[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [MirageOS-devel] Error handling in Mirage - request for comments!

Le mercredi, 11 fÃvrier 2015 Ã 16:18, Thomas Leonard a Ãcrit :

> I think someone who wants to advocate this style should check it /
> change it. It probably needs some worked examples showing it being
> used too.

Seems fine.  

However I disagree with most of the system 5 "problems": I think most of the 
presented problems are solved by providing the monadic combinators/operators 
for the error type and I don't see why this system is harder to explain to new 
users: many OCaml libraries already use that scheme.  

Two problem that exist and that are not mentioned is that you'll sometimes have 
to write explicit coercions (which shouldn't be too bad if you always take care 
to give a type name to sets of polyvars) and that type errors could sometimes 
get wild.  

> Yes, by definition. But what should the "intended scope" be, and how
> do we ensure the producer and consumers of the exception agree?

If you assume the only exceptions you'll get are programming errors then one 
point of view is the following: no exception should cross a component boundary. 

Mirage components are akin to plugins (except they are statically linked in), 
the only way to robustly deal with that is to protect any call to the component 
against spurious exceptions (here's an example using dynlink and first class 
module [1]).  

This burden can be put either on the component writer by type-forcing her to 
use a trap abstraction or at the component composition level by having a 
wrapping functor that forwards the calls but catches any spurious exceptions.  

In both cases the spurious exception should be converted to an appropriate 
`('a, [>`Internal_error of exn]) result` value so that the user of the 
component can further make a decision of what it wants to do with that. (In the 
linked example we log the spurious exception and return a default ~fail value 
to allow to continue the computation, a combinator could be provided for that).

This may seem heavy (all component functions return at least `('a, 
[>`Internal_error of exn]) result` values) until you realize you can provide 
users with functors that can implement error handling strategies to knowingly 
and robustly liberate you from part of the error handling. E.g. the behaviour 
of the linked example could be implemented by a functor that takes a Log module 
and a component implementation, internal errors would be logged and the functor 
would define a default behaviour for the `Internal_error cases. Altogether I 
think this system is much more robust and has much better compositional 
properties than using implicit exceptions.  



[1] Any call to the dynlinked module is protected by this function:


Here's an example of use:


MirageOS-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.