Cloudflare fixes Rust Workers panic poisoning with new recovery model

Cloudflare has pushed Rust Workers closer to the kind of failure isolation Rust developers expect on native targets. The company said its new recovery model stops a panic or unexpected abort from leaving a Cloudflare Workers instance in an undefined state, closing off a bug class that could poison the runtime and spill over into sibling requests or later requests that should have stayed isolated.

That matters because Rust on Workers is not just a toy path anymore. Cloudflare compiles Rust to WebAssembly for its Workers platform, and the reliability problem sat in the middle of the Rust-to-JavaScript boundary, where wasm-bindgen generates the bindings many Workers apps rely on. Cloudflare said the missing ingredient was built-in recovery semantics, not just a one-off patch.

The new approach combines two defenses. First is support for panic=unwind, which keeps one failed request from contaminating the next. Second is abort recovery, which makes sure Rust code running on Wasm does not simply re-execute after an abort and wander into further undefined behavior. That is the kind of detail that sounds academic until you have a stateful edge service on the line and a single bad request can taint the whole process.

Cloudflare’s earlier mitigation path was clever, but it had tradeoffs. Starting with workers-rs version 0.6, the default path used a custom Rust panic handler, full application reinitialization, and Proxy-based indirection around the Rust-JavaScript boundary. That worked well enough for stateless handlers, but Cloudflare said reinitializing an app can throw away in-memory state, which is exactly the wrong thing for workloads like Durable Objects.

The company said the new recovery work was contributed back upstream into wasm-bindgen through collaboration inside the wasm-bindgen organization formed last year. The post was written by Guy Bedford, Hood Chatham, and Logan Gatlin, and Cloudflare framed the change as a production-hardening step for Rust at the edge, not a cosmetic cleanup.

The backdrop helps explain why this lands. Cloudflare first announced serverless Rust support for Workers on October 16, 2018, when it said code could be compiled to Wasm and uploaded to 150+ data centers. By August 14, 2023, Cloudflare was already saying it used Rust and Wasm in production for D1, Constellation, and Signed Exchanges. The workers-rs repository now shows about 3.4k stars and 905 commits, with visible support for a worker-build panic-unwind option and schedule_reinit() hooks tied to wasm-bindgen abort handling.

For Rust developers weighing whether an edge project can graduate from experiment to service, that is the real story. Panic poisoning used to be the kind of obscure runtime sharp edge that made people flinch before shipping. Cloudflare just made it a lot harder to fear.