Guard against subscriber exceptions in ActiveSupport::Notifications

[theojulienne]

Summary

Currently the fanout loops in ActiveSupport::Notifications::Fanout to send notifications to subscribers performs no exception handling, meaning any exceptions in a subscriber immediately break out of the notification loop.

This means notifications are delivered to an arbitrary subset of the listeners, depending on subscription order. Additionally, some of these listeners (especially the ones defined in the Fanout class) rely on a Thread.current stack to store information about start events for when finish events are later emitted. If an exception occurs during either the start or finish process in one listener, other listeners will unfortunately be left uncalled, leaving a consistency problem because the stack will still contain the elements that are complete but never had #finish called due to an earlier exception.

This PR improves this situation by ensuring that fanout events will always run on all listeners, with any exceptions accumulated and then wrapped in an InstrumentationSubscriberError. This means an erroring #finish subscriber (the most likely) will cause all working instrumentation to succeed, before a InstrumentationSubscriberError is finally raised for any broken ones. This ensures that the minimal number of subscribers are impacted, and in the case of the Thread.current stack, also ensures that the stack is cleaned up for all the Timed, MonotonicTimed, etc listener classes defined here.

Callers can catch InstrumentationSubscriberError and inspect the exceptions attribute to find the original exceptions from subscribers and handle them accordingly.

This PR touches the same code paths as #43241, and will be trivial to adjust for that PR by specifying the iteration type like iterate_guarding_exceptions(..., :each) and iterate_guarding_exceptions(..., :map), but I left this additional complexity out of this PR so it was simpler, and can update the other PR as needed if this one is accepted.

[theojulienne]

One open question here is whether to adjust the default implementation to be safer as is done in this PR (but requires changes to tests that rely on this behaviour, which may mean it's too expected), or whether to use an optional subclassed Fanout or an option to enable it. It would be pretty easy to leave the changes to use a method like #iterate_guarding_exceptions that a subclass could use to introduce this behaviour, which would make it optional to adopt.

That said, I do think the consistency issues with the unfortunate usage of Thread.current do suggest it may be worth changing behaviour.

[rafaelfranca]

Should not we use rescue Exception => e here? If our goal is make sure no exception will stop the chain I think it makes sense,

[theojulienne]

👍 I think that does make sense, given the consistency issues would be equally bad regardless of exception type.

[jhawthorn]

Thanks!

That said, I do think the consistency issues with the unfortunate usage of Thread.current do suggest it may be worth changing behaviour.

If we solve these with an approach like #43241 does that make this less necessary or is there still a need?

[theojulienne]

If we solve these with an approach like #43241 does that make this less necessary or is there still a need?

I think there is an argument that it would be nice to see instrumenters work as independently as possible from each-other, regardless of whether the rails internals use a Thread.current or not.

In any case, #43241 still relies on Thread.current for backwards-compatibility and so would fall into the same trap, unless the path without state was fully deprecated.