← 返回
未分类 中文

Serde Code Review

Reviews serde serialization code for derive patterns, enum representations, custom implementations, and common serialization bugs. Use when reviewing Rust co...
审查 serde 序列化代码,涵盖派生模式、枚举表示、自定义实现以及常见序列化错误。用于 Rust 代码审查。
anderskev anderskev 来源
未分类 clawhub v1.0.3 2 版本 100000 Key: 无需
★ 0
Stars
📥 534
下载
💾 2
安装
2
版本
#latest

概述

Serde Code Review

Review Workflow

  1. Check Cargo.toml — Note serde features (derive, rc), format crates (serde_json, toml, bincode, etc.), and Rust edition (2024 has breaking changes affecting serde code)
  2. Check derive usage — Verify Serialize and Deserialize are derived appropriately
  3. Check enum representations — Enum tagging affects wire format compatibility and readability
  4. Check field attributes — Renaming, defaults, skipping affect API contracts
  5. Check edition 2024 compatibility — Reserved gen keyword, RPIT lifetime capture changes, never_type_fallback
  6. Verify round-trip correctness — Serialized data must deserialize back to the same value

Gates (before reporting findings)

Run in order. Do not write a finding until the step that applies has passed.

  1. Serde context on diskPass when: You have read the relevant Cargo.toml (crate or workspace root) and can state Rust edition, serde / serde_derive features if non-default (derive, rc), and which format crates apply (serde_json, toml, bincode, etc.) for the code under review. Then apply edition-specific checklist items (e.g. gen, RPIT/never_type_fallback) only when that file supports them.
  1. Per-finding evidencePass when: Each issue cites [FILE:LINE] from the current tree for the struct/enum, Serialize/Deserialize impl, or attribute block in question (not from memory, docs-only, or another branch).
  1. Category check vs protocolPass when: For the finding type (derive attrs, enum tagging, flatten, custom impl, sqlx + serde alignment), you ran the matching checks from the review-verification-protocol skill (e.g. full type definition + serde attrs before “wrong representation”; confirmed edition in Cargo.toml before edition-2024-only findings). Then add the finding.
  1. Output shapePass when: The report lines match Output Format below (severity + description).

Output Format

Report findings as:

[FILE:LINE] ISSUE_TITLE
Severity: Critical | Major | Minor | Informational
Description of the issue and why it matters.

Quick Reference

Issue TypeReference
-----------------------
Derive patterns, attribute macros, field configurationreferences/derive-patterns.md
Custom Serialize/Deserialize, format-specific issuesreferences/custom-serialization.md

Review Checklist

Derive Usage

  • [ ] #[derive(Serialize, Deserialize)] on types that cross serialization boundaries
  • [ ] #[derive(Debug)] alongside serde derives (debugging serialization issues)
  • [ ] Feature-gated derives when serde is optional: #[cfg_attr(feature = "serde", derive(Serialize, Deserialize))]
  • [ ] Prefer #[expect(unused)] over #[allow(unused)] for serde-only fields (self-cleaning lint suppression, stable since 1.81)

Enum Representation

  • [ ] Enum tagging is explicit (not relying on serde's default externally-tagged format when another is intended)
  • [ ] Tag names are stable and won't collide with field names
  • [ ] #[serde(rename_all = "...")] used consistently across the API

Field Configuration

  • [ ] #[serde(skip_serializing_if = "Option::is_none")] for optional fields (clean JSON output)
  • [ ] #[serde(default)] for fields that should have fallback values during deserialization
  • [ ] #[serde(rename = "...")] when Rust field names differ from wire format
  • [ ] #[serde(flatten)] used judiciously (can cause key collisions)
  • [ ] No #[serde(deny_unknown_fields)] on types that need forward compatibility
  • [ ] No fields or variants named gen — reserved keyword in edition 2024 (use r#gen or rename)

Database Integration (sqlx)

  • [ ] #[derive(sqlx::Type)] enums use consistent representation with serde
  • [ ] Enum variant casing matches between serde (rename_all) and sqlx (rename_all)

Edition 2024 Compatibility

  • [ ] No fields or enum variants named gen (reserved keyword — use r#gen with #[serde(rename = "gen")] or choose a different name)
  • [ ] Custom Serialize/Deserialize impls returning impl Trait account for RPIT lifetime capture changes (all in-scope lifetimes captured by default; use + use<'a> for precise control)
  • [ ] Deserialization error paths handle never_type_fallback! falls back to ! instead of (), which affects match exhaustiveness on Result patterns

Correctness

  • [ ] Round-trip tests exist for complex types (serialize → deserialize → assert_eq)
  • [ ] PartialEq derived for types with round-trip tests
  • [ ] No lossy conversions (e.g., f64i64 in JSON numbers)
  • [ ] Decimal used for money/precision-sensitive values, not f64

Severity Calibration

Critical

  • Enum representation mismatch between serializer and deserializer (data loss)
  • Missing #[serde(rename)] causing API-breaking field name changes
  • #[serde(flatten)] causing silent key collisions
  • Lossy numeric conversions (f64 precision loss for monetary values)

Major

  • Inconsistent rename_all across related types (confusing API)
  • Missing skip_serializing_if causing null/empty noise in output
  • deny_unknown_fields on types consumed by evolving APIs (breaks forward compatibility)
  • Missing round-trip tests for complex enum representations
  • Field or variant named gen without r#gen escape (edition 2024 compile failure)

Minor

  • Unnecessary #[serde(default)] on required fields
  • Using string representation for enums when numeric would be more efficient
  • Verbose custom implementations where derive + attributes suffice
  • Using #[allow(unused)] instead of #[expect(unused)] for serde-only fields (prefer self-cleaning lint suppression)

Informational

  • Suggestions to switch enum representation for cleaner wire format
  • Suggestions to add #[non_exhaustive] alongside serde for forward compatibility

Valid Patterns (Do NOT Flag)

  • Externally tagged enums — serde's default, valid for many use cases
  • #[serde(untagged)] enums — Valid when discriminated by structure, not by tag
  • serde_json::Value for dynamic data — Appropriate for truly schema-less fields
  • #[serde(skip)] on computed fields — Correct for derived/cached values
  • #[serde(with = "...")] for custom formats — Standard for dates, UUIDs, etc.
  • r#gen with #[serde(rename = "gen")] — Correct edition 2024 workaround for gen fields in wire formats
  • + use<'a> on custom serializer return types — Precise RPIT lifetime capture (edition 2024)

Before Submitting Findings

Complete Gates (before reporting findings) above; gate 3 incorporates the review-verification-protocol skill for serde-related issue types.

版本历史

共 2 个版本

  • v1.0.3 当前
    2026-06-01 20:53
  • v1.0.2
    2026-05-03 06:51 安全 安全

安全检测

腾讯云安全 (Keen)

队列中

腾讯云安全 (Sanbu)

队列中

🔗 相关推荐

dev-programming

Github

steipete
使用 `gh` CLI 与 GitHub 交互,通过 `gh issue`、`gh pr`、`gh run` 和 `gh api` 管理议题、PR、CI 运行及高级查询。
★ 683 📥 330,680
education

Tutorial Docs

anderskev
教程模式——面向学习的指南,通过引导式实践教学。用于编写教程、学习指南、入门指南等。
★ 0 📥 707
dev-programming

CodeConductor.ai

larsonreever
AI驱动平台,提供快速全栈开发、智能体、工作流自动化及低代码AI集成的可扩展产品创建。
★ 79 📥 182,873