|
| 1 | + |
| 2 | +# 2024-09 Implement `Database#discard` to mitigate sqlite's lack of fork safety |
| 3 | + |
| 4 | +## Status |
| 5 | + |
| 6 | +Proposed, seeking feedback and suggestions for other alternative solutions. |
| 7 | + |
| 8 | + |
| 9 | +## Context |
| 10 | + |
| 11 | +In August 2024, Andy Croll opened an issue[^issue] describing sqlite file corruption related to solid queue. After investigation, we were able to reproduce corruption under certain circumstances when forking a process with open sqlite databases.[^repro] |
| 12 | + |
| 13 | +SQLite is known to not be fork-safe[^howto], so this was not entirely surprising though it was the first time your author had personally seen corruption in the wild. The corruption became much more likely after the sqlite3-ruby gem improved its memory management with respect to open statements[^gemleak] in v2.0.0. |
| 14 | + |
| 15 | +Advice from upstream contributors[^advice] is, essentially: don't fork if you have open database connections. Or, if you have forked, don't call `sqlite3_close` on those connections (which will result in a memory leak in the child process). Neither of these options are great, see below. |
| 16 | + |
| 17 | + |
| 18 | +## Decision |
| 19 | + |
| 20 | +The sqlite3-ruby gem will introduce support for `Database#discard` in v2.1.0, which can be called by frameworks like Rails that have made the decision to allow forking while connections are open. This method will close the underlying file descriptors, but will not free any of the memory or call `sqlite3_close` to clean up internal data structures. |
| 21 | + |
| 22 | + |
| 23 | +## Consequences |
| 24 | + |
| 25 | +The positive consequence is that frameworks like Rails can prevent database file corruption as a result of allowing forks by simply `discard`ing the inherited connections in the child process. |
| 26 | + |
| 27 | +The negative consequence is that, when choosing this option, some memory will be permanently lost (leaked) in the child process. |
| 28 | + |
| 29 | + |
| 30 | +## Alternatives considered. |
| 31 | + |
| 32 | +### 1. Require applications to close database connections before forking. |
| 33 | + |
| 34 | +This is the advice[^advice] given by the upstream maintainers of sqlite, and so was the first thing we tried to implement in Rails in [rails/rails#52931](https://github.com/rails/rails/pull/52931)[^before_fork]. That first simple implementation was not thread safe, however, and in order to make it thread-safe it would be necessary to pause all sqlite database activity, close the open connections, and then fork. At least one Rails core team member was not happy that this would interfere with database connections in the parent, and the complexity of a thread-safe solution seemed high, so this work was paused. |
| 35 | + |
| 36 | +### 2. Memory arena |
| 37 | + |
| 38 | +Sqlite offers a configuration option to specify custom memory functions for malloc et al. It seems possible that the sqlite3-ruby gem could implement a custom arena that would be used by sqlite so that in a new process, after forking, all the memory underlying the sqlite Ruby objects could be discarded in a single operation. |
| 39 | + |
| 40 | +I think this approach is promising, but complex and risky. Sqlite is a complex library and uses shared memory in addition to the traditional heap. Would throwing away the heap memory (the arena) result in a segfault or other undefined behaviors or corruption? Determining the answer to that question feels expensive in and of itself, and any solution along these lines would not be supported by the sqlite authors. We can explore this space if the memory leak from `Database#discard` turns out to be a large source of pain. |
| 41 | + |
| 42 | + |
| 43 | +## References |
| 44 | + |
| 45 | +- [Database#discard by flavorjones · Pull Request #558 · sparklemotion/sqlite3-ruby](https://github.com/sparklemotion/sqlite3-ruby/pull/558) |
| 46 | +- TODO rails pr implementing sqlite3adapter discard |
| 47 | + |
| 48 | + |
| 49 | +## Footnotes |
| 50 | + |
| 51 | +[^issue]: [SQLite queue database corruption · Issue #324 · rails/solid_queue](https://github.com/rails/solid_queue/issues/324) |
| 52 | +[^repro]: [flavorjones/2024-09-13-sqlite-corruption: Temporary repo, reproduction of sqlite database corruption.](https://github.com/flavorjones/2024-09-13-sqlite-corruption) |
| 53 | +[^howto]: [How To Corrupt An SQLite Database File: §2.6 Carrying an open database connection across a fork()](https://www.sqlite.org/howtocorrupt.html#_carrying_an_open_database_connection_across_a_fork_) |
| 54 | +[^gemleak]: [Always call sqlite3_finalize in deallocate func by haileys · Pull Request #392 · sparklemotion/sqlite3-ruby](https://github.com/sparklemotion/sqlite3-ruby/pull/392) |
| 55 | +[^advice]: [SQLite Forum: Correct way of carrying connections over forked processes](https://sqlite.org/forum/forumpost/1fa07728204567a0a136f442cb1c59e3117da96898b7fa3290b0063ae7f6f012) |
| 56 | +[^before_fork]: [SQLite3Adapter: Ensure fork-safety by flavorjones · Pull Request #52931 · rails/rails](https://github.com/rails/rails/pull/52931#issuecomment-2351365601) |
| 57 | +[^config]: [SQlite3 Configuration Options](https://www.sqlite.org/c3ref/c_config_covering_index_scan.html) |
0 commit comments