458: feat: Support (De)Serialization for different representations of Nullable Unions

[martin-augment]

458: To review by AI

[gemini-code-assist]

Summary of Changes

Hello @martin-augment, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly improves the Avro Serde library's capability to handle nullable union types. It addresses the complexities of mapping Rust's Option type and various enum representations to Avro's union schema, ensuring accurate serialization and deserialization. The changes introduce internal state management to correctly interpret union variants, especially when null is a possible type, and are backed by a thorough suite of new tests.

Highlights

• Enhanced Nullable Union Handling: Introduced deserializing_some and serializing_some flags in the deserializer and serializer respectively, to correctly manage the context of Option::Some values within Avro union types.
• Deserialization Improvements: Extended Value::Union handling in deserialize_bytes, deserialize_byte_buf, deserialize_option, deserialize_map, and deserialize_enum to support various representations of nullable unions, including nested unions and maps/records within unions.
• Serialization Improvements: Updated serialize_unit_variant, serialize_newtype_variant, serialize_tuple_variant, and serialize_struct_variant to correctly determine the branch index for union schemas when serializing_some is active, ensuring proper serialization of Option::Some values.
• Comprehensive Test Coverage: Added a new test file with extensive test cases covering serialization and deserialization of nullable unions for enums, primitive integers, and records, using different Rust representations like Option<T>, custom enums, and untagged enums.

Changelog

• avro/src/serde/de.rs
  • Added deserializing_some field to Deserializer struct.
  • Added new_deserializing_some constructor to Deserializer.
  • Extended deserialize_bytes and deserialize_byte_buf to handle Value::Union.
  • Modified deserialize_option to use new_deserializing_some for Value::Union.
  • Updated deserialize_map to support Value::Union containing map, record, or null.
  • Adjusted deserialize_enum logic for Value::Union to account for deserializing_some state.
• avro/src/serde/ser_schema.rs
  • Added serializing_some field to SchemaAwareWriteSerializer struct.
  • Added new_serializing_some constructor to SchemaAwareWriteSerializer.
  • Modified serialize_unit_variant, serialize_newtype_variant, serialize_tuple_variant, and serialize_struct_variant to correctly handle Schema::Union when serializing_some is true, including logic for non-newtype enums.
• avro/tests/nullable_union.rs
  • Added new test file.
  • Implemented comprehensive test cases for serializing and deserializing nullable unions with various types (enum, int, record).
  • Included tests for different Rust representations: Option<T>, enum MyUnionNullable { Null, T(T) }, enum MyUnionAvroJsonEncoding { T(T) }, and #[serde(untagged)] enum MyUnionUntagged { T(T) }.

Activity

• The pull request was created by martin-augment.
• The pull request description indicates it is ready for AI review.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[coderabbitai]

Walkthrough

This pull request implements nullable union support in Apache Avro's Serde implementation. The Deserializer gains an internal flag and constructor to track "some"-deserialization context, with enhanced union handling across multiple deserialize methods. Similarly, SchemaAwareWriteSerializer receives a matching internal flag and constructor for "some"-serialization context, with corresponding union and variant handling updates. A comprehensive test suite is added covering nullable unions with enums, primitives, records, and composite types, including Avro JSON encoding compatibility. The changes total approximately 1,127 lines across deserialization, serialization schema handling, and tests.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch pr-458-2026-02-10-13-48-41

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[claude]

PR Review: Support (De)Serialization for Different Representations of Nullable Unions

Summary

This PR adds support for multiple Rust representations of Avro nullable unions (unions with null as the first variant), enabling serialization/deserialization of:

1. Rusty style: Option<T>
2. Explicit enum: Custom enums with explicit Null variant
3. Avro JSON encoding compatible: Enums matching the union structure

Code Quality: ⭐⭐⭐⭐ (4/5)

Strengths

1. Clean design pattern: The deserializing_some/serializing_some flags elegantly track when processing an Option::Some, allowing the code to adjust variant indices appropriately.

