184

What do you consider "best practice" when it comes to error handling errors in a consistent way in a C library.

There are two ways I've been thinking of:

Always return error code. A typical function would look like this:

MYAPI_ERROR getObjectSize(MYAPIHandle h, int* returnedSize);

The always provide an error pointer approach:

int getObjectSize(MYAPIHandle h, MYAPI_ERROR* returnedError);

When using the first approach it's possible to write code like this where the error handling check is directly placed on the function call:

int size;
if(getObjectSize(h, &size) != MYAPI_SUCCESS) {
  // Error handling
}

Which looks better than the error handling code here. 

MYAPIError error;
int size;
size = getObjectSize(h, &error);
if(error != MYAPI_SUCCESS) {
    // Error handling
}

However, I think using the return value for returning data makes the code more readable, It's obvious that something was written to the size variable in the second example.

Do you have any ideas on why I should prefer any of those approaches or perhaps mix them or use something else? I'm not a fan of global error states since it tends to make multi threaded use of the library way more painful.

EDIT: C++ specific ideas on this would also be interesting to hear about as long as they are not involving exceptions since it's not an option for me at the moment...

ubershmekel
  • 11,864
  • 10
  • 72
  • 89
Laserallan
  • 11,072
  • 10
  • 46
  • 67
  • 1
    I've only been learning C for about two weeks, but the feel I've gotten for it is that OUT parameters are the defacto return value for the majority of functions, as it it avoids the overhead of returning structs by-value and mitigates the need to deallocate memory as most variables are on the stack. So since I'm not using "return" for the actual value of the function, I'm free to use it for error handling most of the time. – Joel Roberts Sep 09 '18 at 23:40
  • I'd recommend to look at how Google handles errors in C++: https://abseil.io/docs/cpp/guides/status and implement something similar in C using Macros. – mercury0114 Apr 07 '23 at 15:56
  • Basically you have a struct: `struct DataAndError { int returned_data; int error; }` and then you get the value back making a regular call, and also check that the returned struct contains no error. – mercury0114 Apr 07 '23 at 16:16

23 Answers23

99

I've used both approaches, and they both worked fine for me. Whichever one I use, I always try to apply this principle:

If the only possible errors are programmer errors, don't return an error code, use asserts inside the function.

An assertion that validates the inputs clearly communicates what the function expects, while too much error checking can obscure the program logic. Deciding what to do for all the various error cases can really complicate the design. Why figure out how functionX should handle a null pointer if you can instead insist that the programmer never pass one?

AShelly
  • 34,686
  • 15
  • 91
  • 152
  • 1
    Got an example of asserts in C? (I'm very green to C) – thomthom Mar 28 '13 at 13:57
  • It's usually as simple as `assert(X)` where X is any valid C statement that you want to be true. see http://stackoverflow.com/q/1571340/10396. – AShelly Mar 28 '13 at 14:15
  • 24
    Ugh, **absolutely never use asserts in library code**! Also, [don’t mix various styles of error handling in one piece of code](http://blog.existentialize.com/the-story-of-the-gnutls-bug.html) like others did… – mirabilos Mar 05 '14 at 14:47
  • 11
    I certainly agree about not mixing styles. I'm curious about your reasoning on asserts. If my function documentation says "argument X must not be NULL" or "Y must be a member of this enum", than what is wrong with `assert(X!=NULL);` or `assert(Y – AShelly Mar 05 '14 at 16:52
  • +1 Making a distinction between programming errors that must be fixed and runtime errors that can always happen and must be handled makes so much sense now that I started doing it because of you. – Asics May 13 '14 at 13:36
  • 12
    @AShelly The problem with asserts that they usually not there in release builds. – Calmarius May 10 '15 at 20:08
  • @AShelly `assert()` is used for errors that are not recoverable. What would happen if the system were some kind of hospital device that keeps people's heartbeat and some part of system shut down due to `assert()`? – Andy Lin Apr 08 '22 at 09:58
84

I like the error as return-value way. If you're designing the api and you want to make use of your library as painless as possible think about these additions:

  • store all possible error-states in one typedef'ed enum and use it in your lib. Don't just return ints or even worse, mix ints or different enumerations with return-codes.

  • provide a function that converts errors into something human readable. Can be simple. Just error-enum in, const char* out.

