\chapter{Exception Features}
\label{c:features}

This chapter covers the design and user interface of the \CFA EHM
and begins with a general overview of EHMs. It is not a strict
definition of all EHMs nor an exhaustive list of all possible features.
However it does cover the most common structure and features found in them.

\section{Overview of EHMs}
% We should cover what is an exception handling mechanism and what is an
% exception before this. Probably in the introduction. Some of this could
% move there.
\subsection{Raise / Handle}
An exception operation has two main parts: raise and handle.
These terms are sometimes known as throw and catch but this work uses
throw/catch as a particular kind of raise/handle.
These are the two parts that the user writes and may
be the only two pieces of the EHM that have any syntax in a language.

\paragraph{Raise}
The raise is the starting point for exception handling
by raising an exception, which passes it to
the EHM.

Some well known examples include the @throw@ statements of \Cpp and Java and
the \code{Python}{raise} statement of Python. In real systems, a raise may
perform some other work (such as memory management) but for the
purposes of this overview that can be ignored.

\paragraph{Handle}
The primary purpose of an EHM is to run some user code to handle a raised
exception. This code is given, with some other information, in a handler.

A handler has three common features: the previously mentioned user code, a
region of code it guards, and an exception label/condition that matches
the raised exception.
Only raises inside the guarded region and raising exceptions that match the
label can be handled by a given handler.
If multiple handlers could can handle an exception,
EHMs define a rule to pick one, such as ``best match" or ``first found".

The @try@ statements of \Cpp, Java and Python are common examples. All three
show the common features of guarded region, raise, matching and handler.
\begin{cfa}
try {				// guarded region
	...	 
	throw exception;	// raise
	...	 
} catch( exception ) {	// matching condition, with exception label
	...				// handler code
}
\end{cfa}

\subsection{Propagation}
After an exception is raised comes what is usually the biggest step for the
EHM: finding and setting up the handler for execution. The propagation from raise to
handler can be broken up into three different tasks: searching for a handler,
matching against the handler and installing the handler.

\paragraph{Searching}
The EHM begins by searching for handlers that might be used to handle
the exception. The search is restricted to
handlers that have the raise site in their guarded
region.
The search includes handlers in the current function, as well as any in
callers on the stack that have the function call in their guarded region.

\paragraph{Matching}
Each handler found is matched with the raised exception. The exception
label defines a condition that is used with the exception and decides if
there is a match or not.
In languages where the first match is used, this step is intertwined with
searching; a match check is performed immediately after the search finds
a handler.

\paragraph{Installing}
After a handler is chosen, it must be made ready to run.
The implementation can vary widely to fit with the rest of the
design of the EHM. The installation step might be trivial or it could be
the most expensive step in handling an exception. The latter tends to be the
case when stack unwinding is involved.

If a matching handler is not guaranteed to be found, the EHM needs a
different course of action for this case.
This situation only occurs with unchecked exceptions as checked exceptions
(such as in Java) are guaranteed to find a matching handler.
The unhandled action is usually very general, such as aborting the program.

\paragraph{Hierarchy}
A common way to organize exceptions is in a hierarchical structure.
This pattern comes from object-orientated languages where the
exception hierarchy is a natural extension of the object hierarchy.

Consider the following exception hierarchy:
\begin{center}
\input{exception-hierarchy}
\end{center}
A handler labeled with any given exception can handle exceptions of that
type or any child type of that exception. The root of the exception hierarchy
(here \code{C}{exception}) acts as a catch-all, leaf types catch single types,
and the exceptions in the middle can be used to catch different groups of
related exceptions.

This system has some notable advantages, such as multiple levels of grouping,
the ability for libraries to add new exception types, and the isolation
between different sub-hierarchies.
This design is used in \CFA even though it is not a object-orientated
language; so different tools are used to create the hierarchy.

% Could I cite the rational for the Python IO exception rework?

\subsection{Completion}
After the handler has finished, the entire exception operation has to complete
and continue executing somewhere else. This step is usually simple,
both logically and in its implementation, as the installation of the handler
is usually set up to do most of the work.

The EHM can return control to many different places, where
the most common are after the handler definition (termination)
and after the raise (resumption).

\subsection{Communication}
For effective exception handling, additional information is often passed
from the raise to the handler and back again.
So far, only communication of the exception's identity is covered.
A common communication method for passing more information is putting fields into the exception instance
and giving the handler access to them.
Using reference fields pointing to data at the raise location allows data to be
passed in both directions.

\section{Virtuals}
\label{s:Virtuals}
Virtual types and casts are not part of \CFA's EHM nor are they required for
an EHM.
However, one of the best ways to support an exception hierarchy
is via a virtual hierarchy and dispatch system.
Ideally, the virtual system should have been part of \CFA before the work
on exception handling began, but unfortunately it was not.
Hence, only the features and framework needed for the EHM were
designed and implemented for this thesis. Other features were considered to ensure that
the structure could accommodate other desirable features in the future
but are not implemented.
The rest of this section only discusses the implemented subset of the
virtual-system design.

The virtual system supports multiple ``trees" of types. Each tree is
a simple hierarchy with a single root type. Each type in a tree has exactly
one parent -- except for the root type which has zero parents -- and any
number of children.
Any type that belongs to any of these trees is called a virtual type.
For example, the following hypothetical syntax creates two virtual-type trees.
\begin{flushleft}
\lstDeleteShortInline@
\begin{tabular}{@{\hspace{20pt}}l@{\hspace{20pt}}l}
\begin{cfa}
vtype V0, V1(V0), V2(V0);
vtype W0, W1(W0), W2(W1);
\end{cfa}
&
\raisebox{-0.6\totalheight}{\input{vtable}}
\end{tabular}
\lstMakeShortInline@
\end{flushleft}
% A type's ancestors are its parent and its parent's ancestors.
% The root type has no ancestors.
% A type's descendants are its children and its children's descendants.
Every virtual type (tree node) has a pointer to a virtual table with a unique
@Id@ and a list of virtual members (see \autoref{s:VirtualSystem} for
details). Children inherit their parent's list of virtual members but may add
and/or replace members.  For example,
\begin{cfa}
vtable W0 | { int ?<?( int, int ); int ?+?( int, int ); }
vtable W1 | { int ?+?( int, int ); int w, int ?-?( int, int ); }
\end{cfa}
creates a virtual table for @W0@ initialized with the matching @<@ and @+@
operations visible at this declaration context.  Similarly, @W1@ is initialized
with @<@ from inheritance with @W0@, @+@ is replaced, and @-@ is added, where
both operations are matched at this declaration context. It is important to
note that these are virtual members, not virtual methods of object-orientated
programming, and can be of any type. Finally, trait names can be used to
specify the list of virtual members.

\PAB{Need to look at these when done.

\CFA still supports virtual methods as a special case of virtual members.
Function pointers that take a pointer to the virtual type are modified
with each level of inheritance so that refers to the new type.
This means an object can always be passed to a function in its virtual table
as if it were a method.
\todo{Clarify (with an example) virtual methods.}
}%

Up until this point the virtual system is similar to ones found in
object-orientated languages but this is where \CFA diverges. Objects encapsulate a
single set of methods in each type, universally across the entire program,
and indeed all programs that use that type definition. Even if a type inherits and adds methods, it still encapsulate a
single set of methods. In this sense,
object-oriented types are ``closed" and cannot be altered.

In \CFA, types do not encapsulate any code. Traits are local for each function and
types can satisfy a local trait, stop satisfying it or, satisfy the same
trait in a different way at any lexical location in the program where a function is call.
In this sense, the set of functions/variables that satisfy a trait for a type is ``open" as the set can change at every call site.
This capability means it is impossible to pick a single set of functions
that represent a type's implementation across a program.

\CFA side-steps this issue by not having a single virtual table for each
type. A user can define virtual tables that are filled in at their
declaration and given a name. Anywhere that name is visible, even if it is
defined locally inside a function \PAB{What does this mean? (although that means it does not have a
static lifetime)}, it can be used.
Specifically, a virtual type is ``bound" to a virtual table that
sets the virtual members for that object. The virtual members can be accessed
through the object.

While much of the virtual infrastructure is created, it is currently only used
internally for exception handling. The only user-level feature is the virtual
cast, which is the same as the \Cpp \code{C++}{dynamic_cast}.
\label{p:VirtualCast}
\begin{cfa}
(virtual TYPE)EXPRESSION
\end{cfa}
Note, the syntax and semantics matches a C-cast, rather than the function-like
\Cpp syntax for special casts. Both the type of @EXPRESSION@ and @TYPE@ must be
a pointer to a virtual type.
The cast dynamically checks if the @EXPRESSION@ type is the same or a sub-type
of @TYPE@, and if true, returns a pointer to the
@EXPRESSION@ object, otherwise it returns @0p@ (null pointer).

\section{Exception}
% Leaving until later, hopefully it can talk about actual syntax instead
% of my many strange macros. Syntax aside I will also have to talk about the
% features all exceptions support.

Exceptions are defined by the trait system; there are a series of traits, and
if a type satisfies them, then it can be used as an exception. The following
is the base trait all exceptions need to match.
\begin{cfa}
trait is_exception(exceptT &, virtualT &) {
	// Numerous imaginary assertions.
};
\end{cfa}
The trait is defined over two types, the exception type and the virtual table
type. Each exception type should have a single virtual table type.
There are no actual assertions in this trait because the trait system
cannot express them yet (adding such assertions would be part of
completing the virtual system). The imaginary assertions would probably come
from a trait defined by the virtual system, and state that the exception type
is a virtual type, is a descendant of @exception_t@ (the base exception type),
and note its virtual table type.

% I did have a note about how it is the programmer's responsibility to make
% sure the function is implemented correctly. But this is true of every
% similar system I know of (except Agda's I guess) so I took it out.

There are two more traits for exceptions defined as follows:
\begin{cfa}
trait is_termination_exception(
		exceptT &, virtualT & | is_exception(exceptT, virtualT)) {
	void defaultTerminationHandler(exceptT &);
};

trait is_resumption_exception(
		exceptT &, virtualT & | is_exception(exceptT, virtualT)) {
	void defaultResumptionHandler(exceptT &);
};
\end{cfa}
Both traits ensure a pair of types are an exception type, its virtual table
type,
and defines one of the two default handlers. The default handlers are used
as fallbacks and are discussed in detail in \vref{s:ExceptionHandling}.

However, all three of these traits can be tricky to use directly.
While there is a bit of repetition required,
the largest issue is that the virtual table type is mangled and not in a user
facing way. So these three macros are provided to wrap these traits to
simplify referring to the names:
@IS_EXCEPTION@, @IS_TERMINATION_EXCEPTION@, and @IS_RESUMPTION_EXCEPTION@.

All three take one or two arguments. The first argument is the name of the
exception type. The macro passes its unmangled and mangled form to the trait.
The second (optional) argument is a parenthesized list of polymorphic
arguments. This argument is only used with polymorphic exceptions and the
list is be passed to both types.
In the current set-up, the two types always have the same polymorphic
arguments so these macros can be used without losing flexibility.

For example consider a function that is polymorphic over types that have a
defined arithmetic exception:
\begin{cfa}
forall(Num | IS_EXCEPTION(Arithmetic, (Num)))
void some_math_function(Num & left, Num & right);
\end{cfa}

\section{Exception Handling}
\label{s:ExceptionHandling}
As stated,
\CFA provides two kinds of exception handling: termination and resumption.
These twin operations are the core of \CFA's exception handling mechanism.
This section covers the general patterns shared by the two operations and
then goes on to cover the details of each individual operation.

Both operations follow the same set of steps.
First, a user raises an exception.
Second, the exception propagates up the stack.
Third, if a handler is found, the exception is caught and the handler is run.
After that control continues at a raise-dependent location.
Fourth, if a handler is not found, a default handler is run and, if it returns, then control
continues after the raise.

%This general description covers what the two kinds have in common.
The differences in the two operations include how propagation is performed, where execution continues
after an exception is caught and handled, and which default handler is run.

\subsection{Termination}
\label{s:Termination}
Termination handling is the familiar EHM and used in most programming
languages with exception handling.
It is a dynamic, non-local goto. If the raised exception is matched and
handled, the stack is unwound and control (usually) continues in the function
on the call stack that defined the handler.
Termination is commonly used when an error has occurred and recovery is
impossible locally.

% (usually) Control can continue in the current function but then a different
% control flow construct should be used.

