Skip to content

ARROW-7813: [Rust] Remove and fix unsafe code #6395

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
Marwes wants to merge 20 commits into from
Closed

ARROW-7813: [Rust] Remove and fix unsafe code #6395

Marwes wants to merge 20 commits into from

Conversation

@Marwes
Copy link

@Marwes Marwes commented Feb 10, 2020
edited
Loading

This removes or corrects many instances of unsafe code in the rust crates. This is by no means a complete fix and some of the fixes do not entirely fix the issues with the particular unsafe (see comments), but in all instances it should put the code in a better place than before.

Based on #6256

@github-actions
Copy link

github-actions bot commented Feb 10, 2020

https://issues.apache.org/jira/browse/ARROW-7813

@Marwes Marwes mentioned this pull request Feb 11, 2020
Closed
@Marwes
Copy link
Author

Marwes commented Feb 13, 2020

Removed the commits that changed the simd implemented operators. The code is definitely doing undefined behaviour though as the padding won't be initialized ( #6397 (comment) ).

So either the code could do non-simd operations for the last partial block (if any). Or the padding should be initialized before reading it.

@paddyhoran
Copy link
Contributor

paddyhoran commented Feb 13, 2020

So either the code could do non-simd operations for the last partial block (if any). Or the padding should be initialized before reading it.

I plan to initialize the padded region, ARROW-7836 if no-one beats me to it.

@paddyhoran
Copy link
Contributor

paddyhoran commented Feb 13, 2020

I'll try and review this tomorrow so we can get it merged.

@sunchao
Copy link
Member

sunchao commented Feb 15, 2020
edited
Loading

Will take a look too. This needs rebase BTW. And cc @sadikovi .

@paddyhoran
Copy link
Contributor

paddyhoran commented Feb 24, 2020

Ping @Marwes can you re-base this so we can review if you get a chance please?

@andygrove
Copy link
Member

andygrove commented Mar 28, 2020

@Marwes Could you rebase this ?

@Marwes
Copy link
Author

Marwes commented Apr 1, 2020
edited
Loading

Rebased, CI is failing though. Not sure what to do to fix.

@paddyhoran
Copy link
Contributor

paddyhoran commented Apr 4, 2020

This was fixed by #6800. Let me see if I can re-trigger CI.

@paddyhoran
Copy link
Contributor

paddyhoran commented Apr 4, 2020

@kszucs how can I re-trigger CI? I tried to force-push to this branch but it has no effect.

@wesm
Copy link
Member

wesm commented Apr 4, 2020

Not sure what happened with GitHub (they have been having outage issues?) but I rebased and CI is running again

@nevi-me
Copy link
Contributor

nevi-me commented Apr 4, 2020

CI is failing with unnecessary unsafe blocks on parquet\src\arrow\array_reader.rs

@paddyhoran paddyhoran mentioned this pull request Apr 12, 2020
Open
@paddyhoran
Copy link
Contributor

paddyhoran commented Apr 12, 2020

@Marwes looks like just some basic issues with this, want to take a quick look? I'd like to get this one merged.

@bluss
Copy link

bluss commented Apr 12, 2020
edited
Loading

(I was "invited" to look at this PR, since I noticed some issues that needed fixing. All my comments will appear a bit random and semi-related to this PR, because of this. I will only comment on important issues.)

Nice, I had named 3 things I saw in arrow 0.16.0 code (not a full review)

Issue (1) about Buffer.ptr being null is being fixed here in this PR. Another common way to solve this in Rust is to use https://doc.rust-lang.org/std/ptr/struct.NonNull.html#method.dangling - an aligned non-null dummy pointer, but I won't review this solution further, Marwes can probably judge it all as well as I can. Using NonNull<T> is certainly an idea, too.
Issue (3) about making Buffer::from_raw_parts unsafe has been merged as a fix in an older PR.

Issue (2) so remains, no check for allocation failure. This produces dangerous mismatches - null pointer and nonzero length - in various places.

This doesn't have to be fixed in this PR, just to note that the issue is not fixed here.

bluss
bluss reviewed Apr 12, 2020
View reviewed changes
rust/arrow/src/buffer.rs Outdated

This comment was marked as resolved.

Sign in to view

bluss
bluss reviewed Apr 13, 2020
View reviewed changes
rust/arrow/src/buffer.rs Outdated

This comment was marked as resolved.

