refactor(profiling)!: create FFI Error type and remove *Result_drop methods

[morrisonlevi]

What does this PR do?

This extracts an FFI Error type aka ddog_Error and it contains an FFI Vec internally.

/// Please treat this as opaque; do not reach into it, and especially don't
/// write into it!
#[derive(Debug)]
#[repr(C)]
pub struct Error {
    /// This is a String stuffed into the vec.
    message: Vec<u8>,
}

Then, the FFI error types use this in their Err field, instead of ddcommon_ffi::Vec<u8>:

#[repr(C)]
pub enum SendResult {
    HttpResponse(HttpStatus),
    Err(Error),
}

The *Result_drop methods have been removed:

• ddog_prof_Exporter_NewResult_drop
• ddog_prof_Exporter_Request_BuildResult_drop
• ddog_prof_Exporter_SendResult_drop
• ddog_prof_Profile_AddResult_drop
• ddog_prof_Profile_SerializeResult_drop
• ddog_Vec_Tag_PushResult_drop

And these were added instead:

• ddog_Error_drop (+ ddog_Error_message to get the message)
• ddog_prof_EncodedProfile_drop
• ddog_prof_Exporter_Request_drop

Motivation

I thought it was a bit nicer this way to not have to reach into the guts, and instead have an API.

Additionally, we realized that with the *Result_drop APIs it was a bit easy to get into double-free scenarios, so we removed them.

Additional Notes

I wish we could also extract a generic Result type, but the cbindgen output leaves a bad API. Maybe once some PRs land. The idea would be to hard-code the error type to always be the FFI Error:

#[repr(C)]
enum Result<T> {
    Ok(T),
    Err(Error), // the Error type being the one introduced here
};

How to test the change?

Use the new ddog_Error_message and ddog_Error_drop APIs:

/**
 * # Safety
 * Only pass null or a valid reference to an Error.
 */
void ddog_Error_drop(struct ddog_Error *error);

/**
 * Returns a CharSlice of the error's message that is valid until the error
 * is dropped.
 * # Safety
 * Only pass null or a valid reference to an Error.
 */
ddog_CharSlice ddog_Error_message(const struct ddog_Error *error);

As well as adjust your dropping as the *Result_drop APIs have been removed. You need to drop each case, if necessary (don't need to drop a uint64_t, obviously).

[ivoanjo]

So... I'm a bit unsure about this one.

Things I like:

• The idea of having a single "object" for containing the error, because that allows us to easily feed more information there (maybe some day the libdatadog stack trace? more details?) without having to change the API again.

• The FFI code seems cleaner and easier to follow, since it can focus on "this is an error", and the string handling stuff is only in a single place.

Things I'm not quite sure:

• This doesn't make it easier for the client to print these strings. E.g. consider that I turn every error into a Ruby string:

  VALUE err_details = ruby_string_from_prof_vec_u8(exporter_result.err);

  so I'm imagining I'd update it to:

  VALUE err_details = ruby_string_from_error(exporter_result.err);

  (where ruby_string_from_error calls ddog_Error_message.)

  So this doesn't particularly help out this part...

• One apparent benefit of this change would be to have a generic drop for every error. Which is true but... I don't think it alleviates the need for any of the other _drop methods, since there are still going to be cases where the clients need to drop the non-faulty result.

  Thus the API contract goes from "you need to either consume or drop most objects" to "you need to either consume or drop most objects, but if it's an error you can drop the error message instead", e.g. there's now two ways of doing the same thing.

  This is not necessarily a blocker; I'm thinking we can still keep the error, and not add the error-specific drop, which would prevent this issue.

• (Minor: The change to prefix arguments with _, while it makes sense from the Rust side, it's propagated to the FFI headers and its meaning there is kinda confusing. I realize that we were using a mix of _ and no _, but I actually think the right thing in the FFI is to never use _)

[morrisonlevi]

Thus the API contract goes from "you need to either consume or drop most objects" to "you need to either consume or drop most objects, but if it's an error you can drop the error message instead", e.g. there's now two ways of doing the same thing.

What got me started on this path was actually a case where dropping the result was likely to result in double-free. So for that type, I specifically would not create a drop for the result type, and force callers to drop the error case. I'm unsure if that ought to generalize or not. Maybe we should do a case-by-case review?

[ivoanjo]

If I understood correctly, the guiding principle of the latest version is: there is never any _drop for a FooResult, there's only _drop (if needed) for the contents of FooResult -- there's one for the error, and another (if needed) for the non-error return.

