Bun Rust rewrite: "codebase fails basic miri checks, allows for UB in safe rust"
github.com284 points by ndiddy 3 hours ago
284 points by ndiddy 3 hours ago
There's a book that changed a lot of the way I think about attention and media [0]. The book isn't very good, but it flags something relevant here. There is a huge asymmetry between the reach of a big, flashy announcement (here: bun was re-written in memory-safe rust in a couple weeks), and the relatively small reach of a correction (often just a footnote on an old article, here a GH issue).
This asymmetry is well understood by marketing and PR professionals, and actively exploited.
Hmmm, given the general mood in this case, I feel like there's a lot of people keen to find any criticism of the code they can and amplify it as possible. Most of it strikes me as relatively shallow at the moment, though (that is, apart from the fact that merging such a large LLM assisted port is certainly a, uh _bold_ move (to put it lightly), there's not much that people are pointing out about the actual result that feels like it's worse than any other port in progress, but there is definitely a lot of hay being made about any issue that is found).
> Most of it strikes me as relatively shallow at the moment
It is. We’re what, a week into this exercise? Absolutely everyone criticizing it, with no exceptions, is behaving like a micromanaging middle manager who couldn’t even dream of doing the work themselves.
I half want to start a list of “people to ignore”, but such people tend to expose themselves in every other comment anyway.
Pretty typical of reddit-resembling sites like HN. People here are very politically, uh, involved.
https://news.ycombinator.com/newsguidelines.html
> Please don't post comments saying that HN is turning into Reddit. It's a semi-noob illusion, as old as the hills.
I did not say that HN is turning into reddit nor indicate any view on any way in which HN is trending. Remarking that Reddit and HN are similar is not rule breaking, they are both vote systems, etc.
> a big, flashy announcement (here: bun was re-written in memory-safe rust in a couple weeks)
Did they even claim it was "memory-safe"? Every discussion of this topic has had dozens of comments noting that their vibed codebase is bursting at the seams with unaudited unsafe blocks, lightly reviewed by people who seem to not only seem to not understand Rust, but who seem incensed at the idea of needing to understand any programming language in the first place.
No, and there's been a lot of confusion about that on this website.
They did cite Rust's safety as a motivating factor for the port. That doesn't imply trying to achieve that simultaneously with the language change — which is good, because that would be insane. (Or, if you prefer, even more insane.)
You cannot faithfully port a codebase to a new language while also radically re-architecting it. You have to choose.
They want the safety benefits of Rust going forward; i.e., after it's finished, when they then write new code in Rust.
Yeah, exactly. The typical approach is to do a mechanical translation such as with rust2c, that is full of unsafe, and then gradually refactor safety in.
But nobody makes announcements and blog posts about running that.
There's several blog posts here. https://www.memorysafety.org/initiative/av1/
And the first post is about the team working on the project, with about two and a half sentences on c2rust, and making it very clear they just started.
The newer posts go into detail about the rearchitecting that follows.
And indeed, the bun team has not done that
Did they not make the announcement? And they definitely promised a blog post even if it's not out yet.
> Did they even claim it was "memory-safe"?
they didn't,
actually the port is trying to be mostly 1:1 and in turn is mostly unsafe rust, which means no benefits initially
but also doing the 1:1 port to mostly unsafe rust is also only the first step of a full port, you then incrementally go through it fixing issues and remove "unsafe" usage. (And long term likely also doing some refactoring to using more idiomatic rust, but that has less priority).
The problem is there was no blog port describing the whole thing to someone without contextual knowledge. Instead just linked PRs which is in this case somewhat close to a "as if nearly all people only read the HN headline" case :/
Like a more context giving version of the first HN post would have something on the line of `Show HN: Bun is porting to safe rust (PR link), starting with an AI based automatized port to mostly unsafe rust which once it behaves mostly the same as Bun in the test suite will likely be merged. But must be followed up with incremental PRs to remove unsafeness, and likely also a lot of unsoundness related to the way it's ported (some explanation about why this port will have unsoundness).`
They didn't need to - much of the popular hype around rust is on the back of uninformed spectators confusing Rust's tools for enabling memory-safety (good, warranting hype) with Rust itself guaranteeing automatic memory safety (fantasy).
The author kept bragging about classes of bugs that would not happen with Rust.
A bug-for-bug port to Rust is the first step to fixing that. Assuming the port is actually 1:1 without any behavioral changes, these bugs already exist in the Zig code. The difference is now it's known where effort can be dedicated in order to one day have a memory-safe release of Bun. People have absolutely lost their mind over this and completely forgotten the benefits Rust gives you. I feel like I've gone back 10 years reading threads about the Rust port of Bun these are the exact same arguments we see from people advocating continued use of C++.
> Assuming the port is actually 1:1 without any behavioral changes, these bugs already exist in the Zig code
The "1:1" assumption is a massive unjustified assumption. Rust and Zig have different memory models, so it's possible to do a "1:1" translation of Zig code to Rust and end up with undefined behavior in Rust.
For example, Zig code might make assumptions about lifetimes based on implicit knowledge of which allocator was used for some memory. That could cause problems in Rust if you erase the lifetime https://github.com/oven-sh/bun/blob/main/src/bun_core/string...
> Assuming the port is actually 1:1 without any behavioral changes
It's not, that's clear from this kind of bug popping up. Functionally this bug exists because `PathString` was converted into a "safe" Rust API but still works the same internally as the original Zig code did (via using `unsafe`), that introduces UB that wasn't there in the Zig code.
If it was attempting to be a 1:1 with no behavior changes (like c2Rust attempts to do) then this would not have been turned into a "safe" Rust API like this.
[flagged]
Quite to the contrary to what you write, many people pushing for Rust explicitly recommend to be very restrictive about touching existing, battle tested code and only rewrite it if you're substantially refactoring it anyways, or if it is a critical exposed piece of functionality - such as media codecs for example, which have a long history of being broken. The winning strategy that for example the google android team pursues is to not rewrite existing code, but write all new code in Rust, because real-world data shows that vulnerabilities in existing code follow a decay curve - most issues are detected in the early life of the code. That's the strategy that Firefox uses, too. (Though I'm curious about how LLMs change that equation because deteting errors in rarely used code path' seems to be what they're doing well)
And indeed, this is very much what Rust was designed to do with the ability to interface with existing C/C++ code in both directions. So this is the strategy that the designers of the language had in mind from the early days. It's a deliberate choice to offer this, and not an emergent property that was later discovered.
> many people pushing for Rust
You have couched this correctly, because we all know there are people out there who do go around yelling "Rewrite it in X" without thought (where X is the flavour of the month)
I also wanted to say - your description of the /right/ way to align a project with tech X is a restatement of Martin Fowler's "Strangler pattern"
Can you edit your post - "equation because deteting errors" is ambiguous - deleting, or detecting - I cannot work out which you mean
And yet, all I ever see are attacks against these convenient bogeymen with artistic exaggerations like yours... but I never see the bogeymen themselves.
You've never seen the Rust evangelists?
I am genuinely jealous.
Also, I know you made a typo, but it did make me laugh
Bogeymen is what you meant
Boogymen reminds me of the joke in Millenium Man (How do you make a handkerchief dance - put a little boogie in it)
I actually have not, for real. And I keep getting beaten up here on HN just for daring to say it.
Makes you think who is who in this situation. Bullies screaming they are the victims.
A quick scan of your comment history suggests that you see one every day ;)
And - the number of times I have been grossly downvoted for daring to utter a true word about Rust (or even Rust adjacent) will let you know your non-existent Rust evangelists are indeed the bullies - with one now screaming that he is a victim.
If you want definitive proof - look at this sub thread where you're so triggered that people talk about the mere existence of Rust evangelists (and evangelists exist for every tech - they always have and always will - which you would know given your [claimed] history in the field) that you want to argue they they aren't evangelists, they're just poor misunderstood victims.
Note: I say claimed not as a jab but because I don't know you and can only go on your claims in your profile.