.rs`:
- Around line 2686-2705: The public constructors (init, init_json,
init_without_reading) accept &mut Log but the struct stores NonNull<Log> and
log() reconstitutes &mut Log, creating a potential use-after-free; restore the
borrow by changing the constructors to accept &'a mut Log (or add an explicit
'_log lifetime on the struct) so the compiler enforces that the Log outlives the
lexer, or else mark these constructors unsafe/internal and document the safety
requirements; update the signatures of init, init_json, and init_without_reading
and any callers accordingly, and adjust the field/lifetime comments to match the
chosen approach.

In `@src/runtime/api/JSTranspiler.rs`:
- Around line 801-825: get_parse_result() currently lies by returning
ParseResult<'static> while on the non-REPL path processed_code is an alias to
the caller's code buffer, so the AST borrows non-'static data; fix by either (A)
copying non-REPL bytes into the allocated arena before creating the
arena_ref/source so the AST truly borrows arena-owned data (update the non-REPL
branch where processed_code is set and ensure arena_ref.alloc is used for the
bytes), or (B) change the function signature and ParseResult usage to be
lifetime-generic (e.g., ParseResult<'a>) so the return reflects the caller-owned
lifetime and update callers of get_parse_result() accordingly (adjust types at
call sites that consume ParseResult). Ensure modifications reference
get_parse_result, ParseResult<'static>, processed_code, source, and
arena/arena_ref so the borrowed lifetimes are consistent.

In `@src/runtime/cli/repl.rs`:
- Around line 1852-1866: The code in transform_for_repl rebinds the variable
arena (first used as the parse arena) when assigning from
ast.symbols.allocator(), which shadows the original and reduces clarity; rename
the original parse arena binding to parse_arena and rename the allocator binding
to symbols_alloc (or similar) wherever they are declared and used (e.g., the
initial parse arena declaration around line ~1783 and the later let arena =
*ast.symbols.allocator(); used by print_ast and bun_alloc::ArenaVec::new_in) and
update all references in this function (including calls to
bun_js_printer::print_ast, bun_alloc::ArenaVec::new_in, and symbol Map
initialization) so the two distinct allocator variables are unambiguous.

---

Duplicate comments:
In `@src/bun_alloc/ast_alloc.rs`:
- Around line 192-203: The bump cursor must not be preserved when installing a
null heap; modify set_thread_heap to call bump_reset() not only when switching
to a different non-null heap but also when heap.is_null() so the TLS cursor is
cleared on null install. Update the condition around bump_reset() in
set_thread_heap (which reads AST_HEAP/BUMP_HEAP and calls bump_reset) to trigger
reset when heap.is_null() || heap != BUMP_HEAP.get(), ensuring no stale cursor
survives a null install while leaving other logic intact (leave
bump_invalidate_heap and MimallocArena semantics unchanged).

In `@src/bundler/LinkerGraph.rs`:
- Around line 629-633: The loop that rewrites SCB import records indexes into
import_records_list using entries from reachable_files without ensuring the
source is AST-backed; update the loop in LinkerGraph so you skip non-AST sources
before indexing into import_records_list (e.g., check whether the source_id
refers to an AST-backed source or is within the bounds/has an entry in
items_import_records_mut) to avoid panics when reachable_files contains
CSS/HTML/assets; specifically guard the iteration over
self.reachable_files.slice() (the for source_id ...) and only access
import_records_list[source_id.get() as usize] when that source is known to have
AST import records (or use a safe get and continue when None).

In `@src/bundler/ThreadPool.rs`:
- Around line 637-680: The deinit function currently frees the Worker without
clearing the thread-local cache, leaving TLS_WORKER pointing at freed memory;
update deinit (the unsafe fn deinit(this: *mut Worker)) to invalidate/clear
TLS_WORKER (the thread-local cached pointer used by get_worker()) early — before
dropping fields, arenas, or calling bun_core::heap::destroy(this) — so any
subsequent get_worker() fast-path sees no valid cached worker and falls back to
the guarded lookup; ensure you perform the TLS clear in both branches where
worker.has_created is true or false and before any operation that frees or
destroys the Worker.

In `@src/js_parser/parse/parse_entry.rs`:
- Around line 318-320: The Parser::init signature must accept the logger with
the parser lifetime so the NonNull<bun_ast::Log> you store remains valid; change
the parameter from log: &mut bun_ast::Log to log: &'a mut bun_ast::Log in
Parser::init (and propagate that 'a where needed) so the Parser<'a> retains a
pointer derived from a same‑lifetime reference; ensure any places constructing
NonNull::new_unchecked or calling log_mut() still use that &'a mut bun_ast::Log
to preserve the type‑level lifetime guarantee.

In `@src/resolver/resolver.rs`:
- Around line 3221-3227: The ESModule initializer in the global-cache exports
path currently maps ast::ImportKind::At and AtConditional to
self.opts.conditions.import causing CSS/style imports to resolve differently;
update the match that sets conditions (the branch handling
ast::ImportKind::Require | RequireResolve vs others) so that ImportKind::At and
ImportKind::AtConditional use self.opts.conditions.style instead of
self.opts.conditions.import; apply the same change to the analogous match
further down (the other ESModule initializer referenced in the comment) so both
global-cache paths use self.opts.conditions.style for style imports.

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@src/bun_alloc/baby_vec.rs`:
- Around line 141-146: The addition in reserve (and similarly in reserve_exact)
can overflow and wrap, bypassing the capacity check; change the calculation of
need in reserve and reserve_exact to use checked or saturating arithmetic (e.g.,
use self.len.checked_add(additional).unwrap_or(usize::MAX) or
self.len.saturating_add(additional)) before comparing to self.cap, then call
grow_to(need) if need > self.cap; reference the reserve, reserve_exact functions
and grow_to so you update both methods to compute a non-wrapping need value and
handle the saturated/overflow case consistently.

In `@src/bundler/ThreadPool.rs`:
- Around line 423-435: The TLS_WORKER cached pointer can become dangling because
Worker::deinit frees the Worker without clearing the thread-local cache; update
Worker::deinit to invalidate the TLS entry (TLS_WORKER) for the current thread
so get_worker()’s fast path (which checks generation against
ThreadPool::generation) cannot return a freed pointer — ensure the TLS slot is
cleared/zeroed before freeing or setting generation to a non-matching value so
subsequent calls to get_worker() fall through to get_worker_slow(id).
- Around line 558-570: The arena() method is unsound because it returns a
&'static ThreadLocalArena that can outlive the Worker and be used after
deinit()/deinit_soon; change the API to either (A) make arena(&self) ->
&ThreadLocalArena (remove the 'static and tie the lifetime to &self) and stop
using bun_ptr::detach_lifetime_ref, or (B) rename to unsafe fn
arena_static(&self) -> &'static ThreadLocalArena and document explicit safety
requirements (caller must guarantee the Worker outlives any reference, reference
must not be stored across deinit()/deinit_soon), updating call sites and
Worker::create / Worker::get expectations accordingly; reference symbols:
arena(), ThreadLocalArena, bun_ptr::detach_lifetime_ref, BackRef,
Worker::create, Worker::get, deinit_soon, deinit().