|
| 1 | + |
| 2 | +# 2024-09 Discard database connections when carried across fork()of fork safety |
| 3 | + |
| 4 | +## Status |
| 5 | + |
| 6 | +Accepted, but we can revisit more complex solutions if we learn something that indicates that effort is worth it. |
| 7 | + |
| 8 | + |
| 9 | +## Context |
| 10 | + |
| 11 | +In August 2024, Andy Croll opened an issue[^issue] describing sqlite file corruption related to solid queue. After investigation, we were able to reproduce corruption under certain circumstances when forking a process with open sqlite databases.[^repro] |
| 12 | + |
| 13 | +SQLite is known to not be fork-safe[^howto], so this was not entirely surprising though it was the first time your author had personally seen corruption in the wild. The corruption became much more likely after the sqlite3-ruby gem improved its memory management with respect to open statements[^gemleak] in v2.0.0. |
| 14 | + |
| 15 | +Advice from upstream contributors[^advice] is, essentially: don't fork if you have open database connections. Or, if you have forked, don't call `sqlite3_close` on those connections (which will result in a memory leak in the child process). Neither of these options are great, see below. |
| 16 | + |
| 17 | + |
| 18 | +## Decision |
| 19 | + |
| 20 | +Open database connections carried across a `fork()` will not be fully closed, to avoid the risk of corrupting the database file. |
| 21 | + |
| 22 | +The sqlite3-ruby gem will track the ID of the process that opened each database connection. If, when the database is closed (either explicitly with `Database#close` or implicitly via GC) the current process ID is different from the original process, then we "discard" the connection. |
| 23 | + |
| 24 | +"Discard" here means: |
| 25 | + |
| 26 | +- The `Database` object acts "closed", including returning `true` from `#closed?`. |
| 27 | +- `sqlite3_close_v2` is not called on the object, because it is unsafe to do so per sqlite instructions[^howto]. As a result, some memory will be lost permanently (a one-time "memory leak"). |
| 28 | +- Open file descriptors associated with the database are closed. |
| 29 | + |
| 30 | + |
| 31 | +## Consequences |
| 32 | + |
| 33 | +The positive consequence is that we remove a potential cause of database corruption for applications that fork with active sqlite database connections. |
| 34 | + |
| 35 | +The negative consequence is that, for each discarded connection, some memory will be permanently lost (leaked) in the child process. |
| 36 | + |
| 37 | + |
| 38 | +## Alternatives considered. |
| 39 | + |
| 40 | +### 1. Require applications to close database connections before forking. |
| 41 | + |
| 42 | +This is the advice[^advice] given by the upstream maintainers of sqlite, and so was the first thing we tried to implement in Rails in [rails/rails#52931](https://github.com/rails/rails/pull/52931)[^before_fork]. That first simple implementation was not thread safe, however, and in order to make it thread-safe it would be necessary to pause all sqlite database activity, close the open connections, and then fork. At least one Rails core team member was not happy that this would interfere with database connections in the parent, and the complexity of a thread-safe solution seemed high, so this work was paused. |
| 43 | + |
| 44 | +### 2. Memory arena |
| 45 | + |
| 46 | +Sqlite offers a configuration option to specify custom memory functions for malloc et al. It seems possible that the sqlite3-ruby gem could implement a custom arena that would be used by sqlite so that in a new process, after forking, all the memory underlying the sqlite Ruby objects could be discarded in a single operation. |
| 47 | + |
| 48 | +I think this approach is promising, but complex and risky. Sqlite is a complex library and uses shared memory in addition to the traditional heap. Would throwing away the heap memory (the arena) result in a segfault or other undefined behaviors or corruption? Determining the answer to that question feels expensive in and of itself, and any solution along these lines would not be supported by the sqlite authors. We can explore this space if the memory leak from `Database#discard` turns out to be a large source of pain. |
| 49 | + |
| 50 | + |
| 51 | +## References |
| 52 | + |
| 53 | +- [Database#discard by flavorjones · Pull Request #558 · sparklemotion/sqlite3-ruby](https://github.com/sparklemotion/sqlite3-ruby/pull/558) |
| 54 | +- TODO rails pr implementing sqlite3adapter discard |
| 55 | + |
| 56 | + |
| 57 | +## Footnotes |
| 58 | + |
| 59 | +[^issue]: [SQLite queue database corruption · Issue #324 · rails/solid_queue](https://github.com/rails/solid_queue/issues/324) |
| 60 | +[^repro]: [flavorjones/2024-09-13-sqlite-corruption: Temporary repo, reproduction of sqlite database corruption.](https://github.com/flavorjones/2024-09-13-sqlite-corruption) |
| 61 | +[^howto]: [How To Corrupt An SQLite Database File: §2.6 Carrying an open database connection across a fork()](https://www.sqlite.org/howtocorrupt.html#_carrying_an_open_database_connection_across_a_fork_) |
| 62 | +[^gemleak]: [Always call sqlite3_finalize in deallocate func by haileys · Pull Request #392 · sparklemotion/sqlite3-ruby](https://github.com/sparklemotion/sqlite3-ruby/pull/392) |
| 63 | +[^advice]: [SQLite Forum: Correct way of carrying connections over forked processes](https://sqlite.org/forum/forumpost/1fa07728204567a0a136f442cb1c59e3117da96898b7fa3290b0063ae7f6f012) |
| 64 | +[^before_fork]: [SQLite3Adapter: Ensure fork-safety by flavorjones · Pull Request #52931 · rails/rails](https://github.com/rails/rails/pull/52931#issuecomment-2351365601) |
| 65 | +[^config]: [SQlite3 Configuration Options](https://www.sqlite.org/c3ref/c_config_covering_index_scan.html) |
0 commit comments