Testing panic handling

[MichaReiser]

Shuttle has been game-changing for us! I spent days trying to construct the exact case where some code would fail in production, only to show that my fix works. That's gone with shuttle :)

The only case that we currently can't test with shuttle is panic handling. Specifically, we want to test that if a thread A waits on a result of thread B and b panics, that A doesn't wait forever. However, this can't be tested with the shuttle today, at least to my knowledge, because the shuttle always thinks that the artificial panic is an error case and that it found a bug.

It would be very nice if shuttle provided a way to test this too. Maybe by having a special sentinel value that a test could throw that shuttle knows to pass through (and not abort with a test failure).

Our non-shuttle test that we would like to shuttle :)

#[salsa::tracked]
fn query_a(db: &dyn KnobsDatabase) -> u32 {
    query_b(db)
}

#[salsa::tracked]
fn query_b(db: &dyn KnobsDatabase) -> u32 {
    panic!("cancel!")
}

#[test]
fn execute() {
    let db = Knobs::default();

    let db_t1 = db.clone();
    let t1 = std::thread::spawn(move || query_a(&db_t1));

    let db_t2 = db.clone();
    let t2 = std::thread::spawn(move || query_b(&db_t2));

    // The main thing here is that we don't deadlock.
    let (r1, r2) = (t1.join(), t2.join());
    assert!(r1.is_err());
    assert!(r2.is_err());
}

[sarsko]

Thanks, Micha, very happy to hear that you've found Shuttle to be useful!

As for your issue:

This seems like a thing that would be nice to support, and I have sometimes wished Shuttle would more accurately model thread panics. I am happy to review any implementation which improves this, but it'll unfortunately be a bit before I have time to spend on implementing it myself. That said: the current implementation of Shuttle essentially says that uncaught thread panics should be avoided, and are a poor communication mechanism. If you want to allow thread panics then you can catch them, ie your test above becomes something ala:

fn query_a() -> u32 {
    query_b()
}

fn query_b() -> u32 {
    panic!("cancel!")
}

#[test]
fn execute() {
    check_dfs(
        || {
            use shuttle::thread::spawn;

            let t1 = spawn(move || std::panic::catch_unwind(query_a));
            let t2 = spawn(move || std::panic::catch_unwind(query_b));

            // The main thing here is that we don't deadlock.
            let (r1, r2) = (t1.join(), t2.join());
            assert!(r1.unwrap().is_err());
            assert!(r2.unwrap().is_err());
        },
        None,
    );
}

Do note that the test will be slightly noisy, as the Shuttle panic hook will be invoked, which will serialize the failing test schedule. This also means any failing test will not actually be reproducible with the serialized schedule, as we will serialize the schedule early, and then on the later failure not serialize the longer failure.

[MichaReiser]

Thanks @sarsko for your reply. I might be doing something wrong but this doesn't seem to be working for me (I admit, our test case is slightly more complicated). I do see multiple shuttle backtraces, and the last failing one is in check_dfs:

    pass that string to `shuttle::replay` to replay the failure
    stack backtrace:
       0: __rustc::rust_begin_unwind
                 at /rustc/29483883eed69d5fb4db01964cdf2af4d86e9cb2/library/std/src/panicking.rs:697:5
       1: core::panicking::panic_fmt
                 at /rustc/29483883eed69d5fb4db01964cdf2af4d86e9cb2/library/core/src/panicking.rs:75:14
       2: core::panicking::panic_display
                 at /Users/micha/.rustup/toolchains/stable-aarch64-apple-darwin/lib/rustlib/src/rust/library/core/src/panicking.rs:268:5
       3: shuttle::runtime::execution::Execution::step::panic_cold_display
                 at /Users/micha/.rustup/toolchains/stable-aarch64-apple-darwin/lib/rustlib/src/rust/library/core/src/panic.rs:100:13
       4: shuttle::runtime::execution::Execution::step
                 at /Users/micha/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/shuttle-0.8.1/src/runtime/execution.rs:203:17
       5: shuttle::runtime::execution::Execution::run::{{closure}}
                 at /Users/micha/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/shuttle-0.8.1/src/runtime/execution.rs:90:24
       6: scoped_tls::ScopedKey<T>::set
                 at /Users/micha/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/scoped-tls-1.0.1/src/lib.rs:137:9
       7: shuttle::runtime::execution::Execution::run
                 at /Users/micha/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/shuttle-0.8.1/src/runtime/execution.rs:80:25
       8: shuttle::runtime::runner::Runner<S>::run::{{closure}}::{{closure}}
                 at /Users/micha/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/shuttle-0.8.1/src/runtime/runner.rs:106:75
       9: tracing::span::Span::in_scope
                 at /Users/micha/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/tracing-0.1.41/src/span.rs:1102:9
      10: shuttle::runtime::runner::Runner<S>::run::{{closure}}
                 at /Users/micha/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/shuttle-0.8.1/src/runtime/runner.rs:106:53
      11: scoped_tls::ScopedKey<T>::set
                 at /Users/micha/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/scoped-tls-1.0.1/src/lib.rs:137:9
      12: shuttle::runtime::runner::Runner<S>::run
                 at /Users/micha/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/shuttle-0.8.1/src/runtime/runner.rs:81:27
      13: shuttle::check_pct
                 at /Users/micha/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/shuttle-0.8.1/src/lib.rs:362:12
      14: parallel::sync::check
                 at ./tests/parallel/main.rs:36:9
      15: parallel::cycle_panic::execute
                 at ./tests/parallel/cycle_panic.rs:33:5
      16: parallel::cycle_panic::execute::{{closure}}
                 at ./tests/parallel/cycle_panic.rs:32:13
      17: core::ops::function::FnOnce::call_once
                 at /Users/micha/.rustup/toolchains/stable-aarch64-apple-darwin/lib/rustlib/src/rust/library/core/src/ops/function.rs:250:5
      18: core::ops::function::FnOnce::call_once
                 at /rustc/29483883eed69d5fb4db01964cdf2af4d86e9cb2/library/core/src/ops/function.rs:250:5
    note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.

