rstar icon indicating copy to clipboard operation
rstar copied to clipboard
verified publisher icon georust

Remove panic! instances

Open urschrei opened this issue 4 years ago • 4 comments

  • [x ] I agree to follow the project's code of conduct.
  • [ ] I added an entry to rstar/CHANGELOG.md if knowledge of this change could be valuable to users.

While tidying the doc links etc earlier, I came across a couple of instances of panic!. While these are clearly intended to cover unlikely corner cases, this is…not good? I certainly didn't realise that we potentially had to catch panics when e.g. calculating euclidean distances in geo. So far, I haven't even defined an actual error type yet, but am obviously happy to do so if people feel that it's warranted.

urschrei avatar May 17 '21 21:05 urschrei

I get the instinctual reaction that "crashing our client's app is bad", but I personally don't think that all errors should be translated to run-time errors.

In particular, I think that it doesn't make sense to capture logic-errors in this crate as run-time errors to the user, since there's really nothing the downstream user can do with them.

michaelkirk avatar May 18 '21 01:05 michaelkirk

In particular, I think that it doesn't make sense to capture logic-errors in this crate as run-time errors to the user, since there's really nothing the downstream user can do with them.

I'd like to second that. Result is best used when there are actual runtime conditions that make a given code path fail some of the time but not of all it. If a code path fails unconditionally because it has a logic error a panic and a bug fix are a sensible reaction IMHO. "Handling" this as a runtime code is limited to logging in any case.

(Things might look different in high assurance environments when a safe system state needs to be ensured even in the presence of logic errors. But even there, this might happen by catching panics top-level and resetting the system.)

Looking at the diff here, the original panic message

panic!("Unexpected reinsert. This is a bug in rstar.")

does suggest that there are indeed no runtime conditions that make this valid and hence a panic seems appropriate.

adamreichold avatar May 18 '21 05:05 adamreichold

Thanks both, I think you're absolutely correct w/r/t "if this panics it's a bug, and we should figure out what's gone wrong".

Do you feel that there's any need to note that a panic can occur (though I would prefer to understand the conditions that could produce this first and document those)

Regarding formatting / clippy in CI, we've discussed it for other georust repos before: I'd prefer to warn rather than fail, and I don't think we came up with a good way to do that, but am very happy to investigate suggestions.

Finally, I have no idea why this was a PR and not an issue. Sorry!

urschrei avatar May 19 '21 00:05 urschrei

Do you feel that there's any need to note that a panic can occur (though I would prefer to understand the conditions that could produce this first and document those)

If a panic is part of the contract of an API than this should be noted in a # Panics section in the API documentation, e.g. indexing into a slice will panic if the index is out of bounds. In this particular case, I fear the contract would be a rather unhelpful "will panic if there is in an internal inconsistency". Meaning I would only document it if there is well-defined way for the caller of API to trigger this and we do not consider this a bug in itself.

I would also like to repeat pointing out the slice indexing two lines above the panic invocation: Just because there are two explicit panic! calls in the code does not mean these are the only places were it could panic. So if we really want panic safety, we would need to audit the whole code base thoroughly from e.g. any standard library code we call that could panic. And document where we call user code that could, e.g. Point::nth usually has a panicking branch if the index is out of bounds too which could happen if Point::DIMENSIONS is inconsistent.

Regarding formatting / clippy in CI, we've discussed it for other georust repos before: I'd prefer to warn rather than fail, and I don't think we came up with a good way to do that, but am very happy to investigate suggestions.

Personally, warnings are what I want when working locally. I think errors are fine in the CI as I would not want to merge PR with faulty formatting or unhandled warnings, even if it means suppressing some. And one can always wrangle commits manually if it is an emergency of some sort.

adamreichold avatar May 19 '21 05:05 adamreichold