2. Comprehensive test coverage: The test file (nullable_union.rs) is exemplary with 982 lines covering multiple scenarios:

   • Nullable enums, primitives, records, and complex unions
   • All three representation styles
   • Both serialization and deserialization paths

3. Consistent implementation: The pattern is applied systematically across all relevant serialization methods (unit_variant, newtype_variant, tuple_variant, struct_variant).

4. Good error handling: Added validation for nested unions and variant index bounds with clear error messages.

Potential Issues & Concerns

1. Index Calculation Logic (Medium Priority)

In avro/src/serde/de.rs:862:

let variant_idx = *idx as usize - usize::from(self.deserializing_some);

And avro/src/serde/ser_schema.rs:1500:

let branch_index = variant_index as usize + usize::from(self.serializing_some);

Concern: The asymmetry is correct (deserialize subtracts, serialize adds), but this is subtle and error-prone. Consider:

• Adding inline comments explaining why one subtracts and one adds
• The deserialization subtraction could underflow if idx is 0 and deserializing_some is true (though this shouldn't happen with valid data)

Recommendation: Add bounds checking before the subtraction or document why underflow is impossible.

2. Special Case Enum Handling (Low Priority)

In avro/src/serde/de.rs:855-859:

if self.deserializing_some
    && let Value::Enum(_index, field) = inner.deref()
    && variants.contains(&&**field)
{
    return visitor.visit_enum(EnumUnitDeserializer::new(field));
}

Concern: This special-case handling for non-newtype enums within Some uses let-chains (let bindings in if conditions) which requires Rust edition 2021. Ensure this is compatible with your MSRV.

Question: Is there a specific reason why enums need special handling compared to other types when deserializing Some?

3. Duplicated Union Handling Pattern

The pattern for handling Value::Union is duplicated across multiple deserialize methods (deserialize_bytes, deserialize_byte_buf, deserialize_seq, deserialize_map, deserialize_struct). Each follows:

Value::Union(i, x) => {
    if matches!(x.deref(), Value::Union(_, _)) {
        Err(/* nested union error */)
    } else {
        Self::new(x.deref()).deserialize_X(visitor).map_err(/* ... */)
    }
}

Recommendation: Consider extracting this into a helper method to reduce code duplication:

fn unwrap_union_for_deserialize<V, F>(&self, i: u32, inner: &Value, f: F) -> Result<V, Error>
where F: FnOnce(Deserializer) -> Result<V, Error>

4. Missing Bounds Check Edge Case (Low Priority)

In serialization methods, the bounds check happens after calculating branch_index:

let branch_index = variant_index as usize + usize::from(self.serializing_some);
if branch_index >= union_schema.schemas.len() {
    return Err(...)
}

While correct, if variant_index is very large, the addition could theoretically overflow (though unlikely in practice with typical variant counts).

Performance Considerations

Positive: The implementation has minimal performance overhead:

• The boolean flags are simple boolean checks
• No additional allocations or complex computations
• Index arithmetic is O(1)

Neutral: The enum schema iteration in ser_schema.rs:1483-1498 could be O(n) with respect to union variants, but this only happens when serializing enums within Some, which should be rare.

Security Concerns

✅ No major security issues identified

• Proper bounds checking on variant indices
• Explicit rejection of nested unions (which could cause issues)
• No unsafe code introduced

Minor concern: Error messages include debug output of values (e.g., {x:?}), which could potentially expose sensitive data in logs. Consider if this is acceptable for your use case.

Best Practices & Style

Good:

• Follows existing code conventions
• Clear variable naming (deserializing_some, branch_index)
• Comprehensive error messages

Could improve:

• Some methods have grown quite long (e.g., serialize_unit_variant_with_schema). Consider breaking them up.
• The test file is excellent but could benefit from module-level documentation explaining the three representation styles.

