EEP 56 Update
Michael Truog
mjtruog@REDACTED
Wed Mar 10 03:17:28 CET 2021
On 3/9/21 2:48 AM, Maria Scott wrote:
> A specific point on which I would like more feedback is how a combination of "auto_shutdown => never" and child specs with "significant => true" (be it in the return from init/1 or given to start_child/2) settings.
> In actual meaning, the two options don't contradict each other, ie you may mark a child as significant, the supervisor just doesn't care in respect to auto-shutdown.
> It may be that this is rarely what is wanted in practice, but it also has no indisputable negative effects.
> So we think it should be accepted (ie, a "auto_shutdown => never" supervisor should not refuse to start a child marked as significant), but it might be good to log a warning in such a case. What do you think?
>
> A similar question concerns the combination of "restart => permanent" and "significant => true" in a child spec. A permanent child will always be restarted, it doesn't matter if it is marked as significant or not.
> Similar to what was said above, in meaning the two options don't contradict each other, but in practice you might care.
Hi Maria,
The supervisor behaviour is very central in Erlang/OTP and all other
behaviours build upon it with the usage of their separate modules. My
view is that the supervisor needs validation to ensure its process state
space is as minimal as possible. Ensuring its state is minimal makes it
easier to diagnose, test, trust and utilize.
I find it hard to argue for not having validation of arguments that are
invalid. You could say "We can't possibly consider every dumb thing a
developer may do, so let's keep our code as minimal as possible so
everything looks neat and simple in an effort to avoid bugs.". However,
if you choose to not block invalid options, it adds complexity that
makes the Erlang process more difficult to understand (i.e., more
difficult to understand "Why is this option here? What was this
developer thinking?").
So, I would urge you to check for "significant == true" when either
"auto_shutdown == never" or "restart == permanent", to block invalid use
and ensure the supervisor process doesn't contain invalid state (even if
the state doesn't cause functionality problems now, it can always become
a bug in the future).
A separate example of how the supervisor would benefit from more
validation is when shutdown > 1000 * (MaxT / MaxR) (i.e., if shutdown
and MaxR are both a pos_integer()). That situation could be called the
"immortal child" because the shutdown value can allow the child process
to infinitely restart if it always takes longer than 1000 * (MaxT /
MaxR) milliseconds to terminate. That situation contains a bit of
ambiguity because the time the child takes to terminate can vary
randomly, so it may be a transient problem. However, it is able to make
the supervisor ineffective for the child process.
The "immortal child" bug may not have been fixed to avoid breaking
legacy source code, I am not sure (hopefully legacy code doesn't exist
with that bug). The "significant == true" checks described above are
focused on keeping the supervisor process state minimal and relevant,
even though the option could be silently ignored if validation wasn't
present. Having the validation present is beneficial both for the
development of the supervisor module and developing with it because it
ensures the design lacks ambiguity and edge-cases (both can lead to
bugs, either in the supervisor module or in the usage of the supervisor
module).
Best Regards,
Michael
More information about the eeps
mailing list