docs: Improve inline documentation (#11)

Author: brannondorsey

src/errors.rs

@@ -1,6 +1,6 @@
 //! Error handling is an important part of the `mem-isolate` crate. If something
 //! went wrong, we want to give the caller as much context as possible about how
-//! that error effected their `callable`, so they are well-equipped to know what
+//! that error affected their `callable`, so they are well-equipped to know what
 //! to do about it.
 //!
 //! The primary error type is [`MemIsolateError`], which is returned by
@@ -36,11 +36,17 @@ use thiserror::Error;
 /// [`MemIsolateError`] is the **primary error type returned by the crate**. The
 /// goal is to give the caller context about what happened to their callable if
 /// something went wrong.
+///
+/// For basic usage, and an introduction of how you should think about error
+/// handling with this crate, see
+/// [`examples/error-handling-basic.rs`](https://github.com/brannondorsey/mem-isolate/blob/main/examples/error-handling-basic.rs)
+///
+/// For an exhaustive look of all possible error variants, see [`examples/error-handling-complete.rs`](https://github.com/brannondorsey/mem-isolate/blob/main/examples/error-handling-complete.rs)
 // TODO: Consider making this Send + Sync
 #[derive(Error, Debug, Serialize, Deserialize)]
 pub enum MemIsolateError {
     /// Indicates something went wrong before the callable was executed. Because
-    /// the callable never executed, it should be safe to naively retry the the
+    /// the callable never executed, it should be safe to naively retry the
     /// callable with or without mem-isolate, even if the function is not
     /// idempotent.
     #[error("an error occurred before the callable was executed: {0}")]
@@ -51,7 +57,7 @@ pub enum MemIsolateError {
     #[error("an error occurred after the callable was executed: {0}")]
     CallableExecuted(#[source] CallableExecutedError),
 
-    /// Indicates something went wrong, but it is unknown wether the callable was
+    /// Indicates something went wrong, but it is unknown whether the callable was
     /// executed. **You should retry the callable only if it is idempotent.**
     #[error("the callable process exited with an unknown status: {0}")]
     CallableStatusUnknown(#[source] CallableStatusUnknownError),
@@ -93,7 +99,7 @@ pub enum CallableDidNotExecuteError {
     // That rules out a ton of overloaded io::Error posibilities. It's more
     // precise. WARNING: Serialization will fail if this is not an OS error.
     //
-    /// A system error ocurred while creating the pipe used to communicate with
+    /// A system error occurred while creating the pipe used to communicate with
     /// the child process
     #[serde(
         serialize_with = "serialize_os_error",
@@ -104,7 +110,7 @@ pub enum CallableDidNotExecuteError {
     )]
     PipeCreationFailed(#[source] io::Error),
 
-    /// A system error ocurred while closing the child process's copy of the
+    /// A system error occurred while closing the child process's copy of the
     /// pipe's read end
     #[serde(
         serialize_with = "serialize_option_os_error",
@@ -113,7 +119,7 @@ pub enum CallableDidNotExecuteError {
     #[error("system error encountered closing the child's copy of the pipe's read end: {}", format_option_error(.0))]
     ChildPipeCloseFailed(#[source] Option<io::Error>),
 
-    /// A system error ocurred while forking the child process which is used to
+    /// A system error occurred while forking the child process which is used to
     /// execute user-supplied callable
     #[serde(
         serialize_with = "serialize_os_error",
@@ -124,13 +130,13 @@ pub enum CallableDidNotExecuteError {
 }
 
 /// An error indicating that something went wrong in a way where it is difficult
-/// or impossible to determine wether the user-supplied callable was executed
+/// or impossible to determine whether the user-supplied callable was executed
 /// `¯\_(ツ)_/¯`
 ///
 /// You should only retry the callable if it is idempotent.
 #[derive(Error, Debug, Serialize, Deserialize)]
 pub enum CallableStatusUnknownError {
-    /// A system error ocurred while closing the parent's copy of the pipe's
+    /// A system error occurred while closing the parent's copy of the pipe's
     /// write end
     #[serde(
         serialize_with = "serialize_os_error",
@@ -139,15 +145,15 @@ pub enum CallableStatusUnknownError {
     #[error("system error encountered closing the parent's copy of the pipe's write end: {0}")]
     ParentPipeCloseFailed(#[source] io::Error),
 
-    /// A system error ocurred while waiting for the child process to exit
+    /// A system error occurred while waiting for the child process to exit
     #[serde(
         serialize_with = "serialize_os_error",
         deserialize_with = "deserialize_os_error"
     )]
     #[error("system error encountered waiting for the child process: {0}")]
     WaitFailed(#[source] io::Error),
 
