[PoC] Cross-silo error broadcasting

[NKcqx]

Background

Before this PR, when the execution of a DAG encounters an error in 'alice', below is what will happen:

In alice, both main thread and data sending thread will raise the error, and the process will exit.
In bob, since it needs the input from 'alice', it will waits for 'alice' forever no matter whether 'alice' exists or not.

Therefore, we need a mechanism to inform the other participant when the DAG execution raises error.

What's in this PR

The below graph shows what will happen now after this PR:

In alice, when the data-sending thread finds a RayTaskError indicating a execution failure, it will wrap it to a RemoteError object and replace the original data object in place to send to bob.
In bob, the main thread will poll data from receiver actor, where it finds out the data is in the type of RemoteError and re-raises it, and gets an exception just as what happens in "alice".

The threading model in this PR is shown below:

The explanation of the _atomic_shutdown_flag

When the failure happens, both main thread and data thread get the error and trigger the shutdown, which will execute the "failure handler" twice. The typical method to ensure the failure_handler is executed only once is to set up a flag to check whether it has been executed or not, and wrap it with threading.lock because it's a critical section.

However, this will cause the dead lock as shown in below's graph.
The data thread triggers the shutdown stage by sending SIGINT signal that is implemented by causing KeyboardInterrupt error (step 8). In order to handle the exception, OS will hold the context of the current process, including the acquired threading.lock in step 6, and change the context to error handler, i.e. the signal handler in step 9. Since the lock has not yet released, acquiring the same lock will cause the dead lock (step 10).

The solution is to check the lock before sending the signal. That lock is _atomic_shutdown_flag.

[fengsp]

Is this thread-safe?

[NKcqx]

The inner implementation, i.e. deque is thread-safe and the MessageQueue is only used inside RayFed instead a public util.

[fengsp]

Why do we need seperate queues instead of sharing one queue

[NKcqx]

Errors should be sent out-of-band.

[jovany-wang]

How to understand the outofband in this context?

[fengsp]

I think we only need to expose exc_type and src_party, the exception message should be private

[NKcqx]

Indeed, the exception will be wrap to a RemoteException that only contains type and src_party and send to other parties

[fengsp]

Good docs, maybe it is better we maintain a RayFed Enhancement Proposals directory and put this in it? So that these docs are better managed.

[fengsp]

Is {str(self._cause)} only the type of exception? We need to make sure this will not include error message detail.

[NKcqx]

No, this includes all the error stacks.
May I ask why can't details be included?

[fengsp]

Users might use sensitive error messages which is private.

[NKcqx]

Got it, I'll add a flag to set whether exposing stack trace, default to False

[fengsp]

Is get_global_context thread safe?

[NKcqx]

No, it's not. The risk only exists when intended=False, because other functions except for the user-defined failure_handler can be executed multiple times without side effects; and failure_handler only gets called when intended=False .

As for the time intended=False:

1. The entrance of shutdown(intended=False) inside RayFed is thread-safe, other calls in driver codes are not; There indeed exists risks that user calls shutdown(intended=False) in driver without acquiring the lock, which will accidentally execute the failure_handler twice. What do you think if we only expose shutdown(intended=True) as API, and make shutdown(intended=False) as private method?

2. As described in "The explanation of the _atomic_shutdown_flag", since shutdown(where get_global_context called) will be entered by OS interrupt's error handler, any lock inside shutdown may get hang if it's already been acquired but not yet released before the interrupt. Therefore, making get_global_context() thread-safe is not recommended.

[fengsp]

What if the global context is set to None by other threads?

[NKcqx]

This SHOULD only be done by calling shutdown.
Though there's risk that our developer didn't following the rule by mistake, the shutdown is indeed can't using lock to be thread-safe.

[fengsp]

I believe we have to broadcast to all parties, for example A -> B -> C，A triggers error then A and B exit, however C will hang forever?

[NKcqx]

I'll start another PR to implement, since this PR is already hard to understand

[jovany-wang]

Solid work! I'm going to review soon.

[jovany-wang]

It's too weird to pass the method to cleanup manager. A better practice I believe is implementing it in cleanup manager and then use it in anywhere.

[NKcqx]

I understand. The reason to do so is that:
The lock has to be maintained in GlobalContext , because it's indeed a part of the job context;
, but directly accessing it in CleanupManager needs to import "global_context" which causes a cross-import.

[jovany-wang]

How to understand the outofband in this context?

[NKcqx]

In this context, "out-of-band" refers to apart control messages, including the error message, from data messages.

[jovany-wang]

LGTM. Just left some minor comments.

@fengsp @zhouaihui Please take a look and do you think it's ok to add the flag in the next PR?

[jovany-wang]

I believe this should be an assertion statement or it should be raising an error instead of just logging, because it's a bug if the code path gets reached.

[jovany-wang]

And let's pending to merge before the REP's done.

[NKcqx]

Good docs, maybe it is better we maintain a RayFed Enhancement Proposals directory and put this in it? So that these docs are better managed.

Has filed a Rayfed enhancement proposal, pls take a look: #179

cc @jovany-wang

[jovany-wang]

Thanks. It got approved!