fix(ffi): eliminate aliasing UB + add Azure Policy JSON compilation FFI#727
Merged: anakrish merged 2 commits, May 22, 2026.
Pull request overview
Adds native (FFI) and C# bindings to compile Azure Policy JSON policy definitions directly into RVM programs, including support for context-dependent policy functions via a VM context document.
Changes:
- Introduces FFI APIs for Azure Policy JSON compilation (`regorus_compile_azure_policy_definition`) and for setting RVM ambient context (`regorus_rvm_set_context`).
- Adds C# surface area (`AzurePolicyCompiler.CompilePolicyDefinition`, `Rvm.SetContextJson`) plus example app usage and README documentation.
- Adds new Rust FFI tests and C# MSTest coverage for end-to-end compilation + execution scenarios; bumps binding versions to 0.10.1.
Reviewed changes
Copilot reviewed 13 out of 14 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| bindings/ffi/src/rvm.rs | Adds regorus_rvm_set_context to set ambient context JSON for Azure Policy execution. |
| bindings/ffi/src/compile.rs | Adds regorus_compile_azure_policy_definition to compile Azure Policy definition JSON into an RVM Program. |
| bindings/ffi/src/compile_tests.rs | New Rust-side FFI tests for Azure Policy JSON compilation + context execution. |
| bindings/ffi/src/alias_registry.rs | Adds helper to provide alias registry to compiler. |
| bindings/ffi/Cargo.toml | Bumps regorus-ffi version to 0.10.1. |
| bindings/ffi/Cargo.lock | Updates lockfile for regorus-ffi version bump. |
| bindings/csharp/TargetExampleApp/Program.cs | Adds Azure Policy JSON compilation demonstration. |
| bindings/csharp/Regorus/Rvm.cs | Adds SetContextJson wrapper over native regorus_rvm_set_context. |
| bindings/csharp/Regorus/Program.cs | Makes Program handle ctor internal to allow construction from new compiler API. |
| bindings/csharp/Regorus/NativeMethods.cs | Adds P/Invoke declarations for new Azure Policy compilation + context APIs. |
| bindings/csharp/Regorus/AzurePolicyCompiler.cs | New C# API to compile Azure Policy JSON definitions into RVM programs. |
| bindings/csharp/Regorus.Tests/AzurePolicyCompilerTests.cs | New C# tests for compile + evaluate flows (aliases, params, context). |
| bindings/csharp/README.md | Documents Azure Policy JSON evaluation workflow and VM context requirement. |
| bindings/csharp/Directory.Packages.props | Bumps C# package version to 0.10.1. |
Add to_shared_ref() helper that creates &T (shared reference) from raw pointers instead of &mut T. This eliminates undefined behavior caused by violating Rust's aliasing invariant when C# SafeHandle permits concurrent FFI calls on the same handle.

With &mut T, the compiler may assume exclusive (noalias) access and reorder or elide reads/writes — a miscompilation risk when another thread holds a reference to the same object. Switching to &T removes that assumption; actual mutation is mediated by the interior RwLock inside Handle<T>, which is the sole synchronization mechanism.

Migrated sites:
- rvm.rs: 20 non-drop call sites
- engine.rs: 30 non-drop call sites + with_unwind_guard for timer fns
- compiled_policy.rs: 2 call sites
- Fix null-data UB in regorus_program_deserialize_binary

Drop paths retain to_ref() where exclusive access is guaranteed by the caller contract (preventing use-after-free).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- AliasRegistry builder pattern: RegorusAliasRegistryBuilder (mutable, single-threaded) + RegorusAliasRegistry (immutable, Arc-wrapped)
- Azure Policy JSON compilation: regorus_compile_azure_policy_rule and regorus_compile_azure_policy_definition with alias registry support
- regorus_rvm_set_context for host-supplied ambient data
- C# AliasRegistryBuilder and AliasRegistry classes with convenience factories (FromJson, FromManifest, Empty)
- C# AzurePolicyCompiler static class for policy rule/definition compilation
- Compile functions take *const RegorusAliasRegistry (read-only via to_shared_ref for concurrent compilation safety)
- Fix pre-existing clippy warnings across multiple crates

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
dpokluda approved these changes (May 22, 2026).
dekomissMSFT approved these changes (May 22, 2026).
Summary
Two changes: a soundness fix for the FFI layer, and new Azure Policy JSON compilation bindings.
Commit 1: fix(ffi): eliminate aliasing UB via to_shared_ref migration
The previous `to_ref()` pattern created `&mut T` from raw pointers — instant UB under Rust's aliasing rules when C# `SafeHandle` permits concurrent FFI calls. The compiler may assume exclusive (noalias) access and reorder or elide reads/writes.

Fix: New `to_shared_ref()` helper creates `&T` (shared reference). Mutation is mediated solely by the interior `RwLock` inside `Handle<T>`. Migrated 52 call sites across `rvm.rs`, `engine.rs`, and `compiled_policy.rs`. Drop paths retain `to_ref()` where exclusive access is guaranteed by caller contract.

Also fixes null-data UB in `regorus_program_deserialize_binary` and adds `with_unwind_guard` to engine timer config functions.

Commit 2: feat(ffi): add Azure Policy JSON compilation FFI and C# bindings
- `RegorusAliasRegistryBuilder` (mutable, single-threaded) → `build()` → `RegorusAliasRegistry` (immutable, `Arc`-wrapped, thread-safe)
- `regorus_compile_azure_policy_rule` and `regorus_compile_azure_policy_definition` with optional alias registry
- `regorus_rvm_set_context` for host-supplied ambient data (resourceGroup, subscription, etc.)
- `AliasRegistryBuilder`, `AliasRegistry` (with `FromJson`/`FromManifest`/`Empty` factories), `AzurePolicyCompiler` static class

Design decisions
- `*const RegorusAliasRegistry` (read-only via `to_shared_ref`) for concurrent compilation safety
- `Arc<AliasRegistry>` avoids cloning — refcount bump only (note: `Rc` = `Arc` in this crate via `arc` feature)
- `Rc::try_unwrap` optimization avoids unnecessary `Program` clone
- `#[cfg(feature = "azure_policy")]`
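The `to_shared_ref` pattern from commit 1, as an added illustration that is not regorus' own code: a hypothetical `Handle<T>` whose interior `RwLock` is the only synchronization, a shared-reference accessor that maps null to `None`, an exported mutator hammered from several threads the way a shared C# `SafeHandle` would allow, and a drop path that is the one place exclusive ownership is reclaimed. The names `into_raw`, `counter_add`, `counter_free` and `demo_concurrent` are assumptions.

```rust
use std::{sync::RwLock, thread};
// Hypothetical handle modelled on the pattern the PR describes (not regorus' own
// code): the FFI hands out *const Handle<T>; the interior RwLock is the sole lock.
pub struct Handle<T> {
    inner: RwLock<T>,
}
pub fn into_raw<T>(value: T) -> *mut Handle<T> {
    Box::into_raw(Box::new(Handle { inner: RwLock::new(value) }))
}
/// The `to_shared_ref` idea: `&Handle<T>` makes no exclusivity (noalias)
/// promise, so concurrent calls on one C# SafeHandle are sound. Null -> None.
/// Safety: `ptr` is null or points to a live `Handle<T>` from `into_raw`.
pub unsafe fn to_shared_ref<'a, T>(ptr: *const Handle<T>) -> Option<&'a Handle<T>> {
    unsafe { ptr.as_ref() }
}

/// Exported mutator: 0 on success, -1 on a null handle. Mutation goes through
/// the write lock, never through a `&mut Handle` derived from the raw pointer.
pub unsafe extern "C" fn counter_add(handle: *const Handle<u64>, delta: u64) -> i32 {
    match unsafe { to_shared_ref(handle) } {
        Some(h) => { *h.inner.write().unwrap_or_else(|e| e.into_inner()) += delta; 0 }
        None => -1,
    }
}

/// Drop path: the caller contract guarantees no other reference exists, so
/// reclaiming exclusive ownership of the Box is sound here (and only here).
pub unsafe extern "C" fn counter_free(handle: *mut Handle<u64>) {
    if !handle.is_null() {
        drop(unsafe { Box::from_raw(handle) });
    }
}

/// Hammers one handle from several threads, as C# callers could through a
/// shared SafeHandle, and returns the final count (threads * per_thread).
pub fn demo_concurrent(threads: usize, per_thread: u64) -> u64 {
    let raw = into_raw(0u64);
    let addr = raw as usize; // raw pointers are not Send; ship the address instead
    let workers: Vec<_> = (0..threads)
        .map(|_| thread::spawn(move || {
            let h = addr as *const Handle<u64>;
            (0..per_thread).filter(|_| unsafe { counter_add(h, 1) == 0 }).count() as u64
        }))
        .collect();
    let ok_adds: u64 = workers.into_iter().map(|w| w.join().expect("worker panicked")).sum();
    let total = *(unsafe { to_shared_ref(raw as *const Handle<u64>) }).unwrap().inner.read().unwrap();
    unsafe { counter_free(raw) }; // exclusive again: every worker has joined
    assert_eq!(ok_adds, total);
    total
}
```

Running `demo_concurrent(4, 1000)` under Miri or with sanitizers is the practical check that the shared-reference form stays sound; the same loop with a `&mut Handle` derived from the raw pointer would be the aliasing violation the commit removes.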