ruchy 4.1.1

A systems scripting language that transpiles to idiomatic Rust with extreme quality engineering
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349

# RefCell Borrow Rules and Panic Prevention Guide

## Executive Summary

RefCell provides **runtime-checked** borrowing. Unlike Rust's compile-time borrow checker, violations cause **panics at runtime**. This guide ensures we NEVER panic in the Ruchy interpreter.

## Core Borrow Rules

### Rule 1: Multiple Immutable Borrows Allowed
```rust
let obj = Rc::new(RefCell::new(hashmap));

// ✅ SAFE: Multiple simultaneous reads
let borrow1 = obj.borrow();
let borrow2 = obj.borrow();
let val1 = borrow1.get("key1");
let val2 = borrow2.get("key2");
// Both borrows alive simultaneously - OK!
```

### Rule 2: Only ONE Mutable Borrow at a Time
```rust
// ✅ SAFE: Single mutable borrow
{
    let mut borrow = obj.borrow_mut();
    borrow.insert("key", value);
} // Borrow dropped here

// ❌ PANIC: Two mutable borrows
let mut borrow1 = obj.borrow_mut();
let mut borrow2 = obj.borrow_mut(); // PANIC!
```

### Rule 3: No Immutable Borrow While Mutable Exists
```rust
// ❌ PANIC: Read while writing
let mut write_borrow = obj.borrow_mut();
let read_borrow = obj.borrow(); // PANIC!

// ✅ SAFE: Release write before read
{
    let mut write_borrow = obj.borrow_mut();
    write_borrow.insert("key", value);
} // Write borrow dropped
let read_borrow = obj.borrow(); // OK!
```

## Panic Scenarios in Ruchy

### Scenario 1: Nested Field Access During Mutation

**UNSAFE CODE:**
```rust
fn eval_assign_nested_bad(obj: &Rc<RefCell<HashMap<String, Value>>>) {
    let borrowed = obj.borrow(); // Immutable borrow
    let key = borrowed.get("key"); // Still borrowed!

    obj.borrow_mut().insert("other", value); // PANIC! Already borrowed
}
```

**SAFE CODE:**
```rust
fn eval_assign_nested_safe(obj: &Rc<RefCell<HashMap<String, Value>>>) {
    // Clone the value while borrowed, then release
    let key = obj.borrow().get("key").cloned();
    // Borrow released here

    obj.borrow_mut().insert("other", value); // OK!
}
```

**Why this works:** `.cloned()` creates an owned value, allowing the borrow to drop before the next borrow.

### Scenario 2: Method Call Accessing Self Fields

**UNSAFE CODE:**
```rust
fn eval_method_call_bad(instance: &Rc<RefCell<HashMap<String, Value>>>) {
    let borrowed = instance.borrow();
    let method = borrowed.get("__method").cloned().unwrap();

    // Still borrowed!
    if let Value::Closure { body, .. } = method {
        // Closure execution might try to borrow_mut instance
        self.eval_expr(&body); // PANIC if body contains self.field = value
    }
}
```

**SAFE CODE:**
```rust
fn eval_method_call_safe(instance: &Rc<RefCell<HashMap<String, Value>>>) {
    // Clone method THEN release borrow
    let method = instance.borrow().get("__method").cloned().unwrap();
    // Borrow released here

    if let Value::Closure { body, .. } = method {
        // Now safe to execute, can borrow_mut if needed
        self.eval_expr(&body); // OK!
    }
}
```

**Pattern:** Always `.cloned()` values from RefCell, never hold borrow across other operations.

### Scenario 3: Actor Message Handler Execution

**UNSAFE CODE:**
```rust
fn process_message_bad(actor: &Rc<RefCell<HashMap<String, Value>>>, msg: &Value) {
    let handlers = actor.borrow().get("__handlers").cloned().unwrap();
    let state_ref = &actor.borrow(); // Immutable borrow held

    // Execute handler which might mutate state
    execute_handler(handler, state_ref); // PANIC if handler does self.field = x
}
```

**SAFE CODE:**
```rust
fn process_message_safe(actor: &Rc<RefCell<HashMap<String, Value>>>, msg: &Value) {
    // Get handler, release borrow
    let handler = actor.borrow().get("__handlers").cloned().unwrap();
    // Borrow released here

    // Execute handler with actor reference (can borrow_mut internally)
    execute_handler(handler, actor); // OK!
}
```

**Pattern:** Pass the `Rc<RefCell<>>` itself, not a borrow of it.

### Scenario 4: Iterating While Mutating

**UNSAFE CODE:**
```rust
fn iterate_and_mutate_bad(obj: &Rc<RefCell<HashMap<String, Value>>>) {
    let borrowed = obj.borrow();
    for (key, value) in borrowed.iter() {
        // Still borrowed!
        if condition(value) {
            obj.borrow_mut().remove(key); // PANIC! Already borrowed
        }
    }
}
```

**SAFE CODE:**
```rust
fn iterate_and_mutate_safe(obj: &Rc<RefCell<HashMap<String, Value>>>) {
    // Collect keys first, release borrow
    let keys_to_remove: Vec<String> = obj.borrow()
        .iter()
        .filter(|(_, v)| condition(v))
        .map(|(k, _)| k.clone())
        .collect();
    // Borrow released here

    // Now mutate
    let mut borrowed_mut = obj.borrow_mut();
    for key in keys_to_remove {
        borrowed_mut.remove(&key); // OK!
    }
}
```

