Revisit linked failure mechanism

[brson]

Our mechanism for propagating failure between tasks is not fully realized, has race conditions, and imposes complex interactions between the runtime and libcore.

The current rules are something like this:

• Children that fail cause their parents to fail
• Parents that fail do not cause their children to fail
• Children can be 'unsupervised', after which their failure does not propagate to their parents
• Children of dead parents that fail cause their grandparents (and so on) to fail
• The main task is supervised by the kernel
• When the kernel fails all tasks are killed

Issues:

• Parents should probably also cause children to fail
• Task notification (by which tasks can be informed of what the fate of other tasks was) is related, but the current semantics are not clear when linked failure is involved.
• There is a known race condition between children killing their parents and the parent blocking on a port in which it is possible for the parent to yield forever.
• Kernel level failure, upon which all tasks fail, is incredibly racy, basically broken.

See also: #1788 (redesign task API), #1857 (task-local data), #1078 (task notification)

[brson]

Also #1189 (move linked failure into library)

[brson]

My primary goals are a) to move complexity out of the runtime, b) use the standard comm API for implementing linked failure, c) eliminate the special rules around kernel failure, d) make task notification work correctly with linked failure

[brson]

#1789 is also related but probably impossible to solve to any degree if linked failure is moved into the library.

[brson]

Not happening for 0.3

[bblum]

I think we should settle for failure-vs-notification races being nondeterministic. I don't think any meaningful solution exists that covers general cases.

[bblum]

Hmm. With the way I've currently got it, it's nondeterministic whether the grandchild here will get killed:

do task::spawn_unlinked_parented() {
    do task::spawn_unlinked_parented() {
        loop { task::yield(); }
    }
}
fail;

Is this desirable? My instinct says no, but it's slightly harder to implement..! (requires each task have a list of ancestor parent task-groups that might kill it; also O(n) space and time in the number of generations)

(cc @graydon)

[bblum]

https://github.com/mozilla/rust/wiki/Proposal-for-linked-task-failure

[brson]

I gave it a close read and am very happy with how this works now. Great work.

[bblum]

Thanks so much! :)