Fix some unsound unsafe code in arrow and attempt to improve safety docs.

[veluca93]

This is a first step towards fixing #6020.

[alamb]

Thanks @veluca93 -- I looked at some of these changes -- some places definitely look like there could problems, though I am not quite sure

I wonder if you would be willing to break this PR into smaller independent PRs for review

for example,

1. the changes to parquet might go in one PR
2. Changes for list/map arrays in another
3. changes for dictionary array in another

This would both be easier to review and let us merge the parts that get consensus while we work through the others

cc @XiangpengHao and @tustvold @jhorstmann for your comments

[alamb]

Is this any more sound? it seems to me this is simply does the same check via using slice

BTW I think you can write this kind of code more concisely like

Suggested change

	let len_bytes = buf.get(self.offset..self.offset + 4);
	let len = match len_bytes {
	None => {
	return Err(ParquetError::EOF("eof decoding byte array".into()));
	}
	Some(l) => u32::from_le_bytes(l.try_into().unwrap()),
	let Some(len_bytes) = buf.get(self.offset..self.offset + 4) else {
	return Err(ParquetError::EOF("eof decoding byte array".into()));
	};
	let len = u32::from_le_bytes(len_bytes.try_into().unwrap()),

[veluca93]

Yes, I was trying to avoid the version with let .. else because I was not sure on the MSRV policies of arrow-rs :-)

As for being more sound: the original version is unsound if self.offset + 4 overflows (because it ends up calling .get_unchecked with an empty range, which is UB). In general, the new version achieves the same result without unsafe, which is IMO always a good idea (unless there are big performance issues).

[jhorstmann]

I think allocation sizes in rust are limited to isize::MAX, so offset+4 should never overflow.

Personally, I find the previous version with the simple if a bit easier to read. The unsafe can probably be removed since the compiler should be able to remove the bounds checks on its own:

let len = u32::from_le_bytes(buf[offset..offset+4].try_into().unwrap())

[veluca93]

This code is also fine IMO - I just wanted to remove the unsafe, I attempted to do so without introducing new potential branches but if we believe the compiler to remove them (or they are not perf-critical) then this is indeed the clearest option.

[alamb]

since offset is always increasing (it is formed by start offset + a usize how could it ever be smaller than start offset?

[veluca93]

It normally cannot, except in case of overflows :-)

[jhorstmann]

should we then rather use checked_add in the previous line and handle and return an error on overflow? Or use wrapping_add and keep this check, so it is clearer to the reader that overflow is being considered.

[veluca93]

Probably checked_add is the best choice (as it is more explicit). Commenting that self.offset is always at most isize::MAX, hence there is no overflow, would also be fine IMO.

[alamb]

validate_utf8 is false only for ByteViewArray (that can have arbitrary bytes) -- for StringViewArray. validate_utf8 is always true

[alamb]

BTW here are some more obsessive tests showing this is correct; #6023

[veluca93]

If I understand correctly, this is up to the caller to ensure - i.e. the caller must ensure (i.e. when calling new) that validate_utf8 is true if the data does not come from a StringViewArray. If that is correct, then this leads to potential UB if the caller does not uphold this contract, which means that new should be an unsafe function and this property should ideally be documented as a safety invariant for the struct.
But I may have misunderstood something :-)

[alamb]

can you provide an example where this leads to unsound behavior?

[veluca93]

Safe code could implement, for example, FromBytes on Box. Then constructing a BitReader from a buffer of 0 Bytes, and calling get_batch on a slice of Box would end up creating a Box containing a null pointer, which is UB.

The issue here is that this code assumes (AFAIU) that all bit patterns are valid for T: FromBytes, and this is true for the implementations of FromBytes here - but safe code could easily make it not true anymore. Thus, probably the best solution is to make FromBytes an unsafe trait.

[XiangpengHao]

ptr is derived from &mut [T], so it is properly aligned and sized. Can you give an example to show that this is unsound?

[veluca93]

Yep, this is indeed OK - see my previous comment for the issue here, which is not with constructing the slice but with writing to it.

[veluca93]

Thanks @veluca93 -- I looked at some of these changes -- some places definitely look like there could problems, though I am not quite sure

I wonder if you would be willing to break this PR into smaller independent PRs for review

for example,

1. the changes to parquet might go in one PR
2. Changes for list/map arrays in another
3. changes for dictionary array in another

This would both be easier to review and let us merge the parts that get consensus while we work through the others

cc @XiangpengHao and @tustvold @jhorstmann for your comments

Happy to split the PR up!

[veluca93]

I split up the PR into #6024 and #6025, also removing a bunch of involuntary formatting changes. I see that in the meantime there have been a few changes to view_buffer and byte_view_array - perhaps I should leave those changes for later, once the implementation settles down?

[alamb]

Thank you @veluca93 -- I hope to find time tomorrow to review the new PRs