Overhaul the API

[bugaevc]

Overhaul the API as requested in #33. In particular,

• Remove MmapView and MmapViewSync types
• Define two types - Mmap and MmapMut for readable and readable/writable mappings respectively. They implement Deref<Target = [u8]>/DerefMut as appropriate.
  • Mmap has no flush methods.
  • Alongside "raw" set_protection(), provide make_mut() and make_read_only() to safely convert between Mmap and MmapMut.
• Get rid of multiple open, open_path, anonymous_with_options, ... methods. Instead, provide two OpenOptions-style builders, one for file-backed and one for anonymous mappings.
  • Remove support for opening files by their path. Always use std::fs::File.
  • On Unix, memmap::file() is unsafe. This seems to be the best approach, although it is always safe to use it with ReadCopy.
  • To improve ergonomics, automatically pick a suitable Protection unless specified explicitly.
    • This makes it ergonomic enough so there's no need for additional convenience constructors.
• Convert the tests and the cat example to use the new API.
  • use super as memmap doesn't seem to work, rustc says that super is not found because it's the root module, WTF? Yet, use super::* works. Check out the workaround I came up with.

[bugaevc]

The build is failing on Windows because of unnecessary unsafes (should I just #[allow] them?) and on Rust 1.8 because I used newer features such as the ? operator.

[jonas-schievink]

What happens if I create a MmapMut and call set_protection(Protection::Read)? Will a write just segfault?

[bugaevc]

What happens if I create a MmapMut and call set_protection(Protection::Read)? Will a write just segfault?

No, set_protection() will return Err appropriately.

An alternative approach would be to split Protection into separate enums for mutable and immutable options. That would allow for things like this to be enforced statically, but it seems to make APIs less ergonomic.

[jonas-schievink]

Ah, no, that's fine. I didn't see it in the diff because it wasn't getting rendered.

[danburkert]

Hey @bugaevc, thanks for putting in the time to do this. I left some detailed nits, but I want to reiterate on a couple of higher level points:

• I'd prefer if we kept the normal user facing API completely the same for Windows and Unix, even if that means overshooting with marking things unsafe on Windows. Having a consistent cross-platform API has always been the goal of this crate. We are planning on introducing platform-specific extension traits in the future, but that will be for exposing functionality that fundamentally isn't supported across platforms.

• I think this would be easier to review if you split out the removal of the view APIs into a separate commit.

• We probably need to think about what to do about Protections. I think it's pretty clear that they aren't the right abstraction given the split in Mmap and MmapMut. Anyone have thoughts for a better way forward?

CC #33, @sfackler, @BurntSushi, I'd appreciate you alls thoughts if you have any

[danburkert]

Hey @bugaevc, thanks for putting in the time to do this. I left some detailed nits, but I want to reiterate on a couple of higher level points:

• I'd prefer if we kept the normal user facing API completely the same for Windows and Unix, even if that means overshooting with marking things unsafe on Windows. Having a consistent cross-platform API has always been the goal of this crate. We are planning on introducing platform-specific extension traits in the future, but that will be for exposing functionality that fundamentally isn't supported across platforms.

• I think this would be easier to review if you split out the removal of the view APIs into a separate commit.

• We probably need to think about what to do about Protections. I think it's pretty clear that they aren't the right abstraction given the split in Mmap and MmapMut. Anyone have thoughts for a better way forward?

CC #33, @sfackler, @BurntSushi, I'd appreciate you alls thoughts if you have any

[danburkert]

I think AnonymousMmapOptions is a better name for this, so it lines up with the type it's building.

[danburkert]

typo: method

[danburkert]

Does this constructor actually make sense? What's the usecase for creating a read-only anonymous memory map?

[bugaevc]

Yeah, I thought about this too, but decided to leave it here for consistency. I should however document that this is not what you want most of the time.

[danburkert]

I think we should go ahead and remove it unless there's a compelling reason to keep it at this point. We can always add it back later if a case can be made.

[danburkert]

I would strongly prefer if this API were the same across all platforms, even if that means marking it unsafe on Windows.

[bugaevc]

Okay.

[danburkert]

This has never really been clear to me. The Linux mmap manpage says:

It is unspecified whether changes made to the file after the mmap() call are visible in the mapped region.

That doesn't seem like it will play well with Rust's safety semantics.

[bugaevc]

Ah, right. I'll change the message to say it's unsafe even with cow.

[danburkert]

So this is just for switching from ReadWrite to ReadCopy and vice versa? That seems kinda strange - we should probably document what that even means. I'm surprised the OS allows it.

[danburkert]

Perhaps this could be make_read_only, and make_read_execute? Are there any other valid outcomes from this?

[danburkert]

Is it not possible to do a use super::*; here without the extra mod? I've never seen anything like this.

[bugaevc]

It is, I just wanted the tests code to say memmap::file instead of just file, etc. As I said above, use super as memmap doesn't work, this is either a bug or me misunderstanding how the module system works.

[danburkert]

Bad rebase?

[bugaevc]

No, actually, this method isn't used anymore, because we require for the file to be opened in advance.

[danburkert]

ah, I see

[danburkert]

Does ReadCopy even make sense for an Anonymous mapping? I'm having a hard time reasoning through some of these semantics.

[bugaevc]

No, not really; again, it's here for consistency. Do you think we should work out what combinations are actually useful and only allow those?

[danburkert]

Yah, I think eventually we should, but we can punt for now and do it in a follow-up commit.

[bugaevc]

We could get rid of protection in public API entirely, instead exposing a bunch of methods: {map, make}_read_{only, write, execute, copy_on_write} for initial mapping and conversions where they make sense.

[bugaevc]

Rebased to separate MmapView removal and addressed a couple of pointed out issues: naming (Mapping -> Mmap in Options), a typo ("methos") and API difference between Unix and Windows (it's now always unsafe to mmap a file).

Please let me know what you think about my suggestion above.

[danburkert]

Looks good, just a few comments. Could you switch the ? calls to try! so CI can pass?

[danburkert]

Looks good, just a few comments. Could you switch the ? calls to try! so CI can pass?

[danburkert]

I think we should go ahead and remove it unless there's a compelling reason to keep it at this point. We can always add it back later if a case can be made.

[danburkert]

Yah, I think eventually we should, but we can punt for now and do it in a follow-up commit.

[danburkert]

ah, I see

[danburkert]

I merged the view removal commit, so you may need to rebase over that.

[bugaevc]

• Removed AnonymousMmapOptions::map() and the corresponding test.
• Made it compile under 1.8.0 (why do you need that?)

[danburkert]

Awesome, thanks. As for Rust 1.8, there is no hard and fast requirement except that that's the status quo, so if it's not too onerous to maintain I'd prefer to. This crate is likely to be a widely used dependency, and if it forces a certain rustic version, then it's forced on everyone who uses it as well. Basically the same reason that libc maintains long backwards compat windows.

Will take a look and likely merge tonight or over the weekend. Thanks again for the help!

[bugaevc]

Great! So, if you think this:

We could get rid of protection in public API entirely, instead exposing a bunch of methods: {map, make}_read_{only, write, execute, copy_on_write} for initial mapping and conversions where they make sense.

is worth a try! 😄 , I'll make a separate PR, is that OK?

[bugaevc]

Also note that I haven't put much work into docs here, that's left for #32 and #34

[bugaevc]

Will take a look and likely merge tonight or over the weekend.

Any news?

[danburkert]

Thanks!