Bun's unreleased Rust port has 13,365 unsafe blocks
4 hours ago
- #Unsafe Code Analysis
- #Bun Rust Audit
- #Software Security
- The Rust port of Bun is still unreleased; the build currently shipped is the original Zig implementation.
- The audit catalogues 13,365 unsafe sites, grouped by root cause: performance, patterns inherited from the Zig port, and FFI boundaries.
- Unsafe density is measured as unsafe sites per 1,000 lines of Rust and rises with proximity to C boundaries; comparisons with other projects need to account for Bun keeping its bindings and runtime in a single workspace.
- A site counts as fixed only if no safe code can reach undefined behavior in a release build; a debug assertion (compiled out in release) or a safe-looking wrapper around the same unsafe block does not qualify.
- Classification followed three guiding questions; each site was labelled by two independent classifiers, with an adjudicator resolving disagreements.
- Based on the pattern analysis and candidate fixes, the audit targets moving about 9,300 of the sites to safe code, leaving around 4,000 that remain unsafe.
- All data and measurements come from pre-release commit 3eb0fda021; the audit publishes its ripgrep commands and raw data files so the counts can be reproduced.
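As an added illustration of the density metric and of the replication note above (example code written for this page, not the audit's tooling and not Bun source), here is a small Rust scanner that counts `unsafe` keyword tokens and reports them per 1,000 non-blank lines. The `SAMPLE` input is constructed, and `count_unsafe_tokens`, `scan` and `per_kloc` are this example's own names.

```rust
// Added example for this page, not the audit's own tooling: count `unsafe`
// keyword tokens in Rust source and report density per 1,000 non-blank lines.
// Unlike a raw text search it skips line comments, nested block comments and
// ordinary string literals. Not handled: char literals such as '"' and raw
// strings with `#` delimiters.

/// Number of `unsafe` keyword tokens outside comments and string literals.
/// Covers `unsafe { }`, `unsafe fn`, `unsafe impl` and `unsafe trait` alike.
pub fn count_unsafe_tokens(src: &str) -> usize {
    let chars: Vec<char> = src.chars().collect();
    let n = chars.len();
    let (mut i, mut count) = (0, 0);
    while i < n {
        let c = chars[i];
        let next = chars.get(i + 1).copied();
        if c == '/' && next == Some('/') {
            // Line comment (also /// doc comments): skip to end of line.
            while i < n && chars[i] != '\n' {
                i += 1;
            }
        } else if c == '/' && next == Some('*') {
            // Block comment; Rust allows nesting, so track depth.
            let mut depth = 1;
            i += 2;
            while i < n && depth > 0 {
                if chars[i] == '/' && chars.get(i + 1) == Some(&'*') {
                    depth += 1;
                    i += 2;
                } else if chars[i] == '*' && chars.get(i + 1) == Some(&'/') {
                    depth -= 1;
                    i += 2;
                } else {
                    i += 1;
                }
            }
        } else if c == '"' {
            // String literal: skip to the closing quote, honouring escapes.
            i += 1;
            while i < n && chars[i] != '"' {
                if chars[i] == '\\' {
                    i += 1;
                }
                i += 1;
            }
            i += 1;
        } else if c == '_' || c.is_ascii_alphabetic() {
            // Identifier or keyword: only the whole token `unsafe` counts,
            // so `unsafe_helper` or `is_unsafe` do not.
            let start = i;
            while i < n && (chars[i] == '_' || chars[i].is_ascii_alphanumeric()) {
                i += 1;
            }
            if chars[start..i].iter().copied().eq("unsafe".chars()) {
                count += 1;
            }
        } else {
            i += 1;
        }
    }
    count
}

/// (unsafe tokens, non-blank lines) for one source text.
pub fn scan(src: &str) -> (usize, usize) {
    let lines = src.lines().filter(|l| !l.trim().is_empty()).count();
    (count_unsafe_tokens(src), lines)
}

/// Unsafe sites per 1,000 non-blank lines; 0.0 for empty input.
pub fn per_kloc(sites: usize, lines: usize) -> f64 {
    if lines == 0 { 0.0 } else { sites as f64 * 1000.0 / lines as f64 }
}

/// Constructed sample (not Bun source): three real unsafe sites plus the word
/// "unsafe" in a comment, a doc comment and a string, which must not count.
pub const SAMPLE: &str = r#"
// Constructed sample. The word unsafe in this comment is not a site.
/// Doc comment mentioning unsafe: still text.
pub fn call_ffi(p: *const u8) -> u8 {
    unsafe { *p }
}

pub unsafe fn raw_read(p: *const u8) -> u8 {
    *p
}

unsafe impl Send for Wrapper {}

fn message() -> &'static str {
    "this string says unsafe but is data"
}
"#;

fn main() {
    let (sites, lines) = scan(SAMPLE);
    println!("{sites} unsafe sites in {lines} non-blank lines = {:.1} per 1,000 lines",
        per_kloc(sites, lines));
}
```

On `SAMPLE` this reports 3 sites in 12 non-blank lines. A plain ripgrep line count of `unsafe` would also match the comment, doc-comment and string lines, so the two methods disagree on real code too; when reproducing the audit's figures, use its published commands rather than this scanner, which applies a stricter token-level rule.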
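Added example for the "fixed" criterion described above (written for this page, not taken from the audit or from Bun): three versions of one indexing helper, two that the criterion rejects and one it accepts. The function names are this example's own.

```rust
// Added example for this page, not code from the Bun audit: what the "fixed"
// criterion rules in and out. debug_assert! is compiled out whenever
// debug_assertions are disabled, which is the default for release builds.

/// Not fixed. The only bounds check is a debug_assert!, so in a release build
/// a safe caller passing an out-of-range index reads past the slice: undefined
/// behaviour reachable from safe code.
pub fn nth_debug_checked(xs: &[u32], i: usize) -> u32 {
    debug_assert!(i < xs.len(), "index {} out of range", i);
    // Nothing enforces i < xs.len() once the debug_assert! is gone.
    unsafe { *xs.get_unchecked(i) }
}

/// Not fixed either. A safe signature wrapped around the same unsafe block
/// changes nothing about whether safe callers can reach the UB above.
pub fn nth_wrapped(xs: &[u32], i: usize) -> u32 {
    nth_debug_checked(xs, i)
}

/// Fixed: safe code in every build profile, with the failure mode made
/// explicit as `None` instead of an out-of-bounds read.
pub fn nth_safe(xs: &[u32], i: usize) -> Option<u32> {
    xs.get(i).copied()
}

/// Whether debug assertions are active in this build, i.e. whether the
/// check in `nth_debug_checked` exists at all.
pub fn debug_assertions_enabled() -> bool {
    cfg!(debug_assertions)
}

fn main() {
    let data = [10u32, 20, 30];
    println!("debug assertions enabled: {}", debug_assertions_enabled());
    println!(
        "in bounds: {} {} {:?}",
        nth_debug_checked(&data, 1),
        nth_wrapped(&data, 1),
        nth_safe(&data, 1)
    );
    println!("out of bounds, safe version: {:?}", nth_safe(&data, 7));
    // nth_debug_checked(&data, 7) panics in a debug build and is UB in a
    // release build, so it is deliberately not called here.
}
```

Run with `cargo run --release` and `debug_assertions_enabled()` reports false: the check in `nth_debug_checked` no longer exists, which is exactly why the criterion refuses to count a debug assertion or a wrapper as a fix.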