feat: columnar DataFrame ingest (Arrow / Polars / Pandas) + Arrow egress

[kafka1991]

Summary

This PR is the combined landing of #148 and #150 — two independently-developed columnar I/O tracks that both target QWP/WebSocket and share the same connection pool / SymbolGlobalDict, shipped together so downstream consumers (py-questdb-client, in-tree C/C++ tests) see one self-consistent surface.

#148 — Column-major sender (column_sender)

A DataFrame → Table ingest API. QuestDb connection pool + BorrowedSender + Chunk (per-column Vec<u8> that stacks wire bytes directly) + synchronous flush(AckLevel). Covers bool / signed integers / floats / UUID / Long256 / IPv4 / timestamps / VARCHAR / symbol_dict_{i8,i16,i32} bulk-intern. The connection-scoped SchemaRegistry (FULL / REFERENCE emit modes) and SymbolGlobalDict are shared with the row API, preserving the 1M-per-connection symbol cap on huge Pandas Categorical dicts. Full C ABI (include/questdb/ingress/column_sender.h) and a Criterion bench suite (column path ≈ memcpy ceiling; bulk-intern ~16× faster than per-row HashMap).

#150 — Apache Arrow + Polars integration

Both directions over QWP/WebSocket:

• Ingress: Buffer::append_arrow / append_arrow_at_column consumes a whole RecordBatch in one call, column-major dense bulk path (one memcpy per column; QWP null bitmap built by byte-stride OR-with-NOT of the Arrow validity buffer when boundaries align, per-row fallback only when bit-offsets are unaligned).
• Egress: Cursor::as_record_batch_reader() streaming RecordBatch iterator; Polars sub-feature provides the DataFrame bridge.
• C ABI via the Arrow C Data Interface: line_sender_buffer_append_arrow* and line_reader_cursor_next_arrow_batch. Every producer-supplied ArrowArray/ArrowSchema is pre-validated before from_ffi (schema depth ≤ 64, row_count ≤ 16M, bounded per-node buffer/child counts, and rejection of NULL or under-sized buffer arrays), so a malformed struct returns an error instead of aborting the FFI crate's panic = "abort" profile. The manual per-column FFI path caps each variable-length payload at i32::MAX.

Why merged

The two tracks were developed on the same jh_conn_pool_refactor branch and converged on shared infrastructure (connection pool, SymbolGlobalDict, QWP/WS transport). Splitting them at review time would force one to ship behind a compatibility shim for the other; merging them together avoids that churn and gives C/C++ callers — and the upcoming Pandas / Polars wrapper in py-questdb-client — a column-major, zero-redundant-copy path into QuestDB in one cut.

Public surface

See the original PRs' "Public surface" / "What's in the box" sections:

• column_sender API: feat(ingress): column-major sender for QWP/WebSocket (WS-0..WS-6) #148
• Arrow / Polars API: feat: Apache Arrow / Polars integration for QWP-WS #150

Feature gating

• questdb-rs: arrow + polars are opt-in features, excluded from almost-all-features; column_sender lives behind sync-sender-qwp-ws.
• questdb-rs-ffi: arrow feature mirrors.
• CMakeLists.txt: QUESTDB_ENABLE_ARROW=OFF by default; auto-flipped to ON when QUESTDB_TESTS_AND_EXAMPLES=ON so tests / examples exercise the Arrow path without explicit opt-in.

Test plan

• Rust unit tests: 57 column_sender + 80+ Arrow
• FFI unit tests: 8 new column_sender + Arrow path coverage
• C/C++ tests: test_arrow_c.c / test_arrow_egress.cpp / test_arrow_ingress.cpp wired into CMake and exercised in CI
• System tests against a live QuestDB: arrow_egress_fuzz / arrow_ingress_fuzz / arrow_round_trip_fuzz / arrow_alignment_fuzz
• cargo bench --features sync-sender-qwp-ws --bench column_sender
• End-to-end Pandas / Polars throughput (py-questdb-client, WS-7)

Closes #148, #150.

Summary by CodeRabbit

• New Features

  • Opt-in Apache Arrow support for Arrow egress and ingest; new column-major sender for high-throughput DataFrame ingestion; Polars integration.

