Fix #189: don't fall back to fork() on macOS; redirect worker stderr

Two changes for the macOS Tahoe segfault reported in issue #189:

1. process_worker_client.py: drop the spawn -> fork fallback when running
   on darwin. macOS Tahoe (26+) widened the set of system libraries that
   abort if initialized after fork() — CoreFoundation, Security.framework,
   libsystem_trace, libsystem_info — so any library the parent has loaded
   (psycopg, getaddrinfo, setproctitle, NSCharacterSet) can crash the
   forked child. Letting spawn fail and surfacing it to the caller lets
   the in-process fallback in query_execution take over instead.

   Cost: query cancellation isn't available when spawn fails. Gain: no
   hard crashes ("Worker connection closed.") on macOS.

2. process_worker.py: redirect the worker's stdout/stderr to a log file
   and enable faulthandler at entry. The worker can SIGPIPE on libpq
   notice writes when its inherited FDs point to a Textual-managed pipe,
   and any future C-level fault on the worker side is otherwise invisible
   to the parent (the pipe just dies). The log path honors
   $SQLIT_WORKER_LOG and defaults to <tmpdir>/sqlit-worker.log.

Refs the celery (Tahoe + setproctitle, celery#9894) and gunicorn
(Tahoe + NSCharacterSet, gunicorn#3526) reports for the broader fork-
safety regression on Tahoe.

Author: brentrager

sqlit/domains/process_worker/app/process_worker.py

@@ -2,14 +2,39 @@
 
 from __future__ import annotations
 
+import faulthandler
+import os
 import pickle
+import sys
+import tempfile
 import threading
 import time
 from collections import deque
 from dataclasses import dataclass, field
 from multiprocessing.connection import Connection
+from pathlib import Path
 from typing import Any
 
+
+def _open_worker_log() -> Any | None:
+    """Open the worker log file, honoring SQLIT_WORKER_LOG when set.
+
+    The parent process may attach this worker to a Textual-managed pipe;
+    libpq notice writes or unexpected stderr output would then SIGPIPE the
+    child. Redirecting both streams to a real file avoids that and gives a
+    place to land C-level fault tracebacks for future diagnosis.
+    """
+    override = os.environ.get("SQLIT_WORKER_LOG")
+    if override:
+        path = Path(override).expanduser()
+    else:
+        path = Path(tempfile.gettempdir()) / "sqlit-worker.log"
+    try:
+        path.parent.mkdir(parents=True, exist_ok=True)
+        return path.open("a", buffering=1)
+    except OSError:
+        return None
+
 from sqlit.domains.connections.domain.config import ConnectionConfig
 from sqlit.domains.connections.providers.catalog import get_provider
 from sqlit.domains.connections.providers.config_service import normalize_connection_config
@@ -493,6 +518,14 @@ def _get_provider(self, db_type: str) -> Any | None:
 
 def run_process_worker(conn: Connection) -> None:
     """Process entrypoint for query execution."""
+    log_file = _open_worker_log()
+    if log_file is not None:
+        sys.stdout = log_file
+        sys.stderr = log_file
+        try:
+            faulthandler.enable(file=log_file)
+        except (RuntimeError, ValueError):
+            pass
     state = _WorkerState(conn=conn)
     try:
         while True:

sqlit/domains/process_worker/app/process_worker_client.py

@@ -63,6 +63,14 @@ def _maybe_fallback_start(self, error: Exception) -> None:
             raise error
         if os.name != "posix" or sys.platform.startswith("win"):
             raise error
+        # macOS (especially Tahoe 26+) aborts in the child whenever a forked
+        # process touches CoreFoundation / Security.framework / os_log —
+        # which happens inside psycopg, getaddrinfo, and many other stdlib
+        # paths. Forking here causes hard segfaults (issue #189), so we
+        # surface the spawn failure and let the caller fall back to
+        # in-process execution.
+        if sys.platform == "darwin":
+            raise error
         try:
             self._start_with_context(get_context("fork"))
         except Exception: