[VOTE] Allowing use of exceptions in the engine

10 years ago by Nikita Popov — view source

unread

Hi internals!

I opened the vote on the "Exceptions in the engine" RFC:

https://wiki.php.net/rfc/engine_exceptions#vote

The vote has three options, "Yes", "No" and "Yes, without
E_RECOVERABLE_ERROR changes". The last option is a version of the proposal
without BC issues.

Some further notes:

I will not be including something like BaseException. Introducing it for
this purpose seems like bad design and will be very hard to get rid of in
the future. As the proposal (without recoverable errors) does not break BC
[1] even without it, I don't see a reason to introduce it.
Some people suggest to use different subclasses of EngineException for
different error types. I'm not against that, but I think it's okay to do
that in a separate proposal, if someone can come up with a good selection
of exception classes. It's much easier (and does not break BC) to add
subclassing later, than to add suboptimal subclass types now and try to fix
something like the SPL exception mess later.
The suggested uncaught exception error message change is just a bit of
cosmetics (and not directly related to this proposal), so I'd like to do
that separately.

And regarding the vote: If you are in favor of the proposal in general, but
want to have it in PHP 6 rather than PHP 5.6, then vote "No" here. If it
fails now, someone can revive this once the time for PHP 6 has come.

Thanks,
Nikita

[1]: We don't have a formal definition for this, but it seems to be general
consensus that relaxing error conditions does not constitute a backwards
compatibility break.

10 years ago by Ferenc Kovacs — view source

unread

Hi internals!

I opened the vote on the "Exceptions in the engine" RFC:
https://wiki.php.net/rfc/engine_exceptions#vote
The vote has three options, "Yes", "No" and "Yes, without
E_RECOVERABLE_ERROR changes". The last option is a version of the proposal
without BC issues.

Some further notes:

I will not be including something like BaseException. Introducing it for
this purpose seems like bad design and will be very hard to get rid of in
the future. As the proposal (without recoverable errors) does not break BC
[1] even without it, I don't see a reason to introduce it.

Some people suggest to use different subclasses of EngineException for
different error types. I'm not against that, but I think it's okay to do
that in a separate proposal, if someone can come up with a good selection
of exception classes. It's much easier (and does not break BC) to add
subclassing later, than to add suboptimal subclass types now and try to fix
something like the SPL exception mess later.

The suggested uncaught exception error message change is just a bit of
cosmetics (and not directly related to this proposal), so I'd like to do
that separately.

And regarding the vote: If you are in favor of the proposal in general, but
want to have it in PHP 6 rather than PHP 5.6, then vote "No" here. If it
fails now, someone can revive this once the time for PHP 6 has come.

Thanks,
Nikita

[1]: We don't have a formal definition for this, but it seems to be general
consensus that relaxing error conditions does not constitute a backwards
compatibility break.

personally I have seen catch-all blocks in the wild (try {//do something}
catch(Exception $e) {//do nothing}), which would behave differently (and
some of them would screw something up instead of terminating the app) if
the EngineException is a subclass of Exception.
I can see myself supporting this proposal for 5.6, if we can have it done
in a truly BC-safe manner, but I can understand, if the required
compromises for that would make the feature too "clunky", so maybe it would
be better to introduce it in a major version.

--
Ferenc Kovács
@Tyr43l - http://tyrael.hu

10 years ago by Nikita Popov — view source

unread

personally I have seen catch-all blocks in the wild (try {//do something}
catch(Exception $e) {//do nothing}), which would behave differently (and
some of them would screw something up instead of terminating the app) if
the EngineException is a subclass of Exception.
I can see myself supporting this proposal for 5.6, if we can have it done
in a truly BC-safe manner, but I can understand, if the required
compromises for that would make the feature too "clunky", so maybe it would
be better to introduce it in a major version.

I'm not sure I see how catch-all blocks relate to BC-safety as far as
E_ERROR is concerned. If an engine exception is accidentally caught by a
catch-all block, it means that previously it was throwing a fatal error,
which means that your code didn't work anyway - in all likeliness you were
getting a WSOD or ISE. The catch-all block will not break the code (it is
already broken), it will only change the way in which it fails (or prevent
it from failing altogether). Of course, unintentionally missing an error
is an issue, but it's not an issue of BC.

Nikita

10 years ago by Jakub Zelenka — view source

unread

personally I have seen catch-all blocks in the wild (try {//do something}
catch(Exception $e) {//do nothing}), which would behave differently (and
some of them would screw something up instead of terminating the app) if
the EngineException is a subclass of Exception.
I can see myself supporting this proposal for 5.6, if we can have it done
in a truly BC-safe manner, but I can understand, if the required
compromises for that would make the feature too "clunky", so maybe it
would
be better to introduce it in a major version.

I'm not sure I see how catch-all blocks relate to BC-safety as far as
E_ERROR is concerned. If an engine exception is accidentally caught by a
catch-all block, it means that previously it was throwing a fatal error,
which means that your code didn't work anyway - in all likeliness you were
getting a WSOD or ISE. The catch-all block will not break the code (it is
already broken), it will only change the way in which it fails (or prevent
it from failing altogether). Of course, unintentionally missing an error
is an issue, but it's not an issue of BC.

Nikita

I think that the problem could be code like this:

try {
// do same stuff
} catch (Exception $e) {}
delete_something_important();

I haven't tested the patch but from what I read it seems that
delete_something_important() would be now called even if there was a fatal
error in the try block?

In addition there is a small BC break that should be probably mentioned in
RFC. All apps with defined EngineException will not work. I actually found
one open source app. It's the first version of ORM Propel:

https://github.com/propelorm/Propel/blob/master/generator/lib/exception/EngineException.php

It looks that it's still used quite a few users (even there is a version 2
that resolved this using ns). I believe that there can be more closed
source apps so it should be at least mentioned in RFC...

Jakub

10 years ago by Adam Harvey — view source

unread

I opened the vote on the "Exceptions in the engine" RFC:
https://wiki.php.net/rfc/engine_exceptions#vote
The vote has three options, "Yes", "No" and "Yes, without
E_RECOVERABLE_ERROR changes". The last option is a version of the proposal
without BC issues.

