Accepting Blame for Safe Tunneled Exceptions

Total Page:16

File Type:pdf, Size:1020Kb

Accepting Blame for Safe Tunneled Exceptions Accepting Blame for Safe Tunneled Exceptions Yizhou Zhang∗ Guido Salvaneschiy Quinn Beightol∗ Barbara Liskovz Andrew C. Myers∗ ∗Cornell University, USA yTU Darmstadt, Germany zMIT, USA [email protected] [email protected] [email protected] [email protected] [email protected] Abstract 1. Introduction Unhandled exceptions crash programs, so a compile-time Exceptions make code more reliable by helping programmers check that exceptions are handled should in principle make handle abnormal or unusual run-time conditions. The core software more reliable. But designers of some recent lan- idea is to transfer control in a nonlocal way to handler code guages have argued that the benefits of statically checked ex- that can be factored out from common-case code. This sepa- ceptions are not worth the costs. We introduce a new stati- ration of concerns simplifies code and prompts programmers cally checked exception mechanism that addresses the prob- not to forget about exceptional conditions. lems with existing checked-exception mechanisms. In partic- There has been disagreement since the 1970’s about how ular, it interacts well with higher-order functions and other or whether exceptions should be subject to static check- design patterns. The key insight is that whether an excep- ing [19, 28]. This disagreement continues to the present tion should be treated as a “checked” exception is not a prop- day [17]. Some currently popular languages—Java [20] and erty of its type but rather of the context in which the excep- Swift [46]—offer checked exceptions that the compiler stati- tion propagates. Statically checked exceptions can “tunnel” cally ensures are handled. However, exceptions are not part of through code that is oblivious to their presence, but the type type checking in other popular languages such as C++ [44], system nevertheless checks that these exceptions are han- C# [23], Scala [36], and Haskell [38]. dled. Further, exceptions can be tunneled without being acci- Proponents of static checking argue that exceptions rep- dentally caught, by expanding the space of exception identi- resent corner cases that are easy to forget. The evidence fiers to identify the exception-handling context. The resulting suggests they have a point. One study of a corpus of C# mechanism is expressive and syntactically light, and can be code [8] determined that 90% of the possible exceptions are implemented efficiently. We demonstrate the expressiveness undocumented. Undocumented exceptions make it hard to of the mechanism using significant codebases and evaluate know whether all exceptions are handled, and these unhan- its performance. We have implemented this new exception dled exceptions percolate up through abstraction layers, caus- mechanism as part of the new Genus programming language, ing unexpected software failures. Statically checked excep- but the mechanism could equally well be applied to other pro- tions help programmers build more robust code [48]. gramming languages. Opponents of static checking argue that the annotation Categories and Subject Descriptors D.3.3 [Programming burden of statically checked exceptions does not pay off— Languages]: Language Constructs and Features—Control that statically checked exceptions are too rigid to support structures common design patterns and common ways in which soft- ware evolves [11, 51]. They, too, have a point. The problems Keywords Exception tunneling; exception handling; Genus with statically checked exceptions have become more appar- ent in recent years as object-oriented (OO) languages like C#, Scala, and Java have acquired lambda expressions and the use of higher-order functions has become more common. As a re- Permission to make digital or hard copies of part or all of this work for personal or sult, the promise of exceptions to help make software more classroom use is granted without fee provided that copies are not made or distributed reliable has been partly lost. for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM Studies of the effectiveness of exception mechanisms have must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, concluded that existing mechanisms do not satisfy the appro- to post on servers, or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected] or Publications Dept., ACM, priate design criteria [6,7]. C# does not statically check ex- Inc., fax +1 (212) 869-0481. ceptions because its designers did not know how to design PLDI ’16, June 13–17, 2016, Santa Barbara, CA, USA such an exception mechanism well, saying “more thinking Copyright c 2016 ACM 978-1-4503-4261-2/16/06. $15.00 DOI: http://dx.doi.org/10.1145/2908080.2908086 is needed before we put some kind of checked exceptions 1 mechanism in place” [22]. It seems the long-running conflict more reliable. However, there are two quite different classes between checked and unchecked exceptions can be resolved of exceptional