RAII chapter for idiomatic rust

[GlenDC]

This PR adds the RAII chapter for the idiomatic Rust deep dive.

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[gribozavr]

Suggested change

	Rust applies RAII automatically for memory management. The `Drop` trait lets you
	Rust uses RAII for managing heap memory. The `Drop` trait lets you

[GlenDC]

Thank you. I admire your skill to find the most precise language a lot. It's clear I'll learn a lot from you on this project.

[gribozavr]

"mutex" for the variable name? I don't find abbreviations like "mux" idiomatic.

[gribozavr]

What's the expectation for the instructor - just talk through this or open the docs browser and show the APIs? I think we could use 1-2 slides that demonstrate just the relevant snippets of the Mutex and MutexGuard API.

[gribozavr]

I feel like Mutex might be too complex for a first contact with RAII.

Furthermore, don't assume the audience has mastered Drop as a part of the foundations class, it is more of a whirlwind tour. It also could have been weeks since they took the foundations class.

Here's my suggestion. How about we do two examples.

First, a custom File type that wraps a file descriptor. A file descriptor is a classic OS-level resource. We could show how to implement a simple read-only file type a with a minimal API: open() and read() to read a single byte. Then show how to implement Drop. Discuss when the drop() function runs, and how it isn't run when values are moved (contrast with C++ where the destructor always runs at the end of the scope, even for moved-from values). Show the forget() function, discuss its signature and what it means.

In other words, use this simple File type as an opportunity to do a 5-minute refresher on drop and move semantics. I see you're already doing it with instructor notes like "for a composite type such as a struct, all its fields will be dropped" and by mentioning the std::mem::drop() function. Let's lean more into it and make sure that during this discussion we have an example of a drop implementation on the screen.

Then we move on to Mutex. There we would focus on explaining the idea that for a mutex the "resource" is more abstract. In case of a mutex, the resource is exclusive access to the wrapped value. Thus, we need a second type - a MutexGuard - to represent that.

The mutex example is perfect to facilitate the drop x panic discussion. Maybe draft an extra slide that shows what happens by default with a naive drop implementation (the drop simply runs, no special code is needed for that), and then discuss why panics poison the mutex in Rust (there is a good chance that the code was mutating the shared data, so its invariants might be broken).

[GlenDC]

I like this flow a lot. Seems I can do more slides than I thought. Would you still keep the slide about scopeguard at the end?

[gribozavr]

Yes, absolutely, it should be a part of the explanation of how Mutex uses RAII.

[gribozavr]

I don't understand this point. One would apply a timeout in the same way as usual. Where we have a limitation is that drop() can't communicate with the caller: it can neither receive an argument (e.g., a timeout value) or communicate back that the timeout happened (the whole discussion about failures in drop). But certainly drop() is free to call a low-level I/O function with a timeout value - hence I'm confused about what this paragraph is trying to communicate.

The only limitation of drop I can think of that can make I/O difficult is that drop is not async. There's the unstable AsyncDrop for that.

[GlenDC]

I meant that as a user of the API you have no control over it.

As in:

• when you can Foo::close you can wrap around that logic however you want. Not just error handling, but also impose a timeout, retries, etc...
• that is not something you can do "as the user of the API" for something that happens invisible in the background by the creator of the API in Drop.

[gribozavr]

I see what you mean. I'd suggest to first say that drop is special because it terminates the object lifetime, so it is inherently a "one-shot" API. That has consequences: things like caller-driven timeouts or retries simply don't make sense - there's no object anymore after the first call. (Emphasizing caller-driven is important)

This equally applies to all APIs that consume the object by value.

The fact that drop is usually called implicitly though is not important here. For one, we can call it explicitly (std::mem::drop()); but if that wasn't available, we could have wrapped the object with drop in an Option, and then trigger drop by assigning None.

[gribozavr]

Note that the chapter does not discuss poisoned mutexes at the moment (I'm requesting that to be added in my comments above).

[GlenDC]

Yes I read that and I agree. This will be reworked with that in mind.

[gribozavr]

For the members of the audience familiar with C++, consider mentioning that in C++ a private destructor is used to achieve a similar effect. So if your C++ API design intuition tells you to make the destructor not accessible to the user, use this pattern in Rust.

[GlenDC]

Sure thing, C++ was my first primary language for many years. Wasn't always certain exactly about what languages I should refer and which not.

[gribozavr]

From an internal (sorry!) design doc for this class:

Target audience

Engineers with at least 2-3 years of coding experience in C, C++11 or newer, Java 7 or newer, Python 2 or 3, Go or any other similar imperative programming language. We have no expectation of experience with more modern or feature-rich languages like Swift, Kotlin, C#, or TypeScript.

[gribozavr]

Consider making the example a bit more realistic: set it up as if we are downloading a file through HTTP, and if the connection gets interrupted, we don't want to leave behind an incomplete file. I'm not asking to add/change code, only to update comments, and names of functions and variables.