And regarding the vote: If you are in favor of the proposal in general, but
want to have it in PHP 6 rather than PHP 5.6, then vote "No" here. If it
fails now, someone can revive this once the time for PHP 6 has come.

To be clear: I've voted -1 for exactly this reason, and this reason
alone. I don't think implementing this piecemeal (without the
E_RECOVERABLE_ERROR changes) is the right way to go — I would prefer
to have the whole thing as part of a 6.0 release, rather than
potentially confusing users with a partial implementation.

Notes on the notes:

I will not be including something like BaseException. Introducing it for
this purpose seems like bad design and will be very hard to get rid of in
the future. As the proposal (without recoverable errors) does not break BC
[1] even without it, I don't see a reason to introduce it.

+1. I think I said last time that it felt like the
mysql_real_escape_string() of exception API design. :)

Some people suggest to use different subclasses of EngineException for
different error types. I'm not against that, but I think it's okay to do
that in a separate proposal, if someone can come up with a good selection
of exception classes. It's much easier (and does not break BC) to add
subclassing later, than to add suboptimal subclass types now and try to fix
something like the SPL exception mess later.

Also +1.

Adam

10 years ago by Andrea Faulds — view source

unread

To be clear: I've voted -1 for exactly this reason, and this reason
alone. I don't think implementing this piecemeal (without the
E_RECOVERABLE_ERROR changes) is the right way to go — I would prefer
to have the whole thing as part of a 6.0 release, rather than
potentially confusing users with a partial implementation.

Maybe I'm misunderstanding you here, but if you don't want it piecemeal,
surely just vote "Yes"? Or are you saying you want it in 6.0, and also
that it shouldn't be piecemeal?

--
Andrea Faulds
http://ajf.me/

10 years ago by Adam Harvey — view source

unread

To be clear: I've voted -1 for exactly this reason, and this reason
alone. I don't think implementing this piecemeal (without the
E_RECOVERABLE_ERROR changes) is the right way to go — I would prefer
to have the whole thing as part of a 6.0 release, rather than
potentially confusing users with a partial implementation.

Maybe I'm misunderstanding you here, but if you don't want it piecemeal,
surely just vote "Yes"? Or are you saying you want it in 6.0, and also that
it shouldn't be piecemeal?

I guess I explained that badly. :) The latter: I want it in 6.0, and
don't think it should be piecemeal.

Adam

10 years ago by Nikita Popov — view source

unread

I opened the vote on the "Exceptions in the engine" RFC:
https://wiki.php.net/rfc/engine_exceptions#vote
The vote has three options, "Yes", "No" and "Yes, without
E_RECOVERABLE_ERROR changes". The last option is a version of the
proposal
without BC issues.

And regarding the vote: If you are in favor of the proposal in general,
but
want to have it in PHP 6 rather than PHP 5.6, then vote "No" here. If it
fails now, someone can revive this once the time for PHP 6 has come.
To be clear: I've voted -1 for exactly this reason, and this reason
alone. I don't think implementing this piecemeal (without the
E_RECOVERABLE_ERROR changes) is the right way to go — I would prefer
to have the whole thing as part of a 6.0 release, rather than
potentially confusing users with a partial implementation.

If you're concerned about E_RECOVERABLE_ERROR in particular I should point
out that there are very few recoverable fatals in the engine. Actually, the
only common recoverable error is the typehint violation error. The others
are along the lines of "Instantiation of 'Closure' is not allowed" or
"Closure object cannot have properties" - not something you usually
encounter. For a full list see
http://lxr.php.net/search?q=E_RECOVERABLE_ERROR&defs=&refs=&path=Zend&hist=&project=PHP_TRUNK.
So I don't think that E_RECOVERABLE_ERROR is a particularly large loss in
itself - but the "partial implementation" argument presumably still stands
even without it (won't be able to port all fatal errors at once, after all.)

Nikita

10 years ago by Zeev Suraski — view source

unread

Nikita,

Apologies for not having followed the discussion a few weeks ago but I
think this proposal can't be accepted as it is even if everyone likes it.
It breaks a very basic design concept in the way both the engine code as
well as extension code is written - execution will never resume beyond an
E_ERROR.

Allowing execution to resume (through the use of exceptions) opens a huge
can of worms, and sets expectations we can't meet. In fact, the main
difference between E_ERROR and E_WARNING is the recoverability, so this is
not some small detail we can fix - we simply can't assume execution can
continue after an E_ERROR is triggered, because E_ERROR in its very
essence implies no-resumed-execution. That's also the reason error
handlers (that existed before exceptions did) don't handle E_ERROR.

I don't think a vote makes a lot of sense here, since it's asking people
whether they're in favor of the concept of being able to recover from any
kind of error. That's the wrong question (to which, by the way, I'd vote
'yes'). The real question is whether people are OK that the engine will
start randomly crashing through the use of standard PHP code, which is
pretty much out of the question.

If there are E_ERROR's which you think are erroneously tagged as E_ERROR's
and should in fact be E_RECOVERABLE_ERROR, we should change them, rather
than assuming that E_ERRORs can be tagged as recoverable wholesale...

Disclaimer: Perhaps I'm missing something. I also asked Dmitry to take a
closer look at this...

Zeev

-----Original Message-----
From: Nikita Popov [mailto:nikita.ppv@gmail.com]
Sent: Saturday, December 07, 2013 2:58 PM
To: PHP internals
Subject: [PHP-DEV] [VOTE] Allowing use of exceptions in the engine

Hi internals!

I opened the vote on the "Exceptions in the engine" RFC:
https://wiki.php.net/rfc/engine_exceptions#vote
The vote has three options, "Yes", "No" and "Yes, without
E_RECOVERABLE_ERROR changes". The last option is a version of the
proposal without BC issues.

Some further notes:

I will not be including something like BaseException. Introducing it
for this
purpose seems like bad design and will be very hard to get rid of in the
future. As the proposal (without recoverable errors) does not break BC
[1]
even without it, I don't see a reason to introduce it.

Some people suggest to use different subclasses of EngineException
for
different error types. I'm not against that, but I think it's okay to do
that in a
separate proposal, if someone can come up with a good selection of
exception classes. It's much easier (and does not break BC) to add
subclassing later, than to add suboptimal subclass types now and try to
fix
something like the SPL exception mess later.

The suggested uncaught exception error message change is just a bit
of
cosmetics (and not directly related to this proposal), so I'd like to do
that
separately.

And regarding the vote: If you are in favor of the proposal in general,
but
want to have it in PHP 6 rather than PHP 5.6, then vote "No" here. If it
fails
now, someone can revive this once the time for PHP 6 has come.

Thanks,
Nikita

[1]: We don't have a formal definition for this, but it seems to be
general
consensus that relaxing error conditions does not constitute a backwards
compatibility break.

10 years ago by Nikita Popov — view source

unread

Nikita,

Apologies for not having followed the discussion a few weeks ago but I
think this proposal can't be accepted as it is even if everyone likes it.
It breaks a very basic design concept in the way both the engine code as
well as extension code is written - execution will never resume beyond an
E_ERROR.

Allowing execution to resume (through the use of exceptions) opens a huge
can of worms, and sets expectations we can't meet. In fact, the main
difference between E_ERROR and E_WARNING is the recoverability, so this is
not some small detail we can fix - we simply can't assume execution can
continue after an E_ERROR is triggered, because E_ERROR in its very
essence implies no-resumed-execution. That's also the reason error
handlers (that existed before exceptions did) don't handle E_ERROR.

I don't think a vote makes a lot of sense here, since it's asking people
whether they're in favor of the concept of being able to recover from any
kind of error. That's the wrong question (to which, by the way, I'd vote
'yes'). The real question is whether people are OK that the engine will
start randomly crashing through the use of standard PHP code, which is
pretty much out of the question.

If there are E_ERROR's which you think are erroneously tagged as E_ERROR's
and should in fact be E_RECOVERABLE_ERROR, we should change them, rather
than assuming that E_ERRORs can be tagged as recoverable wholesale...

Hi Zeev!

I think this is a misunderstanding... I'm not suggesting to simply let the
engine continue after an E_ERROR - as you pointed out, that would likely
just crash it a few lines further down.

This RFC is mainly a policy RFC: The goal is to allow the use of exceptions
in the engine and to allow changing existing fatal errors to exceptions.
The change from fatal errors to exceptions needs to happen manually, by
adjusting the surrounding code to support continued execution (usually that
means freeing resources + returning). A lot of fatal errors are easy to
change, others are very hard or impossible. Changing fatal errors to
exceptions rather than recoverable errors is both more useful to the end
user and technically easier (as recoverable errors need to continue
execution in the same codepath, which is often a lot harder to implement
and find appropriate semantics for), which is why I'm suggesting this
particular course of action.

So, basically what I'm suggest is what you say in the last paragraph, just
going directly to exceptions rather than converting to E_RECOVERABLE_ERROR
:)

Hope this is a bit clearer.

Nikita

10 years ago by Zeev Suraski — view source

unread

Hi Zeev!

I think this is a misunderstanding... I'm not suggesting to simply let the
engine continue after an E_ERROR - as you pointed out, that would likely
just crash it a few lines further down.

This RFC is mainly a policy RFC: The goal is to allow the use of
exceptions in the engine and to allow changing existing fatal errors to
exceptions. The change from fatal errors to exceptions needs to happen
manually, by adjusting the surrounding code to support continued execution
(usually that means freeing resources + returning). A lot of fatal errors
are easy to change, others are very hard or impossible. Changing fatal
errors to exceptions rather than recoverable errors is both more useful to
the end user and technically easier (as recoverable errors need to continue
execution in the same codepath, which is often a lot harder to implement
and find appropriate semantics for), which is why I'm suggesting this
particular course of action.

So, basically what I'm suggest is what you say in the last paragraph, just
going directly to exceptions rather than converting to E_RECOVERABLE_ERROR
:)

Hope this is a bit clearer.

OK, got you. Not using exceptions in the engine was also a design
decision (so that we don't force OO concepts on non-OO people) - need to
think if it still makes sense and get back to the vote.

Thanks!

Zeev

10 years ago by Hannes Magnusson — view source

unread

Hi internals!

I opened the vote on the "Exceptions in the engine" RFC:
https://wiki.php.net/rfc/engine_exceptions#vote
The vote has three options, "Yes", "No" and "Yes, without
E_RECOVERABLE_ERROR changes". The last option is a version of the proposal
without BC issues.

Wow. This is one of the bigger language changes I have seen proposed to date.

I see the framework guys jumping in on this right away wanting pretty
OO interface of course - but hold your horses a bit.
This is a very fundamental change in the language and a vote should
not be casted lightly.

The recoverable error cases is something I argued when breaking type
hinting was decided to be E_REOCVERABLE_ERROR for reasons that still
baffle me (and depending if its extension code or userland code,
effectively continues current context or not, since internals will
most likely bail out on zpp) - but now we are talking about about
changing something much bigger then that...

If this gets accepted, what is the reason we have these error levels
at all, and shouldn't E_* friends be rewritten into more convenient
logging framework and remove the association with "errors"?

-Hannes

10 years ago by Dmitry Stogov — view source

unread

Hi Nikita,

The idea makes sense, but it really changes the fundamental design decision.
For now the patch misses more than 300 places where you'll have to find a
way to recover from a error state.
As you said, it's hardly possible in some cases (e.g. memory_limit
overflow).

Anyway, I'm not sure if the effort and risks of bugs and breaks cost the
ability of writing "dirty" code.

Thanks. Dmitry.

Hi internals!

I opened the vote on the "Exceptions in the engine" RFC:
https://wiki.php.net/rfc/engine_exceptions#vote
The vote has three options, "Yes", "No" and "Yes, without
E_RECOVERABLE_ERROR changes". The last option is a version of the proposal
without BC issues.

Some further notes:

I will not be including something like BaseException. Introducing it for
this purpose seems like bad design and will be very hard to get rid of in
the future. As the proposal (without recoverable errors) does not break BC
[1] even without it, I don't see a reason to introduce it.

Some people suggest to use different subclasses of EngineException for
different error types. I'm not against that, but I think it's okay to do
that in a separate proposal, if someone can come up with a good selection
of exception classes. It's much easier (and does not break BC) to add
subclassing later, than to add suboptimal subclass types now and try to fix
something like the SPL exception mess later.

