Fix race condition in consensus.State code

[sergio-mena]

Closes #487

This PR contains changes in the test infra to repro #487, and the the fix needed to avoid the race condition.
Similarly to #539, I have pushed the commits that make up this PR one by one, so that those interested can track how I repro'ed the race condition using e2e tests, and how the fix prevents the race from happening again. To do so, click on the little ❌ or ✅ next to the relevant commits.

• Commit#1: Add race option to e2e tests for builtin app. We also activate "halt on error", so e2e tests are able to catch this (otherwise it just shows up in the logs, but the tests pass). e2e check detected that this commit has no changes in the node's code, so it did not build and run the tests; hence everything is still passing in this commit.
• Commit#2: Added an innocuous change in the concerned code to trigger e2e tests. With this commit, e2e are failing. If the reader examines the output of the e2e tests, they will see the data race in validator05.
• Commit#3: The fix. e2e test are now passing. It is worth noting that, when I ran the e2e tests locally on Commit#1, without "halt on error", I hit the race condition around 120 times across all nodes in one single run.
• Commit#4: Revert Commit#1. We're not ready to leave Commit#1 in place because we know there are other race conditions lurking.

---

PR checklist

• Tests written/updated
• Changelog entry added in .changelog (we use unclog to manage our changelog)
• Updated relevant documentation (docs/ or spec/) and code comments

[08d2]

reconstructLastCommit and updateToState can panic, which will leave conS.mtx in a locked state, producing deadlock for any concurrent lockers.

[thanethomson]

@08d2, are you deeply familiar with the SwitchToConsensus function and where it's called? If so, please point out where, exactly (which files/lines of code), you see conS.mtx being locked concurrently during this specific SwitchToConsensus call.

[cason]

While 08d2 has a point (we should not panic while holding a lock), updateToState is also called while holding the same lock, as part of finalizeCommit.

[sergio-mena]

By design, CometBFT never tries to recover from a panic (crash failures always being preferable to general byzantine behaviour in both crash-tolerant and BFT algorithms), so, strictly speaking, this is a non-issue.
Nevertheless, I've changed the locking I had added to a RAII-style

[08d2]

By design, CometBFT never tries to recover from a panic

cometbft/abci/server/socket_server.go

Lines 167 to 183 in dedfda4

	defer func() {
	// make sure to recover from any app-related panics to allow proper socket cleanup.
	// In the case of a panic, we do not notify the client by passing an exception so
	// presume that the client is still running and retying to connect
	r := recover()
	if r != nil {
	const size = 64 << 10
	buf := make([]byte, size)
	buf = buf[:runtime.Stack(buf, false)]
	err := fmt.Errorf("recovered from panic: %v\n%s", r, buf)
	if !s.isLoggerSet {
	fmt.Fprintln(os.Stderr, err)
	}
	closeConn <- err
	s.appMtx.Unlock()
	}
	}()

cometbft/p2p/transport.go

Lines 304 to 320 in dedfda4

	go func(c net.Conn) {
	defer func() {
	if r := recover(); r != nil {
	err := ErrRejected{
	conn: c,
	err: fmt.Errorf("recovered from panic: %v", r),
	isAuthFailure: true,
	}
	select {
	case mt.acceptc <- accept{err: err}:
	case <-mt.closec:
	// Give up if the transport was closed.
	_ = c.Close()
	return
	}
	}
	}()

cometbft/p2p/conn/connection.go

Lines 424 to 425 in dedfda4

	func (c *MConnection) sendRoutine() {
	defer c._recover()

[08d2]

@08d2, are you deeply familiar with the SwitchToConsensus function and where it's called? If so, please point out where, exactly (which files/lines of code), you see conS.mtx being locked concurrently during this specific SwitchToConsensus call.

My mistake for qualifying the error as only for "concurrent callers". This was not accurate. If any caller, concurrent or otherwise, were to panic in the ways I described previously, the conS mutex would deadlock for all subsequent callers. Panics do not reliably terminate the process.

[cason]

This is a short-term possible solution for the race condition observed while switching to consensus. While it is straightforward, it is similar to the first solution proposed when this problem was discovered, it may produce undesired and unforeseen consequences.

But I think we should trust Sergio's investigation and approve this solution, while investigating the whole locking and parallelism within the consensus reactor.