Validate arguments to ArrayData::new and null bit buffer and buffers

[alamb]

Which issue does this PR close?

Part of #817

Rationale for this change

This is a step towards improving the security posture of arrow-rs and resolving RUSTSEC vulnerabilities by validating arguments to ArrayData::try_new(). This particular PR adds basic size and offset sanity checking.

I apologize for the massive PR, but the checks and tests are fairly repetitive.

See discussion on #817 for more details

What changes are included in this PR?

1. Add basic offset argument validation to ArrayData::try_new() based on the checks in the C++ implementation, kindly pointed out (and contributed) by @pitrou

Planned for follow on PRs:

• Add validate_full: that will also check the values of any offsets buffers: Add full data validation for ArrayData::try_new() #921
• Clean up UnionArray implementation / validate it properly (Implement Union validity bitmap changes from ARROW-9222 #85)

Are there any user-facing changes?

1. ArrayData::try_new() may return an Err now on some (invalid) inputs rather than succeeding

[alamb]

This is the core validation check.

[alamb]

These tests need to be updated because they were creating invalid Buffers (this one for example had an len of 5 and offset of 2 but only passed in an array 5 long)

[alamb]

@jorgecarleitao / @nevi-me / @jhorstmann do you have any concerns with this approach before I spent more time filling in the details for nested / compound structures (List, Dictionary, etc)?

For some of the structures, the actual data will likely need to be inspected (to ensure, for example, that the values in the offsets buffer of utf8 arrays are valid).

I am not sure about the performance impact of doing these validations -- if it turns out to be too great, I can imagine having a "trusted" version of ArrayData::new() (only callable within the arrow crate) or feature flagging the validation so it can be disabled for those users who chose to do so

[codecov-commenter]

Codecov Report

Merging #810 (92041b0) into master (62934e9) will increase coverage by 0.01%.
The diff coverage is 85.51%.

@@            Coverage Diff             @@
##           master     #810      +/-   ##
==========================================
+ Coverage   82.29%   82.31%   +0.01%     
==========================================
  Files         168      168              
  Lines       48028    48409     +381     
==========================================
+ Hits        39527    39847     +320     
- Misses       8501     8562      +61     

Impacted Files	Coverage Δ
arrow/src/compute/kernels/cast.rs	94.81% <ø> (ø)
arrow/src/datatypes/datatype.rs	65.95% <75.00%> (+1.02%)	⬆️
arrow/src/array/data.rs	79.01% <84.11%> (+4.08%)	⬆️
arrow/src/array/array_binary.rs	93.13% <100.00%> (+0.06%)	⬆️
arrow/src/array/array_boolean.rs	94.53% <100.00%> (ø)
arrow/src/array/array_list.rs	95.52% <100.00%> (ø)
arrow/src/array/array_map.rs	81.50% <100.00%> (ø)
arrow/src/array/array_primitive.rs	94.09% <100.00%> (+0.03%)	⬆️
arrow/src/array/array_union.rs	90.97% <100.00%> (+0.04%)	⬆️
arrow/src/compute/util.rs	98.90% <100.00%> (+<0.01%)	⬆️
... and 4 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 62934e9...92041b0. Read the comment docs.

[alamb]

@pitrou suggests looking at https://github.com/apache/arrow/blob/master/cpp/src/arrow/array/validate.h
and https://github.com/apache/arrow/blob/master/cpp/src/arrow/array/validate.cc as they implement similar logic on the C++ side

[jhorstmann]

The C++ validation looks extensive and includes offsets and dictionary keys, so basing the logic on that makes sense.

These offsets and dictionary keys are actually my main performance concern, I think we want at least an ArrayData::new_unchecked for usage in Array::slice and ArrayData::slice. If the original offsets or keys were valid, then the slice can be assumed to also be valid. I'd also like this unsafe method to be public for anyone wanting to implement kernels outside of arrow.

[alamb]

Sounds good @jhorstmann -- the C++ version includes two validation methods: one that basically checks buffer sizes and one that checks the offsets, etc I will attempt to mirror the same.

