Merge lp:~vanvugt/mir/fatal-error into lp:mir

This negates the benefits of previous work to ensure proper shutdown in case of server problems, since many (most?) of our exceptions, especially in the platforms, are not recoverable and hence could be changed to mir::abort(). From that perspective this MP causes a regression for https://bugs.launchpad.net/mir/+bug/1189770 .

Like last time we had this discussion, it's a matter of what we deem to be more important: user experience or crash information. Ideally we want both, and there are some avenues worth exploring that may allow us to achieve that middle ground. For example we could get the core with 'gcore' and pipe that to whatever command/file is in /proc/sys/kernel/core_pattern, mimicking a crash, and then graciously shutdown mir.

On the other hand, if the init system is able to bring USC/unity8 back up properly after an abort (which is probably the case) then this is a problem mostly for developers (e.g. crashing a test server and not being able to change VTs) not for normal users. So, perhaps the best way forward is to be able to configure what mir::abort() does. For example, it could std::abort by default, or optionally throw + gcore to a file.

"Needs discussion"

PASSED: Continuous integration, rev:1642
http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-ci/1618/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-utopic-i386-build/181
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-clang-utopic-amd64-build/182
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-utopic-touch/182
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-utopic-amd64-ci/137
        deb: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-utopic-amd64-ci/137/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-utopic-armhf-ci/136
        deb: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-utopic-armhf-ci/136/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/generic-mediumtests-builder-utopic-armhf/431
        deb: http://jenkins.qa.ubuntu.com/job/generic-mediumtests-builder-utopic-armhf/431/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-runner-mako/1439
    SUCCESS: http://s-jenkins.ubuntu-ci:8080/job/touch-flash-device/7144

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-team-mir-development-branch-ci/1618/rebuild

"last time we had this discussion" I feel we made the wrong decision by allowing the offending change to land:
    https://code.launchpad.net/~afrantzis/mir/fix-1189770/+merge/217652

The reason being we have a collection of hidden critical bugs that will never be resolvable without this change. They're hiding in the duplicates list on the right-hand-side of:
    https://bugs.launchpad.net/mir/+bug/1237332

I believe the user experience of eventually not crashing at all is more important than recovering the screen but never fixing the crashes. Although we could achieve both if we utilize the existing logic that catches crashes and does lightweight recovery: server/run_mir.cpp
I think the screen/VT recovery should be there.

Alexandros, I think we should resolve your concern as bug 1320114. I now realize that's a problem which pre-dates this proposal as the fix for bug 1189770 should have included it.

It's worth noting that you can safely do a little cleanup after a fatal signal because you're only making the stack deeper in doing so. No unwinding (loss of stack frames) occurs, so it's fine.

FAILED: Continuous integration, rev:1646
http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-ci/1676/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-utopic-i386-build/253
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-clang-utopic-amd64-build/254
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-utopic-touch/253/console
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-utopic-amd64-ci/195
        deb: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-utopic-amd64-ci/195/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-utopic-armhf-ci/194
        deb: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-utopic-armhf-ci/194/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/generic-mediumtests-builder-utopic-armhf/653
        deb: http://jenkins.qa.ubuntu.com/job/generic-mediumtests-builder-utopic-armhf/653/artifact/work/output/*zip*/output.zip
    FAILURE: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-runner-mako/1504/console
    SUCCESS: http://s-jenkins.ubuntu-ci:8080/job/touch-flash-device/7363

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-team-mir-development-branch-ci/1676/rebuild

PASSED: Continuous integration, rev:1647
http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-ci/1678/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-utopic-i386-build/257
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-clang-utopic-amd64-build/258
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-utopic-touch/257
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-utopic-amd64-ci/197
        deb: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-utopic-amd64-ci/197/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-utopic-armhf-ci/196
        deb: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-utopic-armhf-ci/196/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/generic-mediumtests-builder-utopic-armhf/662
        deb: http://jenkins.qa.ubuntu.com/job/generic-mediumtests-builder-utopic-armhf/662/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-runner-mako/1508
    SUCCESS: http://s-jenkins.ubuntu-ci:8080/job/touch-flash-device/7373

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-team-mir-development-branch-ci/1678/rebuild

> This negates the benefits of previous work to ensure proper shutdown in case
> of server problems, since many (most?) of our exceptions, especially in the
> platforms, are not recoverable and hence could be changed to mir::abort().
> From that perspective this MP causes a regression for
> https://bugs.launchpad.net/mir/+bug/1189770 .

