Hardened thread pool

[abi87]

Why this should be merged

@darioush introduced goleak to ava-labs/coreth#273.
I applied it to some avalanchego packages and realized we can't currently shutdown the thread pool we use in avalanchego.
This PR fixes the issue and unlock fixing of leaking goroutines (tbd in subsequent PR).

How this works

Hardened thread pool to:

1. be able to cleanly shut it down
2. make it able to behave sanely (no panic) when Send/Shutdown are called out of order (e.g. before Start is called)

How this was tested

New UTs (100% package coverage) + CI

[joshua-kim]

1. Do we expect Start to be called multiple times? I see we're using sync.Once to guard against it.

2. We can also get rid of this edge-case by leaving the goroutine initialization in NewPool. Instead of having a Shutdown code we can pass in a channel/context into NewPool so the caller can shutdown the pool via context/close channel. I think this will simplify a lot of the Start/Shutdown code.

If we go with (2) I would recommend renaming NewPool to StartWorkers or something to make it clear that some goroutines are spinning up.

[joshua-kim]

Ignore this comment in favor of using errgroup

[abi87]

used to make Send a no-op after Shutdown is called

[StephenButtolph]

I don't follow what this is needed for. The request queue isn't buffered... so I don't really see what we are gaining out of having this flag at all.

[abi87]

The idea is to avoid requests being executed after shutdown is called. Indeed this is guaranteed that once quit channel is closed and selected, there won't be any worker listening anymore. Dropped the flag

[StephenButtolph]

What is this testing?

[abi87]

Inserted booleans to check request has been executed and testing them.

[StephenButtolph]

Why is this sleeping for a minute?

[abi87]

The idea is to show that the request is not executed at all. If it was, one minute sleep is enough to make the test be terminated. In hindsight it's better to signal job done with a boolean and check that.

[joshua-kim]

I chatted w/ Alberto offline but I think we can replace most of the code in the existing worker.Pool with an errgroup.Group, since SetLimit caps the amount of goroutines (ref). The semantics of our Send and errgroup.Go are the same, where both block until a worker goroutine is free to accept the task so it should work as a drop-in replacement to the worker loops we manage.

[abi87]

I chatted w/ Alberto offline but I think we can replace most of the code in the existing worker.Pool with an errgroup.Group, since SetLimit caps the amount of goroutines (ref). The semantics of our Send and errgroup.Go are the same, where both block until a worker goroutine is free to accept the task so it should work as a drop-in replacement to the worker loops we manage.

@joshua-kim, thanks for the input! I tried it out and I think there is a difference in the way worker.Pool and errgroup.Group terminate that makes them non equivalent for our use.
We'd like worker.Pool to stop accepting requests after shutdown. IIUC, errgroup.Group has not such a feature built in.
What I think I could do is replace worker.Pool internal goroutines with an errgroup.Group and use the quit channel to ensure Shutdown.
But maybe it's just simpler to keep the goroutines?

[joshua-kim]

We'd like worker.Pool to stop accepting requests after shutdown. IIUC, errgroup.Group has not such a feature built in.

Yeah we can use an atomic bool to indicate the worker pool is closed

[joshua-kim]

Suggested change

	// Send can be safely called after [Shutdown] and it'll be no-op.
	// Send is a no-op if [Shutdown] has been called.

[abi87]

Done

[joshua-kim]

nit: leaving this to your preference but I personally don't write comments on variables that are self-documenting. I think these are all being used in pretty idiomatic ways so I don't think these are necessary to have. Feel free to ignore this comment.

[abi87]

dropped

[joshua-kim]

nit: undo diff

[abi87]

done

[joshua-kim]

nit: this comment isn't necessary

[abi87]

indeed, dropped

[joshua-kim]

If someone handles us a nil request I feel like it's okay to just fail obviously and die instead of silently dropping a nil request somewhere. I think we can remove this check?

[abi87]

removed the test. It wasn't there indeed, so it should be fine

[joshua-kim]

nit: move this comment above the close line. I personally would probably not comment this because i feel like this line is self-documenting but leaving this inclusion of this to your preference

[joshua-kim]

We also no longer close p.requests here, is that okay?

[abi87]

if we close p.request we risk a panic if another goroutine invoke Send. I tried to express this in the comment

[StephenButtolph]

Should have caught this on the first pass... sorry

[StephenButtolph]

This can cause the chain router's shutdown to hang indefinitely on a chain that isn't shutting down correctly... (Stop should never block. Can we add that to the comment on Stop?)

Actually looking at this which a fresh set of eyes... I'm not sure the existing code is incorrect at all. It seems like the goroutines are shutdown correctly - and the handler exposes the ability to block on the goroutine shutdown by calling AwaitStopped.

fwiw - I still think the pool changes are good... But I don't think we should be calling shutdown here.

[abi87]

@joshua-kim, @StephenButtolph, I ended up re-introducing the start method.I believe I need it to avoid some goroutines leak in some UTs.
In production code we always call pool.Start after its creaton in snow/networking/handler/handler.go. However there are some UTs where we don't want to call handler.Start since we want to inspect handler queues with Len() (see TestRouterCrossChainMessages).
TestRouterCrossChainMessages woud leak the pool goroutines if those are started upon NewPool().
Launching goroutines in handler.Start solves the issue: goroutines are never started, since handler.Start is not called, hence no leak. You can see the fully fixed TestRouterCrossChainMessages in my next PR

[abi87]

Closing this PR in favor of #1940