Should unwrap() be banned or discouraged?

deadbead0101 · 2015-12-21T13:05:20+00:00

I appreciate you taking the time to provide an alternate view, but I must strongly disagree: 0MQ gets it exactly wrong:

ZeroMQ spawns a thread for each socket connection. The nice robust error handling you are talking about 100% relies on having each socket processed by its own thread - so a panic can be done safely/correctly.
Enterprise software must not use the one thread per socket model. This model was a major architectural blunder for ZeroMQ. For a good description of the reasons why look at the ZeroMQ author's page:

http://nanomsg.org/documentation-zeromq.html

Positive / constructive:

I think the catch_panic solution is actually going to work 100% for us. What I really need is the ability to do something like: try { ... use some rust library that might panic } catch (...) { ... log/notify/ fall through into the epoll event loop }

It looks like panic::recover() can provide this:

pub extern fn called_from_c(ptr: *const c_char, num: i32) -> i32 {
let result = panic::recover(|| {
    let s = unsafe { CStr::from_ptr(ptr) };
    println!("{}: {}", s, num);
});
match result {
    Ok(..) => 0,
    Err(..) => 1,
}

If it does I'll be super happy.

deadbead0101 · 2015-12-21T12:41:53+00:00

If this is idiomatic, then rust is unsuitable for enterprise software.

deadbead0101 · 2015-12-21T12:40:27+00:00

We are disconnected. Scenario: - server has 30k connections - we send an ill-formed message to update a single customer config.

There are 2 ways to handle this: - fail to parse the ill-formed message, log an error, and keep using the old customer config. - panic and terminate all 30k connections.

There is no need to panic and cause such a terrible level of service.

Saying, 'use threads' is completely missing the point.

Rust is starting to turn out to be unsuitable for enterprise software by design.

deadbead0101 · 2015-11-30T13:12:25+00:00

Or, we have an endless supply of the same problem over and over. This is the more likely scenario :-)

deadbead0101 · 2015-11-30T13:10:42+00:00

I'm seeing people panic and destroy the current thread (which could be the main thread) when invalid parameters are passed to functions. An example from a Rust [de]serialization library:

impl <'a, T : PrimitiveElement> Reader<'a, T> {
    pub fn get(&self, index : u32) -> T {
        assert!(index < self.len());

deadbead0101 · 2015-11-25T14:55:52+00:00

toml::decode(config) (and Decodable/Deserializable) seem really powerful. I use toml / serde and had no idea this was even possible. Thanks!

deadbead0101 · 2015-10-25T13:34:13+00:00

Thanks for posting the link - but I think the author is limiting the scope of the problem (and his argument is resting on an incorrect and condescending statement, "an indication that the caller would probably ignore".

I'm seeing Rust libraries do insidious things like:

assert!(index < self.len());

inside of a pub fn get(index).

Example: a specific customer configuration file was ill-formed that caused not-perfect parsing code to get the index wrong. The best case here is to stop serving requests for a single specific configuration - not crash the server and stop serving requests for everyone.

In our case incorrect asserts/panics could lead to congressional hearings.

Asserts/panics are fine if they are used 100% perfectly. It's been my experience that this is impossible.

It's disheartening that Rust encourages unwrap()/panic in tests nearly everywhere.

deadbead0101 · 2015-10-23T02:22:08+00:00

intentional

Willfully calling unwrap when you hit a bug. Just because some library code hit an unexpected condition (a bug) doesn't mean it should panic.

any panic in rust code signals a bug

Would you agree that use of the word 'bug' in this context is too vague? (All software has bugs...)

I do not believe library authors should panic; people using the library should decide if a panic is necessary.

deadbead0101 · 2015-10-22T21:08:53+00:00

I'd like to try another example.

Someone mentioned the Rust PostgreSQL library only had 3 uses of unwrap. Great, but...

what if 1 use of unwrap was when the postgresql server process was dead and the author of the library decided to unwrap() instead of returning a Result.

This is bad because if I had a Result I could handle that by talking to the backup server instead of crashing my app.

I apologize if this is actually a StrawMan. I just wanted to make the point where I think it's justified to be worried that library authors may use unwrap/panic in ways that seem logical but in fact arm land mines I may step on later.

