fix(docs): update investigation report on flaky native crashes with multiple root causes and fixes

Author: mceachen

doc/todo/P02-investigate-flaky-native-crashes.md

@@ -7,9 +7,9 @@
 - **Key Constraints**: Must identify root cause (memory corruption, race condition, or CI environment issue)
 - **Success Validation**: 10 consecutive CI runs without native crashes
 
-## Current Status: FIX IMPLEMENTED ✅
+## Current Status: MULTIPLE FIXES IMPLEMENTED
 
-**Root cause found and fixed.** Remaining work is CI validation only.
+**Two distinct root causes found and fixed.** CI validation ongoing.
 
 ### Evidence of Original Flakiness
 
@@ -22,9 +22,11 @@ Same commit (`80fa40d`) showed different failures across runs:
 | 21347456610 | 5:36:26Z | x64/20, arm64/23      |
 
 Crash signals: `SIGSEGV` (segfault), `SIGTRAP` (assertion)
-Affected tests: `extension-loading.test.ts`, `session-lifecycle.test.ts`
+Affected tests: `extension-loading.test.ts`, `session-lifecycle.test.ts`, `session-callback-error-handling.test.ts`
 
-## Root Cause: BackupJob Use-After-Free
+---
+
+## Root Cause #1: BackupJob Use-After-Free (Fixed 2026-01-26)
 
 **The bug**: `BackupJob` held a raw pointer to `DatabaseSync*` but nothing prevented the database from closing while backup ran on worker thread.
 
@@ -35,120 +37,261 @@ Affected tests: `extension-loading.test.ts`, `session-lifecycle.test.ts`
 3. Database closes (test cleanup, GC, etc.)
 4. Worker thread accesses `source_->connection()` → **SIGSEGV**
 
-**Why flaky**: Only manifests when database closes during active backup. CI's higher resource pressure makes this timing more likely.
+**Fix**: Capture connection pointer at construction, track backups in database, finalize before close.
+
+---
+
+## Root Cause #2: Session Lifecycle Issues (Fixed 2026-01-27)
+
+**Three related bugs** in Session handling caused SIGSEGV specifically on Alpine/musl:
+
+### Bug 2a: Session Database Use-After-Free
+
+**The bug**: `Session` stored raw `DatabaseSync*` without preventing database from being garbage collected.
+
+**How it manifested**:
+
+1. Session is created, holds raw `database_` pointer
+2. JavaScript loses reference to database object
+3. GC runs and frees DatabaseSync
+4. Session accesses `database_->RemoveSession(this)` → **SIGSEGV**
+
+**Fix**: Added `Napi::ObjectReference database_ref_` to Session (matching StatementSync pattern).
+
+**Commit**: `a151cb6`
+
+### Bug 2b: DeleteAllSessions Bypassed Reference Release
+
+**The bug**: When `db.close()` calls `DeleteAllSessions()`, it directly sets `session->session_ = nullptr`, causing `Session::Delete()` to return early and never call `database_ref_.Reset()`.
+
+**How it manifested**: Reference leak, potential issues during environment teardown.
+
+**Fix**: Call `database_ref_.Reset()` in `DeleteAllSessions()` after cleaning up each session.
+
+**Commit**: `fb283df`
 
-**Evidence found**:
+### Bug 2c: Mutex Deadlock Causing SIGSEGV
 
-- Upstream Node.js tracks backups via `AddBackup()`, `RemoveBackup()`, `FinalizeBackups()`
-- Our implementation was **missing all backup tracking**
-- See: `src/upstream/node_sqlite.cc:685-791`
+**The bug**: `DeleteAllSessions()` held `sessions_mutex_` while calling `database_ref_.Reset()`. Reset can trigger GC, which finalizes other Session objects, which call `Delete()` → `RemoveSession()` → tries to lock already-held mutex → **undefined behavior**.
 
