Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[FINAL] feat: Best-effort responses #268

Open
wants to merge 41 commits into
base: master
Choose a base branch
from
Open
Changes from 14 commits
Commits
Show all changes
41 commits
Select commit Hold shift + click to select a range
138ccc5
Introduce timeouts for function call
oggy-dfin Jan 29, 2024
5d7edb2
Clarify that only 1 response is delivered + fix wording around multip…
oggy-dfin Jan 29, 2024
d64a3f6
Weaken the timeout guarantees
oggy-dfin Jan 29, 2024
524929a
Fix the error code
oggy-dfin Jan 29, 2024
128c8eb
Fix typo
oggy-dfin Jan 29, 2024
78b1b0e
Reword the early timeout condition
oggy-dfin Jan 30, 2024
ff8d96c
Rename the API call, change the error codes, and allow the callee to …
oggy-dfin Jan 31, 2024
132de81
Fix typos
oggy-dfin Jan 31, 2024
e8d3e64
Apply suggestions from code review
oggy-dfin Jan 31, 2024
bf2132b
Apply suggestions from code review
oggy-dfin Feb 2, 2024
d8a82df
Clarify rejection time some more
oggy-dfin Feb 2, 2024
e7b29a8
Clarify the reject code.
oggy-dfin Feb 2, 2024
395ac97
Fix the description of call_with_best_effort_response
oggy-dfin Feb 2, 2024
046eda8
Try and improve the wording some more
oggy-dfin Feb 5, 2024
ae2a7d9
More word shuffling
oggy-dfin Feb 9, 2024
ed422ff
A first attempt at an abstract spec of deadlines
oggy-dfin Feb 9, 2024
26f0947
A few fixes for deadlines
oggy-dfin Feb 12, 2024
d424166
Remove the TODO/DONE markers for deadlines
oggy-dfin Feb 12, 2024
7531920
Retain the message ordering in the spontaneous reject transition
oggy-dfin Feb 12, 2024
4ac97b8
Also allow dropping expired requests
oggy-dfin Feb 12, 2024
feed505
Move the deadline field to FromCanister origin
oggy-dfin Mar 14, 2024
dde3ccb
Bind the reject_msg var in the text of the message expiry transition
oggy-dfin Mar 14, 2024
5ce4c7b
Accept best-effort-response related system API calls in more contexts
oggy-dfin Mar 14, 2024
d9d6a46
Describe effects of new System API calls more formally
oggy-dfin Mar 14, 2024
b83f5b3
A couple of small fixes
oggy-dfin Mar 14, 2024
03c75c0
Fix call context timeout condition
oggy-dfin Mar 26, 2024
6b895de
Update spec/index.md
oggy-dfin Mar 26, 2024
00c5d64
Update spec/index.md
oggy-dfin Mar 26, 2024
cf649cd
Update spec/index.md
oggy-dfin Mar 26, 2024
7340b95
Update spec/index.md
oggy-dfin Mar 26, 2024
4068ae3
Apply suggestions from code review
oggy-dfin Apr 2, 2024
fb131ac
Keep the timestamp when expiring messages
oggy-dfin Apr 2, 2024
dad83e4
Rename reject_msg to <implementation-specific>
oggy-dfin Apr 2, 2024
e6c21ae
Weaken the invariants for expired origins
oggy-dfin Apr 3, 2024
702281e
Remove spontaneous request rejection from the PR
oggy-dfin Apr 3, 2024
48e5876
Update spec/index.md
oggy-dfin Oct 3, 2024
53f30df
Update spec/index.md
oggy-dfin Oct 3, 2024
68fe8ef
Fix the update_methods et al and add a note on deadlines in queries
oggy-dfin Oct 7, 2024
cea138b
Update spec/index.md
oggy-dfin Oct 8, 2024
1a61d1d
Fix the types
oggy-dfin Oct 8, 2024
4005aa8
Merge branch 'master' into response_timeouts
oggy-dfin Oct 8, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 24 additions & 0 deletions spec/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -127,6 +127,10 @@ This specification may refer to certain constants and limits without specifying

Maximum wall clock time spent on evaluation of a query call.

- `MAX_CALL_TIMEOUT`

The maximum timeout (in seconds) for an inter-canister call.
dsarlis marked this conversation as resolved.
Show resolved Hide resolved

### Principals {#principal}

Principals are generic identifiers for canisters, users and possibly other concepts in the future. As far as most uses of the IC are concerned they are *opaque* binary blobs with a length between 0 and 29 bytes, and there is intentionally no mechanism to tell canister ids and user ids apart.
Expand Down Expand Up @@ -1008,6 +1012,8 @@ Rejection codes are member of the following enumeration:

- `CANISTER_ERROR` (5): Canister error (e.g., trap, no response)

- `SYS_UNKNOWN` (6): Response unknown; system stopped waiting for it (e.g., timed out, or system under high load).

The symbolic names of this enumeration are used throughout this specification, but on all interfaces (HTTPS API, System API), they are represented as positive numbers as given in the list above.

The error message is guaranteed to be a string, i.e. not arbitrary binary data.
Expand Down Expand Up @@ -1284,6 +1290,7 @@ The following sections describe various System API functions, also referred to a
ic0.msg_reject_code : () -> i32; // Ry Rt CRy CRt
ic0.msg_reject_msg_size : () -> i32; // Rt CRt
ic0.msg_reject_msg_copy : (dst : i32, offset : i32, size : i32) -> (); // Rt CRt
ic0.msg_deadline : () -> i64; // U Ry Rt
oggy-dfin marked this conversation as resolved.
Show resolved Hide resolved

ic0.msg_reply_data_append : (src : i32, size : i32) -> (); // U Q CQ Ry Rt CRy CRt
ic0.msg_reply : () -> (); // U Q CQ Ry Rt CRy CRt
Expand Down Expand Up @@ -1322,6 +1329,7 @@ The following sections describe various System API functions, also referred to a
) -> ();
ic0.call_on_cleanup : (fun : i32, env : i32) -> (); // U CQ Ry Rt CRy CRt T
ic0.call_data_append : (src : i32, size : i32) -> (); // U CQ Ry Rt CRy CRt T
ic0.call_with_best_effort_response : (timeout_seconds : i32) -> (); // U Ry Rt T
mraszyk marked this conversation as resolved.
Show resolved Hide resolved
ic0.call_cycles_add : (amount : i64) -> (); // U Ry Rt T
ic0.call_cycles_add128 : (amount_high : i64, amount_low: i64) -> (); // U Ry Rt T
ic0.call_perform : () -> ( err_code : i32 ); // U CQ Ry Rt CRy CRt T
Expand Down Expand Up @@ -1424,6 +1432,12 @@ The canister can access an argument. For `canister_init`, `canister_post_upgrade

The reject message. Traps if there is no reject message (i.e. if `reject_code` is `0`).

- `ic0.msg_deadline : () -> i64`

The deadline, in nanoseconds since 1970-01-01, after which the caller will stop waiting for a response.
oggy-dfin marked this conversation as resolved.
Show resolved Hide resolved

For calls with best-effort responses, the deadline is computed based on the time the call was made, and the `timeout_seconds` parameter provided by the caller. For other calls, a deadline of 0 will be returned.
Dfinity-Bjoern marked this conversation as resolved.
Show resolved Hide resolved

### Responding {#responding}

Eventually, the canister will want to respond to the original call, either by replying (indicating success) or rejecting (signalling an error):
Expand Down Expand Up @@ -1550,6 +1564,16 @@ If this traps (e.g. runs out of cycles), the state changes from the `cleanup` fu

There must be at most one call to `ic0.call_on_cleanup` between `ic0.call_new` and `ic0.call_perform`.

- `ic0.call_with_best_effort_response : (timeout_seconds : i32) -> ()`

Relaxes the response delivery guarantee to be best effort, asking the system to respond at the latest after `timeout_seconds` have elapsed. The system can then also respond with a `SYS_UNKNOWN` reject code. This reject code signifies that the call **may or may not** have been processed by the callee; even if the callee produces a response, it will not be delivered to the caller.
mraszyk marked this conversation as resolved.
Show resolved Hide resolved

The `timeout_seconds` is silently bounded from above by the `MAX_CALL_TIMEOUT` system constant; i.e., larger timeouts are treated as equivalent to `MAX_CALL_TIMEOUT` and do not cause an error. The reject callback may be executed (possibly significantly) later than the specified time, e.g., if the canister is under high load. The reject callback can also executed before timeout expiration, and possibly with a `SYS_UNKNOWN` code if the system is under load.
mraszyk marked this conversation as resolved.
Show resolved Hide resolved

A caller that receives a `SYS_UNKNOWN` node, yet needs to learn the call outcome, must find an out-of-band way of doing so. For example, if the callee provides idempotent function calls, the caller can simply retry the call. Sample causes of `SYS_UNKNOWN` include the call not being delivered in time, call processing not completing in time, reply delivery taking too long, and the system shedding load.
oggy-dfin marked this conversation as resolved.
Show resolved Hide resolved

This method can be called only in between `ic0.call_new` and `ic0.call_perform`, and at most once at that. Otherwise, it traps. A different timeout can be specified for each call.

- `ic0.call_data_append : (src : i32, size : i32) -> ()`

Appends the specified bytes to the argument of the call. Initially, the argument is empty. Traps if the total appended data exceeds the [maximum inter-canister call payload](https://internetcomputer.org/docs/current/developer-docs/backend/resource-limits#resource-constraints-and-limits).
Expand Down
Loading