Ensure exceptions in handlers are handled equally for sync and async

[fjetter]

I do not have a strong opinion at the moment about what should happen if a handler raises an exception but regardless, I believe an async and sync handler should show the same behaviour. Everything else is pretty hard to distinguish for any developer.

One easy way to achieve this is to simply await the handler during handle_stream. I am not sure if it was implemented this way hoping that messages would be faster worked off or what the motivation behind this was.
If we want to stick to the old add_callback we need to implement exception handling on the returned future/task.

[fjetter]

Test failure in test_no_danglng_asyncio_tasks is a genuine failure and I can reproduce locally

[fjetter]

I tracked down the dangling task and this was the ensure_compute scheduled here. In particular it concerned the ensure_computing which uses the async interface to offload deserialisation. This was introduced in #4307 just before the infamous 2020.12.0 release

[fjetter]

This situation is a bit awkward and I see two options

1. We await both handler and every-cycle-callbacks and let asyncio/python deal with the exceptions themselves. This puts us at risk of having a slow handler or slow cycle-callback. This could, for instance, cause the worker to accumulate messages in the queue faster than it could work off. Even worse, I believe there is a chance for the comm / tcp socket to overflow which either results in weird exceptions or dropped messages, I'd need to research this a bit. In either case this would probably only happen if there is a quite significant load on the entire system in which case I'd wonder if we're coming out of this alive, anyhow. Not an expert though.
2. We implement the task offloading to the loop ourselves and take care that the exceptions are properly handled. The way tornado deals with this is not 100% well suited to our use case here. In the cases where we put tasks on the loop, we often would like to check if they completed, erred or cancel them even. Currently we do not have this possibility.

Note: this problem pops up in many places in the worker so solving 2.) once might benefit other situations as well.

@mrocklin Any thoughts on this? Do we have any asyncio/tornado experts we can loop into this discussion?

---

Note: The PR grew again in scope. I ignored the warning in the gen.coroutine comment and figured it was easy to rewrite. Turns out this introduces race conditions during closing since the behaviour of gen.coroutine and plain async coroutines differ in the way they are cancelled (or not). Will break this off into another PR (At least I hope this is the explanation and the changes can be decoupled :/ )

[mrocklin]

This could, for instance, cause the worker to accumulate messages in the queue faster than it could work off

I'm not sure that this is true. There is a handle_stream coroutine for every comm. Comms are most often used with the rpc objects as follows:

## caller side
await worker.some_handler(arg=foo)

The caller side generally waits until the call to the handler completes before moving on, so the backup won't be inside the socket on the receiver side, it will be in application code on the caller side, which seems safe. Previously this call would have completed very quickly and now it will take longer. That's probably ok.

In summary, if things aren't breaking here I think that we're ok. In principle this change feels safe to me. I wouldn't be surprised if it did break some things, but even if it did, those things were probably broken beforehand and relying on bad logic in the worker. For example, if the caller side was doing the following:

await worker.some_handler(arg=1)
await worker.some_handler(arg=2)
await worker.some_handler(arg=3)
await worker.some_handler(arg=4)

Then with async handlers this would have previously run much more quickly than it should have. In a situation like the following:

await asyncio.gather(
    worker.some_handler(arg=1),
    worker.some_handler(arg=2),
    ...
)

The caller side will actually open many comms to the server to handle the requests in parallel, and so we'll get many handle_stream coroutines, and everything should behave nicely.

(Usual disclaimer of "I'm a bit rusty on all of this, so please don't believe me")

[fjetter]

I'm not sure that this is true. There is a handle_stream coroutine for every comm. Comms are most often used with the rpc objects as follows:

I'm mostly concerned about the primary link between scheduler and worker which is based on a single comm. Most of the communication between the two is done via this single comm using a BatchedSend. For instance all "compute-task", "forget-task" msgs are moving along this single comm and I'm wondering if this becomes an issue.

However, with the exception of Worker.close all of our stream handlers seem to be sync anyhow, so I'm worrying unnecessarily 🤦

[mrocklin]

However, with the exception of Worker.close all of our stream handlers seem to be sync anyhow, so I'm worrying unnecessarily

Yeah, anything sent by a BatchedSend is intended to run immediately.

If you wanted to be careful though you could add a read into the BatchedSend._background_send method. This would close the loop and establish back pressure. Really we would want to allow a few of these to be in flight before awaiting. I'm not too worried about this though.

[fjetter]

This await self without the guard I introduced in __await__ would allow an incoming comm to restart a currently shutting down scheduler. There is a time window while the scheduler is handling its affairs, before the actual server closes, where it still accepts incoming comms. If during this time a new comm is opened, the scheduler is restarted although it is currently trying to shutdown.

distributed/distributed/scheduler.py

Lines 3759 to 3808 in d9bc3c6

	self.status = Status.closing
	logger.info("Scheduler closing...")
	setproctitle("dask-scheduler [closing]")
	for preload in self.preloads:
	await preload.teardown()
	if close_workers:
	await self.broadcast(msg={"op": "close_gracefully"}, nanny=True)
	for worker in parent._workers_dv:
	self.worker_send(worker, {"op": "close"})
	for i in range(20): # wait a second for send signals to clear
	if parent._workers_dv:
	await asyncio.sleep(0.05)
	else:
	break
	await asyncio.gather(*[plugin.close() for plugin in self.plugins])
	for pc in self.periodic_callbacks.values():
	pc.stop()
	self.periodic_callbacks.clear()
	self.stop_services()
	for ext in parent._extensions.values():
	with suppress(AttributeError):
	ext.teardown()
	logger.info("Scheduler closing all comms")
	futures = []
	for w, comm in list(self.stream_comms.items()):
	if not comm.closed():
	comm.send({"op": "close", "report": False})
	comm.send({"op": "close-stream"})
	with suppress(AttributeError):
	futures.append(comm.close())
	for future in futures: # TODO: do all at once
	await future
	for comm in self.client_comms.values():
	comm.abort()
	await self.rpc.close()
	self.status = Status.closed
	self.stop()
	await super().close()

[fjetter]

I didn't add a dedicated test for this since there are actually many failing tests once the close coroutines are shielded

[fjetter]

This is not absolutely required but with this decorator we can define methods which are always shielded (e.g. close) instead of relying on remembering it on every invocation

[mrocklin]

I'm curious about the reason for a few of the changes here. Also, do we know why tests aren't happy yet?

[mrocklin]

Can we call asyncio.wait here and avoid the tasks variable entirely?

[fjetter]

sure

[mrocklin]

Why this change?

[fjetter]

same argument as above about cleaning up

[mrocklin]

Why this change?

[fjetter]

It is redundant since we do the same in Server.close. it looked like being redundant and I felt removing it would reduce complexity. If there is some purpose to stopping earlier, I can revert this logic. This is only my sense of cleaning up

[mrocklin]

Why this change?

[fjetter]

this is performed by super().close() since there are no other things happening in between, letting the server close itself felt like the right thing to do to reduce complexity.

[mrocklin]

Why this change?

[fjetter]

This change adds close=False (default is True). This causes in most situations to issue a close_worker call twice since there is a dedicated close_worker call above.

It might be the correct thing to change this to close=not close_workers to avoid the duplication

[jrbourbeau]

Sorry @fjetter, it looks like #4966 caused some merge conflicts here

[fjetter]

I'm hitting a lot of known "flaky" tests here (cannot reproduce locally, yet)

[fjetter]

This MultiWorker is a bit strange since it isn't a Server although Workers are always Servers