Add expo-sqlite, the ability to test it, and a promisifying wrapper

[gnprice]

This accomplishes a first stage of #4841, sound storage with SQLite. In this PR, we gain the ability to use SQLite from our JS code.

The core of this is that we use expo-sqlite, and we add a small wrapper to give a nice Promise-based interface atop its callbacks-based API.

The first complication is that expo-sqlite does not run in Jest: expo/expo#15125 . If we're going to write code that uses SQL to manage our users' data, we'll certainly want to have the ability to test that code. We fix that by pulling in sqlite3 to get SQLite in Node (where Jest runs), and then writing a small amount of JS code to provide a version of expo-sqlite atop that.

The next complication or two is that expo-sqlite (really its dependency @expo/websql, aka node-websql) does not handle transactions well (chat discussion):

• If you start a transaction which starts making some changes, then throws an exception before it makes the other half of the needed changes… the transaction gets committed, with the half-done changes you've made so far. Yikes!
• If you start a transaction which executes a SQL statement, the statement finishes, and then your resulting callback throws an exception… the transaction, and the whole database object, get stuck in a wedged state where nothing else you do will ever run.
  • This is better than committing a half-done transaction (because at least it won't permanently corrupt your actual data), but still not good. The right behavior would be to roll back the transaction.
• If you start a transaction and then do some asynchronous work, the transaction will go ahead and commit with the changes you've made so far, without waiting for the other statements you were about to try to add to it.
  • This is less severe than the first issue because code that hits it is likely to hit it 100% of the time, so that it's caught in development.
  • But it's a blocker for us being able to have, say, a transaction that reads some data from our upcoming AsyncStorage replacement, decompresses it to get meaningful app-level data, does something with that, compresses the results, and writes those back -- which is exactly what a typical migration will look like for us in that system as we continue making changes to the data structures we keep in Redux. That's because our compression and decompression is done asynchronously, with a round-trip to native code.
  • Transactions auto-close when queuing microtasks between executeSql() calls nolanlawson/node-websql#46 describes a narrowed-down version of this issue.

Happily we're able to work around those issues with a small amount of additional code in our promisifying wrapper. Then we also write tests, not only for the desired behavior in the wrapper but to exercise the underlying broken behavior. Those get somewhat more complicated, particularly because the bad behavior involves unhandled exceptions and Jest doesn't take those quietly.

Together that seems like plenty for one PR. The actual AsyncStorage replacement we'll save for the next PR after this one.

The workaround isn't awesome: in particular it busy-waits, so that if you do something async that could take a long time without needing the CPU, like a network request, the workaround will burn CPU (and hence power) while waiting for it. Moreover, while some of the issues are bugs that could be fixed in the underlying layers, others -- in particular the incompatibility with async work in a transaction -- are inherent in the API. So as a later followup we may want to cut out the JS code of expo-sqlite and its dependencies entirely, rather than working around it on top. But this version works correctly, which I think makes it good enough to build on and move forward for now.

(An earlier version of this, together with some of the changes to come after it, was a draft PR #5157.)

[chrisbobbe]

Great! See some comments below, including one (edit: #5184 (comment)) to help me get a better handle on the bundles of things we're fixing with these libraries. I'll also force-push with the ios/Podfile.lock change mentioned in one of the comments.

[chrisbobbe]

deps: Add expo-sqlite

We should also run pod install at this commit, so the change is propagated to ios/Podfile.lock. I'll force-push with this done in case you don't have your Mac handy. 🙂

[gnprice]

Thanks! 🙂 I do have the Mac handy (on my desk at home, it's here right next to my main desktop) but had forgotten to test there.

[chrisbobbe]

expo-sqlite tests: Get a working `immediate` in Jest

[…]

In Jest tests, that doesn't work; the symptom is that the test hangs
and then times out at 5 seconds, not having completed.  Looking at the
`immediate` implementation, it relies on `setTimeout` -- so that'd do it.

[…]

I don't yet understand this; is the issue that we can't expect setTimeout to be available in the Jest environment? We can, can't we?

[gnprice]

It's present but mocked out:
https://jestjs.io/docs/timer-mocks
(see also our async-test.js), and as a result when something running under a test creates a timer (as with setTimeout), the timer callback may not be run unless the test calls jest.runAllTimers() or one of its friends. Plus, as you can see in async-test.js, and more so in the "our promisified sqlite > transaction with internal asynchrony …" test added in this series, even doing that can get hairy because the jest.runAllTimers() isn't effective before the timer has actually been created.

As that same "transaction with internal asynchrony" test illustrates, this applies even if the setTimeout duration is zero, as it is in the immediate implementation (which just doesn't pass a second argument to setTimeout.)

---

After looking harder at that immediate implementation, I think the setTimeout is actually on a bit of a side path of the control flow -- the thing that's actually at issue here is process.nextTick. (Which is a Node thing that's a lot like setTimeout(…, 0) but runs before those do.)

But it looks like Jest's fake timers (the "modern" version, which we're using these days) override that too. If I put this in a test:

  const p = new Promise(r => process.nextTick(() => { console.log('B'); r(); }));
  console.log('A');
  //   await p; // this will hang
  jest.advanceTimersByTime(1);
  console.log('C');
  await p; // this is fine
  console.log('D');

it prints A, B, C, D in that order. And if I uncomment the await p that's before the advanceTimersByTime, then it hangs there.

[gnprice]

See also the comments I just left on https://gist.github.com/apieceofbart/e6dea8d884d29cf88cdb54ef14ddbcc4 , which I found when trying to understand how Jest interacts with process.nextTick and had some helpful examples.

[chrisbobbe]

Cool, this is making more sense.

There's some talk about having "modern" fake timers give you the option to not have nextTick mocked: jestjs/jest#10221 (comment)

But even with a not-mocked nextTick, it sounds like we'd still want this change, because setTimeout is involved—

[…] (The
implementation also uses `setTimeout`, in what seems to be a
convoluted substitute for try/catch.  So that'd be an additional
reason it wouldn't work, if it got that far.)

—and Jest's fake timers will always mock setTimeout.

[gnprice]

Yeah.

FWIW now that I understand process.nextTick better, I'm fairly confident that the right thing is for Jest to not mock it by default. (Previously I didn't feel I understood the issue well enough to have a firm opinion.)

Details in chat here: https://chat.zulip.org/#narrow/stream/243-mobile-team/topic/Node.20process.2EnextTick/near/1307747
(mainly so that if it ever comes up in the future, we have a good shot at finding the discussion again.)

[chrisbobbe]

  /**
   * Suppress some otherwise-unhandled Promise rejections.
   * 
   * […]
   */

"Some" is kind of vague; is that OK?

In _exec, we've wrapped one—of two—calls to callback with a try/catch. callback itself isn't an async function, so I guess it's appropriate that we don't await the callback call inside the try.

[gnprice]

I think being vague here is basically OK, because only a few tests will use it.

Probably a try/catch around that other callback call site would make sense. I'll add that. That might also give me a clean less-vague description to give this allowUnhandled method.

[chrisbobbe]

nit: invariant goes above the blank line, right, with the other third-party imports?

[chrisbobbe]

When I click the "Display the rich diff" button (a sheet-of-paper icon) on the yarn.lock changes in this commit in the GitHub UI, I see some security warnings about tar:

Here's yarn why tar:

yarn why v1.22.10
[1/4] 🤔  Why do we have the module "tar"...?
[2/4] 🚚  Initialising dependency graph...
[3/4] 🔍  Finding dependency...
[4/4] 🚡  Calculating file sizes...
=> Found "tar@2.2.2"
info Reasons this module exists
   - "sqlite3#node-gyp" depends on it
   - Hoisted from "sqlite3#node-gyp#tar"
info Disk size without dependencies: "1.49MB"
info Disk size with unique dependencies: "1.67MB"
info Disk size with transitive dependencies: "2.14MB"
info Number of shared dependencies: 13
=> Found "node-pre-gyp#tar@4.4.19"
info This module exists because "sqlite3#node-pre-gyp" depends on it.
info Disk size without dependencies: "232KB"
info Disk size with unique dependencies: "508KB"
info Disk size with transitive dependencies: "612KB"
info Number of shared dependencies: 8
✨  Done in 0.65s.