events, with different design goals: only by a new exception mechanism. • Failures. Some events cannot reasonably be expected to This paper aims to provide a better exception mecha- be handled correctly by the program—especially, events nism, one that combines the benefits of static checking with that arise because of programmer mistakes. Other events the flexibility of unchecked exceptions. The new mechanism such as running out of memory also fall into this category. gives programmers static, compile-time guidance to ensure exceptions are handled, but works well with higher-order • Unusual conditions. Other events arise during correct functions and design patterns. It adds little programmer bur- functioning of the program, in response to an unusual den and even reduces that burden. The run-time overhead but planned-for state of the environment, or even just an of the mechanism is low, because exception handling does unusual case of an algorithm. not require stack-trace collection in common use cases and These two classes place different requirements on the ex- avoids the need to wrap checked exceptions inside unchecked ception mechanism. For failures, efficiency is not a concern ones. because the program is not expected to recover. However, Two main insights underlie the new design. The first is that programmers need the ability to debug the (stopped) program the distinction between “checked” and “unchecked” should to discover why the failure occurred, so it is important to not be a property of the type of the exception being raised, as collect a stack trace. Furthermore, since failures imply vio- it is in Java, but rather a property of the context in which the lation of programmer assumptions, having to declare them exception propagates. In contexts that are aware of an excep- as part of method signatures or write handler code for them tion, the exception should be checked statically to ensure that is undesirable. Nonetheless, there are cases where the ability it is handled. To handle higher-order functions and design to catch failure exceptions is useful, such as when building patterns, however, some contexts must be oblivious to ex- frameworks for executing code that might fail. ceptions propagating through them; exceptions should tunnel For the second class of exceptions, unusual conditions, the uncaught through oblivious contexts, effectively unchecked. design goals are different. Now efficiency matters! Because This principle implies that the same exception may be both exceptions are slow in many common languages, program- checked and unchecked at different points during its propa- mers have learned to avoid using them. One insight is that gation. To prevent oblivious code from accidentally catch- because unusual conditions are part of the correct function- ing exceptions, a second insight is needed: exceptions can be ing of the program, the overhead of collecting a stack trace is distinguished by expanding the space of exception identifiers unnecessary. with an additional label that describes the exception-aware Unfortunately, existing languages tend not to support the context in which this exception can be caught. These labels distinction between these two exception classes well. For ex- can be viewed as an extension of the notion of blame labels ample, typical Java usage always leads to stack-trace collec- found in previous work on gradual typing [50]. Unlike with tion, making exceptions very expensive. At the same time, gradual typing, this sort of “blame” is not a programmer er- code is cluttered with handlers for impossible exceptions. ror; it is instead a way to indicate that exceptions should tun- nel through the oblivious code until they arrive at the right 2.1 Higher-Order Functions and Exceptions exception-aware context. Current exception mechanisms do not work well in code that We start the rest of the paper by exploring requirements uses higher-order functions. An example is an ML-style map for a good exception mechanism in Section 2. Sections3–6 method that applies a function argument to each element present our new exception mechanism informally in the con- of a list, returning a new list. Callers of the higher-order text of a Java-like language. Section 7 defines a core language function may wish to provide as an argument a function whose semantics show more precisely how the mechanism that produces exceptions to report an unusual condition that works. Using this core language, we prove the key theorem was encountered, such as an I/O exception. Of course, we that all exceptions are handled explicitly. Section 8 describes want these exceptions to be handled. But the implementation our implementation of the new exception mechanism in the of map knows nothing about these exceptions, so if such context of the Genus programming language [53]. The effec- exceptions do occur, they should be handled by the caller of tiveness of the mechanism is evaluated in Section 9, using map.
Recommended publications
  • Why Do Developers Neglect Exception Handling?
