Merged at the Speed of AI

taubek1 pts0 comments

Merged at the Speed of AI - by Luka Kladarić

The Chaos Guru

SubscribeSign in

Merged at the Speed of AI<br>Bun bought more verification than anyone has ever bought for a rewrite and still shipped 19 bugs no test caught

Luka Kladarić<br>Jul 13, 2026

Share

In May, Bun, the JavaScript runtime that ships inside Claude Code, replaced its entire core. About a million lines of Zig became a million lines of Rust: +1,009,272 lines, 6,502 commits, on a branch named claude/phase-a-port, merged May 14. Bun’s founder Jarred Sumner didn’t pretend a human typed it: “we haven’t been typing code ourselves for many months now.” The press ran with merged at the speed of AI and moved on.<br>After two months of silence, Bun published their promised follow up article last Wednesday. Zig’s creator Andrew Kelley published a response the following day, blunt enough that people called it a meltdown. Finally, legacy code veteran Ray Myers published his takedown of the whole spectacle on Sunday.<br>Seemingly opposed, but if you strip the venom... all three are making the same argument.<br>Three stories, one merge

Bun’s story is memory safety. The post opens with a bugfix list that reads like a confession: use-after-free in node:zlib, double-free in the CSS parser, a leaked SSL_SESSION per call. Mixing a garbage-collected JavaScript engine with manually-managed Zig memory meant every allocation was a small bet, and the team kept losing a few bets per week. Rust’s compiler turns that class of bug into a compile error. That’s the whole stated rationale. The Zig politics appear nowhere in it: not the ban on AI contributions, not the compiler fork Bun couldn’t upstream.<br>Kelley’s story is that it was never the language. The Zig team read Bun’s code for years and was, in his words, horrified: “Hacks on top of hacks.” Slop, he says, well before vibe coding was a thing. The relationship was already dead. The $60k/year donation to the Zig Software Foundation silently stopped after the Anthropic acquisition, scheduled meetings went ignored, and when the rewrite was announced, “we were ecstatic.” What the press pegged as a one sided escape turns out to be a divorce both sides wanted .<br>Myers’s story is that the decision was marketing. Real memory bugs, several viable fixes. Management picked the one that doubles as a showcase for the new model, with a trillion-dollar valuation to feed. His sharpest line: the marketing had to focus on how the AI was powerful enough to do the rewrite, “even though it was not powerful enough to catch a use-after-free.” He also lists what the rationale post doesn’t have: a pros-and-cons section, any mention of compilation speed, and a “Bun is better in Rust” section padded with wins unrelated to the rewrite.<br>One contradiction sits unresolved between them. Bun’s post says they fuzz runtime APIs 24/7 with Fuzzilli. Kelley says that on calls, the Bun team told ZSF they weren’t fuzzing anything. His first version called that an “outright fabrication,” a charge he deleted within a day.<br>And a detail I can’t resist, because this is an essay about verification: of the three posts, the angriest one is the only one with a public edit history. Kelley rewrote his conclusion in an open git repo, admitting his resentment “was obvious to the reader, but not to myself,” and apologizing to Zig users caught in the blast. He invites you to diff him.<br>The part they agree on

Bun’s defense of merging a million unreviewed-by-humans lines is that the test suite passed. All of it: ~60,000 tests, 1.38 million assertions, zero skipped, green on six platforms. Kelley’s counterattack is a single question: if that suite is good enough to certify a million lines of machine-written Rust, “Then why are you saying you have so many annoying bugs in the Zig code?” The same suite let those bugs through for years. Myers makes the same point from the outside. The model that wrote the port couldn’t catch a use-after-free.<br>Attacker and defender are standing on the same fact. A green test suite is not verification. Bun’s own postmortem proves it with a number, and the number is 19.<br>What $165,000 of verification bought

Let’s be fair first, because the lazy version of this essay (the one I almost published in June) said Bun merged on faith. They didn’t.<br>How do you review a pull request with a million added lines? Bun’s honest answer: you don’t. You review the process that writes the code, and you fix the process when it fails. Before any code, they wrote a PORTING.md mapping Zig patterns to Rust patterns and a LIFETIMES.tsv tracing the ownership of every struct field, both adversarially reviewed before use. Then the harness: one Claude implements, two separate Claudes review, each in its own context window, given only the diff, told to assume the code is wrong. At peak, 64 Claudes ran in parallel for 11 days. Total bill: 5.9 billion uncached input tokens, around $165,000 at API pricing.<br>And the adversarial reviewers earned their tokens. They caught a use-after-free...

code merged million lines after speed

Related Articles