I presume that by rasing SIGABRT we'll run the cleanup handler installed by run_mir(). Why doesn't that adequately address lp:1189770?

> Like last time we had this discussion, it's a matter of what we deem to be
> more important: user experience or crash information. Ideally we want both,
> and there are some avenues worth exploring that may allow us to achieve that
> middle ground. For example we could get the core with 'gcore' and pipe that to
> whatever command/file is in /proc/sys/kernel/core_pattern, mimicking a crash,
> and then graciously shutdown mir.

User experience is always key. And anything that damages that should be optional (like the above or a debug mode that cores immediately without any cleanup).

Alan,
Due to a small oversight, the fix for bug 1189770 is missing a fix for the signal/crash case. So I logged that as a new bug 1320114 and Alexandros is making progress toward resolving it in:
   lp:~afrantzis/mir/emergency-cleanup

So fatal signals such as SIGABRT raised by mir::abort() do still go through our emergency cleanup code. We just accidentally forgot to include VT/DRM recovery in that code path. But alf is working toward fixing that(?).

Thus when all the fixes are in place Mir will both recover the screen *and* dump clean core files. However they're not strictly dependent activities, and I'd rather keep proposals separate and smaller where possible.

I'm as keen as anyone to get clean cores in our development. But it is not so clear this is the best option for downstream developers - who may find it "impolite" for a library they are using to kill their whole process.

Adding Gerry and Michal to reviewers list for a "downstream" viewpoint.

If things are recoverable at all, sure it would be best to not abrt. But then there's probably only so many instances when that's the case. In theory we could try and restart Mir, but since the shell is the client, that will probably be rather difficult, so I can't see many instances where Mir can die while the shell can live on...

I'm all for better stack traces. But I'd like to know if Mir aborts, what happens to threads that the shell owns? Does shell have any way to clean up its own state?

> I'm all for better stack traces. But I'd like to know if Mir aborts, what
> happens to threads that the shell owns? Does shell have any way to clean up
> its own state?

Add a handler to the_emergency_cleanup()...

PASSED: Continuous integration, rev:1652
http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-ci/2056/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-utopic-i386-build/794
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-clang-utopic-amd64-build/800
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-utopic-touch/793
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-utopic-amd64-ci/577
        deb: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-utopic-amd64-ci/577/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-utopic-armhf-ci/575
        deb: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-utopic-armhf-ci/575/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/generic-mediumtests-builder-utopic-armhf/2410
        deb: http://jenkins.qa.ubuntu.com/job/generic-mediumtests-builder-utopic-armhf/2410/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-runner-mako/1945
    SUCCESS: http://s-jenkins.ubuntu-ci:8080/job/touch-flash-device/9137

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-team-mir-development-branch-ci/2056/rebuild

> > I'm all for better stack traces. But I'd like to know if Mir aborts, what
> > happens to threads that the shell owns? Does shell have any way to clean up
> > its own state?
>
> Add a handler to the_emergency_cleanup()...

Although it's worth noting that this will be run in a signal context, so you'll be severely restricted as to what you can reliably do! (The emergency cleanup code currently looks like it allocates memory in the signal context which runs a reasonable chance of deadlocking).

Globally this seems like a reasonable idea, but is there really no way to get useful debugging information out of C++ in the presence of exceptions?

Apparently not. C++ exceptions are mostly designed to be caught and handled (resolved). In some cases you do retain the original stack of an exception, but that only happens in bare threads where no one is catching. So that's a rather unrealistic scenario (unless you disallow all non-specific catches?).

Once you've caught (or even rethrown?) an exception, the original error details are lost. Because your thread only has one stack.

Another way to approach the problem would be to a:
   class UncatchableException
   {
   public:
      UncatchableException() { abort(); }
   }

That means you can still "throw" instead of using the new syntax "mir::abort". Although I'm not sure I like that.

