Merge lp:~spiv/bzr/cleanup-hof into lp:bzr

[Trying an RFC for a branch by cross-posting to both the merge proposal on
Launchpad, and the bazaar@ list.]

Hi all,

Here's the problem. In this example, Python gives no way for final_func to know
if try_func raised an error or not:

    try:
        try_func()
    finally:
        final_func()

Not even by sys._getframe hacks, AFAICT. I can go into some gory details about
why not, but more important is what to do about it.

It's problematic because, in general, we don't want an error from final_func to
override an error from try_func. This means that sometimes users get errors
about, say, abort_write_group failing, when what originally went wrong was
“connection lost”. The various TooManyConcurrentRequests bugs are the most
common symptom of this.

This brings me to <https://bugs.launchpad.net/bzr/+bug/429747>, and
<https://code.launchpad.net/~spiv/bzr/cleanup-hof/+merge/12318>.

Bug 429747 proposes a higher-order-function that all cleanups should use to at
least give us a common place to control policy about log vs. raise, etc. That
branch implements that, as a function called run_cleanup (and some variations).
It lives in a new module, bzrlib.cleanups. I have tried to give the new module
and its contents fairly reasonable docstrings, and clear tests.

The downside of run_cleanup is that it will suppress some exceptions that should
be propagated, but that seems to be unavoidable given the limitations of Python.
(And note that developers can always use -Dcleanup to get UI warnings about
failures in run_cleanup).

The branch also implements something called do_with_cleanups, which can actually
be pretty robust and correct, at the cost of making simple callsites a bit
uglier. I have a follow-on patch that adjusts bzrlib.commit to use this, which
would fix some outstanding bugs.

So, here's the RFC: I think the policy should be:

 * use run_cleanup if a cleanup failure is likely to be unimportant to a user
   (or at least, the chance of it being important is < the chance of the main
   func raising an error that should not be obscured).
 * consider changing the cleanup function itself to never raise errors, e.g.
   abort_write_group(suppress_error=True). Then idiomatic try/finally is safe.
   Again, only applicable if failures during cleanup are "uninteresting".
 * use run_cleanups if you are running multiple cleanups; it takes care of
   running them all even if an exception happens.
 * if you want very correct behaviour, use do_with_cleanups. This tends to make
   simple callsites a bit uglier, but in already complex code (like commit) it
   may be no worse.

If agreed, I can add this to HACKING.txt.

I don't think we necessarily need to update all existing try/finally blocks at
once, but we should at least fix the cases that have been the source of bug
reports.

-Andrew.

2009/9/24 Andrew Bennetts <email address hidden>:
> [Trying an RFC for a branch by cross-posting to both the merge proposal on
> Launchpad, and the bazaar@ list.]
>
> Hi all,
>
> Here's the problem.  In this example, Python gives no way for final_func to know
> if try_func raised an error or not:
>
>    try:
>        try_func()
>    finally:
>        final_func()
>
> Not even by sys._getframe hacks, AFAICT.  I can go into some gory details about
> why not, but more important is what to do about it.
>
> It's problematic because, in general, we don't want an error from final_func to
> override an error from try_func.  This means that sometimes users get errors
> about, say, abort_write_group failing, when what originally went wrong was
> “connection lost”.  The various TooManyConcurrentRequests bugs are the most
> common symptom of this.
>
> This brings me to <https://bugs.launchpad.net/bzr/+bug/429747>, and
> <https://code.launchpad.net/~spiv/bzr/cleanup-hof/+merge/12318>.
>
> Bug 429747 proposes a higher-order-function that all cleanups should use to at
> least give us a common place to control policy about log vs. raise, etc.  That
> branch implements that, as a function called run_cleanup (and some variations).
> It lives in a new module, bzrlib.cleanups.  I have tried to give the new module
> and its contents fairly reasonable docstrings, and clear tests.
>
> The downside of run_cleanup is that it will suppress some exceptions that should
> be propagated, but that seems to be unavoidable given the limitations of Python.
> (And note that developers can always use -Dcleanup to get UI warnings about
> failures in run_cleanup).
>
> The branch also implements something called do_with_cleanups, which can actually
> be pretty robust and correct, at the cost of making simple callsites a bit
> uglier.  I have a follow-on patch that adjusts bzrlib.commit to use this, which
> would fix some outstanding bugs.
>