The suggested uncaught exception error message change is just a bit of
cosmetics (and not directly related to this proposal), so I'd like to do
that separately.

And regarding the vote: If you are in favor of the proposal in general, but
want to have it in PHP 6 rather than PHP 5.6, then vote "No" here. If it
fails now, someone can revive this once the time for PHP 6 has come.

Thanks,
Nikita

[1]: We don't have a formal definition for this, but it seems to be general
consensus that relaxing error conditions does not constitute a backwards
compatibility break.

10 years ago by Pierre Joye — view source

unread

hi,

Hi internals!

I opened the vote on the "Exceptions in the engine" RFC:
https://wiki.php.net/rfc/engine_exceptions#vote
The vote has three options, "Yes", "No" and "Yes, without
E_RECOVERABLE_ERROR changes". The last option is a version of the proposal
without BC issues.

Some further notes:

I will not be including something like BaseException. Introducing it for
this purpose seems like bad design and will be very hard to get rid of in
the future. As the proposal (without recoverable errors) does not break BC
[1] even without it, I don't see a reason to introduce it.

Some people suggest to use different subclasses of EngineException for
different error types. I'm not against that, but I think it's okay to do
that in a separate proposal, if someone can come up with a good selection
of exception classes. It's much easier (and does not break BC) to add
subclassing later, than to add suboptimal subclass types now and try to fix
something like the SPL exception mess later.

The suggested uncaught exception error message change is just a bit of
cosmetics (and not directly related to this proposal), so I'd like to do
that separately.

And regarding the vote: If you are in favor of the proposal in general, but
want to have it in PHP 6 rather than PHP 5.6, then vote "No" here. If it
fails now, someone can revive this once the time for PHP 6 has come.

I do not mind having it in 5.x or 6. but I do mind introducing
exceptions in the core without defining what we want. Baby steps are
nice but where do we stop at this stage then? Can we use exceptions in
extensions as well? Or in other parts of the engine? This is a very
good move forward but also a very critical move. We need to clarify
how we do it, where it can be done, naming or how we want them
exactly, etc.

That's why I can't vote yes with this exact proposal (and its state).

Cheers,

Pierre

@pierrejoye | http://www.libgd.org

10 years ago by Nikita Popov — view source

unread

I do not mind having it in 5.x or 6. but I do mind introducing
exceptions in the core without defining what we want. Baby steps are
nice but where do we stop at this stage then? Can we use exceptions in
extensions as well? Or in other parts of the engine? This is a very
good move forward but also a very critical move. We need to clarify
how we do it, where it can be done, naming or how we want them
exactly, etc.

That's why I can't vote yes with this exact proposal (and its state).

Is there something particular that you would like to have clarified or
specified? I tried to keep the scope narrow - only engine and only fatal
errors, but if you wish to have stricter specification on some parts,
please say so.

About your particular questions:

Can we use exceptions in extensions as well?
This RFC is only about the engine - it does not affect our standard library
exts. The rules there stay the same: Functions throw warnings/notices,
methods may throw exceptions.

Or in other parts of the engine?
What do you mean by "other parts"? I'm referring to the Zend engine as a
whole, though primarily the executor, because converting compile-time
errors will require more careful planning.

Thanks,
Nikita

10 years ago by Pierre Joye — view source

unread

I do not mind having it in 5.x or 6. but I do mind introducing
exceptions in the core without defining what we want. Baby steps are
nice but where do we stop at this stage then? Can we use exceptions in
extensions as well? Or in other parts of the engine? This is a very
good move forward but also a very critical move. We need to clarify
how we do it, where it can be done, naming or how we want them
exactly, etc.

That's why I can't vote yes with this exact proposal (and its state).

Is there something particular that you would like to have clarified or
specified? I tried to keep the scope narrow - only engine and only fatal
errors, but if you wish to have stricter specification on some parts,
please say so.

I would prefer to see introduce exceptions in the whole core and clearly
define how we want them or where. Adding very good documentation is also a
requirement (see Zeev's reply).

Not doing may lead to half backed support with everyone doing its little
sauce and will end as a big mess. We should avoid that.

About your particular questions:

Can we use exceptions in extensions as well?
This RFC is only about the engine - it does not affect our standard
library exts. The rules there stay the same: Functions throw
warnings/notices, methods may throw exceptions.

Right, everyone does his thing and it is not confusing and inconsistent.
Let solve the whole thing instead of a rather limited and not so useful.

Or in other parts of the engine?
What do you mean by "other parts"? I'm referring to the Zend engine as a
whole, though primarily the executor, because converting compile-time
errors will require more careful planning.

As of other errors, functions, operators, etc.

Cheers,
Pierre

10 years ago by Nikita Popov — view source

unread

The vote on the Engine Exceptions RFC ended with 24 in favor, 21 against
and 1 in the middle. As this vote had a 2/3-majority requirement, this
means that the RFC is declined.

You can find the voting results on
https://wiki.php.net/rfc/engine_exceptions#vote.

Nikita

10 years ago by Jakub Zelenka — view source

unread

I think that the problem could be code like this:

try {
// do same stuff
} catch (Exception $e) {}
delete_something_important();

Code which is that naïve probably doesn't run safely anyway, I doubt we
should worry about it.

That's, of course, a simplified example! You can have code much more
complex with similar result. The point was that you would be able to catch
a fatal error and then do some nasty stuff after that... :)

10 years ago by Philip Sturgeon — view source

unread

Hi Zeev!

I think this is a misunderstanding... I'm not suggesting to simply let the
engine continue after an E_ERROR - as you pointed out, that would likely
just crash it a few lines further down.

This RFC is mainly a policy RFC: The goal is to allow the use of
exceptions in the engine and to allow changing existing fatal errors to
exceptions. The change from fatal errors to exceptions needs to happen
manually, by adjusting the surrounding code to support continued execution
(usually that means freeing resources + returning). A lot of fatal errors
are easy to change, others are very hard or impossible. Changing fatal
errors to exceptions rather than recoverable errors is both more useful to
the end user and technically easier (as recoverable errors need to continue
execution in the same codepath, which is often a lot harder to implement
and find appropriate semantics for), which is why I'm suggesting this
particular course of action.

