Panic inside a resource function does not kill the application

[xlight05]

Description:
Came up during a code review session, Consider the following sample.

service / on new http:Listener(8900) {
    resource function get greeting() returns string {
        panic error("test panic");
    }
}

When the following resource function is invoked the application is not killed. It simply prints an error in the log.
Is this intended? Platforms like Kubernetes automatically restart the pod if it is killed.

@shafreenAnfar

[shafreenAnfar]

I think when the code panics it is better to crash the service. As @xlight05 mentioned it will result in a crash loop, crash loop results in alerts (in proper deployment). Alerts results in human attention. I think that is what we need for services that panics.

@sameerajayasoma @chamil321 any thoughts.

[sameerajayasoma]

Panics are abnormal errors. It makes sense to kill the instance when a panic happens.

[chamil321]

Shall we call System.exit() rather stopping listeners individually.
@warunalakshitha Do we have such function which is provided by the lang runtime?

Also is it fair to stop the listener due to some misbehaviour of a single request flow which can be due to a invalid input values of a certain request? What we really need at this point the proper logging and event notification to make the devs aware of such incident. Thoughts?

[shafreenAnfar]

I think what you explained above falls under normal errors but panics are abnormal errors. Here is what James' slide deck says "Abnormal errors should typically result in immediate program termination".

we call System.exit() rather stopping listeners individually.

Even if you stop the listeners, eventually you need to immediately terminate the program. Therefore, we can start with terminating.

[warunalakshitha]

IMO calling System.exit is wrong since that will skip properly shutdown of the ballerina program including scheduler, module stops and any other cleanup etc. Panics are abnormal errors but if main strand does not have impact ATM we do not terminate the program.

As an example we do not terminate the program if name worker panic unless you wait on the worker.

Shall we creare a spec issue and discuss there?

[warunalakshitha]

May be it should be a internal server response (5XX)

[chamil321]

@jclark Could you please shade some light here.

The question is, should the application (A service in this context) be terminated when a panic occurs from a resource function?

service / on new http:Listener(8900) {
    resource function get greeting() returns string {
        panic error("test panic");
    }
}

Current behaviour is similar to error return and does stop the listener.

[jclark]

A panic means either an application bug or resource exhaustion. If there's an application bug, then the application state may be in an inconsistent state and it is not safe to continue executing. I would expect panic to terminate the application. If the user doesn't want this they should explicitly trap the panic.

If a resource function returns an error, then the HTTP listener should report an error to the client, but continue to handle other requests.

[chamil321]

A panic means either an application bug or resource exhaustion. If there's an application bug, then the application state may be in an inconsistent state and it is not safe to continue executing. I would expect panic to terminate the application. If the user doesn't want this they should explicitly trap the panic.

If a resource function returns an error, then the HTTP listener should report an error to the client, but continue to handle other requests.

Appreciate the input and it aligns with initial suggestion. We can proceed accordingly.