Will ping you when I have this PR ready for review

[alamb]

This PR is not ready for review yet, but when it is I will change it to not a draft

[alamb]

Update: I have all the existing tests now passing

Still TODO:

• Write additional tests for the validation routines
• Update union type validation / sort it out (looks like arrow-rs implementation is old, and not up to current arrow spec -- see Implement Union validity bitmap changes from ARROW-9222 #85 and Add Dense/Sparse annotation to DataType::Union #814)

[alamb]

the array data in this case is only 4 elements long, so using an offset of 1 with len 4 is incorrect (goes off the end of the array data). The same with the test below

[alamb]

build() now fails the earlier validation check -- so to keep the test checking the internal BooleanArray checks need to use unsafe

Note that it might be best to eventually remove all Array specific checks (which I think will be redundant) in favor of consolidated checks in ArrayData.rs but I don't want to consider doing that until I have the validation checks completed

[alamb]

This is a similar invalid test that the new checks identified -- value_data has only three items in it, so doing offset = 1 and len = 3 can potentially read off the end. This change corrects the len to be within bounds.

There is a very similar (and thus fixed) test in array_list.rs and one in array_map.rs

[alamb]

this test is checking the ListArray specific error, but since the new ArrayData validation checks now catch the problem we need to switch to using build_unchecked() to exercise the same code path

[alamb]

The "safe" way here would be to fail validation always for Union to signal to the user that the validation checks are not correct.

I think a better story would be to fix #85 and #814 . I am torn on what to do in this case

[alamb]

I finally settled on leaving UnionArray unvalidated for this PR so that I can backport it to the 6.x release line (it is backwards compatible) and in a PR that is backward incompatible I will fixup the UnionArray implementation (and validation)

[alamb]

As part of #85 I will clean up the union array validation

[alamb]

@jhorstmann, @paddyhoran @nevi-me or @jorgecarleitao might I trouble one of you for a review of this PR? I know it is large, but I think it is important and fairly mechanical in terms of validating the creation of ArrayData

[alamb]

FYI the MIRI failure is likely the same as #879 -- I'll plan to look at that shortly if no one else gets to it

[jhorstmann]

I'm wondering what could happen if the null_count actually gives a different number than the validity buffer and whether this could lead to undefined behavior in some later operation. Most callers pass None anyway, so we calculate a number which is guaranteed to be in range. I would suggest to remove the null_count parameter from try_new to completely avoid of inconsistencies.

Kernels that want to avoid the overhead of counting bits could use the unsafe new_unchecked method. I see it is currently set by the cast_array_data function. To make that one safe while avoiding bit counting, we could just validate that the from and to layouts are equal.

[alamb]

I'm wondering what could happen if the null_count actually gives a different number than the validity buffer and whether this could lead to undefined behavior in some later operation. Most callers pass None anyway, so we calculate a number which is guaranteed to be in range.

I suspect (but can not prove) that if null_count is inconsistent with the validity buffer then there may be incorrect answers but not undefined behavior (in the Rust sense).

My plan will be:

1. In a separate PR (as it will not be backwards compatible) remove the null_count from try_new(): Remove null_count from ArrayData::try_new() #911
2. in the PR where I add the full on data checking (validate_full()) ensure that the declared null count matches the validity bitmap

[jhorstmann]

This seems to be only used for validating dictionary key types, maybe rename to is_dictionary_key_type and link the ArrowDictionaryKeyType trait in the comment.

[alamb]

Done in 8acd8d2

[jhorstmann]

I think this looks good. Might be worthwhile to convert some of the current new_unchecked usages to try_new to increase coverage.

[alamb]

I think this looks good. Might be worthwhile to convert some of the current new_unchecked usages to try_new to increase coverage.

At the moment, almost all of the tests in arrow use ArrayData::try_new(...).unwrap() so there is pretty good coverage of this code already (I found several bugs this way :) )

The remaining uses of new_unchecked() are either in compute kernels where performance seems to be critical or in tests which are explicitly checking array construction validation.

What I plan as part of implementing validate_full() is to remove all array specific type checks and the tests to use ArrayData::try_new()

[alamb]

Thanks @jhorstmann for the review. I think this PR is now ready to go and will plan to merge it early next week unless anyone objects or would like more time to review.