Exceptions

From MozillaWiki
Revision as of 12:45, 17 January 2008 by Magicdice (talk | contribs) (Fix wiki links to outparamdel)
Jump to navigation Jump to search

This is a discussion and planning document for refactoring Firefox to use C++ exceptions. Briefly, this means:

  • Enabling exceptions in the compiler
  • Replacing nsresult returns and checks with throw and catch statements
  • Changing getter methods to return their results directly (see outparamdel) instead of through pointer-typed parameters

The goal is to do all this without changing the behavior of Firefox, thus not introducing bugs. A somewhat more ambitious goal is to then refactor Firefox methods to be exception-safe as well, which will help avoid future bugs and may even eliminate a few existing bugs.

Benefits of Exceptions

The main reason for using exceptions is improving developer productivity. Hopefully, error handling code will become cleaner and more concise, and modifying code will be easier. outparamdel will make it easier to call getter methods. The error-handling overhaul might even come close to entirely nuking code relating to OOMs and null outparam pointers.

We don't know what the performance effects will be, but it's expected they will be minimal either way. Exceptions can increase performance because error tests are no longer needed in the common success case, output values can be returned directly, and inline code for propagating errors is removed. But exceptions can reduce performance because throwing and catching them is relatively expensive and the catch tables take up space.

General Plan

This section attempts to list all the changes that need to be made to make Firefox use exceptions. As much as possible, we'd like to break this process down into small steps and schedule them in an efficient order. (TBD)

Enabling Exceptions in the Compiler

An essential step is to enable exceptions in the compiler. By itself, this shouldn't do too much, but it may change the behavior of operator new in OOM conditions.

Exceptions for OOM

In current FF, new returns a null pointer when OOM, but with exceptions enabled, it will throw std::bad_alloc.

On most platforms, this shouldn't matter too much, as true OOMs are rare anyway. But we would of course like FF not to crash in this case, which requires catching std::bad_alloc.

With exceptions for OOM, we should be able to delete code that returns or reacts to NS_ERRROR_OUT_OF_MEMORY.

Also, code that allocates memory by means other than new (e.g., malloc) will need to be changed to throw std::bad_alloc on failure.

Exceptions for nsresult rv != NS_OK

The big cross-cutting change is that methods will no longer return error codes, but rather throw exceptions.

nsresult return types will be changed to void. This affects the IDL header file generator, hand-written declarations, and implementation method signatures.

An exception type hierarchy needs to be created to replace error codes. There is an opportunity here to include extra information in the exception.

return NS_ERROR_FOO will be replaced with a throw statement.

Call sites that ignore exceptions will need to be wrapped in a try block with an empty catch block.

Call sites that simply forward error codes to their caller need no error handling.

Call sites that test for errors and run fixup code will need to be either (a) wrapped in a try block with a catch block containing the fixup code or (b) preceded by stack allocation of a http://en.wikipedia.org/wiki/Resource_Acquisition_Is_Initialization RAII] object in an appropriate scope.

XPConnect needs to be rewritten so that when JavaScript calls C++, the FFI catches C++ exceptions and generates JavaScript exceptions if necessary. Also, when C++ calls JavaScript, C++ exceptions should be generated in response to JavaScript exceptions. This is potentially a lot of work, because there are separate XPConnect implementations for every platform and compiler.

Functions with Special Requirements

QueryInterface may be redesigned so that it never throws an exception. It will simply return a null pointer on failure, and callers must check for it if there is a possibility of failure. (Many QueryInterface calls are guaranteed to succeed.)

GetService may be handled the same way. (TBD)

CreateInstance might also generate OOMs only, although other failure modes are possible. (TBD)

nothrow Functions

Some methods always return NS_OK. In this case, the nsresult returned is pure waste, and the translation to use exceptions is particularly easy: all return statements are stripped of their value, call sites that ignore the result are unchanged, and call sites that test the value are partially evaluated for the return value NS_OK.

One problem with this is that functions that never throw an exception today might someday be changed to throw an exception. Their call sites might then behave incorrectly when exceptions are thrown.

One "solution" to this problem that isn't currently being planned is to annotate methods as nothrow and check this annotation in the compiler. First, these extra annotations are annoying and inflexible (q.v. checked exceptions in Java). Second, they aren't checked by a standard compiler, so chances are, they will eventually become wrong.

The approach now under consideration is simply to be very careful about introducing new throw statements.

The definitive solution, also under consideration, is to make FF methods exception-safe. This means that even when an exception is thrown, all program invariants are maintained. The most common invariant to be maintained is not to leak memory or other resources. However, there are other invariants, such as counters and flags, that must also be protected.

outparamdel

(TBD)

Automated Refactoring

(TBD -- make sure to include code text quality issues.)

Static Analysis

The rest of the document (which needs rewriting to fit in better) is about how to use static analysis to help refactor Mozilla to use C++ exceptions instead of nsresults. In particular, this is about how to modify the call sites of methods so that the code uses exception handling and is exception safe.

The main goal of the rewriting is to make the code use exceptions instead of nsresults without modifying the behavior of the code. This breaks down into:

  • Ensuring that methods that don't crash now don't crash by throwing an unhandled exception.
  • Ensuring that the error handling code at the call sites runs under the same conditions and does the same thing. (Effectively, we are assuming that the current error handling is correct, and that replicating that behavior with exceptions will result in exception-safe code.)

