ref(scheduler): Make InnerSchedulerState an enum

[flub]

This is more verbose, but makes reasoning about things easier.

Followup from #4246.

#skip-changelog

[iequidoo]

Looks like Stopped is not needed, it's just Paused { started: false, pause_guard_count: 0 }

[link2xt]

I would say pause_guard_count = 0 is not a valid state. Because then it is not clear what started = true, pause_guard_count = 0 means.

Or we can offset pause_guard_count by 1, so 0 means that there is a single guard and it counts additional guards.

[iequidoo]

But we can say also that started = true, pause_guard_count = 0 is an invalid state, remove Stopped and probably get less code.

Maybe indeed it's better to get rid of invalid states by renaming pause_guard_count to, say, extra_pause_guard_cnt or just extra_pauses_cnt

[flub]

We could make pause_guard_count a NonZeroU32 so you can't create the Paused state with pause_guard_count=0. It avoids this "do we count from 0 or 1" ambiguity.

I'd leave Stopped as an explicit state, I think having stopped and paused as distinct cases makes it easier to reason about.

[iequidoo]

Another option is:

enum InnerSchedulerState {
    Started(Scheduler),
    Stopped(usize), // the number of pause guards
    Paused(NonZeroUsize)
};

[link2xt]

It is easier to count from 0 than use NonZeroU32. NonZeroU32 is very tricky, for example it has saturating_add, but no saturating_sub. It is not nice to work with at all.

[flub]

Another option is:

enum InnerSchedulerState {
    Started(Scheduler),
    Stopped(usize), // the number of pause guards
    Paused(NonZeroUsize)
};

Not sure I follow this one.

[link2xt]

If we start counting with 0 instead of 1, this can go to the else branch. If count is 0 and there are no additional guards, then stop, otherwise reduce the count.

[flub]

Updated with NonZeroUsize (usize makes much more sense for this, should have done that already before).

As the commit message points out: this adds a bunch of unwrap calls. All but one are safe: when incrementing the pause_guard_count by one it could panic if we take out too many guards. But that probably means there is already some other buggy code.

I'm not too fond of it though, if you panic in a tokio task you probably just quietly scream in the void. Our application setup does not handle this and does not log those panics so things would just break subtly while carrying on. The alternative is to allow .pause() to return a Result. Maybe that's not so bad.

[link2xt]

These .unwrap()s are not needed if you count from zero.

The point of NonZeroUsize is to use 0 as a value for None when it is wrapped as Option<NonZeroUsize>, but otherwise it is just harder to work with, you need all these .get()s and .unwrap()s.

[flub]

Yeah, I know NonZero* types do optimise storage (though was really disappointed to see it doesn't do it in this case, IIUC it totally could put the bool and NonZeroUsize in a single usize-sized word - not that this matters for us though). I still think it's a nice newtype, though it could be nicer to use indeed.

I'm a bit undecided. I think the current version is reasonable, but it does have unwrap calls. The signature has to change to return a Result<IoPausedGuard> in any case to be safe. If you both vote for usize + counting from zero I'm happy to change it.