#903 Make cancellation thread-safe

Author: mrotteveel

devdoc/jdp/jdp-2026-01-additional-locking-for-sending-in-wire-protocol.adoc

@@ -5,8 +5,8 @@
 
 == Status
 
-* Draft
-* Proposed for: Jaybird 7
+* Published: 2026-01-10
+* Implemented in: Jaybird 7
 
 == Type
 
@@ -18,13 +18,13 @@ With Jaybird 3, we implemented support for protocol 12 and cancellation.
 We wanted to avoid an overly complex solution with overlapping locks to perform separate locking for sending and receiving, or switching to NIO.
 
 We decided to take the chance and implement cancellation in a way that is not thread-safe, by sending the cancellation message without taking out the connection lock.
-(The connection lock covers sending and receiving, making cancellation only occur after the operation if you try it under that lock.)
+(The connection lock covers sending and receiving, making cancellation only occur after the blocking operation if you try it under that lock.)
 This can lead to the cancellation message being sent in the middle of a normal message.
 This then results in the server receiving a corrupt message, with undefined results (e.g. errors, the server doing the wrong thing, or the connection being terminated).
-We tried to reduce this risk by first constructing the message on a separate `XdrOutputStream`, and then sending the resulting byte array at once.
+We tried to reduce this risk by first constructing the message on a separate `XdrOutputStream`, and then sending the resulting byte array at once, skipping the buffer of `XdrOutputStream`.
 
-We've now received reports that indicate this can occur when performing rapid cancellation, where the cancellation might overlap with the statement execute (or another action).
-We've been able to produce a broken connection with rapid cancellation;
+We've now received reports that problems can occur when performing rapid cancellation, where the cancellation might overlap with the statement execute (or another action).
+We have been able to produce a broken connection with rapid cancellation;
 this was a different issue than reported, though.
 
 The native implementation is not affected (and if it were, it is probably not an issue we can address within Jaybird).
@@ -33,60 +33,75 @@ The native implementation is not affected (and if it were, it is probably not an
 
 As we now have a clear case that our not thread-safe solution can actually fail in production, we will need to address the thread-safety of cancellation.
 
-For the wire protocol, we will add a "`transmit`"-lock which should _only_ cover transmitting (sending) messages to the server.
-This lock should _not_ cover receiving messages, and preferably not cover other actions unrelated to sending messages to the server.
-The "`transmit`"-lock should be held for the sending of an entire message.
+For the wire protocol, we will add a "`transmit`" lock which should _only_ cover transmitting (sending) messages to the server.
+This lock *must not* cover receiving messages, and preferably should not cover other actions unrelated to sending messages to the server.
+
+The transmit lock *must* be held for the sending of an entire message.
 When multiple messages are batched without an interleaved receive of responses, it should be considered carefully if the lock should cover individual messages or the entire batch.
+When deferred response are registered, this *must* be done outside the transmit lock, as registering a deferred response can trigger a blocking read from the server if too many messages are pending.
+
+Flushing *must* be done under transmit lock, but can be done separately if needed.
 
-For normal operations, the "`transmit`"-lock should be taken out while the normal connection lock is held (i.e. within a try-with-resources calling `withLock()`).
-For the cancellation operation, and possibly other "`out-of-band`" transmissions, only the "`transmit`"-lock should be taken out;
-this can probably be done within implementations of `FbWireOperations.writeDirect(byte[])`.
+For normal operations, the transmit lock *must* be obtained, held, and released while the normal connection lock is held (i.e. within a try-with-resources calling `withLock()`).
+For the cancellation operation -- and other "`out-of-band`" transmissions -- only the transmit lock should be obtained.
 
-The lock will use a `java.util.concurrent.locks.ReentrantLock` (see also <<rejected>>).
+The lock used is a `java.util.concurrent.locks.ReentrantLock` (see also <<rejected>>).
 
