[GitHub] [arrow-rs] alamb commented on a diff in pull request #1866: Mark typed buffer APIs safe (#996) (#1027)

Mon, 13 Jun 2022 13:22:50 -0700 


alamb commented on code in PR #1866:
URL: https://github.com/apache/arrow-rs/pull/1866#discussion_r896100716


##########
arrow/src/buffer/immutable.rs:
##########
@@ -181,19 +181,14 @@ impl Buffer {
 
     /// View buffer as typed slice.
     ///
-    /// # Safety
+    /// # Panics
     ///
-    /// `ArrowNativeType` is public so that it can be used as a trait bound 
for other public
-    /// components, such as the `ToByteSlice` trait.  However, this means that 
it can be
-    /// implemented by user defined types, which it is not intended for.
-    pub unsafe fn typed_data<T: ArrowNativeType + num::Num>(&self) -> &[T] {
-        // JUSTIFICATION
-        //  Benefit
-        //      Many of the buffers represent specific types, and consumers of 
`Buffer` often need to re-interpret them.
-        //  Soundness
-        //      * The pointer is non-null by construction
-        //      * alignment asserted below.
-        let (prefix, offsets, suffix) = self.as_slice().align_to::<T>();
+    /// This function panics if the underlying buffer is not aligned
+    /// correctly for type `T`.
+    pub fn typed_data<T: ArrowNativeType>(&self) -> &[T] {
+        // SAFETY
+        // ArrowNativeType are trivially transmutable, and this method checks 
alignment

Review Comment:
   ```suggestion
           // ArrowNativeType is sealed (can't be implemented outside the arrow 
crate,
           // trivially transmutable, and this method checks alignment
   ```



##########
arrow/src/buffer/immutable.rs:
##########
@@ -181,19 +181,14 @@ impl Buffer {
 
     /// View buffer as typed slice.
     ///
-    /// # Safety
+    /// # Panics
     ///
-    /// `ArrowNativeType` is public so that it can be used as a trait bound 
for other public
-    /// components, such as the `ToByteSlice` trait.  However, this means that 
it can be
-    /// implemented by user defined types, which it is not intended for.
-    pub unsafe fn typed_data<T: ArrowNativeType + num::Num>(&self) -> &[T] {
-        // JUSTIFICATION
-        //  Benefit
-        //      Many of the buffers represent specific types, and consumers of 
`Buffer` often need to re-interpret them.
-        //  Soundness
-        //      * The pointer is non-null by construction
-        //      * alignment asserted below.
-        let (prefix, offsets, suffix) = self.as_slice().align_to::<T>();
+    /// This function panics if the underlying buffer is not aligned
+    /// correctly for type `T`.
+    pub fn typed_data<T: ArrowNativeType>(&self) -> &[T] {

Review Comment:
   I wonder if this is truly "safe" -- is it really true that any bit pattern 
is a valid `ArrowNativeType`? I am thinking about floating point 
representations in particular -- I wonder if this API could potentially create 
invalid `f32` / `f64` which seems like it would thus still be `unsafe` 🤔 



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to