-## Fix Implemented (2026-01-26)
+**How it manifested**:
+
+1. `DeleteAllSessions()` acquires `sessions_mutex_`
+2. Calls `database_ref_.Reset()` on a Session
+3. GC is triggered and finalizes another Session
+4. That Session's destructor calls `Delete()` → `RemoveSession()`
+5. `RemoveSession()` tries to lock `sessions_mutex_` (same thread!)
+6. `std::mutex` is NOT recursive → **undefined behavior** → SIGSEGV on musl
+
+**Why only Alpine/musl?**: musl's more aggressive GC timing and different memory layout made this race condition more likely to trigger than on glibc.
+
+**Fix**: Release mutex before the cleanup loop. Since `sessions_` is cleared first, any `RemoveSession()` calls become no-ops.
 
-### Changes Made
+**Commit**: `dadbb86`
+
+---
+
+## Fixes Implemented
+
+### Session Fixes (Commits: a151cb6, fb283df, dadbb86)
 
 **[src/sqlite_impl.h](../../src/sqlite_impl.h)**:
 
-- Added forward declaration for `BackupJob`
-- Added `std::set<BackupJob*> backups_` and `std::mutex backups_mutex_`
-- Added `AddBackup()`, `RemoveBackup()`, `FinalizeBackups()` declarations
-- Added `BackupJob::Cleanup()` (public) and `ClearSource()` methods
-- Added `sqlite3* source_connection_` to capture connection at construction
+```cpp
+// Added to Session class (matching StatementSync pattern)
+Napi::ObjectReference database_ref_;
+```
 
 **[src/sqlite_impl.cpp](../../src/sqlite_impl.cpp)**:
 
-- `BackupJob` constructor captures `source_->connection()` and calls `source_->AddBackup(this)`
-- `BackupJob` destructor calls `source_->RemoveBackup(this)` if source valid
-- `BackupJob::Execute()` uses `source_connection_` (not `source_->connection()`)
-- `DatabaseSync::InternalClose()` calls `FinalizeBackups()` before closing
+1. `Session::SetSession()` - Create persistent reference:
 
-### Key Safety Mechanisms
+   ```cpp
+   database_ref_ = Napi::Persistent(database->Value());
+   ```
 
-1. **Connection captured at construction** - while known valid on main thread
-2. **Backup registration** - database tracks all active backups
-3. **Cleanup on close** - `FinalizeBackups()` runs before database closes
-4. **Deadlock prevention** - mutex released before calling `Cleanup()`
+2. `Session::Delete()` - Release reference:
 
-## Validation
+   ```cpp
+   if (!database_ref_.IsEmpty()) {
+     database_ref_.Reset();
+   }
+   ```
 
-- [x] Root cause identified and documented
-- [x] Fix implemented
-- [x] Local tests pass: `npm t` (793 tests)
-- [x] Local Alpine x64 Docker test passes (780 tests)
-- [x] Linting passes: `npm run lint`
-- [ ] **REMAINING: 10 consecutive CI runs pass**
+3. `DeleteAllSessions()` - Release mutex before cleanup loop:
+
+   ```cpp
+   std::set<Session *> sessions_copy;
+   {
+     std::lock_guard<std::mutex> lock(sessions_mutex_);
+     sessions_copy = sessions_;
+     sessions_.clear();  // RemoveSession() becomes no-op
+   }
+   // Now iterate WITHOUT holding mutex
+   for (auto *session : sessions_copy) {
+     // ... cleanup including database_ref_.Reset()
+   }
+   ```
 
 ### Verification Commands
 
 ```bash
-# Native rebuild and test
-npm run build:native:rebuild && npm test
+# Find all session-related reference handling
+grep -n "database_ref_" src/sqlite_impl.cpp src/sqlite_impl.h
 
-# Local Alpine test (faster than CI)
-docker run --rm -v "$(pwd)":/host:ro node:20-alpine sh -c '\
-  cp -r /host /work && cd /work && \
-  apk add build-base python3 py3-setuptools && \
-  npm ci --ignore-scripts && npx node-gyp rebuild && \
-  npm run build:dist && npm test -- --no-coverage'
+# Verify mutex release pattern in DeleteAllSessions
+grep -A30 "void DatabaseSync::DeleteAllSessions" src/sqlite_impl.cpp
 
-# Verify fix exists
-grep -n "FinalizeBackups\|AddBackup\|source_connection_" src/sqlite_impl.cpp
+# Verify similar pattern exists in StatementSync (known-good)
+grep -n "database_ref_" src/sqlite_impl.cpp | grep -i statement
 ```
 
-## Tribal Knowledge
+---
 
-### What Didn't Work / Red Herrings
+## Tribal Knowledge
 
-1. **"musl/glibc incompatibility"** - Previous engineer suspected this, but extension loading works fine on Alpine. The real issue was the race condition.
+### Pattern: Preventing GC of Parent Objects
 
-2. **Trying to reproduce with prebuilds** - Spent time on Task 1 (downloading CI prebuilds), but the bug reproduced even with source builds once we understood the timing.
+When a child object (Session, Statement) holds a pointer to a parent (DatabaseSync), you **must** also hold a reference to prevent GC:
 
-3. **Looking for weak_ptr issues** - Searched for `weak_ptr` patterns but found none. The codebase uses raw pointers.
+```cpp
+// BAD: Raw pointer allows parent to be GC'd
+DatabaseSync *database_;
 
-### Key Insights
+// GOOD: Reference keeps parent alive
+DatabaseSync *database_;              // For fast access
+Napi::ObjectReference database_ref_;  // Prevents GC
+```
 
-1. **Compare with upstream** - The Node.js source (`src/upstream/node_sqlite.cc`) shows proper patterns. Our implementation was missing backup tracking that upstream has.
+**Why both?** The ObjectReference holds the parent alive, but calling methods via `database_ref_.Value()` on every access is expensive. Keep the raw pointer for performance.
+
+### Pattern: Mutex and GC Don't Mix
+
+**Never** hold a mutex while calling code that can trigger GC:
+
+```cpp
+// BAD: Reset() can trigger GC, which may try to acquire same mutex
+std::lock_guard<std::mutex> lock(mutex_);
+for (auto* obj : objects_) {
+  obj->ref_.Reset();  // GC → destructor → tries to lock mutex_ → UB
+}
+
+// GOOD: Release mutex before operations that can trigger GC
+std::set<Object*> copy;
+{
+  std::lock_guard<std::mutex> lock(mutex_);
+  copy = objects_;
+  objects_.clear();  // Makes RemoveObject() a no-op
+}
+// Now safe - no mutex held
+for (auto* obj : copy) {
+  obj->ref_.Reset();
+}
+```
 
-2. **Race conditions in AsyncProgressWorker** - The worker thread can outlive the main-thread objects. Any data accessed from `Execute()` must either be:
-   - Copied at construction time, OR
-   - Protected by tracking/synchronization
+### Why Only Alpine/musl?
 
-3. **Mutex ordering matters** - `FinalizeBackups()` must release the lock before calling `Cleanup()` to avoid deadlock when destructor calls `RemoveBackup()`.
+1. **Different GC timing**: musl's allocator has different behavior
+2. **Different memory layout**: Affects when/how freed memory gets reused
+3. **Smaller default stack**: May affect call depth where crashes happen
+4. **No recursive mutex protection**: glibc may be more forgiving of mistakes
 
 ### Files to Study
 
-| File                                  | What to Look For                     |
-| ------------------------------------- | ------------------------------------ |
-| `src/upstream/node_sqlite.cc:685-791` | Upstream backup tracking pattern     |
-| `src/sqlite_impl.cpp:1530-1560`       | Our new backup tracking              |
-| `src/sqlite_impl.cpp:3097-3135`       | BackupJob constructor (registration) |
-| `src/sqlite_impl.cpp:1001-1005`       | InternalClose calls FinalizeBackups  |
+| File                            | What to Look For                    |
+| ------------------------------- | ----------------------------------- |
+| `src/sqlite_impl.cpp:1516-1545` | DeleteAllSessions mutex pattern     |
+| `src/sqlite_impl.cpp:2977-2989` | Session::SetSession reference setup |
+| `src/sqlite_impl.cpp:2991-3013` | Session::Delete cleanup             |
+| `src/sqlite_impl.cpp:1787-1797` | StatementSync reference pattern     |
+
+---
+
+## Audit: Other Potential Issues
+
+### Checked and Safe
+
+| Component      | Has Reference? | Bulk Cleanup?    | Status |
+| -------------- | -------------- | ---------------- | ------ |
+| StatementSync  | Yes            | No bulk cleanup  | Safe   |
+| Session        | Yes (fixed)    | DeleteAllSessions| Fixed  |
+| BackupJob      | N/A (captures) | FinalizeBackups  | Safe   |
+
+### How to Check for Similar Issues
+
+```bash
+# Find all ObjectReference members
+grep -n "ObjectReference\|FunctionReference" src/sqlite_impl.h
+
+# Find all bulk cleanup functions
+grep -n "DeleteAll\|FinalizeAll\|ClearAll" src/sqlite_impl.cpp
+
+# Find all mutex usages
+grep -n "lock_guard\|mutex_" src/sqlite_impl.cpp
+```
+
+---
+
+## Validation
+
+- [x] Root causes identified and documented
+- [x] Session fixes implemented (3 commits)
+- [x] Local tests pass: `npm t` (793 tests)
+- [x] Linting passes: `npm run lint`
+- [ ] **REMAINING: CI validation on Alpine**
+
+### Test Commands
+
+```bash
+# Full test suite
+npm run build:native:rebuild && npm run build:dist && npm test
+
+# Session-specific tests
+npm test -- session-lifecycle session-callback
+
+# Local Alpine test
+docker run --rm -v "$(pwd)":/host:ro node:22-alpine sh -c '\
+  cp -r /host /work && cd /work && \
+  apk add build-base python3 py3-setuptools && \
+  npm ci --ignore-scripts && npx node-gyp rebuild && \
+  npm run build:dist && npm test -- --no-coverage'
+```
+
+---
 
 ## Remaining Work
 
 ### Task: Validate CI Stability
 
-**Success**: 10 consecutive CI runs pass without native crashes
+**Success**: CI runs pass without SIGSEGV on Alpine
 
 **Implementation**:
 
-1. Push the fix to trigger CI
-2. Monitor CI runs for crashes
-3. If crashes persist, they're a different bug (open new TPP)
+1. Push fixes (already committed locally)
+2. Monitor CI runs for Alpine test-alpine jobs
+3. If crashes persist on different tests, investigate new location
 
 **If crashes continue**:
 
-- Check crash location (different from `source_->connection()`?)
-- Look for other raw pointers in async contexts
-- Grep: `grep -rn "AsyncProgressWorker\|AsyncWorker" src/*.cpp`
+1. Check which test file crashes (may shift around due to Jest worker assignment)
+2. Look for pattern: Does crash always involve Session, Statement, or Backup?
+3. Check for other `ObjectReference` cleanup paths: `grep -n "\.Reset()" src/*.cpp`
 
 **Completion checklist**:
 
 - [ ] Push changes
-- [ ] 10 CI runs complete
-- [ ] No SIGSEGV/SIGTRAP crashes
+- [ ] test-alpine jobs pass for all Node versions (20, 22, 23, 24)
+- [ ] test-alpine jobs pass for both architectures (x64, arm64)
+- [ ] No SIGSEGV/SIGTRAP crashes in 5+ consecutive runs
 - [ ] Move TPP to `doc/done/`
 
-## Notes
+---
+
+## Commits Summary
 
-The fix is complete and tested locally. The only remaining step is CI validation to confirm the flaky crashes are resolved in the actual CI environment where they occurred.
+| Commit    | Description                                      |
+| --------- | ------------------------------------------------ |
+| `a151cb6` | Add `database_ref_` to Session                   |
+| `fb283df` | Release `database_ref_` in DeleteAllSessions     |
+| `dadbb86` | Release mutex before GC-triggering operations    |
+| `5d86172` | Fix multi-process test expected values (unrelated) |