So, basically what I'm suggest is what you say in the last paragraph, just
going directly to exceptions rather than converting to E_RECOVERABLE_ERROR
:)

Hope this is a bit clearer.

OK, got you. Not using exceptions in the engine was also a design
decision (so that we don't force OO concepts on non-OO people) - need to
think if it still makes sense and get back to the vote.

Thanks!

Zeev

I think it is fair to say there is a big difference between "forcing
OO concepts on non-OO people" and which is what is being proposed
here: "this is an object which you can use if you'd like to find out
what is happening with this exception."

No PHP developer is going to get away with not using any objects ever
regardless of their preferred design approach, so offering them
exception objects is not going to frighten anyone off.

Or I missed your point. :)

10 years ago by Zeev Suraski — view source

unread

OK, got you. Not using exceptions in the engine was also a design
decision (so that we don't force OO concepts on non-OO people) - need
to think if it still makes sense and get back to the vote.

Thanks!

Zeev

I think it is fair to say there is a big difference between "forcing OO
concepts
on non-OO people" and which is what is being proposed
here: "this is an object which you can use if you'd like to find out
what is
happening with this exception."

No PHP developer is going to get away with not using any objects ever
regardless of their preferred design approach, so offering them
exception
objects is not going to frighten anyone off.

While I disagree that all PHP developers would have to use objects (you
can live a full healthy procedural life in PHP) - regardless, exceptions
and their jargon is a much more advanced OO concept than just using plain
objects. Throwing, catching, propagation rules, try/catch/finally - those
all come hand in hand with exceptions. We've made a conscious decision
not to force this on users back when we introduced exceptions, and keep
the engine use errors only (which can be converted to exceptions easily
enough using error handlers).

Note that I think that this part is debatable - I'm a lot more worried on
the feedback Dmitry provided earlier today (although I admit I'm not crazy
of just keeping things the way they, and letting those who are interested
in exceptions convert errors to exceptions on their own).

Zeev

10 years ago by Philip Sturgeon — view source

unread

OK, got you. Not using exceptions in the engine was also a design
decision (so that we don't force OO concepts on non-OO people) - need
to think if it still makes sense and get back to the vote.

Thanks!

Zeev

I think it is fair to say there is a big difference between "forcing OO
concepts
on non-OO people" and which is what is being proposed
here: "this is an object which you can use if you'd like to find out
what is
happening with this exception."

No PHP developer is going to get away with not using any objects ever
regardless of their preferred design approach, so offering them
exception
objects is not going to frighten anyone off.

While I disagree that all PHP developers would have to use objects (you
can live a full healthy procedural life in PHP) - regardless, exceptions
and their jargon is a much more advanced OO concept than just using plain
objects. Throwing, catching, propagation rules, try/catch/finally - those
all come hand in hand with exceptions. We've made a conscious decision
not to force this on users back when we introduced exceptions, and keep
the engine use errors only (which can be converted to exceptions easily
enough using error handlers).

Note that I think that this part is debatable - I'm a lot more worried on
the feedback Dmitry provided earlier today (although I admit I'm not crazy
of just keeping things the way they, and letting those who are interested
in exceptions convert errors to exceptions on their own).

Zeev

Right, you can absolutely live a full and healthy life in PHP using
entirely procedural code (things like the dual interfaces for MySQLi
ensure that) but I really really do not see "here is an object,
try/catch/finally or EngineException" as "forcing OO concepts on
non-OO people" because it isn't. The user does not need to worry about
propogation rules unless they start writing their own exceptions and
try/catch/finally is not inherently OOP. Even if it was the average
procedural user is just going to see the difference of "Fatal Error
you code is screwed" changing to "Uncaught Engine Exception your code
is screwed" if they don't want to bother catching anything, which they
wouldn't if they didnt want to use try/catch... so the whole thing is
a bit of a non-argument.

I know it is not your main concern, but I really don't want this
argument being used as one against this RFC in general.

10 years ago by Zeev Suraski — view source

unread

Right, you can absolutely live a full and healthy life in PHP using
entirely
procedural code (things like the dual interfaces for MySQLi ensure that)
but I
really really do not see "here is an object, try/catch/finally or
EngineException" as "forcing OO concepts on non-OO people" because it
isn't. The user does not need to worry about propogation rules unless
they
start writing their own exceptions and try/catch/finally is not
inherently OOP.
Even if it was the average procedural user is just going to see the
difference
of "Fatal Error you code is screwed" changing to "Uncaught Engine
Exception
your code is screwed" if they don't want to bother catching anything,
which
they wouldn't if they didnt want to use try/catch... so the whole thing
is a bit
of a non-argument.

Our implementation of exceptions is very much OO, borrowed from Java
(which in turn borrowed a lot from C++). You need to understand a fair
bit and know some extra syntax to exceptions properly, even if you don't
write new exception classes. We can agree to disagree though, I don't
think we'll change each other's mind :)

I know it is not your main concern, but I really don't want this
argument
being used as one against this RFC in general.

For me it is an argument. Instead of being able to handle these errors in
the same way they handle all other errors, now they have to learn new
syntax and concepts. I see no reason to change the status quo, which
allows those who want exceptions to easily convert errors to thrown
exceptions, into a state where those who don't want to use exceptions are
forced to use them. Again, it's entirely fair that we disagree...

Zeev

10 years ago by Seva Lapsha — view source

unread

For me it is an argument. Instead of being able to handle these errors in
the same way they handle all other errors, now they have to learn new
syntax and concepts. I see no reason to change the status quo, which
allows those who want exceptions to easily convert errors to thrown
exceptions, into a state where those who don't want to use exceptions are
forced to use them. Again, it's entirely fair that we disagree...

Sorry for intruding, but - I as a user (and I'm sure many would agree)
would be happy to have a configuration level choice to either get an
exception thrown or a fatal error.

Thx,
Seva

10 years ago by Nikita Popov — view source

unread

For me it is an argument. Instead of being able to handle these errors in
the same way they handle all other errors, now they have to learn new
syntax and concepts. I see no reason to change the status quo, which
allows those who want exceptions to easily convert errors to thrown
exceptions, into a state where those who don't want to use exceptions are
forced to use them. Again, it's entirely fair that we disagree...