• Examples

  • Added C, C++ and Rust examples demonstrating Arrow egress/ingest and column-sender/Polars workflows.

• Documentation

  • Added column-sender ABI spec, implementation plan, and performance guidance.

• Tests

  • Expanded Arrow/Polars unit, smoke and fuzz coverage; new integration tests.

• Chores (CI)

  • CI updated to install pyarrow/polars, expanded test/fuzz jobs and longer timeouts.

• Benchmarks

  • New Criterion benchmarks measuring column-sender performance.

[bluestreak01]

Review — columnar DataFrame ingest (Arrow / Polars / Pandas) + Arrow egress

Adversarial level-3 review. Scope: 90 files, +40,097 / −972 — the combined landing of #148 (column_sender) + #150 (Arrow/Polars).

Disclosure: this review was produced with significant automated assistance, and the reviewer authored part of this PR (the borrow_row_sender pool, PolarsIngestOptions, impl TryInto<TableName>). Findings on those areas are effectively self-review — weight an independent pass on the pool/polars/ergonomics accordingly.

Method: build-profile facts captured; deep passes over the ~15 risk-bearing Rust/FFI files; docs/CI/examples/python-fuzz/bench treated as lower priority. Every finding below was verified against source (including arrow-rs 58.3.0).

Premise (load-bearing): questdb-rs-ffi is panic = "abort" in both release and dev (questdb-rs-ffi/Cargo.toml:72-76) → catch_unwind/panic_guard are no-ops; every reachable panic from an FFI entrypoint is a host-process abort.

Headline: unusually well-hardened. The highest-risk surface — the Arrow C Data Interface pre-from_ffi validation under panic=abort — was verified to close every eager-deref/assert/underflow site arrow-rs actually has. No confirmed memory-unsafety or data-corruption bug is reachable on the release profile through the documented, validated FFI path. The findings are an ergonomics data-loss footgun, a debug-only abort, FFI hardening gaps, and consistency/resource issues.

---

Critical (request changes)

C1 — flush() defers commit; dropping the sender (esp. the C++ RAII destructor) silently discards uncommitted rows. Easy path ≠ safe path. (verified)

• ColumnSender::flush sends FLAG_DEFER_COMMIT and does not wait for an ack (sender.rs:164-170). Drop only poisons the conn — db.rs:829-832 / 868-871: if sender.conn.in_flight() > 0 { mark_must_close() } return_to_pool(...) — it never syncs. So flush + drop-without-sync() silently drops every uncommitted frame.
• first_frame_sent travels with the pooled slot, so a recycled warm connection defers even the first flush. Identical user code loses everything on a recycled conn but commits on a cold one — nondeterministic from pool state.
• C/C++ is the dangerous surface: column_sender.hpp ~borrowed_conn() noexcept { release(); } drops silently; the C header's flush/sync docs never state "un-synced rows are not committed." Row-API Sender::flush (HTTP) commits on return — the same verb has the opposite durability contract.
• Fix: best-effort sync on Drop (or a loud debug_assert/log when in_flight()>0), and prominently document "MUST call sync/column_sender_sync or lose uncommitted rows" on flush, the C column_sender_flush, and the borrowed_conn dtor. (Caveat: documented on Rust flush and arguably intended pipelining design — flagging for an explicit decision, not asserting an accidental bug.)

---

Moderate

M1 — column_sender_arrow_import_new takes symbol_mode as a by-value #[repr(u32)] enum → out-of-range C value is instant UB. (verified) The file's own comment (column_sender.rs:273) says dtype/ack_level are taken as u32 specifically to make out-of-range a recoverable InvalidApiCall instead of UB — but column_sender_arrow_import_new (:1348) takes symbol_mode: column_sender_symbol_mode by value; a C caller passing 5 materializes an invalid discriminant (UB) before the match at :1352. Fix: make it u32 + map with InvalidApiCall on out-of-range, mirroring ack_level_from_u32.