-Exact details of use will be fleshed out during implementation, but `XdrStreamAccess` is probably the right place to provide access to this lock.
-We will provide two methods of taking out the lock:
+The transmit lock is located within the `XdrStreamAccess` implementation of `WireConnection`, and its API provides access to the lock.
+We provide one method for taking out the lock:
 
-. `LockCloseable withTransmitLock()` -- for use with try-with-resources in the same fashion as the `withLock()` method(s) for the connection lock
-. `void withTransmitLock(TransmitAction transmitAction) throws SQLException, IOException` where `TransmitAction` is a functional interface with a method `void transmit(XdrOutputStream xdrOut) throws SQLException, IOException`
-+
-If possible, the `IOException` should be left out of the throws lists of `withTransmitLock(TransmitAction)` and maybe `transmit(XdrOutputStream)` by using `FbExcepionBuilder.ioWriteError(IOException)`, but right now we can't oversee if that is always possible.
-On the other hand, we could always fall back on the first option if there are cases where an `IOException` must be thrown.
+`void withTransmitLock(TransmitAction transmitAction) throws SQLException, IOException` where `TransmitAction` is a functional interface with a method `void transmit(XdrOutputStream xdrOut) throws SQLException, IOException`.
 
-If needed, implementation classes (but not the `FbWireXXX` interfaces) may provide the same methods (e.g. as `protected`) for purposes of code simplication, as long as they ultimately call the actual locking methods.
+Implementation classes -- but not the `FbWireXXX` interfaces -- may provide the same method (e.g. as `protected`) for purposes of code simplication, as long as they ultimately call the actual locking method.
 
-The latter should also be viewed as an experiment if in the future we can use a similar alternative for `withLock()`.
-If during implementation this turns out to be too cumbersome, this may need to be revisited, and maybe we'll only implement the first option.
+The `withTransmitLock(TransmitAction)` method should also be viewed as an experiment if in the future we can use a similar alternative for the `withLock()` method for obtaining the connection lock.
 
-During implementation, this will be done first in the `FbWireStatement` implementations and the `FbWireOperations.writeDirect(byte[])` method as a proof of concept.
-If this proof of concept fails to resolve the broken connection issue we can reproduce, we will need to rethink this approach.
+The `writeDirect(byte[])` methods skipping the buffer are removed: out-of-band operations must be written through the normal `XdrOutputStream` under the transmit lock.
 
 Given the invasiveness of this change, it will not be backported to Jaybird 5 and 6.
-We will consider a reduced solution, only covering `FbWireStatement` implementations, to address the immediate thread-safety problem of statement cancellation.
+We will consider a reduced solution, for example only covering `FbWireStatement` implementations, to address the immediate thread-safety problem of statement cancellation.
 Such a reduced solution could still cause problems if statement cancellation is done while the connection is performing a non-statement operation.
 If we decide to go for such a solution for Jaybird 5 and/or 6, it will be covered by a separate JDP.
 
 [#rejected]
 === Rejected options
 
+==== Non-reentrant lock
+
 As the lock is generally uncontested, we considered using a simple spinlock on an `AtomicBoolean` or a volatile `int` field (with help of `AtomicIntegerFieldUpdater`) instead of a full-blown lock.
-Unfortunately, there may be cases where we need reentrancy of the lock due to implementation of protocol versioning (e.g. an overloaded method calling its parent and then doing something that should be done within the "`transmit`"-lock).
+Such a lock would not be reentrant.
+Unfortunately, there may be cases where we need reentrancy due to implementation of protocol versioning (e.g. overloads calling different methods that also obtain the transmit lock while it is already held).
+
+[NOTE]
+====
+Actual implementation has shown that reentrancy can be avoided.
+However, switching to a non-reentrant lock comes with risk of deadlock if we do -- intentionally or accidentally -- nest calls that (try to) obtain the transmit lock.
+We're also no convinced such a simpler lock would actually perform better in practice.
+
+In short, we'll stick with the reentrant lock as that is less brittle, and less surprising.
+====
+
+==== Providing a `withTransmitLock` method returning a `LockCloseable`
+
+Initially, we proposed adding a second method to `XdrStreamAccess`, `LockCloseable withTransmitLock()` which works similar as the `withLock()` methods for obtaining the connection lock.
 
