fix: panic recovery in PrepareProposal and ProcessProposal Handlers #14381

Merged
merged 4 commits into from
Dec 21, 2022

alexanderbez
Contributor

Description

Closes: #14375


Author Checklist

All items are required. Please add a note to the item if the item is not applicable and
please add links to any relevant follow up issues.

I have...

  • included the correct type prefix in the PR title
  • added ! to the type prefix if API or client breaking change
  • targeted the correct branch (see PR Targeting)
  • provided a link to the relevant issue or specification
  • followed the guidelines for building modules
  • included the necessary unit and integration tests
  • added a changelog entry to CHANGELOG.md
  • included comments for documenting Go code
  • updated the relevant documentation or specification
  • reviewed "Files changed" and left comments if necessary
  • confirmed all CI checks have passed

Reviewers Checklist

All items are required. Please add a note if the item is not applicable and please add
your handle next to the items reviewed if you only reviewed selected items.

I have...

  • confirmed the correct type prefix in the PR title
  • confirmed ! in the type prefix if API or client breaking change
  • confirmed all author checklist items have been addressed
  • reviewed state machine logic
  • reviewed API design and naming
  • reviewed documentation is accurate
  • reviewed tests and test coverage
  • manually tested (if applicable)

@alexanderbez alexanderbez added the backport/v0.47.x PR scheduled for inclusion in the v0.47's next stable release label Dec 21, 2022
@github-actions github-actions bot removed the C:x/bank label Dec 21, 2022
@alexanderbez alexanderbez marked this pull request as ready for review December 21, 2022 16:00
@alexanderbez alexanderbez requested a review from a team as a code owner December 21, 2022 16:00
"hash", fmt.Sprintf("%X", req.Hash),
"panic", err,
)
resp = abci.ResponseProcessProposal{Status: abci.ResponseProcessProposal_REJECT}
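Review bot: the log fields shown here are the block hash and the recovered value, with no stack trace among them, so a REJECT caused by a panic deep inside the application's handler will be hard to trace back to its origin from the log alone. Consider adding the output of debug.Stack() as a further key/value pair in this log call. The recovered value is also held in a variable named err, although a recovered panic value is not necessarily an error; a neutral name would avoid suggesting it can be used as one. Since the response is a plain REJECT, a panic is indistinguishable on the wire from an ordinarily invalid proposal, which makes this log line the only signal operators get.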
Member

@julienrbrt julienrbrt Dec 21, 2022

Wouldn't the blockchain stop producing blocks if there is a deterministic bug that makes all proposals be rejected? Doesn't it effectively have the same effect as a halt? 🤔

Member

I mean it is still better than stopping the node, but it is still stuck then?

Contributor Author

@alexanderbez alexanderbez Dec 21, 2022

Since ProcessProposal is defined by the application and could very well define behavior that depends on the proposal's contents, i.e. txs, then the behavior cannot be guaranteed to be deterministic.

That being said, if a panic is triggered, the proposal is rejected. As such, Tendermint will proceed to the next validator to propose a new proposal in PrepareProposal and the round starts again. At some point a valid proposal will need to be produced and accepted. If no such proposal occurs, then yes, the chain will face a liveness halt, but this will be very clear and investigation will need to occur.

Contributor Author

@alexanderbez alexanderbez Dec 21, 2022

Just a quick followup in case folks come back to this comment in the future:

  • PrepareProposal MAY be non-deterministic
  • ProcessProposal MAY NOT be non-deterministic, i.e. it must be deterministic

This means if ProcessProposal panics and we reject, all honest validator processes p will prevote nil and the round will proceed again until a valid proposal is proposed.
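
The behaviour discussed in the comments above, as an added Go example that is not part of the PR or of the Cosmos SDK code: a panic in a deterministic ProcessProposal handler is recovered into a reject on every validator, the next round's proposal is tried, and a liveness halt results only if no proposal is ever accepted. `Status`, `Handler`, `SafeProcess`, `RunHeight` and `buggyHandler` are hypothetical stand-ins, and the model assumes equal-weight validators and one proposal per round.

```go
package main

import "fmt"

// Status stands in for the ACCEPT/REJECT result of ProcessProposal (not the real ABCI type).
type Status int
const Accept, Reject Status = 0, 1

// Handler is a hypothetical application-defined ProcessProposal handler.
type Handler func(txs []string) Status

// SafeProcess runs h and turns a panic into Reject instead of crashing the node.
func SafeProcess(h Handler, txs []string) (st Status) {
	defer func() {
		if r := recover(); r != nil {
			fmt.Printf("panic recovered in ProcessProposal: %v\n", r)
			st = Reject
		}
	}()
	return h(txs)
}

// RunHeight returns the first round where more than 2/3 of validators accept, or -1 (liveness halt).
func RunHeight(h Handler, proposals [][]string, validators, maxRounds int) int {
	for round := 0; round < maxRounds; round++ {
		accepted := 0
		for v := 0; v < validators; v++ { // deterministic handler: same verdict on each validator
			if SafeProcess(h, proposals[round%len(proposals)]) == Accept {
				accepted++
			}
		}
		if 3*accepted > 2*validators {
			return round
		}
	}
	return -1
}

// buggyHandler is constructed sample logic that panics on an empty transaction.
func buggyHandler(txs []string) Status {
	for _, tx := range txs {
		_ = tx[0] // index out of range when tx == ""
	}
	return Accept
}

func main() {
	fmt.Println(RunHeight(buggyHandler, [][]string{{"a", ""}, {"b", "c"}}, 4, 5))
}
```
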

@sonarcloud

sonarcloud bot commented Dec 21, 2022

[Cosmos SDK] Kudos, SonarCloud Quality Gate passed!

  • 0 Bugs (A)
  • 0 Vulnerabilities (A)
  • 0 Security Hotspots (A)
  • 2 Code Smells (A)
  • No Coverage information
  • No Duplication information

@alexanderbez alexanderbez merged commit 1152e5b into main Dec 21, 2022
@alexanderbez alexanderbez deleted the bez/14375-recovery branch December 21, 2022 17:32
mergify bot pushed a commit that referenced this pull request Dec 21, 2022
alexanderbez added a commit that referenced this pull request Dec 21, 2022
…backport #14381) (#14383)

Co-authored-by: Aleksandr Bezobchuk <alexanderbez@users.noreply.github.com>
@alexanderbez alexanderbez mentioned this pull request Dec 22, 2022
19 tasks