Documentation

Missing:

• No documentation comments explaining the new deserializing_some/serializing_some fields
• No updates to public documentation explaining the supported union representations
• The ignored test at line 1283 (deserialize_rusty_untagged_my_record_b_27) should have a comment explaining why it's ignored and what needs to be fixed

Recommendation: Add rustdoc comments:

/// Tracks whether we're currently deserializing an `Option::Some` variant.
/// When true, variant indices are adjusted to account for the implicit `null` 
/// first variant in the Avro union schema.
deserializing_some: bool,

Test Coverage: ⭐⭐⭐⭐⭐ (5/5)

The test coverage is exemplary:

• Tests all representation styles
• Tests both serialization and deserialization
• Tests multiple union types (enum, primitive, record, complex)
• Tests edge cases (untagged enums, multiple variants)

One ignored test suggests there's a known limitation with untagged enums that deserialize to the wrong variant (the "pitfall" module). This is acceptable if documented.

Final Recommendations

1. Before merging:

   • Add documentation comments for the new fields
   • Add inline comments explaining the index arithmetic
   • Document why the test at line 1283 is ignored
   • Consider adding a bounds check before the subtraction in deserialization

2. Consider for follow-up:

   • Refactor duplicated union-handling code
   • Add integration examples to documentation showing the three representation styles
   • Investigate if the ignored test case can be supported

Verdict: ✅ Approve with Minor Revisions

This is a well-implemented feature with excellent test coverage. The core logic is sound, but would benefit from additional documentation and minor code improvements. The ignored test should be documented or fixed.

---

Review generated with assistance from Claude Code

[gemini-code-assist]

Code Review

This pull request enhances support for serializing and deserializing nullable unions in various representations, introducing a state flag (deserializing_some/serializing_some) to correctly handle Option<T> types and adjusting variant indices. However, a critical security vulnerability exists: the implementation assumes the null variant is always the first element in an Avro union. This hardcoded assumption can lead to a Denial of Service (panic) during deserialization and data integrity issues during serialization when schemas do not conform, specifically causing a guaranteed panic in debug builds for certain valid Avro schemas. Furthermore, while the overall implementation is solid, there are minor opportunities to improve error messages for better debugging clarity.

[gemini-code-assist]

The code performs an unchecked subtraction *idx as usize - usize::from(self.deserializing_some) on line 862. When self.deserializing_some is true (which happens when deserializing an Option<T> where the value is not null) and the Avro union index *idx is 0, this will cause a panic due to integer underflow in debug builds. In release builds, it will wrap to usize::MAX, which will then fail the bounds check on line 863 and return an error.

This occurs when the Avro schema for a nullable union has the non-null variant at index 0 (e.g., ["int", "null"]), which is perfectly valid according to the Avro specification. An attacker providing a crafted Avro file with such a schema can cause a Denial of Service (DoS) by crashing the application (in debug mode) or causing unexpected deserialization failures.

Furthermore, the logic hardcodes the assumption that null is always the first variant in a nullable union. If null is at a different position (e.g., index 1 in ["int", "null", "string"]), the subtraction will result in the wrong variant being selected, leading to data corruption.

[martin-augment]

value:useful; category:bug; feedback: The Gemini AI reviewer is correct! The calculation of the branch_index may lead to usize underflow when the null variant is not the first in the union. The Avro specification recommends listing the null first, but it allows to use it in a non-first position too. Prevents an application crash at production due to invalid variant index. The calculation should be done with checked operations and an Err should be returned instead with recommendation to put the null at the first position.

[gemini-code-assist]

The serialization logic hardcodes the assumption that the null variant is always the first branch in a nullable union by adding usize::from(self.serializing_some) to the variant index (e.g., on line 1500). If the Avro schema has null at a different position or if the union does not contain null at all, this will result in serializing the wrong variant or an out-of-bounds error. This can lead to data corruption when serializing enums wrapped in Option if the schema does not follow the expected ["null", ...] pattern.

[martin-augment]

value:useful; category:bug; feedback: The Gemini AI reviewer is correct! The calculation of the branch_index may lead to usize underflow when the null variant is not the first in the union. The Avro specification recommends listing the null first, but it allows to use it in a non-first position too. Prevents an application crash at production due to invalid variant index. The calculation should be done with checked operations and an Err should be returned instead with recommendation to put the null at the first position.

[gemini-code-assist]

The error message here seems to be a copy-paste from deserialize_bytes. It says "as bytes", but this is inside deserialize_byte_buf. This could be confusing when debugging. It should probably be updated to "as byte_buf".

Suggested change

	.map_err(|e| {
	de::Error::custom(format!(
	"Attempted to deserialize Value::Union({i}, {x:?}) as bytes: {e:?}"
	))
	})
	.map_err(|e| {
	de::Error::custom(format!(
	"Attempted to deserialize Value::Union({i}, {x:?}) as byte_buf: {e:?}"
	))
	})

[gemini-code-assist]

In serialize_newtype_variant_with_schema, the error message for an out-of-bounds index uses variant_index, but the check is performed on branch_index. This can be misleading when serializing_some is true, as branch_index would be variant_index + 1. The error message should use branch_index to be accurate. Using "Branch index" instead of "Variant index" in the message would also improve clarity.

Suggested change

	if branch_index >= union_schema.schemas.len() {
	return Err(create_error(format!(
	"Variant index out of bounds: {}. The union schema has '{}' schemas",
	variant_index,
	union_schema.schemas.len()
	)));
	}
	if branch_index >= union_schema.schemas.len() {
	return Err(create_error(format!(
	"Branch index out of bounds: {}. The union schema has '{}' schemas",
	branch_index,
	union_schema.schemas.len()
	)));
	}

[gemini-code-assist]

In serialize_tuple_variant_with_schema, the error message for an out-of-bounds index uses variant_index, but the check is performed on branch_index. This can be misleading when serializing_some is true, as branch_index would be variant_index + 1. The error message should use branch_index to be accurate. Using "Branch index" instead of "Variant index" in the message would also improve clarity.

Suggested change

	if branch_index >= union_schema.schemas.len() {
	return Err(create_error(format!(
	"Variant index out of bounds: {}. The union schema has '{}' schemas",
	variant_index,
	union_schema.schemas.len()
	)));
	}
	if branch_index >= union_schema.schemas.len() {
	return Err(create_error(format!(
	"Branch index out of bounds: {}. The union schema has '{}' schemas",
	branch_index,
	union_schema.schemas.len()
	)));
	}

[gemini-code-assist]

In serialize_struct_variant_with_schema, the error message for an out-of-bounds index uses variant_index, but the check is performed on branch_index. This can be misleading when serializing_some is true, as branch_index would be variant_index + 1. The error message should use branch_index to be accurate. Using "Branch index" instead of "Variant index" in the message would also improve clarity.

Suggested change

	if branch_index >= union_schema.schemas.len() {
	return Err(create_error(format!(
	"Variant index out of bounds: {}. The union schema has '{}' schemas",
	variant_index,
	union_schema.schemas.len()
	)));
	}
	if branch_index >= union_schema.schemas.len() {
	return Err(create_error(format!(
	"Branch index out of bounds: {}. The union schema has '{}' schemas",
	branch_index,
	union_schema.schemas.len()
	)));
	}

[augmentcode]

🤖 Augment PR Summary

Summary: Extends serde (de)serialization to better handle nullable Avro unions represented in different Rust/Serde shapes.

Changes:

• Adds `deserializing_some` to the value deserializer to distinguish `Option::Some` context when the input is a `Value::Union`.
• Adds `serializing_some` to the schema-aware serializer and uses it during `serialize_some` to adjust how union branch indices are written.
• Improves `Value::Union` handling for bytes/byte-buf, maps/records, and enum deserialization to support “nullable union” patterns.
• Adjusts enum-variant serialization into `Schema::Union` to account for nullable unions and unit-enum cases.
• Adds an extensive new test suite covering nullable unions over primitives, enums, and records (including untagged cases).

Technical Notes: The new logic relies on shifting union indices in Option::Some flows (notably assuming null is the first branch in nullable unions).

_{🤖 Was this summary useful? React with 👍 or 👎}

[augmentcode]

Review completed. 2 suggestions posted.

Comment augment review to trigger a new review at any time.

[augmentcode]

let variant_idx = *idx as usize - usize::from(self.deserializing_some); can underflow when deserializing_some is true and idx == 0 (e.g., nullable unions where null isn’t the first branch), which can panic in debug or produce a wrapped index in release. Consider guarding this case and returning a clear error instead of subtracting unconditionally.

