Cosmos-sdk: Error Codespacing

Goal

We want some logical code unit (modules/keepers/handlers or something) to not have to worry about de-duping codes at an ecosystem-scale. (though project-scale would be fine e.g. if it were done in a central place like app.go... but given the number of errors this is not ideal, so we need something more course in granularity.)

Premises

• Even if we were to register a human readable "name" for namespacing errors, there can still be conflicts, unless we tie the error code to the implementation itself (e.g. "github.com/tendermint/..."), which sounds like a bad idea for everyone. So, if we're going to solve this problem, we might as well solve it "correctly", by explicit registration/reservation of some "codespace" in app.go.
• There will be many codespaces, and for each codespace, we want to support many codes. 16 bits for each gives us 64,000 codespaces and 64,000 codes for each codespace. While 64,000 codes for a codespace might seem excessive, it may come in handy if the module wants to dynamically generate codes to a small degree.
• We don't necessarily want to require namespacing by module or otherwise make it too implementation specific, as error codes are primarily about user concerns, and should be implementation agnostic (e.g. ideally others should be able to implement the Cosmos SDK using alternative codebases/libraries/architecture).
• The global func Err*(...) sdk.Error constructors in */errors.go are really nice, but we want to preserve least-authority model. This means we have to pass in the codespace into the sdk.Error constructor somehow, or at least set it later after construction. (I recommend the former approach here).
• We don't want to use tags, as that's conflating two things... the error identity (which must be short for Tendermint generality, and thus is a fixed numerical type) and further details about the error. More specifically, the codespace+code SHOULD uniquely identify an internationalized message, or a message formatter in the client. If the message includes a formatter (e.g. "{{name}}"), the client SHOULD be able to format it using the tag system.
• We now have a canonical version of the Tracing error implemented in tmlibs/common (see ErrorWrap and NewError..., it was derived from cosmos-sdk's Error). We should use that somehow.
• Each module/keeper/handler MUST be able to import/use codespace/codes from other modules/keepers/handlers. For example, a gov transaction must be able to return a "invalid input" error with the same codespace as the coinKeeper, if it's going to have a reference to the coinKeeper, and gets an error from the coinKeeper's methods. (Least-authority kinda bleeds here, but we can fix this in the future by making the codespace a key as well, but lets not do this yet).

Observations

Further, some observations from the way we're using the SDK for staking/bank/ibc:

• There are 2 broad places where an sdk.Error gets returned... from ValidateBasic(), and from Keeper/Mapper functions.
• x/stake/handler.go has methods that return sdk.Error outside the context of a Keeper, but there's still a "primary" stake keeper.
• x/ibc/mapper.go has IBCMapper.PostIBCPacket(ctx,packet) sdk.Error and IBCMapper.ReceiveIBCPacket(ctx,packet) sdk.Error, but the mapper itself doesn't make use of the sdk.Error system yet.
• x/auth/mapper.go doesn't return sdk.Error at all, it just returns errors.

Proposal

Given these premises and observations, I suggest we adopt the following:

• By convention lets say that a Mapper doesn't return an sdk.Error. Mappers by convention will return normal "error" errors. Mapper methods can take other mappers as arguments, but not other Keepers. Keeper methods can take both as arguments. This makes the Mapper more of a "lower-level" abstraction, whereas Keepers are "high-level", or "closer" to the ABCI result where the code ultimately matters.
• Rename IBCMapper to IBCKeeper.
• sdk.Error.ABCICode() should be an ABCICodeType (new) which is uint32.
• sdk.Error.Code() should be a CodeType which is uint16 (currently uint32).
• sdk.Error.Codespace() should be CodespaceType (new) which is uint16.
• sdk.Error.ABCICode() is (Codespace << 16) | Code
• sdk.Router.AddRoute should take a Codespace as an argument, which applies both in BaseApp.runTx which uses the router to set the err Codespace upon ValidateBasic failure. The context should also be initialized with the codespace, e.g. app.checkState.ctx.WithTxBytes(txBytes).WithCodespace(codeSpace).
• Each handler can thus use ctx.GetCodespace() uint16 if it wanted to, even without any Keepers as arguments.
• If the Keeper returns an sdk.Error, the handler should ideally just return it, as the Keeper is also responsible for setting the namespace for convenience, and to override it is confusing.
• In app.go, we should reserve/register codespaces for each keeper, by using some object called a Codespacer.

