-
Notifications
You must be signed in to change notification settings - Fork 449
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
"Use unchecked exceptions" #138
Comments
From my point of view, Clean Code’s recommendation makes perfect sense ... for Java. Unfortunately, unchecked exceptions behave differently in Java and in ABAP. Let’s go through the motions: Imagine you have a But which kind of exception will it be? A Of course you could expect the caller to read your source code to figure out which exceptions your code will be throwing. But that’s nonsense, right? We don’t want to force callers to reverse-engineer our code to understand what’s going on. We could also add a documentation, description, comment, or the like, that informs our callers that we will throw In essence, what we’d like to do is simply adding the clause This is where Java is fundamentally different. In Java, you can of course add a |
I feel you're still advocating for checked exceptions, although half-baked. In the situation you just described, there's a plethora of exceptions that can be thrown, and I shouldn't be expected as a client to deal with each one of them, even as precondition checks (in the case of CX_DYNAMIC_CHECK), since there's always the possibility that new exceptions will be added in the future as well. And if I fail to check or catch any one of them, I get a CX_SY_NO_HANDLER wrapping the original exception. Hardly an improvement. In most situations, we want to bubble the exception up to the most high level code running the program, which can catch CX_ROOT, log and respond with an error message to the user. The solution to me is documenting, as something "stronger, more reliable" is undesirable in most cases and leads us straight into checked exception territory. When that is desirable, then go all the way and use CX_STATIC_CHECK (should be rare). Look at the corresponding C# method here. C# doesn't have checked exceptions, and that's one of the places where the motivations to the Clean Code recommendation comes from. How many times have people benefited from the advertised exceptions in a method as CX_DYNAMIC_CHECK? There's no design time check to tell you if you're missing any exceptions. How many CX_SY_NO_HANDLER exceptions have you seen in the wild? Note also that this exception is very confusing, many people don't really know what that means. |
Let's explore C#, I am not familiar with it. I assume there is such a thing as libraries in C#? Suppose you get a library with a RestClient class that does REST calls, and that HTTP values other than OK are reported as exceptions. A common resilience pattern in REST is that you retry requests that failed for reasons such as timeouts, in the hope that the server can be reached some seconds later. How do you know which exception the class throws in the timeout case to know what to catch and react to? Is it the API documentation? The unit tests? |
That kind of thing is present in the documentation of such methods in C#. The API doesn't force the client to catch anything. If you want to implement a resilience pattern, like a retry or a circuit-breaker, you can catch it. The unit tests should be part of your client code, you shouldn't need to have access to the API code. You can simulate failure operations with mocks. I can see the argument for checked exceptions in this kind of API (like CX_STATIC_CHECK), but I don't see the argument for CX_DYNAMIC_CHECK, which would be wrapped in a CX_SY_NO_HANDLER if not handled/forwarded in the immediately calling code. This to me is too surprising and a potential source of frustration, since CX_SY_NO_HANDLER is an implicit exception raised by the ABAP infrastructure which wraps the real exception. It's telling you something is wrong with the code calling the API, diverting attention from the real problem, which could potentially be solved far from the calling code (e.g. with UI validation). However, most ABAP code that we create as application developers is business application code. Very rarely this kind of infrastructure APIs (file open, REST). Business exceptions are mostly validation errors, invalid state of a business object, or similar issues, and I rarely see the need for checked exceptions in this context. Even validations errors I would prefer not to use exceptions, just populate a message container. Mostly CX_NO_CHECK. Rarely CX_STATIC_CHECK. Never CX_DYNAMIC_CHECK. When telling Java developers to "use unchecked exceptions", I'm not sure that Uncle Bob is advocating to put the unchecked exceptions in the method signature. In Java you can do this, in C# you can't. Interestingly though, I tried it last night, and ABAP didn't complain when I annotated my method with CX_NO_CHECK exceptions (in the RAISING clause), even though the documentation says it would. I know I'm going against what even the ABAP documentation says about these exceptions. Perhaps my take is not the right one for this guide. I only have myself to blame, since I worked many years with C# and Java, and I always tended to favor C#'s style. |
Let's first focus on the question whether unchecked or checked should be the default. Unchecked exceptions decouple the code and make refactoring easier. In turn, they increase unreliability. Let's say method There is no reliable way how the provider could inform the consumer that the signature changed. Of course they could write ABAP doc, send out change logs, or do usage lookup and write e-mails to all consumers. In practice, ABAP doc is not used widely, we don't keep change logs for ABAP, usage checks miss other systems, and people get so many e-mails they regularly miss important ones. We must assume that the provider's info won't reach all consumers. The consumer also has trouble to reliably identify the signature change. His unit tests are no help because they will still throw the now decomissioned The only safeguard the consumer could install are higher level component or system tests that test the two pieces of production code together. However, these tests are slow, expensive to build/maintain, and have higher turnaround time (nightly build, not part of Ctrl+Shift+F10 runs). As a consequence, we'd like to minimize their number, but now find we have to increasingly use them in all places where we have no full control over all involved parts. In summary, unchecked exceptions seem to work well in constellations where you do not care about exceptions at all, and all of them bubble upwards to a general catch clause at the very top. In combinations where catches are needed though, they introduce a dangerous element of instability. The Compromises section tries to relate that. My impression is also that tools like the ABAP Development Tools, the Code Inspector, and the Coverage Analyzer would need to identify breaking |
Oh somehow I missed that page you linked! I think that almost captures the most common pattern. I would change it so that upper_method catches Your file read example can use Also, declaring the exception as I had the following thought the other day: usually when you hear about checked exceptions, the rule is like follows: "use checked exceptions if a client can reasonably be expected to recover from the exception". You also have the rule to "not use exceptions to control the normal flow of your application". I think both rules kind of contradict each other. What would you reasonably do if a file not found exception is thrown? Do you search for the file somewhere else? If that's the case, that would be application logic that should not be in a catch block. |
...and again, you mention that with |
This results in a syntax error for me ("CX_NO_CHECK inherits neither from CX_DYNAMIC_CHECK nor CX_STATIC_CHECK"), both in global and local classes. |
I'm glad you could verify that, @flaiker. In my system it worked differently.... go figure. |
@flaiker , just to add to my investigation, I did test a global class and a local test class. Here is the local test class, which passed with flying colors: CLASS my_static_exception DEFINITION INHERITING FROM cx_static_check.
ENDCLASS.
CLASS my_dynamic_exception DEFINITION INHERITING FROM cx_dynamic_check.
ENDCLASS.
CLASS my_runtime_exception DEFINITION INHERITING FROM cx_no_check.
ENDCLASS.
CLASS exc_test DEFINITION FOR TESTING DURATION SHORT RISK LEVEL HARMLESS.
PRIVATE SECTION.
METHODS:
raising_static RAISING my_static_exception,
raising_dynamic_decl RAISING my_dynamic_exception,
raising_dynamic_no_decl,
raising_runtime_no_decl,
raising_runtime_decl RAISING my_runtime_exception,
raising_runtime_decl_no_check RAISING cx_no_check,
exceptions_test FOR TESTING.
ENDCLASS.
CLASS exc_test IMPLEMENTATION.
METHOD exceptions_test.
DATA(raise_count) = 0.
TRY.
raising_static( ).
CATCH my_static_exception.
raise_count += 1.
ENDTRY.
TRY.
raising_dynamic_decl( ).
CATCH my_dynamic_exception.
raise_count += 1.
ENDTRY.
TRY.
raising_dynamic_no_decl( ).
CATCH cx_sy_no_handler.
raise_count += 1.
ENDTRY.
TRY.
raising_runtime_no_decl( ).
CATCH my_runtime_exception.
raise_count += 1.
ENDTRY.
TRY.
raising_runtime_decl( ).
CATCH my_runtime_exception.
raise_count += 1.
ENDTRY.
TRY.
raising_runtime_decl_no_check( ).
CATCH my_runtime_exception.
raise_count += 1.
ENDTRY.
cl_abap_unit_assert=>assert_equals( msg = 'Wrong number of exceptions was raised' exp = 6 act = raise_count ).
ENDMETHOD.
METHOD raising_dynamic_decl.
RAISE EXCEPTION TYPE my_dynamic_exception.
ENDMETHOD.
METHOD raising_dynamic_no_decl.
RAISE EXCEPTION TYPE my_dynamic_exception.
ENDMETHOD.
METHOD raising_runtime_no_decl.
RAISE EXCEPTION TYPE my_runtime_exception.
ENDMETHOD.
METHOD raising_runtime_decl.
RAISE EXCEPTION TYPE my_runtime_exception.
ENDMETHOD.
METHOD raising_runtime_decl_no_check.
RAISE EXCEPTION TYPE my_runtime_exception.
ENDMETHOD.
METHOD raising_static.
RAISE EXCEPTION TYPE my_static_exception.
ENDMETHOD.
ENDCLASS. |
No idea. Either way we should stick to the documented behavior, which is the one you're experiencing. Thanks for checking that. |
Confirmed this with the ABAP language group. In response to repeated feedback, including our prior discussion of this issue, they added the possibility to declare |
Amazing! This wil probably cause me to change most of my cx_dynamic_check exceptions to cx_no_check (they were only dynamic, to be able to document them in the method signature and not force the caller to catch them). This unfortunately leaves this styleguide in a weird situation. It would now be quite easy to recommend using cx_no_check, but basically no one has the required AS ABAP release and will have for years to come. I doubt this gets backported to earlier releases? |
I still would recommend using |
In my opinion that comes with high cost:
Currently I'd rather have my correctly documented and declared dynamic_check exceptions in the method signature (and live with them being wrapped into cx_sy_no_handler in some cases) than to have the drawbacks listed above. |
Thanks for those points. I certainly don't have that much experience with ABAP Doc. My general comment was about documenting the exception, regardless if it would be in ABAP Doc or some other form. Any consumer of your classes or APIs should clearly have a place to learn about it before using it. |
Today I decided to switch back to checked exceptions after having used unchecked exceptions for a while (as a consequence of R. Martins recommendation in Clean Code). The reason is more pragmatic than conceptual: I just caused too much dumps because I was not aware of possible exceptions when reusing methods. To me, the problem is, that one does not see the possible exceptions in the signature of a method called and without a deeper look at the reused coding the danger of provocation of aborts is too big |
I'd like to come back to this topic, specifically this section: https://github.com/SAP/styleguides/blob/main/clean-abap/sub-sections/Exceptions.md#why-cx_no_check-doesnt-help
This is not true for newer versions anymore. Exceptions inheriting from CX_NO_CHECK can be declared in method signatures. Doing so does not cause a syntax error anymore. I do not know since which version supported this first. The documentation is updated since version 7.55:
If we follow the reasoning of Exceptions.md, then CX_NO_CHECK should be the preferred exception type. If CX_NO_CHECK still should not be recommended, then the section should be updated with the new reasons accordingly. |
This was introduced with 7.55, there is a small blog about it here: Of particular interest is the bit: |
The post by HrFlorianHoffmann advocating use of checked exceptions as default is a bit misguided because the provided example is actually one of the rare cases where a checked exception makes perfect sense and I would consider using one myself. If what you're mostly working on are small code modules/libraries to be used by other teams then it might feel like a general rule. Such small libraries pretty much don't have anything but a public API, so the use of checked exceptions is in order. However, I'm mostly working on mid to large systems with at least a few hundred classes and often a few dosen calls on the call stack during runtime. Use of checked exceptions anywhere else but the thin public API layer is pure nonsense. When working on large systems it's essential to manage complexity by isolating higher level classes from the implementation details of the lower level classes. Checked exceptions break that rule, which is very very VERY bad. |
From my point of view the section needs adaptation. It is currently even not in line with the content of the book. The chapter in exceptions contains in the summary this recommendation:
This is supporting the approach @niuniuch uses: In larger systems you want to use unchecked exceptions internally and checked exceptions for external facing interfaces. What is considered external can deviate based on the environment. As discussed earlier in this thread: if it is possible, the exceptions should be added in the raising section to add transparency. |
I'd be cautious with the raising section. 100% in favour of a single exception hierarchy for internal exceptions with 1 ZCX superclass inheriting from CX_NO_CHECK. |
So practically speaking you do this with the internal / external approach?
to be able to use no check internally and static check externally? And then TRY CATCH reraise at the API layer??? Surely not. Or do you try catch reraise every ZCX_ABC_NO_CHECK at the API layer but only have one ZCX_ABC_API_ERROR static check exception which then points to the concrete instance of ZCX_ABC_NO_CHECK via previous? Causing the API consumer to not be able to differentiate between error cases unless relying on the previous attribute whose values are unknown. |
What the API consumer needs to know is that something went wrong and perhaps an error message to display to the user. The consumer doesn't need or want to know what excactly the error condision is. That's the whole purpose of breaking a large system into subsystems - to hide implementation details of one part from the other parts. In practice I usually catch CX_ROOT in the API layer and raise a checked ZCX_ABC_API_ERROR, or perhaps one of a small set of checked exceptions if really necessary (i.e. internal system error vs invalid input). Remember that following Clean Code doesn't bring value on it's own - the book just goes into detail on some of the concepts discussed in other books, like Agile Software Development and Clean Architecture. If you're designing your systems in a way recommended by Robert Martin (and many other prominent software engineers like Martin Fowler, Kent Beck, Dave Farley, Allen Holub etc.) then Clean Code is a cherry on top. Of course the problem is how to know at the start if the system will need complexity management or not? Unless you have a magic crystal ball I recommend starting every project assuming it will need it at some point. With this approach, the worst thing that can happen is that you will end up with a little over-engineering. The consequences of erring on the other side can be much more severe. |
Hmm, I would have said the consumer does want to know at least somewhat to be able to react differently. Propagate an insufficient authorization error up and just log it or retry a network connectivity issue a few times. But I guess that kind of handling should already have happenend behind the API facade so the caller doesn't actually need to know, as for example the network connectivity would be an implementation detail.
Regarding this: I do pass them not for the consumer to make sense of them but for the runtime to be able to log the whole exception stack from beginning to end (uncaught exception / RAISE SHORTDUMP / some kind of logging component).
I would disagree with that. By catching CX_ROOT you also catch all CX_SY* exceptions including things like database deadlocks that are extemely painful to analyze if there is no shortdump for the exception. Which catching CX_ROOT will do, unless you have your own logging component in the catch block so you do not need to rely on ST22. Catching ZCX_ABC_NO_CHECK seems reasonable to me though. On the other hand, how do you handle the static check errors on the API consumer side? You don't want to directly use them as they'd force you to declare and propagate as well since they are checked. Do you wrap those there inside of CX_NO_CHECK exceptions again until another API facade is reached? |
Correct. In general it's a good architectural principle to have a thin adapter layer on the API's you consume - so you can mock it for automated testing, translate input/outputs, etc. You just put the exception wrapping there. |
Excaclty. I would say that if the API consumer needs to know it's a connectivity issue so it can retry then it's a architectural flaw and the line of abstraction needs to be in a different place.
I'm not going to disagree with that, but dumps are a tricky subject. For many years I was a strong advocate for dumping, because of the reasons you mention. But back then I was working as an (almost) internal developer. Now I work in a environment where external clients use the systems I'm working on so dumping is a big no-no because it hurts the company's image - you always want to end the execution with some kind of 'Service is unavailable, please raise a ticket' message. |
I don't think so. The only thing I can think of is isolating a process using RFC, then the shortdump will be created but the parent can still continue execution (abapGit's integration test suite uses this technique and ABAP Unit as well I think). For creating trace data directly inside a catch block various applications created their own logging and tracing tools to serialize environment data and present it in some kind of analysis program (/IWFND/ERROR_TRACE for example). |
Maybe let's start with simple things. Can we all agree that CX_DYNAMIC_CHECK is an oddity unknown in more civilised languages and it's always better to just use CX_NO_CHECK? To me it looks like the designers of ABAP OO realised that using checked exceptions is not feasible in more complex developments, but didn't have the courage to do the right thing, because ABAP OO was clearly based on an early version of Java, and back then the Java world still thought that checked exceptions are a good idea.... |
I agree on 7.55 and up, where CX_NO_CHECK exceptions can be declared in method signatures. Before that CX_DYNAMIC_CHECK allowed for documenting exceptions in method signatures without forcing the caller to catch them (at the cost that higher levels of the call stack cannot catch them because of CX_SY_NO_HANDLER), which often was a fair compromise for me. As discussed above. |
Following the recommendation of Clean Code to "use unchecked exceptions", I ALWAYS end up using CX_NO_CHECK as my custom exceptions' superclass. I think CX_STATIC_CHECK adds too much noise everywhere it's used. CX_STATIC_CHECK is just like using checked exceptions in Java, it forces people to add empty catch blocks, deal with exceptions that they have no idea how to deal with, or to propagate exceptions in their method signatures needlessly. CX_NO_CHECK is the closest to unchecked exceptions. (CX_DYNAMIC_CHECK is just weird.)
I feel that the recommendation in this guide is moving contrary to years of experience with checked/unchecked exceptions, at least in the Java community, distilled in Clean Code. What do you think?
The text was updated successfully, but these errors were encountered: