unsafe code should be only used when necessary, and should be carefully scrutinized during PR reviews.
The code should never panic or crash, which means that any instance of unwrap or expect is a potential time-bomb. Even if you structured your code to make them impossible, any reader will have to read the code very carefully to prove to themselves that an unwrap won't panic. Often you can instead rewrite your code so as to avoid it. The same goes for indexing into a slice (which will panic on out-of-bounds) - it is often preferable to use .get().
For instance:
let first = if vec.is_empty() {
return;
} else {
vec[0]
};can be better written as:
let Some(first) = vec.get(0) else { return; };We log problems using our own re_log crate (which is currently a wrapper around tracing).
- An error should never happen in silence.
- Validate code invariants using
assert!ordebug_assert!. - Validate user data and return errors using
thiserror. - Attach context to errors as they bubble up the stack using
anyhow. - Log errors using
re_log::error!orre_log::error_once!. - If a problem is recoverable, use
re_log::warn!orre_log::warn_once!. - If an event is of interest to the user, log it using
re_log::info!orre_log::info_once!. - The code should only panic if there is a bug in the code.
- Never ignore an error: either pass it on, or log it.
- Handle each error exactly once. If you log it, don't pass it on. If you pass it on, don't log it.
Strive to encode code invariants and contracts in the type system as much as possible. So if a vector cannot be empty, consider using vec1. Parse, don’t validate.
Some contracts cannot be enforced using the type system. In those cases you should explicitly enforce them using assert (self-documenting code) and in documentation (if it is part of a public API).
The log is for several distinct users:
- The application user
- The application programmer
- The library user
- The library programmer
We are all sharing the same log stream, so we must cooperate carefully.
This is for unrecoverable problems. The application or library couldn't complete an operation.
Libraries should ideally not log ERROR, but instead return Err in a Result, but there are rare cases where returning a Result isn't possible (e.g. then doing an operation in a background task).
Application can "handle" Errors by logging them as ERROR (perhaps in addition to showing a popup, if this is a GUI app).
This is for recoverable problems. The operation completed, but couldn't do exactly what it was instructed to do.
Sometimes an Err is handled by logging it as WARNING and then running some fallback code.
This is the default verbosity level. This should mostly be used only by application code to write interesting and rare things to the application user. For instance, you may perhaps log that a file was saved to specific path, or where the default configuration was read from. These things lets application users understand what the application is doing, and debug their use of the application.
This is a level you opt-in to to debug either an application or a library. These are logged when high-level operations are performed (e.g. texture creation). If it is likely going to be logged each frame, move it to TRACE instead.
This is the last-resort log level, and mostly for debugging libraries or the use of libraries. Here any and all spam goes, logging low-level operations.
The distinction between DEBUG and TRACE is the least clear. Here we use a rule of thumb: if it generates a lot of continuous logging (e.g. each frame), it should go to TRACE.
We use thiserror for errors in our libraries, and anyhow for type-erased errors in applications.
For faster hashing, we use ahash (ahash::HashMap, …).
When the hashmap key is high-entropy we use nohash-hasher (nohash_hasher::IntMap).
We follow the Rust API Guidelines.
We use rust fmt with default settings.
We have blank lines before functions, types, impl blocks, and docstrings.
We format comments // Like this, and //not like this.
When importing a trait to use its trait methods, do this: use Trait as _;. That lets the reader know why you imported it, even though it seems unused.
When intentionally ignoring a Result, prefer foo().ok(); over let _ = foo();. The former shows what is happening, and will fail to compile if foo:s return type ever changes.
When you must remember to do something before merging a PR, write TODO or FIXME in any file. The CI will not be green until you either remove them or rewrite them as TODO(yourname).
You can also use the todo()! macro during development, but again it won't pass CI until you rewrite it as todo!("more details"). Of course, we should try to avoid todo! macros in our code.
Use debug-formatting ({:?}) when logging strings in logs and error messages. This will surround the string with quotes and escape newlines, tabs, etc. For instance: re_log::warn!("Unknown key: {key:?}");.
Use re_error::format(err) when displaying an error.
When in doubt, be explicit. BAD: id. GOOD: msg_id.
Be terse when it doesn't hurt readability. BAD: message_identifier. GOOD: msg_id.
Avoid negations in names. A lot of people struggle with double negations, so things like non_blocking = false and if !non_blocking { … } can become a source of confusion and will slow down most readers. So prefer connected over disconnected, initialized over uninitialized etc.
For UI functions (functions taking an &mut egui::Ui argument), we use the name ui or _ui suffix, e.g. blueprint_ui(…) or blueprint.ui(…).
Points, vectors, rays etc all live in different spaces. Whenever there is room for ambiguity, we explicitly state which space something is in, e.g. with ray_in_world.
Here are some of our standard spaces:
ui: coordinate system used byegui, measured in logical pixels ("points"), with origin in the top leftimage: image pixel coordinates, possibly with an addedz=depthspace: a user-defined space where they log stuff intoworld: the common coordinate system of a 3D scene, usually same asspaceview: X=right, Y=down, Z=back, origin = center of screen
We use column vectors, which means matrix multiplication is done as M * v, i.e. we read all matrix/vector operations right-to-left. We therefore name all transform matrices as foo_from_bar, for instance:
let point_in_world = world_from_view * point_in_view;This means the name of the space matches up nicely, e.g.:
let projection_from_object = projection_from_view * view_from_world * world_from_object;See https://www.sebastiansylvan.com/post/matrix_naming_convention/ for motivation.
For consistency, we use the same naming convention for other non-matrix transforms too. For instance, functions: let screen = screen_from_world(world);.
Vectors are directions with magnitudes. Points are positions.