> So, here's the RFC: I think the policy should be:
>
>  * use run_cleanup if a cleanup failure is likely to be unimportant to a user
>   (or at least, the chance of it being important is < the chance of the main
>   func raising an error that should not be obscured).
>  * consider changing the cleanup function itself to never raise errors, e.g.
>   abort_write_group(suppress_error=True).  Then idiomatic try/finally is safe.
>   Again, only applicable if failures during cleanup are "uninteresting".
>  * use run_cleanups if you are running multiple cleanups; it takes care of
>   running them all even if an exception happens.
>  * if you want very correct behaviour, use do_with_cleanups.  This tends to make
>   simple callsites a bit uglier, but in already complex code (like commit) it
>   may be no worse.
>
> If agreed, I can add this to HACKING.txt.

(I haven't read the diff yet, but we did talk about it ...)

I was originally suggesting that we should handle this by putting all
cleanup-type code through a single bottleneck. I think you're on to
something in saying (if you are) that we should instead put it through
common policies for different types of cleanup.

My sense is that this is more about the type of cleanup than the place
...

>>>>> "Andrew" == Andrew Bennetts <email address hidden> writes:

    Andrew> [Trying an RFC for a branch by cross-posting to both the merge proposal on
    Andrew> Launchpad, and the bazaar@ list.]

    Andrew> Hi all,

    Andrew> Here's the problem. In this example, Python gives no way for final_func to know
    Andrew> if try_func raised an error or not:

    Andrew> try:
    Andrew> try_func()
    Andrew> finally:
    Andrew> final_func()

try:
   no_error = False
   try_func()
   no_error = True
finally:
   final_func(no_error)

Martin Pool wrote:
> 2009/9/24 Andrew Bennetts <email address hidden>:
[...]
>
> (I haven't read the diff yet, but we did talk about it ...)
>
> I was originally suggesting that we should handle this by putting all
> cleanup-type code through a single bottleneck. I think you're on to
> something in saying (if you are) that we should instead put it through
> common policies for different types of cleanup.

Yes, I think that's what I'm getting at (the picture has been emerging
pretty gradually!).

> My sense is that this is more about the type of cleanup than the place
> it's being called from, so I'd expect that normally we will be
> changing the functions called at cleanup, not the code with the
> try/finally block. Of course if there is code with multiply nested
> try/finally blocks and we can make it cleaner by changing to a
> higher-order-function that runs them in order, that's great.

Right, that's a good example where a h-o-f can make the code cleaner, not
just more robust.

> I think we can distinguish different types of severity of failure.
> For instance, if we fail to unlock a branch, that's worth telling the
> user about, but it's bad to give them such a large or severe message
> that it obscures their view of what actually went wrong, as often
> seems to happen in bugs.
>
> One blue-sky option here would be to indicate success or failure by
> return code: unlock (say) returns True if it actually unlocked, False
> if it failed. Then code that really cares can see, but the default
> will be not to interrupt processing. This gives you a way to have
> failures that are 'slightly interesting'.

I don't particularly like checking return values. I think it might be nice
to be able to say "foo.unlock(on_error='warn')", or
on_error='log'/'ignore'/'raise'. I'm not sure which we'd like to have as
the default, and it's also questionable about whether we really want to
burden all unlock implementations with this, but it's an interesting
strawman API.

My thinking here is that *usually* an unlock failure is probably not
something to report to the user, but there are times when we definitely want
errors to propagate directly (e.g. an explicit invocation of break-lock, and
probably during the test suite).

So there's a mix of inputs here. I'm having trouble articulating this
clearly, but roughly I feel that what's desired in any individual case may
depend on a combination of:

 - the cleanup operation itself;
 - what the callsite intends (some places may explicitly expect and suppress
   particular errors, so emitting something to the UI instead of raising
   something the callsite can catch may be a bad thing);
 - any global policy, like debug flags;
 - and maybe also the specific error (e.g. KeyboardInterrupt vs. connection
   lost vs. an assertion about unfinished progress bars)?

The challenge seems to be balancing these desires while keeping things
reasonable clean and simple.

