Fix deadlock when canceling queries stuck in VDBE or busy handler

[mjc]

Partially addresses elixir-sqlite/exqlite#192.

Summary

This PR fixes a deadlock where DBConnection.disconnect/2 could block forever while closing a connection whose dirty NIF thread was still inside SQLite. The dirty NIF execution model is unchanged; the fix is to make the blocked SQLite operation cancellable so it can release conn->mutex and allow close to finish.

The deadlock can happen in two important cases: a long-running statement inside SQLite VDBE execution, or a statement sleeping in SQLite's busy handler while waiting for a lock. In both cases the NIF call holds conn->mutex. If the pool times out and disconnect tries to close the connection, close also needs conn->mutex, so it waits behind the stuck operation.

What changed

This adds Exqlite.Sqlite3.cancel/1, which sets a connection cancellation flag and calls sqlite3_interrupt(). Exqlite.Connection.disconnect/2 now calls cancel/1 before close/1, so teardown can interrupt a running statement or cause a busy wait to stop retrying.

This replaces SQLite's default busy handler with an Exqlite busy handler. The handler preserves SQLite's default retry delay schedule, stores the timeout in conn->busy_timeout_ms, sleeps with sqlite3_sleep(), and checks the cancellation flag between sleeps. This avoids the non-cancellable behavior of SQLite's default busy handler while keeping the implementation portable.

This adds Exqlite.Sqlite3.set_busy_timeout/2 and changes connection setup to use it instead of PRAGMA busy_timeout. PRAGMA busy_timeout calls sqlite3_busy_timeout(), which installs SQLite's default busy handler and replaces any custom handler. The new API updates Exqlite's stored timeout without destroying the cancellable busy handler.

This adds a configurable progress handler interval through Exqlite.Sqlite3.set_progress_handler_steps/2 and the :progress_handler_steps connection option. The default is 1000 VDBE steps. Values less than 1 disable the progress handler for callers that want to avoid that overhead.

The shared cancellation flag is protected by interrupt_mutex. The busy handler, progress handler, cancel/1, and close/destructor paths read or write that flag under the same lock. The busy-timeout and progress-handler-step fields are also updated under interrupt_mutex.

User-facing behavior

High-level users who configure :busy_timeout on Exqlite.start_link/1 or an Ecto SQLite repo should not need to change anything. The connection setup path now applies that timeout through Exqlite.Sqlite3.set_busy_timeout/2.

Low-level users who execute PRAGMA busy_timeout = ... directly should migrate to Exqlite.Sqlite3.set_busy_timeout/2 if they want to keep cancellation of busy waits. Executing the pragma still works as SQLite behavior, but it replaces Exqlite's custom busy handler with SQLite's default handler, so cancel/1 can no longer stop the busy-handler retry loop before SQLite's busy timeout expires.

Exqlite.Sqlite3.interrupt/1 remains available for SQLite interruption. Exqlite.Sqlite3.cancel/1 is the stronger teardown-oriented API because it sets Exqlite's cancellation flag for the busy/progress handlers and also calls sqlite3_interrupt().

Implementation notes

The busy handler uses SQLite's default delay schedule: 1, 2, 5, 10, 15, 20, 25, 25, 25, 50, 50 ms, then 50 ms for later retries. Cancellation is observed between sleep intervals, so a busy wait exits after the current sleep finishes, with later sleeps capped at 50 ms.

The NIF stores the calling environment and pid while SQLite operations are running so the busy handler can detect when the caller process has died. If the caller is gone, the busy handler sets the cancellation flag and stops retrying.

cancel/1 and interrupt/1 avoid taking conn->mutex while a query may be running. A running SQLite call holds that mutex, so taking it in the cancellation path would block behind the operation we are trying to cancel. The timeout/progress configuration setters still take conn->mutex because they are not used to break a currently running SQLite call.

The NIF resource destructor and close path coordinate through conn->mutex and interrupt_mutex so connection teardown does not race with cancellation state updates or a concurrent interrupt.

The Mix project now tracks the C source files as external resources, and the Makefile emits dependency files for C headers, so C/NIF changes are rebuilt more reliably.

Tests

This PR adds regression coverage for busy-timeout behavior, low-level set_busy_timeout/2, configurable progress-handler steps, cancel/1, connection reuse after cancellation, pool recovery after timeouts, cancellation of busy-handler waits, and close/cancel races.

It also adds sanitizer-tagged stress tests for the cancellation and busy-timeout update paths. Those tests are excluded from the default suite and can be run explicitly with --include sanitizer.

[Copilot]

Pull request overview

This PR addresses a deadlock that can occur when DBConnection.disconnect/2 closes a SQLite connection while a dirty NIF thread is blocked in VDBE execution or the busy handler, by adding a cancellable busy handler plus a new Sqlite3.cancel/1 path to wake/interrupt blocked operations before close/1.

Changes:

• Add a custom busy handler (condvar-based) + progress handler, and new NIF APIs set_busy_timeout/2 and cancel/1 to support fast cancellation.
• Update Exqlite.Connection.disconnect/2 to call Sqlite3.cancel/1 before close/1, and migrate busy-timeout setting away from PRAGMA busy_timeout.
• Expand tests around busy-timeout and cancellation behavior; add build dependency tracking for NIF compilation.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
test/exqlite/sqlite3_test.exs	Adds baseline busy-timeout tests plus coverage for new set_busy_timeout/2 and cancel/1 behavior.
test/exqlite/integration_test.exs	Updates timeout test expectations given query interruption on disconnect.
test/exqlite/cancellation_test.exs	Adds a larger cancellation/deadlock regression suite (tagged :slow_test).
lib/exqlite/sqlite3_nif.ex	Adds NIF function specs for set_busy_timeout/2 and cancel/1, plus external resource tracking.
lib/exqlite/sqlite3.ex	Exposes set_busy_timeout/2 and cancel/1 in the public Elixir API.
lib/exqlite/connection.ex	Calls Sqlite3.cancel/1 during disconnect and switches busy-timeout setup to the new NIF.
c_src/sqlite3_nif.c	Implements cancellable busy handler, progress handler, and the new NIFs.
Makefile	Adds -MMD -MP and includes .d files for header dependency tracking.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[warmwaffles]

This does not fix that issue that is open. There's stuff in that issue that pertains to this, but this does not replace the Dirty NIF execution model.

I'll need to check this out and understand what is going on before we merge it.

[mjc]

Fair point on the execution model — this PR doesn't replace dirty NIFs and doesn't attempt to. The scope is narrower: fixing the specific deadlock where disconnect/2 blocks forever because the dirty NIF thread is stuck sleeping in SQLite's busy handler (with the mutex held), so close() can never acquire it.

The timed_wait_t abstraction is essentially a one-shot binary semaphore — condvar + mutex used purely for signaling. You're right that it has that shape. I chose condvar+mutex over a POSIX semaphore mainly because sem_timedwait has the same CLOCK_REALTIME portability constraint as condvars, and OTP already uses pthreads internally, so it's a closer match to what the runtime does. Happy to rename it cancel_sem_t or add a comment calling it out if that makes the intent clearer.

What this does fix:

• The deadlock: disconnect/2 → cancel() → signals the condvar → busy handler wakes, returns 0 → SQLite releases db->mutex → close() proceeds. Previously it would block until the full busy_timeout expired (up to 30+ seconds).
• VDBE stuck queries: progress handler + sqlite3_interrupt() together let the runtime interrupt long-running in-process queries.

What this does NOT do:

• Replace the dirty NIF execution model
• Fix any of the non-deadlock concerns from Replace DirtyNIF execution model with a different mechanism #192 (e.g., general throughput, non-dirty scheduling)

[warmwaffles]

I would like to stick to using the built in cond and mutex afforded by erl_nif. I don't know what that means for the pthread_cond_timedwait implementation and how that looks with replicating it, but if we stick to the primitives that we have, this will mean we don't have to worry about cross compilation issues as much.

[mjc]

The reason we use pthread_cond_timedwait / SleepConditionVariableCS directly is that OTP doesn't provide enif_cond_timedwait — it was deliberately omitted due to CLOCK_REALTIME portability concerns on POSIX. The busy handler needs "sleep up to N ms, or wake early if cancelled," and enif_cond_wait blocks indefinitely with no timeout parameter, so it can't do this alone.

Worth noting: the CLOCK_REALTIME concern that led OTP to omit enif_cond_timedwait
doesn't really apply here — a clock jump during a 50ms busy handler wait just means
one slightly longer iteration before we check the cancel flag. The total timeout is
tracked independently so it self-corrects on the next wake. But the polling approach
sidesteps this entirely since sqlite3_sleep() is a relative sleep.

The #ifdef _WIN32 / POSIX split covers the same two threading backends OTP uses internally — enif_cond_wait itself is a thin wrapper around pthread_cond_wait on POSIX and SleepConditionVariableCS on Windows. Any target that can run BEAM already provides one of these two (there's no third backend — OTP fails to compile without one). So cross-compiling for e.g. Nerves/ARM works the same as native — the target toolchain provides pthread.h.

Two alternatives if you'd prefer to avoid raw pthreads:

1. enif_cond_wait + watchdog thread: a per-connection enif_thread signals the cond after the timeout expires. Stays within OTP primitives but adds more moving parts.

2. Polling: drop the condvar entirely — busy handler calls sqlite3_sleep(10) in a loop and checks a volatile int cancelled flag after each sleep. No platform #ifdef, no threading primitives at all. Cancel latency goes from instant to worst-case 10ms, which is fine since disconnect timeouts are measured in seconds. This is the simplest approach by far.

Happy to refactor to either if you have a preference.

[warmwaffles]

I'll need to think on this a little more.

I peeked at a pthread_cond_timedwait implementation. Don't know if enif_monotonic_time would be a good choice for the clock portability issue.

[mjc]

If you're open to the polling approach, the busy handler simplifies to roughly:

static int exqlite_busy_handler(void *arg, int count) {
    connection_t *conn = (connection_t *)arg;
    
    if (conn->cancelled) return 0;
    if (!enif_is_process_alive(conn->callback_env, &conn->caller_pid)) return 0;
    
    conn->busy_elapsed_ms += 10;
    if (conn->busy_elapsed_ms >= conn->busy_timeout_ms) return 0;
    
    sqlite3_sleep(10);
    return !conn->cancelled;
}

The entire timed_wait_t platform abstraction goes away — no condvar, no mutex, no #ifdef, no clock concerns. cancel just sets conn->cancelled = 1 and calls sqlite3_interrupt. Happy to refactor to this if it works for you.

[warmwaffles]

The polling solution is a busy wait and would eat unnecessary cpu.

[mjc]

It's not a busy wait — sqlite3_sleep(10) calls through to the SQLite VFS xSleep, which calls usleep()/nanosleep() on POSIX and Sleep() on Windows. The thread is fully descheduled by the OS and consumes zero CPU while sleeping.

In fact, this is exactly what SQLite's own built-in busy handler ( sqliteDefaultBusyCallback does) on the released version of exqlite right now — it calls sqlite3OsSleep() in a loop with increasing delays (1, 2, 5, 10, 15, 20, 25, 50, 100ms). Our polling handler would do the same thing with a fixed 10ms interval, plus a cancellation flag check. The only trade-off vs. a condvar is up to 10ms latency before responding to cancellation.

We could even replicate the same delay ramp that sqliteDefaultBusyCallback uses if desired — since that's what sqlite3_busy_timeout() already does internally, just without the ability to interrupt.

I just liked the condvar solution because it felt more elegant.

[warmwaffles]

Does this current implementation work on Apple silicon?

[mjc]

@warmwaffles yes; I built the condvar version on an M1 Mac originally and tested on Ryzen 9 5950X on Linux. I have not tested windows yet but I can if you wish, I just don't have elixir on my windows machine atm so it'll take a minute.

The sqlite_sleep(n) approach should necessarily work since that's what exqlite was already doing, it's definitely the most portable and simplest choice.

