This is a minor technical unsoundness that is likely to never come up in real usage of this crate.
FFI_ArrowArrayStream has public fields, including raw pointer fields. They can be set to whatever you want in safe Rust code.
ArrowArrayStreamReader::try_new() takes one of these, and internally dereferences some of the pointers.
This means you can technically have UB if you fill an FFI_ArrowArrayStream with garbage and then pass it to ArrowArrayStreamReader::try_new().
In practice, nobody's going to do that; folks will be populating the FFI type over FFI (at which point it's no longer Rust's problem).
But perhaps ArrowArrayStreamReader::try_new() should be unsafe, or FFI_ArrowArrayStream should have private fields.
I don't think this is the only such type in the crate, but it's the first one that my agentic audit noticed.
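The pattern described in the issue, reduced to a constructed stand-in rather than the real arrow-rs types (added example, not code from the crate or the reporter): a `#[repr(C)]` struct with public callback and raw-pointer fields that safe code can fill arbitrarily, and a reader whose constructor therefore has to be `unsafe` so the obligation lands on whoever imports the stream over FFI. A safe Rust-side producer (`RawStream::from_vec`) shows how a constructor can stay safe when every pointer is one the module itself created. `RawStream`, `Reader`, `VecState` and the "0 = item, 1 = end of stream" return convention are all assumptions for illustration.

```rust
use std::ffi::c_void;
use std::ptr;

/// Constructed stand-in for a C-ABI stream struct with public pointer fields.
/// (Assumption for illustration; this is not the real FFI_ArrowArrayStream.)
#[repr(C)]
pub struct RawStream {
    pub get_next: Option<unsafe extern "C" fn(*mut RawStream, *mut i64) -> i32>,
    pub release: Option<unsafe extern "C" fn(*mut RawStream)>,
    pub private_data: *mut c_void,
}

/// Producer state that lives behind `private_data` when the stream is built in Rust.
struct VecState {
    items: Vec<i64>,
    pos: usize,
}

unsafe extern "C" fn vec_get_next(s: *mut RawStream, out: *mut i64) -> i32 {
    // SAFETY: only ever installed by `RawStream::from_vec`, which points
    // private_data at a live, boxed VecState.
    unsafe {
        let state = &mut *((*s).private_data as *mut VecState);
        if state.pos >= state.items.len() {
            return 1; // constructed convention: 1 = end of stream
        }
        *out = state.items[state.pos];
        state.pos += 1;
        0 // constructed convention: 0 = item written to `out`
    }
}

unsafe extern "C" fn vec_release(s: *mut RawStream) {
    // SAFETY: same invariant as vec_get_next; called at most once (see Drop).
    unsafe {
        drop(Box::from_raw((*s).private_data as *mut VecState));
        (*s).private_data = ptr::null_mut();
        (*s).release = None;
    }
}

impl RawStream {
    /// Safe: every pointer in the returned struct was created right here.
    pub fn from_vec(items: Vec<i64>) -> Self {
        let state = Box::new(VecState { items, pos: 0 });
        RawStream {
            get_next: Some(vec_get_next),
            release: Some(vec_release),
            private_data: Box::into_raw(state) as *mut c_void,
        }
    }
}

pub struct Reader {
    stream: RawStream,
}

impl Reader {
    /// # Safety
    /// `stream` must be fully initialised by a conforming producer: its callbacks
    /// and `private_data` are dereferenced by this reader. Because RawStream's
    /// fields are public, safe code could hand over garbage, so the constructor is
    /// `unsafe` and the caller (normally the FFI importer) takes on that obligation.
    pub unsafe fn try_new(stream: RawStream) -> Result<Self, String> {
        // A null check catches the obvious mistake but cannot make garbage safe.
        if stream.get_next.is_none() || stream.release.is_none() {
            return Err("stream is missing required callbacks".into());
        }
        Ok(Reader { stream })
    }

    /// Safe wrapper for the Rust-side producer: the invariant holds by construction.
    pub fn from_vec(items: Vec<i64>) -> Self {
        // SAFETY: RawStream::from_vec installs valid callbacks and private_data.
        let reader = unsafe { Reader::try_new(RawStream::from_vec(items)) };
        reader.expect("stream built by from_vec always has its callbacks")
    }

    pub fn next(&mut self) -> Option<i64> {
        let get_next = self.stream.get_next?;
        let mut value = 0i64;
        // SAFETY: upheld by the contract of `try_new`.
        let rc = unsafe { get_next(&mut self.stream, &mut value) };
        if rc == 0 { Some(value) } else { None }
    }
}

impl Drop for Reader {
    fn drop(&mut self) {
        if let Some(release) = self.stream.release {
            // SAFETY: contract of `try_new`; vec_release clears the field so
            // a second call cannot happen.
            unsafe { release(&mut self.stream) };
        }
    }
}

/// Consume a Rust-built stream end to end through the reader.
pub fn drain(items: Vec<i64>) -> Vec<i64> {
    let mut reader = Reader::from_vec(items);
    let mut out = Vec::new();
    while let Some(v) = reader.next() {
        out.push(v);
    }
    out
}
```

Making the fields private instead (the issue's other suggested fix) would let `try_new` stay a safe function, because the only way to obtain a `RawStream` would then be `from_vec` or a dedicated `unsafe fn from_raw` for FFI producers; either way the `unsafe` keyword ends up exactly where the unchecked pointers enter Rust.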