> It seems to me the most common requests are:
>
> * TooManyConcurrentRequests as a knock-on effect from a previous
> operation being interrupted either because of a client-side bug or
> error, or a connection dropping
> * Unlock failing because ...

Vincent Ladeuil wrote:
[...]
> try:
> no_error = False
> try_func()
> no_error = True
> finally:
> final_func(no_error)

Ugh! And of course then you need to change final_func to reliably never
raise errors depending on that flag... and then there are cases with multiple
cleanups...

But yes, changing the try/finally somehow is the only option (using
do_with_cleanups from my patch is another variation on this). It's a
shame because it means the obvious spelling is not the correct one :(

-Andrew.

> Vincent Ladeuil wrote:
> [...]
> > try:
> > no_error = False
> > try_func()
> > no_error = True
> > finally:
> > final_func(no_error)
>
> Ugh! And of course then you need to change final_func to reliably never
> raise errors depending on that flag... and then there are cases with multiple
> cleanups...

Not to mention the possibility of UnboundLocalErrors - unlikely in this simple case, but still possible if you just happen to get interrupted at the right time.

But Vincent's suggestion does point out something interesting, which is that the "has an error occurred" or "have things finished correctly" is often already available in the program state without needing a specific variable to be added for it. In the case we're primarily looking at here: if unlock runs and the medium(?connection?) is still in use, then we can be pretty sure that we were in fact interrupted. Now what should it do?

We can decompose this into:
How do we detect when we're in a knock-on error case?
What do we do differently?

The assumption is that we want to suppress errors only when they would be knock-on errors. I think we do want to squelch them in that case, but perhaps for some of these errors, like failure to unlock, they don't need to be propagated as errors at any time (outside of testing etc).

2009/9/24 Andrew Bennetts <email address hidden>:
> Martin Pool wrote:
>> 2009/9/24 Andrew Bennetts <email address hidden>:
> [...]
>>
>> (I haven't read the diff yet, but we did talk about it ...)
>>
>> I was originally suggesting that we should handle this by putting all
>> cleanup-type code through a single bottleneck.  I think you're on to
>> something in saying (if you are) that we should instead put it through
>> common policies for different types of cleanup.
>
> Yes, I think that's what I'm getting at (the picture has been emerging
> pretty gradually!).
>
>> My sense is that this is more about the type of cleanup than the place
>> it's being called from, so I'd expect that normally we will be
>> changing the functions called at cleanup, not the code with the
>> try/finally block.  Of course if there is code with multiply nested
>> try/finally blocks and we can make it cleaner by changing to a
>> higher-order-function that runs them in order, that's great.
>
> Right, that's a good example where a h-o-f can make the code cleaner, not
> just more robust.
>
>> I think we can distinguish different types of severity of failure.
>> For instance, if we fail to unlock a branch, that's worth telling the
>> user about, but it's bad to give them such a large or severe message
>> that it obscures their view of what actually went wrong, as often
>> seems to happen in bugs.
>>
>> One blue-sky option here would be to indicate success or failure by
>> return code: unlock (say) returns True if it actually unlocked, False
>> if it failed.  Then code that really cares can see, but the default
>> will be not to interrupt processing.  This gives you a way to have
>> failures that are 'slightly interesting'.
>
> I don't particularly like checking return values.

OK, but why? Obviously in general in Python one should be using
exceptions rather than return code as the normal convention, but are
there any other drawbacks? The other main reason is that return codes
can easily be ignored but that is (perhaps) just what we want here.

One problem with return codes is that, if you return a boolean, you
don't get any explanation of what went wrong. We could potentially
return an Exception object, but that might be getting too weird.

> I think it might be nice
> to be able to say "foo.unlock(on_error='warn')", or
> on_error='log'/'ignore'/'raise'.  I'm not sure which we'd like to have as
> the default, and it's also questionable about whether we really want to
> burden all unlock implementations with this, but it's an interesting
> strawman API.

That seems ok, at least assuming that you expect different callers to
prefer to get errors, warnings, or nothing. But aside from tests
specifically for locking, I'm not sure that they will.

> My thinking here is that *usually* an unlock failure is probably not
> something to report to the user, but there are times when we definitely want
> errors to propagate directly (e.g. an explicit invocation of break-lock, and
> probably during the test suite).

I don't think break-lock calls unlock, it calls break_lock, which
presumably would always error.

> So there's a mix of inputs here.  I'm having troubl...

Andrew Bennetts writes:

 > Here's the problem. In this example, Python gives no way for
 > final_func to know if try_func raised an error or not:
 >
 > try:
 > try_func()
 > finally:
 > final_func()

In 2.6, you can do

try:
    errflag = "Impossible is nothing."
    try_func()
except:
    errflag = "Uh oh ..."
finally:
    final_func(errflag)

In earlier Pythae you must do the ugly but equivalent

try:
    errflag = "Impossible is nothing."
    try:
        try_func()
    except:
        errflag = "Uh oh ..."
finally:
    final_func(errflag)

I believe Guido acknowledged not allowing the more compact notation in
the first place to be excessive caution, but it's not impossible to
distinguish exceptions raised by try_func from those raised by
final_func.

So what's the problem? You want to do this without fixing all the
broken try ... finally blocks?

 > Not even by sys._getframe hacks, AFAICT. I can go into some gory
 > details about why not,

Inquiring minds want to know....

2009/9/24 Stephen J. Turnbull <email address hidden>:

> I believe Guido acknowledged not allowing the more compact notation in
> the first place to be excessive caution, but it's not impossible to
> distinguish exceptions raised by try_func from those raised by
> final_func.
>
> So what's the problem?  You want to do this without fixing all the
> broken try ... finally blocks?

It's not _impossible_, we just don't want to add boilerplate to
everything that uses a try/finally block. There are many more of them
than there are distinct types of cleanup to run.

--
Martin <http://launchpad.net/~mbp/>

Martin Pool wrote:
> 2009/9/24 Stephen J. Turnbull <email address hidden>:
>
> > I believe Guido acknowledged not allowing the more compact notation in
> > the first place to be excessive caution, but it's not impossible to
> > distinguish exceptions raised by try_func from those raised by
> > final_func.
> >
> > So what's the problem?  You want to do this without fixing all the
> > broken try ... finally blocks?
>
> It's not _impossible_, we just don't want to add boilerplate to
> everything that uses a try/finally block. There are many more of them
> than there are distinct types of cleanup to run.

Especially when the boilerplate involved is just complex enough that it
would be error-prone.

e.g. your proposed boilerplate appears to be missing a raise in the except
block... (unless you also suggest boilerplate in every final_func to start with
saving sys.exc_info() and then finally reraise it!)

-Andrew.

We actually want something a lot closer to 'with', I suspect.

The problem is that we support python 2.4

-Rob

Martin Pool wrote:
[...]
> > I don't particularly like checking return values.
>
> OK, but why? Obviously in general in Python one should be using
> exceptions rather than return code as the normal convention, but are
> there any other drawbacks? The other main reason is that return codes
> can easily be ignored but that is (perhaps) just what we want here.

It's just the “easy to forget to check them” issue that concerns me.

> One problem with return codes is that, if you return a boolean, you
> don't get any explanation of what went wrong. We could potentially
> return an Exception object, but that might be getting too weird.
>
> > I think it might be nice
> > to be able to say "foo.unlock(on_error='warn')", or
> > on_error='log'/'ignore'/'raise'.  I'm not sure which we'd like to have as
> > the default, and it's also questionable about whether we really want to
> > burden all unlock implementations with this, but it's an interesting
> > strawman API.
>
> That seems ok, at least assuming that you expect different callers to
> prefer to get errors, warnings, or nothing. But aside from tests
> specifically for locking, I'm not sure that they will.

Yeah, I'm not sure exactly how featureful we need to be. It could well be a
YAGNI, although testability is important.

> > My thinking here is that *usually* an unlock failure is probably not
> > something to report to the user, but there are times when we definitely want
> > errors to propagate directly (e.g. an explicit invocation of break-lock, and
> > probably during the test suite).
>
> I don't think break-lock calls unlock, it calls break_lock, which
> presumably would always error.

Oh, right, good point. I feel like there's probably other examples, but
perhaps not...

