
CONCEPT Cited by 1 source

Sandbox poisoning

Definition

Sandbox poisoning is the failure class in which a single request's crash leaves a shared sandbox in an undefined state, so that subsequent requests served by the same sandbox can produce arbitrary — often silent — incorrect behaviour. The per-request blast radius of the original failure widens to every request that touches the poisoned instance.

The canonical instance in this wiki sits at the Wasm-instance tier: a Rust panic on wasm32-unknown-unknown compiled with panic=abort traps with the unreachable instruction, surfaces in JavaScript as a WebAssembly.RuntimeError, and, because a trap does not unwind, runs no destructors and leaves the instance's linear memory and globals in whatever half-written condition the panicking code stopped in. Stock wasm-bindgen pre-2026-04 had no mechanism to recover the instance. Per the Cloudflare source:

"An unhandled Rust abort in a Worker affecting one request might escalate into a broader failure affecting sibling requests or even continue to affect new incoming requests."

The "new incoming requests" clause is what makes this a distinct class from ordinary blast-radius concerns: the failure outlives the failing request. The corrupted instance keeps serving until the embedder discards it, so requests that arrive later and never touch the crashing code path are affected too.

Why it's especially bad for stateful workloads

Workers holding meaningful in-memory state, typified by Durable Objects in Cloudflare's case, face a compounding risk: "A single panic in one request could wipe the in-memory state being used by other concurrent requests." Reinitialising the instance to recover from a stock panic=abort crash destroys that shared state, even for requests that were in flight and otherwise fine.

Remediation stack

Sandbox poisoning is contained in two layers, each addressing a different class of failure:

  1. Recoverable unwinds (concepts/panic-unwind) on Wasm, built on Wasm Exception Handling. Destructors run, state is preserved, the instance remains valid and reusable. Addresses the .unwrap() / assert! / explicit panic!() class.
  2. Non-recoverable aborts (concepts/abort-recovery) via Exception.Tag plus a set_on_abort hook. The embedder detects a genuine abort (OOM, corrupted state) and reinitialises the instance. Addresses the class of failures that cannot unwind. "The invalid state does not persist, ensuring a single failure does not cascade into multiple failures."

The two layers compose: unwind for the common case (state preserved); reinitialise for the rare non-unwindable case (state lost, but service continues).
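The two layers, and the stateful-workload risk above, as an added native-Rust model (this is not wasm-bindgen's or Cloudflare's code). std::panic::catch_unwind stands in for Wasm Exception Handling catching the unwind at the instance boundary, and a panic payload type named AbortMarker stands in for the Exception.Tag that lets the embedder tell a genuine abort from an ordinary panic; ObjectState, Request, Sandbox and the request script are constructed for the demo. A Sandbox built with unwind_supported = false models stock panic=abort, where every panic forces a reinitialisation and the shared state is lost.

```rust
use std::cell::RefCell;
use std::collections::HashMap;
use std::panic::{self, AssertUnwindSafe};

/// Constructed stand-in for a Durable Object's in-memory state.
#[derive(Debug, Default)]
struct ObjectState {
    counters: HashMap<String, u64>,
    requests_served: u64,
}

/// Constructed request types for the demo.
#[derive(Debug, Clone)]
enum Request {
    Incr(String),
    /// An ordinary bug: `.unwrap()` on `None`. Unwindable.
    BuggyUnwrap,
    /// Stand-in for a failure that cannot unwind (OOM, corrupted state).
    FatalAbort,
}

/// Assumption: a tagged panic payload plays the role of the Exception.Tag
/// that marks a genuine abort (native Rust has no Wasm exception tags).
struct AbortMarker;

#[derive(Debug, PartialEq)]
enum Outcome {
    Served(u64),
    Recovered,     // panic unwound; destructors ran, state preserved
    Reinitialised, // abort detected; state discarded, fresh instance
}

/// Per-request handler running "inside" the sandbox. It mutates shared state
/// through a RefCell, which is exactly where a mid-request panic leaves
/// things half-written.
fn handle(state: &RefCell<ObjectState>, req: &Request) -> u64 {
    let mut s = state.borrow_mut(); // RefMut guard: its Drop releases the borrow
    s.requests_served += 1; // first half of the update
    match req {
        Request::Incr(name) => {
            let c = s.counters.entry(name.clone()).or_insert(0);
            *c += 1;
            *c
        }
        Request::BuggyUnwrap => {
            let missing: Option<u64> = None;
            missing.unwrap() // panics while the borrow is still held
        }
        Request::FatalAbort => panic::panic_any(AbortMarker),
    }
}

/// The embedder side: owns the instance and decides how to recover.
struct Sandbox {
    state: RefCell<ObjectState>,
    /// false models stock panic=abort: nothing unwinds, every panic is a trap.
    unwind_supported: bool,
    reinits: u32,
}

impl Sandbox {
    fn new(unwind_supported: bool) -> Self {
        Sandbox { state: RefCell::new(ObjectState::default()), unwind_supported, reinits: 0 }
    }

    fn serve(&mut self, req: &Request) -> Outcome {
        // catch_unwind models the instance boundary; AssertUnwindSafe because
        // we deliberately inspect the shared state afterwards.
        let result = panic::catch_unwind(AssertUnwindSafe(|| handle(&self.state, req)));
        match result {
            Ok(v) => Outcome::Served(v),
            Err(payload) if self.unwind_supported && !payload.is::<AbortMarker>() => {
                // Layer 1: ordinary panic. The RefMut was dropped during the
                // unwind, so the borrow flag is clear and the counters are intact.
                Outcome::Recovered
            }
            Err(_) => {
                // Layer 2 (or stock panic=abort): memory is untrustworthy; discard it.
                self.state = RefCell::new(ObjectState::default());
                self.reinits += 1;
                Outcome::Reinitialised
            }
        }
    }

    fn requests_served(&self) -> u64 { self.state.borrow().requests_served }
    fn reinits(&self) -> u32 { self.reinits }
}

fn main() {
    panic::set_hook(Box::new(|_| {})); // keep the demo output to the outcomes
    let script = [
        Request::Incr("hits".into()), Request::BuggyUnwrap, Request::Incr("hits".into()),
        Request::FatalAbort, Request::Incr("hits".into()),
    ];
    for unwind in [true, false] {
        let mut sb = Sandbox::new(unwind);
        println!("unwind_supported = {}", unwind);
        for req in &script {
            let out = sb.serve(req);
            println!("  {:?} -> {:?} (served={}, reinits={})", req, out, sb.requests_served(), sb.reinits());
        }
    }
}
```

Two things the run makes visible. First, the unwind path keeps the instance usable precisely because destructors run: the RefMut guard is dropped during the unwind, so the next request can borrow_mut again. In the stock panic=abort model nothing unwinds, so the borrow flag would stay set in linear memory and the next request would itself panic with an "already borrowed" error, which is the sandbox-poisoning pattern in miniature. Second, unwinding preserves state but does not make the handler transactional: requests_served was already incremented when BuggyUnwrap panicked, so the recovered instance carries that half-written update forward, and a handler that needs all-or-nothing semantics still has to stage its writes itself.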
