Return errors instead of panic

[MarinX]

• Targeted PR against correct branch (see CONTRIBUTING.md)

• Linked to github-issue with discussion and accepted design OR link to spec that describes this work.

This is related to issue #3741 where fetching data from invalid store, package panic.
This PR modifies subspace.go to return errors instead of panic.
It also updates other packages that import subspace and handles error.

• Modify tests
• Updated relevant documentation (docs/)
• Added entries in PENDING.md with issue #
• rereviewed Files changed in the github PR explorer

---

For Admin Use:

• Added appropriate labels to PR (ex. wip, ready-for-review, docs)
• Reviewers Assigned
• Squashed all commits, uses message "Merge pull request #XYZ: [title]" (coding standards)

[alexanderbez]

I think these changes are fine, but we should keep consistency. What are your thoughts on updating the remaining begin/end blockers?

[codecov]

Codecov Report

Merging #3782 into develop will decrease coverage by 0.22%.
The diff coverage is 25%.

@@             Coverage Diff             @@
##           develop    #3782      +/-   ##
===========================================
- Coverage    60.02%   59.79%   -0.23%     
===========================================
  Files          212      212              
  Lines        15107    15158      +51     
===========================================
- Hits          9068     9064       -4     
- Misses        5418     5450      +32     
- Partials       621      644      +23

[MarinX]

@alexanderbez should be all good now.
Since I did not want to go deeper into packages and change all panics to errors, I suggest maybe to panic only on commands and main (if we want to recover from it).
Packages should not panic.

I see there is a thread #870 so I will put my input there to discuss if this something to consider.

[cwgoes]

Needs a rebase for #3828.

[jackzampolin]

A failing lint here as well as some conflicts in PENDING.md. Looks great otherwise tho @MarinX !

[MarinX]

I fixed the merge problem.
The problem with lint is that if we return(handle) the error, we need to fix interfaces which again follows handling the errors in core packages and single value returns.

Its not a problem for me to do it, but since it will be a significant change, I need your input before tackling this.

[alexanderbez]

Which interfaces need adjustment @MarinX ?

[MarinX]

For example, fixing the lint issue for the func:

func (keeper Keeper) GetTallyParams(ctx sdk.Context) TallyParams

will become

func (keeper Keeper) GetTallyParams(ctx sdk.Context) (TallyParams, error)

which then needs adjustment to interfaces which will yield an error in build for other packages by using single value context.
We have around 20 functions that needs to return error, in which I suspect more packages will trigger an error.
So its a big rewrite of modifying interfaces, catching the errors and returning it to main caller.

EDIT:
So the question is, do we fix those lints in this PR ( which will require rewrites) or do we create a new PR where we continue handling the error?

[fedekunze]

is there a NewResponseEndBlock function on the abci pkg we could use to replace this everywhere?

[fedekunze]

So the question is, do we fix those lints in this PR ( which will require rewrites) or do we create a new PR where we continue handling the error?

this PR is big enough now, let's continue on a separate PR

[MarinX]

Exactly,
This PR is just a fix for returning the error instead of panic.
Handling the error should be another PR which will be a huge rewrite (hopefully lints would be also fixed)

[alexanderbez]

So what is the consensus on this @MarinX? Seems like lint is failing. What is the bare minimum we need to change to fix the root issue?

[MarinX]

rebased

[MarinX]

@alexanderbez solution I found is to check the error and add TODO when we are going to rewrite the handling of errors. This new commit suppresses the lint errors.

[rigelrozanski]

This is bit crazy with 8K line additions... I'm assuming key commits haven't been merged into this branch, obviously need to merge recent develop before I'm able to review here

[alexanderbez]

Needs a pending log entry, but otherwise LGTM. Thanks @MarinX.

[alessio]

I have to block this due to the lack of a changelog entry file; otherwise this looks good to me. May I suggest to run sdkch add breaking sdk @MarinX?

[MarinX]

I have to block this due to the lack of a changelog entry file; otherwise this looks good to me. May I suggest to run sdkch add breaking sdk @MarinX?

Added.
Also, merged with latest changes

[fedekunze]

LGTM

[alessio]

Approving. Hence merging (@rigelrozanski dismissing your review as the author did ultimately merge latest develop)

The author merged develop latest changes

[jackzampolin]

Thank you very much for the contribution @MarinX!!!

[rigelrozanski]

So this PR was just reverted and I wanted to take some time to briefly reflect on design decisions which this PR breaks. Again, I do want to apologize for any wasted energy, I am grateful for new excited developers to be contributing to this code base. If after reading this comment, you still believe there are places where the panic should be converted to an error, I suggest a new similar PR (however, substantially smaller) be opened which I will review.

Design notes:
Overall, within the SDK we value safety over liveness.
When an a value is expected in state and cannot be properly retrieved, the state of the blockchain is broken and should panic immediately at that location. Notably the k.paramSpace.Get(...) functions should in fact not be returning an error but panicking in place. If within the codebase it is expected behaviour that the parameter may not exist in the substore, the k.paramSpace.GetIfExists(...) function should be used (this function will not panic if the value does not exist).

Within this PR there are also a number of highly unsafe TODO's introduced whereby old panics are left as unchecked errors - these changes effectively allow for unsafe state to be introduced into the blockchain without halting it! This means that by forgetting to add an important parameter into the genesis state would not be caught when the blockchain started and would continue to operate potentially with a vital parameter simply set to zero.

Within unmarshal functionality (which I there were a few changes), if an improper unmarshal is made it means there is improper state stored within the blockchain which of course means that the blockchain state is in error and should halt. There are of course certain situations when retrieving input from the user that possible faulty input is plausible and should not panic, but this should be all limited to the client/rest receivers (and not unmarshalling state already stored in the blockchain)

Lastly I wanted to mention an error return arguments were introduced into endblocker functionality of the modules needlessly the state still panicked instead of returning an error - which is fine however because it never should have been returning an error - but I'm assuming this was not the intention of the PR.