> > So there's a mix of inputs here.  I'm having trouble articulating this
> > clearly, but roughly I feel that what's desired in any individual case may
> > depend on a combination of:
> >
> >  - the cleanup operation itself;
> >  - what the callsite intends (some places may explicitly expect and suppress
> >   particular errors, so emitting something to the UI instead of raising
> >   something the callsite can catch may be a bad thing);
> >  - any global policy, like debug flags;
> >  - and maybe also the specific error (e.g. KeyboardInterrupt vs. connection
> >   lost vs. an assertion about unfinished progress bars)?
> >
> > The challenge seems to be balancing these desires while keeping things
> > reasonable clean and simple.
>
> My idea was that we should try, at least in a branch, just changing
> the policy, and see what happens in several dimensions: how that
> changes the look & feel of the code as you change it, what tests fail
> if any and how easy & clean it is to fix them, and what positive or
> negative effects this has on users. Then we'll have more data on the
> balance.

Ok, trying it in practice makes good sense. I might aim for trying to
update (or at least look at) every try-finally in bzrdir.py, repository.py
and branch.py and see how it goes.

[...]
> I think that policy sounds ok, though maybe we need different
> functions for important and unimportant cleanups. I suggest taking
> the im...

2009/9/24 Andrew Bennetts <email address hidden>:
> Martin Pool wrote:
>> 2009/9/24 Stephen J. Turnbull <email address hidden>:
>>
>> > I believe Guido acknowledged not allowing the more compact notation in
>> > the first place to be excessive caution, but it's not impossible to
>> > distinguish exceptions raised by try_func from those raised by
>> > final_func.
>> >
>> > So what's the problem?  You want to do this without fixing all the
>> > broken try ... finally blocks?
>>
>> It's not _impossible_, we just don't want to add boilerplate to
>> everything that uses a try/finally block.  There are many more of them
>> than there are distinct types of cleanup to run.
>
> Especially when the boilerplate involved is just complex enough that it
> would be error-prone.
>
> e.g. your proposed boilerplate appears to be missing a raise in the except
> block... (unless you also suggest boilerplate in every final_func to start with
> saving sys.exc_info() and then finally reraise it!)

This is the place where Stephen's supposed to say something about Lisp
being a great improvement on many languages that came after it... ;-)

--
Martin <http://launchpad.net/~mbp/>

2009/9/24 Andrew Bennetts <email address hidden>:
>> My idea was that we should try, at least in a branch, just changing
>> the policy, and see what happens in several dimensions: how that
>> changes the look & feel of the code as you change it, what tests fail
>> if any and how easy & clean it is to fix them, and what positive or
>> negative effects this has on users.  Then we'll have more data on the
>> balance.
>
> Ok, trying it in practice makes good sense.  I might aim for trying to
> update (or at least look at) every try-finally in bzrdir.py, repository.py
> and branch.py and see how it goes.

I'm kind of hoping you won't actually need to change them though, only
the code they call.

> [...]
>> I think that policy sounds ok, though maybe we need different
>> functions for important and unimportant cleanups.  I suggest taking
>> the implementation all the way through with say unlock so that we can
>> see how it actually behaves.
>
> That sounds like a good experiment, although I dread the effort to actually
> update all the implementations of unlock...
>
> (By “all the way through” you mean extending the API of unlock, right?)

By "all the way through" I mean to the point where you can
interactively test (somehow, maybe by killing your network connection)
creating a situation where unlock would run after an error, and
observe that it looks better than it does with the current code. Not
all the way 'across' every case at first.

--
Martin <http://launchpad.net/~mbp/>

Andrew Bennetts writes:

 > e.g. your proposed boilerplate appears to be missing a raise in the
 > except block...

That's not proposed boilerplate; that's proof of concept that
communication *is* possible.

That said, I don't think reraising from the try is appropriate; that
puts you in the same boat you are worried about where you can't
distinguish between an exception that occurs in try_func() and one
that occurs in final_func().

If I were writing code where there are a lot of try-finally blocks,
but only a few versions of final_func(), what I would probably
actually do is stuff the actual exception into errflag, and let each
final_func() reraise it, deal with it, or ignore it as appropriate to
that final_func().

Agreed, this is still ugly and somewhat error prone with except-less
try-finally blocks, but the semantics and syntax of a finally clause
that handles exceptions are less than transparent to me. Should the
exception be available to finally if already handled? What is the
syntax for binding the exception to an identifier in the finally
clause? Should exceptions (re)raised in an except clause be treated
differently from exceptions that were raised from the try clause?

Martin Pool wrote:
[...]
> OK, so +1 from me, but the proof will be in how it would handle the
> bugs reported as TooMany*. It might be worth grepping for them and
> looking at their call stacks.

So, I've spent some time looking at the TooMany* bug reports. Here's a summary
of causes:

 * WorkingTree.pull has error -> then runs unlock in finally
 * Branch.push has error -> then run unlock in finally
 * Repo.fetch has error during stream -> then run unlock in finally
   (e.g. due to buggy stream from old server sending cross-format to 2a)
 * commit has an error -> then runs a bunch of unlocks in a finally

So those are all a case of unlock doomed to failure by prior error, then
obscures that prior error.

There is one other case, though:

 * WorkingTree.commit invokes -> BzrBranch5.get_master_branch -> Branch.open ->
   BzrDir.open -> do_catching_redirections... eventually 'BzrDir.open' RPC fails
   with TooMany* error.

This one doesn't appear to be a cleanup error, but some sort of failure about
charging onwards after an error, when probably we shouldn't? I'm not sure
exactly what's going on there, but I suspect a bug in the way we find formats in
BzrDir.open. Anyway, this one is not a bug during cleanup AFAICT.

So, it appears we would get excellent mileage out of changing unlock on the core
objects (Branch, WorkingTree, etc) to suppress at least most errors, although
probably we still want to allow LockNotHeld and maybe LockBroken to raise, not
just warn?

2009/9/25 Andrew Bennetts <email address hidden>:
> Martin Pool wrote:
> [...]
>> OK, so +1 from me, but the proof will be in how it would handle the
>> bugs reported as TooMany*.  It might be worth grepping for them and
>> looking at their call stacks.
>
> So, I've spent some time looking at the TooMany* bug reports.  Here's a summary
> of causes:
>
>  * WorkingTree.pull has error -> then runs unlock in finally
>  * Branch.push has error -> then run unlock in finally
>  * Repo.fetch has error during stream -> then run unlock in finally
>   (e.g. due to buggy stream from old server sending cross-format to 2a)
>  * commit has an error -> then runs a bunch of unlocks in a finally
>
> So those are all a case of unlock doomed to failure by prior error, then
> obscures that prior error.

OK

> There is one other case, though:
>
>  * WorkingTree.commit invokes -> BzrBranch5.get_master_branch -> Branch.open ->
>   BzrDir.open -> do_catching_redirections... eventually 'BzrDir.open' RPC fails
>   with TooMany* error.
>
> This one doesn't appear to be a cleanup error, but some sort of failure about
> charging onwards after an error, when probably we shouldn't?  I'm not sure
> exactly what's going on there, but I suspect a bug in the way we find formats in
> BzrDir.open.  Anyway, this one is not a bug during cleanup AFAICT.
>
> So, it appears we would get excellent mileage out of changing unlock on the core
> objects (Branch, WorkingTree, etc) to suppress at least most errors, although
> probably we still want to allow LockNotHeld and maybe LockBroken to raise, not
> just warn?

That sounds good. We could even consider not treating LockNotHeld etc
differently to start with, people are unlikely to try to catch them.

--
Martin <http://launchpad.net/~mbp/>

Martin Pool wrote:
[...]
> > So, it appears we would get excellent mileage out of changing unlock on the core
> > objects (Branch, WorkingTree, etc) to suppress at least most errors, although
> > probably we still want to allow LockNotHeld and maybe LockBroken to raise, not
> > just warn?
>
> That sounds good. We could even consider not treating LockNotHeld etc
> differently to start with, people are unlikely to try to catch them.

I'm pretty sure tests do, though.

I'm currently experimenting with a decorator that looks like this:

    @only_raises(errors.LockNotHeld, errors.LockBroken)
    def unlock(self):

And so far it's looking promising, although there's still a little bit of test
suite fall out...

So what is the status of this submission? Is it superseded by your other work?