Replace ArrayData::new() with ArrayData::try_new() and unsafe ArrayData::new_unchecked
#822
Conversation
| /// contents of the buffers (e.g. that string offsets for UTF8 arrays | ||
| /// are within the length of the buffer). | ||
| pub fn validate(&self) -> Result<()> { | ||
| // will be filled in a subsequent PR |
There was a problem hiding this comment.
#810 has an initial set of checks
| @@ -264,6 +278,53 @@ impl ArrayData { | |||
| } | |||
| } | |||
|
|
|||
| /// Create a new ArrayData, validating that the provided buffers | |||
There was a problem hiding this comment.
The API changes in data.rs are the core changes in this PR -- everything else is a mechanical changes to use the new APIs.
Codecov Report
@@ Coverage Diff @@
## master #822 +/- ##
==========================================
+ Coverage 82.54% 82.56% +0.02%
==========================================
Files 168 168
Lines 47910 47988 +78
==========================================
+ Hits 39545 39622 +77
- Misses 8365 8366 +1
Continue to review full report at Codecov.
|
arrow/benches/array_from_vec.rs
Outdated
| let arr_data = ArrayDataBuilder::new(DataType::Int32) | ||
| .add_buffer(Buffer::from(v)) | ||
| .build(); | ||
| let arr_data = unsafe { |
There was a problem hiding this comment.
We should add a safety note here?
There was a problem hiding this comment.
It might be helpful to note that this is (very old) benchmark crate seemingly last modified by @andygrove and @sunchao https://github.com/apache/arrow-rs/blame/master/arrow/benches/array_from_vec.rs#L29-L38
To be honest it does not look safe to me. I will try and rewrite it
It is a good idea @Dandandan -- I will attempt to do so. To be honest I am not sure why all the references are legitimate uses of I don't think this PR has made the code any more or less safe / unsafe than it was before. However, it is now clearer where assumptions are made (they are all annotated with |
There was a problem hiding this comment.
Changes look good to me as well and I agree with @Dandandan that we should add safety notes.
@Dandandan and @houqp -- First I want to emphasize that this PR does not change the safety of the arrow-rs implementation -- the code is as safe/unsafe before this PR as it is after this PR. I agree that all However, I propose not requiring such annotations for this PR because:
Thus, I propose a multi-pronged approach:
I will admit that part of my reason for not wanting to try and annotate all uses of |
|
I agree with you @alamb 👍 |
|
Tried adding some safety notes, I have to agree that the task is quite intense :D I also suggest we focus on filling gaps in arrow2 instead of retrofitting arrow-rs, it's a huge undertaking that @jorgecarleitao has already tried and decided that the effort is not worth it. |
There was a problem hiding this comment.
@Dandandan -- are you OK with merging this PR given the rationale listed in #822 (comment) (you have marked the PR as changes requested)
@jhorstmann are you OK with this PR?
I would like to merge this in and then create an arrow 6.0.0 release candidate (and hopefully unblock the next downstream release of DataFusion)
I plan to make ArrayData::try_new() safer with additional validation (released as part of 6.1.0)
|
I agree with your points. The PR already improves on the current state ( |
Hehe 😃 I was just looking at it. Yeah merging as is would be great. |
|
Given the feedback I plan to rebase this and merge it in |
alamb
force-pushed
the
alamb/arraydata_unsafe
branch
from
d54bd7d
to
f85fff6
Compare
|
Thanks @alamb! I was away from a computer for a few days, this looks good! |
Which issue does this PR close?
Part of #817
Rationale for this change
This PR is a step towards making arrow-rs Rust
safeand resolving open RUSTSEC issues.ArrayData::new()is fundamentallyunsafe(in the Rust sense) as it relies on the user to pass in valid data or else allows undefined behavior. The API is easy to misuse and should be marked asunsafeto reflect this. See Validate arguments to ArrayData::try_new() #817 for more background.Builds on @jhorstmann 's work in #813
What changes are included in this PR?
ArrayData::new()unsafe ArrayData::new_unchecked()andArrayData::try_new()ArrayDataBuilder::build()fallibleunsafe ArrayDataBuilder::build_unchecked()Note:
** Splitting the changes into several PRs I think will help with reviews
** I would like to ensure the API changes are included it arrow-rs 6.0 (planning to make a release candidate in the next week or so). We can then add additional validation in 6.1, 6.2, etc as they will be non breaking API changes.
Are there any user-facing changes?
Yes -- the APIs for creating ArrayData are different. This should not affect any users who create Arrays directly, only those using the lower level APIs.