Skip to content

fix: host_bindgen! returns Result instead of panicking on guest errors#1317

Open
jsturtevant wants to merge 2 commits intomainfrom
rally/1316-host-bindgen-generated-code-panics-on-guest-error
Open

fix: host_bindgen! returns Result instead of panicking on guest errors#1317
jsturtevant wants to merge 2 commits intomainfrom
rally/1316-host-bindgen-generated-code-panics-on-guest-error

Conversation

@jsturtevant
Copy link
Contributor

@jsturtevant jsturtevant commented Mar 17, 2026
edited
Loading

fixes: #1316

The host_bindgen! macro generated export wrapper functions that called panic! when Callable::call() returned Err (e.g., guest abort, trap, timeout). This crashed the host process instead of letting callers handle the error gracefully.

Breaking Change

Host-side trait implementations generated by host_bindgen! must now return Result<T, HyperlightError> instead of bare T. Existing implementations need to wrap return values in Ok(...). Constructors (fn new) are unaffected.

This more closely matches the non-wit function calls which have errors that are returned.

Signed-off-by: James Sturtevant jsturtevant@gmail.com

@jsturtevant
fix: host_bindgen! returns Result instead of panicking on guest errors
97082c7 
The host_bindgen! macro generated export wrapper functions that would
    panic when Callable::call() returned Err (e.g., guest abort, trap,
    timeout). This crashed the host process.

Signed-off-by: James Sturtevant <jsturtevant@gmail.com>
@jsturtevant
Make project work in git worktrees
eadb9f1 
Signed-off-by: James Sturtevant <jsturtevant@gmail.com>
@jsturtevant jsturtevant force-pushed the rally/1316-host-bindgen-generated-code-panics-on-guest-error branch from 21ca91e to eadb9f1 Compare March 17, 2026 21:19
@jsturtevant jsturtevant added the kind/bugfix For PRs that fix bugs label Mar 17, 2026
ludfjig
ludfjig reviewed Mar 17, 2026
View reviewed changes
Copy link
Contributor

@ludfjig ludfjig left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think I am fine with this, but I suspect this is intentional. I think we generally want to avoid Result types as much as possible where it makes sense, but since this matches the current guest calling convention maybe let's defer that discussion to later

@jsturtevant
Copy link
Contributor Author

jsturtevant commented Mar 17, 2026

I think I am fine with this, but I suspect this is intentional. I think we generally want to avoid Result types as much as possible where it makes sense, but since this matches the current guest calling convention maybe let's defer that discussion to later

Open to other ways of addressing this I guess but a panic in the guest shouldn't panic this host. It seemed practical to match existing behavoir

@syntactically
Copy link
Member

syntactically commented Mar 18, 2026

I agree with @ludfjig that, generally speaking, the semantic gap of lifting everything from the interface into Option isn't particularly attractive. However, I do see the need to deal with errors that fundamentally can happen during execution on the host side.

Is there a reason that this is also applied to the host functions imported by the guest? I think that generally speaking it is the ability to export a function implementing an interface, but actually implement a different interface (i.e. one with more optionality) that is the most semantically damaging---so the implicit Results are particularly unattractive on guest->host function calls (and to some extent in the implementation of guest functions, although the ability to trap/panic/etc is perhaps equivalent). It seems like splitting this (so that host->guest function calls can return errors, but host functions can't be implemented by returning errors) is what is common in the prior art e.g. the wasmtime host bindgen. Is it just about continuing to be able to use the same trait for the import and export versions of an interface? Maybe a type parameter to track whether this is an imported or exported usage would make sense?

Let me know what you think about the usability of that. As I think about this more, from the wasm perspective especially, I do think that having the Results on host function calls is slightly unattractive, but it's not quite as bad as I would have guessed, since from wasm's perspective, a (wasm) import that's called always does in fact have the option of causing the entire world to be torn town via purposefully causing a trap, and this is perhaps in some ways similar behaviour.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ludfjig ludfjig ludfjig left review comments

@danbugs danbugs Awaiting requested review from danbugs danbugs is a code owner

@dblnz dblnz Awaiting requested review from dblnz dblnz is a code owner

@devigned devigned Awaiting requested review from devigned devigned is a code owner

@syntactically syntactically Awaiting requested review from syntactically syntactically is a code owner

@marosset marosset Awaiting requested review from marosset marosset is a code owner

@jprendes jprendes Awaiting requested review from jprendes jprendes is a code owner

@simongdavies simongdavies Awaiting requested review from simongdavies simongdavies is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

kind/bugfix For PRs that fix bugs

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

host_bindgen! generated code panics on guest errors instead of returning Result

3 participants

@jsturtevant @syntactically @ludfjig