[codex] Fix async future handling across GC

[aaronvg]

Summary

• keep in-flight async futures GC-stable in bex_engine by storing handles instead of raw HeapPtrs
• resolve the current future pointer from the handle before calling set_future_ready / fulfil_future
• add an early_yield regression test that forces allocation pressure before baml.sys.sleep(1) completes

Root cause

The engine was carrying raw HeapPtrs for async futures outside the VM while the VM could hit a GC safepoint during Await. If GC moved the future object before the async sys-op completed, the engine later called fulfil_future with a stale pointer. That stale pointer could then drop the wrong PendingFuture, which matches the nondeterministic libmalloc abort seen in the VM double-free repro.

Impact

This removes a GC-sensitive use-after-move in the async future fulfillment path. The practical effect is that long-running async/sys-op flows should stop aborting when a future completes after GC has run.

Validation

• cargo test -p bex_engine --manifest-path baml_language/Cargo.toml --test early_yield -- --nocapture
• cargo test -p bex_engine --manifest-path baml_language/Cargo.toml --test early_yield sleep_future_survives_gc_safepoint -- --nocapture
• cargo build -p baml_cli --manifest-path baml_language/Cargo.toml
• manually reran a minimal baml-cli run repro that allocates, awaits baml.sys.sleep(1), and completed successfully across repeated runs

---

Note

Medium Risk
Touches the engine’s async/await fulfillment path and GC coordination by changing how future identities are tracked, which could impact correctness under load or cancellation. Changes are localized and include a regression test covering the previously failing GC-at-Await scenario.

Overview
Fixes async sys-op future completion across GC safepoints by storing a GC-stable Handle (not a raw HeapPtr) for in-flight futures and resolving the current pointer right before set_future_ready/fulfil_future.

Adds a new engine error (FutureHandleInvalid) for cases where a future handle can no longer be resolved, and introduces an early_yield regression test (sleep_future_survives_gc_safepoint) that forces allocation pressure before awaiting baml.sys.sleep(1) to ensure futures survive a GC at Await.

^{Reviewed by Cursor Bugbot for commit 933b2af. Bugbot is set up for automated code reviews on this repo. Configure here.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
beps	Ready	Preview, Comment	Apr 24, 2026 4:39pm
promptfiddle	Ready	Preview, Comment	Apr 24, 2026 4:39pm

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 9e6ebb17-ab75-43ab-9223-e0c882f4d819

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch aaron/vm-double-free

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}