  • I know this idea makes multithreaded use a bit difficult, but it would be nice if application programmer can set an global error-callback. That way they will be able to put a breakpoint into the callback during bug-hunt sessions.

starball
  • 20,030
  • 7
  • 43
  • 238
Nils Pipenbrinck
  • 83,631
  • 31
  • 151
  • 221
  • 6
    Why do you say, "this idea makes multi-threaded use a bit difficult." Which part is made difficult by multi-threading? Can you give a quick example? – SayeedHussain Jun 18 '13 at 09:57
  • 3
    @crypticcoder Simply said: a global error callback can be invoked in whatever thread context. If you just print out the error you will not face any problems. If you try to correct problems you will have to find out which calling thread caused the error, and that makes things difficult. – Nils Pipenbrinck Jun 22 '13 at 19:30
  • 9
    What if you want to communicate more details of the error? E.g. you have a parser error and want to provide line number and column of the syntax error and a way to print it all nicely. – panzi Oct 20 '13 at 23:44
  • 1
    @panzi then you obviously need to return a struct (or use a out pointer if struct is really large) and have a function to format the struct as a string. – wingerse Sep 27 '18 at 22:50
  • I demonstrate your first 2 bullets in code here: https://stackoverflow.com/questions/385975/error-handling-in-c-code/59221452#59221452 – Gabriel Staples Dec 06 '19 at 23:15
  • How this approach copes with functions which naturally return integers as boolean values? For example checking existence of something and then use it in if statement like `if (exists(my_item)) { ... }`? – MaxC Nov 13 '20 at 11:32
40

There's a nice set of slides from CMU's CERT with recommendations for when to use each of the common C (and C++) error handling techniques. One of the best slides is this decision tree:

Error Handling Decision Tree

I would personally change two things about this flowcart.

First, I would clarify that sometimes objects should use return values to indicate errors. If a function only extracts data from an object but doesn't mutate the object, then the integrity of the object itself is not at risk and indicating errors using a return value is more appropriate.

Second, it's not always appropriate to use exceptions in C++. Exceptions are good because they can reduce the amount of source code devoted to error handling, they mostly don't affect function signatures, and they're very flexible in what data they can pass up the callstack. On the other hand, exceptions might not be the right choice for a few reasons:

  1. C++ exceptions have very particular semantics. If you don't want those semantics, then C++ exceptions are a bad choice. An exception must be dealt with immediately after being thrown and the design favors the case where an error will need to unwind the callstack a few levels.

  2. C++ functions that throw exceptions can't later be wrapped to not throw exceptions, at least not without paying the full cost of exceptions anyway. Functions that return error codes can be wrapped to throw C++ exceptions, making them more flexible. C++'s new gets this right by providing a non-throwing variant.

  3. C++ exceptions are relatively expensive but this downside is mostly overblown for programs making sensible use of exceptions. A program simply shouldn't throw exceptions on a codepath where performance is a concern. It doesn't really matter how fast your program can report an error and exit.

  4. Sometimes C++ exceptions are not available. Either they're literally not available in one's C++ implementation, or one's code guidelines ban them.

Since the original question was about a multithreaded context, I think the local error indicator technique (what's described in SirDarius's answer) was underappreciated in the original answers. It's threadsafe, doesn't force the error to be immediately dealt with by the caller, and can bundle arbitrary data describing the error. The downside is that it must be held by an object (or I suppose somehow associated externally) and is arguably easier to ignore than a return code.

Praxeolitic
  • 22,455
  • 16
  • 75
  • 126
  • 6
    You might note that Google's C++ coding standards still say [We do not use C++ exceptions.](https://google.github.io/styleguide/cppguide.html#Exceptions) – Jonathan Leffler Dec 20 '16 at 23:27
20

I use the first approach whenever I create a library. There are several advantages of using a typedef'ed enum as a return code.

  • If the function returns a more complicated output such as an array and its length you do not need to create arbitrary structures to return.

    rc = func(..., int **return_array, size_t *array_length);

  • It allows for simple, standardized error handling.

    if ((rc = func(...)) != API_SUCCESS) {
   /* Error Handling */
}

  • It allows for simple error handling in the library function.

    /* Check for valid arguments */
if (NULL == return_array || NULL == array_length)
    return API_INVALID_ARGS;

  • Using a typedef'ed enum also allows for the enum name to be visible in the debugger. This allows for easier debugging without the need to constantly consult a header file. Having a function to translate this enum into a string is helpful as well.

The most important issue regardless of approach used is to be consistent. This applies to function and argument naming, argument ordering and error handling.

nirvdrum
  • 2,319
  • 17
  • 26
Jeffrey Cohen
  • 331
  • 1
  • 3
13

Here's a simple program to demonstrate the first 2 bullets of Nils Pipenbrinck's answer here.

His first 2 bullets are:

  • store all possible error-states in one typedef'ed enum and use it in your lib. Don't just return ints or even worse, mix ints or different enumerations with return-codes.

  • provide a function that converts errors into something human readable. Can be simple. Just error-enum in, const char* out.

Assume you have written a module named mymodule. First, in mymodule.h, you define your enum-based error codes, and you write some error strings which correspond to these codes. Here I am using an array of C strings (char *), which only works well if your first enum-based error code has value 0, and you don't manipulate the numbers thereafter. If you do use error code numbers with gaps or other starting values, you'll simply have to change from using a mapped C-string array (as I do below) to using a function which uses a switch statement or if / else if statements to map from enum error codes to printable C strings (which I don't demonstrate). The choice is yours.

