Accepting Blame for Safe Tunneled Exceptions Yizhou Zhang∗ Guido Salvaneschiy Quinn Beightol∗ Barbara Liskovz Andrew C. Myers∗ ∗Cornell University, USA yTU Darmstadt, Germany zMIT, USA [email protected] [email protected] [email protected] [email protected] [email protected] Abstract 1. Introduction Unhandled exceptions crash programs, so a compile-time Exceptions make code more reliable by helping programmers check that exceptions are handled should in principle make handle abnormal or unusual run-time conditions. The core software more reliable. But designers of some recent lan- idea is to transfer control in a nonlocal way to handler code guages have argued that the benefits of statically checked ex- that can be factored out from common-case code. This sepa- ceptions are not worth the costs. We introduce a new stati- ration of concerns simplifies code and prompts programmers cally checked exception mechanism that addresses the prob- not to forget about exceptional conditions. lems with existing checked-exception mechanisms. In partic- There has been disagreement since the 1970’s about how ular, it interacts well with higher-order functions and other or whether exceptions should be subject to static check- design patterns. The key insight is that whether an excep- ing [19, 28]. This disagreement continues to the present tion should be treated as a “checked” exception is not a prop- day [17]. Some currently popular languages—Java [20] and erty of its type but rather of the context in which the excep- Swift [46]—offer checked exceptions that the compiler stati- tion propagates. Statically checked exceptions can “tunnel” cally ensures are handled. However, exceptions are not part of through code that is oblivious to their presence, but the type type checking in other popular languages such as C++ [44], system nevertheless checks that these exceptions are han- C# [23], Scala [36], and Haskell [38]. dled. Further, exceptions can be tunneled without being acci- Proponents of static checking argue that exceptions rep- dentally caught, by expanding the space of exception identi- resent corner cases that are easy to forget. The evidence fiers to identify the exception-handling context. The resulting suggests they have a point. One study of a corpus of C# mechanism is expressive and syntactically light, and can be code [8] determined that 90% of the possible exceptions are implemented efficiently. We demonstrate the expressiveness undocumented. Undocumented exceptions make it hard to of the mechanism using significant codebases and evaluate know whether all exceptions are handled, and these unhan- its performance. We have implemented this new exception dled exceptions percolate up through abstraction layers, caus- mechanism as part of the new Genus programming language, ing unexpected software failures. Statically checked excep- but the mechanism could equally well be applied to other pro- tions help programmers build more robust code [48]. gramming languages. Opponents of static checking argue that the annotation Categories and Subject Descriptors D.3.3 [Programming burden of statically checked exceptions does not pay off— Languages]: Language Constructs and Features—Control that statically checked exceptions are too rigid to support structures common design patterns and common ways in which soft- ware evolves [11, 51]. They, too, have a point. The problems Keywords Exception tunneling; exception handling; Genus with statically checked exceptions have become more appar- ent in recent years as object-oriented (OO) languages like C#, Scala, and Java have acquired lambda expressions and the use of higher-order functions has become more common. As a re- Permission to make digital or hard copies of part or all of this work for personal or sult, the promise of exceptions to help make software more classroom use is granted without fee provided that copies are not made or distributed reliable has been partly lost. for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM Studies of the effectiveness of exception mechanisms have must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, concluded that existing mechanisms do not satisfy the appro- to post on servers, or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected] or Publications Dept., ACM, priate design criteria [6,7]. C# does not statically check ex- Inc., fax +1 (212) 869-0481. ceptions because its designers did not know how to design PLDI ’16, June 13–17, 2016, Santa Barbara, CA, USA such an exception mechanism well, saying “more thinking Copyright c 2016 ACM 978-1-4503-4261-2/16/06. $15.00 DOI: http://dx.doi.org/10.1145/2908080.2908086 is needed before we put some kind of checked exceptions 1 mechanism in place” [22]. It seems the long-running conflict more reliable. However, there are two quite different classes between checked and unchecked exceptions can be resolved of exceptional events, with different design goals: only by a new exception mechanism. • Failures. Some events cannot reasonably be expected to This paper aims to provide a better exception mecha- be handled correctly by the program—especially, events nism, one that combines the benefits of static checking with that arise because of programmer mistakes. Other events the flexibility of unchecked exceptions. The new mechanism such as running out of memory also fall into this category. gives programmers static, compile-time guidance to ensure exceptions are handled, but works well with higher-order • Unusual conditions. Other events arise during correct functions and design patterns. It adds little programmer bur- functioning of the program, in response to an unusual den and even reduces that burden. The run-time overhead but planned-for state of the environment, or even just an of the mechanism is low, because exception handling does unusual case of an algorithm. not require stack-trace collection in common use cases and These two classes place different requirements on the ex- avoids the need to wrap checked exceptions inside unchecked ception mechanism. For failures, efficiency is not a concern ones. because the program is not expected to recover. However, Two main insights underlie the new design. The first is that programmers need the ability to debug the (stopped) program the distinction between “checked” and “unchecked” should to discover why the failure occurred, so it is important to not be a property of the type of the exception being raised, as collect a stack trace. Furthermore, since failures imply vio- it is in Java, but rather a property of the context in which the lation of programmer assumptions, having to declare them exception propagates. In contexts that are aware of an excep- as part of method signatures or write handler code for them tion, the exception should be checked statically to ensure that is undesirable. Nonetheless, there are cases where the ability it is handled. To handle higher-order functions and design to catch failure exceptions is useful, such as when building patterns, however, some contexts must be oblivious to ex- frameworks for executing code that might fail. ceptions propagating through them; exceptions should tunnel For the second class of exceptions, unusual conditions, the uncaught through oblivious contexts, effectively unchecked. design goals are different. Now efficiency matters! Because This principle implies that the same exception may be both exceptions are slow in many common languages, program- checked and unchecked at different points during its propa- mers have learned to avoid using them. One insight is that gation. To prevent oblivious code from accidentally catch- because unusual conditions are part of the correct function- ing exceptions, a second insight is needed: exceptions can be ing of the program, the overhead of collecting a stack trace is distinguished by expanding the space of exception identifiers unnecessary. with an additional label that describes the exception-aware Unfortunately, existing languages tend not to support the context in which this exception can be caught. These labels distinction between these two exception classes well. For ex- can be viewed as an extension of the notion of blame labels ample, typical Java usage always leads to stack-trace collec- found in previous work on gradual typing [50]. Unlike with tion, making exceptions very expensive. At the same time, gradual typing, this sort of “blame” is not a programmer er- code is cluttered with handlers for impossible exceptions. ror; it is instead a way to indicate that exceptions should tun- nel through the oblivious code until they arrive at the right 2.1 Higher-Order Functions and Exceptions exception-aware context. Current exception mechanisms do not work well in code that We start the rest of the paper by exploring requirements uses higher-order functions. An example is an ML-style map for a good exception mechanism in Section 2. Sections3–6 method that applies a function argument to each element present our new exception mechanism informally in the con- of a list, returning a new list. Callers of the higher-order text of a Java-like language. Section 7 defines a core language function may wish to provide as an argument a function whose semantics show more precisely how the mechanism that produces exceptions to report an unusual condition that works. Using this core language, we prove the key theorem was encountered, such as an I/O exception. Of course, we that all exceptions are handled explicitly. Section 8 describes want these exceptions to be handled. But the implementation our implementation of the new exception mechanism in the of map knows nothing about these exceptions, so if such context of the Genus programming language [53]. The effec- exceptions do occur, they should be handled by the caller of tiveness of the mechanism is evaluated in Section 9, using map.