FFI Code Review

Review Workflow

1. Check Cargo.toml -- Note Rust edition (2024 has breaking changes to extern blocks and unsafe attributes), build-dependencies (bindgen, cc, pkg-config), crate-type (cdylib, staticlib), and links key
2. Check build.rs -- Verify link directives (cargo:rustc-link-lib, cargo:rustc-link-search), bindgen configuration, and C source compilation
3. Check extern blocks -- Verify calling conventions, symbol declarations, and safety annotations
4. Check type layout -- Every type crossing FFI must be #[repr(C)] or a primitive FFI type
5. Check string and pointer handling -- CStr/CString usage, null checks, ownership transfers
6. Check callbacks -- extern "C" fn pointers, panic safety across FFI boundary
7. Verify before reporting -- Load beagle-rust:review-verification-protocol before submitting findings

Output Format

Report findings as:

[FILE:LINE] ISSUE_TITLE
Severity: Critical | Major | Minor | Informational
Description of the issue and why it matters.

Quick Reference

Review Checklist

extern Blocks and Calling Conventions

• Foreign function declarations use extern "C" (explicit, not bare extern)
• Edition 2024: extern "C" {} blocks written as unsafe extern "C" {}
• Functions exposed to C use extern "C" fn (not default Rust calling convention)
• Calling convention matches the foreign library ("C", "system" for Win32 API)
• #[link(name = "...")] specifies the correct library name
• #[link(name = "...", kind = "static")] used when statically linking

Symbol Management

• Exported functions use #[no_mangle] to preserve symbol names
• Edition 2024: #[no_mangle] written as #[unsafe(no_mangle)]
• Edition 2024: #[export_name = "..."] written as #[unsafe(export_name = "...")]
• #[link_name = "..."] used when Rust name differs from C symbol
• Exported items are pub (only public #[no_mangle] symbols appear in library output)

Type Layout

• Every struct/union crossing FFI has #[repr(C)] -- Rust's default layout is undefined
• Primitive types use std::ffi / std::os::raw equivalents (c_int, c_char, c_void)
• No bare i32 where C uses int -- use c_int (width varies by platform)
• Quirky C types like __be32 use byte arrays ([u8; 4]), not Rust integers
• Enums crossing FFI use #[repr(C)] or #[repr(u8)]/#[repr(u32)] with explicit discriminants
• C-style bitflag enums use a newtype around an integer (or bitflags crate), not a Rust enum
• #[non_exhaustive] on enums representing C enumerations that may gain new values

String Handling

• C strings use CStr (borrowed) or CString (owned), never &str or String
• CString::new() result is checked for interior null bytes (returns Err on \0)
• CString outlives any *const c_char pointer derived from it via .as_ptr()
• Incoming *const c_char validated with CStr::from_ptr() inside unsafe
• No assumption that C strings are valid UTF-8 -- use to_str() which returns Result
• OS paths use OsStr/OsString and CStr, not &str

Ownership and Allocation

• Clear ownership contract: who allocates, who frees
• Rust-allocated memory freed by Rust (Box::from_raw), C-allocated freed by C
• Box::into_raw / Box::from_raw paired correctly for heap transfers
• Vec::into_raw_parts used when passing arrays to C (pointer + length + capacity)
• Destructor functions exposed for every opaque Rust type given to C
• No Drop running on C-allocated memory (and vice versa)

Callbacks

• Callback types are extern "C" fn(...), not closures or fn(...)
• Callbacks use std::panic::catch_unwind to prevent panics from unwinding across FFI
• Callback context passed as *mut c_void with safe reconstruction at call site
• Option<extern "C" fn(...)> used for nullable function pointers (niche optimization)

Bindgen and Build Scripts

• Bindgen output reviewed for correctness (auto-generated types may need adjustment)
• -sys crate pattern used for raw bindings, separate crate for safe wrappers
• build.rs uses cargo:rustc-link-lib and cargo:rustc-link-search correctly
• links key in Cargo.toml prevents duplicate linking of the same native library
• Platform-specific bindings generated per-build (not checked in for a single platform)

Safety Documentation

• Every unsafe block has a // SAFETY: comment explaining invariants
• Every public FFI wrapper function documents safety requirements
• Edition 2024: unsafe fn bodies use explicit unsafe {} blocks around unsafe ops

Severity Calibration

Critical (Block Merge)

• Missing #[repr(C)] on types crossing FFI boundary (undefined memory layout)
• Wrong string handling: &str/String where CStr/CString required
• Ownership confusion: freeing C-allocated memory with Rust's allocator (or vice versa)
• Panic unwinding across FFI boundary without catch_unwind
• Using Rust enum for C bitflags (invalid discriminant = undefined behavior)
• Passing closure where extern "C" fn pointer required

Major (Should Fix)

• Missing safety documentation on unsafe blocks or public FFI functions
• No null pointer check on incoming *const T / *mut T before dereferencing
• CString dropped before its pointer is used by C (dangling pointer)
• Missing #[link(name = "...")] causing link failures on some platforms
• Edition 2024: extern block not marked unsafe extern
• Edition 2024: #[no_mangle] not wrapped in #[unsafe(...)]

Minor (Consider Fixing)

• Using i32 instead of c_int for C int (correct on most platforms but not portable)
• Missing #[non_exhaustive] on enums mapping to extensible C enumerations
• Verbose manual bindings where bindgen would be more maintainable
• Checked-in bindings without platform guards

Informational

• Suggestions to split raw bindings into a -sys crate
• Suggestions to add opaque wrapper types for distinct *mut c_void pointers
• Suggestions to use Option<NonNull<T>> for nullable pointers

Valid Patterns (Do NOT Flag)

• unsafe extern "C" {} in edition 2024 -- correct form for foreign declarations
• #[unsafe(no_mangle)] in edition 2024 -- correct form for symbol export
• Option<extern "C" fn(...)> for nullable callbacks -- niche optimization guaranteed
• Option<NonNull<T>> for nullable pointers -- zero-cost nullable pointer pattern
• *mut c_void for opaque C types -- standard when internal layout is irrelevant
• Distinct empty structs wrapping c_void for type-safe opaque pointers -- prevents pointer confusion
• CStr::from_bytes_with_nul_unchecked with compile-time literal -- safe when literal is known null-terminated
• extern "C-unwind" for controlled unwinding -- valid per RFC 2945
• include!(concat!(env!("OUT_DIR"), "/bindings.rs")) in bindgen crates -- standard pattern
• Box::into_raw / Box::from_raw pairs for ownership transfer -- correct pattern when paired

Before Submitting Findings

Load and follow beagle-rust:review-verification-protocol before reporting any issue.