Looks like sqlite3 brings in node-gyp which brings in tar at an offending version.

I can't yet tell how much we might or might not need to worry about these. I think TryGhost/node-sqlite3#1493 is the issue where the warnings are being tracked in sqlite3.

[gnprice]

Hmm. Yeah, seems like sqlite3 is not being particularly maintained.

Perhaps I'll switch to the vscode folks' fork of it, as discussed here: TryGhost/node-sqlite3#1493 (comment)

[gnprice]

OK, looking into it, I don't think the vscode fork is really any more maintained -- they've pretty clearly signaled it's for their own internal use, and the way they've treated it is all consistent with that: microsoft/vscode-node-sqlite3#14 (comment)

Instead, I'll just bump the node-gyp version in a Yarn resolution: TryGhost/node-sqlite3#1493 (comment)

[chrisbobbe]

@expo/websql

FYI expo/node-websql#1

[gnprice]

Yep, thanks for reporting that. I did locate (I forget how) that that seemed to be the repo that package was published from; it'd be good for it to update its "repository" metadata on NPM to match.

[chrisbobbe]

// […] to get the whole
// database object stuck if a statement callback throws an exception.

Wow, glad you caught this! Do you think there might be lingering cases to be handled where the whole DB object can get stuck? I wonder if we could get good logging to Sentry when this happens.

Does this happen when an error is thrown from within an error callback, not a success callback, and should we handle that as well?

[gnprice]

Do you think there might be lingering cases to be handled where the whole DB object can get stuck? I wonder if we could get good logging to Sentry when this happens.

Yeah, good question. I'm not prepared to rule out that that could happen, but I think it would at least be a distinct issue -- I think this issue is completely resolved by what's in the wrapper now.

Specifically the issue is that in node_modules/@expo/websql/lib/websql/WebSQLDatabase.js, the _running property on the WebSQLDatabase instance gets set to true, blocking any new transactions, and won't get set back to false until _onTransactionComplete is called. Looking at its sibling WebSQLTransaction.js, it won't call that until the transaction's own _running property gets set back to false. And at the call sites of batchTask.sqlCallback and batchTask.sqlErrorCallback, if those throw an exception then that propagates right past where we were going to call the local onDone, which was the place that was supposed to set ._running back to false.

In our wrapper, the callbacks passed to executeSql are always trivial and shouldn't throw; they just resolve or reject a promise. So their caller in WebSQLTransaction.js should always get through them and make it to onDone, so things don't get stuck. (If app code hits an error, that happens in the promise's callback (or further down the line), after we resolve or reject it and after we've returned to the WebSQLTransaction code to let it complete its work.) That leaves the danger it'll go ahead and commit when it shouldn't.

And that in turn is resolved by the hold loop keeping something in the queue, and putting something error-causing there when the transaction should fail.

Does this happen when an error is thrown from within an error callback, not a success callback, and should we handle that as well?

Yeah, as described above, it does and we do. "A statement callback" was meant to cover both kinds of callbacks from executeSql, but could perhaps be more explicit.

[gnprice]

Added a link in that code comment back to this subthread.

[chrisbobbe]

Interesting. It looks like tx.executeSql('SELECT error') is meant to cause an error beneath the application-level code, and that's how we cause the transaction to roll back (rather than, I dunno, some bit of API on the transaction object).

[gnprice]

Exactly. There is no such API on the transaction object, sadly… unless you count this, and other variations of "attempt an invalid statement".

That aspect goes back to the old proposed Web standard that the API is based on:
https://www.w3.org/TR/webdatabase/#asynchronous-database-api

[chrisbobbe]

I guess it'd be pretty pathological for a future/different @expo/websql implementation to have executeSql call the callback synchronously. When that occurred to me, I was more convinced that we can't have an infinite recursion problem here. (Right?)

I wonder about a strain on performance caused by these rapid-fire 'SELECT 1' statements at all the different layers. There will be more two-way traffic on the React Native bridge; I'm not sure what that might mean for memory. Worth at least manually testing how it feels when we're writing something huge, like users on CZO, in a future PR where we start actually using this new storage setup.

