ADR 022 - Custom baseapp panic handling

[iTiky]

/cc @alexanderbez

---

For contributor use:

• Targeted PR against correct branch (see CONTRIBUTING.md)
• Linked to Github issue with discussion and accepted design OR link to spec that describes this work.
• Code follows the module structure standards.
• Wrote unit and integration tests
• Updated relevant documentation (docs/) or specification (x/<module>/spec/)
• Added relevant godoc comments.
• Added a relevant changelog entry to the Unreleased section in CHANGELOG.md
• Re-reviewed Files changed in the Github PR explorer

---

For admin use:

• Added appropriate labels to PR (ex. WIP, R4R, docs, etc)
• Reviewers assigned
• Squashed all commits, uses message "Merge pull request #XYZ: [title]" (coding standards)

[codecov]

Codecov Report

Merging #6072 into master will decrease coverage by 0.24%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #6072      +/-   ##
==========================================
- Coverage   54.64%   54.39%   -0.25%     
==========================================
  Files         426      430       +4     
  Lines       25890    26106     +216     
==========================================
+ Hits        14148    14201      +53     
- Misses      10763    10922     +159     
- Partials      979      983       +4     

[aaronc]

I think we should allow more customizability of these sorts of things in general. The approach in #6053 handles one such case and I don't think we should block it. But I do think we should reconsider a composable middleware approach to BaseApp, rather than handling each edge case one by one.

[alexanderbez]

Thanks @iTiky! Left some minor feedback.

[fedekunze]

Well written ADR. Left a few suggestions. Thanks @iTiky! 👍

[alexanderbez]

I took another pass through over this ADR and things started to make more sense to me. I think certain sections can be either clarified or omitted entirely. But overall, the premise looks solid and I see no reason why we can't support this.

One thing I would like note (I've mentioned this in a comment), is that we should guarantee or assert that the last handler in the decorator/middleware stack is guaranteed to return an error -- a fail-safe/terminator.

[alexanderbez]

conceptACK as I'm generally in favor of (opinionated) flexibility where the concept is clean and modular and extensible. I would like to see an ACK from @aaronc and @cwgoes potentially before proceeding with the implementation.

[cwgoes]

Concept ACK but I would like to see more clearly explained examples

[cwgoes]

I do not understand how this would work. Would every node make an HTTP call to Sentry?

[iTiky]

Those are examples of how developers can use those middlewares. They can send panic logs to Sentry if they need to or do other struf needed.

[cwgoes]

I still don't understand how Sentry would be used in a replicated state machine.

[iTiky]

Those are just examples of what developers of Cosmos SDK based project could use those handlers for. May be they want to get notifications on every panic() event (Sentry), that doesn't collide with state machine ideology.

[cwgoes]

The issue is that (in a production blockchain) the state machine is replicated, so many copies of every error would be sent to Sentry, and you would need to be careful to ensure that making HTTP requests doesn't introduce non-determinism. It's an alright example, but these points need to be clarified.

[iTiky]

Actually Sentry can aggregate multiple similar event into one issue with some meta and statistics. As for non-deterministic behavior: developers can do that in so many ways including the proposed middlewares =)

[cwgoes]

That's nice. The determinism bit is more important. I think it would be sufficient if we add a warning that middlewares must be deterministic, or consensus safety will be lost.

[aaronc]

Why are we hard-coding newOutOfGasRecoveryMiddleware into BaseApp? I thought the idea was to defer to app.runTxRecoveryMiddleware?

[iTiky]

That is because OutOfGas error handling needs some extra context and can't be statically created.

[aaronc]

Generally I'm in favor of well-reasoned customizability. As I noted before, I would like us to think of a more general framework for BaseApp being composed of middleware in the future.

But, this seems like a good starting point with a concrete use case and I'd like to see it move forward.

[cwgoes]

ACK

[AdityaSripal]

Should middleware decorators simply pass recoveryObj along to the next middleware if it isn't an error they handle instead of returning?

[iTiky]

Actually they do. The example above creates a handler and passes it to func newRecoveryMiddleware which creates a middleware. That way developer only needs to create a RecoveryHandler (which only return an error / nil). The rest is done with helper functions automatically.

[iTiky]

@alexanderbez ADR's PR is approved, what are the next steps? I can update the implementation PR (add link to the ADR, make some minor improvements proposed in the discussion).

[alexanderbez]

@iTiky, yes let's update this PR so we can merge it and then we can proceed with reviewing the implementation 👍

Thank you for all the hard work :)

[aaronc]

Looks like the main thing needed to move this forward is merging master into this branch. @iTiky can you do that and then we'll merge.

[iTiky]

@alexanderbez Can we merge this ADR as it breaks the markdown analyser for PR (invalid link to the ADR file).

[alexanderbez]

Yes, we just need to rebase 👍

[alexanderbez]

Something did not go right in the rebase @iTiky

[iTiky]

@alexanderbez Yes, you're right. Can I just close this PR and make a new cleaner one preserving all changes? I'm not sure I can do the force push right.

[alexanderbez]

I don't think that is necessary. Revert back to 35fc451, checkout and pull latest master, and finally merge master into this branch.

[iTiky]

@alexanderbez Thanks! I did the rollback and merged the latest master.