arrow-buffer: Potential Undefined Behavior Reported by Miri

[yilin0518]

Hi!

We are a team of researchers studying the memory safety problem in Rust. As part of our ongoing research, we performed random testing on arrow-buffer(version:57.2.0) and found that the following code snippet is reported as undefined behavior by Miri:
Describe the bug

#![feature(allocator_api)]
use arrow_buffer::*;
fn main() {
    let v6 = [112, -26, -47];
    let v7 = Vec::from(v6);
    let mut v8 = <buffer::MutableBuffer as std::convert::From<std::vec::Vec::<i32, std::alloc::Global>>>::from(v7);
    let v24 = builder::BufferBuilder::<i128>::new_from_buffer(v8);
    let v25: &'_ builder::BufferBuilder::<i128> = &v24;
    let v26 = builder::BufferBuilder::<i128>::as_slice(v25);
}

The error message miri report is as follows:

error: Undefined Behavior: constructing invalid value: encountered an unaligned reference (required 16 byte alignment but found 8)
   --> /home/chenyl/projects/check_UB/arrow-buffer-57.2.0/src/builder/mod.rs:274:18
    |
274 |         unsafe { std::slice::from_raw_parts(self.buffer.as_ptr() as _, self.len) }
    |                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Undefined Behavior occurred here
    |
    = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
    = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
    = note: BACKTRACE:
    = note: inside `arrow_buffer::BufferBuilder::<i128>::as_slice` at /home/chenyl/projects/check_UB/arrow-buffer-57.2.0/src/builder/mod.rs:274:18: 274:81
note: inside `main`
   --> src/main.rs:9:15
    |
  9 |     let v26 = builder::BufferBuilder::<i128>::as_slice(v25);
    |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace

error: aborting due to 1 previous error; 2 warnings emitted

It seems that as_slice doesn't check the alignment of given buffer, thus causing the undefined behaviour.

To Reproduce

1. Copy the code snippet.
2. choose the rust toolchain:nightly-2025-12-06-x86_64-unknown-linux-gnu
3. install miri and run cargo miri run

Expected behavior

There should not be any undefined behaviour.

Additional context

The OS I use is Linux Unbutu.

We’d appreciate it if you could take a look and confirm whether this behavior indicates a real issue, or if it’s a false positive or an expected limitation of Miri.
Thank you very much!

[Jefffrey]

Cleaner MRE:

use arrow_buffer::{BufferBuilder, MutableBuffer};

fn main() {
    let buffer: Vec<i32> = vec![112];
    let mutable = MutableBuffer::from(buffer);
    let builder = BufferBuilder::<i128>::new_from_buffer(mutable);
    let _ = builder.as_slice();
}

EDIT: Can reproduce same for as_slice_mut()

[yilin0518]

Cleaner MRE:

use arrow_buffer::{BufferBuilder, MutableBuffer};

fn main() {
let buffer: Vec = vec![112];
let mutable = MutableBuffer::from(buffer);
let builder = BufferBuilder::::new_from_buffer(mutable);
let _ = builder.as_slice();
}
EDIT: Can reproduce same for as_slice_mut()

Thank you. Is it a Bug about as_slice and as_slice_mut?

[Jefffrey]

I think it has to do with new_from_buffer(). The safety for as_slice() (repeated for as_slice_mut()) states

arrow-rs/arrow-buffer/src/builder/mod.rs

Lines 276 to 283 in a49af1d

	pub fn as_slice(&self) -> &[T] {
	// SAFETY
	//
	// - MutableBuffer is aligned and initialized for len elements of T
	// - MutableBuffer corresponds to a single allocation
	// - MutableBuffer does not support modification whilst active immutable borrows
	unsafe { std::slice::from_raw_parts(self.buffer.as_ptr() as _, self.len) }
	}

MutableBuffer is aligned and initialized for len elements of T

But new_from_buffer() allows any MutableBuffer regardless of if it's the same type:

arrow-rs/arrow-buffer/src/builder/mod.rs

Lines 97 to 105 in a49af1d

	/// Creates a new builder from a [`MutableBuffer`]
	pub fn new_from_buffer(buffer: MutableBuffer) -> Self {
	let buffer_len = buffer.len();
	Self {
	buffer,
	len: buffer_len / std::mem::size_of::<T>(),
	_marker: PhantomData,
	}
	}

Which I assume this potential issue stems from.

cc @viirya who added the API in #3115, perhaps you can share some thoughts on this?

[viirya]

Looks like a valid issue.

Looks like two issues:

1. new_from_buffer() is too permissive - it accepts any MutableBuffer regardless of the target type's requirements
2. as_slice() assumes guarantees that weren't enforced at construction time

Probably we can:

1. Make new_from_buffer() validate/enforce alignment requirements
2. Make as_slice() check alignment at runtime and handle misaligned cases safely
3. Mark new_from_buffer() as unsafe and document the alignment precondition

[Jefffrey]

I feel issue 2 is only a result of issue 1; it's probably enough to mark new_from_buffer unsafe or make it validate alignment (or even make it private considering its used in only one place internally?) and leave as_slice as is?

[viirya]

If there is only one possible to produce a misaligned MutableBuffer. Then we can probably skip 2 as it is documented.