| blob | 07b34ae8033a073f4221c53f12d83a69efcd8c5a |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
28 #ifdef XP_WIN
29 # include <windows.h>
30 # include <softpub.h>
31 # include <wintrust.h>
37 // MOZ_LOG=BackgroundFileSaver:5
39 #define LOG(args) MOZ_LOG(prlog, mozilla::LogLevel::Debug, args)
40 #define LOG_ENABLED() MOZ_LOG_TEST(prlog, mozilla::LogLevel::Debug)
42 ////////////////////////////////////////////////////////////////////////////////
43 //// Globals
45 /**
46 * Buffer size for writing to the output file or reading from the input file.
47 */
48 #define BUFFERED_IO_SIZE (1024 * 32)
50 /**
51 * When this upper limit is reached, the original request is suspended.
52 */
53 #define REQUEST_SUSPEND_AT (1024 * 1024 * 4)
55 /**
56 * When this lower limit is reached, the original request is resumed.
57 */
58 #define REQUEST_RESUME_AT (1024 * 1024 * 2)
60 ////////////////////////////////////////////////////////////////////////////////
61 //// NotifyTargetChangeRunnable
63 /**
64 * Runnable object used to notify the control thread that file contents will now
65 * be saved to the specified file.
66 */
79 };
81 ////////////////////////////////////////////////////////////////////////////////
82 //// BackgroundFileSaver
89 }
93 }
95 // Called on the control thread.
110 sThreadCount++;
113 }
116 }
118 // Called on the control thread.
119 NS_IMETHODIMP
124 }
126 // Called on the control thread.
127 NS_IMETHODIMP
131 }
133 // Called on the control thread.
134 NS_IMETHODIMP
142 }
144 // Called on the control thread.
145 NS_IMETHODIMP
148 {
156 }
157 }
159 // After the worker thread wakes up because attention is requested, it will
160 // rename or create the target file as requested, and start copying data.
162 }
164 // Called on the control thread.
165 NS_IMETHODIMP
167 nsresult rv;
169 // This will cause the NS_AsyncCopy operation, if it's in progress, to consume
170 // all the data that is still in the pipe, and then finish.
174 // Ensure that, when we get attention from the worker thread, if no pending
175 // rename operation is waiting, the operation will complete.
176 {
181 }
182 }
184 // After the worker thread wakes up because attention is requested, it will
185 // process the completion conditions, detect that completion is requested, and
186 // notify the main thread of the completion. If this function was called with
187 // a success code, we wait for the copy to finish before processing the
188 // completion conditions, otherwise we interrupt the copy immediately.
190 }
192 NS_IMETHODIMP
196 // Ensure Personal Security Manager is initialized. This is required for
197 // PK11_* operations to work.
204 }
206 NS_IMETHODIMP
209 // We acquire a lock because mSha256 is written on the worker thread.
213 }
216 }
218 NS_IMETHODIMP
222 // Ensure Personal Security Manager is initialized.
229 }
231 NS_IMETHODIMP
235 // We acquire a lock because mSignatureInfo is written on the worker thread.
239 }
243 }
245 }
247 // Called on the control thread.
250 nsresult rv;
254 // We only require attention one time. If this function is called two times
255 // before the worker thread wakes up, and the first has aShouldInterruptCopy
256 // false and the second true, we won't forcibly interrupt the copy from the
257 // control thread. However, that never happens, because calling Finish with a
258 // success code is the only case that may result in aShouldInterruptCopy being
259 // false. In that case, we won't call this function again, because consumers
260 // should not invoke other methods on the control thread after calling Finish.
261 // And in any case, Finish already closes one end of the pipe, causing the
262 // copy to finish properly on its own.
265 }
268 // Background event queues are not shutdown and could be called after
269 // the queue is reset to null. To match the behavior of nsIThread
270 // return NS_ERROR_UNEXPECTED
273 }
275 // Copy is not in progress, post an event to handle the change manually.
279 NS_DISPATCH_EVENT_MAY_BLOCK);
283 // Interrupt the copy. The copy will be resumed, if needed, by the
284 // ProcessAttention function, invoked by the AsyncCopyCallback function.
