Underlying issue

Reactor run method (https://github.com/jenkinsci/lib-task-reactor/blob/master/src/main/java/org/jvnet/hudson/reactor/Reactor.java#L115) only catches TunnelException.

If another exception occurs in the task run method,

• done is set to true
• fatal is not set
• but pending variable is not decremented

This makes Reactor execute method wait for ever (https://github.com/jenkinsci/lib-task-reactor/blob/master/src/main/java/org/jvnet/hudson/reactor/Reactor.java#L266) as pending will never reach 0.

How can task.run throw something else than a TunnelException?

task run method (https://github.com/jenkinsci/lib-task-reactor/blob/master/src/main/java/org/jvnet/hudson/reactor/Reactor.java#L207) catches exceptions from the runTask method and wraps them in a TunnelException.

But listener methods are not protected by try/catch blocks (except onTaskCompleted for technical reasons)

So if an exception occurs in any of the onTaskStarted or onTaskFailed, it won't be wrapped in a TunnelException, making the problem arise.

For milestones, another type of run method is used (https://github.com/jenkinsci/lib-task-reactor/blob/master/src/main/java/org/jvnet/hudson/reactor/Reactor.java#L176), calling the listener's onAttained method, unprotected by try/catch.

 Even if it can make sense not to protect listener methods, I am wondering if this is a good idea to have different behaviors depending on the listener method as one of them is in fact protected?

Where does a listener throw an exception?

InitReactorRunner provides a listener implementation calling InitReactorRunner's onInitMilestoneAttained method, when onAttained is called on a milestone of type InitMilestone.

https://github.com/jenkinsci/jenkins/blob/a82a47a8f2a90727d873c637c99aa0d087500dfe/core/src/main/java/jenkins/InitReactorRunner.java#L83

onInitMilestoneAttained implementation in Jenkins class (https://github.com/jenkinsci/jenkins/blob/a82a47a8f2a90727d873c637c99aa0d087500dfe/core/src/main/java/jenkins/model/Jenkins.java#L1092) can throw if ExtensionList.lookup(ExtensionFinder.class).getComponents(); throws.

Exceptions can occur through a static call to a plugin class in an exception point if this same plugin will not start for a dependency reason

• example of this use case can be found here: https://github.com/jenkinsci/build-failure-analyzer-plugin/pull/80/commits/343a9b21c60a411b6cc7e48b05a9936e6f0c937b#diff-475044ef0a13791f000702f5f3e09874L83, which throws a AssertionException when plugin is null in the static field initialization.
• Symptom (in unit tests) can be seen there: https://ci.jenkins.io/blue/organizations/jenkins/Plugins%2Fclaim-plugin/detail/PR-39/1/ => InjectedTests never run. Note that this was not the case with Jenkins 2.7.3.

 Note that even if this seems an advanced scenario, other implementations of _ReactorListener_s could be provided through https://github.com/jenkinsci/jenkins/blob/a82a47a8f2a90727d873c637c99aa0d087500dfe/core/src/main/java/jenkins/InitReactorRunner.java#L63, and they might provide implementations which throw exception.

How to correct?

I would have proposed a fix, but I'm not sure of the direction to take:

• enhance the Reactor component
  • by protecting listeners calls ?
  • by adding a way for listener methods to mark the task as fatal for milestones?
• work around the limitations on listeners error-handling in Jenkins core code 
  • by try catching, logging, and swallowing the exception (not sure of the consequences) ?
  • or by adding back to the reactor a task designed to throw the exception in case of errors (will occur at some unknown point in the future, but at least will stop Jenkins startup) ?
• just fix all plugins ?
• some other way?