Conversation
|
@dbuenzli, does it correspond to what you want? |
|
I'm not exactly sure I understand the distinction you are trying to make and/or if that is really needed. Maybe listing the cases for For example the comment by @xavierleroy's from 8630 you linked to says:
As far as I'm concerned this is
From a high-level perspective what I want is the ability when programming from C, to have enough hooks to be able to treat the OCaml system as a library, including if the OCaml system fails in some way, so that I can shutdown and restart it rather than having it |
|
Thanks for having a look.
The distinction is not mine, it is current OCaml's. When switching fatal_error to abort by default, some calls to exit have explicitly been excluded from the change. When trying to understand why, one finds the above guideline distinguishing between "internal runtime errors" and "errors in user code". This patch is not about whether there should be such a distinction or not, but whether to give the user the possibility to customise remaining calls to exit.
I am not sure this would help clarify, because the main purpose of the patch is not to change this distinction (and I hope saying so clarifies), and I do not have strong opinions on which particular error falls in which category. But if the principle of the patch (first commit) is accepted, there is indeed the opportunity to decide that some calls to fatal_error should actually be fatal_user_error (second commit). This is optional and secondary, but if deemed desirable then it is good to do it for 4.10 to avoid switching back and forth between abort and exit. Let's first discuss the principle (first commit).
I am not sure this is the best example indeed. Have a look for instance at calls to fatal_user_error introduced in the first commit (e.g. calls to exit which are being factored), or in the second commit (e.g. out_of_memory which arguably come from bugs in user code).
This patch works towards this goal, by making remaining calls to exit(2) in the runtime customisable, and ensuring that I won't have to introduce further naked calls to exit(2) in the future. My feeling around this patch is that I'll need you to champion it/help me make it right, otherwise it might take a while before we (I) revisit this idea again. Hope this helps. |
No problem. I'll try to have a deeper look some time until next monday. |
|
I had a closer look at this and I remain unconvinced that a new error path and hook should be introduced for this. I still find the distinction between user and runtime error to be rather contentious e.g. labelling an out of memory error like here: as a user error is dubious to me. I think that if it is thought to be important to be able to distinguish between fatal errors, then we should rather have a precise account of the actual error condition using an error code rather than have multiple hooks with a contentious notion ("user" error). In other words I would rather call for a change in the signature of This would allow for example to 1) funnel the current This would then allow to reach the following design goal: The runtime system always either exits normally, by explicit user program choice, via P.S. (I noticed along the way there are also a few stray |
ba6bf3d to
5dce3bf
Compare
|
Thank you again for the feedback. A couple of points:
One thing I can propose is to merge the two fatal hooks into one and have it take an error enum as an argument. Only the wrappers would differ. However, I still do not see the need for more than two wrappers caml_fatal_error and caml_fatal_user_error (the first one has to remain for backwards-compatibility so we have at least 2 wrappers). |
Being revolutionary or not is besides the point, this PR proposes something new to solve an exisiting problem, and I don't think this new thing is appropriate. I'm only suggesting another way to go about these things.
What I wrote is that as a C observer of the OCaml runtime system I should only ever witness a termination of the runtime system either via
I don't really see what's wrong with simply calling |
|
I agree with many things you wrote. Let us focus on the topic of the current PR: avoiding naked I would disagree with changing the current PR into any of the following:
IIUC, we disagree over 2. My concern is:
I mean, I do not exclude volunteering for it, but I would need to hear strong support for your idea before I start coding anything. In addition, I am concerned that this is a bit of work and that the deadline for this idea is OCaml 4.10. With this in mind, I see two solutions where there are two fatal error functions and:
Another thing to think about is whether although imperfect for you, this can be a step in the good direction, that can be improved later. |
|
@gadmm I don't really know what to say, I'm kind of repeating myself at that point. I have the impression we should not multiply the hooks for abnormal termination and I do not find the notion of "user" error to be meaningful or precise. When people will develop the runtime system and need to terminate the system they will constantly have to ask themselves is this a Maybe a core dev should chime in with his own view on this. (Also personally I rather have a good solution in say 4.11 than rush something in 4.10 to have it changed later) |
|
Of course, I mention 4.10 only because there will be fewer options after the current mechanism reaches users. I would rather see the number of fatal error situations decrease rather than increase, that's why I do not see this dilemma arising. I also suspect that the categorisation of errors would be less clear-cut than you suggest. The mechanism for handling serious errors programmatically is exceptions. The hope with the approach of merely consolidating the current practice was to avoid discussing the semantics of fatal errors, about which I do not have opinions. For now I do not see this PR converging (but that's ok). |
|
I come back to this PR to decide what to do with it. One proposed alternative is now ruled out due to the freeze of 4.10 (and the signature of its I have a couple of questions to decide:
Without waiting for an answer, I will assume it is "yes" because this sounds sensible to me.
If not I keep pushing for the current solution because I sympathize with the goal 1) and the current PR is the most straightforward one to achieve it, possibly with amendments if you wish. It is better to have a solution rather than hopefully wishing for an ideal solution which never comes. One interest for the current patch is that it reverts the default behaviour on fatal out of memory situations to exiting instead of aborting, and I have read comments from at least two people here who reported that doing a core dump on a out of memory situation is a very bad idea. |
This introduces a new kind of fatal error,
caml_fatal_user_error, denoting unrecoverable error in user code, which by default calls exit(2) and is customisable with a dbünzli-hook. This is inspired by the guideline from #8630 (review). According to it,caml_fatal_error, which now callsabort, should only be used for internal runtime failures. I needed a fatal error which denotes an error in user code at #8962. Then I noticed that some actual uses of caml_fatal_error would be better as caml_fatal_user_error (mainly related to out of memory conditions). Overall, I do not have strong opinions on this patch. On the principle of a new function for error in user code, I think it corresponds to current usage in the compiler codebase (some calls to exit(2) are factored and now customisable), and to what people want according to what I read on this github. On the changing of some fatal_error into fatal_user_error, this is subjective, and I don't care that much. It is open to unlimited bikeshedding.If the principle of the patch is accepted, then it is good to have it in 4.10 to avoid changing between abort/exit semantics back and forth.