<h1 id="accepting-strings"><a class="header" href="#accepting-strings">Accepting Strings</a></h1>
<h2 id="description"><a class="header" href="#description">Description</a></h2>
<p>When accepting strings via FFI through pointers, there are two principles that
should be followed:</p>
<li>Keep foreign strings &quot;borrowed&quot;, rather than copying them directly.</li>
<li>Minimize the amount of complexity and <code>unsafe</code> code involved in converting
from a C-style string to native Rust strings.</li>
<h2 id="motivation"><a class="header" href="#motivation">Motivation</a></h2>
<p>The strings used in C have different behaviours to those used in Rust, namely:</p>
<li>C strings are null-terminated while Rust strings store their length</li>
<li>C strings can contain any arbitrary non-zero byte while Rust strings must be
<li>C strings are accessed and manipulated using <code>unsafe</code> pointer operations
while interactions with Rust strings go through safe methods</li>
<p>The Rust standard library comes with C equivalents of Rust's <code>String</code> and <code>&amp;str</code>
called <code>CString</code> and <code>&amp;CStr</code>, that allow us to avoid a lot of the complexity
and <code>unsafe</code> code involved in converting between C strings and Rust strings.</p>
<p>The <code>&amp;CStr</code> type also allows us to work with borrowed data, meaning passing
strings between Rust and C is a zero-cost operation.</p>
<h2 id="code-example"><a class="header" href="#code-example">Code Example</a></h2>
<pre><code class="language-rust ignore">pub mod unsafe_module {
// other module content
/// Log a message at the specified level.
/// # Safety
/// It is the caller's guarantee to ensure `msg`:
/// - is not a null pointer
/// - points to valid, initialized data
/// - points to memory ending in a null byte
/// - won't be mutated for the duration of this function call
pub unsafe extern &quot;C&quot; fn mylib_log(
msg: *const libc::c_char,
level: libc::c_int
) {
let level: crate::LogLevel = match level { /* ... */ };
// SAFETY: The caller has already guaranteed this is okay (see the
// `# Safety` section of the doc-comment).
let msg_str: &amp;str = match std::ffi::CStr::from_ptr(msg).to_str() {
Ok(s) =&gt; s,
Err(e) =&gt; {
crate::log_error(&quot;FFI string conversion failed&quot;);
crate::log(msg_str, level);
<h2 id="advantages"><a class="header" href="#advantages">Advantages</a></h2>
<p>The example is is written to ensure that:</p>
<li>The <code>unsafe</code> block is as small as possible.</li>
<li>The pointer with an &quot;untracked&quot; lifetime becomes a &quot;tracked&quot; shared
<p>Consider an alternative, where the string is actually copied:</p>
<pre><code class="language-rust ignore">pub mod unsafe_module {
// other module content
pub extern &quot;C&quot; fn mylib_log(msg: *const libc::c_char, level: libc::c_int) {
let level: crate::LogLevel = match level { /* ... */ };
let msg_len = unsafe { /* SAFETY: strlen is what it is, I guess? */
let mut msg_data = Vec::with_capacity(msg_len + 1);
let msg_cstr: std::ffi::CString = unsafe {
// SAFETY: copying from a foreign pointer expected to live
// for the entire stack frame into owned memory
std::ptr::copy_nonoverlapping(msg, msg_data.as_mut(), msg_len);
msg_data.set_len(msg_len + 1);
let msg_str: String = unsafe {
match msg_cstr.into_string() {
Ok(s) =&gt; s,
Err(e) =&gt; {
crate::log_error(&quot;FFI string conversion failed&quot;);
crate::log(&amp;msg_str, level);
<p>This code in inferior to the original in two respects:</p>
<li>There is much more <code>unsafe</code> code, and more importantly, more invariants it
must uphold.</li>
<li>Due to the extensive arithmetic required, there is a bug in this version
that cases Rust <code>undefined behaviour</code>.</li>
<p>The bug here is a simple mistake in pointer arithmetic: the string was copied,
all <code>msg_len</code> bytes of it. However, the <code>NUL</code> terminator at the end was not.</p>
<p>The Vector then had its size <em>set</em> to the length of the <em>zero padded string</em> --
rather than <em>resized</em> to it, which could have added a zero at the end.
As a result, the last byte in the Vector is uninitialized memory.
When the <code>CString</code> is created at the bottom of the block, its read of the
Vector will cause <code>undefined behaviour</code>!</p>
<p>Like many such issues, this would be difficult issue to track down.
Sometimes it would panic because the string was not <code>UTF-8</code>, sometimes it would
put a weird character at the end of the string, sometimes it would just
completely crash.</p>
<h2 id="disadvantages"><a class="header" href="#disadvantages">Disadvantages</a></h2>
