Hacker News

aw1621107, yesterday at 2:52 AM, 0 replies

> Ownership was not the problem, concurrent mutation was.

I think the safety comment might have been more on-point than you think. If you look at the original code, it did something like:

- Take a lock
- Swap a `Node`'s `death_list` (i.e., a list of `NodeDeath`s) with an empty one
- Release the lock
- Iterate over the taken `death_list`

While in another thread, you have a `NodeDeath`:

- Take a lock
- Get its parent's `death_list`
- Remove itself from said list
- Release the lock

The issue is what happens when a `NodeDeath` from the original list tries to remove itself after the parent Node swapped its `death_list`. In that case, the `NodeDeath` grabs the replacement list from its parent node, and the subsequent attempt to remove itself from the replacement list violates the precondition in the safety comment.

> Why rewrite in Rust if we don't apply extreme scrutiny to the tiny subset (presumably) that should be scrutinized.

That "extreme scrutiny" was applied does not guarantee that all possible bugs will be found. Humans are only human, after all.
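The interleaving the comment describes, replayed deterministically as an added example. This is illustrative code written for this page, not the driver code under discussion: the intrusive list is modelled as a `Vec` of `Arc`s, the safety comment's precondition ("the `NodeDeath` is in the list it is being removed from") is made explicit as an `Err` instead of undefined behaviour, and the `in_node_list` flag plus `take_deaths_fixed` are one hypothetical fix, not the project's. `Node`, `NodeDeath`, `death_list` and the step order come from the comment; everything else is assumed.

```rust
use std::sync::atomic::{AtomicBool, Ordering};
use std::sync::{Arc, Mutex, Weak};

/// Model of the parent node. Only the death list matters here.
struct Node {
    death_list: Mutex<Vec<Arc<NodeDeath>>>,
}

/// Model of a death notification that can unlink itself from its parent.
struct NodeDeath {
    id: u32,
    node: Weak<Node>,
    /// Hypothetical fix (assumption): true while this death sits in the node's
    /// live `death_list`. Only read or written while the node's lock is held.
    in_node_list: AtomicBool,
}

impl Node {
    fn new() -> Arc<Node> {
        Arc::new(Node { death_list: Mutex::new(Vec::new()) })
    }

    fn add_death(self: &Arc<Self>, id: u32) -> Arc<NodeDeath> {
        let d = Arc::new(NodeDeath {
            id,
            node: Arc::downgrade(self),
            in_node_list: AtomicBool::new(true),
        });
        self.death_list.lock().unwrap().push(d.clone());
        d
    }

    /// First thread, as described: lock, swap the list for an empty one, unlock.
    /// The caller then iterates the returned list without the lock.
    fn take_deaths_buggy(&self) -> Vec<Arc<NodeDeath>> {
        let mut guard = self.death_list.lock().unwrap();
        std::mem::take(&mut *guard)
    }

    /// Same swap, but while the lock is still held every taken death is marked
    /// as no longer belonging to the node's list (assumed fix).
    fn take_deaths_fixed(&self) -> Vec<Arc<NodeDeath>> {
        let mut guard = self.death_list.lock().unwrap();
        let taken = std::mem::take(&mut *guard);
        for d in &taken {
            d.in_node_list.store(false, Ordering::SeqCst);
        }
        taken
    }
}

impl NodeDeath {
    /// Second thread, as described: lock, fetch the parent's *current* list,
    /// remove ourselves. Err stands in for the violated safety precondition.
    fn unlink_buggy(self: &Arc<Self>) -> Result<(), &'static str> {
        let node = self.node.upgrade().ok_or("parent node gone")?;
        let mut list = node.death_list.lock().unwrap();
        match list.iter().position(|d| Arc::ptr_eq(d, self)) {
            Some(i) => {
                list.remove(i);
                Ok(())
            }
            None => Err("NodeDeath is not in the parent's death_list: precondition violated"),
        }
    }

    /// Fixed unlink (assumed fix): check the flag under the same lock, so a death
    /// whose list was swapped out never touches the replacement list.
    fn unlink_fixed(self: &Arc<Self>) -> Result<(), &'static str> {
        let node = self.node.upgrade().ok_or("parent node gone")?;
        let mut list = node.death_list.lock().unwrap();
        if !self.in_node_list.load(Ordering::SeqCst) {
            return Ok(()); // already detached by take_deaths_fixed; nothing to remove
        }
        let i = list
            .iter()
            .position(|d| Arc::ptr_eq(d, self))
            .expect("flag says present, so the list must contain us");
        list.remove(i);
        self.in_node_list.store(false, Ordering::SeqCst);
        Ok(())
    }
}

/// Replays the race: thread A swaps the list, then thread B (a death from the
/// old list) unlinks. Returns the unlink result and whether that death is still
/// in the taken list thread A is about to iterate.
fn replay(fixed: bool) -> (Result<(), &'static str>, bool) {
    let node = Node::new();
    let d1 = node.add_death(1);
    let _d2 = node.add_death(2);
    let taken = if fixed { node.take_deaths_fixed() } else { node.take_deaths_buggy() };
    let res = if fixed { d1.unlink_fixed() } else { d1.unlink_buggy() };
    let still_in_taken = taken.iter().any(|d| Arc::ptr_eq(d, &d1) && d.id == 1);
    (res, still_in_taken)
}

fn main() {
    println!("buggy: {:?}", replay(false));
    println!("fixed: {:?}", replay(true));
}
```

The buggy replay returns `Err`, which is the point of the original safety comment: the `NodeDeath` was taken out of the node's list by the swap, but its own unlink path has no way to know that and goes looking for itself in the replacement list. The flag-based variant only works because the flag is set and checked under the same lock that protects the swap; checking it outside the lock would reintroduce the race.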