feat(local): explicit close with error checking for LocalFileSystem

[jgiannuzzi]

Which issue does this PR close?

Implements one part of #661.

Rationale for this change

See issue. This PR is limited to explicitly calling close on written files with error checking.

What changes are included in this PR?

• Add close_file() helper that calls libc::close() (Unix) / CloseHandle (Windows) directly and propagates errors, instead of relying on File::drop(). Note that this uses unsafe, like in the platforms' respective drop() implementations.
• Apply both to the put and put_multipart (via LocalUpload) code paths.
• Add libc (Unix) and windows-sys (Windows) as optional dependencies behind the fs feature for their respective platforms.
• Add unit test verifying close_file detects EBADF when the file descriptor is closed behind Rust's back. This is just to validate that close_file properly returns the OS error.

Are there any user-facing changes?

Close errors are now detected and propagated as Error::UnableToCopyDataToFile. Previously these were silently ignored. This is a correctness improvement but could surface errors that were previously hidden.

[crepererum]

Since we already depend on nix, could we use that library on Unix instead?

https://docs.rs/nix/latest/nix/unistd/fn.close.html

[jgiannuzzi]

nix was only used as a dev dependency which is why I went with libc instead, cutting down the middleman (nix uses libc under the hood). I am happy to use nix instead though, as it simplifies this piece of code significantly.

[crepererum]

I think nix is a fine choice here and keeps the dev and prod world kinda in-sync 👍

[crepererum]

This test tests the new function that you've just added. However I somewhat fail to see what actual error case you're trying to prevent here. The file descriptor isn't exposed to the API user of object_store. In #661 you reference pola-rs/polars#21002 but that issue is about polar's own file handling, not about object_store. Also you say this is an alternative to fsync, but that's not true. Closing the file doesn't give you ANY guarantees with regards to durability. So what concrete order of events leads to a case where the additional error check (via the manual FD close) would help?

[jgiannuzzi]

This test is just validating our logic by emulating a failure case.

The actual failure that can happen is when using a remote file system (e.g. NFS) and suffering from an underlying issue with the mount. In this case, the close could fail because some previous queued writes failed and checking the close return code allows the calling application to know that something failed, even if fsync wasn't called.

See this comment on the Polars issue for more details: pola-rs/polars#21002 (comment)

I don't think I claimed this was an alternative to fsync. It's rather a way to make sure these errors are reported to the caller. For durability guarantees, fsync remains required (and I think this should be part of another PR).

[crepererum]

Ah, NFS our old friend 😁 . This makes sense, thank you!

[crepererum]

BTW: you could also call close_file twice and expect that the 2nd call fails. That would make this test here also work on Windows.

[jgiannuzzi]

Good point! I've updated the Unix test and added a Windows version of it. Sadly I still need to use a raw fd/handle in order to not consume the file and be able to close it twice. Thank you Rust for generally preventing misusing APIs! (That's not sarcasm 😅)

[jgiannuzzi]

hey @crepererum, could you please take another look at this?

[crepererum]

Looks good, thank you!