Thinking about this some more, I suspect that this is not actually what we really want.

Core files aren't actually very useful for diagnosing things like bug# 1237332, or the many ways unity-system-compositor can fail to start with some form of DRM error. We really want not only the current state, but also the historical state - what DRM devices have been considered, what were their statuses, etc.

For SEGV-type crashes we are forced to go poking around in a core file because we haven't considered the problem ahead of time, but as I understand the code we currently get those, and even there we'd have a better time with historical state as well.

So, while dumping a more useful core on fatal exception would be more useful than the current status, I think what we *actually* want to do is dump about 300x more information to logs by default - of unsuccessful actions, but equally importantly of successful actions. We need to understand what happened leading up to the error condition, and that's often not captured in a core, however pristine.

Dump each udev device probed, each successful modeset, successful EGL initialisation, etc. Things which happen infrequently or only at startup are good targets for logging.

Absolutely not. I've been doing core analysis from the wild for many years. And the most useless bug reports are always those from projects that try to do their own error handling/logging. Just don't do it. A developer with a debugger and correct symbols can always discover more from a clean core file. As can launchpad's automatic retracer.

With correct symbols (which is generally the hardest part, but feasible), you can analyse data structures by name and dive into all your variables in a meaningful way, post-mortem. It's just not feasible to know in advance what your crashes will be and which variables are the most relevant to debugging them. That's what core files solve.

Hm.

So, I think we're actually talking about two different things here: crashes and “crashes”, which are really uncaught exceptions.

You obviously can't know what your crashes will be in advance. On the other hand, you know *exactly* what your “crashes” will be, because you deliberately put them in there.

A core file is good (or at least usually sufficient) for crashes, because the cause of the crash is the thing the program is trying to do _right now_, so it's highly likely that the state of interest is the current state.

For uncaught exceptions the current state is frequently not the interesting state - when unity-system-compositor fails to start with “could not find drm device”, the interesting data is in previous iterations of the “probe this udev device” loop. It's idiomatic to try and do a bunch of things, and if they *all* fail, throw.

Clean core files are useful, and mir::abort() looks to be useful, so I'm not disapproving.

However, most of the places you're calling mir::abort() in this branch are potentially temporary failures, and it _is_ inappropriate to abort there - failure to schedule pageflips, failure to set one crtc (out of potentially more than one active crtc), and failure in eglSwapBuffers are all potentially transitory or recoverable problems which this branch turns into a SIGABRT.

If we're raising these exceptions on a non-main thread we should stop doing that (or catch them and propagate them _to_ the main thread), though.

Some of this is coming from Xorg experience. X writes ~500 lines of output during normal startup, and this output is extremely useful in debugging the most common failures; just a core file would be much _less_ useful for most of those.

The "potentially temporary failures" thing is a real issue I know. Although it's not feasible to go rewriting all that logic to support recovery in the short term. It's a separate long term activity and not even clear how/if they are really recoverable at all.

Making some of these fatal errors into recoverable errors is a nice enhancement for the future but should not be considered a prerequisite for this. Or else we'll never get a fix for bug 1316867 in time for RTM/utopic.

I like the idea of more logging. Although that too is a separate activity. It can be done orthogonally to error handling. Your logging does not have to be (and shouldn't be) done just when errors occur.

Under the acknowledgement that we'll need to rip this out and implement a proper solution when the time is available, I find this reasonable.

Another solution, trying to combine the best of both worlds, was discussed during standup today: let the client of the library decide whether runtime errors like the ones discussed in this MP should abort, throw or do something completely different.

By default the library should be polite with client code and throw exceptions. Certain clients, which can safely handle Mir abort()s and from which we want comprehensive debugging information, can explicitly configure mir to abort(). I imagine that both unity8 and USC will want to do that.

