The ability to cleanup when application panics in any of the routines spawned by s.acceptConnectionsRoutine().

[ruseinov]

Tested with tendermint 0.31.5.

The issue is that when something goes wrong in abci app, for example, in InitChain method - we are forced to panic, as there is no other way to return an error and stop the app.

When this happens we cannot recover, because these panics happen in a goroutine

func (s *SocketServer) handleRequests(

which in turn is being spawned by

func (s *SocketServer) acceptConnectionsRoutine()

What this leads to is the socket not being closed and cleaned up, so when the application fails once it is not able to start again, there is a manual step required, which is basically rm /tmp/app.socket.

There are different options to fix that:

1. Recover from panic, log the error and allow main thread to exit gracefully, which will let the code looking like this:

	svr, err := server.NewServer(addr, "socket", app)
	if err != nil {
		return errors.Wrap(err, "failed to create a listener")
	}

	svr.SetLogger(logger.With("module", "abci-server"))

	done := make(chan bool)
	cleanupCallback := func() {
		// Cleanup
		_ = svr.Stop()
		done <- true
	}

	cmn.TrapSignal(logger, cleanupCallback)

	defer func() {
		if err := recover(); err != nil {
			logger.Error("recovered from panic", "err", err)
			cleanupCallback()
		}
	}()

	err = svr.Start()
	if err != nil {
		return errors.Wrap(err, "failed to start a server")
	}
	fmt.Println("123")
	// wait forever
	<-done

	return nil

to do proper cleanup.

2. Alternatively allow passing a cleanup callback to the socket server, and call that on recover() and then propagate panic. In our case such callback would still be something like
   func() {svr.Stop()}. I think the solution number one is preferred, because it would be easier to cleanup in the main thread as shown above.

3. Yet another solution is to modify ABCI interface to be able to return errors in responses or alongside them. Then instead of panicking the app could just return an error.

[ruseinov]

I would be happy to implement this feature if it gets any traction. It looks like all of this boils down to recovering in handleRequests and sending the contents of this panic to closeConn, then exiting.

[ruseinov]

@ethanfrey fyi ^^

[ethanfrey]

Yet another solution is to modify ABCI interface to be able to return errors in responses or alongside them. Then instead of panicking the app could just return an error.

I brought this up long ago re: abci design, and it was stated that we shouldn't return errors if we cannot handle them. I don't really agree, but I would ask if there is a big change of opinion in the cosmos team before looking more into that option (I think all abci response should be like Result<Response, Error>)

[ethanfrey]

In theory the out-of-process architecture was recommended. In practice the in-process is easier ops and used for cosmos-sdk, so the only really tested approach.

However, since abci should support out-of-process apps in many languages, it would be good to get more testing/attention to these issues. (Or drop unix socket support entirely and force us to use tcp sockets).

[ethanfrey]

I would propose that the tendermint/abci server just be updated to do the cleanup properly for the unix socket files (that it creates). The addition of an app-specific cleanup callback would be a nice addition, but not essential for the issue we have

[ruseinov]

I would propose that the tendermint/abci server just be updated to do the cleanup properly for the unix socket files (that it creates). The addition of an app-specific cleanup callback would be a nice addition, but not essential for the issue we have

Yes, I totally agree that the proper cleanup/recovery would be more than enough to support external apps fully.

[ruseinov]

I brought this up long ago re: abci design, and it was stated that we shouldn't return errors if we cannot handle them. I don't really agree, but I would ask if there is a big change of opinion in the cosmos team before looking more into that option (I think all abci response should be like Result<Response, Error>)

Yeah, I do remember internal discussions around that topic, cause this is one of the few places we still have to panic in.

I'd say that all the errors returned here could at least be handled by simply logging the error and shutting down the server. That would lead to a nicer api (no panics) and a graceful shutdown instead of a crash.

Similar to this code here:

	for {

		var req = &types.Request{}
		err := types.ReadMessage(bufReader, req)
		if err != nil {
			if err == io.EOF {
				closeConn <- err
			} else {
				closeConn <- fmt.Errorf("Error reading message: %v", err.Error())
			}
			return
		}
		s.appMtx.Lock()
		count++
		s.handleRequest(req, responses)
		s.appMtx.Unlock()
	}

where we have an unreadable message and shutdown.

[melekes]

When this happens we cannot recover, because these panics happen in a goroutine

do you have a stack trace of the panic at hand?

[melekes]

Normally the listener would unlink the socket file upon listener.Close(). But since here there's a panic, Close is not being called, right? If yes, then we should definitely recover and shutdown gracefully.

[ruseinov]

Normally the listener would unlink the socket file upon listener.Close(). But since here there's a panic, Close is not being called, right? If yes, then we should definitely recover and shutdown gracefully.

Exactly

do you have a stack trace of the panic at hand?

Here's the original ticket with a panic stack trace: iov-one/weave#851

[ruseinov]

@melekes do you want me to open a PR for this then or are you guys going to tackle it yourselves?

[melekes]

If you have time to fix it, that would be great!

[ruseinov]

@melekes will do!