286 }
288 // Indicate that attention has been requested successfully, there is no need
289 // to post another event until the worker thread processes the current one.
293 }
295 // Called on the worker thread.
296 // static
298 // We called NS_ADDREF_THIS when NS_AsyncCopy started, to keep the object
299 // alive even if other references disappeared. At the end of this method,
300 // we've finished using the object and can safely release our reference.
303 {
306 // Now that the copy was interrupted or terminated, any notification from
307 // the control thread requires an event to be posted to the worker thread.
310 // When detecting failures, ignore the status code we use to interrupt.
314 }
315 }
318 }
320 // Called on the worker thread.
322 nsresult rv;
324 // This function is called whenever the attention of the worker thread has
325 // been requested. This may happen in these cases:
326 // * We are about to start the copy for the first time. In this case, we are
327 // called from an event posted on the worker thread from the control thread
328 // by GetWorkerThreadAttention, and mAsyncCopyContext is null.
329 // * We have interrupted the copy for some reason. In this case, we are
330 // called by AsyncCopyCallback, and mAsyncCopyContext is null.
331 // * We are currently executing ProcessStateChange, and attention is requested
332 // by the control thread, for example because SetTarget or Finish have been
333 // called. In this case, we are called from from an event posted through
334 // GetWorkerThreadAttention. While mAsyncCopyContext was always null when
335 // the event was posted, at this point mAsyncCopyContext may not be null
336 // anymore, because ProcessStateChange may have started the copy before the
337 // event that called this function was processed on the worker thread.
338 // If mAsyncCopyContext is not null, we interrupt the copy and re-enter
339 // through AsyncCopyCallback. This allows us to check if, for instance, we
340 // should rename the target file. We will then restart the copy if needed.
342 // mAsyncCopyContext is only written on the worker thread (which we are on)
344 {
345 // Even though we're the only thread that writes this, we have to take the
346 // lock
351 }
352 }
353 // Use the current shared state to determine the next operation to execute.
356 // If something failed while processing, terminate the operation now.
357 {
362 }
363 }
364 // Ensure we notify completion now that the operation failed.
366 }
369 }
371 // Called on the worker thread.
373 nsresult rv;
375 // We might have been notified because the operation is complete, verify.
378 }
380 // Get a copy of the current shared state for the worker thread.
387 {
397 // From now on, another attention event needs to be posted if state changes.
399 }
401 // The initial target can only be null if it has never been assigned. In this
402 // case, there is nothing to do since we never created any output file.
405 }
407 // Determine if we are processing the attention request for the first time.
410 // Assign the target file for the first time.
413 }
415 // Verify whether we have actually been instructed to use a different file.
416 // This may happen the first time this function is executed, if SetTarget was
417 // called two times before the worker thread processed the attention request.
423 // If we were asked to rename the file but the initial file did not exist,
424 // we simply create the file in the renamed location. We avoid this check
425 // if we have already started writing the output file ourselves.
430 }
432 // We are moving the previous target file to a different location.
437 nsAutoString renamedTargetName;
441 // We must delete any existing target file before moving the current
442 // one.
448 }
450 // Move the file. If this fails, we still reference the original file
451 // in mActualTarget, so that it is deleted if requested. If this
452 // succeeds, the nsIFile instance referenced by mActualTarget mutates
453 // and starts pointing to the new file, but we'll discard the reference.
456 }
458 // We should not only update the mActualTarget with renameTarget when
459 // they point to the different files.
460 // In this way, if mActualTarget and renamedTarget point to the same file
461 // with different addresses, "CheckCompletion()" will return false
462 // forever.
463 }
465 // Update mActualTarget with renameTarget,
466 // even if they point to the same file.
469 }
471 // Notify if the target file name actually changed.
473 // We must clone the nsIFile instance because mActualTarget is not
474 // immutable, it may change if the target is renamed later.
485 }
488 // The pending rename operation might be the last task before finishing. We
489 // may return here only if we have already created the target file.
492 }
494 // Even if the operation did not complete, the pipe input stream may be
495 // empty and may have been closed already. We detect this case using the
496 // Available property, because it never returns an error if there is more
497 // data to be consumed. If the pipe input stream is closed, we just exit
498 // and wait for more calls like SetTarget or Finish to be invoked on the
499 // control thread. However, we still truncate the file or create the
500 // initial digest context if we are expected to do that.