-If during implementation it turns out that this is not a problem (e.g. because the lock can be taken out by the callers of such overloaded methods), we can revisit this decision.
+During implementation, we discovered that we don't really needed this method, and providing only the `withTransmitLock(TransmitAction)` methods provides a simpler, intention-revealing API.
+So, we removed this method from the design described under <<_decision>>.
 
 == Consequences
 
-The entire wire protocol implementation is revised to take out the "`transmit`"-lock during sending.
+The entire wire protocol implementation is revised to obtain the transmit lock for the duration of sending a message.
 
-The javadoc of `FbWireOperations.writeDirect(byte[])` is revised to remove mention of race conditions.
-The javadoc of other methods, etc., are revised as needed.
+Various methods in the implementation classes change signature, or are removed or renamed for consistency.
+(Some more details are provided in the Jaybird 7 release notes.)
 
 "`Normal`" users of the JDBC driver and the internal GDS-ng API, are not affected -- there is no change in the methods they call, or the operation or behaviour of the driver (except cancellation is now thread-safe).
 
-Implementers of Jaybird forks or alternative wire protocol versions building on the `org.firebirdsql.gds.ng.wire` package and related packages and classes will need to change their code to correctly take out the "`transmit`"-lock during transmission to the server.
+Implementers of Jaybird forks or alternative wire protocol versions building on classes in `org.firebirdsql.gds.ng.wire` package and "`sub`"-packages will need to change their code to correctly obtain the transmit lock during transmission to the server.
 
-It is possible that this change will not fully address cancellation issues (e.g. we suspect deferred response handling might need additional work, and result sets may need to be invalidated/closed by cancellation);
-this will be subject to further investigation after this thread-safety issue has been addressed.
+It is possible that this change will not fully address cancellation issues.
+We suspect deferred response handling might need additional work, and result sets may need to be invalidated/closed by cancellation.
+This will be subject to further investigation after this thread-safety issue has been addressed.
 
 [appendix]
 == License Notice

src/docs/asciidoc/release_notes.adoc

@@ -17,11 +17,11 @@
 :fb-canonical-html: https://firebirdsql.org/docs/drivers/java/7.0.x/release_notes.html
 
 ////
-SPDX-FileCopyrightText: Copyright 2021-2025 Firebird development team and individual contributors
+SPDX-FileCopyrightText: Copyright 2021-2026 Firebird development team and individual contributors
 SPDX-FileCopyrightText: Copyright 2002 David Jencks
 SPDX-FileCopyrightText: Copyright 2002-2003 Rick Fincher
 SPDX-FileCopyrightText: Copyright 2004-2010 Roman Rokytskyy
-SPDX-FileCopyrightText: Copyright 2012-2025 Mark Rotteveel
+SPDX-FileCopyrightText: Copyright 2012-2026 Mark Rotteveel
 SPDX-License-Identifier: LicenseRef-PDL-1.0
 ////
 
@@ -58,7 +58,7 @@ Possible workarounds:
 --
 +
 This is caused by https://github.com/FirebirdSQL/firebird/issues/4971[firebird#4971]
-* In Java 24, the mapping of some named `WITH TIME ZONE` values changed as Java's mapping of short IDs changed.
+* In Java 24 and higher, the mapping of some named `WITH TIME ZONE` values changed as Java's mapping of short IDs changed.
 This should only affect cases where you explicitly obtain `ZonedDateTime` or `ZonedTime` instances with these named zones.
 +
 --
@@ -627,6 +627,13 @@ For further details, see https://github.com/FirebirdSQL/jaybird/blob/master/devd
 
