Skip to content
This repository has been archived by the owner on Nov 19, 2024. It is now read-only.

[FINAL] feat: Best-effort responses #268

Closed
wants to merge 41 commits into from
Closed
Changes from 5 commits
Commits
Show all changes
41 commits
Select commit Hold shift + click to select a range
138ccc5
Introduce timeouts for function call
oggy-dfin Jan 29, 2024
5d7edb2
Clarify that only 1 response is delivered + fix wording around multip…
oggy-dfin Jan 29, 2024
d64a3f6
Weaken the timeout guarantees
oggy-dfin Jan 29, 2024
524929a
Fix the error code
oggy-dfin Jan 29, 2024
128c8eb
Fix typo
oggy-dfin Jan 29, 2024
78b1b0e
Reword the early timeout condition
oggy-dfin Jan 30, 2024
ff8d96c
Rename the API call, change the error codes, and allow the callee to …
oggy-dfin Jan 31, 2024
132de81
Fix typos
oggy-dfin Jan 31, 2024
e8d3e64
Apply suggestions from code review
oggy-dfin Jan 31, 2024
bf2132b
Apply suggestions from code review
oggy-dfin Feb 2, 2024
d8a82df
Clarify rejection time some more
oggy-dfin Feb 2, 2024
e7b29a8
Clarify the reject code.
oggy-dfin Feb 2, 2024
395ac97
Fix the description of call_with_best_effort_response
oggy-dfin Feb 2, 2024
046eda8
Try and improve the wording some more
oggy-dfin Feb 5, 2024
ae2a7d9
More word shuffling
oggy-dfin Feb 9, 2024
ed422ff
A first attempt at an abstract spec of deadlines
oggy-dfin Feb 9, 2024
26f0947
A few fixes for deadlines
oggy-dfin Feb 12, 2024
d424166
Remove the TODO/DONE markers for deadlines
oggy-dfin Feb 12, 2024
7531920
Retain the message ordering in the spontaneous reject transition
oggy-dfin Feb 12, 2024
4ac97b8
Also allow dropping expired requests
oggy-dfin Feb 12, 2024
feed505
Move the deadline field to FromCanister origin
oggy-dfin Mar 14, 2024
dde3ccb
Bind the reject_msg var in the text of the message expiry transition
oggy-dfin Mar 14, 2024
5ce4c7b
Accept best-effort-response related system API calls in more contexts
oggy-dfin Mar 14, 2024
d9d6a46
Describe effects of new System API calls more formally
oggy-dfin Mar 14, 2024
b83f5b3
A couple of small fixes
oggy-dfin Mar 14, 2024
03c75c0
Fix call context timeout condition
oggy-dfin Mar 26, 2024
6b895de
Update spec/index.md
oggy-dfin Mar 26, 2024
00c5d64
Update spec/index.md
oggy-dfin Mar 26, 2024
cf649cd
Update spec/index.md
oggy-dfin Mar 26, 2024
7340b95
Update spec/index.md
oggy-dfin Mar 26, 2024
4068ae3
Apply suggestions from code review
oggy-dfin Apr 2, 2024
fb131ac
Keep the timestamp when expiring messages
oggy-dfin Apr 2, 2024
dad83e4
Rename reject_msg to <implementation-specific>
oggy-dfin Apr 2, 2024
e6c21ae
Weaken the invariants for expired origins
oggy-dfin Apr 3, 2024
702281e
Remove spontaneous request rejection from the PR
oggy-dfin Apr 3, 2024
48e5876
Update spec/index.md
oggy-dfin Oct 3, 2024
53f30df
Update spec/index.md
oggy-dfin Oct 3, 2024
68fe8ef
Fix the update_methods et al and add a note on deadlines in queries
oggy-dfin Oct 7, 2024
cea138b
Update spec/index.md
oggy-dfin Oct 8, 2024
1a61d1d
Fix the types
oggy-dfin Oct 8, 2024
4005aa8
Merge branch 'master' into response_timeouts
oggy-dfin Oct 8, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 17 additions & 0 deletions spec/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -127,6 +127,10 @@ This specification may refer to certain constants and limits without specifying

Maximum wall clock time spent on evaluation of a query call.