[gnprice]

I guess it'd be pretty pathological for a future/different @expo/websql implementation to have executeSql call the callback synchronously. When that occurred to me, I was more convinced that we can't have an infinite recursion problem here. (Right?)

Yeah, that would be quite pathological. Generally in a callback-based API, it's a principle of good API behavior that if the callback's invocation is usually asynchronous, or ever asynchronous, or the API looks like it might be asynchronous, then it's only ever invoked asynchronously and never synchronously, i.e. it's never invoked before the API function has returned to its caller. When a callback is sometimes unexpectedly called synchronously, it's tricky for users of the API to avoid having subtle bugs.

There's a bit of discussion of this on a page of Node's docs that I ran across while trying to understand process.nextTick:
https://nodejs.org/en/docs/guides/event-loop-timers-and-nexttick/#why-would-that-be-allowed

More concretely, the Web SQL Database spec which this library generally aims to follow specifically requires that the statement just gets queued up, not synchronously executed:
https://www.w3.org/TR/webdatabase/#executing-sql-statements
and so a fortiori the statement callbacks.

[gnprice]

I wonder about a strain on performance caused by these rapid-fire 'SELECT 1' statements at all the different layers. There will be more two-way traffic on the React Native bridge; I'm not sure what that might mean for memory. Worth at least manually testing how it feels when we're writing something huge, like users on CZO?

Indeed.

Note that as one mitigating factor, the statements are run in order -- so when we queue one of these SELECT 1 statements after some other statement, its callback won't get run (and possibly put another one on the queue) until that other statement completes. I believe that means that in a transaction with N actual app-level statements, this workaround will only add N+2 of these queue-keepalive SELECT 1 statements, no matter how big or slow the app-level statements are.

[chrisbobbe]

when we queue one of these SELECT 1 statements after some other statement, its callback won't get run (and possibly put another one on the queue) until that other statement completes

Mm, interesting, I didn't think of that. That's good, I guess!

I believe that means that in a transaction with N actual app-level statements, this workaround will only add N+2 of these queue-keepalive SELECT 1 statements, no matter how big or slow the app-level statements are.

I think I'm counting N+1. Where do you get the 2 in N+2?

Also, if one of these SELECT 1 statements is alone in the queue and other app-level statements aren't being enqueued, can't we accidentally break such a bound by running SELECT 1 over and over until another app-level statement gets enqueued and gets its turn? I think that could happen if there's some async non-statement work we're waiting for, like compression/decompression steps you mention in the issue description, for migrations. You've mentioned here:

We'll need to be mindful not to put real slow non-database steps in the middle of a transaction, which would be a similarly bad user experience.

I'm not sure what if any noticeable strain on performance these SELECT 1 statements will have. Possibly none or not much.

[gnprice]

I think I'm counting N+1. Where do you get the 2 in N+2?

Hmm, not sure. When I think through it again now I only see N+1 🙂 -- one before each app-level statement, and one at the end.

Also, that is a valid upper bound but here's a tighter one: if the app-level code awaits a tx.executeSql only M times, then we'll have at most M+1 of these SELECT 1 statements. In particular, if you have code like

  db.transaction(tx => {
    tx.executeSql(…);
    tx.executeSql(…);
    tx.executeSql(…);
    tx.executeSql(…);
  });

where you just issue a bunch of statements but don't wait for any of their results, then we'll only do SELECT 1 once.

Also, if one of these SELECT 1 statements is alone in the queue and other app-level statements aren't being enqueued, can't we accidentally break such a bound by running SELECT 1 over and over until another app-level statement gets enqueued and gets its turn? I think that could happen if there's some async non-statement work we're waiting for, like compression/decompression steps you mention in the issue description, for migrations.

Ah, yeah, my comment above was stated too broadly. That's right -- this bound is really about what happens if the app-level code is doing a bunch of SQL statements but not doing anything else that waits for I/O (or for a timer); in other words, if the only things it ever awaits are either a tx.executeSql(…) or a promise that's already resolved.

