Make the Store API more type-safe

Most functions now take a StorePath argument rather than a Path (which
is just an alias for std::string). The StorePath constructor ensures
that the path is syntactically correct (i.e. it looks like
<store-dir>/<base32-hash>-<name>). Similarly, functions like
buildPaths() now take a StorePathWithOutputs, rather than abusing Path
by adding a '!<outputs>' suffix.

Note that the StorePath type is implemented in Rust. This involves
some hackery to allow Rust values to be used directly in C++, via a
helper type whose destructor calls the Rust type's drop()
function. The main issue is the dynamic nature of C++ move semantics:
after we have moved a Rust value, we should not call the drop function
on the original value. So when we move a value, we set the original
value to bitwise zero, and the destructor only calls drop() if the
value is not bitwise zero. This should be sufficient for most types.

Also lots of minor cleanups to the C++ API to make it more modern
(e.g. using std::optional and std::string_view in some places).

src/libutil/rust-ffi.hh

@@ -1,16 +1,91 @@
+#pragma once
+
 #include "serialise.hh"
 
+#include <string_view>
+#include <cstring>
+#include <array>
+
 namespace rust {
 
-// Depending on the internal representation of Rust slices is slightly
-// evil...
+typedef void (*DropFun)(void *);
+
+/* A Rust value of N bytes. It can be moved but not copied. When it
+   goes out of scope, the C++ destructor will run the drop
+   function. */
+template<std::size_t N, DropFun drop>
+struct Value
+{
+protected:
+
+    std::array<char, N> raw;
+
+    ~Value()
+    {
+        if (!isEvacuated()) {
+            drop(this);
+            evacuate();
+        }
+    }
+
+    // Must not be called directly.
+    Value()
+    { }
+
+    Value(Value && other)
+        : raw(other.raw)
+    {
+        other.evacuate();
+    }
+
+    void operator =(Value && other)
+    {
+        if (!isEvacuated())
+            drop(this);
+        raw = other.raw;
+        other.evacuate();
+    }
+
+private:
+
+    /* FIXME: optimize these (ideally in such a way that the compiler
+       can elide most calls to evacuate() / isEvacuated(). */
+    inline void evacuate()
+    {
+        for (auto & i : raw) i = 0;
+    }
+
+    inline bool isEvacuated()
+    {
+        for (auto & i : raw)
+            if (i != 0) return false;
+        return true;
+    }
+};
+
+/* A Rust vector. */
+template<typename T, DropFun drop>
+struct Vec : Value<3 * sizeof(void *), drop>
+{
+    inline size_t size() const
+    {
+        return ((const size_t *) &this->raw)[2];
+    }
+
+    const T * data() const
+    {
+        return ((const T * *) &this->raw)[0];
+    }
+};
+
+/* A Rust slice. */
 template<typename T>
 struct Slice
 {
-    T * ptr;
+    const T * ptr;
     size_t size;
 
-    Slice(T * ptr, size_t size) : ptr(ptr), size(size)
+    Slice(const T * ptr, size_t size) : ptr(ptr), size(size)
     {
         assert(ptr);
     }
@@ -18,9 +93,44 @@ struct Slice
 
 struct StringSlice : Slice<char>
 {
-    StringSlice(const std::string & s): Slice((char *) s.data(), s.size()) {}
+    StringSlice(const std::string & s): Slice(s.data(), s.size()) {}
+    explicit StringSlice(std::string_view s): Slice(s.data(), s.size()) {}
+    StringSlice(const char * s): Slice(s, strlen(s)) {}
+
+    operator std::string_view() const
+    {
+        return std::string_view(ptr, size);
+    }
 };
 
+/* A Rust string. */
+struct String;
+
+extern "C" {
+    void ffi_String_new(StringSlice s, String * out);
+    void ffi_String_drop(void * s);
+}
+
+struct String : Vec<char, ffi_String_drop>
+{
+    String(std::string_view s)
+    {
+        ffi_String_new(StringSlice(s), this);
+    }
+
+    String(const char * s)
+        : String({s, std::strlen(s)})
+    {
+    }
+
+    operator std::string_view() const
+    {
+        return std::string_view(data(), size());
+    }
+};
+
+std::ostream & operator << (std::ostream & str, const String & s);
+
 struct Source
 {
     size_t (*fun)(void * source_this, rust::Slice<uint8_t> data);
@@ -33,7 +143,7 @@ struct Source
     // FIXME: how to propagate exceptions?
     static size_t sourceWrapper(void * _this, rust::Slice<uint8_t> data)
     {
-        auto n = ((nix::Source *) _this)->read(data.ptr, data.size);
+        auto n = ((nix::Source *) _this)->read((unsigned char *) data.ptr, data.size);
         return n;
     }
 };
@@ -49,11 +159,20 @@ struct Result
         std::exception_ptr * exc;
     };
 
+    ~Result()
+    {
+        if (tag == 0)
+            data.~T();
+        else if (tag == 1)
+            // FIXME: don't leak exc
+            ;
+    }
+
     /* Rethrow the wrapped exception or return the wrapped value. */
     T unwrap()
     {
         if (tag == 0)
-            return data;
+            return std::move(data);
         else if (tag == 1)
             std::rethrow_exception(*exc);
         else