*: recover goroutines when they panic (#488)

djshow832 · web-flow · commit 233f4565b006 · 2024-03-20T02:02:13.000Z
diff --git a/lib/util/waitgroup/waitgroup.go b/lib/util/waitgroup/waitgroup.go
@@ -5,6 +5,8 @@ package waitgroup
 
 import (
 	"sync"
+
+	"go.uber.org/zap"
 )
 
 // WaitGroup is a wrapper for sync.WaitGroup
@@ -27,15 +29,25 @@ func (w *WaitGroup) Run(exec func()) {
 // and call done when function return. it will dump current goroutine stack into log if catch any recover result.
 // exec is that execute logic function. recoverFn is that handler will be called after recover and before dump stack,
 // passing `nil` means noop.
-func (w *WaitGroup) RunWithRecover(exec func(), recoverFn func(r interface{})) {
+func (w *WaitGroup) RunWithRecover(exec func(), recoverFn func(r interface{}), logger *zap.Logger) {
 	w.Add(1)
 	go func() {
 		defer func() {
 			r := recover()
+			defer func() {
+				// If it panics again in recovery, quit ASAP.
+				_ = recover()
+			}()
+			if r != nil && logger != nil {
+				logger.Error("panic in the recoverable goroutine",
+					zap.Reflect("r", r),
+					zap.Stack("stack trace"))
+			}
+			// Call Done() before recoverFn because recoverFn normally calls `Close()`, which may call `wg.Wait()`.
+			w.Done()
 			if r != nil && recoverFn != nil {
 				recoverFn(r)
 			}
-			w.Done()
 		}()
 		exec()
 	}()
diff --git a/lib/util/waitgroup/waitgroup_test.go b/lib/util/waitgroup/waitgroup_test.go
@@ -0,0 +1,31 @@
+// Copyright 2024 PingCAP, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+package waitgroup
+
+import (
+	"testing"
+
+	"github.com/pingcap/tiproxy/lib/util/logger"
+	"github.com/stretchr/testify/require"
+)
+
+func TestWithRecoveryLog(t *testing.T) {
+	lg, text := logger.CreateLoggerForTest(t)
+	var wg WaitGroup
+	wg.RunWithRecover(func() {
+		panic("mock panic")
+	}, nil, lg)
+	wg.Wait()
+	require.Contains(t, text.String(), "mock panic")
+}
+
+func TestWithRecoveryPanic(t *testing.T) {
+	var wg WaitGroup
+	wg.RunWithRecover(func() {
+		panic("mock panic1")
+	}, func(r interface{}) {
+		panic("mock panic2")
+	}, nil)
+	wg.Wait()
+}
diff --git a/pkg/manager/cert/manager.go b/pkg/manager/cert/manager.go
@@ -98,6 +98,7 @@ func (cm *CertManager) SQLTLS() *tls.Config {
 // The proxy periodically reloads certs. If it fails, we will retry in the next round.
 // If configuration changes, it only affects new connections by returning new *tls.Config.
 func (cm *CertManager) reloadLoop(ctx context.Context, cfgch <-chan *config.Config) {
+	// Failing to reload certs may cause even more serious problems than TiProxy reboot, so we don't recover panics.
 	cm.wg.Run(func() {
 		for {
 			select {
diff --git a/pkg/manager/config/manager.go b/pkg/manager/config/manager.go
@@ -82,7 +82,7 @@ func (e *ConfigManager) Init(ctx context.Context, logger *zap.Logger, configFile
 			return err
 		}
 
-		e.wg.Run(func() {
+		e.wg.RunWithRecover(func() {
 			// Read the file periodically and reload the config if it changes.
 			//
 			// We tried other ways to watch file:
@@ -100,7 +100,7 @@ func (e *ConfigManager) Init(ctx context.Context, logger *zap.Logger, configFile
 					}
 				}
 			}
-		})
+		}, nil, e.logger)
 	} else {
 		if err := e.SetTOMLConfig(nil); err != nil {
 			return err
diff --git a/pkg/manager/infosync/info.go b/pkg/manager/infosync/info.go
@@ -109,9 +109,9 @@ func (is *InfoSyncer) Init(ctx context.Context, cfg *config.Config, certMgr *cer
 
 	childCtx, cancelFunc := context.WithCancel(ctx)
 	is.cancelFunc = cancelFunc
-	is.wg.Run(func() {
+	is.wg.RunWithRecover(func() {
 		is.updateTopologyLivenessLoop(childCtx, topologyInfo)
-	})
+	}, nil, is.lg)
 	return nil
 }
 
diff --git a/pkg/manager/logger/manager.go b/pkg/manager/logger/manager.go
@@ -47,9 +47,9 @@ func (lm *LoggerManager) Init(cfgch <-chan *config.Config) {
 	ctx, cancel := context.WithCancel(context.Background())
 	lm.cancel = cancel
 
