Re: [PR] `unsafe` improvements [arrow-rs]

Mon, 14 Oct 2024 08:51:24 -0700 


Manishearth commented on code in PR #6551:
URL: https://github.com/apache/arrow-rs/pull/6551#discussion_r1799749413


##########
arrow-buffer/src/util/bit_mask.rs:
##########
@@ -127,16 +127,16 @@ unsafe fn set_upto_64bits(
 }
 
 /// # Safety
-/// The caller must ensure all arguments are within the valid range.
+/// The caller must ensure `data` has `offset..(offset + 8)` range
 #[inline]
 unsafe fn read_bytes_to_u64(data: &[u8], offset: usize, count: usize) -> u64 {
     debug_assert!(count <= 8);
-    let mut tmp = std::mem::MaybeUninit::<u64>::new(0);
+    let mut tmp : u64 = 0;
     let src = data.as_ptr().add(offset);
     unsafe {
-        std::ptr::copy_nonoverlapping(src, tmp.as_mut_ptr() as *mut u8, count);
-        tmp.assume_init()
+        std::ptr::copy_nonoverlapping(src, &mut tmp as *mut _ as *mut u8, 
count);

Review Comment:
   Yes, either the debug assertion should be a real assertion or we should 
clamp.



##########
arrow-buffer/src/util/bit_mask.rs:
##########
@@ -127,16 +127,16 @@ unsafe fn set_upto_64bits(
 }
 
 /// # Safety
-/// The caller must ensure all arguments are within the valid range.
+/// The caller must ensure `data` has `offset..(offset + 8)` range
 #[inline]
 unsafe fn read_bytes_to_u64(data: &[u8], offset: usize, count: usize) -> u64 {
     debug_assert!(count <= 8);
-    let mut tmp = std::mem::MaybeUninit::<u64>::new(0);
+    let mut tmp : u64 = 0;
     let src = data.as_ptr().add(offset);
     unsafe {
-        std::ptr::copy_nonoverlapping(src, tmp.as_mut_ptr() as *mut u8, count);
-        tmp.assume_init()
+        std::ptr::copy_nonoverlapping(src, &mut tmp as *mut _ as *mut u8, 
count);

Review Comment:
   _or_ the function should be documented with clearer invariants. It is an 
unsafe function after all, it's allowed to assume these things, but "all 
arguments are within range" is two separate checks: that count is not more than 
8, and that offset/count is in range. The next commit adds the latter, not the 
former.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to