Severity: high

_{🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.}

[martin-augment]

value:useful; category:bug; feedback: The Augment AI reviewer is correct! The calculation of the branch_index may lead to usize underflow when the null variant is not the first in the union. The Avro specification recommends listing the null first, but it allows to use it in a non-first position too. Prevents an application crash at production due to invalid variant index. The calculation should be done with checked operations and an Err should be returned instead with recommendation to put the null at the first position.

[augmentcode]

In the serializing_some path, the union scan only matches Schema::Enum, so unions that reference the enum via Schema::Ref (e.g. ["null", "MyEnum"]) will fall through and then error via serialize_unit_struct_with_schema (since it doesn’t support Enum). Consider resolving Schema::Ref variants while scanning so Option<MyEnum> can serialize against referenced-enum union branches.

Severity: high

_{🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.}

[martin-augment]

value:useful; category:bug; feedback: The Augment AI reviewer is correct! The new logic should add a support for Schema::Ref too because the reference may point to a Schema::Enum. Prevents an error while resolving the variant if it is a reference to an enum schema

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

avro/src/serde/de.rs (1)

852-873: ⚠️ Potential issue | 🟠 Major

Arithmetic underflow risk when idx == 0 and deserializing_some == true.

Line 862: *idx as usize - usize::from(self.deserializing_some) will panic in debug mode (or wrap to usize::MAX in release) when idx is 0. The comment says "Assume null is the first branch" — but this assumption isn't enforced. A union like ["int", "null"] or malformed data with Value::Union(0, non_null_value) will trigger this.

Use checked_sub or an explicit guard:

🐛 Proposed fix

-                let variant_idx = *idx as usize - usize::from(self.deserializing_some);
-                if (variant_idx) < variants.len() {
+                let Some(variant_idx) = (*idx as usize).checked_sub(usize::from(self.deserializing_some)) else {
+                    return Err(de::Error::custom(format!(
+                        "Union variant index {idx} is too small to be a non-null branch when deserializing Some"
+                    )));
+                };
+                if variant_idx < variants.len() {

🧹 Nitpick comments (3)

avro/src/serde/de.rs (1)

85-90: Consider restricting visibility of new_deserializing_some.

This constructor is pub but it exposes an internal implementation detail (the "Some" deserialization context). External callers could misuse it by constructing a deserializing_some=true deserializer on arbitrary values, triggering the underflow issue above. Consider pub(crate) unless there's a reason for full public visibility.

avro/src/serde/ser_schema.rs (1)

637-650: Same visibility concern as the deserializer: consider pub(crate) for new_serializing_some.

This constructor exposes the internal serializing_some flag. Like its deserializer counterpart new_deserializing_some, consider restricting visibility to pub(crate) unless public use is intended.

avro/tests/nullable_union.rs (1)

973-981: Add a comment explaining why this test is #[ignore]d.

This is a known serde limitation: with #[serde(untagged)], serde tries variants in declaration order and MyRecordA always matches first because both records have identical shapes ({ a: i32 }). A short comment would save future readers from investigating.

💡 Suggested doc comment

     #[test]
-    #[ignore]
+    #[ignore] // serde's untagged deserialization tries variants in order;
+    // MyRecordA always matches first since both records have the same shape { a: i32 }
     fn deserialize_rusty_untagged_my_record_b_27() -> AvroResult<()> {

[martin-augment]

1. Index Calculation Logic (Medium Priority)

In avro/src/serde/de.rs:862:

let variant_idx = *idx as usize - usize::from(self.deserializing_some);

And avro/src/serde/ser_schema.rs:1500:

let branch_index = variant_index as usize + usize::from(self.serializing_some);

Concern: The asymmetry is correct (deserialize subtracts, serialize adds), but this is subtle and error-prone. Consider:

• Adding inline comments explaining why one subtracts and one adds
• The deserialization subtraction could underflow if idx is 0 and deserializing_some is true (though this shouldn't happen with valid data)

Recommendation: Add bounds checking before the subtraction or document why underflow is impossible.

value:useful; category:bug; feedback: The Claude AI reviewer is correct! The calculation of the branch_index may lead to usize underflow when the null variant is not the first in the union. The Avro specification recommends listing the null first, but it allows to use it in a non-first position too. Prevents an application crash at production due to invalid variant index. The calculation should be done with checked operations and an Err should be returned instead with recommendation to put the null at the first position.

