Prevent Rows row index overflow

[alamb]

Which issue does this PR close?

• None.

Rationale for this change

Rows used unchecked usize arithmetic when validating a requested row index. In optimized builds, very large indexes could wrap the bounds check before reaching the unchecked row access path.

What changes are included in this PR?

This adds checked arithmetic for row index validation and reuses it for both Rows::row and Rows::row_len.

Are these changes tested?

Yes. This adds regression coverage for overflowing row indexes.

Are there any user-facing changes?

Invalid row indexes that overflow during bounds validation now panic consistently. There are no API changes.

[alamb]

Thanks @Dandandan

[scovich]

This PR just replaces an existing assert! panic with a new explicit panic that cannot be optimized away?

[alamb]

In rust assert! is not optimized away in release builds (only debug_assert! is)

The change here also also checks for overflow when doing row + 1 (using checked_add). Without that, if you pass in usize::MAX it will wrap around to 0, which I think will pass the assert and not trigger the panic

I do think trying to access memory at offset uisze::MAX will then most likely then cause a SIGSEGV, but it seemed better to check the corner case anyway

[scovich]

I do think trying to access memory at offset uisze::MAX will then most likely then cause a SIGSEGV, but it seemed better to check the corner case anyway

Yeah, Vec specifically documents a panic if you try to grow it beyond isize::MAX entries. Not sure if the same applies to slices ion general or if that's a vec-specific thing?

[scovich]

Ah, it does seem to be a general limitation:
https://doc.rust-lang.org/std/primitive.pointer.html#method.offset

Allocations can never be larger than isize::MAX bytes