wal-db 0.5.0

Write-ahead log primitive for Rust storage engines. Durable, recoverable, lock-free append path. The WAL substrate under lsm-db, txn-db, raft-io, and Hive DB.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221

//! The crate error type.
//!
//! Every fallible operation in `wal-db` returns [`Result<T>`], whose error is
//! [`WalError`]. The type integrates with the portfolio's `error-forge`
//! framework — it implements [`error_forge::ForgeError`], so callers get the
//! stable `kind` / `is_fatal` metadata other crates rely on — while still
//! exposing the underlying [`std::io::Error`] through [`std::error::Error::source`]
//! for code that needs to inspect the OS error kind directly.

use std::{fmt, io};

use error_forge::ForgeError;

/// A specialised [`Result`](std::result::Result) for log operations.
///
/// Defaults its error to [`WalError`], so most signatures read `Result<T>`.
pub type Result<T, E = WalError> = std::result::Result<T, E>;

/// Everything that can go wrong while appending to, syncing, or recovering a log.
///
/// The type is [`#[non_exhaustive]`](https://doc.rust-lang.org/reference/attributes/type_system.html#the-non_exhaustive-attribute):
/// future versions may add variants without a major bump, so a `match` over it
/// must include a wildcard arm.
#[non_exhaustive]
#[derive(Debug)]
pub enum WalError {
    /// An underlying I/O operation failed.
    ///
    /// `context` names the operation that was attempted (for example
    /// `"open log file"` or `"flush to stable storage"`) so the message is
    /// actionable without a backtrace. The original [`io::Error`] is preserved
    /// as the [`source`](std::error::Error::source); inspect it when the OS
    /// error kind (disk full, permission denied, interrupted) drives recovery.
    Io {
        /// What the log was trying to do when the I/O error occurred.
        context: &'static str,
        /// The underlying operating-system error.
        source: io::Error,
    },

    /// An append was rejected because the record is larger than the configured
    /// limit.
    ///
    /// Records are bounded by [`WalConfig::max_record_size`](crate::WalConfig::max_record_size)
    /// so that a single oversized — or maliciously crafted — record cannot force
    /// an unbounded allocation on the recovery path. The append makes no change
    /// to the log; the caller may split the payload or raise the limit.
    RecordTooLarge {
        /// The length of the rejected record, in bytes.
        len: usize,
        /// The configured maximum record size, in bytes.
        max: u32,
    },

    /// Recovery reached a record that is not intact.
    ///
    /// Either the record's checksum did not match its bytes, or its length
    /// prefix is implausible. In an append-only log a damaged record means
    /// everything after it is untrustworthy, so iteration surfaces this once and
    /// then stops. `offset` is the byte position of the record where the break
    /// was detected.
    Corruption {
        /// Byte offset of the record at which recovery stopped.
        offset: u64,
        /// A short, human-readable reason the record was rejected.
        reason: &'static str,
    },

    /// A typed record could not be encoded or decoded.
    ///
    /// Produced only by the typed-record API (the `pack-io` feature):
    /// `Wal::append_typed` when a value fails to serialise, or `Record::decode`
    /// when a record's bytes do not deserialise into the requested type.
    /// `detail` carries the underlying codec error's message.
    Encoding {
        /// The underlying serialization error, as text.
        detail: String,
    },
}

impl WalError {
    /// Wrap an [`io::Error`] with the static context describing the operation.
    pub(crate) fn io(context: &'static str, source: io::Error) -> Self {
        WalError::Io { context, source }
    }

    /// Build a [`WalError::Corruption`] for the record at `offset`.
    pub(crate) fn corruption(offset: u64, reason: &'static str) -> Self {
        WalError::Corruption { offset, reason }
    }

    /// Build a [`WalError::Encoding`] from a codec error's message.
    #[cfg(feature = "pack-io")]
    pub(crate) fn encoding(detail: impl core::fmt::Display) -> Self {
        WalError::Encoding {
            detail: detail.to_string(),
        }
    }
}

impl fmt::Display for WalError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            WalError::Io { context, source } => {
                write!(f, "i/o error while {context}: {source}")
            }
            WalError::RecordTooLarge { len, max } => {
                write!(
                    f,
                    "record of {len} bytes exceeds the maximum of {max} bytes"
                )
            }
            WalError::Corruption { offset, reason } => {
                write!(f, "log corruption at byte offset {offset}: {reason}")
            }
            WalError::Encoding { detail } => {
                write!(f, "typed record codec error: {detail}")
            }
        }
    }
}

impl std::error::Error for WalError {
    fn source(&self) -> Option<&(dyn std::error::Error + 'static)> {
        match self {
            WalError::Io { source, .. } => Some(source),
            WalError::RecordTooLarge { .. }
            | WalError::Corruption { .. }
            | WalError::Encoding { .. } => None,
        }
    }
}

/// A bare [`io::Error`] converts into [`WalError::Io`] with a generic context.
///
/// Call sites that know what they were doing attach a specific context instead;
/// this exists for the `?` ergonomics of code that does not.
impl From<io::Error> for WalError {
    fn from(source: io::Error) -> Self {
        WalError::Io {
            context: "performing a log i/o operation",
            source,
        }
    }
}

impl ForgeError for WalError {
    fn kind(&self) -> &'static str {
        match self {
            WalError::Io { .. } => "Io",
            WalError::RecordTooLarge { .. } => "RecordTooLarge",
            WalError::Corruption { .. } => "Corruption",
            WalError::Encoding { .. } => "Encoding",
        }
    }

    fn caption(&self) -> &'static str {
        "write-ahead log error"
    }

    /// Corruption is unrecoverable by retry: the bytes on disk are already
    /// damaged. I/O and size errors are left non-fatal for the caller to judge.
    fn is_fatal(&self) -> bool {
        matches!(self, WalError::Corruption { .. })
    }
}

#[cfg(test)]
#[allow(clippy::unwrap_used, clippy::expect_used)]
mod tests {
    use super::*;

    #[test]
    fn test_io_error_exposes_source() {
        let inner = io::Error::new(io::ErrorKind::PermissionDenied, "denied");
        let err = WalError::io("open log file", inner);
        let source = std::error::Error::source(&err).expect("io error has a source");
        let io_source = source
            .downcast_ref::<io::Error>()
            .expect("source downcasts to io::Error");
        assert_eq!(io_source.kind(), io::ErrorKind::PermissionDenied);
    }

    #[test]
    fn test_record_too_large_has_no_source() {
        let err = WalError::RecordTooLarge {
            len: 4096,
            max: 1024,
        };
        assert!(std::error::Error::source(&err).is_none());
    }

    #[test]
    fn test_corruption_is_fatal_others_are_not() {
        assert!(WalError::corruption(128, "checksum mismatch").is_fatal());
        assert!(!WalError::RecordTooLarge { len: 1, max: 0 }.is_fatal());
        let io = WalError::io("x", io::Error::from(io::ErrorKind::Other));
        assert!(!io.is_fatal());
    }

    #[test]
    fn test_kind_matches_variant() {
        assert_eq!(WalError::corruption(0, "x").kind(), "Corruption");
        assert_eq!(
            WalError::RecordTooLarge { len: 1, max: 0 }.kind(),
            "RecordTooLarge"
        );
    }

    #[test]
    fn test_display_is_actionable() {
        let err = WalError::RecordTooLarge {
            len: 4096,
            max: 1024,
        };
        assert_eq!(
            err.to_string(),
            "record of 4096 bytes exceeds the maximum of 1024 bytes"
        );
    }
}