505 }
506 }
508 // Create the digest if requested and NSS hasn't been shut down.
512 }
514 // When we are requested to append to an existing file, we should read the
515 // existing data and ensure we include it as part of the final hash.
523 // Try to clean up the inputStream if an error occurs.
534 // We reached the end of the file.
536 }
541 // The pending resume operation may have been cancelled by the control
542 // thread while the worker thread was reading in the existing file.
543 // Abort reading in the original file in that case, as the digest will
544 // be discarded anyway.
548 }
549 }
551 // Close explicitly to handle any errors.
555 }
556 }
558 // We will append to the initial target file only if it was requested by the
559 // caller, but we'll always append on subsequent accesses to the target file.
565 }
567 // Create the target file, or append to it if we already started writing it.
568 // The 0600 permissions are used while the file is being downloaded, and for
569 // interrupted downloads. Those may be located in the system temporary
570 // directory, as well as the target directory, and generally have a ".part"
571 // extension. Those part files should never be group or world-writable even
572 // if the umask allows it.
584 // Wrap the output stream so that it feeds the digest if needed.
586 // Constructing the DigestOutputStream cannot fail. Passing mDigest
587 // to DigestOutputStream is safe, because BackgroundFileSaver always
588 // outlives the outputStream. BackgroundFileSaver is reference-counted
589 // before the call to AsyncCopy, and mDigest is never destroyed
590 // before AsyncCopyCallback.
592 }
594 // Start copying our input to the target file. No errors can be raised past
595 // this point if the copy starts, since they should be handled by the thread.
596 {
607 }
608 }
610 // If the operation succeeded, we must ensure that we keep this object alive
611 // for the entire duration of the copy, since only the raw pointer will be
612 // provided as the argument of the AsyncCopyCallback function. We can add the
613 // reference now, after NS_AsyncCopy returned, because it always starts
614 // processing asynchronously, and there is no risk that the callback is
615 // invoked before we reach this point. If the operation failed instead, then
616 // AsyncCopyCallback will never be called.
620 }
622 // Called on the worker thread.
624 nsresult rv;
627 {
634 }
636 // If an error occurred, we don't need to do the checks in this code block,
637 // and the operation can be completed immediately with a failure code.
641 // We did not incur in an error, so we must determine if we can stop now.
642 // If the Finish method has not been called, we can just continue now.
645 }
647 // We can only stop when all the operations requested by the control
648 // thread have been processed. First, we check whether we have processed
649 // the first SetTarget call, if any. Then, we check whether we have
650 // processed any rename requested by subsequent SetTarget calls.
654 }
656 // If we still have data to write to the output file, allow the copy
657 // operation to resume. The Available getter may return an error if one
658 // of the pipe's streams has been already closed.
663 }
664 }
667 }
669 // Ensure we notify completion now that the operation finished.
670 // Do a best-effort attempt to remove the file if required.
673 }
675 // Finish computing the hash
683 }
684 }
686 // Compute the signature of the binary. ExtractSignatureInfo doesn't do
687 // anything on non-Windows platforms except return an empty nsIArray.
689 nsString filePath;
696 }
697 }
699 // Post an event to notify that the operation completed.
703 NS_DISPATCH_NORMAL))) {
705 }
708 }
710 // Called on the control thread.
714 }
717 }
719 // Called on the control thread.
723 nsresult status;
724 {
727 }
731 // If mObserver keeps alive an enclosure that captures `this`, we'll have a
732 // cycle that won't be caught by the cycle-collector, so we need to break it
733 // when we're done here (see bug 1444265).
735 }
737 // At this point, the worker thread will not process any more events, and we
738 // can shut it down. Shutting down a thread may re-enter the event loop on
739 // this thread. This is not a problem in this case, since this function is
740 // called by a top-level event itself, and we have already invoked the
741 // completion observer callback. Re-entering the loop can only delay the
742 // final release and destruction of this saver object, since we are keeping a
743 // reference to it through the event object.