-	lm.wg.Run(func() {
+	lm.wg.RunWithRecover(func() {
 		lm.watchCfg(ctx, cfgch)
-	})
+	}, nil, lm.logger)
 }
 
 func (lm *LoggerManager) watchCfg(ctx context.Context, cfgch <-chan *config.Config) {
diff --git a/pkg/manager/router/backend_observer.go b/pkg/manager/router/backend_observer.go
@@ -123,6 +123,7 @@ func NewBackendObserver(logger *zap.Logger, eventReceiver BackendEventReceiver,
 func (bo *BackendObserver) Start() {
 	childCtx, cancelFunc := context.WithCancel(context.Background())
 	bo.cancelFunc = cancelFunc
+	// Failing to observe backends may cause even more serious problems than TiProxy reboot, so we don't recover panics.
 	bo.wg.Run(func() {
 		bo.observe(childCtx)
 	})
diff --git a/pkg/manager/router/router_score.go b/pkg/manager/router/router_score.go
@@ -50,6 +50,7 @@ func (r *ScoreBasedRouter) Init(fetcher BackendFetcher, hc HealthCheck, cfg *con
 	r.observer = observer
 	childCtx, cancelFunc := context.WithCancel(context.Background())
 	r.cancelFunc = cancelFunc
+	// Failing to rebalance backends may cause even more serious problems than TiProxy reboot, so we don't recover panics.
 	r.wg.Run(func() {
 		r.rebalanceLoop(childCtx)
 	})
diff --git a/pkg/metrics/metrics.go b/pkg/metrics/metrics.go
@@ -79,9 +79,9 @@ func (mm *MetricsManager) setupMonitor(ctx context.Context) {
 			KeepAliveCounter.Inc()
 		}
 	}
-	mm.wg.Run(func() {
+	mm.wg.RunWithRecover(func() {
 		systimemon.StartMonitor(ctx, mm.logger, time.Now, systimeErrHandler, successCallBack)
-	})
+	}, nil, mm.logger)
 }
 
 // registerProxyMetrics registers metrics.
diff --git a/pkg/proxy/backend/backend_conn_mgr.go b/pkg/proxy/backend/backend_conn_mgr.go
@@ -203,9 +203,13 @@ func (mgr *BackendConnManager) Connect(ctx context.Context, clientIO *pnet.Packe
 	childCtx, cancelFunc := context.WithCancel(ctx)
 	mgr.cancelFunc = cancelFunc
 	mgr.lastActiveTime = endTime
-	mgr.wg.Run(func() {
+	mgr.wg.RunWithRecover(func() {
 		mgr.processSignals(childCtx)
-	})
+	}, func(_ any) {
+		// If we do not clean up, the router may retain the connection forever and the TiDB won't be released in the
+		// Serverless Tier.
+		_ = mgr.Close()
+	}, mgr.logger)
 	return nil
 }
 
@@ -422,22 +426,26 @@ func (mgr *BackendConnManager) processSignals(ctx context.Context) {
 	for {
 		select {
 		case s := <-mgr.signalReceived:
-			// Redirect the session immediately just in case the session is finishedTxn.
-			mgr.processLock.Lock()
-			switch s {
-			case signalTypeGracefulClose:
-				mgr.tryGracefulClose(ctx)
-			case signalTypeRedirect:
-				mgr.tryRedirect(ctx)
-			}
-			mgr.processLock.Unlock()
+			func() {
+				// Redirect the session immediately just in case the session is finishedTxn.
+				mgr.processLock.Lock()
+				defer mgr.processLock.Unlock()
+				switch s {
+				case signalTypeGracefulClose:
+					mgr.tryGracefulClose(ctx)
+				case signalTypeRedirect:
+					mgr.tryRedirect(ctx)
+				}
+			}()
 		case rs := <-mgr.redirectResCh:
 			mgr.notifyRedirectResult(ctx, rs)
 		case <-checkBackendTicker.C:
-			mgr.checkBackendActive()
-			mgr.processLock.Lock()
-			mgr.setKeepAlive()
-			mgr.processLock.Unlock()
+			func() {
+				mgr.checkBackendActive()
+				mgr.processLock.Lock()
+				defer mgr.processLock.Unlock()
+				mgr.setKeepAlive()
+			}()
 		case <-ctx.Done():
 			checkBackendTicker.Stop()
 			return
diff --git a/pkg/proxy/backend/backend_conn_mgr_test.go b/pkg/proxy/backend/backend_conn_mgr_test.go
@@ -1340,6 +1340,33 @@ func TestDisconnectLog(t *testing.T) {
 	}
 }
 
