Why is ModificationForbidden not an Error?

Am 11.04.2020 16:32:56 schrieb Thiede, Christoph <[hidden email]>:

Hi all! Thank you very much for having this interesting discussion :-)

@Chris:

> > -1. :-) Warnings are Notifications,

> As are Errors.  Right?

Nope, sorry ;-)

 

> The two main use cases of ModificationForbidden present opposite perspectives onto it.  For "protection from accidentally modifying a literal in a CompiledMethod", I understand the inclination to make it an Error.  However, for the context of db handling, [#markDirty + #resume] is normal processing, not an "error", and not even exceptional, either, so perhaps this is just a semantic irritation sensitivity on my part.. sorry. 

> But if they want to use ModificationForbidden for a Write Barrier, they'll probably want to extricate it from Error in the handler:

> 

>    [ myDbApp doStuff ]

>      on: ModificationForbidden

>      do:

>           [ : forbidden |

>           forbidden object beWritableObject.

>           forbidden resumptionValue: forbidden retryModificationNoResume.

>           forbidden resume: forbidden resumptionValue ]

>      on: Error

>      do: [ : err | myDbApp logErrorAndNotifyUser ]

This clarification was very helpful for me. I was not aware of your second use case before.

In my opinion, we are talking about two completely different use cases for the same exception.

Literal protection is a low-level error, comparable to out-of-bounds things and primitive failures. You almost never do want to ignore or fix them.

Write barriers for #markDirty, on the other hand, sound like a domain-specific topic to me that should neither raise an error, nor eventually signal an UnhandledError, but be resumed automatically (unless handled differently) by a #defaultAction that removes the barrier (and additional handlers could, if desired, turn on some cache or so).

I have never dealt with Magma or any other DB framework for Smalltalk, but why do you (or would you) use these VM-based mechanisms for a high-level feature? Without knowing any details about your application, personally I would probably design an own exception (DirtyModification?) for that purpose. This would allow you to clearly distinguish between low-level errors ("whoops, I just made an attempt to change a read-only code literal") and higher-level exceptions (DirtyModification). If we would follow my proposal to raise ModificationForbidden from Object instead of Context, you could also consider to override #modificationForbiddenFor:at:put: in your database objects to raise DirtyModification instead of ModificationForbidden (in the same way as some classes override #error or #primitiveError).

However, focusing again on the literal protection aspect, I still don't see when the current default #resume behavior of ModificationForbidden would be ever helpful. MF >> #resume calls Exception >> #resume: which does nothing more than to return resumptionValue! When do we actually need this resumptionValue?

Why can't we design MF like the following:

#resume - not possible, will signal IllegalResumeAttempt

#retryModification - retries the modification and returns nothing special

#forceModification: - makes the object to modify writable, retries the modification and, optionally, makes the object read-only again

> If we don't want to break things (that are somehow wrong according to contemporary notion), we could make it a Warning in the Squeak 5.x release stream and turn it into an error with Squeak 6.0. That is: make it an Error today in Trunk, but if we would create a 5.4 release, we would have to remember changing it back... :-/

IIRC ModificationForbidden was introduced in 6.0alpha the first time?

Best,

Christoph

---

Von: Squeak-dev <[hidden email]> im Auftrag von Nicolas Cellier <[hidden email]>
Gesendet: Samstag, 11. April 2020 11:16:00
An: Chris Muller; The general-purpose Squeak developers list
Betreff: Re: [squeak-dev] Why is ModificationForbidden not an Error?

 

In this case we might want specialized subclasses...

Le sam. 11 avr. 2020 à 03:45, Chris Muller <[hidden email]> a écrit :

I think so, because if you try to use it for something else, it'll get entangled with your application's standard error handling.  Regular apps have error handling like:

   [ myApp doStuff ] on: Error do: [ : err | myApp logErrorAndNotifyUser ]

and so for the use-case, Protect CompiledMethod Literals from Accidental Modification, inheriting from Error will allow the best backward compatibility with existing handlers.