You can't convert fatal errors to exceptions using an error handler. That's
why I'm targeting fatal errors here and not all errors in general. While
I'm not a big fan of PHP's error system in general, it's easy enough to
turn warnings or notices into exceptions via error handlers. But for fatal
errors that's just not possible.

To achieve what I want it would be enough to turn fatal errors into
recoverable fatal errors, that would already allow the error handler
approach. But that's a lot harder to do (and imho less usable) than
directly using exceptions. Keeping the engine stable after an exceptions is
relatively simple, the same can't be said about recoverable fatals.

Regarding the "forcing OO concepts": As Philip pointed out, unless you
already make use of try/catch a fatal error and an uncaught exception are
about the same to the end user - actually, an uncaught exception is just a
special fatal error. I could totally understand your concerns - if this
discussion weren't about fatal errors. E.g. changing a warning to an
exception would cause lots of issues. The @ operator would stop working and
people would be forced to use try/catch. But for fatals @ never worked in
the first place. You can't handle them right now. Changing them to
exceptions adds the ability to handle them via try/catch, but of course you
don't need to do them. You can let them bubble (and in most cases that's
what you should do) and let them effectively act the same way as a fatal
error currently does, just with a bit of a different message ;)

Thanks,
Nikita

10 years ago by Philip Sturgeon — view source

unread

For me it is an argument. Instead of being able to handle these errors in
the same way they handle all other errors, now they have to learn new
syntax and concepts. I see no reason to change the status quo, which
allows those who want exceptions to easily convert errors to thrown
exceptions, into a state where those who don't want to use exceptions are
forced to use them. Again, it's entirely fair that we disagree...

You can't convert fatal errors to exceptions using an error handler. That's
why I'm targeting fatal errors here and not all errors in general. While I'm
not a big fan of PHP's error system in general, it's easy enough to turn
warnings or notices into exceptions via error handlers. But for fatal errors
that's just not possible.

To achieve what I want it would be enough to turn fatal errors into
recoverable fatal errors, that would already allow the error handler
approach. But that's a lot harder to do (and imho less usable) than directly
using exceptions. Keeping the engine stable after an exceptions is
relatively simple, the same can't be said about recoverable fatals.

Regarding the "forcing OO concepts": As Philip pointed out, unless you
already make use of try/catch a fatal error and an uncaught exception are
about the same to the end user - actually, an uncaught exception is just a
special fatal error. I could totally understand your concerns - if this
discussion weren't about fatal errors. E.g. changing a warning to an
exception would cause lots of issues. The @ operator would stop working and
people would be forced to use try/catch. But for fatals @ never worked in
the first place. You can't handle them right now. Changing them to
exceptions adds the ability to handle them via try/catch, but of course you
don't need to do them. You can let them bubble (and in most cases that's
what you should do) and let them effectively act the same way as a fatal
error currently does, just with a bit of a different message ;)

Thanks,
Nikita

Right. Put simply:

Users who previously did not care about exceptions will continue to
not care about exceptions, and do not have to do anything any
differently.
Users who want to handle fatal errors somehow (because you
currently cannot) can use this to catch them.

Nobody needs to work with exceptions if they dont want to, that fatal
error just shows up as a uncaught backtrace and fatals errors just
like it used to.

Seems like a win win.

10 years ago by Zeev Suraski — view source

unread

Nikita, Philip, see below:

-----Original Message-----
From: Philip Sturgeon [mailto:pjsturgeon@gmail.com]
Sent: Monday, December 09, 2013 8:10 PM
To: Nikita Popov
Cc: Zeev Suraski; PHP internals
Subject: Re: [PHP-DEV] [VOTE] Allowing use of exceptions in the engine

On Mon, Dec 9, 2013 at 11:41 AM, Nikita Popov nikita.ppv@gmail.com
wrote:

You can't convert fatal errors to exceptions using an error handler.
That's why I'm targeting fatal errors here and not all errors in
general. While I'm not a big fan of PHP's error system in general,
it's easy enough to turn warnings or notices into exceptions via error
handlers. But for fatal errors that's just not possible.

That's correct, but you seem to be ignoring the reason for that. It's not
an arbitrary decision, but rather, the semantics of what fatal errors are.
They're fatal, not recoverable (with the reason being that the
engine/extension/whatever may be in an unstable state), and therefore it
should not be possible to use any mechanism to recover from them, be
them error handlers or exceptions.

To achieve what I want it would be enough to turn fatal errors into
recoverable fatal errors, that would already allow the error handler
approach. But that's a lot harder to do (and imho less usable) than
directly using exceptions. Keeping the engine stable after an
exceptions is relatively simple, the same can't be said about
recoverable
fatals.

In both cases, the complexity isn't in the code that would trigger the
error/exception. The complexity is that you now put the burden of keeping
all the data structures of the engine/extension in a 100% working state,
while the current semantics is that code execution will never resume.
While you pointed out in the RFC a specific example of a place where an
exception would be a bit easier to implement than an error, it's a very
specialized example - errors that happen on the void between two function
scopes - and doesn't hold true for most errors. I don't think it makes
sense to say it's significantly easier to turn fatal errors into
exceptions than turning fatal errors into recoverable errors.

Regarding the "forcing OO concepts": As Philip pointed out, unless you
already make use of try/catch a fatal error and an uncaught exception
are about the same to the end user - actually, an uncaught exception
is just a special fatal error.

First off, there should be no concept of 'recoverable fatal error'. If
it's fatal, it cannot be recoverable and vice versa. The real term should
just be 'recoverable error'. That small detail may be in the root of our
misunderstanding. All the negative side effects listed in the RFC for
fatal errors are in there by design, since we cannot guarantee that if
we run the destructors/finally blocks or otherwise allow graceful
handling, this will not result in a segfault. That's exactly the whole
idea beyond a fatal (by definition non-recoverable) error.

Secondly, the patch radically changes execution behavior in case of
recoverable errors for people using error handlers and arguably in a very
bad way, effectively forcing them to start using exceptions if they want
to truly recover from the error. Otherwise, by the time the exception
turns into an error, there's nothing you can recover (you've already
bubbled up all the way to the global scope). That will break apps relying
on the current behavior.

