عرض الشرائح | المنهج العملي في التعامل مع الأخطاء

class: middle

#A Practical Approach to Error Handling

---

#Introduction

- Errors can happen anywhere
- Want reliable program
- No time to write error handling

What do we do?

---

#Options for Error Handling

```cpp
file f("file.txt");
```

What happens if the file does not exist?

- return value
```cpp
file f;
bool bOk=f.open("file.txt");
if( !bOk ) {...}
```
  * not for ctor
--

- out parameter
```cpp
bool bOk;
file f("text.txt",bOk);
if( !bOk ) {...}
```

- clutter code with checks
  * can forget check - `[[nodiscard]]` for return values
  
---
#Options for Error Handling (2)

- status: bad flag on first failure

* single control path
  * good if checking at the very end is good enough
	  * writing a file - ok
      * reading a file - maybe not

* default for C++ iostreams
--

- monad
  * goal: same code path for success and error case
  * like `std::variant<result, error>` + utilities
  * P0323R11 `std::expected`
  
---
#Options for Error Handling: Exception

- exception
--

* Catch exception objects always by reference
     * Slicing
     * Copying of exception may throw -> `std::terminate`

```cpp
struct A {...};
struct B : A {...};

try {
	throw B();
*} catch( A a ) { // B gets sliced and copied into a
	...
	throw; // throws original B
};
```

---
#Options for Error Handling: Exception

- exception
  * Catch exception objects always by reference
     * Slicing
     * Copying of exception may throw -> `std::terminate`

```cpp
struct A {...};
struct B : A {...};

try {
	throw B();
*} catch( A const& a ) { // no slicing or copying
	...
	throw; // throws original B
};
```

---

#Options for Error Handling: Exception (2)

- work like multi-level return/goto
- add invisible code paths
  * one reason some code bases do not allow exceptions

```cpp
auto inc(int i)->int { // throw(char const*)
	if(3==i) throw "Hello";
	return i+1;
}

auto main()->int {
	try {
		int n=3;
		n=inc(n); // throw(char const*)
	} catch( char const* psz ) {
		std::cout << psz;
	}
	return 0;
}
```

---

#Options for Error Handling: Exception (2)

- work like multi-level return/goto
- add invisible code paths
  * one reason some code bases do not allow exceptions

```cpp
auto inc(int i)->int { // throw(char const*)
*   if(3==i) throw "Hello";
	return i+1;
}

auto main()->int {
	try {
		int n=3;
*       n=inc(n); // throw(char const*)
	} catch( char const* psz ) {
		std::cout << psz;
	}
	return 0;
}
```

---

#Options for Error Handling: Exception (3)

```cpp
auto inc(int i, char const* & pszException )->int {
	{
		if(3==i) {
			pszException="Hello";
*           goto exception;
		}
		return i+1;
	}
exception:
	return 0;
}
```

---

#Options for Error Handling: Exception (4)

```cpp
auto main()->int {
	char const* pszException=nullptr;
	{
		int n=3;
		n=inc(n,pszException);
*       if( pszException ) goto exception;
		return 0;
	}
exception:
	{
		std::cout << pszException;
		return 0;
	}
}
```

Stop whining! Of course must write exception-safe code!

---

#Exception Safety Guarantees
(not really exception-specific)

Part of function specification

- Never Fails

- Strong Exception Guarantee:
    * may fail (throw), but will restore program state to what it was before: transactional
	   * possible and desirable in library functions
	   * very hard in application code
			* usually too many state changes

--
			
- Basic Exception Guarantee:
	* may fail (throw), but will restore program to some valid state
		
---

#Basic Exception Safety Guarantee

Customer: "Hello, is this Microsoft Word support?
  I was writing a book. Suddenly, Word deleted
  everything."

Microsoft: "Oh, that's ok. Word only provides a basic
  exception guarantee."

Customer: "Oh, alright then, thank you very much and
  have a good day!"

---

#The Challenge

- Error handling is a lot of effort
  * in development
       * must be paranoid
	   * create a lot of extra code
  * in testing
       * many codepaths to test
	   * if you don't test them, they won't work
--

- Little customer gain
--

- So what do we do?

---
#So what do we do?

- Check everything
  * check every API call
       * one wrapper per error reporting method
	     * Windows: `GetLastError()`, `HRESULT`
		 * Unix: `errno`
  * `assert` aggressively
       * asserts stay in Release 
  * `noexcept` if caller does not handle exception
       * `std::terminate`, but unexpected exceptions will terminate anyway
	   * install handler with `std::set_terminate` for checking
--

- Assume everything works
--

- Goal:
  * keep set of code paths small
  * keep set of program states small

---
#If checks fail
- prio 1: collect as much information as possible
  * client: send report with memory dump home
  * server: halt thread and notify operator
--

- prio 2: carry on somehow
  * if check was critical, program behavior now undefined: no further reports
  * do not terminate when assertion fails
      * `assert`s can be wrong, too
  * if you need safety (nuclear powerplant, etc.), add at higher level
      * example: server stops processing request categories with too many pending requests

---
#Next: Homework

- Reproduce the error at home
--

- Add handling code only for errors that are reproducible
    * Otherwise you write
	    * error handlers that are never used
        * error handlers that are never tested, do the wrong thing

--
		
- 5% of handlers handle 95% of errors
	* Write high quality error handlers
		* Bad: show message box
		* Good: fix the problem

---
#Categories of Errors: Critical

- `nullptr` access
- API calls not expected to fail
  * not with this error code
- assertions
--

- "never happens"
  * no handler
  * like C++ undefined behavior: program is invalid
--

- Client: send report, disable future reports
- Server: notify operator, enter infinite loop (wait for debugger)

- Notify user only if false alarm unlikely
  * `assert`s may be wrong
  
---
#Categories of Errors: Untested

```cpp
auto RegisterFooHook(Foo foo) {
	errcode_t err=RegisterFoo(foo);
	if(err==SUCCESS) KeepTrackOfFoo(foo);
	return err;
}
```

- If `err` indicates error, does nothing, no error handling needed
--

- But no reproduction for `RegisterFoo` failing
- Effect on rest of the program?

- Client: send report, throttle future reports
  * in Debug: notify developer
- Server: send report

---
#Categories of Errors: Bad User Experience

- 3rd party bug
  * sometimes PowerPoint makes shape disappear
- Reproducible, supported and tested

- Not nice, users may complain
--

- Client/Server: only log, no report
  * to explain behavior if user calls

---
#Categories of Errors: Indication of broken environment

- Other add-in hooked same function as us
- OS reports space as default decimal separator
  * both fully supported by us
--

- Could still be cause of a problem
--

- Client during remote support: notify support engineer
  * maybe reason for support call

---
#Error Analysis
- Reports with memory dumps sent to server
  * automatically
  * if user opted out, user can send prepared email
--

- Error database
  * memory dumps opened in debugger
  * errors automatically categorized by file/line
  * details and memory dump accessible to devs
--

- Devs can mark errors as fixed
  * trigger automatic update
  * or send automatic email - magic!

---
#Cause Analysis

- Problem often related to customer environment
- Otherwise in-house testing would have found it
--

- Memory dumps have list of loaded modules (DLLs, dylibs)
- Can we identify module causing error?
  * or versions of module?
  
--

Report database with all reports
- 1 means has particular problem
- 0 means has different problem

`0 1 1 0 0 1 0 1 0 1 1 0` (6 occurrences among 12 reports)

`x - x - - x x - x - x -` Module A (with: 3/6, without: 3/6)

`- x x - x x - x x - - -` Module B (with: 4/6, without: 2/6)
--

- Module B responsible? Or chance?

---
# Minimum Description Length

- Compressing

`0 1 1 0 0 1 0 1 0 1 1 0` (6/12)

- Knowing if reports contain module B helps compressing?

`- x x - x x - x x - - -` Module B (with: 4/6, without: 2/6)
--

- perfect arithmetic compression (Laplacian estimator)
  * estimates probability `p` that report has particular problem
- all `p` in `[0,1]` equally likely

- no. bits to compress `N` bits with `K` ones:

`log [ (N+1) * (N over K) ]`

- no. bits becomes smaller if p is closer to 0 or 1:
  * 12 bits with 6 ones: 13.55 bits
  * 12 bits with no ones: 3.70 bits

---

#Compressing Reports

`0 0 1 0 0 1 0 1 0 1 1 0` (6/12)

`x - x - - x x - x - x -` Module A (with: 3/6, without: 3/6)

`- x x - x x - x x - - -` Module B (with: 4/6, without: 2/6)
--

- Compressing all reports together (6/12): 13.55 bits
--

- Make use of module A
  * choose module A over B: 1 bit
  * compressing all reports with A (3/6): 7.13 bits
  * compressing all reports without A (3/6): 7.13 bits
  * total: 15.26 bits - module A has nothing to do with problem

---

#Compressing Reports

`0 0 1 0 0 1 0 1 0 1 1 0` (6/12)

`x - x - - x x - x - x -` Module A (with: 3/6, without: 3/6)

`- x x - x x - x x - - -` Module B (with: 4/6, without: 2/6)
- Compressing all reports together (6/12): 13.55 bits
- Make use of module B
  * choose module B over A: 1 bit
  * compressing all reports with B (4/6): 6.71 bits
  * compressing all reports without B (2/6): 6.71 bits
  * total: 14.43 bits - still not relevant enough
  
---

#Compressing Reports

`0 0 1 0 0 1 0 1 0 1 1 0` (6/12)

`x - x - - x x - x - x -` Module A (with: 3/6, without: 3/6)

`- x x - x x - x x - - -` Module B (with: 4/6, without: 2/6)

`- x x - x x - x - x - -` Module C (with: 5/6, without: 1/6)
- Compressing all reports together (6/12): 13.55 bits
- Make use of module C
  * choose module C over A and B: log2(3) = 1.58 bits
  * compressing all reports with C (5/6): 5.39 bits
  * compressing all reports without C (1/6): 5.39 bits
  * total: 12.37 bits - relevant!
--

- More hypotheses make chance more likely
- Also works if certain module fixes problem
- Extend to module versions

---

#C++20 Contracts

- new language feature
- `assert` on steroids
- declarative function pre- and postconditions

```cpp
void push(int x, queue& q)
[[expects: !q.full()]]
[[ensures: !q.empty()]]
{
...
[[assert: q.is_valid()]]
...
}
```

---

#C++20 Contracts (2)

- When check contract?
  * debug
  * release
  * never

- What to do if contract violated?
  * terminate
  * carry on
  * report (what to whom?)

--
- removed from C++20 at last moment
- discussion will continue for C++23

---
#THANK YOU!

for attending.

And yes, we are recruiting:

`hr@think-cell.com`

![](/assets/en/career/talks/errorhandling/banner.jpg)

---

#A Very Special Class of Errors

```cpp
std::int32_t a=2 000 000 000;
std::int32_t b=a+a;
```

What is `b`?

Uuh, may overflow.
- Let's check for it!
```cpp
if( b<a ) {
	... treat overflow ...
}
```

Ok?

---

#Undefined Behavior (UB)

Example: int arithmetic overflow

If program contains undefined behavior, compiler
can do anything _with the whole program_!

- In particular, compiler may assume that UB never happens

```cpp
int i=...;
int j=i;
++i;
// code for overflow may be thrown out by compiler!
// if( i<j ) {
//		... treat overflow ...
// }
```

- This is not just theory, it happens _in practice_!
- `unsigned` types are different: modulo arithmetic

↑, ←, Pg Up, k	Go to previous slide
↓, →, Pg Dn, Space, j	Go to next slide
Home	Go to first slide
End	Go to last slide
b / m / f	Toggle blackout / mirrored / fullscreen mode
c	Clone slideshow
p	Toggle presenter mode
t	Restart the presentation timer
?, h	Toggle this help

مشاركة

A Practical Approach to Error Handling

Introduction

Options for Error Handling

Options for Error Handling

Options for Error Handling

Options for Error Handling

Options for Error Handling (2)

Options for Error Handling (2)

Options for Error Handling: Exception

Options for Error Handling: Exception

Options for Error Handling: Exception

Options for Error Handling: Exception (2)

Options for Error Handling: Exception (2)

Options for Error Handling: Exception (3)

Options for Error Handling: Exception (4)

Options for Error Handling: Exception (4)

Exception Safety Guarantees

Exception Safety Guarantees

Exception Safety Guarantees

Basic Exception Safety Guarantee

The Challenge

The Challenge

The Challenge

So what do we do?

So what do we do?

So what do we do?

If checks fail

If checks fail

Next: Homework

Next: Homework

Next: Homework

Categories of Errors: Critical

Categories of Errors: Critical

Categories of Errors: Critical

Categories of Errors: Untested

Categories of Errors: Untested

Categories of Errors: Untested

Categories of Errors: Bad User Experience

Categories of Errors: Bad User Experience

Categories of Errors: Bad User Experience

Categories of Errors: Indication of broken environment

Categories of Errors: Indication of broken environment

Categories of Errors: Indication of broken environment

Error Analysis

Error Analysis

Error Analysis

Cause Analysis

Cause Analysis

Cause Analysis

Cause Analysis

Cause Analysis

Minimum Description Length

Minimum Description Length

Compressing Reports

Compressing Reports

Compressing Reports

Compressing Reports

Compressing Reports

Compressing Reports

C++20 Contracts

C++20 Contracts (2)

C++20 Contracts (2)

THANK YOU!

A Very Special Class of Errors

A Very Special Class of Errors

Undefined Behavior (UB)

Undefined Behavior (UB)

Introduction

Help