M2 — numpy append has a data pointer + row_count but no buffer byte-length → a wrapper bug = OOB read (host crash/UB). (verified) column_sender_chunk_append_numpy_column(data: *const u8, row_count, dtype, ...) (column_sender.rs:2016) reads row_count * elem_size(dtype) bytes trusting caller dtype/count; nothing carries nbytes. An int8 array tagged f64/geohash_i64 reads 8× the buffer. Unlike the Arrow path (validated via from_ffi pre-checks), the numpy path has no length to even sanity-check. Fix: thread a data_len/nbytes param and assert row_count.checked_mul(elem_size) <= data_len before any read; reject non-C-contiguous / negative-stride in the wrapper.

M3 — Negative FixedSizeList size bypasses the Arrow validator → debug-build abort. (verified) validate_arrow_array_depth guards negative FixedSizeBinary(width) (lib.rs:4058-4064) but not FixedSizeList(_, size). A schema +w:-1 with n_buffers=2 passes the floor/cap checks, then arrow-rs bit_width computes child_bits * (-1 as usize). Under dev panic=abort + overflow-checks → abort; release wraps and validate_full then rejects gracefully (so: debug-only abort, release-safe). No +w:-N test exists. Fix: also reject negative FixedSizeList size (mirror the FixedSizeBinary guard).

M4 — Pool health Mutex held across the blocking connect handshake. (verified) connect_conn_pool (db.rs:1163) locks inner.health, then connect_conn → connector.connect_round(&mut health) does full TCP+TLS+WS-upgrade I/O under the lock. Serializes all concurrent connects pool-wide and head-of-line-blocks transport-dead returns (which also lock_health) behind a slow/black-holed connect — degrading the failover path the pool exists for. No deadlock. Fix: choose the endpoint under the lock, release it during network I/O, re-acquire to record the result.

M5 — Egress: per-column degenerate-list node budget (16M) is reset per column, not per batch → OOM/abort amplification. (confirmed, reachability nuance) MAX_DEGENERATE_LIST_NODES=16M with node_budget recomputed each array_column_to_arrow call (convert.rs:644); a frame may carry MAX_COLUMNS_PER_TABLE=2048 array columns, each a [16M,0] row → multi-GB retained → OOM (=abort under FFI). Exact per-column wire cost not fully traced. Fix (regardless): make the node budget batch-global, or cap array-column count / cumulative expanded nodes per batch.

M6 — Egress: mid-query decode errors are now failover-eligible → deterministic-corruption reconnect/replay loop + per-round eprintln!. (confirmed, nuance) reader.rs routes decode ProtocolError through failover_after_stream_failure; warn_on_protocol_error_failover logs each round (reader.rs:541). A server deterministically emitting a corrupt frame now reconnect→replay→re-corrupt until the per-Execute budget drains, with unbounded stderr, where the old path failed fast. Fix: keep deterministic decode codes terminal (or give decode-driven replays a small dedicated cap); rate-limit the log.

M7 — Within the column API, table/column names use two different shapes + validation timings. (verified) column_sender_chunk_new takes raw const char* table_name / Chunk::new(impl Into<String>) validated lazily at flush (chunk.rs:423); column_sender_flush_arrow_batch takes a validated line_sender_table_name eagerly (column_sender.h:1081). A pre-validated line_sender_table_name can't feed the chunk path, and the same bad name fails at different points. Fix: accept the validated newtypes on the chunk/column entrypoints too, or document the split loudly.

M8 — Designated-timestamp requirement diverges between publish paths. (verified) The chunk path hard-errors without a designated timestamp (encoder.rs:108); flush_arrow_batch silently server-stamps unless _at_column is used — silently ignoring a timestamp column the caller intended as designated (clock-skew / wrong partition), no error. Fix: require an explicit server-stamp opt-in on flush_arrow_batch, or document the divergence at both sites.

M9 — durable_watermarks is never pruned (conn.rs:116, populated :476). Only pending_durable_targets is pruned on sync. With request_durable_ack=on, a server emitting many distinct table names grows the map for the connection's pooled life → slow OOM. Fix: prune/cap durable_watermarks.

M10 — No test coverage for sliced / non-zero-offset Arrow arrays — the classic encoder trap. (verified by grep) No .slice( anywhere in arrow_batch.rs tests; every test builds offset-0 arrays. Sliced arrays reach this encoder via the polars path (after df.slice/filter) and FFI. The slice handling reads correct in all paths traced, but a mission-critical column-major unsafe path with zero offset-slice tests is a real gap. Fix: add encode tests over array.slice(1, n) per ColumnKind, including an offset%8 != 0 bitmap case.

---

Minor

• Encoder never calls validate_full itself (arrow_batch.rs:3205 only checks null_count ≤ len); safety is one missing call away for any future native caller of flush_arrow_batch passing an unvalidated/build_unchecked array.
• numpy NumpyDtype::validate() doesn't range-check decimal scale (numpy_wire.rs:245) despite the module doc claiming the caller validates; FFI path is covered, direct Rust callers aren't.
• numpy bulk paths use panicking out.reserve(..) while only the ndarray path uses try_reserve; mitigated upstream but inconsistent under panic=abort.
• drifted_batch not cleared on the raw↔arrow cursor API switch (egress.rs:2566) → stale parked batch replayed out of order on a supported mixed-use path.
• symbol_array assumes codes.len()==row_count unguarded (convert.rs:507) and reader.rs:1658 .expect("HaveBatch implies last_batch") → abort-on-invariant-violation under FFI; return ProtocolError instead.
• Pre-existing (not this PR): line_sender_utf8_assert/table_name_assert/column_name_assert panic! on caller input; line_sender_utf8_init does from_raw_parts(buf,len) with no NULL guard.
• Redundant double dict-rollback (encoder.rs:146/177 + sender.rs:303/354) — idempotent today, fragile if rollback ever becomes non-idempotent.
• Strict trailing-byte rejection (conn.rs:931) latches the conn on any extra bytes → breaks forward-compat with a server that appends response fields.

---

Downgraded (initially suspected, verified safe — high-signal)

• Arrow FFI is not an abort vector on release for structural malformation. The pre-from_ffi walk (lib.rs:3950-4136) closes every arrow-rs eager-deref/assert/underflow site, uses cycle-safe iterative depth/try_reserve walks, and rejects negative/over-MAX_CHUNK_ROWS length/offset. Verified against arrow-rs 58.3.0. (Residual truth: buffer byte-size/alignment lies are inherently untrustable across the C Data Interface — worth documenting.)
• Null-bitmap construction is bit-exact and in-bounds for all offset/length/slice combinations (arrow_batch.rs:639, both aligned and unaligned byte-stride branches) — the PR's headline risk, verified.
• numpy uses read_unaligned everywhere for multibyte reads; unaligned numpy buffers do not cause alignment UB.
• conn.rs parser cannot be panicked by server bytes — every try_into().unwrap() is preceded by a length check; frames capped at 256 MiB; try_reserve before resize. Flagged panic!/expect are test-only.
• In-flight/ack-slot accounting has no off-by-one; no cross-borrower commit — recycled conns are latched must_close when in_flight()>0; status 0x00 = committed.
• Ownership/free across the Arrow CDI is correct — consume-on-success, double-import rejected (release.is_none()), exported batches own refcounted buffers (no use-after-free when the cursor drops), FailoverRetry re-exports a valid release.
• ABI evolvability is sound — new error codes appended (no mid-enum insertion); ErrorCode/NumpyDtype/ArrowColumnOverride/AckLevel are #[non_exhaustive]; C++ noexcept forwarders call only non-throwing C fns. C↔Rust signature parity verified across ~40 column-sender entrypoints + the 43-value numpy-dtype enum.

---

Summary

• Verdict: request changes — driven by C1 (silent data-loss footgun on the C/C++ RAII path) and FFI hardening gaps M1/M2/M3. The core unsafe machinery (Arrow validation, null-bitmap, wire encoders, pool accounting) is verified sound on the release profile; this is a high-quality PR.
• Findings: 1 Critical, 10 Moderate, ~8 Minor; ~8 suspected issues verified-safe and downgraded.
• Most actionable: (1) decide C1 (Drop-sync or loud warning + docs); (2) fix M1 (symbol_mode → u32) and M3 (negative FixedSizeList) — small, clearly correct; (3) thread a length into the numpy ABI (M2); (4) add sliced-array encoder tests (M10).
• Not deeply covered (time-boxed): the Python system-test fuzzers, C/C++ doctests, CMake/CI wiring, benches, and doc/*.md specs — recommend a focused pass on system_test/arrow_*_fuzz.py and cpp_test/test_arrow_* before merge for CI-parity assurance.