--
All posts must follow the Fuchsia Code of Conduct https://fuchsia.dev/fuchsia-src/CODE_OF_CONDUCT or may be removed.
---
You received this message because you are subscribed to the Google Groups "fidl-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fidl-dev+u...@fuchsia.dev.
To view this discussion on the web visit https://groups.google.com/a/fuchsia.dev/d/msgid/fidl-dev/65c0db64-42da-4928-9496-8297871af4d8n%40fuchsia.dev.
In this example the Foo object knows when it is being destroyed, so there does not seem to be value in invoking the callback when the Client is destroyed?
An open question is what happens when the user continues to make more method calls on the client, during/after bindings teardown.
An open question is what happens when the user continues to make more method calls on the client, during/after bindings teardown.Wouldn't that be a state violation, and lead to either error or panic, i.e. you are using a part of the API which even though exists (methods are there) is not accessible at that moment in time, and should be treated as if it is not there? A little like trying to read from a closed fd.
PL
Makes sense. Some thoughts inline.On Thu, Jun 17, 2021 at 10:59 PM Pascal <pasca...@google.com> wrote:An open question is what happens when the user continues to make more method calls on the client, during/after bindings teardown.Wouldn't that be a state violation, and lead to either error or panic, i.e. you are using a part of the API which even though exists (methods are there) is not accessible at that moment in time, and should be treated as if it is not there? A little like trying to read from a closed fd.One trickiness is that the teardown could come from a source that is outside of the user's control, e.g. the server might close their end of the channel oor send invalid data. It seems overly restrictive to penalize the user by panicking if the server closes their endpoint while the user is making a client call.
Using the fd analogy, I think it's similar to reading from a fd whose remote side has closed (e.g. reading from a socket whose peer has terminated). We could return an error reflecting this situation. On the other hand, if the user themselves requested teardown (similar to closing the local fd or closing a local channel), it sounds more reasonable if we chose to panic in this case. Perhaps we could implement distinct behavior based on the cause of the teardown.
A slightly less trickiness is that doing so forces users to add external synchronization between making calls and teardown. Currently in LLCPP, we'd simply return the same error when making a call when teardown is happening/has completed. If we chose to panic in a subset of the cases, users would have to take a lock whenever they're making a call or calling `AsyncTeardown` on the client, to avoid triggering the panic.We could continue to return the same error, but that doesn't mesh well with moving sync errors to async (fxbug.dev/75324), since that gets us to approach #2 in the first email in the thread which as Wez mentions is prone to use-after-free: we'd surface an asynchronous error saying that the bindings have torn down, but that callback might end up touching destroyed user objects if not careful.
PL
On Fri, 18 Jun 2021 at 02:46, Yifei Teng <yif...@google.com> wrote:Makes sense. Some thoughts inline.On Thu, Jun 17, 2021 at 10:59 PM Pascal <pasca...@google.com> wrote:An open question is what happens when the user continues to make more method calls on the client, during/after bindings teardown.Wouldn't that be a state violation, and lead to either error or panic, i.e. you are using a part of the API which even though exists (methods are there) is not accessible at that moment in time, and should be treated as if it is not there? A little like trying to read from a closed fd.One trickiness is that the teardown could come from a source that is outside of the user's control, e.g. the server might close their end of the channel oor send invalid data. It seems overly restrictive to penalize the user by panicking if the server closes their endpoint while the user is making a client call.That's why the HLCPP bindings don't take action if writing to the channel fails, but instead watch the channel for peer-closed, and teardown & execute the client-supplied callback when that is observed. The API contract is that callers should never call via an un-bound client.
Using the fd analogy, I think it's similar to reading from a fd whose remote side has closed (e.g. reading from a socket whose peer has terminated). We could return an error reflecting this situation. On the other hand, if the user themselves requested teardown (similar to closing the local fd or closing a local channel), it sounds more reasonable if we chose to panic in this case. Perhaps we could implement distinct behavior based on the cause of the teardown.This is already implemented in the HLCPP bindings:1. If an InterfacePtr<> is bound and peer-closed is observed then the error-handler is invoked.2. If an InterfacePtr<> is explicitly Unbind()ed then the error-handler is not invoked.There's nothing particularly tricky about that - there's just a simple API guarantee, inherent in having Unbind()ed the InterfacePtr<> - it cannot possibly observe the peer-closed after being unbound. :)
A slightly less trickiness is that doing so forces users to add external synchronization between making calls and teardown. Currently in LLCPP, we'd simply return the same error when making a call when teardown is happening/has completed. If we chose to panic in a subset of the cases, users would have to take a lock whenever they're making a call or calling `AsyncTeardown` on the client, to avoid triggering the panic.We could continue to return the same error, but that doesn't mesh well with moving sync errors to async (fxbug.dev/75324), since that gets us to approach #2 in the first email in the thread which as Wez mentions is prone to use-after-free: we'd surface an asynchronous error saying that the bindings have torn down, but that callback might end up touching destroyed user objects if not careful.That these kinds of questions are still coming up suggests that LLCPP bindings still lack a coherent threading model.
If I understand correctly, it is a requirement that it be possible for a single LLCPP binding to be shareable by clients running on multiple threads?
With a per-client single-owner object wrapping a reference to the shared multi-threaded binding object, it should be straightforward to arrange that clients are guaranteed not to be called-back from the moment they teardown that single-owner object.
Is that not something we can/want to do?
PL