+func TestProcessSignalsPanic(t *testing.T) {
+	ts := newBackendMgrTester(t)
+	runners := []runner{
+		// 1st handshake
+		{
+			client:  ts.mc.authenticate,
+			proxy:   ts.firstHandshake4Proxy,
+			backend: ts.handshake4Backend,
+		},
+		{
+			proxy: func(clientIO, backendIO *pnet.PacketIO) error {
+				// Mock panic in `mgr.processSignals()`.
+				ts.mp.handler.onHandshake = func(connContext ConnContext, s string, err error, source ErrorSource) {
+					panic("mock panic")
+				}
+				ts.mp.Redirect(newMockBackendInst(ts))
+				// Panic won't set error so it's still treated as success. It's fine because it will close anyway.
+				ts.mp.getEventReceiver().(*mockEventReceiver).checkEvent(t, eventSucceed)
+				// Do not wait for eventClose because `clean` will wait for it.
+				return nil
+			},
+			backend: ts.redirectSucceed4Backend,
+		},
+	}
+	ts.runTests(runners)
+}
+
 func BenchmarkSyncMap(b *testing.B) {
 	for i := 0; i < b.N; i++ {
 		var m sync.Map
diff --git a/pkg/proxy/proxy.go b/pkg/proxy/proxy.go
@@ -19,7 +19,6 @@ import (
 	"github.com/pingcap/tiproxy/pkg/proxy/client"
 	"github.com/pingcap/tiproxy/pkg/proxy/keepalive"
 	pnet "github.com/pingcap/tiproxy/pkg/proxy/net"
-	"github.com/pingcap/tiproxy/pkg/util"
 	"go.uber.org/zap"
 )
 
@@ -108,7 +107,7 @@ func (s *SQLServer) Run(ctx context.Context, cfgch <-chan *config.Config) {
 	// Create another context because it still needs to run after graceful shutdown.
 	ctx, s.cancelFunc = context.WithCancel(context.Background())
 
-	s.wg.Run(func() {
+	s.wg.RunWithRecover(func() {
 		for {
 			select {
 			case <-ctx.Done():
@@ -121,7 +120,7 @@ func (s *SQLServer) Run(ctx context.Context, cfgch <-chan *config.Config) {
 				s.reset(ach)
 			}
 		}
-	})
+	}, nil, s.logger)
 
 	for i := range s.listeners {
 		j := i
@@ -141,9 +140,7 @@ func (s *SQLServer) Run(ctx context.Context, cfgch <-chan *config.Config) {
 						continue
 					}
 
-					s.wg.Run(func() {
-						util.WithRecovery(func() { s.onConn(ctx, conn, s.addrs[j]) }, nil, s.logger)
-					})
+					s.wg.RunWithRecover(func() { s.onConn(ctx, conn, s.addrs[j]) }, nil, s.logger)
 				}
 			}
 		})
diff --git a/pkg/server/api/server.go b/pkg/server/api/server.go
@@ -130,9 +130,9 @@ func NewServer(cfg config.API, lg *zap.Logger,
 		IdleTimeout:       DefConnTimeout,
 	}
 
-	h.wg.Run(func() {
+	h.wg.RunWithRecover(func() {
 		lg.Info("HTTP closed", zap.Error(hsrv.Serve(h.listener)))
-	})
+	}, nil, h.lg)
 
 	return h, nil
 }
diff --git a/pkg/util/misc.go b/pkg/util/misc.go
diff --git a/pkg/util/misc_test.go b/pkg/util/misc_test.go

Original file line number	Diff line number	Diff line change
`@@ -82,7 +82,7 @@ func (e ConfigManager) Init(ctx context.Context, logger zap.Logger, configFile`
`82`	`82`	`return err`
`83`	`83`	`}`
`84`	`84`
`85`		`- e.wg.Run(func() {`
	`85`	`+ e.wg.RunWithRecover(func() {`
`86`	`86`	`// Read the file periodically and reload the config if it changes.`
`87`	`87`	`//`
`88`	`88`	`// We tried other ways to watch file:`
`@@ -100,7 +100,7 @@ func (e ConfigManager) Init(ctx context.Context, logger zap.Logger, configFile`
`100`	`100`	`}`
`101`	`101`	`}`
`102`	`102`	`}`
`103`		`- })`
	`103`	`+ }, nil, e.logger)`
`104`	`104`	`} else {`
`105`	`105`	`if err := e.SetTOMLConfig(nil); err != nil {`
`106`	`106`	`return err`
Original file line number	Diff line number	Diff line change
`@@ -79,9 +79,9 @@ func (mm *MetricsManager) setupMonitor(ctx context.Context) {`
`79`	`79`	`KeepAliveCounter.Inc()`
`80`	`80`	`}`
`81`	`81`	`}`
`82`		`- mm.wg.Run(func() {`
	`82`	`+ mm.wg.RunWithRecover(func() {`
`83`	`83`	`systimemon.StartMonitor(ctx, mm.logger, time.Now, systimeErrHandler, successCallBack)`
`84`		`- })`
	`84`	`+ }, nil, mm.logger)`
`85`	`85`	`}`
`86`	`86`
`87`	`87`	`// registerProxyMetrics registers metrics.`