Panic within a handler should return an HTTP 500

[sazzer]

(Apologies if this is already covered anywhere. I did look and couldn't find anything, but I may very well have missed it!)

Expected Behavior

If anything goes catastrophically wrong within a handler, it would be good to return an HTTP 500 response to the client.

Even better would be the option to customize what the error response is.

Current Behavior

Currently, the server just hangs up the network connection.
It does not seem to break the threading - I can make many more panicking requests to the server than it is running threads and they all connect just fine. I just don't get a decent error.

Steps to Reproduce (for bugs)

1. Write a handler
2. Call - e.g. unwrap() on an Err value from within the handler

Context

There are certain classes of errors that are catastrophic in nature. For example, the database not being present. Adding deliberate error propagation for these scenarios only serves to bloat the codebase - all of a sudden I've got to propagate the errors all the way from the bottom layer up to the handlers in order to return an error.

Alternatively, I can just not care about these. Just call pool.get().await.unwrap() to get a connection from the connection pool, for example. If I get a connection then that's great. If I don't then I have a catastrophic failure on my hands anyway, so panicking isn't unreasonable.

I could wrap every single handler in panic::catch_unwind() and handle it myself, but this is then a lot of duplication of effort, and has the need to return appropriate catastrophic errors from every handler. (I'm also not sure how to use catch_unwind in an async context, but that's my problem :) )

Alternatively, if Actix-web can do this then it only needs to be done once, and can have guaranteed consistent responses no matter which handler had the problem.

Obviously, this should only apply to actual catastrophic failures. Business errors, validation errors, etc are the domain of the application and not of Actix-web and should remain as such.

Your Environment

• Rust Version (I.e, output of rustc -V): rustc 1.45.0-nightly (a08c47310 2020-05-07)
• Actix Web Version:

-> % cargo tree | grep actix
├── actix-cors v0.2.0
├── actix-http v1.0.1 (*)
├── actix-rt v1.1.1 (*)
├── actix-web v2.0.0 (*)

[robjtede]

I would argue that terminating a connection is a suitable response to a handler panic. You should endevor to employ proper error handling at all levels. Things that return a Result do so because their errors are recoverable and should be either handled or bubbled.

Using pool.get().await is certainly common in handler code. Taking advantage of the ? operator is the best and cleanest way to handle this pool.get().await? where your handler's Error type impls From<PoolError> and can be converted to an error response (eg impl actix_web::ResponseError). There a plethora of error helper crates to make this pattern clean and easy to implement but using a plain global error enum with manual impls is also reasonably simple.

On catch_unwind, trying to employ a system that relies on catch_unwind has all sorts of gotchas including considerations of things that are or are not unwind-safe; it is not equivalent to try-catch in other languages that are built to handle clean up.

[sazzer]

I appreciate that catch_unwind is not a trivial thing to go for, and that it's not an equivalent to try/catch in other languages.

However, I'm also not suggesting that this is something to do lightly. You're absolutely right that returning a Result and using the ? operator is correct behaviour most of the time. But I'm not convinced it's correct behaviour all of the time.

Specifically I am talking about things that really are catastrophic failures. Things like talking to a database that just isn't there. Not reading a database record that is not found, but the entire database being inaccessible.

And yes, this can be done using Result and propagating an error value. That works, but it gets very tedious and repetitive when you have a multi-layered architecture. For example, in my app right now I'm following the Clean Architecture pattern (Which works remarkably well in Rust), which means I have:

• Handler function lookup_username() -> impl Responder
• Calls UserService.lookup_username() -> bool
• Calls UserRepository.find_user_by_username() -> Option<UserModel>
• Calls Database.checkout() -> PooledConnection (Where Database is a wrapper around bb8)
• Calls Pool.get() -> Result<PooledConnection, Error>

Right now, this works great. And the only way this can at all fail is in a catastrophic sense. If the database is missing, or the schema is corrupt. Anything else will cause a graceful result to be returned and all is good. (This design was based on reading around in blog posts, the Rust Book and The Rustonomicon.)

Now, I could return a Result here. That would mean that every step of the way I've got to have a Result type, with an appropriate Error type for that level - bearing in mind that other calls through could have business errors involved as well, so you'd now be mixing these catastrophic failures with normal business errors - and then have to handle it in every single handler function to correctly return an HTTP 500 indicating that something was seriously wrong.

