MultiRangeHttpFetcher::ReceivedBytes should signal the caller correctly.
HttpFetcherDelegate::ReceivedBytes requires a delegate to return false
to signal the caller to terminate. However, the overload in
MultiRangeHttpFetcher::ReceivedBytes missed that and wrongly returned
true instead.
As a result, we observed the following crash while running an ASAN
build.
FileFetcher::OnReadDoneCallback()
|
| called its delegate of MultiRangeHttpFetcher
|
-- MultiRangeHttpFetcher::ReceivedBytes()
|
| requested fetchers to terminate
|
-- fetcher->TerminateTransfer()
|
|-- MultiRangeHttpFetcher::TerminateTransfer()
|
-- FileFetcher::TerminateTransfer()
|
-- MultiRangeHttpFetcher::TransferTerminated()
|
|-- DownloadAction::TransferTerminated()
|
|-- ActionProcessor::ActionComplete()
|
| DownloadAction / MultiRangeHttpFetcher /
| FileFetcher all destroyed
|
| (but it didn't signal the caller to terminate)
|
| FileFetcher proceeded to call FileFetcher::ScheduleRead() that accessed
| already freed memory
While fixing the above issue, a separate bug in
LibcurlHttpFetcher::LibcurlWrite was uncovered, where in_write_callback_
wasn't properly reset.
Bug: 120577143
Test: Build and flash an ASAN build on taimen. Applying a payload with
file:// no longer crashes with tag-mismatch.
Test: Run update_engine_unittests.
Change-Id: I66c862ae40accbfaddc41fb8590b152c2169eea6
diff --git a/common/multi_range_http_fetcher.cc b/common/multi_range_http_fetcher.cc
index 0a19c6a..d39b7f9 100644
--- a/common/multi_range_http_fetcher.cc
+++ b/common/multi_range_http_fetcher.cc
@@ -111,6 +111,7 @@
pending_transfer_ended_ = true;
LOG(INFO) << "Terminating transfer.";
fetcher->TerminateTransfer();
+ return false;
}
return true;
}