Fix ActionListener.map exception handling

[henningandersen]

map would call listener.onFailure for exceptions from
listener.onResponse, but this means we could double trigger some
listeners which is generally unexpected. Instead, we should assume that
a listener's onResponse (and onFailure) implementation is responsible
for its own exception handling.

This affects many APIs across the code base. This is the first of a series
of PRs changing exception handling to adhere to the principle that an
ActionListener implementation is responsible for its own exception handling.

The demo program test here illustrates the current inconsistencies in how exceptions in listeners are handled.

[elasticmachine]

Pinging @elastic/es-core-infra (:Core/Infra/Core)

[elasticmachine]

Pinging @elastic/es-distributed (:Distributed/Distributed)

[pugnascotia]

Changes look good.

How do you feel about adding some JavaDoc to the new test cases, to explain what the expectations are?

[original-brownbear]

I see the point in this change, but note that I added the .map shortcut back when I added it to dry up a bunch of ActionListener.wrap(..., listener::onFailure) spots.
I think we'd basically have to audit every spot that we use .map in now and make sure that the listener/delegate will actually handle it's own onResponse failures (from a quick read over the spots we use map in this may already hold true).

Maybe we should assert this and do something like:

try {
   delegate.onResponse(mapped);
} catch (Exception e) {
   assert false: e;
   throw e;
}

[henningandersen]

I added the assert. Local CI seems happy about it.

[henningandersen]

Thanks @pugnascotia , I added javadoc here: 198651b

[henningandersen]

Failure already reported here.

[henningandersen]

Removed WIP on this, since I think this can go in alone.

[ywelsch]

I have not gone through all callers of this method to check whether this is safe, but left a few small comments here.

[ywelsch]

why assert here but not when calling delegate.onFailure(e);?

[henningandersen]

Thanks, added that in ca31964 and tests seems unaffected.

[ywelsch]

ChannelActionListener also has this weird double-sending logic.

[henningandersen]

Yes, but the code used to propagate the exception out. This seemed to be a left-over from when the ChannelActionListener was introduced. The old map exception handling would ensure onFailure were called on exception. This means this change is effectively a no-op now (with the caveat that onFailure will be called on exceptions like for all other ChannelActionListener usages).

We should notice that DirectTransportChannel will not bubble out exceptions from invoking the TransportResponseHandler. So it seems likely that the primary exceptions bubbled out are related to communicating the response over a wire, in which case invoking onFailure might be desirable (for instance an NPE on serialization).

So I would like to keep using ChannelActionListener here and then deal with ChannelActionListener in a follow-up. WDYT?

[ywelsch]

++

[original-brownbear]

LGTM thanks Henning :)

[henningandersen]

@elasticmachine test this please

[henningandersen]

Build failure looks unrelated, reported it here: #51347 .
@elasticmachine run elasticsearch-ci/2

[henningandersen]

One more test round:
@elasticmachine test this please

[henningandersen]

I have not gone through all callers of this method to check whether this is safe

I went through all calls in production (not test) code. Most are "clearly" OK, falling into one of these categories:

1. Clearly not able to throw except in severe bug cases like NPE.
2. Inner listener will not throw since it is either ActionListener.wrap og ChannelActionListener - though there is an addendum to that statement below.
3. Guarded by assertions enabled check (i.e. not active in production).
4. A choice is made to use map or not, clearly the intention was not to get the exception behavior (e.g. TransportBulkAction.BulkRequestModifier.wrapActionListenerIfNeeded).
5. Ultimately caught and onFailure called (transport service, security, ActionRunnable, StepListener/ListenableFuture).
6. Used with NotifyOnceListener inside only.

Following I did not follow to the end:

PersistentTasksService: this affects all methods here. I checked a subset of the usages only:

• startPersistentTask:
  • CCR/resume follow ends in CCR ResponseHandler which does counting that will disregard an additional onFailure call anyway.
  • Rollup and transform uses wrap to create the listener
• sendCompletionRequest: only has trace logging listeners.
• updatePersistentTaskState: has a variety of listeners sent to it. Many use wrap, but some are complex and hard to chase to the end (so I did not).

The small addendum mentioned previously is that I did not consider the effect of having for instance map(map(wrap(onResponse, onFailure))) where onResponse and onFailure are functions that both throw. In that case, each additional map wrapping would previously invoke onFailure once more, such that onFailure in this case would be called 3 times.

[henningandersen]

Notice that this PR was merged, then reverted. After #51646 was merged, the commit was cherry-picked (identical, no changes) to reintroduce it.