You can run all of this code yourself, here: https://onlinegdb.com/nrUNrhcIC.

mymodule.h

/// Get the number of elements in any C array
/// - Usage example: [my own answer]:
///   https://arduino.stackexchange.com/a/80289/7727
#define ARRAY_LEN(array) (sizeof(array) / sizeof((array)[0]))

/// @brief Error codes for library "mymodule"
typedef enum mymodule_error_e
{
    /// No error
    MYMODULE_ERROR_OK = 0,
    
    /// Invalid arguments (ex: NULL pointer where a valid pointer is required)
    MYMODULE_ERROR_INVARG,

    /// Out of memory (RAM)
    MYMODULE_ERROR_NOMEM,

    /// Make up your error codes as you see fit
    MYMODULE_ERROR_MYERROR, 

    // etc etc
    
    /// Total # of errors in this list (NOT AN ACTUAL ERROR CODE);
    /// NOTE: that for this to work, it assumes your first error code is value 0 and you let it naturally 
    /// increment from there, as is done above, without explicitly altering any error values above
    MYMODULE_ERROR_COUNT,
} mymodule_error_t;

// Array of strings to map enum error types to printable strings
// - see important NOTE above!
const char* const MYMODULE_ERROR_STRS[] = 
{
    "MYMODULE_ERROR_OK",
    "MYMODULE_ERROR_INVARG",
    "MYMODULE_ERROR_NOMEM",
    "MYMODULE_ERROR_MYERROR",
};
_Static_assert(ARRAY_LEN(MYMODULE_ERROR_STRS) == MYMODULE_ERROR_COUNT,
    "You must keep your `mymodule_error_t` enum and your "
    "`MYMODULE_ERROR_STRS` array in-sync!");

// To get a printable error string
const char* mymodule_error_str(mymodule_error_t err);

// Other functions in mymodule
mymodule_error_t mymodule_func1(void);
mymodule_error_t mymodule_func2(void);
mymodule_error_t mymodule_func3(void);

mymodule.c contains my mapping function to map from enum error codes to printable C strings:

mymodule.c

#include <stdio.h>

/// @brief      Function to get a printable string from an enum error type
/// @param[in]  err     a valid error code for this module
/// @return     A printable C string corresponding to the error code input above, or NULL if an invalid error code
///             was passed in
const char* mymodule_error_str(mymodule_error_t err)
{
    const char* err_str = NULL;

    // Ensure error codes are within the valid array index range
    if (err >= MYMODULE_ERROR_COUNT)
    {
        goto done;
    }

    err_str = MYMODULE_ERROR_STRS[err];

done:
    return err_str;
}

// Let's just make some empty dummy functions to return some errors; fill these in as appropriate for your 
// library module

mymodule_error_t mymodule_func1(void)
{
    return MYMODULE_ERROR_OK;
}

mymodule_error_t mymodule_func2(void)
{
    return MYMODULE_ERROR_INVARG;
}

mymodule_error_t mymodule_func3(void)
{
    return MYMODULE_ERROR_MYERROR;
}

main.c contains a test program to demonstrate calling some functions and printing some error codes from them:

main.c

#include <stdio.h>

int main()
{
    printf("Demonstration of enum-based error codes in C (or C++)\n");

    printf("err code from mymodule_func1() = %s\n", mymodule_error_str(mymodule_func1()));
    printf("err code from mymodule_func2() = %s\n", mymodule_error_str(mymodule_func2()));
    printf("err code from mymodule_func3() = %s\n", mymodule_error_str(mymodule_func3()));

    return 0;
}

Output:

Demonstration of enum-based error codes in C (or C++)  
err code from mymodule_func1() = MYMODULE_ERROR_OK  
err code from mymodule_func2() = MYMODULE_ERROR_INVARG  
err code from mymodule_func3() = MYMODULE_ERROR_MYERROR

References

  1. My answer I frequently reference to see this type of error handling: STM32 how to get last reset status

See also

  1. The references in the bottom of my answer here for more on goto usage in error handling: Opaque C structs: various ways to declare them
Gabriel Staples
  • 36,492
  • 15
  • 194
  • 265
11

Returning error code is the usual approach for error handling in C.

But recently we experimented with the outgoing error pointer approach as well.

It has some advantages over the return value approach:

  • You can use the return value for more meaningful purposes.

  • Having to write out that error parameter reminds you to handle the error or propagate it. (You never forget checking the return value of fclose, don't you?)

  • If you use an error pointer, you can pass it down as you call functions. If any of the functions set it, the value won't get lost.

  • By setting a data breakpoint on the error variable, you can catch where does the error occurred first. By setting a conditional breakpoint you can catch specific errors too.

  • It makes it easier to automatize the check whether you handle all errors. The code convention may force you to call your error pointer as err and it must be the last argument. So the script can match the string err); then check if it's followed by if (*err. Actually in practice we made a macro called CER (check err return) and CEG (check err goto). So you don't need to type it out always when we just want to return on error, and can reduce the visual clutter.

Not all functions in our code has this outgoing parameter though. This outgoing parameter thing are used for cases where you would normally throw an exception.

Calmarius
  • 18,570
  • 18
  • 110
  • 157
  • +1, and I would add to `If you use an error pointer, you can pass it down as you call functions`: if you want to use an error/status object you do not need to re-allocate the error object at every function call, which can have a positive impact on the performance and can also make the usage simpler for the caller: no need to call a deleter after each function call. – Gabriel Devillers Sep 08 '21 at 10:12
  • Your approach sounds interesting. Do you have a sample where I can learn more about the usage? Thanks – Yasser Asmi Sep 24 '21 at 18:35
7

I personally prefer the former approach (returning an error indicator).

Where necessary the return result should just indicate that an error occurred, with another function being used to find out the exact error.

In your getSize() example I'd consider that sizes must always be zero or positive, so returning a negative result can indicate an error, much like UNIX system calls do.

I can't think of any library that I've used that goes for the latter approach with an error object passed in as a pointer. stdio, etc all go with a return value.

Alnitak
  • 334,560
  • 70
  • 407
  • 495
  • 1
    For the record, one library I've seen use the latter approach is the Maya programming API. It's a c++ library rather than C though. It's quite inconsistent in how it handles its errors and sometimes the error is passed as return value and other times it passes the result as a reference. – Laserallan Dec 22 '08 at 13:35
  • 1
    don't forget strtod, ok, the last argument is not only for indicating errors, but it does it, too. – quinmars Dec 22 '08 at 15:01
7

The UNIX approach is most similar to your second suggestion. Return either the result or a single "it went wrong" value. For instance, open will return the file descriptor on success or -1 on failure. On failure it also sets errno, an external global integer to indicate which failure occurred.

For what it's worth, Cocoa has also been adopting a similar approach. A number of methods return BOOL, and take an NSError ** parameter, so that on failure they set the error and return NO. Then the error handling looks like:

NSError *error = nil;
if ([myThing doThingError: &error] == NO)
{
  // error handling
}

which is somewhere between your two options :-).

7

Use setjmp.

http://en.wikipedia.org/wiki/Setjmp.h

http://aszt.inf.elte.hu/~gsd/halado_cpp/ch02s03.html

http://www.di.unipi.it/~nids/docs/longjump_try_trow_catch.html

#include <setjmp.h>
#include <stdio.h>

jmp_buf x;

void f()
{
    longjmp(x,5); // throw 5;
}

int main()
{
    // output of this program is 5.

    int i = 0;

    if ( (i = setjmp(x)) == 0 )// try{
    {
        f();
    } // } --> end of try{
    else // catch(i){
    {
        switch( i )
        {
        case  1:
        case  2:
        default: fprintf( stdout, "error code = %d\n", i); break;
        }
    } // } --> end of catch(i){
    return 0;
}

#include <stdio.h>
#include <setjmp.h>

#define TRY do{ jmp_buf ex_buf__; if( !setjmp(ex_buf__) ){
#define CATCH } else {
#define ETRY } }while(0)
#define THROW longjmp(ex_buf__, 1)

int
main(int argc, char** argv)
{
   TRY
   {
      printf("In Try Statement\n");
      THROW;
      printf("I do not appear\n");
   }
   CATCH
   {
      printf("Got Exception!\n");
   }
   ETRY;

   return 0;
}
Amir Saniyan
  • 13,014
  • 20
  • 92
  • 137
  • 2
    The second block of code is based on an earlier version of the code at [Francesco Nidito's page](http://www.di.unipi.it/~nids/docs/longjump_try_trow_catch.html) referenced at the top of the answer. The `ETRY` code has been revised since this answer was written. – Jonathan Leffler Jan 20 '17 at 22:11
  • 2
    Setjmp is a horrible error handling strategy. It's expensive, error prone (w/ nonvolatile changed locals not retaining their changed values and all) and leaks resources if you allocate any in between the setjmp and longjmp calls. You should be able to do like 30 returns and int-val checks before you recoup the cost of sigjmp/longjmp. Most callstacks don't go that deep especially if you don't go heavy on recursion (and if you do, you have perf problems other than the cost of returns+checks). – Petr Skocik Jun 23 '19 at 18:46
  • 1
    If you malloc'ed memory and then throw, the memory will just leak forever. Also `setjmp` is expensive, even if no error is ever thrown it will consume quite a bit of CPU time and stack space. When using gcc for Windows, you can choose between different exception handling methods for C++, one of them bases on `setjmp` and it makes your code up to 30% slower in practice. – Mecki May 14 '20 at 15:14
  • This answer does not explain any of the advantages or disadvantages to this approach. – qwr Dec 01 '21 at 20:27
7

When I write programs, during initialization, I usually spin off a thread for error handling, and initialize a special structure for errors, including a lock. Then, when I detect an error, through return values, I enter in the info from the exception into the structure and send a SIGIO to the exception handling thread, then see if I can't continue execution. If I can't, I send a SIGURG to the exception thread, which stops the program gracefully.

Henry
  • 121
  • 1
  • 2
  • 5
6

I have done a lot of C programming in the past. And I really apreciated the error code return value. But is has several possible pitfalls:

  • Duplicate error numbers, this can be solved with a global errors.h file.
  • Forgetting to check the error code, this should be solved with a cluebat and long debugging hours. But in the end you will learn (or you will know that someone else will do the debugging).
Toon Krijthe
  • 52,876
  • 38
  • 145
  • 202
  • 2
    second problem can be solved by proper compiler warning level, proper code review mechanism and by static code analyzer tools. – Ilya Dec 22 '08 at 11:15
  • 1
    You can also work on the principle: if the API function is called and the return value is not checked, there is a bug. – Jonathan Leffler Dec 22 '08 at 16:19
6

I ran into this Q&A a number of times, and wanted to contribute a more comprehensive answer. I think the best way to think about this is how to return errors to the caller, and what you return.

How

There are 3 ways to return information from a function:

  1. Return Value
  2. Out Argument(s)
  3. Out of Band, that includes non-local goto (setjmp/longjmp), file or global scoped variables, file system etc.

Return Value

You can only return a single value (object); however, it can be an arbitrarily complex value. Here is an example of an error returning function:

  enum error hold_my_beer(void);

One benefit of return values is that it allows chaining of calls for less intrusive error handling:

  !hold_my_beer() &&
  !hold_my_cigarette() &&
  !hold_my_pants() ||
  abort();

This not just about readability, but may also allow processing an array of such function pointers in a uniform way.

Out Argument(s)

You can return more via more than one object via arguments, but best practice does suggest to keep the total number of arguments low (say, <=4):

void look_ma(enum error *e, char *what_broke);

enum error e;
look_ma(e);
if(e == FURNITURE) {
  reorder(what_broke);
} else if(e == SELF) {
  tell_doctor(what_broke);
}

This forces caller to pass in object which may make it more likely that it's being checked. If you have a set of calls all returning errors, and you decide to allocate a new variable to each, then it add some clutter in the caller.

Out of Band

The best known example is probably the (thread-local) errno variable, which the called function sets. It's very easy for the callee to not check this variable, and you only get one which may be an issue if your function is complicated (for instance, two parts of the function returning the same error code).

With setjmp() you define a place and how you want to handle an int value, and you transfer control to that location via a longjmp(). See Practical usage of setjmp and longjmp in C.

What

  1. Indicator
  2. Code
  3. Object
  4. Callback

Indicator

An error indicator only tells you that there is a problem but nothing about the nature of said problem:

struct foo *f = foo_init();
if(!f) {
  /// handle the absence of foo
}

This is the least powerful way for a function to communicate error state; however, it's perfect if the caller cannot respond to the error in a graduated manner anyways.

Code

An error code tells the caller about the nature of the problem, and may allow for a suitable response (from the above). It can be a return value, or like the look_ma() example above an error argument.

Object

With an error object, the caller can be informed about arbitrarily complicated issues. For example, an error code and a suitable human-readable message. It can also inform the caller that multiple things went wrong, or an error per item when processing a collection:

struct collection friends;
enum error *e = malloc(c.size * sizeof(enum error));
...
ask_for_favor(friends, reason);
for(int i = 0; i < c.size; i++) {
   if(reason[i] == NOT_FOUND) find(friends[i]);
}

Instead of pre-allocating the error array, you can also (re)allocate it dynamically as needed of course.

Callback

Callback is the most powerful way to handle errors, as you can tell the function what behavior you would like to see happen when something goes wrong. A callback argument can be added to each function, or if customization uis only required per instance of a struct like this:

 struct foo {
    ...
    void (error_handler)(char *);
 };

 void default_error_handler(char *message) { 
    assert(f);
    printf("%s", message);
 }

 void foo_set_error_handler(struct foo *f, void (*eh)(char *)) {
    assert(f);
    f->error_handler = eh;
 }

 struct foo *foo_init() {
    struct foo *f = malloc(sizeof(struct foo));
    foo_set_error_handler(f, default_error_handler);
    return f;
 }


 struct foo *f = foo_init();
 foo_something();

One interesting benefit of a callback is that it can be invoked multiple times, or none at all in the absence of errors in which there is no overhead on the happy path.

There is, however, an inversion of control. The calling code does not know if the callback was invoked. As such, it may make sense to use an indicator as well.

Jonathan Leffler
  • 730,956
  • 141
  • 904
  • 1,278
Allan Wind
  • 23,068
  • 5
  • 28
  • 38
5

Here is an approach which I think is interesting, while requiring some discipline.

This assumes a handle-type variable is the instance on which operate all API functions.

The idea is that the struct behind the handle stores the previous error as a struct with necessary data (code, message...), and the user is provided with a function that returns a pointer to this error object. Each operation will update the pointed object so the user can check its status without even calling functions. As opposed to the errno pattern, the error code is not global, which make the approach thread-safe, as long as each handle is properly used.

Example:

MyHandle * h = MyApiCreateHandle();

/* first call checks for pointer nullity, since we cannot retrieve error code
   on a NULL pointer */
if (h == NULL)
     return 0; 

/* from here h is a valid handle */

/* get a pointer to the error struct that will be updated with each call */
MyApiError * err = MyApiGetError(h);

MyApiFileDescriptor * fd = MyApiOpenFile("/path/to/file.ext");

/* we want to know what can go wrong */
if (err->code != MyApi_ERROR_OK) {
    fprintf(stderr, "(%d) %s\n", err->code, err->message);
    MyApiDestroy(h);
    return 0;
}

MyApiRecord record;

/* here the API could refuse to execute the operation if the previous one
   yielded an error, and eventually close the file descriptor itself if
   the error is not recoverable */
MyApiReadFileRecord(h, &record, sizeof(record));

/* we want to know what can go wrong, here using a macro checking for failure */
if (MyApi_FAILED(err)) {
    fprintf(stderr, "(%d) %s\n", err->code, err->message);
    MyApiDestroy(h);
    return 0;
}
Jonathan Leffler
  • 730,956
  • 141
  • 904
  • 1,278
SirDarius
  • 41,440
  • 8
  • 86
  • 100
5

I was pondering this issue recently as well, and wrote up some macros for C that simulate try-catch-finally semantics using purely local return values. Hope you find it useful.

naasking
  • 2,514
  • 1
  • 27
  • 32
4

I definitely prefer the first solution :

int size;
if(getObjectSize(h, &size) != MYAPI_SUCCESS) {
  // Error handling
}

i would slightly modify it, to: 

int size;
MYAPIError rc;

rc = getObjectSize(h, &size)
if ( rc != MYAPI_SUCCESS) {
  // Error handling
}

In additional i will never mix legitimate return value with error even if currently the scope of function allowing you to do so, you never know which way function implementation will go in the future.

And if we already talking about error handling i would suggest goto Error; as error handling code, unless some undo function can be called to handle error handling correctly.

Ilya
  • 3,104
  • 3
  • 23
  • 30
4

First approach is better IMHO:

  • It's easier to write function that way. When you notice an error in the middle of the function you just return an error value. In second approach you need to assign error value to one of the parameters and then return something.... but what would you return - you don't have correct value and you don't return error value.
  • it's more popular so it will be easier to understand, maintain
Klesk
  • 505
  • 6
  • 9
3

What you could do instead of returning your error, and thus forbidding you from returning data with your function, is using a wrapper for your return type:

typedef struct {
    enum {SUCCESS, ERROR} status;
    union {
        int errCode;
        MyType value;
    } ret;
} MyTypeWrapper;

Then, in the called function:

MyTypeWrapper MYAPIFunction(MYAPIHandle h) {
    MyTypeWrapper wrapper;
    // [...]
    // If there is an error somewhere:
    wrapper.status = ERROR;
    wrapper.ret.errCode = MY_ERROR_CODE;

    // Everything went well:
    wrapper.status = SUCCESS;
    wrapper.ret.value = myProcessedData;
    return wrapper;
}

Please note that with the following method, the wrapper will have the size of MyType plus one byte (on most compilers), which is quite profitable; and you won't have to push another argument on the stack when you call your function (returnedSize or returnedError in both of the methods you presented).

Antoine C.
  • 3,730
  • 5
  • 32
  • 56
2

In addition to what has been said, prior to returning your error code, fire off an assert or similar diagnostic when an error is returned, as it will make tracing a lot easier. The way I do this is to have a customised assert that still gets compiled in at release but only gets fired when the software is in diagnostics mode, with an option to silently report to a log file or pause on screen.

I personally return error codes as negative integers with no_error as zero , but it does leave you with the possible following bug

if (MyFunc())
 DoSomething();

An alternative is have a failure always returned as zero, and use a LastError() function to provide details of the actual error.

SmacL
  • 22,555
  • 12
  • 95
  • 149
1

EDIT:If you need access only to the last error, and you don't work in multithreaded environment.

You can return only true/false (or some kind of #define if you work in C and don't support bool variables), and have a global Error buffer that will hold the last error:

int getObjectSize(MYAPIHandle h, int* returnedSize);
MYAPI_ERROR LastError;
MYAPI_ERROR* getLastError() {return LastError;};
#define FUNC_SUCCESS 1
#define FUNC_FAIL 0

if(getObjectSize(h, &size) != FUNC_SUCCESS ) {
    MYAPI_ERROR* error = getLastError();
    // error handling
}
Igor
  • 26,650
  • 27
  • 89
  • 114
  • Indeed but it's not C it's might be provided by OS or not.If you are working on real time operating systems for example you wight not have it. – Ilya Feb 07 '12 at 15:37
  • Many environments have a special provision that a the pseudo-global `getLastError()` be specific to the current thread. – Anton Shepelev Jan 16 '21 at 11:12
1

Second approach lets the compiler produce more optimized code, because when address of a variable is passed to a function, the compiler cannot keep its value in register(s) during subsequent calls to other functions. The completion code usually is used only once, just after the call, whereas "real" data returned from the call may be used more often

dmityugov
  • 4,390
  • 23
  • 18
1

In addition the other great answers, I suggest that you try to separate the error flag and the error code in order to save one line on each call, i.e.:

if( !doit(a, b, c, &errcode) )
{   (* handle *)
    (* thine  *)
    (* error  *)
}

When you have lots of error-checking, this little simplification really helps.

Anton Shepelev
  • 922
  • 9
  • 19
  • It also makes `if (…) { … } else if (…) { … } else { … }` chains easier to write. – Jonathan Leffler Jan 15 '21 at 19:02
  • Probably, but I never use those chains, preferring something less worm-like and more structured, such as `break` within a loop, `goto` to the next code paragraph. `if-else` chains work when each link uses only the `then` branch, the `else` one containing the remaining tests. Putting error handling inside such a chain seems rather clumsy to me. – Anton Shepelev Jan 16 '21 at 11:05
1

I have seen five main approaches used in error reporting by functions in C:

  • return value with no error code reporting or no return value
  • return value that is an error code only
  • return value that is a valid value or an error code value
  • return value indicating an error with some way of fetching an error code possibly with error context information
  • function argument that returns a value with an error code possibly with error context information

In addition to the choice of function error return mechanism there is also the consideration of error code mnemonics and ensuring that the error code mnemonics do not clash with any other error code mnemonics being used. Typically this requires the use of a Three Letter Prefix approach to the naming of mnemonics defining them with #define, enum, or const static int. See this discussion "static const" vs "#define" vs "enum"

There are a couple of different outcomes once an error is detected and that may be a consideration how functions provide error codes and error information. These outcomes are really divided into two camps, recoverable errors and unrecoverable errors:

  • document the system state and then abort
  • wait and retry the failed action
  • notify a human being and request assistance
  • continue execution in a degraded state

An error type may use more than one of these outcomes depending on the context of the error. For instance a file open that fails because the file doesn't exist may be retried with a different file name or notify a user and ask for assistance or continue execution in a degraded state.

Details on Five Main Approaches

Some functions do not provide an error code. The functions either can't fail or if they fail, they fail silently. An example of this type of function are the various is character test functions such as isdigit() which indicates if a character value is a digit or is not. A character value either is or is not a digit or an alphabetic character. Similarly with the strcmp() function, comparing two strings results in a value indicating which one is higher in the collating sequence than the other should they not be the same.

In some cases an error code is not necessary because a value indicating failure is a valid result. For example the strchr() function from the Standard Library returns a pointer to the searched for character if found in the string to be scanned or NULL if it is not found. In this case a failure to find the character is a valid and useful indicator. A function using strchr() may require the character searched for not be in the string to be successful and finding the character is an error condition.

Other functions do not return an error code but instead report an error through an external mechanism. This is used by most of the math library functions in the Standard Library which require the user to set errno to a value of zero, call the function, and then check that the value of errno is still zero. The range of output values from many of the math functions do not allow a special return value to be used to indicate an error and they do not have an error reporting argument in their interfaces.

Some functions perform an action and return an error code value with one of the possible error code values indicating success and the rest of the range of values indicating an error code. For example a function may return a value of 0 if successful or a positive or negative non-zero value indicating an error with the value returned being the error code.

Some functions may perform an action and return either a value from a range of valid values if successful or a value from a range of invalid values indicating an error code. A simple approach is to use a positive value (0, 1, 2, ...) for valid values and a negative value for error codes allowing a check such as if(status < 0) return error;.

Some functions return a valid value or an invalid value indicating an error requiring the additional step of fetching the error code by some means. For example the fopen() function returns either a pointer to a FILE object or it returns an invalid pointer value of NULL and sets errno to an error code indicating the reason for the failure. A number of Windows API functions that return a HANDLE value to reference a resource may also return a value of INVALID_HANDLE_VALUE and the function GetLastError() is used to obtain the error code. The OPOS Control Objects standard requires an OPOS Control Object to provide two functions, GetResultCode() and GetResultCodeExtended(), to allow for the retrieval of error status information in the event a COM object method call fails.

This same approach is used in other APIs that use a handle or reference to a resource in which there is a range of valid values with one or more values outside of that range used to indicate an error. A mechanism is then provided to fetch additional error information such as an error code.

A similar approach is used with functions that return a boolean value of true to indicate the function was successful or false to indicate an error. The programmer must then examine other data to determine an error code such as GetLastError() with the Windows API.

Some functions have a pointer argument containing the address of a memory area for the function called to provide an error code or error information. Where this approach really shines is when in addition to a simple error code there is additional, error context information that helps to pin point the error. For example a JSON string parsing function may not only return an error code but also a pointer to where in the JSON string the parsing failed.

I have also seen functions where the function returned an error indicator such as a boolean value with the argument used for error information. I recall that the error information argument could in some cases be NULL indicating the caller didn't want to know the specifics of a failure.

This approach to returning error code or error information seems to be uncommon in my experience though for some reason I think I've seen it used in the Windows API from time to time or perhaps with an XML parser.

Considerations for multi-threading

When using the approach of an additional error code access through a mechanism as in checking a global such as errno or using a function such as GetLastError() there is the problem of sharing the global across multiple threads.

Modern compilers and libraries deal with this by using thread local storage to ensure that each thread has its own storage that is not shared by other threads. However there is still the issue of multiple functions sharing the same thread local storage location for status information which may require some accomodation. For instance, a function that uses several files may need to work around the issue that all of the fopen() calls that may fail share a single errno in the same thread.

If the API uses some type of handle or reference then error code storage can be made handle specific. The fopen() function could be wrapped in another function which performs the fopen() and then sets an API control block with both the FILE * returned by the fopen() as well as the value of errno.

The approach I prefer

My preference is for an error code to be returned as a function return value so that I can either check it at the point of call or save it for later. In most cases, an error is something to be dealt with immediately which is why I prefer this approach.

An approach I have used with functions is to have the function return a simple struct which contains two members, a status code and the return value. For example:

struct FuncRet {
   short  sStatus;  // status or error code
   double dValue;   // calculated value
};

struct FuncRet Func(double dInput)
{
    struct FuncRet = {0, 0};  // sStatus == 0 indicates success

    // calculate return value FuncRet.dValue and set
    // status code FuncRet.sStatus in the event of an error.

    return FuncRet;
}


//  ... source code before using our function.

{
    struct FuncRet s;

    if ((s = Func(aDble)).sStatus == 0) {
        // do things with the valid value s.dValue
    } else {
        // error so deal with the error reported in s.sStatus
    }
}

This allows me to do an immediate check for an error. Many functions end up returning a status without returning an actual value as well because the data returned is complex. One or more arguments may be modified by the function but the function doesn't return a value other than a status code.

Richard Chambers
  • 16,643
  • 4
  • 81
  • 106
1

I prefer error handling in C using the following technique:

struct lnode *insert(char *data, int len, struct lnode *list) {
    struct lnode *p, *q;
    uint8_t good;
    struct {
            uint8_t alloc_node : 1;
            uint8_t alloc_str : 1;
    } cleanup = { 0, 0 };

   // allocate node.
    p = (struct lnode *)malloc(sizeof(struct lnode));
    good = cleanup.alloc_node = (p != NULL);

   // good? then allocate str
    if (good) {
            p->str = (char *)malloc(sizeof(char)*len);
            good = cleanup.alloc_str = (p->str != NULL);
    }

   // good? copy data
    if(good) {
            memcpy ( p->str, data, len );
    }

   // still good? insert in list
    if(good) {
            if(NULL == list) {
                    p->next = NULL;
                    list = p;
            } else {
                    q = list;
                    while(q->next != NULL && good) {
                            // duplicate found--not good
                            good = (strcmp(q->str,p->str) != 0);
                            q = q->next;
                    }
                    if (good) {
                            p->next = q->next;
                            q->next = p;
                    }
            }
    }

   // not-good? cleanup.
    if(!good) {
            if(cleanup.alloc_str)   free(p->str);
            if(cleanup.alloc_node)  free(p);
    }

   // good? return list or else return NULL
    return (good ? list : NULL);
}

Source: http://blog.staila.com/?p=114

Jonathan Leffler
  • 730,956
  • 141
  • 904
  • 1,278
Nitin Kunal
  • 565
  • 5
  • 7
  • 1
    Good technique. I find even neater with `goto`'s instead of repeated `if`'s. References: [one](https://softwareengineering.stackexchange.com/questions/360844/calling-multiple-fail-able-code-parts-in-a-row/363180#363180), [two](http://koblents.com/Ches/Links/Month-Mar-2013/20-Using-Goto-in-Linux-Kernel-Code/). – Anton Shepelev Mar 01 '18 at 20:05