[warmwaffles]

In my other failed game projects I had to use mach_timebase_info_data to get the absolute time.

mach_timebase_info_data_t clock_timebase;
mach_timebase_info(&clock_timebase);

uint64_t mach_absolute = mach_absolute_time();

uint64_t nanos = (double)(mach_absolute * (uint64_t)clock_timebase.numer) / (double)clock_timebase.denom;
return nanos / 1.0e9;

[mjc]

Yeah, mach_absolute_time() is the only way to get monotonic time on macOS since it doesn't support pthread_condattr_setclock(CLOCK_MONOTONIC) for condvars.

But we don't actually need it for either approach:

Condvar approach: We use CLOCK_REALTIME (the pthread_cond_init default) and it works fine — I built and tested it on an M1 Mac. A clock jump during a 50ms condvar wait just means one iteration sleeps slightly too long or too short; the total timeout is tracked by counting elapsed ms across iterations (same as sqliteDefaultBusyCallback), so it self-corrects. Worst case is one extra retry or one early timeout by a few tens of ms, which doesn't meaningfully affect busy handler behavior.

Polling approach: sqlite3_sleep() is a relative sleep with no clock dependency at all — SQLite handles the platform #ifdef internally. We'd replicate sqliteDefaultBusyCallback's backoff ramp (1→2→5→10→...→100ms) and check the cancel flag between each sleep.

Either way, mach_absolute_time isn't needed.

[mjc]

I did a deep dive into the alternative execution models from #192 to see if any of them change what's needed here:

• Yielding NIFs: Not possible — sqlite3_step() is a single opaque C call that can't be paused/resumed, only aborted.
• Threaded NIFs: Worker thread is still inside sqlite3_step() when the caller times out, so you need the exact same cancel flag + sqlite3_interrupt() machinery — but now you've also added a worker thread per connection, a work queue with mutex/condvar, argument marshaling into process-independent envs on every call, and enif_send/receive overhead.
• ADBC's GenServer pattern: ADBC works because its NIFs are non-blocking (return a stream ref, read batches incrementally). sqlite3_step blocks for the entire write/busy-wait, so a GenServer would just deadlock itself.
• NIF resource destructors: Fire on GC, but the process can't be GC'd while blocked on a dirty scheduler — that is the deadlock.

Every execution model ends up requiring the same SQLite-level cancellation: custom busy handler with a cancel flag + sqlite3_interrupt(). The dirty NIF model just determines where the caller blocks, not how you cancel. This matches where #192 landed — José said "I don't think you can replace dirty nifs, that's the way to do C integration."

[mjc]

sorry about all the force pushes; noticed somehow I didn't sign two of the commits. current version has the simpler sleep-based approach.

[warmwaffles]

I don't really mind signed or unsigned commits ¯\_(ツ)_/¯

I just haven't had time to look at this lately

[mjc]

No worries at all, this fix works for me locally so I have no need to rush it to get merged or anything.

[mjc]

rebased to address a conflict. I could also clean up the history when you're ready to give it another look. but also no rush as I can just keep using my branch

[warmwaffles]

revert this

[warmwaffles]

I'll be getting to this soon. I've been extremely busy lately.

[warmwaffles]

I am probably going to merge this and work on it some in another branch.

What is the benefit of throwing volatile here versus just having it be a basic int? I know that volatile is a signal to ensure the compiler doesn't re-arrange order of execution, but what I want to know, is this actually a risk?

[mjc]

That was an oversight from when I backed out the initial proposed handler. No real benefit now that all reads/writes are guarded by interrupt_mutex. volatile does not make this thread-safe, and the mutex is what provides the synchronization here, so I removed it.

[warmwaffles]

@mjc can you update the PR description with the most accurate information you can? I'm going to proof it and then use it for the commit message.

[mjc]

Updated! Happy to help as much as I can, also.

I've been running the previous version (with the condvar) since Feb 1 in a bunch of environments with none of the previous issues and no segfaults.

I still get busy timeouts but that is largely due to not yet quite having exactly the right concurrency model in that specific distributed app - the timeouts make sense and are traced to obvious things I know I need to fix. down like 90% from before though

[warmwaffles]

I still get busy timeouts but that is largely due to not yet quite having exactly the right concurrency model in that specific distributed

I still get this as well, it's been a minor irritant because it backs an MCP server I am running.

[warmwaffles]

If you figure it out, don't hesitate to open another PR.