refactor: internal fn for ragged access is now safe (#721)

Author: molpopgen

src/metadata.rs

@@ -91,6 +91,13 @@
 //! let id = tables.add_individual_with_metadata(0, &[] as &[tskit::Location], &[tskit::IndividualId::NULL], &individual).unwrap();
 //! let decoded = tables.individuals().metadata::<IndividualMetadata>(id).unwrap().unwrap();
 //! assert_eq!(decoded.genetic_value.partial_cmp(&individual.genetic_value).unwrap(), std::cmp::Ordering::Equal);
+//! let _ = tables.add_individual(0, &[] as &[tskit::Location], &[tskit::IndividualId::NULL]).unwrap();
+//! let individual2 = IndividualMetadata {
+//!     genetic_value: GeneticValue(1.0),
+//! };
+//! let id2 = tables.add_individual_with_metadata(0, &[] as &[tskit::Location], &[tskit::IndividualId::NULL], &individual2).unwrap();
+//! let decoded2 = tables.individuals().metadata::<IndividualMetadata>(id2).unwrap().unwrap();
+//! assert_eq!(decoded2.genetic_value.partial_cmp(&individual2.genetic_value).unwrap(), std::cmp::Ordering::Equal);
 //! # }
 //! ```
 //!

src/sys/individual_table.rs

@@ -1,5 +1,6 @@
 use std::ptr::NonNull;
 
+use super::bindings::tsk_size_t;
 use super::flags::IndividualFlags;
 use super::newtypes::IndividualId;
 
@@ -76,18 +77,46 @@ impl IndividualTable {
 
     raw_metadata_getter_for_tables!(IndividualId);
 
-    pub fn location(&self, row: IndividualId) -> Option<&[super::newtypes::Location]> {
-        assert!(
-            (self.as_ref().num_rows == 0 && self.as_ref().location_length == 0)
-                || (!self.as_ref().location.is_null() && !self.as_ref().location_offset.is_null())
-        );
+    pub fn location_column(&self) -> &[super::newtypes::Location] {
         unsafe {
-            super::tsk_ragged_column_access(
-                row,
-                self.as_ref().location,
-                self.as_ref().num_rows,
+            std::slice::from_raw_parts(
+                self.as_ref().location.cast::<super::newtypes::Location>(),
+                self.as_ref().location_length as usize,
+            )
+        }
+    }
+
+    fn location_offset_column_raw(&self) -> &[tsk_size_t] {
+        unsafe {
+            std::slice::from_raw_parts(
                 self.as_ref().location_offset,
-                self.as_ref().location_length,
+                self.as_ref().num_rows as usize,
+            )
+        }
+    }
+
+    pub fn location(&self, row: IndividualId) -> Option<&[super::newtypes::Location]> {
+        super::tsk_ragged_column_access(
+            row,
+            self.location_column(),
+            self.location_offset_column_raw(),
+        )
+    }
+
+    fn parents_column(&self) -> &[IndividualId] {
+        unsafe {
+            std::slice::from_raw_parts(
+                self.as_ref().parents.cast::<IndividualId>(),
+                self.as_ref().parents_length as usize,
+            )
+        }
+    }
+
+    fn parents_offset_column_raw(&self) -> &[tsk_size_t] {
+        unsafe {
+            std::slice::from_raw_parts(
+                self.as_ref().parents_offset,
+                self.as_ref().num_rows as usize,
             )
         }
     }
@@ -97,15 +126,11 @@ impl IndividualTable {
             (self.as_ref().num_rows == 0 && self.as_ref().parents_length == 0)
                 || (!self.as_ref().parents.is_null() && !self.as_ref().location_offset.is_null())
         );
-        unsafe {
-            super::tsk_ragged_column_access(
-                row,
-                self.as_ref().parents,
-                self.as_ref().num_rows,
-                self.as_ref().parents_offset,
-                self.as_ref().parents_length,
-            )
-        }
+        super::tsk_ragged_column_access(
+            row,
+            self.parents_column(),
+            self.parents_offset_column_raw(),
+        )
     }
 }
 