I'm not sure what if any noticeable strain on performance these SELECT 1 statements will have. Possibly none or not much.

I think a key thing in our usage will be that outside of migrations, all our transactions will be entirely synchronous: they're all inside the replacement AsyncStorage, and those never have a transaction callback wait for anything before enqueueing all the statements it wants to do. So they only ever have a single SELECT 1 added here.

That means the performance impact should be basically limited to migrations. It's pretty OK if those run somewhat slower, because they're infrequent. A migration would have to take over a second for its performance to start really being a problem. Compressing or decompressing a few megabytes should take a very small fraction of that, so it'd have to be a very large slowdown to be a problem.

[chrisbobbe]

Cool, sounds good! Thanks!

[chrisbobbe]

expo-sqlite tests: Show transactions' (non-)handling of exceptions

Is there a connection between the "(non-)handling of exceptions" and the "broken asynchrony handling" (from an earlier commit) that you'd like to highlight? For example, is one a consequence of the other in some interesting way?

Or can I think of these as separate messes that we're cleaning up, as I try to follow everything we're doing in this PR? 🙂

I'll take a closer look once I have your answer. 🙂

[gnprice]

I think they can basically be thought of as separate.

In particular, the Web standards approached these issues in basically the opposite order:

• The Web SQL Database spec requires that exceptions be handled, in a basically reasonable way: if the transaction callback, or a statement callback, raises, then the transaction gets rolled back.

  • So the fact that node-websql doesn't do this is simply a bug.
  • (Reading closely, in the case of a statement error callback the text isn't totally clear about what happens if it raises. But I believe it does end up requiring that that's a rollback -- "the error callback did not return false" includes the case where the error callback didn't return anything and instead threw.)

• But the eager auto-committing that's incompatible with asynchrony in the app code is faithful to the spec.

  And the IndexedDB spec, which is the actual Web standard that came after it, makes the same choice and explicitly explains it:

  Transactions are expected to be short lived. This is encouraged by the automatic committing functionality described below.

  Authors can still cause transactions to run for a long time; however, this usage pattern is not advised as it can lead to a poor user experience.

So in a perfect implementation of the Web SQL draft standard, or of the related actual Web standard, the second of our issues is fixed, but the one we fix first remains unfixed.

---

Re that warning in the IndexedDB spec:

I think what they have in mind for "Authors can still cause transactions to run for a long time" is basically to do something just like our workaround, and to do so in a situation where the thing the workaround waits for is something that potentially takes a truly long time, like a network request. Then the user's device would sit there with its CPU spinning in a loop of SELECT 1 filler requests (just spelled differently because IndexedDB isn't SQL), while the request takes 60 seconds timing out.

We'll need to be mindful not to put real slow non-database steps in the middle of a transaction, which would be a similarly bad user experience. But I have more confidence in us avoiding that than the browser developers have (reasonably!) in the authors of, say, the ad-targeting scripts that are all over any news site and much of the rest of the Web.

[chrisbobbe]

Great, thanks! This is very helpful.

[gnprice]

Thanks @chrisbobbe for the careful review! Replied to threads above, and pushed a revision that I believe addresses all the discussions. Please take a look!

[chrisbobbe]

Great, thanks! I agree that the previous discussions here on the PR are resolved.

I've just gone and caught up on the discussion on CZO. I have one specific comment from that (see below), and I replied there with a more general question: https://chat.zulip.org/#narrow/stream/243-mobile-team/topic/sqlite.20.23M4841/near/1307676

[chrisbobbe]

I think this should say that the query is run in its own transaction.

I think we want to design our wrapper to never expose a way to execute SQL statements outside of a transaction, right? That would solve a potential problem Anders points out on CZO:

[…] you could get incorrect interleaving if the external event triggers a non-transactional query during an asynchronous action inside a transaction?

(It solves it because it prevents us from ever triggering non-transactional queries anywhere.)

[gnprice]

Sure, good thought.

[gnprice]

OK, and merged! Thanks again @chrisbobbe for the thorough reviews.

[chrisbobbe]

Yay, glad to have this in! 😄