Last, in the RFC it mentions that 'recoverable errors are hard to catch'.
That you're forced to use an error_handler. How are they any different
from any other error/warning type? While you (and many others) have bias
for using exception handling, others prefer using error_handlers
especially when writing procedural code. Changing errors to exceptions
using an error handler is trivial (and we can also implement Seva's
suggestion of having an INI directive for that, although I think using a
serializable error handler makes more sense). The reverse, however, is
not even possible. So I very much stand by what I said, that if we accept
this RFC, we're forcing OO concepts (or the try/catch concept) on all
users which is something that we intentionally wanted to avoid. Users who
could use centralized error handlers will no longer be able to do so and
handle recoverable errors.

concerns - if this discussion weren't about fatal errors. E.g.
changing a warning to an exception would cause lots of issues. The @
operator would stop working and people would be forced to use
try/catch. But for fatals @ never worked in the first place. You can't
handle them right now. Changing them to exceptions adds the ability to
handle them via try/catch, but of course you don't need to do them.
You can let them bubble (and in most cases that's what you should do)
and let them effectively act the same way as a fatal error currently
does, just with a bit of a different message ;)

Again, I think that in the majority of the cases, if you can safely turn
an E_ERROR onto an exception, you can just as easily turn it into an
E_RECOVERABLE_ERROR. It makes no sense, IMHO, to tie this effort together
with changing the semantics of how the engine reports problems, and more
so - change it in a way that inconsistent across different error types AND
breaks backwards compatibility in a pretty big way (for recoverable
errors).

Users who previously did not care about exceptions will continue to
not
care about exceptions, and do not have to do anything any differently.

Given that most (all minus one) of the people in favor of this idea voted
'yes' and not for the second 'yes w/o E_RECOVERABLE_ERROR', that's not
exactly accurate. That means that recovery code that worked fine with
E_RECOVERABLE_ERROR will now break, and it won't be possible to fix it w/o
learning exceptions and adding try/catch blocks all over the application.

Users who want to handle fatal errors somehow (because you currently
cannot) can use this to catch them.

I think we're way too optimistic about the ability to recover from places
which are marked by E_ERROR today, and that turning them to exceptions is
hardly the magical solution that just makes all the
inconsistency/stability issues go poof.

Nobody needs to work with exceptions if they dont want to, that fatal
error
just shows up as a uncaught backtrace and fatals errors just like it
used to.

Seems like a win win.

Seems more like a lose/risk situation to me (lose BC for recoverable
errors, take risk with inconsistent data structures for fatal errors).

Zeev

10 years ago by Marco Pivetta — view source

unread

Nobody needs to work with exceptions if they dont want to, that fatal
error
just shows up as a uncaught backtrace and fatals errors just like it
used to.

Seems like a win win.

Seems more like a lose/risk situation to me (lose BC for recoverable
errors, take risk with inconsistent data structures for fatal errors).

The example in the doc is really good as a counter-argument for what you
just said here. Being able to release a lock, close a connection, do some
sort of "bail out with (no|small number of) victims" is REALLY important
for some applications.

If an application fatal'd, then I don't really care if my data structures
are invalid: I just want to save what I can save and quit. If I want to
keep operating, then that's my problem and I'm the stupid guy in the room,
so I don't see a reason for disallowing fatals to be dealt with in the
userland code.

That is a must-have in my opinion.

Marco Pivetta

http://twitter.com/Ocramius

http://ocramius.github.com/

10 years ago by Stas Malyshev — view source

unread

Hi!

If an application fatal'd, then I don't really care if my data structures
are invalid: I just want to save what I can save and quit. If I want to

The part that you're missing here is that it's not your data structures
that may be invalid, it's engine's. And what you call "I can save and
quit", the engine calls "execute arbitrary amount of code", for which it
needs valid data structures. Unless your "save and quit" code does not
call any functions and does nothing useful at all, from the engine POV
your "save and quit" is no different from "continue working normally" -
it needs all the data structures to be in a perfect order as if nothing
bad happened. For some errors, it may be possible. For some, it may be
possible but hard. For some, it may not be possible. But the main point
here is this:
For the engine, there's no difference between "continue normally as
nothing happened" and "save and quit", as soon as you start running PHP
code that does anything useful at all.
So if you can recover from an error, you can recover to a normal state.
If you can not, then you can not. There's no "save and quit" scenario
here that can do anything different.

Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227

10 years ago by Marco Pivetta — view source

unread

Hi!

If an application fatal'd, then I don't really care if my data structures
are invalid: I just want to save what I can save and quit. If I want to

The part that you're missing here is that it's not your data structures
that may be invalid, it's engine's.

Not missing anything here - I know that stuff may be hugely broken (stack
pointers & co for example).

And what you call "I can save and
quit", the engine calls "execute arbitrary amount of code", for which it
needs valid data structures. Unless your "save and quit" code does not
call any functions and does nothing useful at all, from the engine POV
your "save and quit" is no different from "continue working normally" -
it needs all the data structures to be in a perfect order as if nothing
bad happened. For some errors, it may be possible. For some, it may be
possible but hard.

Yes, and it looks like Nikic actually identified a list of what looks like
a big dealw and what not. I know it may be hard to guarantee that code can
be executed after a fatal, but I wouldn't deny it upfront just because it's
a non-trivial problem (or an undefined state of the engine).

Marco Pivetta

http://twitter.com/Ocramius

http://ocramius.github.com/

10 years ago by Nikita Popov — view source

unread

Thanks for the detailed reply Zeev.

Nikita, Philip, see below:

On Mon, Dec 9, 2013 at 11:41 AM, Nikita Popov nikita.ppv@gmail.com
wrote:

You can't convert fatal errors to exceptions using an error handler.
That's why I'm targeting fatal errors here and not all errors in
general. While I'm not a big fan of PHP's error system in general,
it's easy enough to turn warnings or notices into exceptions via error
handlers. But for fatal errors that's just not possible.

That's correct, but you seem to be ignoring the reason for that. It's not
an arbitrary decision, but rather, the semantics of what fatal errors are.
They're fatal, not recoverable (with the reason being that the
engine/extension/whatever may be in an unstable state), and therefore it
should not be possible to use any mechanism to recover from them, be
them error handlers or exceptions.

Ostensibly, yes. Practically that's just not true. Most (nearly all) fatal
errors occur in situation where there is no global engine instability, but
only some local inconvenience. Like, I tried to fetch this zval, but got
NULL instead (because it's a string offset), what do I do now? No
instability, just not pleasant to continue from here.

I have already ported approximately 40% of the fatal errors in the engine
to use exceptions. I can assure you that all of those have nothing to do
with engine instability and changing them to exception was mostly trivial
(the hard part is adjusting phpt outputs...)

I'm pretty sure that most of the remaining ~100 fatal errors will be just
as easy to convert. I just looked through the list to find the ones which
can't be converted:

"Invalid opcode %d/%d/%d" => This error only occurs in case of a serious
skrewup from our side. Shouldn't occur in practice
"Arrived at end of main loop which shouldn't happen" => This is
effectively dead code, just a debugging message.
"Balloc() failed to allocate memory" and "Balloc() allocation exceeds
list boundary" => Those two are from zend_strtod. Again, you won't see them
in practice (unless you try to parse a 100K digit float maybe. don't know
the exact background here)
"Error installing signal handler for %d" => From zend_signals, occurs
when a sigaction call fails. This seems like a "just to be sure" check that
shouldn't occur in practice. But in either case, this is only relevant for
pcntl, as nothing else makes use of the function.
"Attempt to destruct pending exception" => (Not sure whether this is
just a debugging error or whether it can really occur. We don't have a test
for it at least)
"Method %s::__toString() must not throw an exception"
- 6 more exception related fatals (like exception must be object etc) =>
  may be problematic to use exceptions for errors about exceptions (but I may
  be wrong here, it might well be that exceptions are safe here)
"Nesting level too deep - recursive dependency?" => from zend_hash. As
this is used in a bunch of places, likely can't be changed.
"Class entry requested for an object without PHP class" => Doesn't occur
in practice, because we always use objects with ce.
"Allowed memory size / Out of memory" => The obvious candidates ^^
"Possible integer overflow in memory allocation"
"Maximum execution time of %d second%s exceeded"
"Corrupted fcall_info provided to zend_call_function()" => Once again,
this one doesn't occur in practice, just debugging.

That list has 17 errors that can't or likely can't be converted. Add 10
more and round up to 30 to account for stuff I might have missed. This
still allows us to convert approximately 85% of the errors. Also note that
at least 6 of those are really "debugging errors" that do not practically
occur. The most common ones from the list will be the "Allowed memory size"
and "Maximum execution time" errors, but we knew from the start that those
can't be changed.

To also approach this from the other side, here are some examples of errors
that I have already converted to exceptions (listing everything would blow
things up a bit too much):

"Call to a member function %s() on a non-object" => Arguably the error
that annoys people most
"Call to undefined method %s::%s()", "Call to undefined function %s()",
"Class '%s' not found" + variations on the "not found" topic
"Cannot call abstract method %s::%s()" + a number of variations on the
"cannot call" topic
"Class name must be a valid object or a string", "Method name must be a
string" + variations on the "must be xyz" topic
"Cannot use string offset as an array" + a huge number of variations on
the same thing. We have a lot of string offset related fatals ;)
"Cannot use [] for reading"
"Cannot pass parameter %d by reference"
"Cannot instantiate %s %s"
...

Hopefully you can now see that fatal errors - in most cases - do not cause
engine instability and can be relatively easily recovered. Of course, some
fatal errors will stay, no way around that. But we can convert a good
portion of them. And many of the errors that are actually important to
people (like "Call [...] on a non-object") can be (and are already) easily
converted.

To achieve what I want it would be enough to turn fatal errors into

recoverable fatal errors, that would already allow the error handler
approach. But that's a lot harder to do (and imho less usable) than
directly using exceptions. Keeping the engine stable after an
exceptions is relatively simple, the same can't be said about
recoverable
fatals.

While you pointed out in the RFC a specific example of a place where an
exception would be a bit easier to implement than an error, it's a very
specialized example - errors that happen on the void between two function
scopes - and doesn't hold true for most errors. I don't think it makes
sense to say it's significantly easier to turn fatal errors into
exceptions than turning fatal errors into recoverable errors.

Again, this just isn't true. If I say that converting fatals to recoverable
errors is harder, I say that because I actually tried to do it before going
with the exception approach. For exceptions the procedure is always the
same: Free resources, then return (+ ensuring exception safety in the
calling code, but that's usually a given). For recoverables things are a
lot more complicated. Let's forget about the complex cases where function
calls and stacks are involved, let's just take the very simplest fatal
errors like "Cannot use string offset as an array". Those types of fatals
occur whenever a GET_OPx_ZVAL_PTR_PTR call returns NULL. As said, with
exceptions handling them is trivial, but what do you do in the case of
recoverable? Do you allocate a new IS_NULL zval and work on that? Of course
that would just produce a bunch of new warnings or errors down the row
(also just allocating a zval may not be enough for the PTR_PTR case). It
would be a lot better to make the result of the "whole" operation (rather
than an individual fetch) an IS_NULL zval (without additional errors), but
that's where things will get technically very complicated.

With recoverables every single errors needs careful consideration to find
some behavior where we can continue execution in some
not-totally-meaningless way. With exceptions you just always follow the
same dumb scheme ;)

Secondly, the patch radically changes execution behavior in case of
recoverable errors for people using error handlers and arguably in a very
bad way, effectively forcing them to start using exceptions if they want
to truly recover from the error. Otherwise, by the time the exception
turns into an error, there's nothing you can recover (you've already
bubbled up all the way to the global scope). That will break apps relying
on the current behavior.

Yes, there are concerns regarding E_RECOVERABLE_ERROR, that's why I added a
separate voting options for it. If recoverable errors are your main issue
(which seems so, given that most of your mail was about that), then that's
your voting option ;)

Last, in the RFC it mentions that 'recoverable errors are hard to catch'.
That you're forced to use an error_handler. How are they any different
from any other error/warning type?

Not any different. Please realize though that "Just use an error handler to
turn everything into exceptions" is a somewhat idyllic view that fails when
it comes to library inter-compatibility. If you are writing portable code
you can't use a global error handler to convert everything to exceptions.
Instead you need to create and restore an error handler in every single
place where you want to make use of try/catch with a recoverable ;)

Nikita