fix: case-insensitive .dash + wallet concurrency hardening (UTXO and receive-address races)

packages/rs-platform-wallet-ffi/src/core_wallet/broadcast.rs

@@ -70,17 +70,32 @@ pub unsafe extern "C" fn core_wallet_send_to_addresses(
     check_ptr!(out_tx_bytes);
     check_ptr!(out_tx_len);
 
-    let mut outputs = Vec::with_capacity(count);
-    let addr_ptrs = std::slice::from_raw_parts(addresses, count);
-    let amount_slice = std::slice::from_raw_parts(amounts, count);
+    // `std::slice::from_raw_parts` requires a non-null, properly
+    // aligned pointer even for `len == 0`. Swift's empty
+    // `Array.withUnsafeBufferPointer.baseAddress` returns `nil`, so
+    // the `count == 0` path is allowed to ship null `addresses` /
+    // `amounts` — guard against constructing the slice in that case.
+    let outputs: Vec<(dashcore::Address, u64)> = if count == 0 {
+        Vec::new()
+    } else {
+        let addr_ptrs = std::slice::from_raw_parts(addresses, count);
+        let amount_slice = std::slice::from_raw_parts(amounts, count);
 
-    for i in 0..count {
-        let c_str = unwrap_result_or_return!(std::ffi::CStr::from_ptr(addr_ptrs[i]).to_str());
-
-        let addr = unwrap_result_or_return!(dashcore::Address::from_str(c_str)).assume_checked();
-
-        outputs.push((addr, amount_slice[i]));
-    }
+        let mut outputs = Vec::with_capacity(count);
+        for i in 0..count {
+            if addr_ptrs[i].is_null() {
+                return PlatformWalletFFIResult::err(
+                    PlatformWalletFFIResultCode::ErrorNullPointer,
+                    format!("null address pointer at index {i}"),
+                );
+            }
+            let c_str = unwrap_result_or_return!(std::ffi::CStr::from_ptr(addr_ptrs[i]).to_str());
+            let addr =
+                unwrap_result_or_return!(dashcore::Address::from_str(c_str)).assume_checked();
+            outputs.push((addr, amount_slice[i]));
+        }
+        outputs
+    };
 
     use key_wallet::account::account_type::StandardAccountType;
     let std_account_type = match account_type {
@@ -134,3 +149,93 @@ pub unsafe extern "C" fn core_wallet_free_tx_bytes(bytes: *mut u8, len: usize) {
         let _ = Box::from_raw(std::ptr::slice_from_raw_parts_mut(bytes, len));
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::handle::NULL_HANDLE;
+
+    /// `count == 0` MUST NOT touch `addresses` / `amounts` — Swift's
+    /// empty `Array.withUnsafeBufferPointer.baseAddress` gives `nil`,
+    /// and `slice::from_raw_parts` is UB on a null pointer regardless
+    /// of length. Pass `NULL_HANDLE` so the storage lookup short-
+    /// circuits to `NotFound` before any wallet code runs — we only
+    /// care that input marshalling did not blow up.
+    #[test]
+    fn send_to_addresses_zero_count_null_pointers_is_safe() {
+        // Use a non-null but fake signer pointer; the closure that
+        // would dereference it is never entered because `NULL_HANDLE`
+        // makes `with_item` return `None`.
+        let fake_signer = std::ptr::dangling_mut::<MnemonicResolverHandle>();
+        let mut out_tx: *mut u8 = std::ptr::null_mut();
+        let mut out_len: usize = 0;
+
+        let result = unsafe {
+            core_wallet_send_to_addresses(
+                NULL_HANDLE,
+                0, // BIP44Account
+                0,
+                std::ptr::null(), // null addresses — allowed because count == 0
+                std::ptr::null(), // null amounts — allowed because count == 0
+                0,
+                fake_signer,
+                &mut out_tx,
+                &mut out_len,
+            )
+        };
+        assert_eq!(result.code, PlatformWalletFFIResultCode::NotFound);
+    }
+
+    /// Non-null `addresses` array with `count == 0` is also fine.
+    #[test]
+    fn send_to_addresses_zero_count_nonnull_pointers_is_safe() {
+        let dummy_addr: *const c_char = std::ptr::null();
+        let dummy_amount: u64 = 0;
+        let addrs: [*const c_char; 1] = [dummy_addr];
+        let amts: [u64; 1] = [dummy_amount];
+        let fake_signer = std::ptr::dangling_mut::<MnemonicResolverHandle>();
+        let mut out_tx: *mut u8 = std::ptr::null_mut();
+        let mut out_len: usize = 0;
+
+        let result = unsafe {
+            core_wallet_send_to_addresses(
+                NULL_HANDLE,
+                0,
+                0,
+                addrs.as_ptr(),
+                amts.as_ptr(),
+                0, // count = 0 → array contents ignored
+                fake_signer,
+                &mut out_tx,
+                &mut out_len,
+            )
+        };
+        assert_eq!(result.code, PlatformWalletFFIResultCode::NotFound);
+    }
+
+    /// A null entry inside the address array must surface as
+    /// `ErrorNullPointer`, not UB.
+    #[test]
+    fn send_to_addresses_null_element_is_rejected() {
+        let addrs: [*const c_char; 2] = [std::ptr::null(), std::ptr::null()];
+        let amts: [u64; 2] = [1, 2];
+        let fake_signer = std::ptr::dangling_mut::<MnemonicResolverHandle>();
+        let mut out_tx: *mut u8 = std::ptr::null_mut();
+        let mut out_len: usize = 0;
+
+        let result = unsafe {
+            core_wallet_send_to_addresses(
+                NULL_HANDLE,
+                0,
+                0,
+                addrs.as_ptr(),
+                amts.as_ptr(),
+                2,
+                fake_signer,
+                &mut out_tx,
+                &mut out_len,
+            )
+        };
+        assert_eq!(result.code, PlatformWalletFFIResultCode::ErrorNullPointer);
+    }
+}

packages/rs-platform-wallet-ffi/src/error.rs

@@ -80,16 +80,27 @@ pub enum PlatformWalletFFIResultCode {
     /// no in-tree producer today. Holding the slot here keeps language-mirror
     /// enums (Swift, Kotlin) numerically aligned with the eventual producer.
     ErrorArithmeticOverflow = 13,
-    /// Auto-select had no candidate inputs. Covers all three "can't-select-inputs"
-    /// wallet variants: `NoSpendableInputs` (account has nothing spendable),
-    /// `OnlyOutputAddressesFunded` (every funded address is also a destination),
-    /// and `OnlyDustInputs` (every funded address is below `min_input_amount`).
-    /// The typed Display rendering survives via the result message so callers
-    /// can distinguish the underlying cause. Caller must rotate to a fresh
+    /// Auto-select had no candidate inputs. Umbrella for every
+    /// "can't-pick-UTXOs" wallet variant: `NoSpendableInputs` (account
+    /// has nothing spendable, including the race-loser path),
+    /// `OnlyOutputAddressesFunded` (every funded address is also a
+    /// destination), and `OnlyDustInputs` (every funded address is
+    /// below `min_input_amount`). The typed Display rendering survives
+    /// via the result message so callers can distinguish the underlying
+    /// cause. Caller must wait for sync / new UTXOs, rotate to a fresh
     /// receive address, consolidate sub-min balances, or fall back to
     /// `InputSelection::Explicit`.
     ErrorNoSelectableInputs = 14,
 
+    /// Transaction builder selected an outpoint that another in-flight
+    /// build had already reserved — retryable. The originating
+    /// [`PlatformWalletError::ConcurrentSpendConflict`] carries a
+    /// `Vec<OutPoint>` of the colliding inputs; that payload is
+    /// stringified into the `message` field for now (TODO: propagate
+    /// the structured outpoint list across the FFI when a generic
+    /// payload sidecar exists).
+    ErrorConcurrentSpendConflict = 31,
+
     NotFound = 98, // Used exclusively for all the Option that are retuned as errors
     ErrorUnknown = 99,
 }
@@ -169,17 +180,27 @@ impl<T> From<Option<T>> for PlatformWalletFFIResult {
 
 impl From<PlatformWalletError> for PlatformWalletFFIResult {
     fn from(error: PlatformWalletError) -> Self {
-        // Map the typed wallet error variants explicitly so they
-        // don't flatten to ErrorUnknown at the FFI boundary. The
-        // catch-all ErrorUnknown remains for variants the FFI hasn't
-        // assigned a dedicated code yet — those still carry the
-        // typed Display rendering as the message.
+        // Map the typed wallet error variants explicitly so they don't
+        // flatten to ErrorUnknown at the FFI boundary. The catch-all
+        // ErrorUnknown remains for variants the FFI hasn't assigned a
+        // dedicated code yet — those still carry the typed Display
+        // rendering as the message.
+        //
+        // All three "can't-select-inputs" wallet variants
+        // (`NoSpendableInputs`, `OnlyOutputAddressesFunded`,
+        // `OnlyDustInputs`) collapse onto the umbrella
+        // `ErrorNoSelectableInputs` code; the typed Display rendering
+        // in the message lets callers distinguish the underlying cause
+        // (including the race-loser breadcrumb on `NoSpendableInputs`).
         let code = match &error {
             PlatformWalletError::NoSpendableInputs { .. }
             | PlatformWalletError::OnlyOutputAddressesFunded { .. }
             | PlatformWalletError::OnlyDustInputs { .. } => {
                 PlatformWalletFFIResultCode::ErrorNoSelectableInputs
             }
+            PlatformWalletError::ConcurrentSpendConflict { .. } => {
+                PlatformWalletFFIResultCode::ErrorConcurrentSpendConflict
+            }
             _ => PlatformWalletFFIResultCode::ErrorUnknown,
         };
         PlatformWalletFFIResult::err(code, error.to_string())
@@ -403,14 +424,13 @@ mod tests {
         assert!(!r.message.is_null());
     }
 
-    /// The three "can't-select-inputs" wallet variants (`NoSpendableInputs`,
-    /// `OnlyOutputAddressesFunded`, `OnlyDustInputs`) all map to the dedicated
-    /// `ErrorNoSelectableInputs` FFI code rather than flattening to
-    /// `ErrorUnknown`, and the typed Display rendering survives across the
-    /// boundary so callers can distinguish the underlying cause from the
-    /// message string.
+    /// All three "can't-select-inputs" wallet variants collapse onto the
+    /// umbrella `ErrorNoSelectableInputs` (14) FFI code, and the typed
+    /// Display rendering survives across the boundary so callers can
+    /// distinguish the underlying cause (including the race-loser
+    /// breadcrumb on `NoSpendableInputs`) from the message string.
     #[test]
-    fn no_selectable_inputs_maps_to_dedicated_code() {
+    fn no_selectable_inputs_maps_to_umbrella_code() {
         use dpp::address_funds::PlatformAddress;
         use key_wallet::account::StandardAccountType;
 
@@ -437,7 +457,7 @@ mod tests {
             assert_eq!(
                 result.code,
                 PlatformWalletFFIResultCode::ErrorNoSelectableInputs,
-                "variant should map to ErrorNoSelectableInputs (rendered: {rendered})"
+                "variant must collapse onto the umbrella code (rendered: {rendered})"
             );
             assert!(!result.message.is_null());
             let msg = unsafe { std::ffi::CStr::from_ptr(result.message) }
@@ -450,6 +470,28 @@ mod tests {
         }
     }
 
+    /// `ConcurrentSpendConflict` keeps its dedicated FFI code (31) —
+    /// race-loser breadcrumb on the typed `NoSpendableInputs` Display
+    /// is not the same thing as the builder picking an already-reserved
+    /// outpoint, and downstream callers (retry logic) must be able to
+    /// tell them apart by code.
+    #[test]
+    fn concurrent_spend_conflict_keeps_dedicated_code() {
+        let err = PlatformWalletError::ConcurrentSpendConflict {
+            selected: Vec::new(),
+        };
+        let rendered = err.to_string();
+        let result: PlatformWalletFFIResult = err.into();
+        assert_eq!(
+            result.code,
+            PlatformWalletFFIResultCode::ErrorConcurrentSpendConflict,
+        );
+        let msg = unsafe { std::ffi::CStr::from_ptr(result.message) }
+            .to_string_lossy()
+            .into_owned();
+        assert_eq!(msg, rendered);
+    }
+
     /// Other wallet-error variants without a dedicated FFI arm still
     /// fall through to `ErrorUnknown` while carrying the typed
     /// Display rendering as the message. Pin this so the catch-all

packages/rs-platform-wallet/src/error.rs

@@ -1,3 +1,4 @@
+use dashcore::OutPoint;
 use dpp::address_funds::PlatformAddress;
 use dpp::fee::Credits;
 use dpp::identifier::Identifier;
@@ -63,6 +64,12 @@ pub enum PlatformWalletError {
     #[error("Transaction building failed: {0}")]
     TransactionBuild(String),
 
+    #[error(
+        "Transaction builder selected an unavailable UTXO (concurrent spend); retry. \
+         Selected outpoints: {selected:?}"
+    )]
+    ConcurrentSpendConflict { selected: Vec<OutPoint> },
+
     #[error("no spendable inputs available on {account_type} account {account_index}: {context}")]
     NoSpendableInputs {
         account_type: StandardAccountType,