 * Changed the documentation of `FirebirdDatabaseMetaData` methods `getProcedureSourceCode`, `getTriggerSourceCode` and `getViewSourceCode` that the object not being found is reported by a `null` value, not a `SQLException`.
 With this change, the documentation reflects the actual behaviour.
+* Fixed: race condition during cancellation (https://github.com/FirebirdSQL/jaybird/issues/903[#903])
++
+This change introduce an additional lock during transmit (sending to the server).
+Maintainers of Jaybird forks, or implementers of custom wire protocol implementations subclassing classes in `org.firebirdsql.gds.ng.wire` and related packages will need to take out this transmit lock when sending to the server.
+The change also lead to incompatible changes to protected methods in the various protocol implementation classes, like adding an `XdrOutputStream` parameter to various methods, and methods renamed for consistency.
++
+See also https://github.com/FirebirdSQL/jaybird/blob/master/devdoc/jdp/jdp-2026-01-additional-locking-for-sending-in-wire-protocol.adoc[jdp-2026-01: Additional locking for sending in wire protocol].
 * ...
 
 [#compatibility-changes]
@@ -812,12 +819,49 @@ If you are confronted with such a change, let us know on {firebird-java}[firebir
 
 * `FbAttachment`
 ** The `close()` method should no longer throw an exception if already closed, or not connected/attached.
+* `WireConnection`
+** Method `writeDirect(byte[])` was removed;
+use the `XdrOutputStream` under the transmit lock.
 * `FbWireAsynchronousChannel`
 ** `connect(String, int, int)` was replaced by `connect(String, int)`
 * `FbWireOperations`
 ** The `ProcessAttachCallback` parameter of `authReceiveResponse` was removed, as all implementations did nothing, and since protocol 13, it wasn't only called for the attach response
 ** Interface `ProcessAttachCallback` was removed
+** Method `writeDirect(byte[])` was removed;
+use the `XdrOutputStream` under the transmit lock.
 * The internal interface `org.firdsql.jdbc.field.BlobListenableField` was renamed to `BlobField` due to increased responsibilities
+* `XdrOutputStream`
+* `writeDirect(byte[])` was removed;
+use the `XdrOutputStream` under the transmit lock.
+* `XdrStreamAccess`
+** Method `withTransmitLock(TransmitAction)` was added for using the `XdrOutputStream` under the transmit lock.
+This method should be preferred over calling `getXdrOut()`.
+`TransmitAction` is a functional interface with method `transmit(XdrOutputStream xdrOut) throws IOException, SQLException`.
+* Various wire protocol implementation classes (in `org.firebirdsql.gds.ng.wire` and "`sub`"-packages)
++
+See also https://github.com/FirebirdSQL/jaybird/blob/master/devdoc/jdp/jdp-2026-01-additional-locking-for-sending-in-wire-protocol.adoc[jdp-2026-01: Additional locking for sending in wire protocol].
++
+** Methods `protected XdrOutputStream getXdrOut()` were removed;
+the replacement is `protected void withTransmitLock(TransmitAction)`.
+This was done to enforce use of the transmit lock.
+** When sending data to the server, the transmit lock *must* be taken out, and it *must* be released before performing another blocking action like reading (receiving) data from the server.
+For this purpose, use `withTransmitLock(TransmitAction)`.
+** Some protected methods for sending messages to the server were renamed for consistency;
+in general, methods of the form `sendXxx`, `sendXxxPacket`, `sendXxxMessage`, or `doXxxPacket`, or similar, to `sendXxxMsg` (where _Xxx_ is a name of the message action or type).
+** Some protected methods for sending messages or (partial) data to the server received an additional `XdrOutputStream` parameter.
++
+Usually, callers of these methods are responsible for taking out the transmit lock.
+** The protected methods for sending messages to the server (the `sendXxxMsg` methods mentioned earlier) now consistently do not call `flush()` on the `XdrOutputStream` to simplify protocol versioning of the messages.
+The caller is now responsible for flushing (if needed).
+** Additional protected methods were added (or were changed from private) for sending messages to the server.
+* `V10Statement`
+** `sendPrepareMsg` (previously `sendPrepare`) no longer calls `switchState(StatementState.PREPARING)`;
+this is now done by its callers.
++
+Subclasses overriding this method must ensure they do not switch state to `PREPARING` themselves, and callers must ensure they switch state before calling this method.
+* `V16Statement`
+** the `sendBatchMsg` protected method -- accepting `RowDescriptor` and `Collection<RowValue>` -- was made private.
+The new protected method of the same name is _only_ responsible for sending the `op_batch_msg` itself, not the subsequent row data.
 
 [#breaking-changes-unlikely]
 === Unlikely breaking changes
@@ -841,7 +885,7 @@ The following methods will be removed in Jaybird 8:
 
 * `WireConnection.getProtocolMinimumType()` -- use `WireConnection.getProtocolType()`
 +
-Might still be removed before Jaybird 7 final release as this is internal API, and unlikely to be used in user code.
+This method might still be removed before Jaybird 7 final release as this is internal API, and unlikely to be used in user code.
 
 [#removal-of-deprecated-classes-8]
 ===== Removal of deprecated classes
@@ -904,9 +948,9 @@ you may only use this Documentation if you comply with the terms of this License
 A copy of the License is available at https://firebirdsql.org/en/public-documentation-license/.
 
 The Original Documentation is "`Jaybird {version_wo_target} Release Notes`".
-The Initial Writer of the Original Documentation is Mark Rotteveel, Copyright © 2012-2025.
+The Initial Writer of the Original Documentation is Mark Rotteveel, Copyright © 2012-2026.
 All Rights Reserved.
-(Initial Writer contact(s): _unknown_).
+(Initial Writer contact(s): mark (at) lawinegevaar (dot) nl).
 
 Contributor(s): David Jencks, Rick Fincher, Roman Rokytskyy. +
 Portions created by David Jencks are Copyright © 2002.

src/main/org/firebirdsql/gds/impl/wire/XdrOutputStream.java

@@ -7,7 +7,7 @@
  SPDX-FileCopyrightText: Copyright 2003 Ryan Baldwin
  SPDX-FileCopyrightText: Copyright 2005 Steven Jardine
  SPDX-FileCopyrightText: Copyright 2015 Hajime Nakagami
- SPDX-FileCopyrightText: Copyright 2011-2024 Mark Rotteveel
+ SPDX-FileCopyrightText: Copyright 2011-2026 Mark Rotteveel
  SPDX-License-Identifier: LGPL-2.1-or-later
 */
 package org.firebirdsql.gds.impl.wire;
@@ -44,7 +44,7 @@ public final class XdrOutputStream extends BufferedOutputStream implements Encry
     public static final int SPACE_BYTE = 0x20;
     public static final int NULL_BYTE = 0x0;
     private static final int TEXT_PAD_LENGTH = BUF_SIZE;
-    private static final byte[] TEXT_PAD = createPadding(BUF_SIZE, SPACE_BYTE);
+    private static final byte[] TEXT_PAD = createPadding(TEXT_PAD_LENGTH, SPACE_BYTE);
     private static final int ZERO_PAD_LENGTH = 3;
     private static final byte[] ZERO_PADDING = new byte[ZERO_PAD_LENGTH];
 
@@ -363,19 +363,6 @@ public void setCipher(Cipher cipher) throws IOException {
         encrypted = true;
     }
 
-    /**
-     * Writes directly to the {@code OutputStream} of the underlying socket.
-     *
-     * @param data
-     *         data to write
-     * @throws IOException
-     *         for errors writing to the socket
-     */
-    public void writeDirect(byte[] data) throws IOException {
-        out.write(data);
-        out.flush();
-    }
-
     @SuppressWarnings("java:S2177")
     private void flushBuffer() throws IOException {
         if (count > 0) {