[gribozavr]

I think this should be put right after let mut file, in order to:

• emphasize that file and cleanup go together,

• to ensure that file gets deleted even if we have a problem in writeln!().unwrap().

[randomPoison]

Looks pretty good, there's lots of good stuff in this chapter 😁 I've got various feedback below, but it's definitely off to a good start!

[randomPoison]

Suggested change

	This unwind behavior can be overridden to instead
	[abort on panic](https://github.com/rust-lang/rust/blob/master/library/panic_abort/src/lib.rs).
	This unwind behavior can be overridden to instead
	[abort on panic](https://github.com/rust-lang/rust/blob/master/library/panic_abort/src/lib.rs),
	in which case no destructors will run.

I think it'd be good to call out that Drop won't run on abort.

[randomPoison]

I think this whole point can be pulled out into its own slide. Talking about when Drop runs and when it doesn't is worth covering directly. I think you'd also want to talk about forget on that slide, and maybe briefly note that leaking destructors is not unsafe (unless you plan to cover them elsewhere).

[randomPoison]

This seems unnecessary. I don't think we need to redirect students to a book about concurrency, that's pretty tangential to RAII and we're already talking about Mutex in the slides.

[randomPoison]

I think this slide should also mention that drop bombs are useful in cases where the finalizing operation (e.g. commit and rollback in the slide's example) needs to return some kind of output, which means it can't be handled normally in Drop (realistically, commit and rollback would want to return Results to indicate if they succeeded or not). This is one of the limitations of Drop mentioned on the previous slide, so it'd be worth noting that this pattern is a common way to work around that limitation.

[randomPoison]

This seems like a weird example to me. I've worked with C libraries that have custom allocation and deallocation functions, and in those cases the straightforward solution was to create a custom Box-like smart pointer and do the deallocation in Drop.

I don't think we need to mention FFI at all here, I think the decision of whether or not to use a drop bomb has more to do with whether or not there's a reasonable way to cleanup in Drop or if the finalizing operation needs to return anything (see also my comment on the file). That situation may come up in FFI, but it's not the FFI specifically that makes a drop bomb necessary.

[randomPoison]

I don't think this needs to be mentioned. Unless we're diving into scopeguard's sources and discussing how and why to use ManuallyDrop, I don't think this is worth diving into.

[randomPoison]

Suggested change

	- [`ManuallyDrop`](https://doc.rust-lang.org/std/mem/struct.ManuallyDrop.html):
	A zero-cost wrapper that disables the automatic drop behavior of a value,
	making manual cleanup required and explicit.
	- [`ManuallyDrop`](https://doc.rust-lang.org/std/mem/struct.ManuallyDrop.html):
	A zero-cost wrapper that disables the automatic drop behavior of a value,
	making manual cleanup required and explicit. This requires unsafe code to use,
	though, so it's recommended to only use this if strictly necessary.

I think mentioning ManuallyDrop is fine since it's relevant, but we should be clear to students that it's not the first tool to reach for.

[randomPoison]

I think we should provide an example of this. I find that it's a common pattern when doing complex logic in Drop. This might even be worth pulling out into its own slide.

[randomPoison]

Suggested change

	let cleanup = guard(path, |path| {
	// Errors must be handled inside the guard,
	// but cannot be propagated.
	let _ = fs::remove_file(path);
	});
	let cleanup = guard(path, |path| {
	println!("Operation failed, deleting file: {:?}", path);
	// Errors must be handled inside the guard,
	// but cannot be propagated.
	let _ = fs::remove_file(path);
	});

I think adding a println! here would make this easier to demonstrate in class. Right now it's hard to observe when the cleanup happens because the only observable effect is removing the file, which we can't really show directly in class. With the println! we can more directly see when the cleanup does and doesn't happen.

[randomPoison]

Maybe move this point to the top, since it most directly explains what this example is doing and why. You may want to reword/reorganize this to merge it with the current first bullet point.

[djmitche]

This is probably better described as a "segment" rather than a "chapter". However, these interlinks have been hard to keep updated in the past -- it may be better to just say "from the Fundamentals course".

[djmitche]

It's probably only necessary to include one "callback" to Fundamentals -- the important point is to that this slide is a quick review of previous content, and if students need a deeper refresher they can find that content in the Fundamentals course.

That said, these speaker notes are pretty long! Is it possible to trim this down to just call out the bits necessary for the RAII patterns introduced here, leaving the rest to the students' memory of Fundamentals?

[djmitche]

The stack doesn't unwind things -- the stack is unwound in handling a panic or normal function return.

[djmitche]

It's worth noting that a very common reason you can't drop the thing is that the deallocation method is async and there's no async drop. Database transactions are an excellent example of this, in fact -- it's typically not possible to just rollback a transaction in drop().