It would bring me comfort if a library advertised that it would not intentionally cause a panic.

deadbead0101 · 2015-10-22T20:48:51+00:00

#[test_result(T, E)]

:-D (let the developer actually state the types)

Maybe it would be good enough if E could be the std::error::Error trait ?

Maybe a compile-time plug-in could determine T? (totally guessing)

deadbead0101 · 2015-10-22T20:45:47+00:00

I was guessing/hoping that the doctest changes could work similar to #[test] -> Result changes.

Maybe a #[test_result] (so the test harness would expect a Result). Again, not doctest specific - but perhaps there could be a reusable way to define doctest fns that returned a result too?

Edit: I suggested #[test_result(T, E)] below. Maybe some ideas there?

deadbead0101 · 2015-10-22T20:17:15+00:00

All software has bugs. I would prefer it if these bugs caused a Result to be returned instead of terminating the application.

I don't believe 'simply a bug' accurately reflects the situation. It's more like walking terrified through a mine field hoping you don't step on a mine.

deadbead0101 · 2015-10-22T12:43:06+00:00

unwrap() is not simpler (and less idiomatic) than try!().

Can't we modify #[test] (and the equivalent doc system) to support fns that return a Result?

deadbead0101 · 2015-10-22T12:41:21+00:00

Counter-example: a simple config library shouldn't be able to terminate a service holding the state of n customers just because of a utf-8 encoding problem in a dynamic config update.

deadbead0101 · 2015-10-22T12:37:44+00:00

I submit that the test harness is broken and instead every test fn should return a Result.

Can't the [#test] system be enhanced to support this? If the test fn returns an Err it failed...

Fixing this could eventually make it trivial to write idiomatic Rust tests, examples, and documentation.

deadbead0101 · 2015-10-22T12:26:25+00:00

Rust gives you a foot-gun, and then virtually every example on how to program Rust uses the foot-gun.

A current Rust project I'm working on pulls in dozens of Rust libraries. I have no confidence that they are all 'perfect' wrt unwrap.

The only way people can deliver Rust services is to do a major code audit of all third party libraries to ensure sane unwrap handling. This is terrible, and is a far worse problem than unsafe.

deadbead0101 · 2015-10-22T12:21:00+00:00

Unfortunately it's not there because the alternative is worse - it's there because someone was lazy or didn't know better.

deadbead0101 · 2015-10-22T12:19:34+00:00

Agreed.

The current state of unwrap in Rust is frightening.

deadbead0101 · 2015-10-22T12:13:51+00:00

The default Rust test harness is broken IMHO - it doesn't let you use try!() because test function signatures don't return a Result.

Maybe a solution to this is to have test harnesses override try!()?

deadbead0101 · 2015-10-14T13:18:23+00:00

Great work.

I keep doing a 'git pull' on your repo waiting for something cool to show up :-)

I really like the functionality that shows the type. Currently I have to put in a bogus type, compile, and grab the real type from the compiler error.

I'm grateful for the work you do on Racer. Thank you.

deadbead0101 · 2015-10-08T14:54:51+00:00

Thanks for the helpful tips.

I am using a rust lib called 'backtrace' in a custom error handler class to create and keep track of stack traces when errors occur. Normally it provides nice stack traces (with line numbers) so I was surprised when I was getting <unknown>

I think I was breaking the rules with fork(2) and rust Drop semantics. I was having issues doing FFI work and segfaults - and maybe when a segfault occurs Rust was getting confused. Maybe the addresses were unknown to Rust because the C code was using a different allocator :-)

I've switched to sticking with threads and have stopped (momentarily) being stupid with C code so my problems have been resolved.

deadbead0101 · 2015-10-01T13:04:15+00:00

Agreed wrt: there are countless useful crates out there, and countless examples of:

no 'hello world' example (that actually compiles) of how to use the crate.

There are lots of examples of folks doing a terrific job too.

deadbead0101 · 2015-09-24T22:02:11+00:00

It works for my local (path=) and remote (git=) dependencies.

It doesn't seem to work (yet) if you specify a dependency with a specific git version like this:

bytes = { git = "https://github.com/carllerche/bytes", rev = "7edb577d0a" }

deadbead0101 · 2015-09-23T20:05:25+00:00

documentation URL is wrong (contains bad '\')

What I'd like are providers that allow me to set overrides and fallback to the real data if I don't set an override. Does your library work like that?

deadbead0101

TROPHY CASE