Ruby

...I guess my search was broken. I did another and found a whole lot of "rescue exception" that don't seem to always re-raise. But the logger is a big one because it's supposed to be usable everywhere, and someone who logs a lot will run into this bug.

The behavior has changed in Ruby 2.1, and the default rescue no longer rescues Timeout unless Timeout was given an explicit exception class to raise. Could you try Ruby 2.1 and see if it behaves according to your expectation here?

The source code for 2.1.2 doesn't seem to have changed: the LogDevice::write method still does a rescue Exception and ignores the result.
Our application ran into this problem when one thread raises an exception in another thread that's doing a LogDevice::write(). The exception is supposed to be handled at a higher level, so write() rescuing it and ignoring it causes our application to hang.
A write() method without this problem looks like

  def write(message)
    @mutex.synchronize do
      if @shift_age and @dev.respond_to?(:stat)
        begin
          check_shift_log
        rescue IOError
          warn("log shifting failed. #{$!}")
        end
      end
      begin
        @dev.write(message)
      rescue IOError
        warn("log writing failed. #{$!}")
      end
    end
  end

I confirm that this bug is reproducible up to 2.2 and it's pretty easy to trigger.

require 'timeout'
require 'logger'

class MyExc < RuntimeError; end

def long_call(logger)
  Timeout.timeout(3, MyExc) do
    a = 1
    loop do
      a += 1
      logger.warn "Test #{a}"
    end
  end
end

Aaron Stone is right though that using 2.1+ it would work if you don't provide a custom exception or if your exception inherits from TimeoutError.

Beware that it must inherit from Object::TimeoutError and not Timeout::Error.

Having said that, it'd be nice to have a proper fix at logger.rb level.

@Bill, I don't think your code would fix it though, because the underlying device might throw a different exception.

Correction: providing an exception to Timeout#timeout would break it also in trunk.

It seems that by design inner blocks are able to rescue the exception provided to that method.

It makes sense for Logger to handle all exceptions by default

I'm not sure I agree with this. There must be some well-defined set of exceptions that could be raised by the code it's executing that should be handled/ignored, e.g. IOError, EPERM, ENOSPC, etc. I think it's going to be much better to solve this problem by catching only specific errors that related to the operations that might fail.

See the code again before discuss.

    def write(message)
      begin
        synchronize do
          if @shift_age and @dev.respond_to?(:stat)
            begin
              check_shift_log
            rescue
              warn("log shifting failed. #{$!}")
            end
          end
          begin
            @dev.write(message)
          rescue
            warn("log writing failed. #{$!}")
          end
        end
      rescue Exception => ignored
        warn("log writing failed. #{ignored}")
      end
    end

https://github.com/ruby/ruby/blob/5a384e2c08704dc7af9d8d3bdfc475eb8c0723aa/lib/logger/log_device.rb#L29-L48

With the code, the intention of rescue Exception is clear. It wants to rescue exceptions which is raised by synchronize.

And note that synchronize is Monitor's and it only raises ThreadError.
https://github.com/ruby/ruby/blob/master/lib/monitor.rb
I don't understand why it loosely rescues all exceptions.

There're also rescue-clauses for check_shift_log and @dev.write(message).
They may raise various exceptions and logger.rb never knows that.

Explicitly passing those exceptions are general way, but are there any exceptions other than the family of Timeout::Error?

"defensive" code like that is just broken, no one should rescue Exception.
Let's remove that outer rescue?
If synchronize raises there is a serious bug worth fixing and not ignoring.

Similarly I think the inner rescues should either be removed or only rescue IOError if really needed.

Discussed at the dev meeting.

• It is clear that Logger has the intention not to interfere with the execution of the application on a log write failure.
• On the other hand, it is also clear that Logger is not considering about asynchronous exceptions.

As a better-than-nothing mitigation, it is proposed to enclose the entire Logger::LogDevice#write in Thread.handle_interrupt(:never) { ... }.
It could be a problem if the method takes a very long time because Timeout.timeout cannot interrupt the execution, but such a case will be rare (hopefully).

What exception Timeout.timeout raises is user-configurable, so it would be difficult to reraise only a specific exception class.

It is ultimately up to the maintainer, @sonots (Naotoshi Seo), to decide.

mame (Yusuke Endoh) wrote in #note-11:

As a better-than-nothing mitigation, it is proposed to enclose the entire Logger::LogDevice#write in Thread.handle_interrupt(:never) { ... }.
It could be a problem if the method takes a very long time because Timeout.timeout cannot interrupt the execution, but such a case will be rare (hopefully).

This sounds problematic, especially since that is doing IO, possibly even network IO (e.g. NFS, or logging over some API).

I believe all libraries should only catch specific errors they want to rescue and if that's hard to determine than StandardError at most, never Exception.
Rescuing Exception without re-raise is always a bug (e.g. NoMemoryError/SystemStackError can be silent and that can cause pretty serious inconsistencies and indirectly what looks like memory corruption).

Eregon (Benoit Daloze) wrote in #note-12:

mame (Yusuke Endoh) wrote in #note-11:

As a better-than-nothing mitigation, it is proposed to enclose the entire Logger::LogDevice#write in Thread.handle_interrupt(:never) { ... }.
It could be a problem if the method takes a very long time because Timeout.timeout cannot interrupt the execution, but such a case will be rare (hopefully).

This sounds problematic, especially since that is doing IO, possibly even network IO (e.g. NFS, or logging over some API).

Right. It's never an ultimate fix. However considering the way a log destination is designed generally, I think it's rare for that blocking IO to block indefinitely. Sure, with handle_interrupt a timeout can delay for seconds. That's better than never, and "never" is the way it is now.

I believe all libraries should only catch specific errors they want to rescue and if that's hard to determine than StandardError at most, never Exception.
Rescuing Exception without re-raise is always a bug (e.g. NoMemoryError/SystemStackError can be silent and that can cause pretty serious inconsistencies and indirectly what looks like memory corruption).

The Logger author seems hesitating to interface with its callers at any cost (understandable). It is unfortunate that we currently have no idiomatic ways to achieve their goals.

Sorry to be late. Because I've been a bit busy lately, so I'll leave this to Jeremy Evans.