Call sites that ignore nsresult return values

One case where we don't necessarily want to keep current behavior is at call sites that ignore their return values: 

 callSomeMethodThatCanFail();

This is probably a bug, so we want a tool that can find and flag all of these results. After the bugs are fixed, any remaining call sites that really should ignore failures can be rewritten automatically to ignore exceptions.

Note that the following pattern is not an ignored nsresult return value: 

 rv = callMethod();
 return rv;

This pattern can be rewritten to use exceptions (by simply letting any exceptions propagate up to the caller) with the techniques described in the section on making call sites exception safe.

Analysis to detect ignored return values

Roughly, the analysis should flag all call sites where:

  • the method is not guaranteed nothrow (i.e., the method can fail)
  • there is no branch on NS_FAILED(rv) or NS_SUCCEEDED(rv)

The easy way is to look for if statements where the condition contains NS_FAILED(rv) or NS_SUCCEEDED(rv). But that's not perfect, because of things like:

  • Calling NS_FAILED directly on the function without a variable
  • Assigning the rv or the NS_FAILED test result to a variable then branching later
  • Overwriting the value of rv before the test (so the rv isn't actually branched on)

The current thrower tool catches many of these cases but not all. It's believed that (a) thrower only produces false positives, not false negatives, and (b) doesn't produce too many false positives on Mozilla.

Rewriting ignored return values

If it turns out most of these are bugs, we can just flag them for manual repair.

On the other hand, if almost all of these sites are correct code, then we can handle an ignore site like this: 

 callMethod();

by rewriting it to this: 

 nsresult rv = callMethod();
 if (NS_FAILED(rv)) {}

and letting the full rewriting algorithm rewrite this to use exceptions. Or, we could rewrite it directly as: 

 try {
   callMethod();
 } except (nserror e) {}

The latter pattern can be expressed with a macro. (dmandelin: But macros are bad, right? I'd vote for no macros here.)

Making call sites exception safe

Most call sites do check for errors and respond somehow. This section is about how to rewrite those call sites.

We'll start with the assumption that call sites adhere to a simple pattern that's relatively easy to rewrite, namely: 

 nsresult rv = callSomeMethod();
 // note1: no code between call & rv test -- such code can of course be
 //        accommodated with exceptions but requires more design
 // note2: also accept NS_SUCCEEDED(rv) with code in opposite then/else branches
 if (NS_FAILED(rv)) {
   maybe fixup();
   return rv OR return NS_ERROR_FOO or return 0;
 } else {
   maybe do_stuff();
 }

This requires a static analysis that finds all call sites that don't match this pattern so they can be flagged for manual rewrite.

Given the simple pattern, the rewrite looks like this: 

     try {
         callSomeMethod();
         maybe do_stuff();
     } except (nserror e) {
        maybe fixup();
        maybe throw NS_ERROR_FOO; // if original returns new error code
        maybe return;             // if original returns 0
     }

The thrower tool handles some instances of this pattern. (dmandelin: I don't know exactly what thrower can do at this point.)

But there are at least two big practical problems with this rewrite.

First, when the original code failure case ends with 'return rv', the natural thing to do with exceptions is let the exception propagate. (If we use the rewrite above, we're cutting off the stack trace, which is bad for debugging.) If there is no 'fixup' code, then this is easy: just have no try block. If there is 'fixup' code, then we should rewrite to use a compensator object: 

 // class created to run fixup
 class SomeCompensator {
   ~SomeCompensator() { fixup(); }
 };

 // call site
 SomeCompensator();
 callSomeMethod();

This is the style recommended by C++ authorities. The problem here is that the code is no longer equivalent to the original nsresult code: the fixup is run on success as well as failure. We still might be able to produce this rewriting automatically, but we need to know more about how the fixups appear in our code and how they can be identified.

Besides fixups, the current nsresult code often logs errors or runs assertions. With exception stack traces, logging should be less important, but assertions are a real issue. We need to decide out how the assertion sites should behave with exceptions and then figure out how to implement that in C++.

The second problem is that the if condition is often a little more complicated than what our pattern allows. We also have:

  • NS_FAILED(rv) || foo
  • NS_FAILED(rv) && foo
  • NS_FAILED(rv1) || NS_FAILED(rv2)
  • NS_FAILED(rv1) && NS_SUCCEEDED(rv2)

Above, we said we'd flag these for manual fix, but some of them, like the first two, are pretty common and we might want to fix them automatically. The first two cases seem fairly easy to handle, but we need more information on how they're being used.

nothrow methods

Methods that never fail are the easiest to handle: exception safety at call sites is free. These are called nothrow methods following the Effective C++ terminology. We can remove all exception handlers protecting nothrow call sites, making the code shorter and easier to read.

We'll assume that any method implemented in JavaScript can fail and throw an exception, so the nothrow analysis is restricted to methods implemented in C++. The prime example is property retrieval methods.

GNU attribute syntax

Microsoft C++ nothrow attribute syntax

nothrow analysis

There are three ways a method can fail:

  • By returning a non-zero (non-NS_OK) value,
  • By calling another nsresult method that can fail (i.e., is not nothrow),
  • By using a C++ feature that can throw an exception. The primary example is allocating memory with new. new badness

The static analysis must be designed to detect any of these conditions. Because it's hard to know what method will be called in C++, a good starting point for the analysis would be to say that a method is nothrow if it can only return 0, does not invoke new, and does not call any other method. If this doesn't pick up enough nothrow methods, we can either do it by hand or augment the analysis with a simple call graph construction.

Retrieved from "https://wiki.allizom.org/index.php?title=Exceptions&oldid=80144"