"Needs discussion"

> Another solution, trying to combine the best of both worlds, was discussed
> during standup today: let the client of the library decide whether runtime
> errors like the ones discussed in this MP should abort, throw or do something
> completely different.
>
> By default the library should be polite with client code and throw exceptions.
> Certain clients, which can safely handle Mir abort()s and from which we want
> comprehensive debugging information, can explicitly configure mir to abort().
> I imagine that both unity8 and USC will want to do that.
>
> "Needs discussion"

We as a library have no way of knowing what else is running in the same process nor whether it is acceptable to terminate the process at any given time. Hence, it is extremely impolite for to abort process unless the client code has caused it in some way. (I.e. either the client has requested the abort or has broken a precondition.)

I'm not saying it is a primary use case, but it is conceivable that a process with another primary purpose spins up a Mir compositor briefly and expects to continue after it closes down. With errors reported via exceptions that is possible, with errors reported by "abort()" it isn't. (FWIW I'd even like it to be fully supported to run multiple Mir servers in a process without an error in one bringing the whole lot down.)

So long as the client code uses the Mir API correctly I don't think we should ever abort. (That doesn't preclude the client installing handlers for "very bad things" into Mir that abort *in client code* with our stack intact.)

Firstly keep in mind that the code does crash already, with unhandled (and undebuggable) exceptions. The change proposed here just changes them into being "debuggable".

Secondly, wanting to handle and recover from errors is a separate activity. The offending exceptions have been in the Mir code for years now and as yet no one has made them recoverable. So doing that is a large long term task and shouldn't block this one.

<IMHO>It's much more important that we be able to debug these problems and actually stop them from happening than the current situation where one can indeed clean up some things on an exception, but not report enough information to us to ever help to fix the underlying cause.</IMHO>

> Firstly keep in mind that the code does crash already, with unhandled (and
> undebuggable) exceptions. The change proposed here just changes them into
> being "debuggable".

There's only a crash if the exception propagating from run_mir() isn't caught.

That is a (questionable) decision made by client code and not something we impose in the Mir library. (The only example code we provide that fails to handle the exception is minimal_server.cpp.)

No, these exceptions are raised in the compositing thread, right? Client code has no opportunity to catch them.

-----Original Message-----
From: "Alan Griffiths" <email address hidden>
Sent: ‎9/‎07/‎2014 19:23
To: "Daniel van Vugt" <email address hidden>
Subject: Re: [Merge] lp:~vanvugt/mir/fatal-error into lp:mir/devel

> Firstly keep in mind that the code does crash already, with unhandled (and
> undebuggable) exceptions. The change proposed here just changes them into
> being "debuggable".

There's only a crash if the exception propagating from run_mir() isn't caught.

That is a (questionable) decision made by client code and not something we impose in the Mir library. (The only example code we provide that fails to handle the exception is minimal_server.cpp.)
--
https://code.launchpad.net/~vanvugt/mir/fatal-error/+merge/219471
You are reviewing the proposed merge of lp:~vanvugt/mir/fatal-error into lp:mir/devel.

> No, these exceptions are raised in the compositing thread, right? Client code
> has no opportunity to catch them.

Any exception that reaches the top of the compositing threads (i.e. it is not handled by that thread), is caught, the server is torn down, and the exception is rethrown when run_mir() finishes.

See the code in multi_threaded_compositor.cpp and the mir::terminate_with_current_exception() function for more.

> > No, these exceptions are raised in the compositing thread, right? Client
> code
> > has no opportunity to catch them.
>
> Any exception that reaches the top of the compositing threads (i.e. it is not
> handled by that thread), is caught, the server is torn down, and the exception
> is rethrown when run_mir() finishes.
>
> See the code in multi_threaded_compositor.cpp and the
> mir::terminate_with_current_exception() function for more.

Right.

What this proposal does is take code that leads to an orderly shutdown with an exception the client can (and is expected to) handle into an unconditional crash.

As I've stated before in this thread I don't think a library should behave this way.

I don't think its very well behaved for the library to abort on the user, but on the other hand do appreciate the extra debug info. Seeing as we know when that drm (or hwc for that matter) errors are not handled, maybe we could pack the exception with all the info we could glean (say via glibc's backtrace()) and hope that the client code prints it. (or we could just spew to to stderr). Obviously, this is not as nice as a coredump, but it seems to me to be an okay compromise between the concerns.

The existing behaviour ("orderly shutdown") is in no way more useful that what is proposed here. We have now spent _years_ unable to fix our crashes because of the existing behaviour. That is unacceptable.

The assertion that "the client can handle" these exceptions is false. Clients can't handle them because even we don't know how to handle them. If we did, then we would be doing so. For clients to blindly catch those exceptions is not useful, because the system is left with a blank screen and doesn't recover.

Core files are significantly more useful to fixing bugs than exception details. Particularly since we have an automated system in place that analyses cores for us. Please let us use it so we can fix these crashes.

Simply recovering/retrying things that fail before you ever understand how they can fail is too dangerous and risks getting stuck in retry loops and/or crashing again after multiple failures in less useful locations.

Unfortunately because most developers ignore bugs the severity of the situation is not fully understood by most developers. But last time we asked for public testing of Mir we were bombarded by crash reports which to this day remain unsolved. I want to avoid that happening again.

I don't think its very well behaved for the library to abort on the user.

I think it is important that the user (in this case U8 and/or USC) can get a core.

Alexandros has suggested an approach that meets both these concerns. (https://code.launchpad.net/~vanvugt/mir/fatal-error/+merge/219471/comments/544375)

Absolutely crashing is not good behaviour. But if that's the fastest path to resolving the root cause then it's the best option.

I don't think making it configurable is a good idea. Because that gives shell/server developers the option of regressing on LP: #1316867 when there is no existing DRM logic in place for a clean retry/recovery to occur. I mean if a shell did catch such an error as an exception there is no code path back into the Mir DRM code to recover at all. It's not useful to have exceptions when there's no catch/recovery plan. And I think that would be irresponsible of us to allow shell developers to experience Mir bugs which don't generate meaningful crash reports we can work with and resolve.

I wonder if there is a way we can recover the VT/display using a separate executable tied to a watchdog, or a hot-key combination of sorts which can be triggered automatically or through a hot-key combination, to get the display back into a sane state after a fatal crash.

And perhaps a good history logging mechanism, as suggested by Chris, which we can "play back" post-mortem in a developer binary where we have aborts instead of exceptions.

I am also of the opinion that the user-experience must not be compromised just because we have bugs in the system we want to address as quickly as possible. And there will continue to be bugs even after we collect many core files and address the ones that have caused them. But we should not forget that providing a good user-experience is key - piss your users off enough many times and there won't be very many left to exercise bugs in the code and help us collect core files for us to fix.

Additional state reporting and logging is a part of the solution. But not all of it.

There are two sets of users to consider here:

1. the users of Mir - shell/server developers exemplified by U8 and U-S-C
2. the users of U8

The former are the ones that should decide whether an abort is acceptable behavior for their program. Not the developers of Mir.

It may even be argued that the latter should be offered a choice too. Then beta testers can run with one option and final users with another.

For example, an option like this:

    --on-fatal-error arg (=throw) Action to take on a fatal error [throw|abort|break]

In U8 and/or U-S-C development we can change the default to "abort" in order to ensure better diagnostics. But reconfigure in a production environment to "throw".

With "throw" there should be a bespoke a FatalError exception that is understood by mir::report_exception() and reads:

    to get additional debug information in a core:
       $ ulimit -c unlimited
    and rerun with "--on-fatal-error abort"

I think the current "orderly shutdown" behavior is a good option to have and if we break it (even with the intent of restoring it "eventually") it will be hard to recover.

We already do recover the VT/display on fatal signals. That was Fix Released in Mir 0.4.0, although we failed to document it as fixed so I just updated bug 1320114 now. I was on vacation when that change landed.

mir::abort() follows an orderly shutdown procedure. It does recover the screen and provides a _more_ friendly user experience in that it allows us to finally debug the crashes and fix them once and for all. Thus, more friendly in that the number of crashes will be reduced.

I don't see what benefit exceptions buy you in this case. Our fatal signal handler is just as good at recovering the screen and providing a nice user experience. The only difference is that exceptions would prevent us from getting good crash reports and being able to fix bugs.

Exceptions allow users of our library to also partake of the
clean-shutdown goodness.

They may want to do things other than SIGABRT when their Mir server
crashes.