746 sThreadCount--;
748 // When there are no more active downloads, we consider the download session
749 // finished. We record the maximum number of concurrent downloads reached
750 // during the session in a telemetry histogram, and we reset the maximum
751 // thread counter for the next download session
754 sTelemetryMaxThreadCount);
756 }
759 }
763 {
767 }
768 }
769 #ifdef XP_WIN
770 // Setup the file to check.
777 // We want to check it is signed and trusted.
788 // Disallow revocation checks over the network
790 // no UI
794 // The WINTRUST_ACTION_GENERIC_VERIFY_V2 policy verifies that the certificate
795 // chains up to a trusted root CA and has appropriate permissions to sign
796 // code.
798 // Check if the file is signed by something that is trusted. If the file is
799 // not signed, this is a no-op.
802 // According to the Windows documentation, we should check against 0 instead
803 // of ERROR_SUCCESS, which is an HRESULT.
806 }
808 // Lock because signature information is read on the main thread.
811 // A binary may have multiple signers. Each signer may have multiple certs
812 // in the chain.
818 }
824 }
831 X509_ASN_ENCODING) {
833 }
838 }
841 }
842 }
843 }
844 // Free the provider data if cryptoProviderData is not null.
849 }
850 #endif
852 }
854 ////////////////////////////////////////////////////////////////////////////////
855 //// BackgroundFileSaverOutputStream
859 nsIOutputStreamCallback)
868 }
870 NS_IMETHODIMP
873 NS_IMETHODIMP
876 NS_IMETHODIMP
879 }
881 NS_IMETHODIMP
885 }
887 NS_IMETHODIMP
891 }
893 NS_IMETHODIMP
898 }
900 NS_IMETHODIMP
903 }
905 NS_IMETHODIMP
908 }
910 NS_IMETHODIMP
920 aEventTarget);
921 }
923 NS_IMETHODIMP
932 }
934 ////////////////////////////////////////////////////////////////////////////////
935 //// BackgroundFileSaverStreamListener
942 nsAsyncCopyProgressFun
945 }
947 NS_IMETHODIMP
952 }
954 NS_IMETHODIMP
956 nsresult aStatusCode) {
957 // If an error occurred, cancel the operation immediately. On success, wait
958 // until the caller has determined whether the file should be renamed.
961 }
964 }
966 NS_IMETHODIMP
971 nsresult rv;
975 // Read the requested data. Since the pipe has an infinite buffer, we don't
976 // expect any write error to occur here.
981 // If reading from the input stream fails for any reason, the pipe will return
982 // a success code, but without reading all the data. Since we should be able
983 // to read the requested data when OnDataAvailable is called, raise an error.
987 }
990 {
1000 }
1001 }
1002 }
1006 }
1009 }
1011 // Called on the worker thread.
1012 // static
1018 // Wait if the control thread is in the process of suspending or resuming.
1021 // This function is called when some bytes are consumed by NS_AsyncCopy. Each
1022 // time this happens, verify if a suspended request should be resumed, because
1023 // we have now consumed enough data.
1030 // Post an event to verify if the request should be resumed.
1034 self,
1036 NS_DISPATCH_NORMAL))) {
1038 }
1039 }
1040 }
1041 }
1043 // Called on the control thread.
1045 // Prevent the worker thread from changing state while processing.
1050 // Try to suspend the request. If this fails, don't try to resume later.
1055 }
1056 }
1059 // Resume the request only if we succeeded in suspending it.
1064 }
1065 }
1066 }
1069 }
1071 ////////////////////////////////////////////////////////////////////////////////
1072 //// DigestOutputStream
1079 }
1081 NS_IMETHODIMP
1084 NS_IMETHODIMP
1087 NS_IMETHODIMP
1090 NS_IMETHODIMP
1097 }
1099 NS_IMETHODIMP
1102 // Not supported. We could read the stream to a buf, call DigestOp on the
1103 // result, seek back and pass the stream on, but it's not worth it since our
1104 // application (NS_AsyncCopy) doesn't invoke this on the sink.
1106 }
1108 NS_IMETHODIMP
1112 }
1114 NS_IMETHODIMP
1117 }
1119 #undef LOG_ENABLED