Test code

#[test]
fn execute() {
    crate::sync::check(move || {
        let db = Knobs::default();

        let db_t1 = db.clone();
        let t1 = crate::sync::thread::spawn(move || {
            let db = AssertUnwindSafe(db_t1);
            std::panic::catch_unwind(move || {
                let db = &db;
                query_a(&db.0)
            })
        });

        let db_t2 = db.clone();
        let t2 = crate::sync::thread::spawn(move || {
            let db = AssertUnwindSafe(db_t2);
            std::panic::catch_unwind(move || {
                let db = &db;
                query_b(&db.0)
            })
        });

        // The main thing here is that we don't deadlock.
        let (r1, r2) = (t1.join(), t2.join());
        assert!(matches!(r1, Ok(Err(_))));
        assert!(matches!(r2, Ok(Err(_))));
    });
}

crate::sync is our facade for all sync APIs and they map to shuttle or non-shuttle types. crate::sync is a thin wrapper around check_pct

#[cfg(feature = "shuttle")]
pub(crate) mod sync {
    pub use shuttle::sync::*;
    pub use shuttle::thread;

    pub fn check(f: impl Fn() + Send + Sync + 'static) {
        shuttle::check_pct(f, 1000, 50);
    }
}

[sarsko]

Thanks. I cloned Salsa and was able to get a repro.

With PCT I run into the same issue you do. After pulling Shuttle and changing persist_failure to return message directly instead of persisted_message, we get the actual panic:

thread '<unnamed>' panicked at /Users/sarekhs/Programming/ShuttleSalsa/shuttle/src/runtime/execution.rs:203:17:
deadlock! blocked tasks: [main-thread (task main-thread(0)), <unknown> (task main-thread(1), pending future)]

Hard for me to tell whether this is a real deadlock or not without knowing your application.

---

Interestingly, after swapping to DFS I get the following assertion violation

thread 'cycle_panic::meow_meow' panicked at /Users/sarekhs/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/shuttle-0.8.1/src/runtime/execution.rs:710:13:
assertion failed: task.runnable() || task.blocked()
stack backtrace:

After adding a bit more logging I see that it's Task 1 and that its state is Finished. Clearly we have some issue in Shuttle, but I don't immediately have any idea what the issue might be.

---

To get a bit better idea of the things that can go wrong, I tried the RandomScheduler as well, and got the following panics:

thread '<unnamed>' panicked at /Users/sarekhs/Programming/ShuttleSalsa/shuttle/src/runtime/execution.rs:203:17:
deadlock! blocked tasks: [main-thread (task main-thread(0)), <unknown> (task main-thread(2), pending future)]

thread '<unnamed>' panicked at /Users/sarekhs/Programming/ShuttleSalsa/shuttle/src/runtime/execution.rs:203:17:
deadlock! blocked tasks: [main-thread (task main-thread(0)), <unknown> (task main-thread(1), pending future)]

thread '<unnamed>' panicked at /Users/sarekhs/Programming/ShuttleSalsa/shuttle/src/sync/mutex.rs:62:48:
called `Result::unwrap()` on an `Err` value: AcquireError(())
stack backtrace:
[REMOVED]

thread '<unnamed>' panicked at /Users/sarekhs/Programming/ShuttleSalsa/shuttle/src/runtime/execution.rs:203:17:
deadlock! blocked tasks: [main-thread (task main-thread(0)), <unknown> (task main-thread(2), pending future)]

I wasn't able to find the DFS panic again.

---

Not sure how much that helps, but either you have a deadlock or there is an issue in Shuttle (or both).

[MichaReiser]

Wow, thanks for digging so deep. Yeah, there's a fair chance that we have a bug that results in a deadlock. I'll hopefully find some time soon to take a quick look at the salsa traces to narrow down if there's a bug indeed. I'll make sure to report back.