ctxgroup,*: catch panics when using workers in jobs

[ajwerner]

Is your feature request related to a problem? Please describe.

In light of #58164 / #62243 and general prevailing winds that crashing the process is bad, we should be more proactive to catch panics when spinning off helper goroutines when operating underneath jobs or query execution. Already the initial goroutine in those settings is set up to recover from panics; it feels wrong to not give the same treatment to goroutines launched by those goroutines. The stopper too has long-ago been endowed with support to recover from such panics and send valuable information in the form of sentry reports.

The use of ctxgroup is largely confined to jobs at the time of writing. Other parts of the codebase have a stronger tendency towards using the stopper directly (for better or for worse).

Describe the solution you'd like

I'm not sure how heavy-handed to be on this topic with this issue. As a first pass, I'd like there to be some feature that makes it easy for me to gain peace of mind that panics will be translated in a uniform way. What I propose is a new method GoSafe (🚲🏠 on the name) which takes an opName as a redact.SafeString that looks like this:

func (g Group) GoCtxSafe(op redact.SafeString, f func(context.Context) error) {
	g.wrapped.Go(func() (err error) {
		defer func() {
			switch r := recover().(type) {
			case nil:
				return
			case error:
				err = errors.Wrapf(r, "failed to %s", op)
			default:
				err = errors.AssertionFailedf("failed to %s: %v", op, r)
			}
		}()
		return f(g.ctx)
	})
}

Describe alternatives you've considered

I think there's an argument to be made that just adding the above method doesn't go far enough. Instead we should make this the only way and go and audit all existing calls. That transition could be made over some time by first adding the new one method, updating the old ones, and then renaming.

Another question is how and whether this should get hooked directly into sentry reporting. My 2c is no, it shouldn't. We should rely on existing error propagation to bring the error up to the right point in the call stack where a report will be generated if the error is an assertion failure. That said, should all panic'd errors be treated that way? I can certainly imagine use cases where panics are used soundly at API boundaries to propagate errors and unwind the stack cleanly. In those cases, it'd be a bummer to have the error marked as an assertion failure. I think I'd see some logic in letting the user control that behavior on the group itself, but making it an option where the default is to mark all panics, even of errors, as assertion failures.

On the note about reporting, we should confirm that assertion failures returned from jobs get reported.

Additional context

Some motivation follows from #76715 (comment).

Jira issue: CRDB-13253

[dt]

My vote would be to just be heavy handed and do this across the board: make the existing GoCtx always defer a recover and return panics as errors.

Almost all our panics are we hit in bulk code are either NPEs or slice index OOB, which are bugs in some job's code that prevent that job from completing successfully, but generally don't call for killing the whole process; if someone really wants to tear down the proc because we've strayed out of safe operation, we already say elsewhere you gotta use log.fatal for that instead. Unless the overhead of the defer is significant, I'd just do it for all existing users and map them to errors.

[dt]

The addition of op to label the error seems like a separate question from whether we should recover panics and return them as errors.

If we're going to do that, think we should Wrap() any error that came from that GoCtx()'s func with the op label, whether the func returned it or it came from a recovered panic. I'm sure wrapping with op labels that identify which worker error'ed would be useful to us when debugging, but I suspect the op names will probably not be very end-user friendly. I guess that's one reason not to label if a returned error is intended for an end user, where the wrap label would just clutter it up / create confusion. Hmm.

[dt]

Maybe we should sniff the error type and wrap it with the op label unless it is already a pgerror (which could be inferred to mean its creator has already decided how to present it to the user)?

[blathers-crl]

cc @cockroachdb/bulk-io

[erikgrinaker]

My vote would be to just be heavy handed and do this across the board: make the existing GoCtx always defer a recover and return panics as errors.

We've had discussions about this further down the stack, e.g. during Raft application and such, and concluded that we really don't want to recover from panics and keep running with potentially inconsistent state. I think it's fine to do it for auxiliary functionality, but we should be deliberate about when it's safe to do so, and it should be opt-in such that we'll err on the side of correctness.

Of course, I don't believe core KV code is a heavy user of ctxgroup anyway, but we could become one, and it might be worth having a consistent approach to this.