New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve Exception Messages #4402
Comments
Follow up: Also, the question is if strategically these issues should be pursued. (*) actually i'm not so sure if it's a perfect example, since on unix and windows we have different path formats. It might be somewhat difficult to determine what kind of constraints to apply to both (all) and when to test/enforce them. List of exception messages to improve:
|
cc @stephentoub |
Not really sure if this is a valid concern but when an exception leaks through to the end user (because of missing catch; program error) you might give away more info which might not be desired. For example you might give away a local path on a webserver. Again, might not be the best example but sometimes I'm a bit paranoid ;) That being said, your suggestion would definitely help with detecting where the error lies :) |
Same issue, KeyNotFoundException. *Hibernating Rhinos Ltd * Oren Eini* l CEO l *Mobile: + 972-52-548-6969 Office: +972-4-622-7811 *l *Fax: +972-153-4-622-7811 On Thu, Jul 30, 2015 at 10:03 AM, Bruno Juchli notifications@github.com
|
Shouldn't the developer be able to infer the problem from the stacktrace ? I mean the last thing you want is bubbling up very explicit details to the user interface/user. |
It is often not possible to do that from the stack trace. *Hibernating Rhinos Ltd * Oren Eini* l CEO l *Mobile: + 972-52-548-6969 Office: +972-4-622-7811 *l *Fax: +972-153-4-622-7811 On Thu, Jul 30, 2015 at 1:07 PM, Marius Gheorghe notifications@github.com
|
And I think that the security concerns are not relevant. If this worries *Hibernating Rhinos Ltd * Oren Eini* l CEO l *Mobile: + 972-52-548-6969 Office: +972-4-622-7811 *l *Fax: +972-153-4-622-7811 On Thu, Jul 30, 2015 at 1:12 PM, Oren Eini (Ayende Rahien) <
|
I think the feature desired is actually core dump support for CoreCLR. With it you can get back the core dump from your remote/production system and load it into your debugger and see the exact state of things when it crashed. |
That would be cool, sure, but it isn't valid. *Hibernating Rhinos Ltd * Oren Eini* l CEO l *Mobile: + 972-52-548-6969 Office: +972-4-622-7811 *l *Fax: +972-153-4-622-7811 On Thu, Jul 30, 2015 at 2:00 PM, OtherCrashOverride <
|
I am saying there should be an option for the unhandled exception handler to generate a core dump and support in the debugging tools to use it. At unhandled exception time, the problem state should still be on the stack. [Edit] |
@ayende I fixed a similar thing a while back: dotnet/corefx#185. The security point came up there as well, but the conclusion was it doesn't apply to .NET Core. |
@akoeplinger My personal take: I think that in case leaking information is a security concern one should not leak the exception or stack trace at all. So this is a higher-level problem and concern than the design of exception / exception messages. Adding this kind of security through obscurity to such a low layer in a fixed manner robs us of any chance of re-configuring it to function more "debug friendly". Also, while core-dumps are a great thing (especially because they're kind of an universal solution), they also require more tools/work. Especially for novice programmers this means an unnecessary high threshold. Also for expert programmers this is often problematic (debugging remote machines w/o internet access, not having the necessary debugging tools with you,...). to conclude, i think that @OtherCrashOverride 's suggestion should be a separate issue / feature request ;-) |
I think so too. In fact, I wanted to open it as one because I think the functionality would be really beneficial for many CoreCLR scenarios. |
ok so i'll leave this open for a while to see if there's some more feedback. As dotnet/coreclr#185 shows similar PRs have been accepted. Can we also discuss some guidelines for exception messages? Any ideas?
How about this: |
I would suggest creating a feature tag for the new enhanced message. The changes can then be #ifdef FEATURE_XYZ wrapped so that the old behavior can be preserved for those with concerns. |
That would mean quite a lot of upfront extra and some future work. |
Out of curiosity, why do you say that NREs are not easy to fix? I generally think of them as the easiest error to fix, because once you reproduce it under the debugger, about 95% of the time it's immediately obvious what's going wrong just by looking at the code and the locals. |
Assume that you can't reproduce this in the debugger. foo.Bar.Baz.ToString().ToLower() Any of which might be null. That can cause it to be pretty hard to use. *Hibernating Rhinos Ltd * Oren Eini* l CEO l *Mobile: + 972-52-548-6969 Office: +972-4-622-7811 *l *Fax: +972-153-4-622-7811 On Fri, Jul 31, 2015 at 5:43 PM, masonwheeler notifications@github.com
|
It should not really be that much extra effort:
|
I'd be against doing this as it'd require anyone interested in using the "old" verison to recompile coreclr themselves. Even putting these behind an AppContext-esque feature switch would result in a lot of code bloat and duplicate effort for the Core developers. For a subtle example of this, your code would actually be more like: #ifdef FEATURE_ENHANCED_EXCEPTION_MESSAGES
// New code written here
throw new ArgumentException(String.Format(Strings.DuplicateKeyEx, key));
#else
// This code already exists
throw new ArgumentException(Strings.DuplicateKey);
#endif |
@ayende: If for some reason it wouldn't reproduce under the debugger--which usually implies the sort of memory corruption that managed code is theoretically supposed to make impossible, but anyway--it would still be trivial to fix if I could get a reproducible bug report and stack trace with a line number. I'd rewrite that one statement with 4 operations as 4 statements with 1 operation, and before each line, I'd add code to print/log the full name of the class of the variable I'm about to perform an operation on. Then rebuild, reproduce the bug, and check the line number and the output, and I know exactly where to look. |
@masonwheeler actually i was trying to say that it's hard to make a good NRE which states the exact problem. Not fixing the problem which caused the NRE. |
Ah, I see. That makes more sense. |
@OtherCrashOverride @RichiCoder1
So all in all I'd say we'd be talking about dozens if not hundreds of additional hours. I'd rather invest them in something more useful. |
There are many that do not want information leaked in exceptions. I don't accept the "its not a security risk" argument at all. How long until a key called "; DROP TABLES *;" ends up in an exception that gets written to your SQL log? |
If you do that. It is your own fault. There is a limit to how much you can
|
@OtherCrashOverride If it's more an argument that a secret (password, private key...) might be written to a log file, i'd agree that this is a security concern/risk. Incidentally i don't think that i ever denied that - i just think it's not that relevant here. Such concerns are about tradeoff as well. People still drive cars even though they have potential to kill (accidentially or on purpose) - even though both happens a lot of times every year. |
Its not uncommon for someone to write an exception to log that happens to be contained in a database rather than a file. string sql = "INSERT INTO [blah blah blah]' " + exception.Message + "';".
Yes, but they don't drive cars on sidewalks which is why I feel this should be #Ifdef as a feature. So the 'sidewalks' are still safe for us pedestrians. An you can operate your exception enhanced cars in the street and we can all live to see tomorrow. Exceptions are not a replacement for a debugger. Not everyone is using DNX or ASP.Net. Its far to easy to get lost in the mindset that CoreCLR = ASP.Net. For the rest of us, its enough to know that a key was not found. Does it matter what that key is? Not at all. All that matters is that its not found. This point of this conversation was to be informative. It should not dissuade anyone from creating the enhanced exception messages. I will ask that if they are not #ifdef marked, then at least the commit messages should be keyworded to make it easier to search for so that i can remove them from my own build. |
@OtherCrashOverride If you're writing anything into SQL that way, instead of using Parameters like you know you should, whatever ends up happening to your database is your own fault. Willful stupidity is not a security hole. |
That was just one example. In the case where the exception output is displayed as part of a web page, it opens up the possibility for cross-site scripting (XSS) exploits. This does not happen with a static set of exception messages that are trusted. |
@OtherCrashOverride By the way I'm not a web developer. The last time I've developed some web stuff was with classic asp / vbscript. I mostly develop desktop apps or client/server apps. And tooling for the development. And i care greatly for better exception messages because it would make my work much more enjoyable (and somewhat more efficient, too). ok regarding the security stuff. I think we're turning in circles. My personal conclusion is that dotnet/coreclr#185 has discussed this already and there have not been brought new arguments to the table (yet). As such i will take dotnet/coreclr#185 as an indicator which means its not necessary to have a conditional compilation symbol. Having said that i would like to have some discussion / statements regarding what i wrote here. |
This issue hasn't progressed in four years. And lots of exception message-related changes have been made in the interim. @danmosemsft, is there anything left to do here? |
Yes, I'm passionate about this and we made key improvements here including (1) including the key in key not found exceptions (2) including the path in many IO related exceptions. I know myself and others have improved some other messages to include more data as well. This is all on by default in 3.1 or earlier. I don't see anything else actionable here -- if there is, please open distinct issues. We hear you and we do care a lot about the actionability of exception messages. Specific feedback will help motivate future improvements. |
There's several places in the .net framework where exception messages can be vastly improved by providing more or the correct information. Vastly improved? Yes. It's that cases where we need to fire up a debugger to find out what exactly has gone wrong. Now imagine the exception doesn't occur in your code but a 3rd party library. Or even worse, it occurs when you execute some executable you aren't even developing. It requires more and more work to acquire the necessary source, build tools etc. to actually create a debug build and then debug it.
The good news is, that the need for doing so could often be eliminated by providing a better exception message.
Let me pick an example
System.Security.Util.StringExpressionSet.CanonicalizePath()
NotSupportedException
with generic messageThe given path's format is not supported.
. The actual trigger for the exception is a path containing a colon (:
) at any index > 1 (soC:
is ok,::
is okay, butC:
is not ok).Now let's pick a tool everyone knows. Nuget.exe.
When you run
nuget.exe pack foo.nuspec
and the nuspec file contains an invalid path - what will happen?The console will show
Let's configure nuget to be more verbose by adding
-Verbosity detailed
. The console will now show:(yes i've removed part of the stack trace ;-) ).
This is still not very helpful. Of course, at this point i don't know whether the actual issue was caused by me writing an invalid .nuspec or by a bug in nuget. If the exception message would state the offending path i could check if it's one that i wrote like this in my *.nuspec. In most cases it'll just be that the user made a simple mistake. In all of these cases, an improved exception message would improve the user experience, as it makes it easier to find the actual mistake (there could be a lot of paths in the nuspec file).
Now that i made my case, i have a few questions for the community:
How should exception messages be improved?
Alternatives (combinations thereof are valid, too)
exception.GetType() == typeof(NotSupportedException
(granted, checks as these should not occur too often as usually there exist better alternatives)Which exception messages should be improved?
I'd suggest one should start with the ones which are easy to improve. Example for an exception which isn't easy to improve:
NullReferenceException
- see #3858What work is involved?
Will Pull-Requests be accepted?
As this kind of issue is not on the priority list, the question is, will any work put into this bear fruits?
The text was updated successfully, but these errors were encountered: