Use new ExitCode type and values, change ActorError to make bad exit codes less likely #191
Conversation
| @@ -36,6 +35,8 @@ pub enum Method { | |||
| Collect = 4, | |||
| } | |||
|
|
|||
| pub const ERR_CHANNEL_STATE_UPDATE_AFTER_SETTLED: ExitCode = ExitCode::new(32); | |||
There was a problem hiding this comment.
Calling attention to this actor-defined exit code, as an example.
| @@ -61,6 +61,8 @@ pub enum Method { | |||
| CurrentTotalPower = 9, | |||
| } | |||
|
|
|||
| pub const ERR_TOO_MANY_PROVE_COMMITS: ExitCode = ExitCode::new(32); | |||
There was a problem hiding this comment.
Another actor-specific exit code.
actors/runtime/src/actor_error.rs
Outdated
| } | ||
| pub fn internal_send_aborted(msg: String) -> Self { | ||
| // TODO use symbolic constant for USR_SEND_ABORTED when it's defined. | ||
| Self { exit_code: ExitCode::from(24), msg } |
There was a problem hiding this comment.
Tada! I can define this in builtin-actors without waiting for an enum update in FVM.
actors/runtime/src/runtime/fvm.rs
Outdated
| @@ -60,7 +60,7 @@ impl<B> FvmRuntime<B> { | |||
| fn assert_not_validated(&mut self) -> Result<(), ActorError> { | |||
| if self.caller_validated { | |||
| return Err(actor_error!( | |||
| SysErrIllegalActor, | |||
| unspecified, // FIXME is this the right one? | |||
There was a problem hiding this comment.
Review: which standard exit code should we use for caller validation errors?
There was a problem hiding this comment.
Currently, this would be "unspecified". But maybe we do need an extra USR_ASSERTION_FAILED error.
actors/runtime/src/runtime/fvm.rs
Outdated
| @@ -263,28 +261,40 @@ where | |||
| value: TokenAmount, | |||
| ) -> Result<RawBytes, ActorError> { | |||
| if self.in_transaction { | |||
| return Err(actor_error!(SysErrIllegalActor; "runtime.send() is not allowed")); | |||
| return Err(actor_error!(unspecified; "runtime.send() is not allowed")); | |||
There was a problem hiding this comment.
Review: which standard exit code for state transaction violations?
actors/runtime/src/runtime/fvm.rs
Outdated
| match fvm::send::send(&to, method, params, value) { | ||
| Ok(ret) => { | ||
| if ret.exit_code.is_success() { | ||
| Ok(ret.return_data) | ||
| } else { | ||
| Err(ActorError::from(ret.exit_code)) | ||
| // The returned code can't be simply propagated as it may be a system exit code. | ||
| Err(ActorError::internal_send_aborted(format!( |
There was a problem hiding this comment.
Here's where failures of internal sends are caught.
There was a problem hiding this comment.
Won't this hide the error code from the caller?
There was a problem hiding this comment.
Right. As noted elsewhere, returning ActorError from send isn't appropriate. I'm wary of breaking the consistency with other runtime methods, but maybe I'll try fixing this one now.
| } | ||
| } | ||
| Err(err) => Err(match err { | ||
| // Some of these errors are from operations in the Runtime or SDK layer | ||
| // before or after the underlying VM send syscall. |
There was a problem hiding this comment.
See my commentary here as I was trying to get to grips with things. I'm reaching the conclusion that error numbers are not good as error values, because context is lost and it's hard to know if the right message is being attached later.
There was a problem hiding this comment.
They seem to be only enough in the case we are okay with loosing that information, otherwise we must track additional information
There was a problem hiding this comment.
We're using "numbers" here (in the syscall interface) because they're consensus critical and we want to keep things as "simple" as possible. If we can't distinguish between two cases, we should add additional exit codes for that. But I think all cases are covered.
https://github.com/filecoin-project/fvm-specs/blob/main/07-errors.md#error-numbers-by-syscall should tell you exactly what each error number means with respect to each syscall.
There was a problem hiding this comment.
See my commentary here as I was trying to get to grips with things. I'm reaching the conclusion that error numbers are not good as error values, because context is lost and it's hard to know if the right message is being attached later.
Or are you referring to the exit code in ActorError? In that case, I agree. My attitude there is:
- At the point where we can definitively say "we should exit with some specific exit code", we should just exit with that exit code (abort).
