Ecto error handling: let exceptions bubble up?

In Ecto programming, could this be described as an anti-pattern?

try do
  # Database operation
  Repo.some_operation(...)
rescue
  error ->
    Logger.error("Failed to do X: #{inspect(error)}")
    {:error, "Generic message"}  # ← System failure as business error
end

It seems like the answer is yes. I’m in the process of ripping out a bunch of this in a codebase.

FYI, Dialyzer's unmatched_return warning was the hint that I had a problem with my error handling. I'm a believer now.
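For anyone curious, here's a minimal sketch of enabling that check, assuming the dialyxir Mix integration (the app name and extra flag are placeholders):

# mix.exs (sketch): :unmatched_returns makes Dialyzer flag call sites that
# silently discard a function's {:ok, _} / {:error, _} result.
def project do
  [
    app: :my_app,            # placeholder
    version: "0.1.0",
    deps: deps(),
    dialyzer: [
      flags: [:unmatched_returns, :error_handling]
    ]
  ]
end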

EDIT: Here's ChatGPT o3-pro's answer to the question

Short answer – yes, it is an anti‑pattern.

Catching every exception that can bubble out of Repo.* and then returning a domain‑style {:error, …} tuple does more harm than good in most Elixir/Ecto codebases. Below is a breakdown of why it’s problematic and what to do instead.


1. What Ecto and Elixir’s “happy path” expect

| Condition | Non-bang call (Repo.insert/2, Repo.update/2, …) | Bang call (Repo.insert!/2, …) |
|---|---|---|
| Validation / constraint failure (expected business error) | {:error, %Ecto.Changeset{…}} | raises Ecto.InvalidChangesetError |
| DB connectivity, malformed SQL, serialization failure, etc. (system error) | raises (DBConnection.ConnectionError, Postgrex.Error, …) | raises (same) |

Take‑away:

  • Business failures are already represented by return tuples.
  • System failures are already raised.

You almost never need a rescue to tell them apart.
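To make the table concrete, here is a minimal sketch of both contracts (the User schema and its changeset validation are assumptions for illustration):

# Non-bang: an expected business failure comes back as data.
case Repo.insert(User.changeset(%User{}, %{"email" => nil})) do
  {:ok, user} -> {:ok, user}
  {:error, %Ecto.Changeset{} = changeset} -> {:error, changeset}
end

# Bang: the same bad changeset raises Ecto.InvalidChangesetError instead.
# Repo.insert!(User.changeset(%User{}, %{"email" => nil}))
#
# With either variant, an unreachable database raises
# DBConnection.ConnectionError – that failure is never returned as a tuple.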

2. Why wrapping raised system errors in a generic {:error, _} is harmful

  1. Loses signal. The caller can no longer discriminate between user-facing problems (e.g., "email already taken") and infrastructure problems (e.g., "couldn't reach the database"). They both look like {:error, "Generic message"}.
  2. Breaks fault tolerance. Elixir's supervision philosophy is "let it crash." A system error usually should crash the process so the supervisor can restart it (and you get a crash report with a stack trace). Converting it into an ordinary return value prevents that safety net.
  3. Hides the stack trace and root cause. You log inspect(error), but unless you also log __STACKTRACE__, you've lost the most useful bit. Even then, the caller still has no context.
  4. Encourages defensive coding everywhere else. Downstream functions must now handle phantom {:error, "Generic message"} tuples that were never in the Ecto contract, leading to boilerplate and accidental swallowing of real domain errors.

3. Better patterns

3.1 Use non‑bang APIs and pattern match

case Repo.insert(changeset) do
  {:ok, struct} ->
    {:ok, struct}

  {:error, %Ecto.Changeset{} = cs} ->
    {:error, cs}           # business error – propagate the changeset
end

If Repo.insert/2 raises (network down, bad migration, etc.), let it crash. Your supervisor, the Logger backend (or Sentry/AppSignal/etc.), and any retry strategy will handle the rest.

3.2 Use bang APIs inside supervised tasks

If you conceptually want “success or crash,” call the bang version in a short‑lived process you own (Task, GenServer handle‑call, etc.):

def create_user!(params) do
  changeset = User.changeset(%User{}, params)
  Repo.insert!(changeset)   # raises on infra failure OR bad changeset
end

The caller can choose whether to wrap that in try/rescue or link/monitor the task.
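For instance, here is a minimal sketch of the monitored-task option (MyApp.TaskSupervisor is an assumed supervisor name, started elsewhere in the application's supervision tree):

# The bang call runs in an isolated, supervised task; a crash there becomes
# an {:exit, reason} for this caller instead of taking it down.
def create_user_isolated(params) do
  task =
    Task.Supervisor.async_nolink(MyApp.TaskSupervisor, fn ->
      create_user!(params)
    end)

  case Task.yield(task, 5_000) || Task.shutdown(task) do
    {:ok, user} -> {:ok, user}
    {:exit, reason} -> {:error, reason}
    nil -> {:error, :timeout}
  end
end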

3.3 Translate only expected DB error codes

Occasionally you truly need to map a low‑level PG error to a domain error (e.g., unique‑violation for an idempotency key). Catch just that error and translate, preserving everything else:

try do
  Repo.insert!(row)
rescue
  e in Postgrex.Error ->
    if e.postgres.code == :unique_violation do
      {:error, :duplicate_key}
    else
      reraise e, __STACKTRACE__
    end
end

4. What to do with logging

  • Let your crash reporter or Logger backend capture uncaught errors globally.
  • Log business errors where they are handled (often in Phoenix controllers, Absinthe resolvers, or the calling service layer), not inside a blanket rescue.
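To illustrate that last point, here is a minimal controller sketch (Accounts.create_user/1, the route, and the :new template are assumed names, not from the thread):

# Handle the business error where it matters: the controller renders the
# changeset back to the user, while infrastructure errors are not rescued
# here and fall through to the framework's 500 handling and crash reporter.
def create(conn, %{"user" => user_params}) do
  case Accounts.create_user(user_params) do
    {:ok, user} ->
      redirect(conn, to: "/users/#{user.id}")

    {:error, %Ecto.Changeset{} = changeset} ->
      render(conn, :new, changeset: changeset)
  end
end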

5. When might rescuing be appropriate?

  1. External API timeout that you must degrade gracefully (still distinct from business logic).
  2. Known, isolated DB errors where retry or fallback is viable (e.g., transient serialization failures in a saga pattern).
  3. Migration scripts / mix tasks where you want the script to continue processing subsequent items.

Even there, rescue only the specific exception types you care about and keep the original Exception.message/1 so the operator can see what went wrong.
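For the mix-task case, a minimal sketch (import_row/1 is a made-up helper) of rescuing only the expected exception type while keeping the original message:

# Keep processing subsequent items, rescue only the specific exception type
# you expect, and preserve Exception.message/1 for the operator.
def import_all(rows) do
  Enum.each(rows, fn row ->
    try do
      import_row(row)
    rescue
      e in Postgrex.Error ->
        Logger.error("Skipping row #{inspect(row)}: #{Exception.message(e)}")
    end
  end)
end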


Bottom line

Rescuing all Repo.* exceptions and returning {:error, _} conflates system failures with domain logic, obscures diagnostics, and undercuts OTP supervision.

Prefer the natural Ecto contracts—pattern‑match on {:error, changeset} for business cases and let unexpected failures crash (or handle them narrowly).

Adopting this discipline keeps your codebase idiomatic, debuggable, and resilient.


Let it crash.

The only time I can think of when I catch Ecto errors like that is when I want an invalid UUID to be treated the same as a UUID that doesn't exist:

  # Overrides the generated Repo.one/2 in a module that calls `use Ecto.Repo`;
  # `super` invokes the default implementation.
  @impl true
  def one(query, opts \\ []) do
    super(query, opts)
  rescue
    err in Ecto.Query.CastError ->
      if err.type == Ecto.UUID or match?({:in, Ecto.UUID}, err.type) do
        Logger.warning("Received invalid UUID #{err.value} in query #{inspect(query)}")
        nil
      else
        reraise err, __STACKTRACE__
      end
  end

I never knew about super


If you need to do actual error handling (e.g. a web form) then pretty much all Ecto errors (coming from the DB) can be converted to Changeset errors.
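For example, a minimal sketch (assuming `import Ecto.Changeset` and made-up field/constraint names) of declaring constraints so the DB error comes back on the changeset:

# With the *_constraint calls in place, Repo.insert returns
# {:error, changeset} when the database rejects the row, instead of raising
# Ecto.ConstraintError.
def changeset(user, attrs) do
  user
  |> cast(attrs, [:email, :org_id])
  |> validate_required([:email])
  |> unique_constraint(:email)
  |> foreign_key_constraint(:org_id)
end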

Otherwise, yeah, just let it crash. You can catch the error and handle it like you have, but it’s probably best to do that as high up as possible. For example, Phoenix would display an error 500 page to the client for such a request, but that is done arbitrarily for every error so that it can cover as many “unknown unknown” bugs as possible. You probably don’t want to be using try blocks like this in every code path, only at the top. And even in that case you might want to use a process to isolate the work instead. It depends on what you’re doing.


The question you’re directly asking here has been thoroughly answered, and in fact it’s explicitly covered in Elixir docs, so you might want to give that whole section a read: Design-related anti-patterns — Elixir v1.18.4 (although personally I find that some of those issues are more stylistic decisions that come with tradeoffs than “genuine” anti-patterns).

But to go a bit further, since it sounds like you are new to the library… if you are getting exceptions from Ecto, something may have already gone wrong. As you can see from the docs, most Ecto operations do not raise by default; they return error tuples, so there is no exception to let bubble up or not, and you have to use a separate ! version of the function to get it to raise. So you may want to check that you are using the right API for your case. The operations that do raise errors "unexpectedly" mostly do so because the inputs are invalid (for example, if you pass in a value with a data type that doesn't match the DB field). In those cases you are missing some sort of validation higher up the call chain. If you want to provide more context about where you are running into this issue, we might be able to offer more specific advice.
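For instance, a minimal schemaless-changeset sketch (the field name is made up) of validating input higher up so a bad type becomes a changeset error instead of a raise at query time:

import Ecto.Changeset

# cast/3 reports the type mismatch as a changeset error up front,
# so the bad value never reaches the Repo.
changeset = cast({%{}, %{age: :integer}}, %{"age" => "not a number"}, [:age])

changeset.valid?
#=> false
changeset.errors
#=> [age: {"is invalid", [type: :integer, validation: :cast]}]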


To be fair there actually are quite a few DB features (mostly constraint-related) which raise by default unless you have the right validations in your changeset. It is actually covered in the docs here, but if you’re unfamiliar with Ecto and you try to work with constraints it’s easy to get the impression that the exceptions are meant to be handled.

One thing I like about the new (to Ecto) Repo.transact is that, combined with a with, it encourages you to handle errors functionally instead of using exceptions/rollbacks. Repo.transaction essentially relying on an exception/short-circuit style of error handling really wasn’t helping.
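A minimal sketch of that style (withdraw/2 and deposit/2 are made-up helpers, and this assumes Repo.transact rolls back and returns the tuple when the function yields {:error, _}):

# Each step returns {:ok, _} or {:error, _}; the first {:error, _}
# short-circuits the `with`, the transaction rolls back, and the caller gets
# the error tuple back – no exceptions, no explicit rollback call.
def transfer(from_id, to_id, amount) do
  Repo.transact(fn ->
    with {:ok, from} <- withdraw(from_id, amount),
         {:ok, to} <- deposit(to_id, amount) do
      {:ok, %{from: from, to: to}}
    end
  end)
end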

But there are some situations where exceptions are justified. For example, if you had a unique constraint for a username field you would want to handle that in the changeset so you can display helpful errors to the user. But if you had a constraint which would only be triggered by a vanishingly rare race condition, it might be a better idea to just crash on the grounds that any error handling path would essentially never be tested in practice and isn’t worth trying to maintain.