fix: host_bindgen! returns Result instead of panicking on guest errors#1317
fix: host_bindgen! returns Result instead of panicking on guest errors#1317jsturtevant wants to merge 1 commit into
Conversation
21ca91e to
eadb9f1
Compare
ludfjig
left a comment
There was a problem hiding this comment.
I think I am fine with this, but I suspect this is intentional. I think we generally want to avoid Result types as much as possible where it makes sense, but since this matches the current guest calling convention maybe let's defer that discussion to later
Open to other ways of addressing this I guess but a panic in the guest shouldn't panic this host. It seemed practical to match existing behavoir |
|
I agree with @ludfjig that, generally speaking, the semantic gap of lifting everything from the interface into Option isn't particularly attractive. However, I do see the need to deal with errors that fundamentally can happen during execution on the host side. Is there a reason that this is also applied to the host functions imported by the guest? I think that generally speaking it is the ability to export a function implementing an interface, but actually implement a different interface (i.e. one with more optionality) that is the most semantically damaging---so the implicit Let me know what you think about the usability of that. As I think about this more, from the wasm perspective especially, I do think that having the |
This was to match the current non-wit implementation. We had improved the situation with errors in #868.
Agree with the general sentiment that's its not ideal. I am not so sure we don't want host function to return errors, it seems useful to me to be able to say something went wrong across the boundry. Be interesting in what others think |
actually, was thinking on this some more and WIT does have the ability capture "result" types so we probalby don't need this on the guest side (I don't see the equivalent |
I'm with you on that one :)
I'm still not totally convinced on this, although I can see the arguments. Can you elaborate a little more on the use cases you see? If we did allow this, I think it's important that it not be semantically visible in the guest, which shouldn't know whether its imported component is implemented across a hyperlight-host boundary or by any other component, so we would need to propagate the error return up, and I would think that it would probably make sense to poison the sandbox (probably by panicking the guest?). If there's not a super strong use case, having the optionality just on the host->guest calls and not the hostcall returns seems like it is a starting point that gets rid of the main issue and is minimally invasive?
There is an unwrap on the host call result here. Precisely the thing that I want to be careful about here is conflating WIT-level semantically-there-in-the-API optionality with this unconditionally-added-everywhere Hyperlight-level optionality. As I said in the paragraph above, even if we did add this for host function return types, I would not want to see it meaningfully exposed to the guest code. |
Yes I am in agree that we shouldn't do this now. I'm going to revisit this and see if I can come up with something different for consideration. |
|
@jsturtevant should we close this one? |
|
We need a version of this, let me see if I can fix it up this week |
eadb9f1 to
498499a
Compare
There was a problem hiding this comment.
Pull request overview
This PR updates the host_bindgen!-generated host-side export wrappers so that guest call failures (e.g., abort/trap/timeout) are surfaced to callers as Result<_, HyperlightError> instead of crashing the host via panic!. This aligns exported guest calls with other Hyperlight call paths that already return errors.
Changes:
- Change host export wrapper generation to propagate
Callable::call()failures via?and returnOk(...)on success. - Update generated host-side export trait method signatures to return
Result<T, HyperlightError>(while keeping constructors unaffected). - Update tests to unwrap successful guest calls and add a synthetic error-propagation test; also add some codegen deduplication state to avoid duplicate emitted types.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| src/hyperlight_host/tests/wit_test.rs | Updates callers for new Result-returning export methods and adds a test ensuring errors are returned instead of panicking. |
| src/hyperlight_component_util/src/rtypes.rs | Changes generated host-side export trait method return types to Result<_, HyperlightError> and adjusts export-instance trait naming. |
| src/hyperlight_component_util/src/resource.rs | Makes generated resource-table new() constructor pub(crate) (needed by new/updated usage patterns). |
| src/hyperlight_component_util/src/host.rs | Removes panic! on guest call errors in generated wrappers; returns Result and propagates failures with ?. |
| src/hyperlight_component_util/src/emit.rs | Adds module-level tracking (emitted_type_names) to prevent duplicate type emissions during codegen. |
Make generated host-side WIT export calls return HyperlightError instead of panicking when guest execution fails, while keeping guest-imported host function traits non-fallible. Add a real WIT guest panic export to cover the host error path. Signed-off-by: James Sturtevant <jsturtevant@gmail.com>
cefb1ac to
cae31c2
Compare
fixes: #1316
host_bindgen!export wrappers no longer panic whenCallable::call()returnsErr(guest abort/trap/timeout). Host callers now receive theHyperlightError.Breaking change
Host-side guest export traits are now fallible and use a
*Exportssuffix. Host functions imported by the guest keep the original WIT signatures.Example WIT:
Generated/used Rust shape:
Signed-off-by: James Sturtevant jsturtevant@gmail.com