Skip to content
This repository has been archived by the owner on Nov 19, 2024. It is now read-only.

[FINAL] feat: Best-effort responses #268

Closed
wants to merge 41 commits into from
Closed
Changes from 9 commits
Commits
Show all changes
41 commits
Select commit Hold shift + click to select a range
138ccc5
Introduce timeouts for function call
oggy-dfin Jan 29, 2024
5d7edb2
Clarify that only 1 response is delivered + fix wording around multip…
oggy-dfin Jan 29, 2024
d64a3f6
Weaken the timeout guarantees
oggy-dfin Jan 29, 2024
524929a
Fix the error code
oggy-dfin Jan 29, 2024
128c8eb
Fix typo
oggy-dfin Jan 29, 2024
78b1b0e
Reword the early timeout condition
oggy-dfin Jan 30, 2024
ff8d96c
Rename the API call, change the error codes, and allow the callee to …
oggy-dfin Jan 31, 2024
132de81
Fix typos
oggy-dfin Jan 31, 2024
e8d3e64
Apply suggestions from code review
oggy-dfin Jan 31, 2024
bf2132b
Apply suggestions from code review
oggy-dfin Feb 2, 2024
d8a82df
Clarify rejection time some more
oggy-dfin Feb 2, 2024
e7b29a8
Clarify the reject code.
oggy-dfin Feb 2, 2024
395ac97
Fix the description of call_with_best_effort_response
oggy-dfin Feb 2, 2024
046eda8
Try and improve the wording some more
oggy-dfin Feb 5, 2024
ae2a7d9
More word shuffling
oggy-dfin Feb 9, 2024
ed422ff
A first attempt at an abstract spec of deadlines
oggy-dfin Feb 9, 2024
26f0947
A few fixes for deadlines
oggy-dfin Feb 12, 2024
d424166
Remove the TODO/DONE markers for deadlines
oggy-dfin Feb 12, 2024
7531920
Retain the message ordering in the spontaneous reject transition
oggy-dfin Feb 12, 2024
4ac97b8
Also allow dropping expired requests
oggy-dfin Feb 12, 2024
feed505
Move the deadline field to FromCanister origin
oggy-dfin Mar 14, 2024
dde3ccb
Bind the reject_msg var in the text of the message expiry transition
oggy-dfin Mar 14, 2024
5ce4c7b
Accept best-effort-response related system API calls in more contexts
oggy-dfin Mar 14, 2024
d9d6a46
Describe effects of new System API calls more formally
oggy-dfin Mar 14, 2024
b83f5b3
A couple of small fixes
oggy-dfin Mar 14, 2024
03c75c0
Fix call context timeout condition
oggy-dfin Mar 26, 2024
6b895de
Update spec/index.md
oggy-dfin Mar 26, 2024
00c5d64
Update spec/index.md
oggy-dfin Mar 26, 2024
cf649cd
Update spec/index.md
oggy-dfin Mar 26, 2024
7340b95
Update spec/index.md
oggy-dfin Mar 26, 2024
4068ae3
Apply suggestions from code review
oggy-dfin Apr 2, 2024
fb131ac
Keep the timestamp when expiring messages
oggy-dfin Apr 2, 2024
dad83e4
Rename reject_msg to <implementation-specific>
oggy-dfin Apr 2, 2024
e6c21ae
Weaken the invariants for expired origins
oggy-dfin Apr 3, 2024
702281e
Remove spontaneous request rejection from the PR
oggy-dfin Apr 3, 2024
48e5876
Update spec/index.md
oggy-dfin Oct 3, 2024
53f30df
Update spec/index.md
oggy-dfin Oct 3, 2024
68fe8ef
Fix the update_methods et al and add a note on deadlines in queries
oggy-dfin Oct 7, 2024
cea138b
Update spec/index.md
oggy-dfin Oct 8, 2024
1a61d1d
Fix the types
oggy-dfin Oct 8, 2024
4005aa8
Merge branch 'master' into response_timeouts
oggy-dfin Oct 8, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 22 additions & 0 deletions spec/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -127,6 +127,10 @@ This specification may refer to certain constants and limits without specifying

Maximum wall clock time spent on evaluation of a query call.

- `MAX_CALL_TIMEOUT`

The maximum timeout (in seconds) for an inter-canister call.
dsarlis marked this conversation as resolved.
Show resolved Hide resolved

### Principals {#principal}

Principals are generic identifiers for canisters, users and possibly other concepts in the future. As far as most uses of the IC are concerned they are *opaque* binary blobs with a length between 0 and 29 bytes, and there is intentionally no mechanism to tell canister ids and user ids apart.
Expand Down Expand Up @@ -1008,6 +1012,8 @@ Rejection codes are member of the following enumeration:

- `CANISTER_ERROR` (5): Canister error (e.g., trap, no response)

- `SYS_UNKNOWN` (6): Response unknown; aborted waiting for it (e.g., timed out, or system under high load).
oggy-dfin marked this conversation as resolved.
Show resolved Hide resolved

The symbolic names of this enumeration are used throughout this specification, but on all interfaces (HTTPS API, System API), they are represented as positive numbers as given in the list above.