A termination raise is started with the @throw@ statement:
\begin{cfa}
throw EXPRESSION;
\end{cfa}
The expression must return a reference to a termination exception, where the
termination exception is any type that satisfies the trait
@is_termination_exception@ at the call site.
Through \CFA's trait system, the trait functions are implicitly passed into the
throw code for use by the EHM.
A new @defaultTerminationHandler@ can be defined in any scope to
change the throw's behaviour when a handler is not found (see below).

The throw copies the provided exception into managed memory to ensure
the exception is not destroyed if the stack is unwound.
It is the user's responsibility to ensure the original exception is cleaned
up whether the stack is unwound or not. Allocating it on the stack is
usually sufficient.

% How to say propagation starts, its first sub-step is the search.
Then propagation starts with the search. \CFA uses a ``first match" rule so
matching is performed with the copied exception as the search key.
It starts from the raise in the throwing function and proceeds towards the base of the stack,
from callee to caller.
At each stack frame, a check is made for termination handlers defined by the
@catch@ clauses of a @try@ statement.
\begin{cfa}
try {
	GUARDED_BLOCK
} catch (EXCEPTION_TYPE$\(_1\)$ * [NAME$\(_1\)$]) {
	HANDLER_BLOCK$\(_1\)$
} catch (EXCEPTION_TYPE$\(_2\)$ * [NAME$\(_2\)$]) {
	HANDLER_BLOCK$\(_2\)$
}
\end{cfa}
When viewed on its own, a try statement simply executes the statements
in the \snake{GUARDED_BLOCK}, and when those are finished,
the try statement finishes.

However, while the guarded statements are being executed, including any
invoked functions, all the handlers in these statements are included in the
search path.
Hence, if a termination exception is raised, these handlers may be matched
against the exception and may handle it.

Exception matching checks the handler in each catch clause in the order
they appear, top to bottom. If the representation of the raised exception type
is the same or a descendant of @EXCEPTION_TYPE@$_i$, then @NAME@$_i$
(if provided) is
bound to a pointer to the exception and the statements in @HANDLER_BLOCK@$_i$
are executed. If control reaches the end of the handler, the exception is
freed and control continues after the try statement.

If no termination handler is found during the search, then the default handler
(\defaultTerminationHandler) visible at the raise statement is called.
Through \CFA's trait system the best match at the raise statement is used.
This function is run and is passed the copied exception.
If the default handler finishes, control continues after the raise statement.

There is a global @defaultTerminationHandler@ that is polymorphic over all
termination exception types.
The global default termination handler performs a cancellation
(see \vref{s:Cancellation} for the justification) on the current stack with the copied exception.
Since it is so general, a more specific handler is usually
defined, possibly with a detailed message, and used for specific exception type, effectively overriding the default handler.

\subsection{Resumption}
\label{s:Resumption}

Resumption exception handling is the less familar EHM, but is
just as old~\cite{Goodenough75} and is simpler in many ways.
It is a dynamic, non-local function call. If the raised exception is
matched, a closure is taken from up the stack and executed,
after which the raising function continues executing.
The common uses for resumption exceptions include
potentially repairable errors, where execution can continue in the same
function once the error is corrected, and
ignorable events, such as logging where nothing needs to happen and control
should always continue from the raise point.

A resumption raise is started with the @throwResume@ statement:
\begin{cfa}
throwResume EXPRESSION;
\end{cfa}
\todo{Decide on a final set of keywords and use them everywhere.}
It works much the same way as the termination throw.
The expression must return a reference to a resumption exception,
where the resumption exception is any type that satisfies the trait
@is_resumption_exception@ at the call site.
The assertions from this trait are available to
the exception system while handling the exception.

At run-time, no exception copy is made, since
resumption does not unwind the stack nor otherwise remove values from the
current scope, so there is no need to manage memory to keep the exception in scope.

