[Python-ideas] PEP 3151: Reworking the OS and IO exception hierarchy

Antoine Pitrou solipsis at pitrou.net
Wed Jul 21 21:34:12 CEST 2010


I would like to propose the following PEP for feedback and review.
Permanent link to up-to-date version with proper HTML formatting:

Thank you,


PEP: 3151
Title: Reworking the OS and IO exception hierarchy
Version: $Revision: 83042 $
Last-Modified: $Date: 2010-07-21 21:16:49 +0200 (mer. 21 juil. 2010) $
Author: Antoine Pitrou <solipsis at pitrou.net>
Status: Draft
Type: Standards Track
Content-Type: text/x-rst
Created: 2010-07-21
Python-Version: 3.2 or 3.3
Resolution: TBD


The standard exception hierarchy is an important part of the Python
language.  It has two defining qualities: it is both generic and
selective.  Generic in that the same exception type can be raised
- and handled - regardless of the context (for example, whether you are
trying to add something to an integer, to call a string method, or to write
an object on a socket, a TypeError will be raised for bad argument types).
Selective in that it allows the user to easily handle (silence, examine,
process, store or encapsulate...) specific kinds of error conditions
while letting other errors bubble up to higher calling contexts.  For
example, you can choose to catch ZeroDivisionErrors without affecting
the default handling of other ArithmeticErrors (such as OverflowErrors).

This PEP proposes changes to a part of the exception hierarchy in
order to better embody the qualities mentioned above: the errors
related to operating system calls (OSError, IOError, select.error, and
all their subclasses).


Confusing set of OS-related exceptions

OS-related (or system call-related) exceptions are currently a diversity
of classes, arranged in the following subhierarchies::

    +-- EnvironmentError
        +-- IOError
            +-- io.BlockingIOError
            +-- io.UnsupportedOperation (also inherits from ValueError)
            +-- socket.error
        +-- OSError
            +-- WindowsError
        +-- mmap.error
    +-- select.error

While some of these distinctions can be explained by implementation
considerations, they are often not very logical at a higher level.  The
line separating OSError and IOError, for example, is often blurry.  Consider
the following::

    >>> os.remove("fff")
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
    OSError: [Errno 2] No such file or directory: 'fff'
    >>> open("fff")
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
    IOError: [Errno 2] No such file or directory: 'fff'

The same error condition (a non-existing file) gets cast as two different
exceptions depending on which library function was called.  The reason
for this is that the ``os`` module exclusively raises OSError (or its
subclass WindowsError) while the ``io`` module mostly raises IOError.
However, the user is interested in the nature of the error, not in which
part of the interpreter it comes from (since the latter is obvious from
reading the traceback message or application source code).

In fact, it is hard to think of any situation where OSError should be
caught but not IOError, or the reverse.

A further proof of the ambiguity of this segmentation is that the standard
library itself sometimes has problems deciding.  For example, in the
``select`` module, similar failures will raise either ``select.error``,
``OSError`` or ``IOError`` depending on whether you are using select(),
a poll object, a kqueue object, or an epoll object.  This makes user code
uselessly complicated since it has to be prepared to catch various
exception types, depending on which exact implementation of a single
primitive it chooses to use at runtime.

As for WindowsError, it seems to be a pointless distinction.  First, it
only exists on Windows systems, which requires tedious compatibility code
in cross-platform applications (such code can be found in ``Lib/shutil.py``).
Second, it inherits from OSError and is raised for similar errors as OSError
is raised for on other systems. Third, the user wanting access to low-level
exception specifics has to examine the ``errno`` or ``winerror`` attribute

Lack of fine-grained exceptions

The current variety of OS-related exceptions doesn't allow the user to filter
easily for the desired kinds of failures.  As an example, consider the task
of deleting a file if it exists.  The Look Before You Leap (LBYL) idiom
suffers from an obvious race condition::

    if os.path.exists(filename):

If a file named as ``filename`` is created by another thread or process
between the calls to ``os.path.exists`` and ``os.remove``, it won't be
deleted.  This can produce bugs in the application, or even security issues.

