Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_update_engine / 9ce452b6acd95899e9adb17c2935012625163dc6^! / . / libcurl_http_fetcher.cc
commit9ce452b6acd95899e9adb17c2935012625163dc6[log] [tgz]
authorDarin Petkov <petkov@chromium.org>Wed Nov 17 14:33:28 2010 -0800
committerDarin Petkov <petkov@chromium.org>Wed Nov 17 14:33:28 2010 -0800
treec20e9407270739c597b4846fa594f47668aed019
parente237d19031bbea506931f60708200e71008151e1 [diff] [blame]
AU: Fix potential issues with premature destruction of HTTP fetchers.

This patch adds a new TransferTerminated callback to the
HttpFetcher class. It fixes two potential memory corruption
issues with premature destruction of HttpFetcher instances:

1. When MultiHttpFetcher completes a range, it terminates
the current fetcher and starts the next one, if any. Change
so that the next fetcher is started when the
TransferTerminated callback is received from the current
fetcher. This prevents the multi fetcher from sending a
TransferComplete/TransferTerminated callbacks before the
underlying fetcher is cleaned up, which may lead to the
fetchers being destroyed prematurely.

2. If the download action fails due to a failed write,
terminate the transfer and then wait for the transfer
terminated callback before notifying the action processor
that the action is complete. Otherwise, the action may get
destroyed before the transfer is actually terminated
possibly leading to memory corruption, etc.

Hopefully these changes fix crosbug.com/8798.

BUG=8798
TEST=unit tests, tested on device with write errors

Change-Id: If416b95625ab31662f2e1308df6bdd1757a2ad78

Review URL: http://codereview.chromium.org/5009009

diff --git a/libcurl_http_fetcher.cc b/libcurl_http_fetcher.cc
index d5358bd..b65d6b1 100644
--- a/libcurl_http_fetcher.cc
+++ b/libcurl_http_fetcher.cc

@@ -28,6 +28,8 @@
 }  // namespace {}
 
 LibcurlHttpFetcher::~LibcurlHttpFetcher() {
+  LOG_IF(ERROR, transfer_in_progress_)
+      << "Destroying the fetcher while a transfer is in progress.";
   CleanUp();
 }
 
@@ -135,11 +137,20 @@
   CurlPerformOnce();
 }
 
+void LibcurlHttpFetcher::ForceTransferTermination() {
+  CleanUp();
+  if (delegate_) {
+    // Note that after the callback returns this object may be destroyed.
+    delegate_->TransferTerminated(this);
+  }
+}
+
 void LibcurlHttpFetcher::TerminateTransfer() {
-  if (in_write_callback_)
+  if (in_write_callback_) {
     terminate_requested_ = true;
-  else
-    CleanUp();
+  } else {
+    ForceTransferTermination();
+  }
 }
 
 void LibcurlHttpFetcher::CurlPerformOnce() {
@@ -152,7 +163,7 @@
   while (CURLM_CALL_MULTI_PERFORM == retcode) {
     retcode = curl_multi_perform(curl_multi_handle_, &running_handles);
     if (terminate_requested_) {
-      CleanUp();
+      ForceTransferTermination();
       return;
     }
   }