Codespacer in app.go

// in app.go, after keepers are created:
spacer := app.GetCodespacer()
coinKeeper.ReserveCoinspace(spacer)             // default is 100, panics if 100 is already reserved.
stakeKeeper.ReserveCodespace(spacer)            // default is 200
govKeeper.ReserveCodespace(spacer)              // default is 300
govExtensionKeeper.ReserveCodespace(spacer)     // default is 310
ibcKeeper.ReserveCodespace(spacer)              // default is 400
someKeeper.ReserveCodespaceWith(spacer, 401)    // default is 400

// or may be more conveniently,
type CodespaceReserver interface {
  ReserveCodespace(Codespacer)
  ReserveCodespaceWith(Codespacer, Codespace)
}
spacer := app.GetCodespacer()
spacer.Register(coinKeeper, stakeKeeper, govKeeper, govExtensionKeeper, ibcKeeper,
  someKeeper, 401,
  otherKeeper, 402,
  ...)

these in turn call spacer.ReserveCodespace(codespace uint16) which panics and suggests the next largest codespace number available. It makes no sense to return an error, as it's programmer error, and we definitely don't want to encourage post-app-init dynamic codespacing.

In the example above, govExtensionKeeper is a separate keeper from govKeeper, but since it's in the same "concern/family" of governance, they're both in the 300~399 range. someKeeper's default codespace is 400 which conflicts with our own (perhaps it's an alternative IBC implementation.). So we need to override it with a custom codespace of 401. Declaring a codespace family to be 100 codespaces large means we can have 2^16/100 = 655 codespace families. Governance, staking, ibc, ... seems like 655 might be sufficient for 99% of use-cases. Within the 100 range, perhaps by convention the 10's are used for standard extensions, while the 1's are used for de-duping. (See 310 vs 401 above).

There's nothing forcing the SDK programmer to register these keepers, and nothing forcing Keepers to be CodespaceReservers. A good app.go just does so by convention. If the app doesn't do this, the worst case is that the error codespace is incorrect.

Error constructors

The Error constructors should look like the following:

func ErrInvalidInput(codespace uint16, msg string) sdk.Error {
    return newError(codespace, CodeInvalidInput, msg)
}
func ErrNoInputs(codespace uint16) sdk.Error {
    return newError(codespace, CodeInvalidInput, "")
}
...

Error implementation

type sdkError struct {
        codespace CodespaceType // uint16
    code      CodeType      // uint16
    err       cmn.Error
}

cmn.WrapError is cool in that it can prevent double-wrapping a cmn.Error, but (a) this wouldn't work well with sdk.Error wrapping a cmn.Error without some "system" that I can't think of off the top of my head if it's possible to do well at all, and (b) the SDK is creating a new ecosystem of libraries, so we can just enforce that Keepers pass on the sdk.Error rather than wrapping. Wrapping is necessary in the greater Go ecosystem because many interfaces require using the error return argument type. In SDK-land we can start using sdk.Error in the return argument type instead.

sdkError.err.Message() MUST return a human-readable message. It SHOULD be one internationalized/rendered message that can also be derived by the client from the codespace/code. If the error codespace/code is one that requires formatting, sdkError.err.Message() should contain the fully formatted message, and the sdk.Result should include tags (along with the uint32 ABCICodeType) such that the client can render the message itself. It's a "nondeterministic" field of ResponseDeliverTx, so ultimately it doesn't affect consensus. For now we should use this to render English response codes, and then move to client-side internationalization.

sdkError should expose tracing functionality on the unexposed cmn.Error field named err by calling err.TraceFrom. It should not expose T() or WithT(), as sdk.Error doesn't need to be "handled" by the SDK, but merely recorded on the chain. If some module/function happens to return a cmn.Error, since we can't override the cmn.Error's Message, the sdk.Error.err should wrap the cmn.Error as a "cause" of sdk.Error.err. See the comment about WithCauser here: https://github.com/tendermint/tmlibs/blob/develop/common/errors.go#L71 . This is an exception to the rule stated in that comment, so we'd want to use WithCauser to wrap any error when constructing sdk.Error.err.