[martin-augment]

2. Special Case Enum Handling (Low Priority)

In avro/src/serde/de.rs:855-859:

if self.deserializing_some
    && let Value::Enum(_index, field) = inner.deref()
    && variants.contains(&&**field)
{
    return visitor.visit_enum(EnumUnitDeserializer::new(field));
}

Concern: This special-case handling for non-newtype enums within Some uses let-chains (let bindings in if conditions) which requires Rust edition 2021. Ensure this is compatible with your MSRV.

value:annoying; category:bug; feedback: The Claude AI reviewer is not correct! As can be seen in the root Cargo.toml the project uses Rust edition 2024, so it is OK to use let-chains.

[martin-augment]

3. Duplicated Union Handling Pattern

The pattern for handling Value::Union is duplicated across multiple deserialize methods (deserialize_bytes, deserialize_byte_buf, deserialize_seq, deserialize_map, deserialize_struct). Each follows:

Value::Union(i, x) => {
    if matches!(x.deref(), Value::Union(_, _)) {
        Err(/* nested union error */)
    } else {
        Self::new(x.deref()).deserialize_X(visitor).map_err(/* ... */)
    }
}

value:good-to-have; category:bug; feedback: The Claude AI reviewer is correct! There is some code duplication that would be good to be extracted to a helper function and reused. Prevents higher maintenance cost and bigger chance of regressions if a bug is fixed at only one place but not in the duplicated code.

[martin-augment]

4. Missing Bounds Check Edge Case (Low Priority)

In serialization methods, the bounds check happens after calculating branch_index:

let branch_index = variant_index as usize + usize::from(self.serializing_some);
if branch_index >= union_schema.schemas.len() {
    return Err(...)
}

While correct, if variant_index is very large, the addition could theoretically overflow (though unlikely in practice with typical variant counts).

value:useful; category:bug; feedback: The Claude AI reviewer is correct! The calculation of the branch_index may lead to usize underflow when the null variant is not the first in the union. The Avro specification recommends listing the null first, but it allows to use it in a non-first position too. Prevents an application crash at production due to invalid variant index. The calculation should be done with checked operations and an Err should be returned instead with recommendation to put the null at the first position.

[martin-augment]

852-873: ⚠️ Potential issue | 🟠 Major

Arithmetic underflow risk when idx == 0 and deserializing_some == true.

Line 862: *idx as usize - usize::from(self.deserializing_some) will panic in debug mode (or wrap to usize::MAX in release) when idx is 0. The comment says "Assume null is the first branch" — but this assumption isn't enforced. A union like ["int", "null"] or malformed data with Value::Union(0, non_null_value) will trigger this.

value:useful; category:bug; feedback: The CodeRabbit AI reviewer is correct! The calculation of the branch_index may lead to usize underflow when the null variant is not the first in the union. The Avro specification recommends listing the null first, but it allows to use it in a non-first position too. Prevents an application crash at production due to invalid variant index. The calculation should be done with checked operations and an Err should be returned instead with recommendation to put the null at the first position.

[martin-augment]

85-90: Consider restricting visibility of new_deserializing_some.

This constructor is pub but it exposes an internal implementation detail (the "Some" deserialization context). External callers could misuse it by constructing a deserializing_some=true deserializer on arbitrary values, triggering the underflow issue above. Consider pub(crate) unless there's a reason for full public visibility.

value:good-to-have; category:bug; feedback: The CodeRabbit AI reviewer is correct! The visibility of the new methods should be as minimal (private) as possible. Once released as public API it would be much harder to modify/improve/remove it later. Prevents exposing internal implementation to the public API for no good reason.