- Before then, we should return descriptive (structured) errors.
There was a problem hiding this comment.
"Here" is not the syscall interface, though. It's calling the SDK, which has more code and makes multiple syscalls. We need a descriptive structured error here. Propagating an error number is an antipattern.
| value, *balance | ||
| return Err(ActorError::unchecked( | ||
| ExitCode::SYS_SENDER_STATE_INVALID, | ||
| format!("cannot send value: {:?} exceeds balance: {:?}", value, *balance), |
There was a problem hiding this comment.
The mock has to replicate what the FVM would do sometimes. I have a hunch that ActorError is not a good type to return from the Runtime API.
Actually this code might be wrong, and it should be an "internal send failed", masking the system code.
There was a problem hiding this comment.
yeah using an ActorError here seems weird at best, wrong at worst.
There was a problem hiding this comment.
As Steb points out elsewhere, we don't want to mask the system exit code either, we just can't propagate it.
There was a problem hiding this comment.
See #197 for a possible fix
| @@ -965,51 +965,64 @@ impl Syscalls for MockRuntime { | |||
| ) -> anyhow::Result<Cid> { | |||
| let exp = | |||
| self.expectations.borrow_mut().expect_compute_unsealed_sector_cid.take().ok_or_else( | |||
| || actor_error!(ErrIllegalState; "Unexpected syscall to ComputeUnsealedSectorCID"), | |||
| || actor_error!(illegal_state; "Unexpected syscall to ComputeUnsealedSectorCID"), | |||
There was a problem hiding this comment.
The mock is totally messed up here. It should not be returning ActorError for mock expectation violations.
| @@ -24,7 +24,7 @@ impl ActorDowncast for anyhow::Error { | |||
| match downcast_util(self) { | |||
| Ok(actor_error) => actor_error.wrap(msg), | |||
| Err(other) => { | |||
| ActorError::new(default_exit_code, format!("{}: {}", msg.as_ref(), other)) | |||
| ActorError::unchecked(default_exit_code, format!("{}: {}", msg.as_ref(), other)) | |||
There was a problem hiding this comment.
This downcasting smells iffy, but is used a lot.
There was a problem hiding this comment.
Yeah, the solution to this is: remove the usage of anyhow in all the ipld crates (amt,hamt, blockstore,encoding) using conrete error enums. anyhow is great as a "Final" error type, but not as a generic error from which you want to retrieve the original error again. (I have some wip code that does this, but it's a bit more work to finish)
There was a problem hiding this comment.
this is now implemented in filecoin-project/ref-fvm#463
actors/runtime/src/runtime/fvm.rs
Outdated
| @@ -60,7 +60,7 @@ impl<B> FvmRuntime<B> { | |||
| fn assert_not_validated(&mut self) -> Result<(), ActorError> { | |||
| if self.caller_validated { | |||
| return Err(actor_error!( | |||
| SysErrIllegalActor, | |||
| unspecified, // FIXME is this the right one? | |||
There was a problem hiding this comment.
Currently, this would be "unspecified". But maybe we do need an extra USR_ASSERTION_FAILED error.
actors/runtime/src/runtime/fvm.rs
Outdated
| @@ -60,7 +60,7 @@ impl<B> FvmRuntime<B> { | |||
| fn assert_not_validated(&mut self) -> Result<(), ActorError> { | |||
| if self.caller_validated { | |||
| return Err(actor_error!( | |||
| SysErrIllegalActor, | |||
| unspecified, // FIXME is this the right one? | |||
actors/runtime/src/runtime/fvm.rs
Outdated
| @@ -263,28 +261,40 @@ where | |||
| value: TokenAmount, | |||
| ) -> Result<RawBytes, ActorError> { | |||
| if self.in_transaction { | |||
| return Err(actor_error!(SysErrIllegalActor; "runtime.send() is not allowed")); | |||
| return Err(actor_error!(unspecified; "runtime.send() is not allowed")); | |||
actors/runtime/src/runtime/fvm.rs
Outdated
| match fvm::send::send(&to, method, params, value) { | ||
| Ok(ret) => { | ||
| if ret.exit_code.is_success() { | ||
| Ok(ret.return_data) | ||
| } else { | ||
| Err(ActorError::from(ret.exit_code)) | ||
| // The returned code can't be simply propagated as it may be a system exit code. | ||
| Err(ActorError::internal_send_aborted(format!( |
There was a problem hiding this comment.
Won't this hide the error code from the caller?
actors/runtime/src/runtime/fvm.rs
Outdated
| // How do we know the receiver is what triggered this? | ||
| // An error number doesn't carry enough information at this level | ||
| // above the raw syscall (and even then). | ||
| actor_error!(not_found; "receiver not found") |
There was a problem hiding this comment.
The send syscall is defined to return NotFound if, and only if, the receiver doesn't exist.
There was a problem hiding this comment.
There was a problem hiding this comment.
Yeah but this is not the syscall! This is invoking an SDK method that makes three syscalls. We don't know where the NotFound came from here.
actors/runtime/src/runtime/fvm.rs
Outdated
| // Actually this is more like an illegal argument where the caller attempted | ||
| // to transfer an amount larger than that representable by the VM's | ||
| // token amount type. Yes, the caller doesn't have that amount, but if they'd | ||
| // attempted to transfer a representable amount it would fail with | ||
| // SYS_INSUFFICIENT_FUNDS instead, so this difference is wierd. |
There was a problem hiding this comment.
It'll fail with InsufficientFunds (the syscall error) in both cases. See https://github.com/filecoin-project/fvm-project/blob/724650bf92b239bb7d2079cde7d5bad121d7c79f/07-errors.md#L53-L57 for the only "system" exit codes that can appear here.
Basically, the rules are:
- Syscall error numbers indicates that something went wrong with the syscall.
- Exit codes indicates that the syscall succeeded, but the called actor failed or did something wrong.
In other words:
- If we fail before we invoke the target actor, we get a syscall error.
- If we fail afterwards, we get an exit code. Usually a "user" exit code, but sometimes a "system" exit code if the actor fails without yielding a usable exit code.
Other than that, the system exit codes exist for recording failures on-chain.
There was a problem hiding this comment.
No, I traced the code. The FVM SDK will return ErrorNumber::InsufficientFunds prior to invoking the syscall in the case I describe. This is not the syscall interface. The SDK makes three syscalls and performs some other checks below here. This match branch is specifically for when we don't get a system exit code from the send (and so we can't invoke one here in userland).
I know we want it to behave how you described, but it doesn't. This is another example of error numbers being a poor representation except for directly at the actual syscall.
| } | ||
| } | ||
| Err(err) => Err(match err { | ||
| // Some of these errors are from operations in the Runtime or SDK layer | ||
| // before or after the underlying VM send syscall. |
There was a problem hiding this comment.
We're using "numbers" here (in the syscall interface) because they're consensus critical and we want to keep things as "simple" as possible. If we can't distinguish between two cases, we should add additional exit codes for that. But I think all cases are covered.
https://github.com/filecoin-project/fvm-specs/blob/main/07-errors.md#error-numbers-by-syscall should tell you exactly what each error number means with respect to each syscall.
| } | ||
| } | ||
| Err(err) => Err(match err { | ||
| // Some of these errors are from operations in the Runtime or SDK layer | ||
| // before or after the underlying VM send syscall. |
There was a problem hiding this comment.
See my commentary here as I was trying to get to grips with things. I'm reaching the conclusion that error numbers are not good as error values, because context is lost and it's hard to know if the right message is being attached later.
Or are you referring to the exit code in ActorError? In that case, I agree. My attitude there is:
- At the point where we can definitively say "we should exit with some specific exit code", we should just exit with that exit code (abort).
- Before then, we should return descriptive (structured) errors.
Stebalien
force-pushed
the
anorth/syserr
branch
from
7d62272
to
0093286
Compare
Updates all uses of the FVM's
ExitCodetype to the new one that will be released in the next crates. Updates to use the codes defined in the spec.Changes
ActorError, the type used to propagate abort codes to the trampoline, to make it easier to construct common ones and a bit harder to accidentally attempt to exit with a system exit code. As part of this, introduces exit code 24 for "internal send failed", because the exit code of the internal send may be a system exit code and can't be propagated by the caller.It's going to be painful, but please do review each change in exit code (or at least those that used to be
SysErrXxx). There are many places where I've now had to replace a system exit code with a user exit code. The tests all pass locally, but I am somewhat surprised at that.fvm_sharedcrates before merging.FYI @dignifiedquire