Description
A module can crash for a number of reasons, including:
- persistence becomes fatally unwritable
- the current replica is demoted as the leader
- some unknown / unhandled panic
Desired behavior
When a module crashes, all currently connected clients should be disconnected (or reset in some other way).
Observed behavior
All crash scenarios described above manifest in a panic that is intercepted by the ModuleHost executing a reducer call. The module is removed from the HostController and the unwinding is resumed.
This disconnects the caller, but not other clients connected to the same replica.
When those other clients attempt to call a reducer, a NoSuchModule error will be propagated to the client, but the client connection is not terminated (cf. subscribe.rs#L369). Note that module hot-swapping should never manifest in a NoSuchModule error at this point.
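A minimal model of the desired behavior, added here as an illustration and not taken from the project's code: when a reducer panics, the host removes the module, closes every client attached to it, and only then resumes unwinding. `Host`, `Module`, `Client`, `CallError` and their methods are hypothetical stand-ins, not the real `HostController` / `ModuleHost` API.

```rust
use std::collections::HashMap;
use std::panic::{self, AssertUnwindSafe};
use std::sync::atomic::{AtomicBool, Ordering};
use std::sync::{Arc, Mutex};

// Hypothetical stand-ins for a client connection, a module and the host.
pub struct Client { open: AtomicBool }
impl Client {
    pub fn is_open(&self) -> bool { self.open.load(Ordering::SeqCst) }
}
#[derive(Default)]
pub struct Module { clients: Mutex<Vec<Arc<Client>>> }
#[derive(Default)]
pub struct Host { modules: Mutex<HashMap<u64, Arc<Module>>> }

#[derive(Debug, PartialEq)]
pub enum CallError { NoSuchModule }

impl Host {
    /// Attach a new client to module `id` (created on first use in this model).
    pub fn connect(&self, id: u64) -> Arc<Client> {
        let client = Arc::new(Client { open: AtomicBool::new(true) });
        let module = self.modules.lock().unwrap().entry(id).or_default().clone();
        module.clients.lock().unwrap().push(client.clone());
        client
    }

    /// Run a reducer. On panic: drop the module, close ALL of its clients
    /// (not only the caller's), then let the panic continue unwinding.
    pub fn call_reducer(&self, id: u64, reducer: impl FnOnce()) -> Result<(), CallError> {
        let module = self.modules.lock().unwrap().get(&id).cloned()
            .ok_or(CallError::NoSuchModule)?;
        if let Err(payload) = panic::catch_unwind(AssertUnwindSafe(reducer)) {
            self.modules.lock().unwrap().remove(&id);
            for client in module.clients.lock().unwrap().drain(..) {
                client.open.store(false, Ordering::SeqCst);
            }
            panic::resume_unwind(payload);
        }
        Ok(())
    }
}

fn main() {
    let host = Host::default();
    let (a, b) = (host.connect(1), host.connect(1));
    // Constructed crash: the reducer panics while client `a` is the caller.
    let crash = panic::catch_unwind(AssertUnwindSafe(|| host.call_reducer(1, || panic!("constructed crash"))));
    println!("crashed={} a_open={} b_open={}", crash.is_err(), a.is_open(), b.is_open());
}
```
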