I think I like it. There's only one correct way of doing things, and it de-emphasizes the FooResults from being a thing you should care about vs just being effectively a shortcut for returning a (success flag, something) from our functions that would not exist if C allowed multiple returns natively.

One thing that occurred to me is -- should we add a note somewhere that when adding functions that return results via the FFI, they should always be marked as #[must_use]? That way clients get a compiler complaint if they just use a function that returns a result in a fire-and-forget-way (e.g. they're probably missing a drop).

I checked and every function right now is correctly tagged, but it may be useful to document this somewhere so we don't forget this key fact :)

[ivoanjo]

Is an empty string a ddog_Vec_U8 with ptr set to NULL?

[morrisonlevi]

It's not null, but doesn't use an allocation. If you follow the implementation through, you eventually see this:

    pub const fn new_in(alloc: A) -> Self {
        // `cap: 0` means "unallocated". zero-sized types are ignored.
        Self { ptr: Unique::dangling(), cap: 0, alloc }
    }

And Unique::dangling() uses a NonNull::dangling(), which has documentation:

Creates a new NonNull that is dangling, but well-aligned.
This is useful for initializing types which lazily allocate, like Vec::new does.

So, it's a non-null value that's not backed by an allocation, aka dangling. So, after the _drop() we no longer need to free anything, but if someone accidentally uses ddog_Error_drop or ddog_Error_message then it will still be memory-safe and not have double-free nor user-after-free issues. It shouldn't be relied on by the API consumer, though (fix your code, please!).

[ivoanjo]

I never read this, so nothing to fix! But I was curious what ended up there :)

[ivoanjo]

Minor: Since the error string is always going to be printed and accessed from the ffi client side, I wonder if it'd be nice to just make it a char * to save the effort of every API client having to turn it into a char * one way or another :)

[morrisonlevi]

It's a ddog_CharSlice, which does use char* for it's pointer. We can append a null byte for convenience if you want (as in debugger convenience), but that doesn't guarantee that there aren't any interior null bytes. Meaning, you need the length anyway.

[ivoanjo]

Right, what I was thinking is -- for error messages specifically libdatadog could ensure that it output a real bona-fide char * with only a null byte at the end so that clients could print it directly.

[morrisonlevi]

I checked and every function right now is correctly tagged, but it may be useful to document this somewhere so we don't forget this key fact :)

We can document it, yes, but will the programmer see/remember the documentation? :)

I added a README.md file to profiling-ffi.

[morrisonlevi]

@ivoanjo, can you double-check before I commit? I did a leak check and it turns out on main we are leaking in the exporter.cpp example (I think it's a missing ddog_prof_Profile_SerializeResult_drop on the happy path). This branch doesn't leak anything, though.

[ivoanjo]

Last check with some last-minute suggested fixes!

Otherwise I've looked at the generated C headers and they also look good.

One last thing that may be interesting to mention in the PR description is that the following were dropped (pun not intended):

• ddog_prof_Exporter_NewResult_drop
• ddog_prof_Exporter_Request_BuildResult_drop
• ddog_prof_Exporter_SendResult_drop
• ddog_prof_Profile_AddResult_drop
• ddog_prof_Profile_SerializeResult_drop
• ddog_Vec_Tag_PushResult_drop

And these were added instead:

• ddog_Error_drop (+ ddog_Error_message to get the message)
• ddog_prof_EncodedProfile_drop
• ddog_prof_Exporter_Request_drop

[ivoanjo]

Minor: Just noticed that this is actually incorrect -- the files can come from elsewhere e.g. for metrics.json or code-provenance.json :)

[ivoanjo]

Just noticed that this one was correctly removed BUT we're missing ddog_prof_Exporter_Request_drop. We even reference it in some comments, but it's nowhere to be found :)

I actually use it in the Ruby profiler mostly because the files in the request are pointing to memory that is managed by Ruby so I do this dance of:

• Grab VM lock
• Build request (Ruby is not mutating the files because I'm holding the lock)
• Release lock
• Call send

Between "Build request" and "Call send" Ruby may want to abort (e.g. let's imagine the VM really wants to shut down) and in that situation it's when I used this API:

  if (pending_exception) {
    // If we got here send did not run, so we need to explicitly dispose of the request
    ddog_prof_Exporter_Request_drop(request);

    // Let Ruby propagate the exception. This will not return.
    rb_jump_tag(pending_exception);
  }

[ivoanjo]

Minor: Fixing namespace :)

Suggested change

	/// * `request` - Takes ownership of the request. Do not call `ddog_prof_Request_drop` on
	/// * `request` - Takes ownership of the request. Do not call `ddog_prof_Exporter_Request_drop` on