src/sys/macros.rs

@@ -295,21 +295,30 @@ macro_rules! safe_tsk_column_access {
 
 macro_rules! raw_metadata_getter_for_tables {
     ($idtype: ty) => {
-        pub fn raw_metadata<I: Into<$idtype>>(&self, row: I) -> Option<&[u8]> {
-            assert!(
-                (self.as_ref().num_rows == 0 && self.as_ref().metadata_length == 0)
-                    || (!self.as_ref().metadata.is_null()
-                        && !self.as_ref().metadata_offset.is_null())
-            );
+        fn metadata_column(&self) -> &[u8] {
+            unsafe {
+                std::slice::from_raw_parts(
+                    self.as_ref().metadata.cast::<u8>(),
+                    self.as_ref().metadata_length as usize,
+                )
+            }
+        }
+
+        fn metadata_offset_raw(&self) -> &[super::bindings::tsk_size_t] {
             unsafe {
-                $crate::sys::tsk_ragged_column_access::<'_, u8, $idtype, _, _>(
-                    row.into(),
-                    self.as_ref().metadata,
-                    self.as_ref().num_rows,
+                std::slice::from_raw_parts(
                     self.as_ref().metadata_offset,
-                    self.as_ref().metadata_length,
+                    self.as_ref().num_rows as usize,
                 )
             }
         }
+
+        pub fn raw_metadata<I: Into<$idtype>>(&self, row: I) -> Option<&[u8]> {
+            $crate::sys::tsk_ragged_column_access(
+                row.into(),
+                self.metadata_column(),
+                self.metadata_offset_raw(),
+            )
+        }
     };
 }

src/sys/mod.rs

@@ -141,79 +141,36 @@ unsafe fn tsk_column_access<
     tsk_column_access_detail(row, column, column_length).map(|v| v.into())
 }
 
-/// # SAFETY
-///
-/// The safety requirements here are a bit fiddly.
-///
-/// The hard case is when the columns contain data:
-///
-/// * column and offset must both not be NULL
-/// * column_length and offset_length must both be
-///   the correct lengths for the input pointers
-/// * we return None if row < 0 or row > array length.
-/// * Thus, the requirement is that the two _lengths
-///   == 0 or (pointer both not NULL and the lengths are correct)
-///
-/// When the lengths of each column are 0, we
-/// don't worry about anything else
-unsafe fn tsk_ragged_column_access_detail<
-    R: Into<bindings::tsk_id_t>,
-    L: Into<bindings::tsk_size_t>,
-    T: Copy,
->(
-    row: R,
-    column: *const T,
-    column_length: L,
-    offset: *const bindings::tsk_size_t,
-    offset_length: bindings::tsk_size_t,
-) -> Option<(*const T, usize)> {
-    let row = row.into();
-    let column_length = column_length.into();
-    if row < 0 || row as bindings::tsk_size_t > column_length || offset_length == 0 {
+fn tsk_ragged_column_access_detail<'a, T>(
+    row: usize,
+    column: &'a [T],
+    raw_offset: &'a [bindings::tsk_size_t],
+) -> Option<&'a [T]> {
+    if row >= raw_offset.len() || raw_offset.is_empty() {
         None
     } else {
-        // SAFETY: pointers are not null
-        // and *_length are given by tskit-c
-        let index = row as isize;
-        let start = *offset.offset(index);
-        let stop = if (row as bindings::tsk_size_t) < column_length {
-            *offset.offset(index + 1)
+        let start = usize::try_from(raw_offset[row]).ok()?;
+        let stop = if row < raw_offset.len() - 1 {
+            usize::try_from(raw_offset[row + 1]).ok()?
         } else {
-            offset_length
+            column.len()
         };
         if start == stop {
             None
         } else {
-            Some((
-                column.offset(start as isize),
-                stop as usize - start as usize,
-            ))
+            Some(&column[start..stop])
         }
     }
 }
 
-// SAFETY: see tsk_ragged_column_access_detail
-// We further erquire that a pointer to a T can
-// be safely cast to a pointer to an O.
-unsafe fn tsk_ragged_column_access<
-    'a,
-    O,
-    R: Into<bindings::tsk_id_t>,
-    L: Into<bindings::tsk_size_t>,
-    T: Copy,
->(
+fn tsk_ragged_column_access<'a, O, R: Into<bindings::tsk_id_t>>(
     row: R,
-    column: *const T,
-    column_length: L,
-    offset: *const bindings::tsk_size_t,
-    offset_length: bindings::tsk_size_t,
+    column: &'a [O],
+    raw_offset: &'a [bindings::tsk_size_t],
 ) -> Option<&'a [O]> {
-    unsafe {
-        tsk_ragged_column_access_detail(row, column, column_length, offset, offset_length)
-            // If the safety requirements of tsk_ragged_column_access_detail are upheld,
-            // then we have received a valid pointer + length from which to make a slice
-            .map(|(p, n)| std::slice::from_raw_parts(p.cast::<O>(), n))
-    }
+    let row = row.into();
+    let row = usize::try_from(row).ok()?;
+    tsk_ragged_column_access_detail(row, column, raw_offset)
 }
 
 /// # SAFETY

src/sys/mutation_table.rs

@@ -10,6 +10,7 @@ use super::bindings::tsk_mutation_table_add_row;
 use super::bindings::tsk_mutation_table_clear;
 use super::bindings::tsk_mutation_table_init;
 use super::bindings::tsk_mutation_table_t;
+use super::bindings::tsk_size_t;
 use super::tskbox::TskBox;
 use super::TskitError;
 