The error message is guaranteed to be a string, i.e. not arbitrary binary data.
Expand Down Expand Up @@ -1284,6 +1290,7 @@ The following sections describe various System API functions, also referred to a
ic0.msg_reject_code : () -> i32; // Ry Rt CRy CRt
ic0.msg_reject_msg_size : () -> i32; // Rt CRt
ic0.msg_reject_msg_copy : (dst : i32, offset : i32, size : i32) -> (); // Rt CRt
ic0.msg_deadline : () -> i64; // U Ry Rt
oggy-dfin marked this conversation as resolved.
Show resolved Hide resolved

ic0.msg_reply_data_append : (src : i32, size : i32) -> (); // U Q CQ Ry Rt CRy CRt
ic0.msg_reply : () -> (); // U Q CQ Ry Rt CRy CRt
Expand Down Expand Up @@ -1322,6 +1329,7 @@ The following sections describe various System API functions, also referred to a
) -> ();
ic0.call_on_cleanup : (fun : i32, env : i32) -> (); // U CQ Ry Rt CRy CRt T
ic0.call_data_append : (src : i32, size : i32) -> (); // U CQ Ry Rt CRy CRt T
ic0.call_with_best_effort_response : (timeout_seconds : i32) -> (); // U Ry Rt T
mraszyk marked this conversation as resolved.
Show resolved Hide resolved
ic0.call_cycles_add : (amount : i64) -> (); // U Ry Rt T
ic0.call_cycles_add128 : (amount_high : i64, amount_low: i64) -> (); // U Ry Rt T
ic0.call_perform : () -> ( err_code : i32 ); // U CQ Ry Rt CRy CRt T
Expand Down Expand Up @@ -1424,6 +1432,12 @@ The canister can access an argument. For `canister_init`, `canister_post_upgrade

The reject message. Traps if there is no reject message (i.e. if `reject_code` is `0`).

- `ic0.msg_deadline : () -> i64`

The deadline, in nanoseconds since 1970-01-01, after which the caller will stop waiting for a response.
oggy-dfin marked this conversation as resolved.
Show resolved Hide resolved

For calls with best-effort responses, the deadline is computed based on the time the call was made, and the `timeout_seconds` parameter provided by the caller. For other calls, the deadline will be set to 0.
oggy-dfin marked this conversation as resolved.
Show resolved Hide resolved

### Responding {#responding}

Eventually, the canister will want to respond to the original call, either by replying (indicating success) or rejecting (signalling an error):
Expand Down Expand Up @@ -1550,6 +1564,14 @@ If this traps (e.g. runs out of cycles), the state changes from the `cleanup` fu

There must be at most one call to `ic0.call_on_cleanup` between `ic0.call_new` and `ic0.call_perform`.

- `ic0.call_with_best_effort_response : (timeout_seconds : i32) -> ()`

Allows the system to generate a synthetic reject response without waiting for the actual response. The reject callback will be triggered with either `SYS_TRANSIENT` or `SYS_UNKNOWN` reject codes. If the code is `SYS_TRANSIENT`, the caller can be sure that the call never made it to the callee. If it is `SYS_UNKNOWN`, then the call **may or may not** have been processed by the callee; for example, it could be that processing the call took too long, that the reply took too long to deliver to the calling canister, or simply that the system decided that it needed to shed load. In this case, if the calling canister needs to know whether the call was successful, it must find an out-of-band way of doing so. For example, if the callee provides idempotent function calls, the calling canister can simply retry the call.
oggy-dfin marked this conversation as resolved.
Show resolved Hide resolved

The `timeout_seconds` parameter is a hint to the system when the reject should be produced. However, it is only advisory. First, it is silently bounded by the `MAX_CALL_TIMEOUT` system constant; i.e., larger timeouts are treated as equivalent to `MAX_CALL_TIMEOUT` and do not cause an error. Second, the system may invoke the reject callback earlier than requested (e.g., under high load); the calling canister should not rely on the timeout not occurring early. Finally, the reject callback may also be executed (possibly significantly) later than the specified time, e.g., if the canister is under high load.
oggy-dfin marked this conversation as resolved.
Show resolved Hide resolved

This method can be called only in between `ic0.call_new` and `ic0.call_perform`, and at most once at that. Otherwise, it traps. A different timeout can be specified for each call.

- `ic0.call_data_append : (src : i32, size : i32) -> ()`

Appends the specified bytes to the argument of the call. Initially, the argument is empty. Traps if the total appended data exceeds the [maximum inter-canister call payload](https://internetcomputer.org/docs/current/developer-docs/backend/resource-limits#resource-constraints-and-limits).
Expand Down
Loading