Then propagation starts with the search. It starts from the raise in the
resuming function and proceeds towards the base of the stack,
from callee to caller.
At each stack frame, a check is made for resumption handlers defined by the
@catchResume@ clauses of a @try@ statement.
\begin{cfa}
try {
	GUARDED_BLOCK
} catchResume (EXCEPTION_TYPE$\(_1\)$ * [NAME$\(_1\)$]) {
	HANDLER_BLOCK$\(_1\)$
} catchResume (EXCEPTION_TYPE$\(_2\)$ * [NAME$\(_2\)$]) {
	HANDLER_BLOCK$\(_2\)$
}
\end{cfa}
% PAB, you say this above.
% When a try statement is executed, it simply executes the statements in the
% @GUARDED_BLOCK@ and then finishes.
% 
% However, while the guarded statements are being executed, including any
% invoked functions, all the handlers in these statements are included in the
% search path.
% Hence, if a resumption exception is raised, these handlers may be matched
% against the exception and may handle it.
% 
% Exception matching checks the handler in each catch clause in the order
% they appear, top to bottom. If the representation of the raised exception type
% is the same or a descendant of @EXCEPTION_TYPE@$_i$, then @NAME@$_i$
% (if provided) is bound to a pointer to the exception and the statements in
% @HANDLER_BLOCK@$_i$ are executed.
% If control reaches the end of the handler, execution continues after the
% the raise statement that raised the handled exception.
% 
% Like termination, if no resumption handler is found during the search,
% then the default handler (\defaultResumptionHandler) visible at the raise
% statement is called. It will use the best match at the raise sight according
% to \CFA's overloading rules. The default handler is
% passed the exception given to the raise. When the default handler finishes
% execution continues after the raise statement.
% 
% There is a global @defaultResumptionHandler{} is polymorphic over all
% resumption exceptions and performs a termination throw on the exception.
% The \defaultTerminationHandler{} can be overridden by providing a new
% function that is a better match.

The @GUARDED_BLOCK@ and its associated nested guarded statements work the same
for resumption as for termination, as does exception matching at each
@catchResume@. Similarly, if no resumption handler is found during the search,
then the currently visible default handler (\defaultResumptionHandler) is
called and control continues after the raise statement if it returns. Finally,
there is also a global @defaultResumptionHandler@, which can be overridden,
that is polymorphic over all resumption exceptions but performs a termination
throw on the exception rather than a cancellation.

Throwing the exception in @defaultResumptionHandler@ has the positive effect of
walking the stack a second time for a recovery handler. Hence, a programmer has
two chances for help with a problem, fixup or recovery, should either kind of
handler appear on the stack. However, this dual stack walk leads to following
apparent anomaly:
\begin{cfa}
try {
	throwResume E;
} catch (E) {
	// this handler runs
}
\end{cfa}
because the @catch@ appears to handle a @throwResume@, but a @throwResume@ only
matches with @catchResume@. The anomaly results because the unmatched
@catchResuem@, calls @defaultResumptionHandler@, which in turn throws @E@.

% I wonder if there would be some good central place for this.
Note, termination and resumption handlers may be used together
in a single try statement, intermixing @catch@ and @catchResume@ freely.
Each type of handler only interacts with exceptions from the matching
kind of raise.

\subsubsection{Resumption Marking}
\label{s:ResumptionMarking}
A key difference between resumption and termination is that resumption does
not unwind the stack. A side effect is that, when a handler is matched
and run, its try block (the guarded statements) and every try statement
searched before it are still on the stack. There presence can lead to
the \emph{recursive resumption problem}.

The recursive resumption problem is any situation where a resumption handler
ends up being called while it is running.
Consider a trivial case:
\begin{cfa}
try {
	throwResume (E &){};
} catchResume(E *) {
	throwResume (E &){};
}
\end{cfa}
When this code is executed, the guarded @throwResume@ starts a
search and matches the handler in the @catchResume@ clause. This
call is placed on the stack above the try-block. Now the second raise in the handler
searches the same try block, matches, and puts another instance of the
same handler on the stack leading to infinite recursion.

While this situation is trivial and easy to avoid, much more complex cycles can
form with multiple handlers and different exception types.  The key point is
that the programmer's intuition expects every raise in a handler to start
searching \emph{below} the @try@ statement, making it difficult to understand
and fix the problem.