I thought users could utilize the emergency recovery code?... Or maybe it needs more API still?...
   https://code.launchpad.net/~afrantzis/mir/platform-emergency-cleanup/+merge/222662
Inserting new handlers with that _should_ allow you to clean up on both exceptions and fatal signals.

If you relied on exceptions alone for clean up then you're missing out, because that will never catch crashes like SIGSEGV.

That assumes that terminating is the correct behavior, and that everything they want to do is safe in a signal context, which it probably isn't.

-----Original Message-----
From: "Daniel van Vugt" <email address hidden>
Sent: ‎14/‎07/‎2014 18:32
To: "Daniel van Vugt" <email address hidden>
Subject: Re: [Merge] lp:~vanvugt/mir/fatal-error into lp:mir/devel

I thought users could utilize the emergency recovery code?... Or maybe it needs more API still?...
   https://code.launchpad.net/~afrantzis/mir/platform-emergency-cleanup/+merge/222662
Inserting new handlers with that _should_ allow you to clean up on both exceptions and fatal signals.

If you relied on exceptions alone for clean up then you're missing out, because that will never catch crashes like SIGSEGV.
--
https://code.launchpad.net/~vanvugt/mir/fatal-error/+merge/219471
You are reviewing the proposed merge of lp:~vanvugt/mir/fatal-error into lp:mir/devel.

PASSED: Continuous integration, rev:1660
http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-ci/2144/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-android-utopic-i386-build/931
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-clang-utopic-amd64-build/937
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-utopic-touch/929
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-utopic-amd64-ci/665
        deb: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-utopic-amd64-ci/665/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-utopic-armhf-ci/663
        deb: http://jenkins.qa.ubuntu.com/job/mir-team-mir-development-branch-utopic-armhf-ci/663/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/generic-mediumtests-builder-utopic-armhf/3033
        deb: http://jenkins.qa.ubuntu.com/job/generic-mediumtests-builder-utopic-armhf/3033/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/mir-mediumtests-runner-mako/2068
    SUCCESS: http://s-jenkins.ubuntu-ci:8080/job/touch-flash-device/9766

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/mir-team-mir-development-branch-ci/2144/rebuild

Blocked on Alan's "Needs Fixing". Not sure what needs fixing though. Looks like a general disapproval of the whole concept without any alternate solutions for bug 1316867 being proposed yet.

> Blocked on Alan's "Needs Fixing". Not sure what needs fixing though. Looks
> like a general disapproval of the whole concept without any alternate
> solutions for bug 1316867 being proposed yet.

What "Needs Fixing" is:

1. Aborting as the only action for fatal errors.
2. Aborting as the default action for fatal errors.

Both of would be solved by introducing a mechanism that allows the _users_ of libmirserver to decide what to do in case of fatal errors. The default implementation would be to throw an exception, which, as discussed above, is the most safe and polite reaction.

I expect unity8 and USC to override the fatal error handler and abort() on error to provide sufficient debugging information in the wild, but that's ultimately their decision to make.

It seems like exceptions are more flexible to the library user, who knows what they want to do. Installing emergency cleanup handlers isn't a sufficient substitute (signal context). I don't like abort by default because of this.

I clicked the wrong review status

I'm confused. I've already explained why exceptions are unacceptable here.

Giving people the option of regressing on the bug without providing them with any DRM recovery logic to use as an alternative solution in exception handlers is pointless. It fails to address bug 1316867, defeating the point of this whole exercise.

I'm happy to say "Won't Fix" on the bug. But not happy to wear the blame for it.

I don't understand your confusion. Ever since the first review comment it has been explained why exceptions are not only acceptable but also the desired default for a library.

The fixes outlined by Alexandros do indeed need some additional work in unity-mir and/or unity8 to resolve bug 1316867 but those changes are under our control. It would also means that users of Mir will not be swearing at us for writing a library that summarily terminates their process.

We're kind of going round in circles. So I thought I should clarify my position and state where the red-line lies as far as I'm concerned :

- It's important for us not to abort on the user unconditionally just to make our lives easier.

I'd be happy with any configurable way that this is handled as long as abort is not the default. In its current form, I'll go ahead and disapprove.