lab/sx
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5491acbcbb4a2a7e17a231d095bdf4da367b3092
sx/docs/error-handling.md
agra f7f9def0e7 error handling
2026-05-31 16:10:36 +03:00

445 lines
12 KiB
Markdown
Raw Blame History

# Error Handling in sx
A guide to writing fallible code in sx — raising errors, propagating
them, handling them, and cleaning up.
---
## The mental model
In sx, errors travel on a **separate channel** from return values, not
wrapped around them. A function that can fail adds a trailing `!` to its
return type:
```sx
parse_digit :: (s: string) -> (s32, !) {
if s.len == 0 raise error.Empty;
if !is_digit(s[0]) raise error.BadDigit;
return s[0] - '0';
}
```
The `(s32, !)` says "returns an `s32` on success, or an error." The `!`
is one more slot in sx's normal multi-return — the error rides
alongside the values, it doesn't replace them.
Three things to know up front:
1. **Errors are tags, not data.** `error.BadDigit` is a lightweight
name (interned to an integer), not a struct with fields. To attach
context, log it; the tag itself is just an identity.
2. **You can't ignore an error by accident.** Every failable result
must be explicitly propagated, handled, or absorbed — the compiler
rejects code that silently drops an error.
3. **`try` marks every place an error can escape.** Reading the code,
every point where an error leaves a function is visibly a `try`.
---
## Declaring what can go wrong
### Inferred sets — just write `!`
The simplest failable function uses a bare `!`. The compiler figures
out which error tags it can produce by looking at the body:
```sx
read_byte :: (r: *Reader) -> (u8, !) {
if r.at_end raise error.Eof; // mints error.Eof on use
return r.next();
}
```
Callers see `read_byte`'s error type as exactly the set of tags it can
raise — here, `{ Eof }`.
### Named sets — when you want an explicit contract
For a stable, documented error contract, declare a named set and use it
in the signature:
```sx
ParseErr :: error { Empty, BadDigit, Overflow };
parse_int :: (s: string) -> (s32, !ParseErr) {
if s.len == 0 raise error.Empty;
if overflowed raise error.Overflow;
...
}
```
With a named set, `raise error.X` is checked against the declaration —
a typo like `error.BadDgit` is a compile error, because `BadDgit` isn't
in `ParseErr`.
> **Tip:** Use a named set when the error contract is part of your API.
> Use bare `!` for internal helpers where the errors are an
> implementation detail.
---
## Raising an error
`raise` ends the function with an error, like `return` ends it with a
value:
```sx
if denominator == 0 raise error.DivByZero;
```
`raise` is a statement — it can't appear inside an expression. You can
raise a literal tag (`raise error.X`) or a tag held in a variable
(`raise e`), which is handy for forwarding:
```sx
v := parse(s) catch e {
if e == error.Recoverable return default;
raise e; // forward everything else
};
```
Inside a closure, `raise` ends **that closure**, not the function the
closure was written in — a closure is its own failable function.
---
## Propagating with `try`
When you call a failable function and want its error to bubble up to
*your* caller, prefix the call with `try`:
```sx
two_digits :: (s: string) -> (s32, !) {
a := try parse_digit(s); // if this fails, two_digits fails
b := try parse_digit(s[1..]);
return a * 10 + b;
}
```
`try parse_digit(s)` means: run it; on success, `a` gets the value; on
failure, `two_digits` returns immediately with that error.
`try` works anywhere a value is expected — arguments, struct fields,
conditions:
```sx
v := combine(try parse(a), try parse(b)); // short-circuits on first failure
cfg := Config.{ port = try parse_port(s), host = try parse_host(s) };
if try is_ready(conn) { ... }
```
**The rule:** a failable call must be marked. If you write a bare
failable call with nowhere for its error to go, it's a compile error:
```sx
v := parse_digit(s); // ERROR: parse_digit can fail — handle it
v := try parse_digit(s); // OK: propagate
```
This is the heart of sx error handling: **every escape point is a
visible `try`.** You can grep for `try` to find every place your
function can fail out.
---
## Fallbacks and chains with `or`
`or` provides a value when a failable call fails, or chains to another
attempt.
### Fall back to a default value
```sx
port := parse_port(s) or 8080; // if parsing fails, port = 8080
```
The error is absorbed; `port` is a plain `s32`.
### Chain attempts — first success wins
```sx
v := try fetch_local(key) or try fetch_remote(key);
// try local; if it fails, try remote; if both fail, propagate
```
Each attempt is a `try`; if all fail, the last error propagates (and the
trace records every attempt). Mix in a terminator to never fail:
```sx
v := try fetch_local(key) or try fetch_remote(key) or default_value;
// try both; fall back to default if both fail — never propagates
```
> `or` is the same operator sx uses for optional fallback. It binds
> looser than `try`, and chains left-to-right.
---
## Handling with `catch`
`catch` handles an error inline and produces a value (or diverts
control). The bound name (`catch e`) is the error tag:
```sx
v := parse_int(s) catch e {
log.warn("bad input '{}': {}", s, e);
return -1; // bail out of the enclosing function
};
```
The catch body either produces a value of the success type, or diverges
(`return`, `raise`, `break`, `continue`, `unreachable`).
### Ignore the error
Omit the binding entirely (the body must be braced):
```sx
flush(buf) catch { }; // attempt it; ignore any failure
```
### Dispatch on the tag — the `catch e == { }` form
When you want to handle specific tags differently, use the match form —
it's sugar for `catch e { if e == { ... } }`:
```sx
v := parse_int(s) catch e == {
case .Empty: 0;
case .BadDigit: -1;
else: raise e; // forward the rest
};
```
### Multi-value catch
If the function returns multiple values, the catch body produces a
tuple:
```sx
v, n := parse_pair(s) catch e {
log.warn("parse failed: {}", e);
(0, 0)
};
```
### Comparing tags
Error tags compare with other tags and `error.X` literals — never with
raw integers (tag ids are an internal detail):
```sx
if e == error.Empty { ... } // OK
if e == 42 { ... } // ERROR — compare against a tag
```
---
## Cleanup: `defer` and `onfail`
Both register cleanup that runs when a block exits. The difference is
*when*:
- **`defer`** runs on **every** exit — success or failure.
- **`onfail`** runs **only** when an error leaves the block.
### Use `defer` for unconditional cleanup
```sx
process_file :: (path: string) -> ! {
f := try open(path);
defer close(f); // always close, success or fail
try process(try read_all(f));
}
```
### Use `onfail` for "undo on failure" — when ownership transfers on success
The classic case is a constructor that hands the resource to its caller
on success, but must clean up if a later step fails:
```sx
make_handle :: () -> (Handle, !) {
h := try sys_open();
onfail sys_close(h); // close only if a LATER step fails
try configure(h);
try register(h);
return h; // success: onfail is skipped — caller owns h
}
```
If `configure` or `register` fails, `sys_close(h)` runs and the error
propagates. On success, `onfail` is skipped — `h` belongs to the caller
now. Using `defer` here would be a bug: it'd close the handle you just
handed out.
`onfail` can bind the in-flight tag and is block-scoped — it fires when
an error leaves *its* block, even if a caller later catches that error:
```sx
v := (try {
h := try open();
onfail close(h); // scoped to this block
try use(h);
42
}) catch { default };
// use() fails → close(h) runs (cleanup happens) → catch absorbs → default
```
### Cleanup that can itself fail
Cleanup routines are often failable too. Inside a `defer`/`onfail` body
you can't `try` or `raise` (cleanup can't propagate — you're already
unwinding), so absorb the error locally:
```sx
onfail {
close(h) catch { }; // ignore a failed close
flush(buf) catch fe { log.warn("flush failed: {}", fe); };
}
```
---
## When something fails: error traces
In debug builds, sx records a **return trace** — the path an error took
from its `raise` site up through every `try` that propagated it. Print
it from a handler:
```sx
v := parse(s) catch e {
log.error("parse failed: {}", e);
trace.print_current();
return default;
};
```
```
error trace:
raised error.BadDigit
at parse_digit (parse.sx:12:5)
at parse_int (parse.sx:34:13)
at handle_line (main.sx:21:8)
```
Traces are on by default in debug builds and compiled out in release
(re-enable with `--release-traces`). They cost nothing on the success
path. Frame locations resolve through the binary's debug info, so
`lldb` / `gdb` work on sx binaries too.
Interpolating a tag with `{}` prints its **name**, not a number — in
every build, including release:
```sx
log.warn("parse failed: {}", e); // → "parse failed: BadDigit"
```
For human-readable context, use `log` on the error path — the tag tells
you *what* failed, the log tells you the *details*:
```sx
parse :: (s: string) -> (s32, !) {
onfail e { log.warn("parsing {}: {}", s, e); }
...
}
```
---
## `main` and exit codes
`main` may be void or return an integer, and may be failable:
```sx
main :: () { ... } // exit 0 on success
main :: () -> u8 { return 42; } // exit code 42
main :: () -> ! { ... } // exit 0, or 1 + trace on an unhandled error
main :: () -> (u8, !) { ... } // exit code on success; 1 on error
```
If a failable `main` exits via an error, sx prints the formatted trace
and the tag to stderr and exits with code `1`.
For explicit, shell-friendly exit codes anywhere in the program, call
`process.exit`:
```sx
process :: #import "modules/process.sx";
main :: () -> ! {
if bad_args process.exit(64); // EX_USAGE — immediate, bypasses the error system
try run();
}
```
`process.exit` is a final stop: it does not run `defer`/`onfail` and does
not propagate. Use it for deliberate termination, not for recoverable
errors.
---
## Patterns
### Resource acquisition
```sx
open_db :: (url: string) -> (Conn, !DbErr) {
c := try connect(url);
onfail disconnect(c);
try authenticate(c);
try select_schema(c);
return c; // caller owns the live connection
}
```
### Selective handling, forward the rest
```sx
load :: (path: string) -> (Data, !) {
return read(path) catch e == {
case .NotFound: try read(fallback_path); // recover one case
else: raise e; // forward the rest
};
}
```
### Fallible pipeline
```sx
// `|>` threads a value through stages; mark each fallible stage
n := try parse(s) |> try validate() |> try normalize();
```
### Validate-and-collect
```sx
parse_config :: (src: string) -> (Config, !ParseErr) {
return Config.{
name = try field(src, "name"),
port = try field_int(src, "port"),
host = try field(src, "host"),
};
// first failing field short-circuits — no partial Config escapes
}
```
---
## Rules of thumb
- **Add `!` when a function can fail.** Use a named set for public
contracts, bare `!` for internal helpers.
- **`raise` to fail, `try` to propagate, `catch` to handle, `or` to
fall back.**
- **Every failable call needs a marker** (`try` / `catch` / `or` /
destructure). If you forget, the compiler tells you exactly where.
- **`defer` always runs; `onfail` runs only on error.** Reach for
`onfail` when success transfers ownership.
- **Cleanup can't propagate** — absorb failable cleanup with `catch` /
`or`.
- **Tags are identities, not data** — log for context; compare tags to
tags, never to raw integers.
- **Traces are free in release** (compiled out) and automatic in debug.
Reference in New Issue View Git Blame Copy Permalink