feat: CallError redesign

[lwshang]

Description

There are a few reason we need a redesign of the CallError:

• The previous design made it hard to get the RejectCode which is the most common used field to do error handling.
• There is an initiative to expose error_code in system API. To avoid breaking changes at that time, we start to include error_code now.

Error types

Aside from the CallError, I introduced SystemError. SystemError is a variant of CallError.

The error type of call_raw() and call_oneway() is SystemError. It implies that the call is rejected by the system.

pub struct SystemError {
    pub reject_code: RejectCode,
    pub reject_message: String,
    pub error_code: ErrorCode,
    pub sync: bool,
}

The error type of call() and call_tuple is CallError. They might also failed when decoding the reply.

pub enum CallError {
    CallRejected(SystemError),
    CandidDecodeFailed(String),
}

Error codes

Borrowed the ErrorCode implementation from pocket-ic.

How Has This Been Tested?

ic-cdk-timers internally make inter-canister calls to itself. The change there demonstrates that the error handling is simplified.

Checklist:

• The title of this PR complies with Conventional Commits.
• I have edited the CHANGELOG accordingly.
• I have made corresponding changes to the documentation.

[ericswanson-dfinity]

What's the purpose of having this 'pub' when the value is generally incorrect (from reject_to_error) and the error codes haven't been officially finalized?

[lwshang]

We can remove the pub for now. But when ic0.msg_error_code is officially supported, we will need to add back the pub. Then that will be a breaking change.

One alternative is to make the fields private and provide public getters. But that will harm the UX when users want to extract multiple fields.

After more thinking, I feel that the alternative approach above could be better. I will followup with Martin.

[mraszyk]

would it make sense to assert that the code is not zero?

[lwshang]

There is no need of assertion right? Since there is no variant for 0 now. And the RejectCode instances are constructed using TryFrom<u32> which will panic for 0.

[mraszyk]

And the RejectCode instances are constructed using TryFrom which will panic for 0.

I missed that panic which is actually dangerous - please see my other comment. Panicking in case of 0 makes sense though since 0 can never become a new reject code.

[mraszyk]

the reject message can also be produced by the system (canister stopped, out of cycles etc.) or come from crate::api::trap (including a wrapper by the system in case of traps)

[lwshang]

That's a typo.
I wanted to mention

[`msg_reject_msg`](crate::api::msg_reject_msg).

[mraszyk]

I'd recommend to stick to the current message:

• for the sake of backward-compatibility (no change in behavior)
• "failed to enqueue the call" sounds like the queue is the issue, but the failure could also be due to cycles (for instance)

[mraszyk]

if the heap memory is exhausted, the canister traps anyway

[mraszyk]

Could we define this as a string constant given that it is used at multiple places?

[mraszyk]

this unwrap could be dangerous for canisters with an outdated CDK version if the replica introduces a new reject code