    Why Do Developers Neglect Exception Handling? Hina Shah, Carsten Görg, Mary Jean Harrold College of Computing, Georgia Institute of Technology, Atlanta, Georgia, U.S.A. {hinashah,goerg,harrold}@cc.gatech.edu ABSTRACT code. However, in these proposed approaches both types of code In this paper, we explore the problems associated with exception (main functionality code and exception handling code) would still handling from a new dimension: the human. We designed a study be implemented by the same developer. Filho and colleagues [2, that evaluates (1) different perspectives of software developers to 3] suggest lexically separating error-handling code from normal understand how they perceive exception handling and what meth- code so that both code types can be independently modified. In ods they adopt to deal with exception handling constructs, and (2) addition they propose leveraging aspect-oriented programming to the usefulness of a visualization tool that we developed in previ- enhance the separation between error-handling code and normal ous work for exception handling. We describe the design of our code. Zhang and colleagues [10] propose a different approach that study, present details about the study’s participants, describe the provides programmers with more intuitive exception-handling be- interviews we conducted with the participants, present the results havior and control. of the study, and discuss what we learned from the study. Based All these approaches concentrate on enhancing the separation on our analysis, we suggest several
    [Show full text]
  • SWI-Prolog 5.8.1 Reference Manual In
    University of Amsterdam Kruislaan 419, 1098 VA Amsterdam VU University Amsterdam De Boelelaan 1081a, 1081 HV Amsterdam The Netherlands SWI-Prolog 5.8 Reference Manual Updated for version 5.8.1, November 2009 Jan Wielemaker [email protected] http://www.swi-prolog.org SWI-Prolog is a Prolog implementation based on a subset of the WAM (Warren Ab- stract Machine). SWI-Prolog was developed as an open Prolog environment, providing a powerful and bi-directional interface to C in an era this was unknown to other Prolog implementations. This environment is required to deal with XPCE, an object-oriented GUI system developed at SWI. XPCE is used at SWI for the development of knowledge- intensive graphical applications. As SWI-Prolog became more popular, a large user-community provided requirements that guided its development. Compatibility, portability, scalability, stability and provid- ing a powerful development environment have been the most important requirements. Edinburgh, Quintus, SICStus and the ISO-standard guide the development of the SWI- Prolog primitives. This document gives an overview of the features, system limits and built-in predicates. Copyright c 1990–2009, University of Amsterdam Contents 1 Introduction 10 1.1 SWI-Prolog....................................... 10 1.1.1 Books about Prolog............................... 10 1.2 Status.......................................... 11 1.3 Compliance to the ISO standard............................ 11 1.4 Should you be using SWI-Prolog?........................... 11 1.5 The XPCE GUI system for Prolog........................... 12 1.6 Release Notes...................................... 13 1.7 Donate to the SWI-Prolog project........................... 19 1.8 Acknowledgements................................... 19 2 Overview 21 2.1 Getting started quickly................................
    [Show full text]
  • NAHS Technology and Business Department Introduction to Programming Curriculum Map
    NAHS Technology and Business Department Introduction to Programming Curriculum Map NAHS Technology and Business Department Introduction to Programming Curriculum Map Overview In this course, students are introduced to the fundamentals of computer programming. Students will explore programming concepts such as input/output, variables, methods, control logic, looping, arrays, classes, encapsulation, inheritance, and exception handling using both a graphical and text-based interface. Students will become proficient in code design, development, and testing process by applying these concepts to create various puzzles, forms, and games Curriculum Components • History of computers o Original needs that led to computer development o Historical figures related to the development of computers o The role of government in the development of computers o Computer generations & their characteristics • History of programming languages o The role of a computer program o Differences between computers and humans o Programming language generations and their characteristics o Characteristics of structured programming • Number Systems o Understanding number systems used by computers, understanding why they are used, and physical conversion among them • Programming concepts o Object oriented programming o Information hiding/encapsulation o Concepts related to classes, objects, and instances • Programming Lifecycle o Designing o Building the interface o Adding code o Testing o Concepts involved with building the final application (stand-alone) and understanding the difference between source code and object (executable) code Revised 10/31/10 1 NAHS Technology and Business Department Introduction to Programming Curriculum Map • Objects and Event Handlers o Understand what causes events to be “fired” o Using the appropriate event handler o Using the appropriate object for the intended job • Programming concepts o Assigning values to properties o The concept of datatypes o New dataype: strings o Handling basic syntax errors.