But if they want to use ModificationForbidden for a Write Barrier, they'll probably want to extricate it from Error in the handler:

   [ myDbApp doStuff ]

     on: ModificationForbidden

     do:

          [ : forbidden |

          forbidden object beWritableObject.

          forbidden resumptionValue: forbidden retryModificationNoResume.

          forbidden resume: forbidden resumptionValue ]

     on: Error

     do: [ : err | myDbApp logErrorAndNotifyUser ]

But now that I'm handling ModificationForbidden separately, what if I want Protect CompiledMethod Literals from Accidental Modification, too?  I'm no longer handling correctly for that, because the handler has to assume they're signaled in the context of the DB use case and not the Protection use case.

 - Chris

On Fri, Apr 10, 2020 at 12:06 PM tim Rowledge <[hidden email]> wrote:

> On 2020-04-09, at 6:55 PM, Chris Muller <[hidden email]> wrote:
>
> The two main use cases of ModificationForbidden present opposite perspectives onto it.

In that case perhaps we actually need two different signals?

tim
--
tim Rowledge; [hidden email]; http://www.rowledge.org/tim
Useful random insult:- Has an inferiority complex, but not a very good one.

Am 21.04.2020 06:05:10 schrieb Eliot Miranda <[hidden email]>:

Hi Christoph,

On Sat, Apr 11, 2020 at 7:32 AM Thiede, Christoph <[hidden email]> wrote:

Hi all! Thank you very much for having this interesting discussion :-)

@Chris:

> > -1. :-) Warnings are Notifications,

> As are Errors.  Right?

Nope, sorry ;-)

 

> The two main use cases of ModificationForbidden present opposite perspectives onto it.  For "protection from accidentally modifying a literal in a CompiledMethod", I understand the inclination to make it an Error.  However, for the context of db handling, [#markDirty + #resume] is normal processing, not an "error", and not even exceptional, either, so perhaps this is just a semantic irritation sensitivity on my part.. sorry. 

> But if they want to use ModificationForbidden for a Write Barrier, they'll probably want to extricate it from Error in the handler:

> 

>    [ myDbApp doStuff ]

>      on: ModificationForbidden

>      do:

>           [ : forbidden |

>           forbidden object beWritableObject.

>           forbidden resumptionValue: forbidden retryModificationNoResume.

>           forbidden resume: forbidden resumptionValue ]

>      on: Error

>      do: [ : err | myDbApp logErrorAndNotifyUser ]

This clarification was very helpful for me. I was not aware of your second use case before.

In my opinion, we are talking about two completely different use cases for the same exception.

There are many use cases for the same exception, just as there are many use cases for bounds violations or divide by zero, or,  or, ....  The point is that at the point where the exception is raised neither the VM nor the code immediately above it knows what the use case is, and the exception is raised precisely to find out how the exception should be handled, which means that sears hing for the exception/.handling the exception is about discovering what the particular use case *is*.  Sio no, one can't magically intuit what the high level use case is at the point of failure.  That's *why* we have exception systems.

 

Literal protection is a low-level error, comparable to out-of-bounds things and primitive failures. You almost never do want to ignore or fix them.

Write barriers for #markDirty, on the other hand, sound like a domain-specific topic to me that should neither raise an error, nor eventually signal an UnhandledError, but be resumed automatically (unless handled differently) by a #defaultAction that removes the barrier (and additional handlers could, if desired, turn on some cache or so).

I have never dealt with Magma or any other DB framework for Smalltalk, but why do you (or would you) use these VM-based mechanisms for a high-level feature? Without knowing any details about your application, personally I would probably design an own exception (DirtyModification?) for that purpose. This would allow you to clearly distinguish between low-level errors ("whoops, I just made an attempt to change a read-only code literal") and higher-level exceptions (DirtyModification). If we would follow my proposal to raise ModificationForbidden from Object instead of Context, you could also consider to override #modificationForbiddenFor:at:put: in your database objects to raise DirtyModification instead of ModificationForbidden (in the same way as some classes override #error or #primitiveError).

However, focusing again on the literal protection aspect, I still don't see when the current default #resume behavior of ModificationForbidden would be ever helpful. MF >> #resume calls Exception >> #resume: which does nothing more than to return resumptionValue! When do we actually need this resumptionValue?

