ARROW-7813: [Rust] Remove and fix unsafe code

[Marwes]

This removes or corrects many instances of unsafe code in the rust crates. This is by no means a complete fix and some of the fixes do not entirely fix the issues with the particular unsafe (see comments), but in all instances it should put the code in a better place than before.

Based on #6256

[github-actions]

https://issues.apache.org/jira/browse/ARROW-7813

[Marwes]

Removed the commits that changed the simd implemented operators. The code is definitely doing undefined behaviour though as the padding won't be initialized ( #6397 (comment) ).

So either the code could do non-simd operations for the last partial block (if any). Or the padding should be initialized before reading it.

[paddyhoran]

So either the code could do non-simd operations for the last partial block (if any). Or the padding should be initialized before reading it.

I plan to initialize the padded region, ARROW-7836 if no-one beats me to it.

[paddyhoran]

I'll try and review this tomorrow so we can get it merged.

[sunchao]

Will take a look too. This needs rebase BTW. And cc @sadikovi .

[paddyhoran]

Ping @Marwes can you re-base this so we can review if you get a chance please?

[andygrove]

@Marwes Could you rebase this ?

[Marwes]

Rebased, CI is failing though. Not sure what to do to fix.

[paddyhoran]

This was fixed by #6800. Let me see if I can re-trigger CI.

[paddyhoran]

@kszucs how can I re-trigger CI? I tried to force-push to this branch but it has no effect.

[wesm]

Not sure what happened with GitHub (they have been having outage issues?) but I rebased and CI is running again

[nevi-me]

CI is failing with unnecessary unsafe blocks on parquet\src\arrow\array_reader.rs

[paddyhoran]

@Marwes looks like just some basic issues with this, want to take a quick look? I'd like to get this one merged.

[bluss]

(I was "invited" to look at this PR, since I noticed some issues that needed fixing. All my comments will appear a bit random and semi-related to this PR, because of this. I will only comment on important issues.)

Nice, I had named 3 things I saw in arrow 0.16.0 code (not a full review)

Issue (1) about Buffer.ptr being null is being fixed here in this PR. Another common way to solve this in Rust is to use https://doc.rust-lang.org/std/ptr/struct.NonNull.html#method.dangling - an aligned non-null dummy pointer, but I won't review this solution further, Marwes can probably judge it all as well as I can. Using NonNull<T> is certainly an idea, too.
Issue (3) about making Buffer::from_raw_parts unsafe has been merged as a fix in an older PR.

Issue (2) so remains, no check for allocation failure. This produces dangerous mismatches - null pointer and nonzero length - in various places.

This doesn't have to be fixed in this PR, just to note that the issue is not fixed here.

[bluss]

This fix has disappeared, I can't see it in the diff anymore 😕

[paddyhoran]

I opened ARROW-8479

[Marwes]

Issue (1) about Buffer.ptr being null is being fixed here in this PR. Another common way to solve this in Rust is to use https://doc.rust-lang.org/std/ptr/struct.NonNull.html#method.dangling - an aligned non-null dummy pointer, but I won't review this solution further, Marwes can probably judge it all as well as I can. Using NonNull is certainly an idea, too.

That's the better solution. I just spotted the null pointer issue late in this PR and didn't want to complicate it further.

Fixed the review comments.

[bluss]

Thank you @Marwes for doing big work like this for better and safer code

[paddyhoran]

Thank you @Marwes for doing big work like this for better and safer code

Absolutely, thanks very much @Marwes! LGTM from Arrow (crate) perspective. @sunchao can you take a quick look at the changes to the Parquet crate please?

[wesm]

Would be great to get this into 0.17.0, probably needs to be merged today

cc @kszucs

[sunchao]

+1. I only had time to skim through this but it'd be great if we have some perf numbers to show there is no regression.

[kszucs]

@sunchao Included in the 0.17 release. If you find a significant regression, then we can still fix it by cutting a new release candidate.