Sign in to view

bluss
bluss reviewed Apr 13, 2020
View reviewed changes
rust/arrow/src/buffer.rs Outdated

This comment was marked as resolved.

Sign in to view

Copy link

@bluss bluss Apr 15, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This fix has disappeared, I can't see it in the diff anymore 😕

Copy link
Contributor

@paddyhoran paddyhoran Apr 16, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I opened ARROW-8479

Markus Westerlind added 7 commits April 14, 2020 09:42
Better error message for missing test data
62919d4
fix: murmur hash is only safe on platforms with unaligned loads
5a15589 
Might be other platforms this works on as well, but those could be added
as they are found
fix: Use safe code to read types in bit_util
5681258 
Fixes undefined behaviour that could occur from safe code calling with
`T == Box<i32>` etc.
Remove unnecessary unsafe in memcpy functions
44bf359
fix: Don't allow arbitrary transmutes when decoding
27b7b29 
This may cause panics in code using ByteArray or Int96 but no tests
currently test these paths. Still better than the status quo which would
be undefined behaviour (if the replaced code paths were hit).
Remove unnecessary unsafe in Int96 construction
20e62c4
fix: Don't trust parquet data to be UTF-8
4df3f2b
Markus Westerlind added 13 commits April 14, 2020 09:42
refactor: Remove unnecessary unsafe in decoding
5a69773
fix: Restrict which types can be transmuted to byte slices
fb719eb 
Some types such as `&[Int96]` and `&[ByteArray]` can't be transmuted to a `&[u8]`
as they aren't plain old data.

`&mut bool` can't be transmuted to a `&mut u8` since that would
allow writing values other than 0 or 1 to it.
refactor: Remove unnecessary unsafe from rle encoding
c9996be
fix: Prevent aliasing of &mut with FatPtr by threading lifetimes
fc0d0d4
fix: Don't alias &mut from bit_writer
b73debc
refactor: Avoid unsafe in put
92e3205
refactor: Avoid unsafe when casting RecordReader
46a894b
refactor: Move unsafe into MutableBuffer
425ba07
fix: Don't create a slice from a null pointer when calling Buffer::data
c606440
refactor: No need for unsafe in Debug impl for Buffer
52cc391
Fix fn data
6990951
Fix non-simd compilation
cfb8496
Fix bluss's review comments
45cccc4
@Marwes
Copy link
Author

Marwes commented Apr 14, 2020

Issue (1) about Buffer.ptr being null is being fixed here in this PR. Another common way to solve this in Rust is to use https://doc.rust-lang.org/std/ptr/struct.NonNull.html#method.dangling - an aligned non-null dummy pointer, but I won't review this solution further, Marwes can probably judge it all as well as I can. Using NonNull is certainly an idea, too.

That's the better solution. I just spotted the null pointer issue late in this PR and didn't want to complicate it further.

Fixed the review comments.

@bluss
Copy link

bluss commented Apr 14, 2020
edited
Loading

Thank you @Marwes for doing big work like this for better and safer code

paddyhoran
paddyhoran approved these changes Apr 14, 2020
View reviewed changes
Copy link
Contributor

@paddyhoran paddyhoran left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @Marwes for doing big work like this for better and safer code

Absolutely, thanks very much @Marwes! LGTM from Arrow (crate) perspective. @sunchao can you take a quick look at the changes to the Parquet crate please?

@wesm
Copy link
Member

wesm commented Apr 14, 2020

Would be great to get this into 0.17.0, probably needs to be merged today

cc @kszucs

sunchao
sunchao approved these changes Apr 14, 2020
View reviewed changes
Copy link
Member

@sunchao sunchao left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1. I only had time to skim through this but it'd be great if we have some perf numbers to show there is no regression.

@kszucs
Copy link
Member

kszucs commented Apr 15, 2020

@sunchao Included in the 0.17 release. If you find a significant regression, then we can still fix it by cutting a new release candidate.

@Marwes Marwes deleted the unsafe_rust_2 branch April 15, 2020 09:33
@alamb alamb mentioned this pull request Apr 26, 2021
Closed
@asfimport asfimport mentioned this pull request Apr 16, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@paddyhoran paddyhoran paddyhoran approved these changes

@sunchao sunchao sunchao approved these changes

+1 more reviewer

@bluss bluss bluss left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

Component: Rust

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

8 participants

@Marwes @paddyhoran @sunchao @andygrove @wesm @nevi-me @bluss @kszucs