BUN RUST UB BUG: AUTopsy

THE DISSECTION

This is a live, confirmed instance of AI-generated Rust code shipping with a classic dangling pointer / use-after-free vulnerability—exactly the class of bugs Rust's type system was architected to eliminate at compile time.

The code path:

1. Box::new(*b"Hello World")     → heap-allocates [u8; 12]
2. PathString::init(&*test)       → takes &[u8] BORROWING that heap allocation
3. drop(test)                     → deallocates the heap memory
4. init.slice()                   → uses a pointer to freed memory

Line 97 constructs core::slice::from_raw_parts(ptr as *const u8, self.len()) where ptr references memory that no longer exists. This is Undefined Behavior by definition, not a theoretical concern. Miri caught it in testing. In release builds without sanitizers, this silently corrupts memory until it detonates in production.

THE CORE FALLACY

"AI can write Rust because Rust has strict rules."

This conflates pattern-matching syntax with understanding constraints. Rust's safety guarantees are enforced at the type/lifetime level—the compiler is a proof engine. AI generates text that looks like valid Rust, not proofs that are valid Rust. The ownership model isn't a style guide; it's a logical system with non-negotiable axioms. AI produces strings in the language of Rust while violating its semantics at the level of lifetimes, which are invisible to syntax-highlighting and almost entirely opaque to LLMs trained on corpus patterns.

THE HIDDEN ASSUMPTION SMUGGLED IN

The commenter assumes the problem is "not vibe coding" and "hire a real Rust dev." That's insufficient. The hidden assumption is that human review is a sufficient defense against AI-generated systems code. It isn't, for two reasons:

1. Reviewer bandwidth is bounded; LLM output volume is unbounded. A team with one senior Rust engineer can merge 50 AI-generated PRs per sprint. Code review cannot function as a proof system.
2. This specific bug would require deep Rust lifetime knowledge to catch reliably. A reviewer unfamiliar with interior mutability patterns and self-referential structs might glance past it. The bug is subtle even for competent Rust developers.

SOCIAL FUNCTION

This is a revelation of structural limits dressed as a dev forum comment. It surfaces a category error that's accelerating: systems-level infrastructure is being written by tools that don't understand the invariants that make the systems safe. The comedic framing ("vibe coding") masks a serious indictment of how AI-assisted development is being deployed in performance-critical, security-sensitive codebases.

DT LENS VERDICT

The Discontinuity Thesis predicts this pattern: cognitive automation produces artifacts that resemble correct output while violating the structural constraints that make the output correct. Rust's memory safety depends on lifetime proofs that are logically sound but syntactically invisible. AI generates the syntax; humans are supposed to supply the proof; humans increasingly don't, because volume pressure removes the time to do so.

Bun is a high-profile, production-deployed JavaScript runtime. This bug was caught by Miri in a test case. The question is how many equivalent dangling-pointer constructions exist in the rest of the codebase that haven't been caught, and whether the CI pipeline includes Miri runs for all unsafe blocks—which it almost certainly doesn't.

Verdict: A single bug, narrow scope. The pattern, however, is terminal for the assumption that AI-assisted systems code is viable without architectural-level changes to how correctness is verified. The moat around Rust's safety guarantees works when humans write Rust. It collapses when humans write prompts that write Rust.