Exceptions

From MozillaWiki
Revision as of 22:46, 17 January 2008 by Dmandelin (talk | contribs) (note about qi change)
Jump to navigation Jump to search

This is a discussion and planning document for refactoring Firefox to use C++ exceptions. Briefly, this means:

  • Enabling exceptions in the compiler
  • Replacing nsresult returns and checks with throw and catch statements
  • Changing getter methods to return their results directly (see outparamdel) instead of through pointer-typed parameters

The goal is to do all this without changing the behavior of Firefox, thus not introducing bugs. A somewhat more ambitious goal is to then refactor Firefox methods to be exception-safe as well, which will help avoid future bugs and may even eliminate a few existing bugs.

Benefits of Exceptions

The main reason for using exceptions is improving developer productivity. Hopefully, error handling code will become cleaner and more concise, and modifying code will be easier. outparamdel will make it easier to call getter methods. The error-handling overhaul might even come close to entirely nuking code relating to OOMs and null outparam pointers.

We don't know what the performance effects will be, but it's expected they will be minimal either way. Exceptions can increase performance because error tests are no longer needed in the common success case, output values can be returned directly, and inline code for propagating errors is removed. But exceptions can reduce performance because throwing and catching them is relatively expensive and the catch tables take up space.

General Plan

This section attempts to list all the changes that need to be made to make Firefox use exceptions. As much as possible, we'd like to break this process down into small steps and schedule them in an efficient order. (TBD)

Enabling Exceptions in the Compiler

An essential step is to enable exceptions in the compiler. By itself, this shouldn't do too much, but it may change the behavior of operator new in OOM conditions to throw exceptions instead of returning a null pointer. We'll want to do that eventually, anyway.

Taras: Exceptions are already occurring the code https://bugzilla.mozilla.org/show_bug.cgi?id=353144#c70

"Generic" Exceptions

There are several FF-specific issues with exceptions, which are discussed below. In this section, we discuss how to make FF use C++ exceptions for "generic" error conditions.

nsresult return types will be changed to void. This affects the IDL header file generator, hand-written declarations, and implementation method signatures.

An exception type hierarchy needs to be created to replace error codes. There is an opportunity here to include extra information in the exception object.

Statements like return NS_ERROR_FOO will be replaced with throw statements.

Call sites of nsresult methods need to be updated to handle exceptions instead of testing error codes. The key is to preserve current behavior. Call sites fall into a few categories:

Ignore nsresult. Call sites that ignore the nsresult must be wrapped in try { call() } catch {}. If we can prove that the call will never throw an exception, which we can currently do for about 1/3 of this category, we could remove the wrapper. However, this is potentially dangerous for the future: the called method may someday throw or propagate exceptions. Thus, it is better to make the call site exception-safe before removing the wrapper.

Propagate nsresult. This is when the method containing the call site simply propagates the error code to its caller without executing any other code (except destructors). The macro NS_ENSURE_SUCCESS does this. This category is very nice: with exceptions, there is no error handling code at all. To remove the existing error handling code, we can simply remove the assignment of the error code out of the call site and remove the return statement. This may create a dead rv variable, which can be deleted as a (conceptual) separate step.

We place call sites that log the error into this category as well: logging will be needed less with exceptions.

Compensate, then propagate nsresult. This is when the method containing the call site propagates the error code, but only after running compensation code. Compensation code restores some invariant that would otherwise be lost. The prototypical example is releasing resources to avoid leaks.

The preferred (by the designers of C++) pattern for this scenario is to create a stack object whose destructor maintains the invariant. This is particularly easy to do if the nsresult compensation code executes for both the failure and success cases: we wrap the compensation code in an object destructor and define an instance just before the call site.

If the compensation code currently runs only in the error case, then a direct translation cannot be made using compensation objects. The direct translation would be try { call() } catch { compensate(); throw e; }. However, it may be that for some call sites it is possible to express the error handling code using a stack compensation object.

Compensate, then return other nsresult. This is just like the previous case, except that a different error code is returned. In this case, we must use a catch block so that we can throw a new exception--propagation won't preserve the existing behavior. But we could still use stack compensation objects for compensation, and place only the new throw in the catch block.

But we might prefer to propagate the exception--the error handling code is simpler, and the stack trace is preserved. This would require more changes in the calling code.

Compensate, then continue. This is like the previous case, except that no error code is returned--execution continues. Again, because we are not propagating the exception, we need a catch block. Again, we do have the option of using stack compensation objects and an empty catch block.

Special Case Error: OOM

In current FF, new returns a null pointer when OOM, but with exceptions enabled, it will throw std::bad_alloc.

On most platforms, this shouldn't matter too much, as true OOMs are rare anyway. But we would of course like FF not to crash in this case, which requires catching std::bad_alloc. The easy way to do this is to refactor these call sites as described for generic errors. A more ambitious solution is to remove most of the catch blocks for OOMs, make the call sites exception-safe, and catch OOMs at a high level. That way, there would be very little code devoted to OOM handling.

Code that allocates memory by means other than new (e.g., malloc) will need to be changed to throw std::bad_alloc on failure.

Special Case Error: XPCOM Infrastructure

QueryInterface has been redesigned so that it never throws an exception. It returns a null pointer on failure, and callers must check for it if there is a possibility of failure. (Many QueryInterface calls are guaranteed to succeed.) (Note: the redesign hasn't been checked in to trunk yet.)

GetService may be handled the same way. (TBD)

CreateInstance might also generate OOMs only, although other failure modes are possible. (TBD)

XPConnect

XPConnect needs to be rewritten so that when JavaScript calls C++, the FFI catches C++ exceptions and generates JavaScript exceptions if necessary. Also, when C++ calls JavaScript, C++ exceptions should be generated in response to JavaScript exceptions. This is potentially a lot of work, because there are separate XPConnect implementations for every platform and compiler.

outparamdel

With exceptions in place, nsresult methods become void-returning methods. Thus, methods with an "outparam" (more formally, a pointer-typed argument designated for passing a result out of the called method) will be able to place their result directly in the return value. This will make life easier for programmers and may save a few processor cycles.

We already have a tool called outparamdel for doing this refactoring. It hasn't been used yet because it can't really be done before exceptions. (Many getter methods always succeed, so we could technically apply outparamdel without exceptions, but it's risky because it assumes (a) the method will never be changed so that it can fail, and (b) the method isn't implemented in JavaScript. Neither assumption is safe.)

Automated Refactoring

There are on the order of 50,000 call sites affected by the refactoring to use exceptions, so we want to automate as much as possible. All of the basic patterns discussed above can be detected by static analysis and rewritten automatically, although there are always corner cases that are difficult to automate. We hope the corner cases are a small fraction that can be fixed by hand in reasonable time.

Code Text Quality

One key issue with automatic rewriting is the quality of the resulting source code text from a human reader's point of view. We don't want to automatically produce ugly exception code--one of our top-level goals is to make the code more readable.

This issue needs work. We'll probably have to discover the requirements through trial and review.

Static Analysis Infrastructure

Refactoring relies on static analysis to (a) detect patterns to be refactored, and (b) verify the safety of the refactoring. Verifying the safety of the refactoring means ensuring that the refactored program will behave identically to the original. Note that the safety verification is typically not sound--sound refactorings are very hard to create. But we hope to create "almost sound" refactorings that will work in practice. Of course, the refactored code must always be reviewed and tested.

Our static analysis infrastructure includes [Pork]-Oink/Elsa, [Dehydra] Classic, and Dehydra GCC. We can already do a decent job on many of the exceptions refactorings using this infrastructure. The only thing we really miss at this point is an abstract interpretation framework based on intraprocedural CFGs. We also lack an alias analysis, but we don't think precise alias analysis is important for this task.

Refactoring patterns

Here we discuss automatic refactoring as applied to each pattern described above.

Ignore

For the ignore pattern, we need an analysis to detect ignored nsresult return values and then a rewriting to wrap the call in a try block with empty catch. Optionally, the rewriting can also produce an annotation (comment or macro) at call sites that always succeed (assuming no JavaScript implementations) to aid in the later process of making the code exception-safe.

The ignore analysis can be formulated like this: A call site return value is ignored if along all forward code paths the value never reaches the condition of a branch statement and never escapes the method by being stored in a field, global variable, outparam, or argument of a called method.

To be accurate, the analysis really should be flow-sensitive (i.e., trace forward paths, and pay attention to statement ordering), because the same rv variable is often used for the results of many calls.

This analysis has been coded as a Dehydra script, and it works fairly well. But there is a limitation because there are too many paths to explore them all in Dehydra, which introduces unsoundness. However, the analysis could be expressed efficiently and without this unsoundness using abstract interpretation.

The rewriting is simple: the call expression is wrapped in a try block with empty catch. We need to think about whether this should be done with a macro, inline on one line, or on more than one line.

Propagate

For the propagate pattern, we need an analysis to detect call sites that on error immediately return the same error code, and a rewriting to remove the error code storage, testing, and return.

The propagate analysis can be formulated like this: A call site return value is propagated directly if along all forward code paths where the value is non-zero the value is returned before any side effects other than logging occur. Side effects include writing to a variable that escapes the method or calling another method.

Dehydra is a good fit for this analysis because in practice, this pattern can be detected or rejected by exploring very short paths forward from the call site: typically either the value is returned or a side effect is produced almost immediately.

One problem with producing this analysis in Dehydra is that Dehydra doesn't represent if conditions precisely. Dehydra is good at detecting things like if (NS_FAILED(rv)) (assuming that we have patched FF to make NS_FAILED an inline function, which we have), but doesn't detect things like if (NS_FAILED(rv) || foo). The simple case is the most common, so we might be able to get away with doing the more complex ones manually, but the complex cases are common enough that they are probably worth automating as well.

Rewriting propagate sites is potentially tricky, because the analysis property is defined over control-flow paths, but rewriting source code generally operates on ASTs. Hence, we're not prepared to say just yet how this will work in detail, only a general description: The basic idea that all code paths where the value is nonzero should be deleted (because they will never be reached when an exception is thrown) and all code paths where the value is zero should be specialized for a zero value.

Compensate and Propagate

The analysis conditions to detect the compensate and propagate pattern: (a) the call site is not an ignore or propagate, and (b) every path where rv is nonzero reaches ends by returning rv.

Rewriting: TBD

Compensate and Rethrow

The analysis conditions to detect the compensate and rethrow pattern: (a) the call site is not an ignore or propagate, and (b) every path where rv is nonzero reaches ends by returning a non-rv error code.

Rewriting: TBD

Compensate and Continue

The analysis conditions to detect the compensate and rethrow pattern: (a) the call site is not an ignore or propagate, and (b) every path where rv is nonzero eventually joins the paths where rv is zero.

Rewriting: TBD

Retrieved from "https://wiki.allizom.org/index.php?title=Exceptions&oldid=80206"