**Pattern:** Separate read and write phases. Collect data during read, mutate during write.

## Safe Patterns for Ruchy Interpreter

### Pattern 1: Clone-Release-Mutate

```rust
// ✅ ALWAYS SAFE
fn safe_pattern_1(obj: &Rc<RefCell<HashMap<String, Value>>>) {
    let value = obj.borrow().get("key").cloned(); // Clone and release
    obj.borrow_mut().insert("other", new_value);  // OK!
}
```

### Pattern 2: Scoped Borrows

```rust
// ✅ ALWAYS SAFE
fn safe_pattern_2(obj: &Rc<RefCell<HashMap<String, Value>>>) {
    {
        let borrowed = obj.borrow();
        process(borrowed.get("key"));
    } // Borrow explicitly dropped

    obj.borrow_mut().insert("key", value); // OK!
}
```

### Pattern 3: Early Drop

```rust
// ✅ ALWAYS SAFE
fn safe_pattern_3(obj: &Rc<RefCell<HashMap<String, Value>>>) {
    let borrowed = obj.borrow();
    let value = borrowed.get("key").cloned();
    drop(borrowed); // Explicitly drop borrow

    obj.borrow_mut().insert("other", value); // OK!
}
```

### Pattern 4: Separate Functions

```rust
// ✅ ALWAYS SAFE
fn read_field(obj: &Rc<RefCell<HashMap<String, Value>>>) -> Option<Value> {
    obj.borrow().get("key").cloned()
} // Borrow released on function return

fn write_field(obj: &Rc<RefCell<HashMap<String, Value>>>, val: Value) {
    obj.borrow_mut().insert("key", val); // OK, separate function
}

fn process(obj: &Rc<RefCell<HashMap<String, Value>>>) {
    let val = read_field(obj);  // Borrow released
    write_field(obj, new_val);  // OK!
}
```

**Pattern:** Separate read and write into different functions. Borrows released at function boundaries.

## Defensive Programming with try_borrow

For production code where we want to catch errors gracefully:

```rust
fn defensive_field_access(obj: &Rc<RefCell<HashMap<String, Value>>>) -> Result<Value, InterpreterError> {
    obj.try_borrow()
        .map_err(|_| InterpreterError::RuntimeError("Borrow check failed".to_string()))?
        .get("field")
        .cloned()
        .ok_or_else(|| InterpreterError::RuntimeError("Field not found".to_string()))
}
```

**When to use:**
- User-facing operations that shouldn't crash
- External API boundaries
- Debugging mode

**When NOT to use:**
- Internal interpreter operations (panic = bug, should fix)
- Performance-critical paths (adds overhead)

## Why Ruchy Won't Panic

**Single-threaded interpreter guarantees:**

1. **No concurrent access**: Only one thread executing interpreter code
2. **Sequential operations**: Each operation completes before next starts
3. **Scoped borrows**: Borrows released before next operation
4. **No recursion holding borrows**: Functions release borrows before recursion

**Example Safe Execution:**
```
1. eval_expr(actor ! message)
   ├─ Get actor instance: actor.borrow().get("__handlers").cloned() [RELEASED]
   ├─ Execute handler body: eval_expr(handler.body)
   │  └─ Field assignment: actor.borrow_mut().insert("field", value) [OK]
   └─ Return result
```

Each step releases borrows before the next step.

## Testing Strategy

### Unit Tests for Borrow Safety

```rust
#[test]
fn test_no_panic_sequential_access() {
    let obj = Rc::new(RefCell::new(HashMap::new()));

    // Sequential reads - should not panic
    for _ in 0..1000 {
        let _ = obj.borrow().get("key");
    }
}

#[test]
fn test_no_panic_sequential_writes() {
    let obj = Rc::new(RefCell::new(HashMap::new()));

    // Sequential writes - should not panic
    for i in 0..1000 {
        obj.borrow_mut().insert("key", Value::Integer(i));
    }
}

#[test]
fn test_no_panic_read_write_alternating() {
    let obj = Rc::new(RefCell::new(HashMap::new()));

    // Alternating read/write - should not panic
    for i in 0..1000 {
        obj.borrow_mut().insert("key", Value::Integer(i));
        let _ = obj.borrow().get("key").cloned();
    }
}

#[test]
#[should_panic]
fn test_panic_nested_borrow() {
    let obj = Rc::new(RefCell::new(HashMap::new()));

    let _borrow = obj.borrow(); // Hold borrow
    let _mut_borrow = obj.borrow_mut(); // PANIC!
}
```

### Property Tests

Already created in Phase 2:
- `prop_refcell_never_panics_on_borrow`: Verifies 10,000 operations don't panic

## Code Review Checklist

When reviewing code with RefCell:

- [ ] All `.borrow()` calls are followed by `.cloned()` or scoped
- [ ] No borrows held across function calls that might borrow
- [ ] Iterators don't hold borrows while mutating
- [ ] Methods on ObjectMut pass `Rc<RefCell<>>`, not `&RefCell<>`
- [ ] No borrows held across `eval_expr` calls
- [ ] Separate read and write phases clearly
- [ ] Comment any complex borrow patterns

## Summary

**Golden Rule:** Never hold a borrow across another borrow operation.

**Safe patterns:**
1. Clone then release: `.borrow().get().cloned()`
2. Scoped borrows: `{ let b = obj.borrow(); ... }`
3. Separate functions: Read in one function, write in another

**Unsafe patterns to avoid:**
1. Nested borrows: Holding borrow while trying another
2. Iterating while mutating: `for` loop with borrow_mut inside
3. Passing borrowed refs: Pass `&Rc<RefCell<>>` not `&HashMap<>`

Following these rules, Ruchy's RefCell usage will be **panic-free**.