Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(gov): handle panics when executing x/gov proposals #17780

Merged
merged 10 commits into from
Sep 18, 2023

Conversation

robert-zaremba
Copy link
Collaborator

Description

x/gov proposal execution is done in ABCI EndBlock. Proposals contain a custom, potentially untrusted code, which can panic, and putting the whole chain down.

Today, the proposal handler execution is not recoverable, making the chain halt rather than erroring the proposal executing.

In this PR I propose to guard the Msg handler executing in a recoverable block, safely failing the proposal if the panics occurs.


Author Checklist

All items are required. Please add a note to the item if the item is not applicable and
please add links to any relevant follow up issues.

I have...

  • included the correct type prefix in the PR title
  • added ! to the type prefix if API or client breaking change
  • targeted the correct branch (see PR Targeting)
  • provided a link to the relevant issue or specification
  • followed the guidelines for building modules
  • included the necessary unit and integration tests
  • added a changelog entry to CHANGELOG.md
  • included comments for documenting Go code
  • updated the relevant documentation or specification
  • reviewed "Files changed" and left comments if necessary
  • run make lint and make test
  • confirmed all CI checks have passed

Reviewers Checklist

All items are required. Please add a note if the item is not applicable and please add
your handle next to the items reviewed if you only reviewed selected items.

I have...

  • confirmed the correct type prefix in the PR title
  • confirmed ! in the type prefix if API or client breaking change
  • confirmed all author checklist items have been addressed
  • reviewed state machine logic
  • reviewed API design and naming
  • reviewed documentation is accurate
  • reviewed tests and test coverage
  • manually tested (if applicable)

@robert-zaremba robert-zaremba requested a review from a team as a code owner September 18, 2023 07:59
@robert-zaremba
Copy link
Collaborator Author

NOTE: I'm adding backport to v0.50, I think it should be backported (v0.50 is not yet released).

@robert-zaremba robert-zaremba added C:x/gov T:tech debt Tech debt that should be cleaned up backport/v0.50.x PR scheduled for inclusion in the v0.50's next stable release labels Sep 18, 2023
@github-prbot github-prbot requested review from a team, facundomedica and samricotta and removed request for a team September 18, 2023 08:01
@github-actions

This comment has been minimized.

Copy link
Member

@tac0turtle tac0turtle left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thank you for adding this, the change makes sense same with the backport

x/gov/abci.go Outdated

defer func() {
if r := recover(); r != nil {
err = fmt.Errorf("handling x/gov poposal msg [%s] PANICED: %v", msg, r)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Typo here?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is another typo I think PANICED -> PANICKED

x/gov/abci.go Show resolved Hide resolved
Copy link
Collaborator

@odeke-em odeke-em left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR @robert-zaremba and nice to catch you here after a very long time!

For the commit message and change log entries, please use this

Recover panics and turn them into errors when executing x/gov proposals

Otherwise LGTM. Thank you

x/gov/abci.go Outdated Show resolved Hide resolved
CHANGELOG.md Outdated
@@ -46,6 +46,7 @@ Ref: https://keepachangelog.com/en/1.0.0/
* (x/bank) [#17569](https://github.com/cosmos/cosmos-sdk/pull/17569) Introduce a new message type, `MsgBurn `, to burn coins.
* (genutil) [#17571](https://github.com/cosmos/cosmos-sdk/pull/17571) Allow creation of `AppGenesis` without a file lookup.
* (server) [#17094](https://github.com/cosmos/cosmos-sdk/pull/17094) Add duration `shutdown-grace` for resource clean up (closing database handles) before exit.
* (x/gov) [#17780](https://github.com/cosmos/cosmos-sdk/pull/17780) Handle panics when executing x/gov proposals.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recover panics and turn them into errors when executing x/gov proposals

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@odeke-em thanks for suggestion. I will update the changelog. However I don't think this kind of comment should be blocking, because now we need to wait for you to unblock.

@robert-zaremba
Copy link
Collaborator Author

I'm thinking more about the backports. What do you think about backporting to 0.47? I think it won't break consensus, because nodes which won't upgrade will halt, without submitting any change, and nodes which will update will continue. So we won't have hash missmatch. Nodes which failed, after update will continue safely.

Copy link
Member

@julienrbrt julienrbrt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm!

@julienrbrt
Copy link
Member

Could you run make lint-fix?

@robert-zaremba
Copy link
Collaborator Author

I'm thinking more about the backports. What do you think about backporting to 0.47? I think it won't break consensus, because nodes which won't upgrade will halt, without submitting any change, and nodes which will update will continue. So we won't have hash missmatch. Nodes which failed, after update will continue safely.

@julienrbrt , @tac0turtle could you 👍 about the proposal to backport to v0.47 as well?

@robert-zaremba robert-zaremba added this pull request to the merge queue Sep 18, 2023
Merged via the queue into main with commit a0b39a1 Sep 18, 2023
48 checks passed
@robert-zaremba robert-zaremba deleted the robert/handle-gov-panics branch September 18, 2023 15:07
mergify bot pushed a commit that referenced this pull request Sep 18, 2023
(cherry picked from commit a0b39a1)

# Conflicts:
#	CHANGELOG.md
@julienrbrt
Copy link
Member

Your reasoning makes sense, this behavior change would not be consensus breaking, unless I am missing something (cc @alexanderbez). So that would make sense to backport to v0.47.

tac0turtle pushed a commit that referenced this pull request Sep 18, 2023
@robert-zaremba robert-zaremba added the backport/v0.47.x PR scheduled for inclusion in the v0.47's next stable release label Sep 18, 2023
mergify bot pushed a commit that referenced this pull request Sep 18, 2023
(cherry picked from commit a0b39a1)

# Conflicts:
#	CHANGELOG.md
#	x/gov/abci.go
julienrbrt added a commit that referenced this pull request Sep 18, 2023
mmsqe pushed a commit to mmsqe/cosmos-sdk that referenced this pull request Oct 9, 2023
@faddat faddat mentioned this pull request Mar 20, 2024
12 tasks
@faddat faddat mentioned this pull request Nov 8, 2024
12 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport/v0.47.x PR scheduled for inclusion in the v0.47's next stable release backport/v0.50.x PR scheduled for inclusion in the v0.50's next stable release C:x/gov T:tech debt Tech debt that should be cleaned up
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants