Mark BufferBuilder::new_from_buffer as unsafe#9292
Merged
alamb merged 1 commit intoapache:mainfrom Jan 29, 2026
Merged
Conversation
github-actions
bot
added
arrow
Jefffrey
commented
Jan 28, 2026
Comment on lines
+98
to
+101
| /// # Safety | ||
| /// | ||
| /// - `buffer` bytes must be aligned to type `T` | ||
| pub unsafe fn new_from_buffer(buffer: MutableBuffer) -> Self { |
Comment on lines
-234
to
+236
| /// | ||
| /// let mut builder = BufferBuilder::<u32>::new(10); | ||
| /// builder.append_n_zeroed(3); | ||
| /// | ||
| /// assert_eq!(builder.len(), 3); | ||
| /// assert_eq!(builder.as_slice(), &[0, 0, 0]) | ||
| /// ``` |
Contributor
Author
There was a problem hiding this comment.
Drive by cleanup of these empty lines in the docstring, see how they currently look like:
Also fix missing closing block syntax here.
Comment on lines
+398
to
+401
| let buffer = MutableBuffer::from(value); | ||
| // SAFETY | ||
| // - buffer is aligned to T | ||
| unsafe { Self::new_from_buffer(buffer) } |
Contributor
Author
There was a problem hiding this comment.
This is the only usage of this API in our codebase, which already upholds the invariants
Contributor
Author
|
I wouldn't mind making this API private if thats preferred (since its only used in one place) 🤔 |
alamb
approved these changes
Jan 28, 2026
Contributor
alamb
left a comment
alamb
left a comment
There was a problem hiding this comment.
Makes sense to me -- thanks @Jefffrey and @yilin0518
| _marker: PhantomData<T>, | ||
| } | ||
|
|
||
| impl<T: ArrowNativeType> BufferBuilder<T> { |
Contributor
There was a problem hiding this comment.
I think we have discovered over time that BufferBuilder is typically not as performant as using Vec -- but maybe that is a comment for a different day
Contributor
|
fyi @viirya |
viirya
reviewed
Jan 28, 2026
| /// | ||
| /// ``` | ||
| /// # use arrow_buffer::builder::BufferBuilder; | ||
| /// |
viirya
approved these changes
Jan 28, 2026
Contributor
Contributor
Author
|
Thanks @yilin0518 for reporting this |
Contributor
|
I think we should backport this to the 57 release The only thing I worry about is that it is technically a breaking API change |
10 tasks
Contributor
Author
|
I think breaking changes are fine if its for the sake of fixing unsound behaviour 🤔 |
Contributor
|
I will plan to back port it then |
alamb
pushed a commit
to alamb/arrow-rs
that referenced
this pull request
Jan 30, 2026
# Which issue does this PR close? <!-- We generally require a GitHub issue to be filed for all bug fixes and enhancements and this helps us generate change logs for our releases. You can link an issue to this PR using the GitHub syntax. --> - Closes apache#9287 # Rationale for this change <!-- Why are you proposing this change? If this is already explained clearly in the issue then this section is not needed. Explaining clearly why changes are proposed helps reviewers understand your changes and offer better suggestions for fixes. --> As identified by the issue, it is possible to use safe APIs to produce an unaligned buffer in `BufferBuilder`. # What changes are included in this PR? <!-- There is no need to duplicate the description in the issue here but it is sometimes worth providing a summary of the individual changes in this PR. --> Mark `BufferBuilder::new_from_buffer` as unsafe since there are alignment invariants that must be upheld to use it correctly. Also fix some docstrings. # Are these changes tested? <!-- We typically require tests for all PRs in order to: 1. Prevent the code from being accidentally broken by subsequent changes 2. Serve as another way to document the expected behavior of the code If tests are not included in your PR, please explain why (for example, are they covered by existing tests)? --> Marking API unsafe only. # Are there any user-facing changes? <!-- If there are user-facing changes then we may require documentation to be updated before approving the PR. If there are any breaking changes to public APIs, please call them out. --> Yes.
Contributor
alamb
added a commit
that referenced
this pull request
Feb 2, 2026
…) (#9312) - Part of #9240 - Related to #9287 This is a backport of the following PR to the 57 line - #9292 from @Jefffrey Note this is technically an API change (if this API is used by downstream crates they will have to mark the callsites with `unsafe`). However per a conversation with @Jefffrey #9292 (comment) and our general focus on safety, it seems better to err on the safety side > I think breaking changes are fine if its for the sake of fixing unsound behaviour 🤔 Co-authored-by: Jeffrey Vo <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Which issue does this PR close?
Rationale for this change
As identified by the issue, it is possible to use safe APIs to produce an unaligned buffer in
BufferBuilder.What changes are included in this PR?
Mark
BufferBuilder::new_from_bufferas unsafe since there are alignment invariants that must be upheld to use it correctly.Also fix some docstrings.
Are these changes tested?
Marking API unsafe only.
Are there any user-facing changes?
Yes.