Therefore, the solution is to try to remove the file, and ignore the error
if the file doesn't exist (an idiom known as Easier to Ask Forgiveness
than to get Permission, or EAFP).  Careful code will read like the following
(which works under both POSIX and Windows systems)::

    except OSError as e:
        if e.errno != errno.ENOENT:

or even::

    except EnvironmentError as e:
        if e.errno != errno.ENOENT:

This is a lot more to type, and also forces the user to remember the various
cryptic mnemonics from the ``errno`` module.  It imposes an additional
cognitive burden and gets tiresome rather quickly.  Consequently, many
programmers will instead write the following code, which silences exceptions
too broadly::

    except OSError:

``os.remove`` can raise an OSError not only when the file doesn't exist,
but in other possible situations (for example, the filename points to a
directory, or the current process doesn't have permission to remove
the file), which all indicate bugs in the application logic and therefore
shouldn't be silenced.  What the programmer would like to write instead is
something such as::

    except FileNotFound:

Compatibility strategy

Reworking the exception hierarchy will obviously change the exact semantics
of at least some existing code.  While it is not possible to improve on the
current situation without changing exact semantics, it is possible to define
a narrower type of compatibility, which we will call **useful compatibility**,
and define as follows:

* *useful compatibility* doesn't make exception catching any narrower, but
  it can be broader for *naïve* exception-catching code.  Given the following
  kind of snippet, all exceptions caught before this PEP will also be
  caught after this PEP, but the reverse may be false::
      except OSError:

* *useful compatibility* doesn't alter the behaviour of *careful*
  exception-catching code.  Given the following kind of snippet, the same
  errors should be silenced or reraised, regardless of whether this PEP
  has been implemented or not::

      except OSError as e:
          if e.errno != errno.ENOENT:

The rationale for this compromise is that careless (or "naïve") code
can't really be helped, but at least code which "works" won't suddenly
raise errors and crash.  This is important since such code is likely to
be present in scripts used as cron tasks or automated system administration

Careful code should not be penalized.

Step 1: coalesce exception types

The first step of the resolution is to coalesce existing exception types.
The extent of this step is not yet fully determined.  A number of possible
changes are listed hereafter:

* alias both socket.error and select.error to IOError
* alias mmap.error to OSError
* alias IOError to OSError
* alias WindowsError to OSError

Each of these changes doesn't preserve exact compatibility, but it does
preserve *useful compatibility* (see "compatibility" section above).

Not only does this first step present the user a simpler landscape, but
it also allows for a better and more complete resolution of step 2
(see "Prerequisite" below).

Deprecation of names

It is not yet decided whether the old names will be deprecated (then removed)
or all alternative names will continue living in the root namespace.
Deprecation of names from the root namespace presents some implementation
challenges, especially where performance is important.

Step 2: define additional subclasses

The second step of the resolution is to extend the hierarchy by defining
subclasses which will be raised, rather than their parent, for specific
errno values.  Which errno values is subject to discussion, but a survey
of existing exception matching practices (see Appendix A) helps us
propose a reasonable subset of all values.  Trying to map all errno
mnemonics, indeed, seems foolish, pointless, and would pollute the root

Furthermore, in a couple of cases, different errno values could raise
the same exception subclass.  For example, EAGAIN, EALREADY, EWOULDBLOCK
and EINPROGRESS are all used to signal that an operation on a non-blocking
socket would block (and therefore needs trying again later).  They could
therefore all raise an identical subclass and let the user examine the
``errno`` attribute if (s)he so desires (see below "exception


Step 1 is a loose prerequisite for this.

Prerequisite, because some errnos can currently be attached to different
exception classes: for example, EBADF can be attached to both OSError and
IOError, depending on the context.  If we don't want to break *useful
compatibility*, we can't make an ``except OSError`` (or IOError) fail to
match an exception where it would succeed today.

Loose, because we could decide for a partial resolution of step 2
if existing exception classes are not coalesced: for example, EBADF could
raise a hypothetical BadFileDescriptor where an IOError was previously
raised, but continue to raise OSError otherwise.

