Bun Rust rewrite: "codebase fails basic miri checks, allows for UB in safe rust"
A recent Rust rewrite for the popular Bun runtime has been found to harbor Undefined Behavior (UB), failing basic Miri checks even in 'safe' code. This technical exposé has ignited a fiery debate on Hacker News concerning the viability of AI-generated code, the perils of 'vibe coding,' and the often-misaligned expectations around software project marketing versus reality.
The Lowdown
A GitHub issue surfaced a critical flaw in a recent Rust rewrite for the Bun JavaScript runtime, demonstrating that the codebase exhibits Undefined Behavior (UB). This discovery, specifically a dangling reference during slice construction, was caught by Rust's Miri checker, challenging the perception of safety in Rust's 'safe' code.
- Core Issue: The `PathString::slice` method attempts to create a slice from a raw pointer after the original `Box` holding the data has been dropped, leading to a dangling reference and UB.
- Detection: Rust's Miri tool, a stacked borrow checker for detecting UB, flagged the error.
- Context: The issue highlights UB occurring within `unsafe` blocks that were intended to be correctly encapsulated, but ultimately exposed safety violations in what would otherwise appear as 'safe Rust'.
- Author's Stance: The issue's author directly criticized the development approach, urging against 'vibe coding' and implying AI's inadequacy for writing correct Rust, recommending the hiring of experienced Rust developers.
The revelation has sparked significant discussion, particularly around the quality control in rapid rewrites and the implications for software engineering practices involving emergent technologies like AI.
The Gossip
AI's Algorithmic Ambiguities
The discussion heavily scrutinized the role of AI in code generation, with some commenters seeing this as a clear validation that 'vibe-coding' or AI-first development is fraught with peril for correctness-critical systems. Others, however, viewed it as an inevitable, albeit messy, learning step towards a future where AI and agentic systems might iteratively improve code quality. The debate touched on whether AI-generated code, even with initial flaws, could serve as valuable training data for future iterations.
Marketing's Misleading Maneuvers
A prominent theme revolved around the asymmetry of information: grand announcements of rapid rewrites gain significant traction, while subsequent corrections or revelations of critical flaws receive far less attention. Commenters noted how marketing and PR strategies often exploit this disparity, a tactic observed not just in tech but also in mainstream media and politics, where initial sensationalism often overshadows later nuanced retractions.
Rust's Reliability Riddles
Some users expressed surprise and sought clarification on how Undefined Behavior could manifest in Rust, especially given its strong safety guarantees. While Rust's safety primarily applies to code *outside* `unsafe` blocks, this instance highlighted how incorrect usage within `unsafe` blocks can propagate UB, even if the calling code appears 'safe'. Others argued that such errors are expected in early-stage rewrites and are not fundamentally an indictment of Rust itself.
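The pattern described above, as an added example that is not Bun's code: the type names `RawPath` and `BorrowedPath`, the functions, and the sample path are hypothetical and constructed for illustration. It puts an unsound safe wrapper around a raw pointer beside a form that records the borrow in the type, so the compiler rejects the use-after-drop.

```rust
use std::marker::PhantomData;

/// Unsound (hypothetical type): raw pointer + length behind a safe API, no lifetime.
pub struct RawPath { ptr: *const u8, len: usize }

impl RawPath {
    pub fn init(bytes: &[u8]) -> Self {
        RawPath { ptr: bytes.as_ptr(), len: bytes.len() }
    }
    /// Safe signature, but UB if the buffer behind `ptr` was already freed.
    pub fn slice(&self) -> &[u8] {
        unsafe { std::slice::from_raw_parts(self.ptr, self.len) }
    }
}

/// Sound form: same fields, but the borrow of the buffer is part of the type.
pub struct BorrowedPath<'a> { ptr: *const u8, len: usize, _buf: PhantomData<&'a [u8]> }

impl<'a> BorrowedPath<'a> {
    pub fn init(bytes: &'a [u8]) -> Self {
        BorrowedPath { ptr: bytes.as_ptr(), len: bytes.len(), _buf: PhantomData }
    }
    pub fn slice(&self) -> &'a [u8] {
        // SAFETY: `'a` keeps the source buffer borrowed, so it cannot be dropped.
        unsafe { std::slice::from_raw_parts(self.ptr, self.len) }
    }
}

/// Constructed input; returns the length read back through the sound type.
pub fn sound_roundtrip() -> usize {
    let owner: Box<[u8]> = Box::from(&b"/tmp/example.js"[..]);
    let path = BorrowedPath::init(&owner);
    let n = path.slice().len();
    drop(owner); // accepted: `path` is not used after this point
    n
}

/// The dangling case, written with safe calls only. Compiles, never executed here.
#[allow(dead_code)]
fn dangling_case() -> u8 {
    let owner: Box<[u8]> = Box::from(&b"/tmp/example.js"[..]);
    let path = RawPath::init(&owner);
    drop(owner);    // buffer freed, `path.ptr` now dangles
    path.slice()[0] // dangling reference built during slice construction: UB
}

fn main() {
    println!("{}", sound_roundtrip());
}
```

Swapping `RawPath` for `BorrowedPath` in `dangling_case` turns the bug into a compile error, because `owner` cannot be moved into `drop` while `path` still borrows it.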
Contentious Criticisms and Community Chemistry
The original GitHub issue's tone, particularly its direct admonishment of 'vibe coding' and suggestion to 'hire a real rust dev,' provoked a mixed reaction. Some found it a necessary, albeit blunt, critique, while others deemed it unconstructive, bordering on tribalism and contributing to an unwelcoming atmosphere reminiscent of past online developer communities.