fix(sidecar-ffi): revert ddog_free_charslice to Box::from_raw (UB)#2031

Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 1 commit into
mainfrom
yannham/revert-free-charslice
May 26, 2026

Conversation

@yannham yannham commented May 22, 2026

What does this PR do?

Fix potential UB.

Reverts ddog_free_charslice from CString::from_raw (introduced in #1698) back to Box::from_raw.

Addresses APMSP-3062.

Motivation

#1698 changed the free function to use CString::from_raw, because the previous code was technically Undefined Behavior: we freed a single pointer instead of freeing a proper slice (wrong layout). In addition, while it turns out CString uses a Box<[u8]> as a backing, it's not guaranteed nor exposed, so we should not rely on this. #1698 wrongly assumed that slices to be freed by ddog_free_charslice were coming from ddog_span_debug_log exclusively. In this case, using CString::from_raw to free is indeed correct.

Unfortunately, dd-trace-php also frees slices obtained from ddog_serialize_trace_into_charslice. On binary MessagePack data this can theoretically cause a buffer over-read and heap corruption.

The original bug hasn't been included in a release yet: #1698 landed after v34.0.0.

Additional Notes

As mentioned, the previous behavior was technically UB. However, this was the behavior before #1698 and hasn't caused observed issues. It turns out the default allocator ignores the layout, as it probably keeps its own separate header data (https://doc.rust-lang.org/src/std/sys/alloc/unix.rs.html#47-49). As mentioned, CString does use Box<[u8]> under the hood. So while bad on paper, this was the status quo before and no actual corruption should be triggered as long as we keep using the main allocator. In the meantime, a proper fix (e.g. separate free functions or unified allocation strategy) should absolutely be made.

How to test the change?

Run cargo test -p datadog-sidecar-ffi.
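The two failure modes the description above and the "Additional Notes" describe, as an added example that is not libdatadog's code: a NUL-scanning owner (CString::from_raw) mis-measures binary MessagePack, and a shared free function is only sound if it rebuilds the owner that produced the pointer. The types and functions here (OwnedCharSlice, Owner, from_cstring, from_bytes, free_slice, nul_scanned_len) and the MessagePack sample are assumptions for this illustration; the real ddog_ CharSlice carries no allocation tag, which is exactly why the PR notes a "separate free functions or unified allocation strategy" follow-up.

```rust
// Added example, not libdatadog's code. Names below are illustrative assumptions.
use std::ffi::{c_char, CString};

/// Constructed sample: MessagePack for the array [0, 1] is
/// 0x92 (fixarray, 2 items), 0x00 (positive fixint 0), 0x01 (positive fixint 1).
/// The 0x00 byte is payload, not a terminator.
pub const MSGPACK_SAMPLE: [u8; 3] = [0x92, 0x00, 0x01];

/// Length a NUL-scanning owner (CString::from_raw runs strlen) would infer.
/// Some(n): it stops at the embedded NUL and under-counts (n < len).
/// None: no NUL inside the buffer, so the scan reads past its end.
pub fn nul_scanned_len(bytes: &[u8]) -> Option<usize> {
    bytes.iter().position(|&b| b == 0)
}

/// Which Rust owner produced the pointer. The free path must reconstruct
/// the same owner, so the deallocation layout matches the allocation.
#[derive(Clone, Copy, Debug)]
pub enum Owner {
    /// CString::into_raw: len+1 bytes, NUL-terminated, no interior NUL.
    CString,
    /// Box<[u8]>::into_raw: exactly len bytes, arbitrary content.
    Bytes,
}

/// An owned FFI slice that remembers how it was allocated (assumed design).
pub struct OwnedCharSlice {
    ptr: *mut c_char,
    len: usize,
    owner: Owner,
}

/// Producer for text, the ddog_span_debug_log style of allocation.
pub fn from_cstring(s: CString) -> OwnedCharSlice {
    let len = s.as_bytes().len();
    OwnedCharSlice { ptr: s.into_raw(), len, owner: Owner::CString }
}

/// Producer for binary data, the serialized-trace style of allocation.
pub fn from_bytes(v: Vec<u8>) -> OwnedCharSlice {
    let boxed: Box<[u8]> = v.into_boxed_slice(); // capacity == len
    let len = boxed.len();
    let ptr = Box::into_raw(boxed) as *mut c_char; // thin pointer; len kept beside it
    OwnedCharSlice { ptr, len, owner: Owner::Bytes }
}

/// Copy of the payload, to check that binary data survives unchanged.
pub fn bytes_of(s: &OwnedCharSlice) -> Vec<u8> {
    if s.ptr.is_null() {
        return Vec::new();
    }
    // SAFETY: ptr and len were set together by one of the producers above.
    unsafe { std::slice::from_raw_parts(s.ptr as *const u8, s.len).to_vec() }
}

/// Free with the owner that allocated. Returns the payload length freed.
pub fn free_slice(s: OwnedCharSlice) -> usize {
    if s.ptr.is_null() {
        return 0;
    }
    match s.owner {
        // SAFETY: ptr came from CString::into_raw in from_cstring, whose
        // producer guaranteed no interior NUL, so the strlen scan is correct.
        Owner::CString => unsafe { drop(CString::from_raw(s.ptr)) },
        // SAFETY: ptr/len came from Box::<[u8]>::into_raw in from_bytes;
        // rebuilding the fat pointer restores the exact allocation layout,
        // and no payload byte is inspected, so embedded NULs are harmless.
        Owner::Bytes => unsafe {
            let fat = std::ptr::slice_from_raw_parts_mut(s.ptr as *mut u8, s.len);
            drop(Box::from_raw(fat));
        },
    }
    s.len
}

fn main() {
    println!("strlen view of {:?}: {:?} (real len {})",
        MSGPACK_SAMPLE, nul_scanned_len(&MSGPACK_SAMPLE), MSGPACK_SAMPLE.len());
    let text = from_cstring(CString::new("span debug log").unwrap());
    let bin = from_bytes(MSGPACK_SAMPLE.to_vec());
    println!("binary payload intact: {:?}", bytes_of(&bin));
    println!("freed {} text bytes, {} binary bytes", free_slice(text), free_slice(bin));
}
```

The point of the tag is that the free side never has to guess: the CString arm is allowed to scan for NUL because its producer promised there is none, and the Bytes arm never looks at the payload at all. Without such a tag (the current ddog_free_charslice), whichever single owner the free function picks is wrong for the other producer.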

@github-actions
Contributor

Clippy Allow Annotation Report

Comparing clippy allow annotations between branches:

  • Base Branch: origin/main
  • PR Branch: origin/yannham/revert-free-charslice

Summary by Rule

Rule Base Branch PR Branch Change

Annotation Counts by File

File Base Branch PR Branch Change

Annotation Stats by Crate

Crate Base Branch PR Branch Change
clippy-annotation-reporter 5 5 No change (0%)
datadog-ffe-ffi 1 1 No change (0%)
datadog-ipc 21 21 No change (0%)
datadog-live-debugger 6 6 No change (0%)
datadog-live-debugger-ffi 10 10 No change (0%)
datadog-profiling-replayer 4 4 No change (0%)
datadog-remote-config 3 3 No change (0%)
datadog-sidecar 57 57 No change (0%)
libdd-common 13 13 No change (0%)
libdd-common-ffi 12 12 No change (0%)
libdd-data-pipeline 5 5 No change (0%)
libdd-ddsketch 2 2 No change (0%)
libdd-dogstatsd-client 1 1 No change (0%)
libdd-profiling 13 13 No change (0%)
libdd-telemetry 20 20 No change (0%)
libdd-tinybytes 4 4 No change (0%)
libdd-trace-normalization 2 2 No change (0%)
libdd-trace-obfuscation 3 3 No change (0%)
libdd-trace-stats 1 1 No change (0%)
libdd-trace-utils 15 15 No change (0%)
Total 198 198 No change (0%)

About This Report

This report tracks Clippy allow annotations for specific rules, showing how they've changed in this PR. Decreasing the number of these annotations generally improves code quality.

@yannham yannham changed the title fix(sidecar-ffi): revert ddog_free_charslice to Box::from_raw fix(sidecar-ffi): revert ddog_free_charslice to Box::from_raw (UB) May 22, 2026
datadog-prod-us1-5 Bot commented May 22, 2026

Tests

🎉 All green!

🧪 All tests passed
❄️ No new flaky tests detected

🎯 Code Coverage (details)
Patch Coverage: 100.00%
Overall Coverage: 72.75% (-0.02%)

🔗 Commit SHA: f19f327 | Docs | Datadog PR Page | Give us feedback!

codecov-commenter commented May 22, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 72.74%. Comparing base (3bf778c) to head (f19f327).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2031      +/-   ##
==========================================
- Coverage   72.76%   72.74%   -0.02%     
==========================================
  Files         458      458              
  Lines       75789    75790       +1     
==========================================
- Hits        55147    55135      -12     
- Misses      20642    20655      +13     
Components Coverage Δ
libdd-crashtracker 65.21% <ø> (-0.02%) ⬇️
libdd-crashtracker-ffi 36.82% <ø> (ø)
libdd-alloc 98.77% <ø> (ø)
libdd-data-pipeline 85.30% <ø> (ø)
libdd-data-pipeline-ffi 70.51% <ø> (ø)
libdd-common 79.81% <ø> (ø)
libdd-common-ffi 74.41% <ø> (ø)
libdd-telemetry 73.34% <ø> (-0.03%) ⬇️
libdd-telemetry-ffi 31.36% <ø> (ø)
libdd-dogstatsd-client 82.64% <ø> (ø)
datadog-ipc 76.22% <ø> (ø)
libdd-profiling 81.70% <ø> (+0.01%) ⬆️
libdd-profiling-ffi 64.79% <ø> (ø)
libdd-sampling 97.46% <ø> (ø)
datadog-sidecar 29.19% <100.00%> (+0.02%) ⬆️
datdog-sidecar-ffi 10.17% <100.00%> (+0.21%) ⬆️
spawn-worker 48.86% <ø> (ø)
libdd-tinybytes 93.16% <ø> (ø)
libdd-trace-normalization 81.71% <ø> (ø)
libdd-trace-obfuscation 87.30% <ø> (ø)
libdd-trace-protobuf 68.25% <ø> (ø)
libdd-trace-utils 88.86% <ø> (-0.11%) ⬇️
libdd-tracer-flare 86.88% <ø> (ø)
libdd-log 74.83% <ø> (ø)

@yannham yannham marked this pull request as ready for review May 22, 2026 13:55
@yannham yannham requested review from a team as code owners May 22, 2026 13:55
@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6c944b2c37

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

unsafe {
let _ = CString::from_raw(ptr as *mut c_char);
let owned_ptr = ptr as *mut c_char;
let _ = Box::from_raw(owned_ptr);
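Review bot: `let _ = Box::from_raw(owned_ptr);` rebuilds a `Box<c_char>`, so the deallocation is done with a one-byte layout no matter which producer handed out the pointer, yet the `unsafe {` block carries no SAFETY comment recording that this is accepted deliberately and only holds with the default system allocator, as the PR description says. Suggest adding a `// SAFETY:` comment stating that assumption and pointing at the planned follow-up (separate free functions per producer, or one allocation strategy), so the next reader does not re-fix it with `CString::from_raw` and reintroduce the NUL scan over `ddog_serialize_trace_into_charslice` output.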
P2: Free CharSlice with the matching allocation type

When callers free a slice returned by ddog_span_debug_log, the pointer was produced by CString::into_raw in this same file, but this line reconstructs a Box<c_char> instead. Box::from_raw must be given a pointer that came from Box::into_raw for the same type/layout; using it for the CString allocation deallocates with a one-byte layout and can corrupt or abort on allocators that validate layout. This also means the shared free function still cannot safely handle both current owned producers without reconstructing the correct owner for each allocation kind.

Contributor Author:

This is true, but done knowingly. Cf. the PR description.

dd-octo-sts Bot commented May 22, 2026

Artifact Size Benchmark Report

aarch64-alpine-linux-musl
Artifact Baseline Commit Change
/aarch64-alpine-linux-musl/lib/libdatadog_profiling.so 7.57 MB 7.57 MB 0% (0 B) 👌
/aarch64-alpine-linux-musl/lib/libdatadog_profiling.a 82.01 MB 82.01 MB 0% (0 B) 👌
aarch64-unknown-linux-gnu
Artifact Baseline Commit Change
/aarch64-unknown-linux-gnu/lib/libdatadog_profiling.so 10.17 MB 10.17 MB 0% (0 B) 👌
/aarch64-unknown-linux-gnu/lib/libdatadog_profiling.a 93.07 MB 93.07 MB 0% (0 B) 👌
libdatadog-x64-windows
Artifact Baseline Commit Change
/libdatadog-x64-windows/debug/dynamic/datadog_profiling_ffi.dll 24.31 MB 24.31 MB 0% (0 B) 👌
/libdatadog-x64-windows/debug/dynamic/datadog_profiling_ffi.lib 81.48 KB 81.48 KB 0% (0 B) 👌
/libdatadog-x64-windows/debug/dynamic/datadog_profiling_ffi.pdb 176.90 MB 176.91 MB +0% (+8.00 KB) 👌
/libdatadog-x64-windows/debug/static/datadog_profiling_ffi.lib 910.53 MB 910.53 MB 0% (0 B) 👌
/libdatadog-x64-windows/release/dynamic/datadog_profiling_ffi.dll 7.91 MB 7.91 MB 0% (0 B) 👌
/libdatadog-x64-windows/release/dynamic/datadog_profiling_ffi.lib 81.48 KB 81.48 KB 0% (0 B) 👌
/libdatadog-x64-windows/release/dynamic/datadog_profiling_ffi.pdb 23.49 MB 23.49 MB 0% (0 B) 👌
/libdatadog-x64-windows/release/static/datadog_profiling_ffi.lib 46.91 MB 46.91 MB 0% (0 B) 👌
libdatadog-x86-windows
Artifact Baseline Commit Change
/libdatadog-x86-windows/debug/dynamic/datadog_profiling_ffi.dll 21.03 MB 21.03 MB 0% (0 B) 👌
/libdatadog-x86-windows/debug/dynamic/datadog_profiling_ffi.lib 82.76 KB 82.76 KB 0% (0 B) 👌
/libdatadog-x86-windows/debug/dynamic/datadog_profiling_ffi.pdb 180.73 MB 180.73 MB 0% (0 B) 👌
/libdatadog-x86-windows/debug/static/datadog_profiling_ffi.lib 903.74 MB 903.74 MB 0% (0 B) 👌
/libdatadog-x86-windows/release/dynamic/datadog_profiling_ffi.dll 6.12 MB 6.12 MB 0% (0 B) 👌
/libdatadog-x86-windows/release/dynamic/datadog_profiling_ffi.lib 82.76 KB 82.76 KB 0% (0 B) 👌
/libdatadog-x86-windows/release/dynamic/datadog_profiling_ffi.pdb 25.19 MB 25.19 MB 0% (0 B) 👌
/libdatadog-x86-windows/release/static/datadog_profiling_ffi.lib 44.60 MB 44.60 MB 0% (0 B) 👌
x86_64-alpine-linux-musl
Artifact Baseline Commit Change
/x86_64-alpine-linux-musl/lib/libdatadog_profiling.a 73.11 MB 73.11 MB 0% (0 B) 👌
/x86_64-alpine-linux-musl/lib/libdatadog_profiling.so 8.45 MB 8.45 MB 0% (0 B) 👌
x86_64-unknown-linux-gnu
Artifact Baseline Commit Change
/x86_64-unknown-linux-gnu/lib/libdatadog_profiling.a 88.51 MB 88.51 MB 0% (0 B) 👌
/x86_64-unknown-linux-gnu/lib/libdatadog_profiling.so 10.27 MB 10.27 MB 0% (0 B) 👌

yannham commented May 22, 2026

/merge

gh-worker-devflow-routing-ef8351 Bot commented May 22, 2026

View all feedbacks in Devflow UI.

2026-05-22 15:15:50 UTC ℹ️ Start processing command /merge


2026-05-22 15:15:55 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in main is approximately 49m (p90).


2026-05-22 15:18:24 UTC ℹ️ MergeQueue: Readding this merge request to the queue because another merge request processed with yours failed. No action is needed from your side.


2026-05-22 15:59:02 UTC MergeQueue: The checks failed on this merge request

Tests failed on this commit 4d693d7:

What to do next?

  • Investigate the failures and when ready, re-add your pull request to the queue!
  • If your PR checks are green, try to rebase/merge. It might be because the CI run is a bit old.
  • Any question, go check the FAQ.

CString::from_raw scans for NUL in MessagePack binary data from
ddog_serialize_trace_into_charslice, causing buffer over-reads and
heap corruption. Revert to the prior Box::from_raw deallocation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot merged commit 8733ac2 into main May 26, 2026
120 checks passed
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot deleted the yannham/revert-free-charslice branch May 26, 2026 10:01
4 participants