util: Abort on failing CHECK_NONFATAL in debug builds #32588
Conversation
|
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers. Code Coverage & BenchmarksFor details see: https://corecheck.dev/bitcoin/bitcoin/pulls/32588. ReviewsSee the guideline for information on the review process.
If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update. ConflictsNo conflicts as of last run. |
fadb1c8 to
fa033fb
Compare
|
🚧 At least one of the CI tasks failed. HintsTry to run the tests locally, according to the documentation. However, a CI failure may still
Leave a comment here, if you need help tracking down a confusing failure. |
|
Concept ACK. Nice idea, and it does seem useful to have a macro checking for unexpected but not very serious conditions by throwing an exception that gets reported in release builds but is a fatal error in debug builds. And current uses of the macro seem like good candidates for that behavior. The only possible issues I see are: (1) The name CHECK_NONFATAL doesn't make a lot of sense anymore, now triggering fatal errors when it literally says "nonfatal" in the name. Both could be addressed in followups. Issue (2) could be addressed by having a IMO, issue (1) would be nice to address by coming up with a better designed set of checking macros and starting to use them. I think it could be good to have a:
Then, current Just a thought though. Maybe current names are not a real problem, and naming shouldn't block this PR in any case. |
fa033fb to
faae9a2
Compare
I don't think this solves issue (1). Instead of NONFATAL being inaccurately named in debug builds, it will now be THROW, because the check is neither nonfatal nor throwing in debug builds.
No objection, just mentioning that this would be a larger diff (including link-time changes, which are for some reason more involved in this area (#26688 (comment), #32543 (comment))), so a separate discussion/issue/pull seems better.
Thx, pushed a commit to fix this. |
|
Concept ACK |
There was a problem hiding this comment.
Code review ACK faae9a2. I think this is a good change. It makes sense conceptually to have check macros that always abort in debug builds, but do different things depending on cost of the check & severity of the error in release builds.
re: #32588 (comment)
I don't think this solves issue (1). Instead of NONFATAL being inaccurately named in debug builds, it will now be THROW, because the check is neither nonfatal nor throwing in debug builds.
IMO it does solve it, because the current issue is that the macro is literally doing the thing its name says it will not do (trigger a fatal error). By contrast, I don't think it is a problem for function name to just describe its primary purpose and not everything else it may do. No need to solve everything here though. Current PR seems like a step forward.
faae9a2 to
fa68bda
Compare
This does not change behavior, but documents that G_ABORT_ON_FAILED_ASSUME is set when G_FUZZING_BUILD.
fae1423 to
faabcc0
Compare
|
🚧 At least one of the CI tasks failed. HintsTry to run the tests locally, according to the documentation. However, a CI failure may still
Leave a comment here, if you need help tracking down a confusing failure. |
fa54573 to
fac50ee
Compare
There was a problem hiding this comment.
Code review ACK fac50ee, just rebased, added back functional test, and tweaked fuzz test since last review.
Overall this looks good and conceptually I like this change because it makes all the checking macros do the exact same thing in debug builds and abort, only having varying behavior in release builds.
This allows specific tests to mock the check behavior to consistently use exceptions instead of aborts for intentionally failing checks in all build configurations.
fa3f413 to
fa27b23
Compare
This requires adjusting some tests to force exceptions over aborts, or accept either exceptions or aborts. Also, remove a fuzz test in integer.cpp that is mostly redundant with the unit test added in the prior commit.
fa27b23 to
fa37153
Compare
|
ACK fa37153 |
A failing
CHECK_NONFATALwill throw an exception. This is fine and even desired in production builds, because the program may catch the exception and give the user a way to easily report the bug upstream.However, in debug development builds, exceptions for internal bugs are problematic:
Fix all issues by turning the exception into an abort in debug builds.
This can be tested by reverting the hunks to
src/rpc/node.cppandtest/functional/rpc_misc.pyand then running the functional or fuzz tests.