photostructure
diff --git a/‎doc/todo/P02-investigate-flaky-native-crashes.md‎
Lines changed: 117 additions & 191 deletions b/‎doc/todo/P02-investigate-flaky-native-crashes.md‎
Lines changed: 117 additions & 191 deletions
@@ -7,223 +7,160 @@
 - **Key Constraints**: Must identify root cause (memory corruption, race condition, or CI environment issue)
 - **Success Validation**: 10 consecutive CI runs without native crashes
 
-## Current Status: FINAL FIX IMPLEMENTED
+## Current Status: ROOT CAUSE IDENTIFIED - REVERT REQUIRED
 
-**Five distinct root causes found and fixed.** Testing shows no crashes in local Alpine Docker tests.
+**The "fixes" since commit `a151cb6` have made things WORSE.** The root cause is adding `Napi::ObjectReference database_ref_` to Session class. This causes N-API reference manipulation during GC finalization, which corrupts V8 on Alpine/musl.
 
-### Evidence of Original Flakiness
-
-Same commit (`80fa40d`) showed different failures across runs:
-
-| Run ID      | Time     | Failed Alpine Jobs    |
-| ----------- | -------- | --------------------- |
-| 21346776312 | 4:56:24Z | **None - all passed** |
-| 21346793811 | 4:57:29Z | x64/23, arm64/24      |
-| 21347456610 | 5:36:26Z | x64/20, arm64/23      |
-
-Crash signals: `SIGSEGV` (segfault), `SIGTRAP` (assertion), `SIGABRT` (abort)
-Affected tests: Various, shifting between runs due to Jest worker assignment
+**CI was stable at commit `50354e1` (Dec 17, 2025 through Jan 12, 2026).** The crashes started after Session "fix" commits began on Jan 26, 2026.
 
 ---
 
-## Root Cause #1: BackupJob Use-After-Free (Fixed 2026-01-26)
-
-**The bug**: `BackupJob` held a raw pointer to `DatabaseSync*` but nothing prevented the database from closing while backup ran on worker thread.
+## Critical Research Findings
 
-**How it manifested**:
+### 1. Node.js Upstream Uses WEAK References for Session
 
-1. User starts backup (`db.backup(...)`)
-2. `BackupJob::Execute()` runs on worker thread
-3. Database closes (test cleanup, GC, etc.)
-4. Worker thread accesses `source_->connection()` → **SIGSEGV**
-
-**Fix**: Capture connection pointer at construction, track backups in database, finalize before close.
-
----
+From `src/upstream/node_sqlite.h`:
+```cpp
+class Session : public BaseObject {
+  Session(Environment* env,
+          v8::Local<v8::Object> object,
+          BaseObjectWeakPtr<DatabaseSync> database,  // WEAK pointer!
+          sqlite3_session* session);
+```
 
-## Root Cause #2: Session Lifecycle Issues (Fixed 2026-01-27/28)
+Node.js uses `BaseObjectWeakPtr` (weak reference), NOT a strong reference. This means:
+- Session does NOT keep database alive
+- Session checks if database is still valid before operations
+- If database is GC'd, Session operations fail gracefully
 
-**Five related bugs** in Session handling caused crashes specifically on Alpine/musl:
+### 2. better-sqlite3 Uses Raw Pointers
 
-### Bug 2a: Session Database Use-After-Free
+From `/home/mrm/src/better-sqlite3/src/objects/statement.cpp`:
+```cpp
+Statement::Statement(Database* db, ...) : db(db) { ... }  // Raw pointer
+Statement::~Statement() {
+  if (alive) db->RemoveStatement(this);  // Just uses raw pointer
+  CloseHandles();
+}
+```
 
-**The bug**: `Session` stored raw `DatabaseSync*` without preventing database from being garbage collected.
+better-sqlite3 relies on JavaScript to maintain references (Statement JS object has `.database` property). The C++ side uses raw pointers.
 
-**Fix**: Added `Napi::ObjectReference database_ref_` to Session (matching StatementSync pattern).
+### 3. N-API Reference Manipulation During GC Causes Crashes
 
-**Commit**: `a151cb6`
+From GitHub issues:
+- [nodejs/node-addon-api#660](https://github.com/nodejs/node-addon-api/issues/660): ObjectWrap destructor crashes due to double napi delete calls
+- [nodejs/node#37236](https://github.com/nodejs/node/issues/37236): Crash on node-api add-on finalization - double-free of RefBase
+- [nodejs/node#27085](https://github.com/nodejs/node/pull/27085): GC finalization stress issues
 
-### Bug 2b: DeleteAllSessions Bypassed Reference Release
+**Key insight**: Calling `Napi::ObjectReference::Reset()` during GC finalization (destructor path) is NOT safe on Alpine/musl. Even the ObjectReference destructor calling `napi_delete_reference` can cause issues.
 
-**The bug**: When `db.close()` calls `DeleteAllSessions()`, it directly sets `session->session_ = nullptr`, causing `Session::Delete()` to return early and never call `database_ref_.Reset()`.
+### 4. The Stable Version Had No `database_ref_`
 
-**Fix**: Call `database_ref_.Reset()` in `DeleteAllSessions()` after cleaning up each session.
+At commit `50354e1` (stable), Session class was simple:
+```cpp
+class Session : public Napi::ObjectWrap<Session> {
+  sqlite3_session *session_ = nullptr;
+  DatabaseSync *database_ = nullptr;  // Just a raw pointer, NO ObjectReference
+};
+```
 
-**Commit**: `fb283df`
+---
 
-### Bug 2c: Mutex Deadlock Causing SIGSEGV
+## Timeline of Changes
 
-**The bug**: `DeleteAllSessions()` held `sessions_mutex_` while calling `database_ref_.Reset()`. Reset can trigger GC, which finalizes other Session objects, which call `Delete()` → `RemoveSession()` → tries to lock already-held mutex → **undefined behavior**.
+| Date | Commit | Description | CI Status |
+|------|--------|-------------|-----------|
+| Dec 17 | `50354e1` | Stable release 0.3.0 | ✅ Green |
+| Jan 12 | - | Last confirmed green CI | ✅ Green |
+| Jan 26 | `a151cb6` | Added `database_ref_` to Session | ❌ Crashes started |
+| Jan 26 | `fb283df` | Release database_ref_ in DeleteAllSessions | ❌ Still crashing |
+| Jan 27 | `dadbb86` | Release mutex before GC operations | ❌ Still crashing |
+| Jan 27 | `3a6aaff` | Prevent double-free in DeleteAllSessions | ❌ Still crashing |
+| Jan 27 | `e1a3fcb` | Prevent dangling pointers | ❌ Still crashing |
+| Jan 29 | `413c93f` | Hold refs during cleanup | ❌ Still crashing |
+| Jan 29 | `611d330` | Skip Reset() in destructor | ❌ Still crashing |
 
-**Fix**: Release mutex before the cleanup loop.
+**Every "fix" commit has failed to resolve the issue because they all keep `database_ref_`.**
 
-**Commit**: `dadbb86`
+---
 
-### Bug 2d: Dangling Pointers During Iteration
+## Recommended Fix: Revert to Simple Design
 
-**The bug**: Calling `database_ref_.Reset()` during iteration could trigger GC, which may finalize Session JS objects still in the iteration list, creating dangling pointers.
+### Option 1: Full Revert (Recommended)
 
-**Initial fix attempt**: Removed `Reset()` calls entirely from `DeleteAllSessions()`.
+Revert Session-related changes back to `b5835fa` (before `a151cb6`):
 
-**Commit**: `e1a3fcb`
+```bash
+git checkout b5835fa -- src/sqlite_impl.cpp src/sqlite_impl.h
+```
 
-### Bug 2e: V8 JIT Corruption on Alpine During Jest Cleanup
+The simple design:
+- Session uses raw `DatabaseSync*` pointer (no ObjectReference)
+- `DeleteAllSessions()` just cleans up SQLite sessions
+- Session::Delete() removes from database's session list
+- No N-API reference manipulation in destructors
 
-**The bug**: When Sessions are GC'd during Jest cleanup (process exit), their `Napi::ObjectReference` destructors call `Reset()`. On Alpine/musl, this corrupts V8's JIT page allocations.
+### Option 2: Match Node.js Upstream Pattern
 
-**How it manifested**:
+If we want Session to survive database GC, implement weak reference pattern:
+1. Don't hold strong reference to database
+2. Check if database is still valid before operations
+3. Return error if database was closed/GC'd
 
-1. Tests pass, Jest begins cleanup
-2. V8 runs GC, finalizing Session objects
-3. Session destructors trigger `Napi::ObjectReference` cleanup
-4. V8 JIT corruption: `Check failed: it != jit_page_->allocations_.end()`
-5. **SIGSEGV** or **SIGABRT**
+### Why Raw Pointers Are OK
 
-**Partial Fix**: Hold strong references to Session JS objects during `DeleteAllSessions()` cleanup, preventing GC from destroying them while we iterate.
+The stable version used raw pointers and worked because:
+1. `db.close()` calls `DeleteAllSessions()` which cleans up SQLite sessions
+2. Session operations check `database_->IsOpen()` before proceeding
+3. If user GC's database without calling close() while holding sessions, that's undefined behavior (same as better-sqlite3)
 
-**Commit**: `413c93f`
+---
 
-### Bug 2f: Explicit Reset() in Destructor Path Corrupts V8 (FINAL FIX)
+## Files Changed by Session "Fixes"
 
-**The bug**: Even with the `DeleteAllSessions()` fix, crashes still occurred when Sessions were GC'd without an explicit `db.close()` call. The root cause: `Session::Delete()` was calling `database_ref_.Reset()` during GC finalization, which corrupts V8's JIT on Alpine/musl.
+All these changes should be reverted:
 
-**Key Insight**: The `Napi::ObjectReference` destructor is designed to be GC-safe. But **explicitly** calling `Reset()` during GC finalization is NOT safe on Alpine/musl.
+**src/sqlite_impl.h:**
+- Added `Napi::ObjectReference database_ref_;` to Session class
+- Added `bool in_destructor_ = false;` flag
 
-**The Fix**: Add an `in_destructor_` flag to Session. When `Delete()` is called from the destructor, skip the explicit `Reset()` call and let the ObjectReference destructor handle cleanup naturally.
+**src/sqlite_impl.cpp:**
+- `Session::SetSession()`: Added `database_ref_ = Napi::Persistent(database->Value());`
+- `Session::Delete()`: Added `database_ref_.Reset()` calls with complex conditional logic
+- `Session::~Session()`: Added `in_destructor_` flag and `SuppressDestruct()` attempts
+- `DeleteAllSessions()`: Changed from simple loop to complex two-pass with session_refs vector
 
-```cpp
-Session::~Session() {
-  in_destructor_ = true;  // Signal we're in destructor path
-  Delete();
-}
+---
 
-void Session::Delete() {
-  // ... existing cleanup code ...
+## Current Working Directory State
 
-  // Only call Reset() if NOT in destructor path
-  // On Alpine/musl, calling Reset() during GC corrupts V8's JIT
-  if (!in_destructor_ && !database_ref_.IsEmpty()) {
-    database_ref_.Reset();
-  }
-  // If in destructor, ObjectReference destructor handles cleanup (GC-safe)
-}
+The code has been reverted to `b5835fa` state:
+```bash
+git checkout b5835fa -- src/sqlite_impl.cpp src/sqlite_impl.h
 ```
 
-**Commit**: (pending)
+**Pending:**
+1. Rebuild: `npm run build:native:rebuild`
+2. Test locally: `npm test`
+3. Test in Alpine Docker
+4. Commit and push
 
 ---
 
-## Reproduction Steps
-
-The crash is **only reproducible in Alpine Docker containers running Jest**:
+## Reproduction Commands
 
 ```bash
-# This command reproduces the crash intermittently
+# Reproduces crash (with current broken code)
 docker run --rm -v "$(pwd)":/host:ro node:24-alpine sh -c '
   cp -r /host /work && cd /work &&
   apk add --no-cache build-base python3 py3-setuptools &&
   npm ci --ignore-scripts && npx node-gyp rebuild &&
   npm run build:dist &&
-  # Run full suite multiple times - crashes during cleanup
-  for i in $(seq 1 10); do
-    node --expose-gc node_modules/jest/bin/jest.js --no-coverage
-  done
-'
-
-# This does NOT crash (skips cleanup):
-node --expose-gc node_modules/jest/bin/jest.js --no-coverage --forceExit
-
-# This does NOT crash (not in Jest):
-node --expose-gc -e '
-  const { DatabaseSync } = require("./dist/index.cjs");
-  for (let i = 0; i < 1000; i++) {
-    const db = new DatabaseSync(":memory:");
-    db.createSession();
-    db.close();
-  }
-  if (global.gc) global.gc();
-  console.log("Success");
+  node --expose-gc node_modules/jest/bin/jest.js --no-coverage
 '
-```
-
----
 
-## Tribal Knowledge
-
-### Pattern: Preventing GC of Parent Objects
-
-When a child object (Session, Statement) holds a pointer to a parent (DatabaseSync), you **must** also hold a reference to prevent GC:
-
-```cpp
-DatabaseSync *database_;              // For fast access
-Napi::ObjectReference database_ref_;  // Prevents GC
-```
-
-### Pattern: Safe Bulk Cleanup with GC
-
-When cleaning up multiple Napi objects that hold ObjectReferences:
-
-```cpp
-// BAD: GC can destroy objects during iteration
-for (auto* obj : objects_copy) {
-  obj->ref_.Reset();  // May trigger GC, destroying other objects in list
-}
-
-// GOOD: Hold references to prevent GC during iteration
-std::vector<Napi::ObjectReference> refs;
-for (auto* obj : objects_copy) {
-  refs.push_back(Napi::Persistent(obj->Value()));
-}
-// Now safe to clean up
-for (auto* obj : objects_copy) {
-  obj->ref_.Reset();
-}
-// refs destructor releases, objects can be GC'd safely
-```
-
-### Why Only Alpine/musl?
-
-1. **Different GC timing**: musl's allocator triggers GC at different points
-2. **V8 JIT sensitivity**: musl's memory layout affects JIT page management
-3. **Process exit behavior**: Cleanup phase differs from glibc
-4. **No recursive mutex protection**: glibc may be more forgiving
-
-### Files to Study
-
-| File                            | What to Look For                    |
-| ------------------------------- | ----------------------------------- |
-| `src/sqlite_impl.cpp:1516-1560` | DeleteAllSessions final fix         |
-| `src/sqlite_impl.cpp:2980-3020` | Session::Delete cleanup             |
-| `src/sqlite_impl.cpp:1845-1853` | StatementSync reference pattern     |
-
----
-
-## Validation
-
-- [x] Root causes identified and documented
-- [x] Session fixes implemented
-- [x] Local tests pass: `npm t` (793 tests)
-- [x] Alpine Docker tests pass without crashes (5+ runs)
-- [x] Linting passes: `npm run lint`
-- [ ] **REMAINING: CI validation on Alpine**
-
-### Test Commands
-
-```bash
-# Full test suite
-npm run build:native:rebuild && npm run build:dist && npm test
-
-# Local Alpine test (the definitive test)
+# Should pass after revert
 docker run --rm -v "$(pwd)":/host:ro node:24-alpine sh -c '
   cp -r /host /work && cd /work &&
   apk add --no-cache build-base python3 py3-setuptools &&
@@ -238,35 +175,24 @@ docker run --rm -v "$(pwd)":/host:ro node:24-alpine sh -c '
 
 ---
 
-## Commits Summary
+## References
 
-| Commit    | Description                                               |
-| --------- | --------------------------------------------------------- |
-| `a151cb6` | Add `database_ref_` to Session                            |
-| `fb283df` | Release `database_ref_` in DeleteAllSessions              |
-| `dadbb86` | Release mutex before GC-triggering operations             |
-| `e1a3fcb` | Remove Reset() from DeleteAllSessions (incomplete fix)    |
-| `413c93f` | Hold refs during cleanup to prevent V8 JIT corruption     |
-| (pending) | Skip Reset() in destructor path - let ObjectRef handle it |
+- [nodejs/node-addon-api#660](https://github.com/nodejs/node-addon-api/issues/660) - ObjectWrap destructor crashes
+- [nodejs/node#37236](https://github.com/nodejs/node/issues/37236) - Crash on node-api add-on finalization
+- [nodejs/node#27085](https://github.com/nodejs/node/pull/27085) - GC finalization stress
+- [lovell/sharp#2570](https://github.com/lovell/sharp/issues/2570) - Segfault on Alpine/musl
+- Node.js upstream: `src/upstream/node_sqlite.h` - Uses `BaseObjectWeakPtr` for Session
+- better-sqlite3: Uses raw pointers, JavaScript manages lifetime
 
 ---
 
-## Remaining Work
-
-### Task: Push and Validate CI
-
-**Success**: CI runs pass without SIGSEGV on Alpine
-
-**Implementation**:
-
-1. Commit the final fix (in_destructor_ flag approach)
-2. Push to trigger CI
-3. Monitor Alpine test jobs
-
-**Completion checklist**:
+## Completion Checklist
 
-- [ ] Commit pushed
-- [ ] test-alpine jobs pass for all Node versions (20, 22, 24, 25)
-- [ ] test-alpine jobs pass for both architectures (x64, arm64)
-- [ ] No SIGSEGV/SIGABRT crashes in 5+ consecutive runs
+- [x] Root cause identified: `database_ref_` ObjectReference added in `a151cb6`
+- [x] Research completed: Node.js upstream and better-sqlite3 patterns documented
+- [x] Code reverted to simple design (b5835fa state)
+- [x] Rebuild and test locally (793 tests passed)
+- [x] Test in Alpine Docker (5 consecutive runs - all passed)
+- [x] Commit revert with clear explanation (8441235)
+- [ ] Push and validate CI
 - [ ] Move TPP to `doc/done/`