@@ -100,24 +101,31 @@ impl MutationTable {
 
     raw_metadata_getter_for_tables!(MutationId);
 
-    pub fn derived_state(&self, row: MutationId) -> Option<&[u8]> {
-        assert!(
-            (self.as_ref().num_rows == 0 && self.as_ref().derived_state_length == 0)
-                || (!self.as_ref().derived_state.is_null()
-                    && !self.as_ref().derived_state_offset.is_null())
-        );
-        // SAFETY: either both columns are empty or both pointers at not NULL,
-        // in which case the correct lengths are from the low-level objects
+    fn derived_state_column(&self) -> &[u8] {
         unsafe {
-            super::tsk_ragged_column_access(
-                row,
-                self.as_ref().derived_state,
-                self.as_ref().num_rows,
+            std::slice::from_raw_parts(
+                self.as_ref().derived_state.cast::<u8>(),
+                self.as_ref().derived_state_length as usize,
+            )
+        }
+    }
+
+    fn derived_state_offset_raw(&self) -> &[tsk_size_t] {
+        unsafe {
+            std::slice::from_raw_parts(
                 self.as_ref().derived_state_offset,
-                self.as_ref().derived_state_length,
+                self.as_ref().num_rows as usize,
             )
         }
     }
+
+    pub fn derived_state(&self, row: MutationId) -> Option<&[u8]> {
+        super::tsk_ragged_column_access(
+            row,
+            self.derived_state_column(),
+            self.derived_state_offset_raw(),
+        )
+    }
 }
 
 impl Default for MutationTable {

src/sys/provenance_table.rs

@@ -58,47 +58,57 @@ impl ProvenanceTable {
         Ok(rv)
     }
 
-    pub fn timestamp(&self, row: ProvenanceId) -> Option<&str> {
-        assert!(
-            (self.as_ref().num_rows != 0 && self.as_ref().timestamp_length != 0)
-                || (!self.as_ref().timestamp.is_null()
-                    && !self.as_ref().timestamp_offset.is_null())
-        );
+    fn timestamp_column(&self) -> &[u8] {
+        unsafe {
+            std::slice::from_raw_parts(
+                self.as_ref().timestamp.cast::<u8>(),
+                self.as_ref().timestamp_length as usize,
+            )
+        }
+    }
 
-        // SAFETY: the previous assert checks the safety
-        // requirements
-        let timestamp_slice = unsafe {
-            super::tsk_ragged_column_access(
-                row,
-                self.as_ref().timestamp,
-                self.as_ref().num_rows,
+    fn timestamp_offset_column_raw(&self) -> &[tsk_size_t] {
+        unsafe {
+            std::slice::from_raw_parts(
                 self.as_ref().timestamp_offset,
-                self.as_ref().timestamp_length,
+                self.as_ref().num_rows as usize,
             )
-        };
+        }
+    }
+
+    pub fn timestamp(&self, row: ProvenanceId) -> Option<&str> {
+        let timestamp_slice = super::tsk_ragged_column_access(
+            row,
+            self.timestamp_column(),
+            self.timestamp_offset_column_raw(),
+        );
         match timestamp_slice {
             Some(tstamp) => std::str::from_utf8(tstamp).ok(),
             None => None,
         }
     }
 
+    fn record_column(&self) -> &[u8] {
+        unsafe {
+            std::slice::from_raw_parts(
+                self.as_ref().record.cast::<u8>(),
+                self.as_ref().record_length as usize,
+            )
+        }
+    }
+
+    fn record_offset_column_raw(&self) -> &[tsk_size_t] {
+        unsafe {
+            std::slice::from_raw_parts(self.as_ref().record_offset, self.as_ref().num_rows as usize)
+        }
+    }
+
     pub fn record(&self, row: ProvenanceId) -> Option<&str> {
-        assert!(
-            (self.as_ref().num_rows != 0 && self.as_ref().record_length != 0)
-                || (!self.as_ref().record.is_null() && !self.as_ref().record_offset.is_null())
+        let record_slice = super::tsk_ragged_column_access(
+            row,
+            self.record_column(),
+            self.record_offset_column_raw(),
         );
-
-        // SAFETY: the previous assert checks the safety
-        // requirements
-        let record_slice = unsafe {
-            super::tsk_ragged_column_access(
-                row,
-                self.as_ref().record,
-                self.as_ref().num_rows,
-                self.as_ref().record_offset,
-                self.as_ref().record_length,
-            )
-        };
         match record_slice {
             Some(rec) => std::str::from_utf8(rec).ok(),
             None => None,