10.4 Unsafe and extern preview
User FFI surfaces, extern contracts, and where unsafe actually lives (hint: the Rust host).
Unsafe and extern preview
Preview means read the spec before you ship. User Beskid is not a daily unsafe language; interop is [Extern] contracts, manifests, and profiles.
User-facing: FFI and extern
Section titled “User-facing: FFI and extern”Normative hub: FFI and extern.
- Declare foreign surfaces with
[Extern(...)] contractpatterns aligned to Interop contracts. - Link native libraries through tooling (Foreign library import) and C ABI profiles (C ABI profile).
- Errors cross boundaries as envelopes, not thrown exceptions (Error and unwind semantics).
flowchart LR beskid[Beskid callable] abi[ABI profile rules] native[Native library or runtime export] beskid --> abi --> native
Host-facing: Rust unsafe
Section titled “Host-facing: Rust unsafe”Inside compiler/crates/beskid_runtime, builtins use #[unsafe(no_mangle)] pub extern "C-unwind"—see Builtins and symbols. That is platform maintenance, not a tutorial pattern for app authors.
JIT and dynamic loading (engine)
Section titled “JIT and dynamic loading (engine)”beskid_engine may expose platform-specific dynamic resolution paths marked Proposed in spec—do not assume Standard behavior without reading the profile ADRs (C ABI dynamic resolution).
Practical rule
Section titled “Practical rule”If you typed unsafe because you were angry at the type checker, stop. If you need native code, write a thin extern boundary and test it like an adversary.