- `MAX_CALL_TIMEOUT`

The maximum timeout (in seconds) for an inter-canister call.
dsarlis marked this conversation as resolved.
Show resolved Hide resolved

### Principals {#principal}

Principals are generic identifiers for canisters, users and possibly other concepts in the future. As far as most uses of the IC are concerned they are *opaque* binary blobs with a length between 0 and 29 bytes, and there is intentionally no mechanism to tell canister ids and user ids apart.
Expand Down Expand Up @@ -1008,6 +1012,8 @@ Rejection codes are member of the following enumeration:

- `CANISTER_ERROR` (5): Canister error (e.g., trap, no response)

- `SYS_TIMEOUT` (6): Timed out while waiting for a response.

The symbolic names of this enumeration are used throughout this specification, but on all interfaces (HTTPS API, System API), they are represented as positive numbers as given in the list above.

The error message is guaranteed to be a string, i.e. not arbitrary binary data.
Expand Down Expand Up @@ -1322,6 +1328,7 @@ The following sections describe various System API functions, also referred to a
) -> ();
ic0.call_on_cleanup : (fun : i32, env : i32) -> (); // U CQ Ry Rt CRy CRt T
ic0.call_data_append : (src : i32, size : i32) -> (); // U CQ Ry Rt CRy CRt T
ic0.call_set_timeout : (seconds : i32) -> (); // U Ry Rt T
ic0.call_cycles_add : (amount : i64) -> (); // U Ry Rt T
ic0.call_cycles_add128 : (amount_high : i64, amount_low: i64) -> (); // U Ry Rt T
ic0.call_perform : () -> ( err_code : i32 ); // U CQ Ry Rt CRy CRt T
Expand Down Expand Up @@ -1550,6 +1557,16 @@ If this traps (e.g. runs out of cycles), the state changes from the `cleanup` fu

There must be at most one call to `ic0.call_on_cleanup` between `ic0.call_new` and `ic0.call_perform`.

- `ic0.call_set_timeout : (seconds : i32) -> ()`

Requests the system to generate a synthetic timeout reject if no reply is received within the specified amount of seconds. The returned reject code will be `SYS_TIMEOUT`.

The `seconds` parameter is only advisory. First, it is silently bounded by the `MAX_CALL_TIMEOUT` system constant; i.e., larger timeouts are treated as equivalent to `MAX_CALL_TIMEOUT` and do not cause an error. Second, while the system will attempt not to time out the call too early, it may in exceptional circumstances trigger the timeout earlier than requested; the calling canister should not rely on the timeout not occurring early. Finally, even under normal circumstances, the timeout may trigger significantly later than the specified time.
derlerd-dfinity marked this conversation as resolved.
Show resolved Hide resolved
derlerd-dfinity marked this conversation as resolved.
Show resolved Hide resolved

Note that a timeout reject does **not** guarantee that the call failed. It is possible that the call was still successfully received by the canister, but that processing the call took too long, or that the reply took too long to deliver to the calling canister. After the timeout reject is delivered to the calling canister, no further response (reply or reject) for this call will be delivered, even if the callee produces one. If the calling canister needs to know whether the call was successful, it must find an out-of-band way of doing so. For example, if the callee provides idempotent function calls, the calling canister can simply retry the call.

This method can be called only in between `ic0.call_new` and `ic0.call_perform`, and at most once at that. Otherwise, it traps. A different timeout can be specified for each call.

- `ic0.call_data_append : (src : i32, size : i32) -> ()`

Appends the specified bytes to the argument of the call. Initially, the argument is empty. Traps if the total appended data exceeds the [maximum inter-canister call payload](https://internetcomputer.org/docs/current/developer-docs/backend/resource-limits#resource-constraints-and-limits).
Expand Down
Loading