Why can't we design MF like the following:

#resume - not possible, will signal IllegalResumeAttempt

#retryModification - retries the modification and returns nothing special

#forceModification: - makes the object to modify writable, retries the modification and, optionally, makes the object read-only again

> If we don't want to break things (that are somehow wrong according to contemporary notion), we could make it a Warning in the Squeak 5.x release stream and turn it into an error with Squeak 6.0. That is: make it an Error today in Trunk, but if we would create a 5.4 release, we would have to remember changing it back... :-/

IIRC ModificationForbidden was introduced in 6.0alpha the first time?

Best,

Christoph

---

Von: Squeak-dev <[hidden email]> im Auftrag von Nicolas Cellier <[hidden email]>
Gesendet: Samstag, 11. April 2020 11:16:00
An: Chris Muller; The general-purpose Squeak developers list
Betreff: Re: [squeak-dev] Why is ModificationForbidden not an Error?

 

In this case we might want specialized subclasses...

Le sam. 11 avr. 2020 à 03:45, Chris Muller <[hidden email]> a écrit :

I think so, because if you try to use it for something else, it'll get entangled with your application's standard error handling.  Regular apps have error handling like:

   [ myApp doStuff ] on: Error do: [ : err | myApp logErrorAndNotifyUser ]

and so for the use-case, Protect CompiledMethod Literals from Accidental Modification, inheriting from Error will allow the best backward compatibility with existing handlers.

But if they want to use ModificationForbidden for a Write Barrier, they'll probably want to extricate it from Error in the handler:

   [ myDbApp doStuff ]

     on: ModificationForbidden

     do:

          [ : forbidden |

          forbidden object beWritableObject.

          forbidden resumptionValue: forbidden retryModificationNoResume.

          forbidden resume: forbidden resumptionValue ]

     on: Error

     do: [ : err | myDbApp logErrorAndNotifyUser ]

But now that I'm handling ModificationForbidden separately, what if I want Protect CompiledMethod Literals from Accidental Modification, too?  I'm no longer handling correctly for that, because the handler has to assume they're signaled in the context of the DB use case and not the Protection use case.

 - Chris

On Fri, Apr 10, 2020 at 12:06 PM tim Rowledge <[hidden email]> wrote:

> On 2020-04-09, at 6:55 PM, Chris Muller <[hidden email]> wrote:
>
> The two main use cases of ModificationForbidden present opposite perspectives onto it.

In that case perhaps we actually need two different signals?

tim
--
tim Rowledge; [hidden email]; http://www.rowledge.org/tim
Useful random insult:- Has an inferiority complex, but not a very good one.

--

_,,,^..^,,,_

best, Eliot

Am 23.04.2020 01:50:42 schrieb Eliot Miranda <[hidden email]>:

Hi All,

On Wed, Apr 22, 2020 at 10:59 AM tim Rowledge <[hidden email]> wrote:

> On 2020-04-22, at 3:20 AM, Marcel Taeumel <[hidden email]> wrote:
>
> Hi all!
>
> So, we make ModificationForbidden a (resumable) Error for now? Is this the conclusion?

Yes, I hope so :-)

 

It's a super-low-level error that ought to be handled really really closely to where the error was raised. As Eliot mentioned, the VM can't know the circumstances and just raises it; the the closest possible handler should be in place that *does* know the circumstances. That way Chris gets to spot that is it a database issue and handle things properly, including likely raising a new error for higher level code.

As I've already mentioned what one can do, and the VisualWorks version does do, for GemStone-style persistence, as add behavior to the exception so one can specify a per-object response.

So if the exception is unhandled, then before it raises an UnhandledError it checks an identity dictionary, which maps object to message, and if the read-only object that was the cause of the error is in the dictionary, instead the exception performs the message with the object as an argument.  So a database layer can add the objects it is managing to the map in ModificationForbidden, and mark them as read-only.  Then any and all attempts at modifying these objects will cause the database man ager to be notified.

So very simply we can have a pluggable solution that allows different clients to map the exception into different responses as desired.
So can we please stop wasting time discussing this and get on with implementing it?  The GemStone folks have understood how to manage ModificationForbidden for years and the use of it has been in production.  We simply need to catch up.  We're nearly there.