To prevent all of these cases, each try statement is ``marked" from the
time the exception search reaches it to either when a matching handler
completes or when the search reaches the base
of the stack.
While a try statement is marked, its handlers are never matched, effectively
skipping over it to the next try statement.

\begin{center}
\input{stack-marking}
\end{center}

There are other sets of marking rules that could be used,
for instance, marking just the handlers that caught the exception,
would also prevent recursive resumption.
However, the rule selected mirrors what happens with termination,
and hence, matches programmer intuition that a raise searches below a try.

In detail, the marked try statements are the ones that would be removed from
the stack for a termination exception, \ie those on the stack
between the handler and the raise statement.
This symmetry applies to the default handler as well, as both kinds of
default handlers are run at the raise statement, rather than (physically
or logically) at the bottom of the stack.
% In early development having the default handler happen after
% unmarking was just more useful. We assume that will continue.

\section{Conditional Catch}
Both termination and resumption handler clauses can be given an additional
condition to further control which exceptions they handle:
\begin{cfa}
catch (EXCEPTION_TYPE * [NAME] ; CONDITION)
\end{cfa}
First, the same semantics is used to match the exception type. Second, if the
exception matches, @CONDITION@ is executed. The condition expression may
reference all names in scope at the beginning of the try block and @NAME@
introduced in the handler clause. If the condition is true, then the handler
matches. Otherwise, the exception search continues as if the exception type
did not match.

The condition matching allows finer matching by checking
more kinds of information than just the exception type.
\begin{cfa}
try {
	handle1 = open( f1, ... );
	handle2 = open( f2, ... );
	handle3 = open( f3, ... );
	...
} catch( IOFailure * f ; fd( f ) == f1 ) {
	// Only handle IO failure for f1.
} catch( IOFailure * f ; fd( f ) == f3 ) {
	// Only handle IO failure for f3.
}
// Handle a failure relating to f2 further down the stack.
\end{cfa}
In this example the file that experienced the IO error is used to decide
which handler should be run, if any at all.

\begin{comment}
% I know I actually haven't got rid of them yet, but I'm going to try
% to write it as if I had and see if that makes sense:
\section{Reraising}
\label{s:Reraising}
Within the handler block or functions called from the handler block, it is
possible to reraise the most recently caught exception with @throw@ or
@throwResume@, respectively.
\begin{cfa}
try {
	...
} catch( ... ) {
	... throw;
} catchResume( ... ) {
	... throwResume;
}
\end{cfa}
The only difference between a raise and a reraise is that reraise does not
create a new exception; instead it continues using the current exception, \ie
no allocation and copy. However the default handler is still set to the one
visible at the raise point, and hence, for termination could refer to data that
is part of an unwound stack frame. To prevent this problem, a new default
handler is generated that does a program-level abort.
\end{comment}

\subsection{Comparison with Reraising}
Without conditional catch, the only approach to match in more detail is to reraise
the exception after it has been caught, if it could not be handled.
\begin{center}
\begin{tabular}{l|l}
\begin{cfa}
try {
	do_work_may_throw();
} catch(excep_t * ex; can_handle(ex)) {

	handle(ex);



}
\end{cfa}
&
\begin{cfa}
try {
	do_work_may_throw();
} catch(excep_t * ex) { 
	if (can_handle(ex)) {
		handle(ex);
	} else {
		throw;
	}
}
\end{cfa}
\end{tabular}
\end{center}
Notice catch-and-reraise increases complexity by adding additional data and
code to the exception process. Nevertheless, catch-and-reraise can simulate
conditional catch straightforwardly, when exceptions are disjoint, \ie no
inheritance.

However, catch-and-reraise simulation becomes unusable for exception inheritance.
\begin{flushleft}
\begin{cfa}[xleftmargin=6pt]
exception E1;
exception E2(E1); // inheritance
\end{cfa}
\begin{tabular}{l|l}
\begin{cfa}
try {
	... foo(); ... // raise E1/E2
	... bar(); ... // raise E1/E2
} catch( E2 e; e.rtn == foo ) {
	...
} catch( E1 e; e.rtn == foo ) {
	...
} catch( E1 e; e.rtn == bar ) {
	...
}