    [Show full text]
  • Dissertation Presented to the Faculty of the Graduate School of Cornell University
    DESIGNING FLEXIBLE, MODULAR LINGUISTIC ABSTRACTIONS A Dissertation Presented to the Faculty of the Graduate School of Cornell University in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy by Yizhou Zhang August 2019 © 2019 Yizhou Zhang ALL RIGHTS RESERVED DESIGNING FLEXIBLE, MODULAR LINGUISTIC ABSTRACTIONS Yizhou Zhang, Ph.D. Cornell University 2019 Programming-language design is more active than ever: existing languages are evolving continually and rapidly, and new languages keep springing up. While this constant iteration of language design aims to help programmers manage a growing software complexity, programmers are still frequently frustrated by poor design decisions in even the most essential aspects of modern program- ming languages. Less than satisfactory solutions to generic programming and exception handling typify this situation: the inadequacy of current solutions has even forced language designers to abandon these problematic language features. This is an unfortunate state of affairs. Language design does not have to be about abandoning old features or piling on new ones. This dissertation proposes novel linguistic abstractions for the aforementioned design problems, offering ease of use, expressive power, strong guarantees, and good performance all at the same time. It introduces a new mechanism for generic programming, embodied in the Genus programming language. Genus adds expressive power and strengthens static checking, while handling common usage patterns simply. The power of Genus is then integrated into a second language design, Familia, that unifies several polymorphism mechanisms in a lightweight package. Evaluation sug- gests the design of Genus and Familia addresses the need for genericity and extensibility in developing large, complex software.
    [Show full text]
  • Expressive Checked Exceptions
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by eCommons@Cornell Accepting Blame: Expressive Checked Exceptions Yizhou Zhang∗ Guido Salvaneschiy Quinn Beightol∗ Barbara Liskovz Andrew C. Myers∗ ∗Cornell University yTU Darmstadt zMIT [email protected] [email protected] [email protected] [email protected] [email protected] April, 2016 Abstract Unhandled exceptions crash programs, so a compile-time check that exceptions are handled should in principle make software more reliable. But designers of some recent languages have argued that the benefits of statically checked exceptions are not worth the costs. We introduce a new statically checked exception mechanism that addresses the problems with existing checked-exception mechanisms. In par- ticular, it interacts well with higher-order functions and other design patterns. The key insight is that whether an exception should be treated as a “checked” exception is not a property of its type but rather of the context in which the exception propagates. Statically checked exceptions can “tunnel” through code that is oblivious to their presence, but the type system nevertheless checks that these exceptions are handled. Further, exceptions can be tunneled without being accidentally caught, by expanding the space of exception identifiers to identify the exception-handling context. The resulting mechanism is ex- pressive and syntactically light, and can be implemented efficiently. We demonstrate the expressiveness of the mechanism using significant codebases and evaluate its performance. We have implemented this new exception mechanism as part of the new Genus programming language, but the mechanism could equally well be applied to other programming languages.
    [Show full text]
  • Technical Report on C++ Performance
    ISO/IEC TR 18015:2004(E) 2005-06-15 Information Technology — Programming languages, their environments and system software interfaces Technical Report on C++ Performance Technical Report on C++ Performance ISO/IEC TR 18015:2004(E) Contents Contents ......................................................................................2 Foreword ......................................................................................4 Introduction ......................................................................................5 1 Scope ......................................................................................7 2 Normative References .....................................................................8 3 Terms and definitions .....................................................................9 4 Typical Application Areas ............................................................. 18 4.1 Embedded Systems.......................................................................................................18 4.2 Servers.............................................................................................................................20 5 Language Features: Overheads and Strategies .......................... 21 5.1 Namespaces ...................................................................................................................21 5.2 Type Conversion Operators........................................................................................22 5.3 Classes and Inheritance................................................................................................23
    [Show full text]