-    /// A system error ocurred while reading the child's result from the pipe
+    /// A system error occurred while reading the child's result from the pipe
     #[serde(
         serialize_with = "serialize_os_error",
         deserialize_with = "deserialize_os_error"

src/lib.rs

@@ -1,3 +1,43 @@
+//! # `mem-isolate`: *Run unsafe code safely*
+//!
+//! It runs your function via a `fork()`, waits for the result, and
+//! returns it.
+//!
+//! This grants your code access to an exact copy of memory and state at the
+//! time just before the call, but guarantees that the function will not affect
+//! the parent process's memory footprint in any way. It forces functions to be
+//! *pure*, even if they aren't.
+//!
+//! ```
+//! use mem_isolate::execute_in_isolated_process;
+//!
+//! // No heap, stack, or program memory out here...
+//! let result = mem_isolate::execute_in_isolated_process(|| {
+//!     // ...Can be affected by anything in here
+//!     Box::leak(Box::new(vec![42; 1024]));
+//! });
+//! ```
+//!
+//! To keep things simple, this crate exposes only two public interfaces:
+//!
+//! * [`execute_in_isolated_process`] - The function that executes your code in
+//!   an isolated process.
+//! * [`MemIsolateError`] - The error type that function returns ☝️
+//!
+//! For more code examples, see [`examples/`](https://github.com/brannondorsey/mem-isolate/tree/main/examples).
+//! [This one](https://github.com/brannondorsey/mem-isolate/blob/main/examples/error-handling-basic.rs)
+//! in particular shows how you should think about error handling.
+//!
+//! For more information, see the [README](https://github.com/brannondorsey/mem-isolate).
+//!
+//! ## Supported platforms
+//!
+//! Because of its heavy use of POSIX system calls, this crate only
+//! supports Unix-like operating systems (e.g. Linux, macOS, BSD).
+//!
+//! Windows and wasm support are not planned at this time.
+#![warn(missing_docs)]
+
 #[cfg(not(any(target_family = "unix")))]
 compile_error!(
     "Because of its heavy use of POSIX system calls, this crate only supports Unix-like operating systems (e.g. Linux, macOS, BSD)"
@@ -28,12 +68,87 @@ pub use serde::{Serialize, de::DeserializeOwned};
 /// serializes its result (using bincode) and writes it through a pipe, which
 /// the parent reads and deserializes.
 ///
-/// # Safety
-/// This code directly calls glibc functions (via the libc crate) and should
-/// only be used in a Unix environment.
+/// # Example
+///
+/// ```rust
+/// use mem_isolate::execute_in_isolated_process;
+///
+/// let leaky_fn = || {
+///     // Leak 1KiB of memory
+///     let data: Vec<u8> = Vec::with_capacity(1024);
+///     let data = Box::new(data);
+///     Box::leak(data);
+/// };
+///
+/// let _ = execute_in_isolated_process(leaky_fn);
+/// // However, the memory is not leaked in the parent process here
+/// ```
+///
+/// # Error Handling
+///
+/// Error handling is organized into three levels:
+///
+/// 1. The first level describes the effect of the error on the `callable` (e.g.
+///    did your callable function execute or not)
+/// 2. The second level describes what `mem-isolate` operation caused the error
+///    (e.g. did serialization fail)
+/// 3. The third level is the underlying OS error if it is available (e.g. an
+///    `io::Error`)
+///
+/// For most applications, you'll care only about the first level:
+///
+/// ```rust
+/// use mem_isolate::{execute_in_isolated_process, MemIsolateError};
+///
+/// // Function that might cause memory issues
+/// let result = execute_in_isolated_process(|| {
+///     // Some operation
+///     "Success!".to_string()
+/// });
+///
+/// match result {
+///     Ok(value) => println!("Callable succeeded: {}", value),
+///     Err(MemIsolateError::CallableDidNotExecute(_)) => {
+///         // Safe to retry, callable never executed
+///         println!("Callable did not execute, can safely retry");
+///     },
+///     Err(MemIsolateError::CallableExecuted(_)) => {
+///         // Do not retry unless idempotent
+///         println!("Callable executed but result couldn't be returned");
+///     },
+///     Err(MemIsolateError::CallableStatusUnknown(_)) => {
+///         // Retry only if idempotent
+///         println!("Unknown if callable executed, retry only if idempotent");
+///     }
+/// }
+/// ```
+///
+/// For a more detailed look at error handling, see the documentation in the
+/// [`errors`] module.
+///
+/// ## Important Note on Closures
+///
+/// When using closures that capture and mutate variables from their environment,
+/// these mutations **only occur in the isolated child process** and do not affect
+/// the parent process's memory. For example, it may seem surprising that the
+/// following code will leave the parent's `counter` variable unchanged:
+///
+/// ```rust
+/// use mem_isolate::execute_in_isolated_process;
+///
+/// let mut counter = 0;
+/// let result = execute_in_isolated_process(|| {
+///     counter += 1;  // This increment only happens in the child process
+///     counter        // Returns 1
+/// });
+/// assert_eq!(counter, 0);  // Parent's counter remains unchanged
+/// ```
+///
+/// This is the intended behavior as the function's purpose is to isolate all
+/// memory effects of the callable. However, this can be surprising, especially
+/// for [`FnMut`] or [`FnOnce`] closures.
 pub fn execute_in_isolated_process<F, T>(callable: F) -> Result<T, MemIsolateError>
 where
-    // TODO: Consider restricting to disallow FnMut() closures
     F: FnOnce() -> T,
     T: Serialize + DeserializeOwned,
 {
@@ -161,7 +276,7 @@ where
             } // The read_fd will automatically be closed when the File is dropped
 
             if buffer.is_empty() {
-                // TODO: How can we more rigerously know this? Maybe we write to a mem map before and after execution?
+                // TODO: How can we more rigorously know this? Maybe we write to a mem map before and after execution?
                 return Err(CallableStatusUnknown(CallableProcessDiedDuringExecution));
             }
             // Update the deserialization to handle child errors