The dependency on step 1 could be totally removed if the new subclasses
used multiple inheritance to match with all of the existing superclasses
(or, at least, OSError and IOError, which are arguable the most prevalent
ones).  It would, however, make the hierarchy more complicated and
therefore harder to grasp for the user.

New exception classes

The following tentative list of subclasses, along with a description and
the list of errnos mapped to them, is submitted to discussion:

* ``FileAlreadyExists``: trying to create a file or directory which already
  exists (EEXIST)

* ``FileNotFound``: for all circumstances where a file and directory is
  requested but doesn't exist (ENOENT)

* ``IsADirectory``: file-level operation (open(), os.remove()...) requested
  on a directory (EISDIR)

* ``NotADirectory``: directory-level operation requested on something else

* ``PermissionDenied``: trying to run an operation without the adequate access
  rights - for example filesystem permissions (EACCESS, optionally EPERM)

* ``BlockingIOError``: an operation would block on an object (e.g. socket) set
  for non-blocking operation (EAGAIN, EALREADY, EWOULDBLOCK, EINPROGRESS);
  this is the existing ``io.BlockingIOError`` with an extended role

* ``BadFileDescriptor``: operation on an invalid file descriptor (EBADF);
  the default error message could point out that most causes are that
  an existing file descriptor has been closed

* ``ConnectionAborted``: connection attempt aborted by peer (ECONNABORTED)

* ``ConnectionRefused``: connection reset by peer (ECONNREFUSED)

* ``ConnectionReset``: connection reset by peer (ECONNRESET)

* ``TimeoutError``: connection timed out (ECONNTIMEOUT); this could be re-cast
  as a generic timeout exception, useful for other types of timeout (for
  example in Lock.acquire())

This list assumes step 1 is accepted in full; the exception classes
described above would all derive from the now unified exception type
OSError.  It will need reworking if a partial version of step 1 is accepted
instead (again, see appendix A for the current distribution of errnos
and exception types).

Exception attributes

In order to preserve *useful compatibility*, these subclasses should still
set adequate values for the various exception attributes defined on the
superclass (for example ``errno``, ``filename``, and optionally


Since it is proposed that the subclasses are raised based purely on the
value of ``errno``, little or no changes should be required in extension
modules (either standard or third-party).  As long as they use the
``PyErr_SetFromErrno()`` family of functions (or the
``PyErr_SetFromWindowsErr()`` family of functions under Windows), they
should automatically benefit from the new, finer-grained exception classes.

Library modules written in Python, though, will have to be adapted where
they currently use the following idiom (seen in ``Lib/tempfile.py``)::

    raise IOError(_errno.EEXIST, "No usable temporary file name found")

Fortunately, such Python code is quite rare since raising OSError or IOError
with an errno value normally happens when interfacing with system calls,
which is usually done in C extensions.

If there is popular demand, the subroutine choosing an exception type based
on the errno value could be exposed for use in pure Python.

Possible objections

Namespace pollution

Making the exception hierarchy finer-grained makes the root (or builtins)
namespace larger.  This is to be moderated, however, as:

* only a handful of additional classes are proposed; 

* while standard exception types live in the root namespace, they are
  visually distinguished by the fact that they use the CamelCase convention,
  while almost all other builtins use lowercase naming (except True, False,
  None, Ellipsis and NotImplemented)

An alternative would be to provide a separate module containing the
finer-grained exceptions, but that would defeat the purpose of
encouraging careful code over careless code, since the user would first
have to import the new module instead of using names already accessible.

Earlier discussion

While this is the first time such as formal proposal is made, the idea
has received informal support in the past [1]_; both the introduction
of finer-grained exception classes and the coalescing of OSError and

The removal of WindowsError alone has been discussed and rejected
as part of another PEP [2]_, but there seemed to be a consensus that the
distinction with OSError wasn't meaningful.  This supports at least its
aliasing with OSError.


The moratorium in effect on language builtins means this PEP has little
chance to be accepted for Python 3.2.

Possible alternative

Pattern matching

Another possibility would be to introduce an advanced pattern matching
syntax when catching exceptions.  For example::

    except OSError as e if e.errno == errno.ENOENT:

Several problems with this proposal:

* it introduces new syntax, which is perceived by the author to be a heavier
  change compared to reworking the exception hierarchy
* it doesn't decrease typing effort significantly
* it doesn't relieve the programmer from the burden of having to remember
  errno mnemonics

Exceptions ignored by this PEP

This PEP ignores ``EOFError``, which signals a truncated input stream in
various protocol and file format implementations (for example ``GzipFile``).
``EOFError`` is not OS- or IO-related, it is a logical error raised at
a higher level.

This PEP also ignores ``SSLError``, which is raised by the ``ssl`` module
in order to propagate errors signalled by the ``OpenSSL`` library.  Ideally,
``SSLError`` would benefit from a similar but separate treatment since it
defines its own constants for error types (``ssl.SSL_ERROR_WANT_READ``,

Appendix A: Survey of common errnos

This is a quick recension of the various errno mnemonics checked for in
the standard library and its tests, as part of ``except`` clauses.

Common errnos with OSError

* ``EBADF``: bad file descriptor (usually means the file descriptor was

* ``EEXIST``: file or directory exists

* ``EINTR``: interrupted function call

* ``EISDIR``: is a directory

* ``ENOTDIR``: not a directory

* ``ENOENT``: no such file or directory

* ``EOPNOTSUPP``: operation not supported on socket
  (possible confusion with the existing io.UnsupportedOperation)

* ``EPERM``: operation not permitted (when using e.g. os.setuid())

Common errnos with IOError

* ``EACCES``: permission denied (for filesystem operations)

* ``EBADF``: bad file descriptor (with select.epoll); read operation on a
  write-only GzipFile, or vice-versa

* ``EBUSY``: device or resource busy

* ``EISDIR``: is a directory (when trying to open())

* ``ENODEV``: no such device

* ``ENOENT``: no such file or directory (when trying to open())

* ``ETIMEDOUT``: connection timed out

Common errnos with socket.error

All these errors may also be associated with a plain IOError, for example
when calling read() on a socket's file descriptor.

* ``EAGAIN``: resource temporarily unavailable (during a non-blocking socket
  call except connect())

* ``EALREADY``: connection already in progress (during a non-blocking

* ``EINPROGRESS``: operation in progress (during a non-blocking connect())

* ``EINTR``: interrupted function call

* ``EISCONN``: the socket is connected

* ``ECONNABORTED``: connection aborted by peer (during an accept() call)

* ``ECONNREFUSED``: connection refused by peer

* ``ECONNRESET``: connection reset by peer

* ``ENOTCONN``: socket not connected

* ``ESHUTDOWN``: cannot send after transport endpoint shutdown

* ``EWOULDBLOCK``: same reasons as ``EAGAIN``

Common errnos with select.error

* ``EINTR``: interrupted function call

Appendix B: Survey of raised OS and IO errors

Interpreter core

Handling of PYTHONSTARTUP raises IOError (but the error gets discarded)::

    $ PYTHONSTARTUP=foox ./python
    Python 3.2a0 (py3k:82920M, Jul 16 2010, 22:53:23) 
    [GCC 4.4.3] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    Could not open PYTHONSTARTUP
    IOError: [Errno 2] No such file or directory: 'foox'

``PyObject_Print()`` raises IOError when ferror() signals an error on the
`FILE *` parameter (which, in the source tree, is always either stdout or

Unicode encoding and decoding using the ``mbcs`` encoding can raise
WindowsError for some error conditions.

