Skip to content

PATTERN Cited by 2 sources

Rust replacement of dynamic-language hot path

A structural rewrite of an edge / request-path service from a dynamically-typed implementation (Lua-on-nginx, Python, Ruby, JavaScript) to Rust, motivated by a mix of performance and correctness goals. The correctness payoff is structural: whole classes of dynamic-language bugs (nil index, wrong-type coercion, missing-case branches) become compile-time errors rather than runtime exceptions.

Canonical instance

Cloudflare's FL1 → FL2 proxy migration. FL1 is Lua-on-nginx / OpenResty; FL2 is Rust. The 2025-12-05 post-mortem is the canonical wiki statement:

In our replacement for this code in our new FL2 proxy, which is written in Rust, the error did not occur. This type of code error is prevented by languages with strong type systems.

The FL1 Lua nil-index bug (see concepts/nil-index-lua-bug) was structurally impossible in the FL2 Rust rewrite without the specific bug being re-found and fixed during the rewrite. The type system did the work.

Not a panacea

Sibling wiki instance sources/2025-11-18-cloudflare-outage-on-november-18-2025 shows the limit of the pattern: FL2 (Rust) crashed 17 days before FL1 (Lua), because a .unwrap() on a feature-file-size bounds check panicked when an upstream ClickHouse permission migration caused the file to grow unexpectedly. The Rust type system structurally prevents nil-index-class bugs; it does not prevent:

Language choice eliminates one class of bug; it does not substitute for fail-open discipline or for ingest validation.

Sibling wiki instances of the broader migration pattern

Common framing (from multiple orgs): "New code → safe language at the margin" (Android team framing). You don't rewrite the world, but every new hot-path service gets a type system that prevents classical pointer / nil / coercion bugs by construction.

Seen in

Last updated · 200 distilled / 1,178 read