\end{cfa}
&
\begin{cfa}
try {
	... foo(); ...
	... bar(); ...
} catch( E2 e ) {
	if ( e.rtn == foo ) { ...
	} else throw; // reraise
} catch( E1 e ) {
	if (e.rtn == foo) { ...
	} else if (e.rtn == bar) { ...
	else throw; // reraise
}
\end{cfa}
\end{tabular}
\end{flushleft}
The derived exception @E2@ must be ordered first in the catch list, otherwise
the base exception @E1@ catches both exceptions. In the catch-and-reraise code
(right), the @E2@ handler catches exceptions from both @foo@ and
@bar@. However, the reraise misses the following catch clause. To fix this
problem, an enclosing @try@ statement is need to catch @E2@ for @bar@ from the
reraise, and its handler must duplicate the inner handler code for @bar@. To
generalize, this fix for any amount of inheritance and complexity of try
statement requires a technique called \emph{try-block
splitting}~\cite{Krischer02}, which is not discussed in this thesis. It is
sufficient to state that conditional catch is more expressive than
catch-and-reraise in terms of complexity.

\begin{comment}
That is, they have the same behaviour in isolation.
Two things can expose differences between these cases.

One is the existence of multiple handlers on a single try statement.
A reraise skips all later handlers for a try statement but a conditional
catch does not.
% Hence, if an earlier handler contains a reraise later handlers are
% implicitly skipped, with a conditional catch they are not.
Still, they are equivalently powerful,
both can be used two mimic the behaviour of the other,
as reraise can pack arbitrary code in the handler and conditional catches
can put arbitrary code in the predicate.
% I was struggling with a long explanation about some simple solutions,
% like repeating a condition on later handlers, and the general solution of
% merging everything together. I don't think it is useful though unless its
% for a proof.
% https://en.cppreference.com/w/cpp/language/throw

The question then becomes ``Which is a better default?"
We believe that not skipping possibly useful handlers is a better default.
If a handler can handle an exception it should and if the handler can not
handle the exception then it is probably safer to have that explicitly
described in the handler itself instead of implicitly described by its
ordering with other handlers.
% Or you could just alter the semantics of the throw statement. The handler
% index is in the exception so you could use it to know where to start
% searching from in the current try statement.
% No place for the `goto else;` metaphor.

The other issue is all of the discussion above assumes that the only
way to tell apart two raises is the exception being raised and the remaining
search path.
This is not true generally, the current state of the stack can matter in
a number of cases, even only for a stack trace after an program abort.
But \CFA has a much more significant need of the rest of the stack, the
default handlers for both termination and resumption.

% For resumption it turns out it is possible continue a raise after the
% exception has been caught, as if it hadn't been caught in the first place.
This becomes a problem combined with the stack unwinding used in termination
exception handling.
The stack is unwound before the handler is installed, and hence before any
reraises can run. So if a reraise happens the previous stack is gone,
the place on the stack where the default handler was supposed to run is gone,
if the default handler was a local function it may have been unwound too.
There is no reasonable way to restore that information, so the reraise has
to be considered as a new raise.
This is the strongest advantage conditional catches have over reraising,
they happen before stack unwinding and avoid this problem.

% The one possible disadvantage of conditional catch is that it runs user
% code during the exception search. While this is a new place that user code
% can be run destructors and finally clauses are already run during the stack
% unwinding.
%
% https://www.cplusplus.com/reference/exception/current_exception/
%   `exception_ptr current_exception() noexcept;`
% https://www.python.org/dev/peps/pep-0343/
\end{comment}

\section{Finally Clauses}
\label{s:FinallyClauses}
Finally clauses are used to preform unconditional clean-up when leaving a
scope and are placed at the end of a try statement after any handler clauses:
\begin{cfa}
try {
	GUARDED_BLOCK
} ... // any number or kind of handler clauses
... finally {
	FINALLY_BLOCK
}
\end{cfa}
The @FINALLY_BLOCK@ is executed when the try statement is removed from the
stack, including when the @GUARDED_BLOCK@ finishes, any termination handler
finishes, or during an unwind.
The only time the block is not executed is if the program is exited before
the stack is unwound.

Execution of the finally block should always finish, meaning control runs off
the end of the block. This requirement ensures control always continues as if
the finally clause is not present, \ie finally is for cleanup not changing
control flow.
Because of this requirement, local control flow out of the finally block
is forbidden. The compiler precludes any @break@, @continue@, @fallthru@ or
@return@ that causes control to leave the finally block. Other ways to leave
the finally block, such as a long jump or termination are much harder to check,
and at best requiring additional run-time overhead, and so are only
discouraged.

Not all languages with unwinding have finally clauses. Notably \Cpp does
without it as destructors, and the RAII design pattern, serve a similar role.
Although destructors and finally clauses can be used for the same cases,
they have their own strengths, similar to top-level function and lambda
functions with closures.
Destructors take more work for their creation, but if there is clean-up code
that needs to be run every time a type is used, they are much easier
to set-up.
On the other hand finally clauses capture the local context, so is easy to
use when the clean-up is not dependent on the type of a variable or requires
information from multiple variables.

\section{Cancellation}
\label{s:Cancellation}
Cancellation is a stack-level abort, which can be thought of as as an
uncatchable termination. It unwinds the entire current stack, and if
possible forwards the cancellation exception to a different stack.

Cancellation is not an exception operation like termination or resumption.
There is no special statement for starting a cancellation; instead the standard
library function @cancel_stack@ is called passing an exception. Unlike a
raise, this exception is not used in matching only to pass information about
the cause of the cancellation.
Finaly, since a cancellation only unwinds and forwards, there is no default handler.

After @cancel_stack@ is called the exception is copied into the EHM's memory
and the current stack is unwound.
The behaviour after that depends on the kind of stack being cancelled.

\paragraph{Main Stack}
The main stack is the one used by the program main at the start of execution,
and is the only stack in a sequential program.
After the main stack is unwound there is a program-level abort. 

The reasons for this semantics in a sequential program is that there is no more code to execute.
This semantics also applies to concurrent programs, too, even if threads are running.
That is, if any threads starts a cancellation, it implies all threads terminate.
Keeping the same behaviour in sequential and concurrent programs is simple.
Also, even in concurrent programs there may not currently be any other stacks
and even if other stacks do exist, main has no way to know where they are.

\paragraph{Thread Stack}
A thread stack is created for a \CFA @thread@ object or object that satisfies
the @is_thread@ trait.
After a thread stack is unwound, the exception is stored until another
thread attempts to join with it. Then the exception @ThreadCancelled@,
which stores a reference to the thread and to the exception passed to the
cancellation, is reported from the join to the joining thread.
There is one difference between an explicit join (with the @join@ function)
and an implicit join (from a destructor call). The explicit join takes the
default handler (@defaultResumptionHandler@) from its calling context while
the implicit join provides its own; which does a program abort if the
@ThreadCancelled@ exception cannot be handled.

The communication and synchronization are done here because threads only have
two structural points (not dependent on user-code) where
communication/synchronization happens: start and join.
Since a thread must be running to perform a cancellation (and cannot be
cancelled from another stack), the cancellation must be after start and
before the join, so join is used.

% TODO: Find somewhere to discuss unwind collisions.
The difference between the explicit and implicit join is for safety and
debugging. It helps prevent unwinding collisions by avoiding throwing from
a destructor and prevents cascading the error across multiple threads if
the user is not equipped to deal with it.
It is always possible to add an explicit join if that is the desired behaviour.

With explicit join and a default handler that triggers a cancellation, it is
possible to cascade an error across any number of threads, cleaning up each
in turn, until the error is handled or the main thread is reached.

\paragraph{Coroutine Stack}
A coroutine stack is created for a @coroutine@ object or object that
satisfies the @is_coroutine@ trait.
After a coroutine stack is unwound, control returns to the @resume@ function
that most recently resumed it. @resume@ reports a
@CoroutineCancelled@ exception, which contains a references to the cancelled
coroutine and the exception used to cancel it.
The @resume@ function also takes the \defaultResumptionHandler{} from the
caller's context and passes it to the internal report.

A coroutine only knows of two other coroutines, its starter and its last resumer.
The starter has a much more distant connection, while the last resumer just
(in terms of coroutine state) called resume on this coroutine, so the message
is passed to the latter.

With a default handler that triggers a cancellation, it is possible to
cascade an error across any number of coroutines, cleaning up each in turn,
until the error is handled or a thread stack is reached.

\PAB{Part of this I do not understand. A cancellation cannot be caught. But you
talk about handling a cancellation in the last sentence. Which is correct?}