[Fizz] Recover from errors thrown by progressive enhancement form generation

[sebmarkbage]

This a follow up to #28564. It's alternative to #28609 which takes #28610 into account.

It used to be possible to return JSX from an action with useActionState.

async function action(errors, payload) {
  "use server";
  try {
    ...
  } catch (x) {
    return <div>Error message</div>;
  }
}

const [errors, formAction] = useActionState(action);
return <div>{errors}</div>;

Returning JSX from an action is itself not anything problematic. It's that it also has to return the previous state to the action reducer again that's the problem. When this happens we accidentally could serialize an Element back to the server.

I fixed this in #28564 so it's now blocked if you don't have a temporary reference set.

However, you can't have that for the progressive enhancement case. The reply is eagerly encoded as part of the SSR render. Typically you wouldn't have these in the initial state so the common case is that they show up after the first POST back that yields an error and it's only in the no-JS case where this happens so it's hard to discover.

As noted in #28609 there's a security implication with allowing elements to be sent across this kind of payload, so we can't just make it work.

When an error happens during SSR our general policy is to try to recover on the client instead. After all, SSR is mainly a perf optimization in React terms and it's not primarily intended for a no JS solution.

This PR takes the approach that if we fail to generate the progressive enhancement payload. I.e. if the serialization of previous state / closures throw. Then we fallback to the replaying semantics just client actions instead which will succeed.

The effect of this is that this pattern mostly just works:

• First render in the typical case doesn't have any JSX in it so it just renders a progressive enhanced form.
• If JS fails to hydrate or you click early we do a form POST. If that hits an error and it tries to render it using JSX, then the new page will render successfully - however this time with a Replaying form instead.
• If you try to submit the form again it'll have to be using JS.

Meaning if you use JSX as the error return value of form state and you make a first attempt that fails, then no JS won't work because either the first or second attempt has to hydrate.

We have ideas for potentially optimizing away serializing unused arguments like if you don't actually use previous state which would also solve it but it wouldn't cover all cases such as if it was deeply nested in complex state.

Another approach that I considered was to poison the prev state if you passed an element back but let it through to the action but if you try to render the poisoned value, it wouldn't work. The downside of this is when to error. Because in the progressive enhancement case it wouldn't error early but when you actually try to invoke it at which point it would be too late to fallback to client replaying. It would probably have to always error even on the client which is unfortunate since this mostly just works as long as it hydrates.

[react-sizebot]

Comparing: a493901...5ba7fda

Critical size changes

Includes critical production bundles, as well as any change greater than 2%:

Name	+/-	Base	Current	+/- gzip	Base gzip	Current gzip
oss-stable/react-dom/cjs/react-dom.production.min.js	=	176.84 kB	176.84 kB	=	54.92 kB	54.92 kB
oss-experimental/react-dom/cjs/react-dom.production.min.js	=	173.27 kB	173.27 kB	=	54.04 kB	54.04 kB
facebook-www/ReactDOM-prod.classic.js	=	594.30 kB	594.30 kB	=	104.45 kB	104.45 kB
facebook-www/ReactDOM-prod.modern.js	=	577.56 kB	577.56 kB	=	101.48 kB	101.48 kB
test_utils/ReactAllWarnings.js	Deleted	66.48 kB	0.00 kB	Deleted	16.26 kB	0.00 kB

Significant size changes

Includes any change greater than 0.2%:

Expand to show

Name	+/-	Base	Current	+/- gzip	Base gzip	Current gzip
test_utils/ReactAllWarnings.js	Deleted	66.48 kB	0.00 kB	Deleted	16.26 kB	0.00 kB

Generated by 🚫 dangerJS against 5ba7fda

[gnoff]

What was the old behavior if processReply errored? These changes make sense for the stated use case but could processReply error in a way where we wouldn't want the client action wait for hydration style treatement on SSR?

[sebmarkbage]

It used to just error the SSR render - which itself is just a client-render to recover so not really that different.

The nice thing about that is that if your previous state or closure contains something non-serializable it would give you an early hint that IF you submitted the form it would error. Now that happens after submitting.

In principle we could in DEV or something eagerly serialize these on the client to see if it would've failed on the client too early.

But in general it's just going to error when you try to invoke the form instead.

However, since most things with temporary references is serializable anyway we don't really error for anything other than if like a promise we're trying to serialize rejects (which should arguably error on the server instead as discussed before - if we wanted to support streaming replies). More likely the server will error when you try to inspect a Reference.

[gnoff]

Should we brand the temporaryReferenceSet errors so we can treat them passively like this but let the other errors error the SSR render?

[sebmarkbage]

Other than the promise thing - which should probably be serialized as an error instead. Any other error is really a bug in the serialization and it seems better to fallback in that case anyway.

Regardless it seems like it's better in production to fallback to client handling just for the form than client handling for the whole page.

[gnoff]

Maybe we only passively ignore the temporaryReferenceSet errors. but we can decide independent of landing since the existing semantics are preserved just we move where the error is encountered