Standard library


Raises IOError throughout (OSError is unused)::

    >>> bz2.BZ2File("foox", "rb")
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
    IOError: [Errno 2] No such file or directory
    >>> bz2.BZ2File("LICENSE", "rb").read()
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
    IOError: invalid data stream
    >>> bz2.BZ2File("/tmp/zzz.bz2", "wb").read()
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
    IOError: file is not ready for reading


Not examined.

dbm.gnu, dbm.ndbm

_dbm.error and _gdbm.error inherit from IOError::

    >>> dbm.gnu.open("foox")
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
    _gdbm.error: [Errno 2] No such file or directory


Raises IOError throughout (OSError is unused).

imp module

Raises IOError for bad file descriptors::

    >>> imp.load_source("foo", "foo", 123)
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
    IOError: [Errno 9] Bad file descriptor

io module

Raises IOError when trying to open a directory under Unix::

    >>> open("Python/", "r")
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
    IOError: [Errno 21] Is a directory: 'Python/'

Raises IOError or io.UnsupportedOperation (which inherits from the former)
for unsupported operations::

    >>> open("LICENSE").write("bar")
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
    IOError: not writable
    >>> io.StringIO().fileno()
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
    io.UnsupportedOperation: fileno
    >>> open("LICENSE").seek(1, 1)
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
    IOError: can't do nonzero cur-relative seeks

Raises either IOError or TypeError when the inferior I/O layer misbehaves
(i.e. violates the API it is expected to implement).

Raises IOError when the underlying OS resource becomes invalid::

    >>> f = open("LICENSE")
    >>> os.close(f.fileno())
    >>> f.read()
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
    IOError: [Errno 9] Bad file descriptor

...or for implementation-specific optimizations::

    >>> f = open("LICENSE")
    >>> next(f)
    >>> f.tell()
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
    IOError: telling position disabled by next() call

Raises BlockingIOError (inheriting from IOError) when a call on a non-blocking
object would block.


Undex Unix, raises its own ``mmap.error`` (inheriting from EnvironmentError)

    >>> mmap.mmap(123, 10)
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
    mmap.error: [Errno 9] Bad file descriptor
    >>> mmap.mmap(os.open("/tmp", os.O_RDONLY), 10)
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
    mmap.error: [Errno 13] Permission denied

Under Windows, however, it mostly raises WindowsError (the source code
also shows a few occurrences of ``mmap.error``)::

    >>> fd = os.open("LICENSE", os.O_RDONLY)
    >>> m = mmap.mmap(fd, 16384)
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
    WindowsError: [Error 5] Accès refusé
    >>> sys.last_value.errno
    >>> errno.errorcode[13]

    >>> m = mmap.mmap(-1, 4096)
    >>> m.resize(16384)
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
    WindowsError: [Error 87] Paramètre incorrect
    >>> sys.last_value.errno
    >>> errno.errorcode[22]


Not examined.

os / posix

The ``os`` (or ``posix``) module raises OSError throughout, except under
Windows where WindosError can be raised instead.


Raises IOError throughout (OSError is unused)::

    >>> ossaudiodev.open("foo", "r")
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
    IOError: [Errno 2] No such file or directory: 'foo'


Raises IOError in various file-handling functions::

    >>> readline.read_history_file("foo")
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
    IOError: [Errno 2] No such file or directory
    >>> readline.read_init_file("foo")
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
    IOError: [Errno 2] No such file or directory
    >>> readline.write_history_file("/dev/nonexistent")
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
    IOError: [Errno 13] Permission denied


* select() and poll objects raise ``select.error``, which doesn't inherit from
  anything (but poll.modify() raises IOError);
* epoll objects raise IOError;
* kqueue objects raise both OSError and IOError.


``signal.ItimerError`` inherits from IOError.


``socket.error`` inherits from IOError.


``sys.getwindowsversion()`` raises WindowsError with a bogus error number
if the ``GetVersionEx()`` call fails.


Raises IOError for internal errors in time.time() and time.sleep().


zipimporter.get_data() can raise IOError.


.. [1] "IO module precisions and exception hierarchy"

.. [2] Discussion of "Removing WindowsError" in PEP 348


This document has been placed in the public domain.

   Local Variables:
   mode: indented-text
   indent-tabs-mode: nil
   sentence-end-double-space: t
   fill-column: 70
   coding: utf-8

More information about the Python-ideas mailing list