Mark BufferBuilder::new_from_buffer as unsafe#9292
Conversation
| /// # Safety | ||
| /// | ||
| /// - `buffer` bytes must be aligned to type `T` | ||
| pub unsafe fn new_from_buffer(buffer: MutableBuffer) -> Self { |
| /// | ||
| /// let mut builder = BufferBuilder::<u32>::new(10); | ||
| /// builder.append_n_zeroed(3); | ||
| /// | ||
| /// assert_eq!(builder.len(), 3); | ||
| /// assert_eq!(builder.as_slice(), &[0, 0, 0]) | ||
| /// ``` |
| let buffer = MutableBuffer::from(value); | ||
| // SAFETY | ||
| // - buffer is aligned to T | ||
| unsafe { Self::new_from_buffer(buffer) } |
There was a problem hiding this comment.
This is the only usage of this API in our codebase, which already upholds the invariants
|
I wouldn't mind making this API private if thats preferred (since its only used in one place) 🤔 |
alamb
left a comment
There was a problem hiding this comment.
Makes sense to me -- thanks @Jefffrey and @yilin0518
| _marker: PhantomData<T>, | ||
| } | ||
|
|
||
| impl<T: ArrowNativeType> BufferBuilder<T> { |
There was a problem hiding this comment.
I think we have discovered over time that BufferBuilder is typically not as performant as using Vec -- but maybe that is a comment for a different day
|
fyi @viirya |
| /// | ||
| /// ``` | ||
| /// # use arrow_buffer::builder::BufferBuilder; | ||
| /// |
|
Thanks @yilin0518 for reporting this |
|
I think we should backport this to the 57 release The only thing I worry about is that it is technically a breaking API change |
|
I think breaking changes are fine if its for the sake of fixing unsound behaviour 🤔 |
|
I will plan to back port it then |
# Which issue does this PR close? <!-- We generally require a GitHub issue to be filed for all bug fixes and enhancements and this helps us generate change logs for our releases. You can link an issue to this PR using the GitHub syntax. --> - Closes apache#9287 # Rationale for this change <!-- Why are you proposing this change? If this is already explained clearly in the issue then this section is not needed. Explaining clearly why changes are proposed helps reviewers understand your changes and offer better suggestions for fixes. --> As identified by the issue, it is possible to use safe APIs to produce an unaligned buffer in `BufferBuilder`. # What changes are included in this PR? <!-- There is no need to duplicate the description in the issue here but it is sometimes worth providing a summary of the individual changes in this PR. --> Mark `BufferBuilder::new_from_buffer` as unsafe since there are alignment invariants that must be upheld to use it correctly. Also fix some docstrings. # Are these changes tested? <!-- We typically require tests for all PRs in order to: 1. Prevent the code from being accidentally broken by subsequent changes 2. Serve as another way to document the expected behavior of the code If tests are not included in your PR, please explain why (for example, are they covered by existing tests)? --> Marking API unsafe only. # Are there any user-facing changes? <!-- If there are user-facing changes then we may require documentation to be updated before approving the PR. If there are any breaking changes to public APIs, please call them out. --> Yes.
…) (#9312) - Part of #9240 - Related to #9287 This is a backport of the following PR to the 57 line - #9292 from @Jefffrey Note this is technically an API change (if this API is used by downstream crates they will have to mark the callsites with `unsafe`). However per a conversation with @Jefffrey #9292 (comment) and our general focus on safety, it seems better to err on the safety side > I think breaking changes are fine if its for the sake of fixing unsound behaviour 🤔 Co-authored-by: Jeffrey Vo <[email protected]>

Which issue does this PR close?
Rationale for this change
As identified by the issue, it is possible to use safe APIs to produce an unaligned buffer in
BufferBuilder.What changes are included in this PR?
Mark
BufferBuilder::new_from_bufferas unsafe since there are alignment invariants that must be upheld to use it correctly.Also fix some docstrings.
Are these changes tested?
Marking API unsafe only.
Are there any user-facing changes?
Yes.