As such, it seemed reasonable to have this level of handling be something that was more common and shared so that everyone can benefit automatically. :)

Since these are the level of errors that means that everything is broken anyway, I'm not totally invested in whether it is decided to go ahead with this or not. If you still deem it better to leave it alone then you are significantly more experienced than I am and I bow to that wisdom :)

Cheers

[Lesiuk]

I am writing my code without using any panics but some external libraries are using panics in some cases so returning 500 if it happens should be better idea than just closing connection. I will research this possibility (https://docs.rs/futures/0.3.5/futures/future/trait.FutureExt.html#method.catch_unwind) this weekend and maybe create my first PR.

[robjtede]

Anyone from @actix/contributors got experiences or opinions on handler panicking?

[Dowwie]

I'm sorry but I don't suppose this proposal. Rust offers first-class error handling to manage this situation. Impress upon the authors of 3rd party libraries to manage errors rather than panic.

[robjtede]

@sazzer if you want the feeling of throwing from functions this crate gets you pretty close to the syntax: https://docs.rs/fehler/1.0.0/fehler/attr.throws.htm

[fafhrd91]

catch unwind is not possible with actix, period.

[sazzer]

@robjtede It's not that I want exceptions or throws. I actually like the Result<> handling that Rust gives us (Despite coming from a predominantly overwhelming Java background!)

What I wasn't keen on was the need to do that for error conditions that are truly catastrophic, and that wouldn't need to have a Result<> return for any reason other than this catastrophic case.

For example, my case above with "lookup_username". Assuming that the database is present, the network is working and the schema is valid, this can not fail. Putting in multiple levels of Result<> to handle a case that should never happen just feels like busywork for no real benefit. That's why I've got it panicking in that case - if the database isn't there then there really is nothing that can be done within the code to deal with that. (As opposed to, for example, trying to persist a record with a duplicate username which really should return a Result<> since that's an error that is expected and can be handled)

However, based on the comment from @fafhrd91 that turned up as I was typing this, it's all a non-starter anyway so I'm going to shut up now :)

Cheers

[mamcx]

Exist another very simple reason to support this.

Is the expected behavior. Specially on development, where the browser IS the main interface.

In any other web framework I have used (in .net, python, delphi,...) is how things are done. To the point that when this happened to me, I was wonder why?? Is something I haven't done?.

Exist many quality-of-life stuff that come for "free" in things like https://flask.palletsprojects.com/ that in actix and other rust frameworks are "missing".

I'm totally 100% in agreement that this must be done with correctness in mind. This is what I have bet on rust for rewrite a very large .net web backend, and the payoff is very good. But also I think that provide this small touches (maybe as additions or as part of "extras" crate or something like) will make rust even more attractive to the crow of python/.net/ruby...

[fafhrd91]

This is not matter of new feature. This is just not possible

[Lesiuk]

@fafhrd91 Could you explain us why catch_unwind don't work for actix so we all can learn something? Just curious.

[fafhrd91]

Did you check definition?

[onelson]

I was about to write a thoughtful response to this, but #1501 (comment) pretty much sums up my point of view.

Signaling failure with Result is a win-win and is well supported. 90% of my error handling code comes in the form of an impl actix_web::ResponseError. At that point, my handler code uses ? to focus on the "happy path" and the rest is automatic.

Using things like catch_unwind in my mind is a last resort, probably most useful in stuff like test runners or what have you.

[robjtede]

From std::panic::catch_unwind docs:

It is not recommended to use this function for a general try/catch mechanism.

From futures::future::FutureExt::catch_unwind docs:

It's not recommended to use this for error handling.

From the Rust book ch 9.3:

When code panics, there’s no way to recover.

From the edition guide:

Panics thus abort execution up to some "isolation boundary", with code on the other side of the boundary still able to run, and perhaps to "recover" from the panic in some very coarse-grained way.

Fundamentally, panicking is Rust's solution to prevent memory errors/corruption and generally prevent invalid states in situations where recovery is not possible. Such cases are exceeding rare in HTTP request handling, therefore Result should be used where possible.

The "isolation boundary" should be well defined and not let states become invalid. In the case of actix-web, since workers are naturally isolated by their arbiter/thread, it is sensible for that boundary to be the thread and nothing more granular.