CONCEPT Cited by 1 source
Unhandled Rust panic
A Rust worker thread aborts because a .unwrap(),
.expect(), assertion, or explicit panic!() was hit without
a handler. Behaviorally equivalent to an unhandled exception in
other languages — the thread dies mid-request, and downstream
requests served by that thread return 5xx until the worker
restarts.
The Rust type system structurally prevents the nil-dereference
/ null-pointer class (see concepts/program-correctness /
concepts/memory-safety) but does not prevent the panic
class: the programmer chose .unwrap() instead of handling the
Err/None arm.
```rust
let n: Result<usize, _> = parse_feature_count(&file);
let n = n.unwrap(); // panics if Err
assert!(n <= 200, "feature file over cap"); // panics if false
```
Both lines compile cleanly. The type system was satisfied; the failure-mode discipline was not.
Canonical instance
sources/2025-11-18-cloudflare-outage-on-november-18-2025 —
FL2's Bot Management module bounds-checked the feature file's
row count against its preallocated 200-feature cap via
.unwrap(). On a doubled feature file (upstream ClickHouse
permission migration), the check failed:
Every request hitting the bots module returned HTTP 5xx. ~3 hours of core-traffic outage. The absence of a fail-open arm was the bug, not the language choice.
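An added example, not code from this page or from Cloudflare's FL2: the page's .unwrap()/assert! pattern beside a fail-open version that rejects an oversized or malformed feature file and keeps serving with the last-known-good count. The row format, parse_feature_count and FEATURE_CAP are assumptions for the example.

```rust
/// Preallocated cap, mirroring the assert in the snippet above.
pub const FEATURE_CAP: usize = 200;

#[derive(Debug, Clone, PartialEq)]
pub enum LoadError { Parse(String), OverCap(usize) }

/// Constructed feature file: `n` rows of "name,weight".
pub fn make_feature_file(n: usize) -> String {
    (0..n).map(|i| format!("f{i},1.0\n")).collect()
}

/// Count rows; a malformed weight is an Err, never a panic.
pub fn parse_feature_count(file: &str) -> Result<usize, LoadError> {
    let mut n = 0;
    for line in file.lines() {
        let weight = line.split(',').nth(1).unwrap_or("");
        if weight.parse::<f64>().is_err() {
            return Err(LoadError::Parse(line.to_string()));
        }
        n += 1;
    }
    Ok(n)
}

/// The page's pattern: type-checks, but a doubled file kills the thread.
pub fn feature_count_panicking(file: &str) -> usize {
    let n = parse_feature_count(file).unwrap(); // panics if Err
    assert!(n <= FEATURE_CAP, "feature file over cap"); // panics if false
    n
}

#[derive(Debug, Clone, PartialEq)]
pub enum Outcome {
    Applied(usize),                                      // new file accepted
    KeptPrevious { previous: usize, reason: LoadError }, // rejected; log, keep serving
}

/// Fail-open arm: reject the bad file, keep the last-known-good count, stay up.
pub fn feature_count_fail_open(file: &str, previous: usize) -> Outcome {
    match parse_feature_count(file) {
        Ok(n) if n <= FEATURE_CAP => Outcome::Applied(n),
        Ok(n) => Outcome::KeptPrevious { previous, reason: LoadError::OverCap(n) },
        Err(e) => Outcome::KeptPrevious { previous, reason: e },
    }
}

/// True if the panicking variant unwinds on `file` (what a worker thread would do).
pub fn panics_on(file: &str) -> bool {
    std::panic::catch_unwind(|| feature_count_panicking(file)).is_err()
}
```

The doubled file (400 rows against a 200 cap) is the page's canonical input: one variant unwinds, the other returns KeptPrevious and the request path keeps working.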
Contrast with the 2025-12-05 FL1 Lua bug
The 2025-12-05 outage is the symmetric case: a Lua nil-index exception on FL1 (which Rust's type system would have prevented), but again no fail-open path. Together the two incidents show that language choice eliminates one class of bug but not the absence-of-fail-open-path class — the latter sits above the language.
Remediation stance
Named explicitly in the 2025-11-18 post ("Reviewing failure modes for error conditions across all core proxy modules") and again in the 2025-12-05 post as "Fail-Open" Error Handling. See concepts/fail-open-vs-fail-closed.
Seen in
- sources/2025-11-18-cloudflare-outage-on-november-18-2025 — canonical wiki instance on FL2.
Related
- concepts/program-correctness
- concepts/memory-safety
- concepts/fail-open-vs-fail-closed
- concepts/nil-index-lua-bug — the Lua-side sibling failure class.
- concepts/hot-path