Please don't make me explain this idea once again ;-)

>

>
> Given having a handler really close to the source, perhaps we are better off keeping it non-resumable and using one of the other approaches to continuing like #retryUsing: (ExceptionTester>>#simpleRetryUsingTest is the only example in the clean image) ? 

tim
--
tim Rowledge; [hidden email]; http://www.rowledge.org/tim
Strange OpCodes: BFM: Branch on Full Moon

--

_,,,^..^,,,_

best, Eliot

On Apr 23, 2020, at 5:55 PM, Chris Muller <[hidden email]> wrote:

However, I still don't see the path for how to use this in a complex multi-db Magma application with oblivious objects (e.g., Morphs).  It's not something any of the GemStone clients I consulted at as developer or DBA ever had to contend with either, but perhaps not something you're targeting.  Squeak is a different animal...  I will stay tuned here and watch for the answers as they unfold...

 - Chris

 

So can we please stop wasting time discussing this and get on with implementing it?  The GemStone folks have understood how to manage ModificationForbidden for years and the use of it has been in production.  We simply need to catch up.  We're nearly there.   

 

Please don't make me explain this idea once again ;-)

>

>
> Given having a handler really close to the source, perhaps we are better off keeping it non-resumable and using one of the other approaches to continuing like #retryUsing: (ExceptionTester>>#simpleRetryUsingTest is the only example in the clean image) ? 

tim
--
tim Rowledge; [hidden email]; http://www.rowledge.org/tim
Strange OpCodes: BFM: Branch on Full Moon

--

_,,,^..^,,,_

best, Eliot

Am 24.04.2020 05:26:56 schrieb Chris Muller <[hidden email]>:

So if the exception is unhandled, then before it raises an UnhandledError it checks an identity dictionary, which maps object to message, and if the read-only object that was the cause of the error is in the dictionary, instead the exception performs the message with the object as an argument.  So a database layer can add the objects it is managing to the map in ModificationForbidden, and mark them as read-only.  Then any and all attempts at modifying these objects will cause the database man ager to be notified. 

 So very simply we can have a pluggable solution that allows different clients to map the exception into different responses as desired. 

But an object in your db table could easily be an Array literal held by a CompiledMethod, not expected to change, but persistent by reference nonetheless.  So if the application did then modify it accidentally, instead of Forbidden protection, your DB manager would happily modify it.  It's this separation of use-cases is all what the question was about I think, not a big deal, we've lived with unprotected CM literals for this long already, and I've never needed WriteBarrier for anything other than a DB.

Since objects get added to the collection intentionally the array literal would not be added and hence the manager would not modify it.  

How would the manager know not to add it?  It can't be by checking #isReadOnlyObject, since that presents the same paradox -- requiring the manager to know the business of whatever other use-case has it set.  If it assumed it was for CM-literal protection, it wouldn't add it, but what if it was just some debugging or something?

 

Your example is a straw man.  

However, I still don't see the path for how to use this in a complex multi-db Magma application with oblivious objects (e.g., Morphs).  It's not something any of the GemStone clients I consulted at as developer or DBA ever had to contend with either, but perhaps not something you're targeting.  Squeak is a different animal...  I will stay tuned here and watch for the answers as they unfold...

The objects that get added to the wrote barrier management collection get added by managers that want to manage specific objects, not arbitrary objects. Can you see that a DB manager would add objects it has materialized from the DB that it wanted to transparently write-back in modification, and no others?

Yes, absolutely.  The manager will get every ModificationForbidden signal under its code whether its meant for the DB or not.  Existence in a global table means handle it, otherwise pass it up the stack.  But this means the DB is now occupying the use of the readOnly bit, not available for other applications or use-cases.

I hope this critique isn't taken to mean I don't think this isn't a good feature for the VM and image.  I do.  Everything is a balance of features and limitations.  I'm still trying to determine whether Magma can benefit from this, and I have to get deeply critical to find the right decision.  I will be following this feature closely, thanks for your patience with my questions.

 - Chris

On Apr 24, 2020, at 9:59 AM, Jakob Reschke <[hidden email]> wrote: