Re: better error messages through assertions
From: Philip McGrath
Subject: Re: better error messages through assertions
Date: Mon, 28 Mar 2022 16:25:33 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0

Hi,

On 3/7/22 05:13, Ludovic Courtès wrote:
> Hi Philip,
>
> Philip McGrath <philip@philipmcgrath.com> skribis:
>
>> Racket's state-of-the-art contract system has many features and nuances. I *do
>> not* think anyone should try to implement them all in one fell swoop. I'm
>> hoping there's a way to implement your simple assertions with only a modest
>> amount of overhead that will provide the right base on which to grow the rest
>> of a contract system. In the short term, the advantage over:
>>
>>     (assert-type (listof service?) services
>>                  "SERVICES must be a list of <service> values.")
>>
>> is that you don't have to write error messages by hand.
>>
>> You need two types of values:
>>
>>  1. Contracts, recognized by `contract?`; and
>>  2. Blame objects, recognized by `blame?`.
>
> [...]
>
> Thanks for the explanation and references! I had briefly looked at
> Racket’s contract API in the past but your message gave a clearer view
> of how this all fits together.

I'm glad this is something Guix people are interested in!

>> I would love to have contracts in Guix, even very rudimentary contracts. If
>> it's something the community more generally would be interested in, I'd be
>> glad to help as much as I can.
>
> It’d be great to benefit from your expertise here. Like you wrote, I
> think we should start with a simple contract system, certainly simpler
> than Racket’s, and build from there.
>
> If you’re willing and able to spend time prototyping this, that’s great.
> :-)

I'm interested in putting together a prototype.

I've taken my own suggestion and asked the Racket community for more
advice:
https://racket.discourse.group/t/advice-on-implementing-a-contract-system/832

To quote the end of my last message there,

> The tl;dr of all that is that `(guix records)` seems to ultimately call for
> "indy-dependent" contracts[1].
> On the one hand, the distinction between "indy-dependent" `->i`[2] and
> "lax-dependent" `->d`[3] is exactly the sort of hard-learned lesson that I
> hope the Guix community can draw from Racket's decades of experience.
> On the other hand, I'm increasingly intrigued by the idea of starting with
> forms along the lines of `invariant-assertion`[4] and `struct-guard/c`[5] and
> truly sticking to flat contracts to start with, leaving all the higher-order
> complexity for another day.

I'm thinking that a reasonable place to start might be to implement a
`contract->sanitizer` form that would allow using contracts to create
sanitizers, ideally with no changes to `(guix records)`.

In addition to the questions about contract system design, I realized I
have a few questions about Guix/Guile that would be relevant when
starting a prototype.

What is the preferred mechanism for exceptions? I know about:

 * (rnrs exceptions)
 * (ice-9 exceptions)
 * (srfi srfi-34)
 * (srfi srfi-35)

and IIRC I've seen more than one of them used in the Guix codebase.

Likewise, what record system should I use? I think the answer should
*not* be (guix records): instead, I think (guix records) should
eventually use (guix contracts). But should I use:

 * (rnrs records syntactic)
 * (rnrs records procedural)
 * (srfi srfi-9)
 * (oop goops)

Of those, I'm most familiar with R6RS records. I know (guix records) is
implemented on top of (srfi srfi-9), though I vaguely remember some
discussion about potentially changing that.

Also, I don't know much about how the "abi" aspect of (guix records)
works and what types of changes there would trigger rebuilds. (Though,
again, I hope no changes would be needed for the proof-of-concept phase.)

Finally, when I looked again at the example at the top of this thread:

On 2/14/22 17:32, Ricardo Wurmus wrote:
> ice-9/boot-9.scm:1685:16: In procedure raise-exception:
> In procedure struct-vtable: Wrong type argument in position 1 (expecting
> struct):
> --8<---------------cut here---------------end--------------->8---
>
> As you can probably tell easily by looking at this message, the
> “service” field of the operating system configuration looked something
> like this:
>
>   (services (append (list a b c %desktop-services) #;oops))
>
> instead of this
>
>   (services (append (list a b c) %desktop-services))
>
> This is because INSTANTIATE-MISSING-SERVICES — and FOLD-SERVICES, and
> many more — assumes that it is only passed a plain list of services. It
> then proceeds to call SERVICE-KIND on what may or may not be a service.

Another problem here seems to be the fault of (srfi srfi-9). For example:

```
$ guile
GNU Guile 3.0.8
Copyright (C) 1995-2021 Free Software Foundation, Inc.
Guile comes with ABSOLUTELY NO WARRANTY; for details type `,show w'.
This program is free software, and you are welcome to redistribute it
under certain conditions; type `,show c' for details.
Enter `,help' for help.
scheme@(guile-user)> ,use (srfi srfi-9)
scheme@(guile-user)> (define-record-type container (make-container
contents) container? (contents container-contents))
scheme@(guile-user)> (container-contents '())
ice-9/boot-9.scm:1685:16: In procedure raise-exception:
In procedure struct-vtable: Wrong type argument in position 1 (expecting
struct): ()
Entering a new prompt. Type `,bt' for a backtrace or `,q' to continue.
scheme@(guile-user) [1]> ,bt
In current input:
3:0 1 (_)
In ice-9/boot-9.scm:
1685:16 0 (raise-exception _ #:continuable? _)
```

It seems like `container-contents` and other field accessors ought to
check their arguments with `container?` (or the applicable predicate)
and not leave error reporting to `struct-vtable`.

Perhaps this could be fixed in the (guix records) layer?

-Philip

[1]: https://www2.ccs.neu.edu/racket/pubs/popl11-dfff.pdf
[2]: https://docs.racket-lang.org/reference/function-contracts.html#%28form._%28%28lib._racket%2Fcontract%2Fbase..rkt%29._-~3ei%29%29
[3]: https://docs.racket-lang.org/reference/function-contracts.html#%28form._%28%28lib._racket%2Fcontract%2Fbase..rkt%29._-~3ed%29%29
[4]: https://docs.racket-lang.org/reference/attaching-contracts-to-values.html#%28form._%28%28lib._racket%2Fcontract%2Fprivate%25in2Fbase..rkt%29._invariant-assertion%29%29
[5]: https://docs.racket-lang.org/reference/attaching-contracts-to-values.html#%28form._%28%28lib._racket%2Fcontract%2Fbase..rkt%29._struct-guard%2Fc%29%29
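
Added example, not part of the original message and not code from Guix or Guile: one way the accessor check suggested above could look in plain Guile, wrapping the SRFI-9 accessor so that a wrong argument is reported against `container-contents` instead of `struct-vtable`. The names `define-checked-accessor`, `%container-contents` and `describe-failure` are hypothetical.

```scheme
(use-modules (srfi srfi-9))

;; Same record as in the REPL session above, except that the raw SRFI-9
;; accessor gets a private name (hypothetical: %container-contents).
(define-record-type container
  (make-container contents)
  container?
  (contents %container-contents))

;; Hypothetical helper: define NAME as an accessor that first checks its
;; argument with PREDICATE and, on failure, raises a wrong-type-arg error
;; naming the accessor and the expected record type.
(define-syntax-rule (define-checked-accessor name predicate type raw)
  (define (name obj)
    (if (predicate obj)
        (raw obj)
        (scm-error 'wrong-type-arg (symbol->string 'name)
                   "Wrong type argument in position 1 (expecting ~A): ~S"
                   (list 'type obj)
                   (list obj)))))

(define-checked-accessor container-contents
  container? container %container-contents)

;; Run THUNK and return either its value or the text of the
;; wrong-type-arg error it raised, so both cases can be displayed.
(define (describe-failure thunk)
  (catch 'wrong-type-arg
    thunk
    (lambda (key subr message args . rest)
      (string-append "In procedure " subr ": "
                     (apply format #f message args)))))

;; Constructed inputs: a real container, then the '() from the session.
(display (describe-failure
          (lambda () (container-contents (make-container 42)))))
(newline)
(display (describe-failure (lambda () (container-contents '()))))
(newline)
```

The check costs one predicate call per access; the error now names the accessor the caller actually used and the record type it expected.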