Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_update_engine / 9ce452b6acd95899e9adb17c2935012625163dc6^! / . / download_action.cc
commit9ce452b6acd95899e9adb17c2935012625163dc6[log] [tgz]
authorDarin Petkov <petkov@chromium.org>Wed Nov 17 14:33:28 2010 -0800
committerDarin Petkov <petkov@chromium.org>Wed Nov 17 14:33:28 2010 -0800
treec20e9407270739c597b4846fa594f47668aed019
parente237d19031bbea506931f60708200e71008151e1 [diff] [blame]
AU: Fix potential issues with premature destruction of HTTP fetchers.

This patch adds a new TransferTerminated callback to the
HttpFetcher class. It fixes two potential memory corruption
issues with premature destruction of HttpFetcher instances:

1. When MultiHttpFetcher completes a range, it terminates
the current fetcher and starts the next one, if any. Change
so that the next fetcher is started when the
TransferTerminated callback is received from the current
fetcher. This prevents the multi fetcher from sending a
TransferComplete/TransferTerminated callbacks before the
underlying fetcher is cleaned up, which may lead to the
fetchers being destroyed prematurely.

2. If the download action fails due to a failed write,
terminate the transfer and then wait for the transfer
terminated callback before notifying the action processor
that the action is complete. Otherwise, the action may get
destroyed before the transfer is actually terminated
possibly leading to memory corruption, etc.

Hopefully these changes fix crosbug.com/8798.

BUG=8798
TEST=unit tests, tested on device with write errors

Change-Id: If416b95625ab31662f2e1308df6bdd1757a2ad78

Review URL: http://codereview.chromium.org/5009009

diff --git a/download_action.cc b/download_action.cc
index c17d7e2..d06fb79 100644
--- a/download_action.cc
+++ b/download_action.cc

@@ -25,6 +25,7 @@
     : prefs_(prefs),
       writer_(NULL),
       http_fetcher_(http_fetcher),
+      code_(kActionCodeSuccess),
       delegate_(NULL),
       bytes_received_(0) {}
 
@@ -101,10 +102,12 @@
     LOG_IF(WARNING, writer_->Close() != 0) << "Error closing the writer.";
     writer_ = NULL;
   }
-  http_fetcher_->TerminateTransfer();
   if (delegate_) {
     delegate_->SetDownloadStatus(false);  // Set to inactive.
   }
+  // Terminates the transfer. The action is terminated, if necessary, when the
+  // TransferTerminated callback is received.
+  http_fetcher_->TerminateTransfer();
 }
 
 void DownloadAction::SeekToOffset(off_t offset) {
@@ -119,8 +122,11 @@
     delegate_->BytesReceived(bytes_received_, install_plan_.size);
   if (writer_ && writer_->Write(bytes, length) < 0) {
     LOG(ERROR) << "Write error -- terminating processing.";
+    // Don't tell the action processor that the action is complete until we get
+    // the TransferTerminated callback. Otherwise, this and the HTTP fetcher
+    // objects may get destroyed before all callbacks are complete.
+    code_ = kActionCodeDownloadWriteError;
     TerminateProcessing();
-    processor_->ActionComplete(this, kActionCodeDownloadWriteError);
     return;
   }
   // DeltaPerformer checks the hashes for delta updates.
@@ -194,4 +200,10 @@
   processor_->ActionComplete(this, code);
 }
 
+void DownloadAction::TransferTerminated(HttpFetcher *fetcher) {
+  if (code_ != kActionCodeSuccess) {
+    processor_->ActionComplete(this, code_);
+  }
+}
+
 };  // namespace {}