The Tor Browser: toolkit/components/downloads/nsDownloadScanner.cpp@925c144e1f1f (annotated)

toolkit/components/downloads/nsDownloadScanner.cpp@925c144e1f1f (annotated)

toolkit/components/downloads/nsDownloadScanner.cpp

Fri, 16 Jan 2015 18:13:44 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Fri, 16 Jan 2015 18:13:44 +0100
branch: TOR_BUG_9701
changeset 14: 925c144e1f1f
permissions: -rw-r--r--

Integrate suggestion from review to improve consistency with existing code.

 /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* vim: se cin sw=2 ts=2 et : */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #include "nsDownloadScanner.h"
 #include <comcat.h>
 #include <process.h>
 #include "nsDownloadManager.h"
 #include "nsIXULAppInfo.h"
 #include "nsXULAppAPI.h"
 #include "nsIPrefService.h"
 #include "nsNetUtil.h"
 #include "nsDeque.h"
 #include "nsIFileURL.h"
 #include "nsIPrefBranch.h"
 #include "nsXPCOMCIDInternal.h"
 /**
  * Code overview
  *
  * Download scanner attempts to make use of one of two different virus
  * scanning interfaces available on Windows - IOfficeAntiVirus (Windows
  * 95/NT 4 and IE 5) and IAttachmentExecute (XPSP2 and up).  The latter
  * interface supports calling IOfficeAntiVirus internally, while also
  * adding support for XPSP2+ ADS forks which define security related
  * prompting on downloaded content.
  *
  * Both interfaces are synchronous and can take a while, so it is not a
  * good idea to call either from the main thread. Some antivirus scanners can
  * take a long time to scan or the call might block while the scanner shows
  * its UI so if the user were to download many files that finished around the
  * same time, they would have to wait a while if the scanning were done on
  * exactly one other thread. Since the overhead of creating a thread is
  * relatively small compared to the time it takes to download a file and scan
  * it, a new thread is spawned for each download that is to be scanned. Since
  * most of the mozilla codebase is not threadsafe, all the information needed
  * for the scanner is gathered in the main thread in nsDownloadScanner::Scan::Start.
  * The only function of nsDownloadScanner::Scan which is invoked on another
  * thread is DoScan.
  *
  * Watchdog overview
  *
  * The watchdog is used internally by the scanner. It maintains a queue of
  * current download scans. In a separate thread, it dequeues the oldest scan
  * and waits on that scan's thread with a timeout given by WATCHDOG_TIMEOUT
  * (default is 30 seconds). If the wait times out, then the watchdog notifies
  * the Scan that it has timed out. If the scan really has timed out, then the
  * Scan object will dispatch its run method to the main thread; this will
  * release the watchdog thread's addref on the Scan. If it has not timed out
  * (i.e. the Scan just finished in time), then the watchdog dispatches a
  * ReleaseDispatcher to release its ref of the Scan on the main thread.
  *
  * In order to minimize execution time, there are two events used to notify the
  * watchdog thread of a non-empty queue and a quit event. Every blocking wait
  * that the watchdog thread does waits on the quit event; this lets the thread
  * quickly exit when shutting down. Also, the download scan queue will be empty
  * most of the time; rather than use a spin loop, a simple event is triggered
  * by the main thread when a new scan is added to an empty queue. When the
  * watchdog thread knows that it has run out of elements in the queue, it will
  * wait on the new item event.
  *
  * Memory/resource leaks due to timeout:
  * In the event of a timeout, the thread must remain alive; terminating it may
  * very well cause the antivirus scanner to crash or be put into an
  * inconsistent state; COM resources may also not be cleaned up. The downside
  * is that we need to leave the thread running; suspending it may lead to a
  * deadlock. Because the scan call may be ongoing, it may be dependent on the
  * memory referenced by the MSOAVINFO structure, so we cannot free mName, mPath
  * or mOrigin; this means that we cannot free the Scan object since doing so
  * will deallocate that memory. Note that mDownload is set to null upon timeout
  * or completion, so the download itself is never leaked. If the scan does
  * eventually complete, then the all the memory and resources will be freed.
  * It is possible, however extremely rare, that in the event of a timeout, the
  * mStateSync critical section will leak its event; this will happen only if
  * the scanning thread, watchdog thread or main thread try to enter the
  * critical section when one of the others is already in it.
  *
  * Reasoning for CheckAndSetState - there exists a race condition between the time when
  * either the timeout or normal scan sets the state and when Scan::Run is
  * executed on the main thread. Ex: mStatus could be set by Scan::DoScan* which
  * then queues a dispatch on the main thread. Before that dispatch is executed,
  * the timeout code fires and sets mStatus to AVSCAN_TIMEDOUT which then queues
  * its dispatch to the main thread (the same function as DoScan*). Both
  * dispatches run and both try to set the download state to AVSCAN_TIMEDOUT
  * which is incorrect.
  *
  * There are 5 possible outcomes of the virus scan:
  *    AVSCAN_GOOD     => the file is clean
  *    AVSCAN_BAD      => the file has a virus
  *    AVSCAN_UGLY     => the file had a virus, but it was cleaned
  *    AVSCAN_FAILED   => something else went wrong with the virus scanner.
  *    AVSCAN_TIMEDOUT => the scan (thread setup + execution) took too long
  *
  * Both the good and ugly states leave the user with a benign file, so they
  * transition to the finished state. Bad files are sent to the blocked state.
  * The failed and timedout states transition to finished downloads.
  *
  * Possible Future enhancements:
  *  * Create an interface for scanning files in general
  *  * Make this a service
  *  * Get antivirus scanner status via WMI/registry
  */
 // IAttachementExecute supports user definable settings for certain
 // security related prompts. This defines a general GUID for use in
 // all projects. Individual projects can define an individual guid
 // if they want to.
 #ifndef MOZ_VIRUS_SCANNER_PROMPT_GUID
 #define MOZ_VIRUS_SCANNER_PROMPT_GUID \
   { 0xb50563d1, 0x16b6, 0x43c2, { 0xa6, 0x6a, 0xfa, 0xe6, 0xd2, 0x11, 0xf2, \
 xea } }
 #endif
 static const GUID GUID_MozillaVirusScannerPromptGeneric =
   MOZ_VIRUS_SCANNER_PROMPT_GUID;
 // Initial timeout is 30 seconds
 #define WATCHDOG_TIMEOUT (30*PR_USEC_PER_SEC)
 // Maximum length for URI's passed into IAE
 #define MAX_IAEURILENGTH 1683
 class nsDownloadScannerWatchdog
 {
   typedef nsDownloadScanner::Scan Scan;
 public:
   nsDownloadScannerWatchdog();
   ~nsDownloadScannerWatchdog();
   nsresult Init();
   nsresult Shutdown();
   void Watch(Scan *scan);
 private:
   static unsigned int __stdcall WatchdogThread(void *p);
   CRITICAL_SECTION mQueueSync;
   nsDeque mScanQueue;
   HANDLE mThread;
   HANDLE mNewItemEvent;
   HANDLE mQuitEvent;
 };
 nsDownloadScanner::nsDownloadScanner() :
   mAESExists(false)
 {
 }
 // This destructor appeases the compiler; it would otherwise complain about an
 // incomplete type for nsDownloadWatchdog in the instantiation of
 // nsAutoPtr::~nsAutoPtr
 // Plus, it's a handy location to call nsDownloadScannerWatchdog::Shutdown from
 nsDownloadScanner::~nsDownloadScanner() {
   if (mWatchdog)
     (void)mWatchdog->Shutdown();
 }
 nsresult
 nsDownloadScanner::Init()
 {
   // This CoInitialize/CoUninitialize pattern seems to be common in the Mozilla
   // codebase. All other COM calls/objects are made on different threads.
   nsresult rv = NS_OK;
   CoInitialize(nullptr);
   if (!IsAESAvailable()) {
     CoUninitialize();
     return NS_ERROR_NOT_AVAILABLE;
   }
   mAESExists = true;
   // Initialize scanning
   mWatchdog = new nsDownloadScannerWatchdog();
   if (mWatchdog) {
     rv = mWatchdog->Init();
     if (FAILED(rv))
       mWatchdog = nullptr;
   } else {
     rv = NS_ERROR_OUT_OF_MEMORY;
   }
   if (NS_FAILED(rv))
     return rv;
   return rv;
 }
 bool
 nsDownloadScanner::IsAESAvailable()
 {
   // Try to instantiate IAE to see if it's available.
   nsRefPtr<IAttachmentExecute> ae;
   HRESULT hr;
   hr = CoCreateInstance(CLSID_AttachmentServices, nullptr, CLSCTX_INPROC,
                         IID_IAttachmentExecute, getter_AddRefs(ae));
   if (FAILED(hr)) {
     NS_WARNING("Could not instantiate attachment execution service\n");
     return false;
   }
   return true;
 }
 // If IAttachementExecute is available, use the CheckPolicy call to find out
 // if this download should be prevented due to Security Zone Policy settings.
 AVCheckPolicyState
 nsDownloadScanner::CheckPolicy(nsIURI *aSource, nsIURI *aTarget)
 {
   nsresult rv;
   if (!mAESExists || !aSource || !aTarget)
     return AVPOLICY_DOWNLOAD;
   nsAutoCString source;
   rv = aSource->GetSpec(source);
   if (NS_FAILED(rv))
     return AVPOLICY_DOWNLOAD;
   nsCOMPtr<nsIFileURL> fileUrl(do_QueryInterface(aTarget));
   if (!fileUrl)
     return AVPOLICY_DOWNLOAD;
   nsCOMPtr<nsIFile> theFile;
   nsAutoString aFileName;
   if (NS_FAILED(fileUrl->GetFile(getter_AddRefs(theFile))) ||
       NS_FAILED(theFile->GetLeafName(aFileName)))
     return AVPOLICY_DOWNLOAD;
   // IAttachementExecute prohibits src data: schemes by default but we
   // support them. If this is a data src, skip off doing a policy check.
   // (The file will still be scanned once it lands on the local system.)
   bool isDataScheme(false);
   nsCOMPtr<nsIURI> innerURI = NS_GetInnermostURI(aSource);
   if (innerURI)
     (void)innerURI->SchemeIs("data", &isDataScheme);
   if (isDataScheme)
     return AVPOLICY_DOWNLOAD;
   nsRefPtr<IAttachmentExecute> ae;
   HRESULT hr;
   hr = CoCreateInstance(CLSID_AttachmentServices, nullptr, CLSCTX_INPROC,
                         IID_IAttachmentExecute, getter_AddRefs(ae));
   if (FAILED(hr))
     return AVPOLICY_DOWNLOAD;
   (void)ae->SetClientGuid(GUID_MozillaVirusScannerPromptGeneric);
   (void)ae->SetSource(NS_ConvertUTF8toUTF16(source).get());
   (void)ae->SetFileName(aFileName.get());
   // Any failure means the file download/exec will be blocked by the system.
   // S_OK or S_FALSE imply it's ok.
   hr = ae->CheckPolicy();
   if (hr == S_OK)
     return AVPOLICY_DOWNLOAD;
   if (hr == S_FALSE)
     return AVPOLICY_PROMPT;
   if (hr == E_INVALIDARG)
     return AVPOLICY_PROMPT;
   return AVPOLICY_BLOCKED;
 }
 #ifndef THREAD_MODE_BACKGROUND_BEGIN
 #define THREAD_MODE_BACKGROUND_BEGIN 0x00010000
 #endif
 #ifndef THREAD_MODE_BACKGROUND_END
 #define THREAD_MODE_BACKGROUND_END 0x00020000
 #endif
 unsigned int __stdcall
 nsDownloadScanner::ScannerThreadFunction(void *p)
 {
   HANDLE currentThread = GetCurrentThread();
   NS_ASSERTION(!NS_IsMainThread(), "Antivirus scan should not be run on the main thread");
   nsDownloadScanner::Scan *scan = static_cast<nsDownloadScanner::Scan*>(p);
   if (!SetThreadPriority(currentThread, THREAD_MODE_BACKGROUND_BEGIN))
     (void)SetThreadPriority(currentThread, THREAD_PRIORITY_IDLE);
   scan->DoScan();
   (void)SetThreadPriority(currentThread, THREAD_MODE_BACKGROUND_END);
   _endthreadex(0);
   return 0;
 }
 // The sole purpose of this class is to release an object on the main thread
 // It assumes that its creator will addref it and it will release itself on
 // the main thread too
 class ReleaseDispatcher : public nsRunnable {
 public:
   ReleaseDispatcher(nsISupports *ptr)
     : mPtr(ptr) {}
   NS_IMETHOD Run();
 private:
   nsISupports *mPtr;
 };
 nsresult ReleaseDispatcher::Run() {
   NS_ASSERTION(NS_IsMainThread(), "Antivirus scan release dispatch should be run on the main thread");
   NS_RELEASE(mPtr);
   NS_RELEASE_THIS();
   return NS_OK;
 }
 nsDownloadScanner::Scan::Scan(nsDownloadScanner *scanner, nsDownload *download)
   : mDLScanner(scanner), mThread(nullptr),
     mDownload(download), mStatus(AVSCAN_NOTSTARTED),
     mSkipSource(false)
 {
   InitializeCriticalSection(&mStateSync);
 }
 nsDownloadScanner::Scan::~Scan() {
   DeleteCriticalSection(&mStateSync);
 }
 nsresult
 nsDownloadScanner::Scan::Start()
 {
   mStartTime = PR_Now();
   mThread = (HANDLE)_beginthreadex(nullptr, 0, ScannerThreadFunction,
       this, CREATE_SUSPENDED, nullptr);
   if (!mThread)
     return NS_ERROR_OUT_OF_MEMORY;
   nsresult rv = NS_OK;
   // Get the path to the file on disk
   nsCOMPtr<nsIFile> file;
   rv = mDownload->GetTargetFile(getter_AddRefs(file));
   NS_ENSURE_SUCCESS(rv, rv);
   rv = file->GetPath(mPath);
   NS_ENSURE_SUCCESS(rv, rv);
   // Grab the app name
   nsCOMPtr<nsIXULAppInfo> appinfo =
     do_GetService(XULAPPINFO_SERVICE_CONTRACTID, &rv);
   NS_ENSURE_SUCCESS(rv, rv);
   nsAutoCString name;
   rv = appinfo->GetName(name);
   NS_ENSURE_SUCCESS(rv, rv);
   CopyUTF8toUTF16(name, mName);
   // Get the origin
   nsCOMPtr<nsIURI> uri;
   rv = mDownload->GetSource(getter_AddRefs(uri));
   NS_ENSURE_SUCCESS(rv, rv);
   nsAutoCString origin;
   rv = uri->GetSpec(origin);
   NS_ENSURE_SUCCESS(rv, rv);
   // Certain virus interfaces do not like extremely long uris.
   // Chop off the path and cgi data and just pass the base domain.
   if (origin.Length() > MAX_IAEURILENGTH) {
     rv = uri->GetPrePath(origin);
     NS_ENSURE_SUCCESS(rv, rv);
   }
   CopyUTF8toUTF16(origin, mOrigin);
   // We count https/ftp/http as an http download
   bool isHttp(false), isFtp(false), isHttps(false);
   nsCOMPtr<nsIURI> innerURI = NS_GetInnermostURI(uri);
   if (!innerURI) innerURI = uri;
   (void)innerURI->SchemeIs("http", &isHttp);
   (void)innerURI->SchemeIs("ftp", &isFtp);
   (void)innerURI->SchemeIs("https", &isHttps);
   mIsHttpDownload = isHttp || isFtp || isHttps;
   // IAttachementExecute prohibits src data: schemes by default but we
   // support them. Mark the download if it's a data scheme, so we
   // can skip off supplying the src to IAttachementExecute when we scan
   // the resulting file.
   (void)innerURI->SchemeIs("data", &mSkipSource);
   // ResumeThread returns the previous suspend count
   if (1 != ::ResumeThread(mThread)) {
     CloseHandle(mThread);
     return NS_ERROR_UNEXPECTED;
   }
   return NS_OK;
 }
 nsresult
 nsDownloadScanner::Scan::Run()
 {
   NS_ASSERTION(NS_IsMainThread(), "Antivirus scan dispatch should be run on the main thread");
   // Cleanup our thread
   if (mStatus != AVSCAN_TIMEDOUT)
     WaitForSingleObject(mThread, INFINITE);
   CloseHandle(mThread);
   DownloadState downloadState = 0;
   EnterCriticalSection(&mStateSync);
   switch (mStatus) {
     case AVSCAN_BAD:
       downloadState = nsIDownloadManager::DOWNLOAD_DIRTY;
       break;
     default:
     case AVSCAN_FAILED:
     case AVSCAN_GOOD:
     case AVSCAN_UGLY:
     case AVSCAN_TIMEDOUT:
       downloadState = nsIDownloadManager::DOWNLOAD_FINISHED;
       break;
   }
   LeaveCriticalSection(&mStateSync);
   // Download will be null if we already timed out
   if (mDownload)
     (void)mDownload->SetState(downloadState);
   // Clean up some other variables
   // In the event of a timeout, our destructor won't be called
   mDownload = nullptr;
   NS_RELEASE_THIS();
   return NS_OK;
 }
 static DWORD
 ExceptionFilterFunction(DWORD exceptionCode) {
   switch(exceptionCode) {
     case EXCEPTION_ACCESS_VIOLATION:
     case EXCEPTION_ILLEGAL_INSTRUCTION:
     case EXCEPTION_IN_PAGE_ERROR:
     case EXCEPTION_PRIV_INSTRUCTION:
     case EXCEPTION_STACK_OVERFLOW:
       return EXCEPTION_EXECUTE_HANDLER;
     default:
       return EXCEPTION_CONTINUE_SEARCH;
   }
 }
 bool
 nsDownloadScanner::Scan::DoScanAES()
 {
   // This warning is for the destructor of ae which will not be invoked in the
   // event of a win32 exception
 #pragma warning(disable: 4509)
   HRESULT hr;
   nsRefPtr<IAttachmentExecute> ae;
   MOZ_SEH_TRY {
     hr = CoCreateInstance(CLSID_AttachmentServices, nullptr, CLSCTX_ALL,
                           IID_IAttachmentExecute, getter_AddRefs(ae));
   } MOZ_SEH_EXCEPT(ExceptionFilterFunction(GetExceptionCode())) {
     return CheckAndSetState(AVSCAN_NOTSTARTED,AVSCAN_FAILED);
   }
   // If we (somehow) already timed out, then don't bother scanning
   if (CheckAndSetState(AVSCAN_SCANNING, AVSCAN_NOTSTARTED)) {
     AVScanState newState;
     if (SUCCEEDED(hr)) {
       bool gotException = false;
       MOZ_SEH_TRY {
         (void)ae->SetClientGuid(GUID_MozillaVirusScannerPromptGeneric);
         (void)ae->SetLocalPath(mPath.get());
         // Provide the src for everything but data: schemes.
         if (!mSkipSource)
           (void)ae->SetSource(mOrigin.get());
         // Save() will invoke the scanner
         hr = ae->Save();
       } MOZ_SEH_EXCEPT(ExceptionFilterFunction(GetExceptionCode())) {
         gotException = true;
       }
       MOZ_SEH_TRY {
         ae = nullptr;
       } MOZ_SEH_EXCEPT(ExceptionFilterFunction(GetExceptionCode())) {
         gotException = true;
       }
       if(gotException) {
         newState = AVSCAN_FAILED;
       }
       else if (SUCCEEDED(hr)) { // Passed the scan
         newState = AVSCAN_GOOD;
       }
       else if (HRESULT_CODE(hr) == ERROR_FILE_NOT_FOUND) {
         NS_WARNING("Downloaded file disappeared before it could be scanned");
         newState = AVSCAN_FAILED;
       }
       else if (hr == E_INVALIDARG) {
         NS_WARNING("IAttachementExecute returned invalid argument error");
         newState = AVSCAN_FAILED;
       }
       else {
         newState = AVSCAN_UGLY;
       }
     }
     else {
       newState = AVSCAN_FAILED;
     }
     return CheckAndSetState(newState, AVSCAN_SCANNING);
   }
   return false;
 }
 #pragma warning(default: 4509)
 void
 nsDownloadScanner::Scan::DoScan()
 {
   CoInitialize(nullptr);
   if (DoScanAES()) {
     // We need to do a few more things on the main thread
     NS_DispatchToMainThread(this);
   } else {
     // We timed out, so just release
     ReleaseDispatcher* releaser = new ReleaseDispatcher(this);
     if(releaser) {
       NS_ADDREF(releaser);
       NS_DispatchToMainThread(releaser);
     }
   }
   MOZ_SEH_TRY {
     CoUninitialize();
   } MOZ_SEH_EXCEPT(ExceptionFilterFunction(GetExceptionCode())) {
     // Not much we can do at this point...
   }
 }
 HANDLE
 nsDownloadScanner::Scan::GetWaitableThreadHandle() const
 {
   HANDLE targetHandle = INVALID_HANDLE_VALUE;
   (void)DuplicateHandle(GetCurrentProcess(), mThread,
                         GetCurrentProcess(), &targetHandle,
                         SYNCHRONIZE, // Only allow clients to wait on this handle
                         FALSE, // cannot be inherited by child processes
 );
   return targetHandle;
 }
 bool
 nsDownloadScanner::Scan::NotifyTimeout()
 {
   bool didTimeout = CheckAndSetState(AVSCAN_TIMEDOUT, AVSCAN_SCANNING) ||
                       CheckAndSetState(AVSCAN_TIMEDOUT, AVSCAN_NOTSTARTED);
   if (didTimeout) {
     // We need to do a few more things on the main thread
     NS_DispatchToMainThread(this);
   }
   return didTimeout;
 }
 bool
 nsDownloadScanner::Scan::CheckAndSetState(AVScanState newState, AVScanState expectedState) {
   bool gotExpectedState = false;
   EnterCriticalSection(&mStateSync);
   if(gotExpectedState = (mStatus == expectedState))
     mStatus = newState;
   LeaveCriticalSection(&mStateSync);
   return gotExpectedState;
 }
 nsresult
 nsDownloadScanner::ScanDownload(nsDownload *download)
 {
   if (!mAESExists)
     return NS_ERROR_NOT_AVAILABLE;
   // No ref ptr, see comment below
   Scan *scan = new Scan(this, download);
   if (!scan)
     return NS_ERROR_OUT_OF_MEMORY;
   NS_ADDREF(scan);
   nsresult rv = scan->Start();
   // Note that we only release upon error. On success, the scan is passed off
   // to a new thread. It is eventually released in Scan::Run on the main thread.
   if (NS_FAILED(rv))
     NS_RELEASE(scan);
   else
     // Notify the watchdog
     mWatchdog->Watch(scan);
   return rv;
 }
 nsDownloadScannerWatchdog::nsDownloadScannerWatchdog()
   : mNewItemEvent(nullptr), mQuitEvent(nullptr) {
   InitializeCriticalSection(&mQueueSync);
 }
 nsDownloadScannerWatchdog::~nsDownloadScannerWatchdog() {
   DeleteCriticalSection(&mQueueSync);
 }
 nsresult
 nsDownloadScannerWatchdog::Init() {
   // Both events are auto-reset
   mNewItemEvent = CreateEvent(nullptr, FALSE, FALSE, nullptr);
   if (INVALID_HANDLE_VALUE == mNewItemEvent)
     return NS_ERROR_OUT_OF_MEMORY;
   mQuitEvent = CreateEvent(nullptr, FALSE, FALSE, nullptr);
   if (INVALID_HANDLE_VALUE == mQuitEvent) {
     (void)CloseHandle(mNewItemEvent);
     return NS_ERROR_OUT_OF_MEMORY;
   }
   // This thread is always running, however it will be asleep
   // for most of the dlmgr's lifetime
   mThread = (HANDLE)_beginthreadex(nullptr, 0, WatchdogThread,
                                    this, 0, nullptr);
   if (!mThread) {
     (void)CloseHandle(mNewItemEvent);
     (void)CloseHandle(mQuitEvent);
     return NS_ERROR_OUT_OF_MEMORY;
   }
   return NS_OK;
 }
 nsresult
 nsDownloadScannerWatchdog::Shutdown() {
   // Tell the watchdog thread to quite
   (void)SetEvent(mQuitEvent);
   (void)WaitForSingleObject(mThread, INFINITE);
   (void)CloseHandle(mThread);
   // Manually clear and release the queued scans
   while (mScanQueue.GetSize() != 0) {
     Scan *scan = reinterpret_cast<Scan*>(mScanQueue.Pop());
     NS_RELEASE(scan);
   }
   (void)CloseHandle(mNewItemEvent);
   (void)CloseHandle(mQuitEvent);
   return NS_OK;
 }
 void
 nsDownloadScannerWatchdog::Watch(Scan *scan) {
   bool wasEmpty;
   // Note that there is no release in this method
   // The scan will be released by the watchdog ALWAYS on the main thread
   // when either the watchdog thread processes the scan or the watchdog
   // is shut down
   NS_ADDREF(scan);
   EnterCriticalSection(&mQueueSync);
   wasEmpty = mScanQueue.GetSize()==0;
   mScanQueue.Push(scan);
   LeaveCriticalSection(&mQueueSync);
   // If the queue was empty, then the watchdog thread is/will be asleep
   if (wasEmpty)
     (void)SetEvent(mNewItemEvent);
 }
 unsigned int
 __stdcall
 nsDownloadScannerWatchdog::WatchdogThread(void *p) {
   NS_ASSERTION(!NS_IsMainThread(), "Antivirus scan watchdog should not be run on the main thread");
   nsDownloadScannerWatchdog *watchdog = (nsDownloadScannerWatchdog*)p;
   HANDLE waitHandles[3] = {watchdog->mNewItemEvent, watchdog->mQuitEvent, INVALID_HANDLE_VALUE};
   DWORD waitStatus;
   DWORD queueItemsLeft = 0;
   // Loop until quit event or error
   while (0 != queueItemsLeft ||
          (WAIT_OBJECT_0 + 1) !=
            (waitStatus =
               WaitForMultipleObjects(2, waitHandles, FALSE, INFINITE)) &&
          waitStatus != WAIT_FAILED) {
     Scan *scan = nullptr;
     PRTime startTime, expectedEndTime, now;
     DWORD waitTime;
     // Pop scan from queue
     EnterCriticalSection(&watchdog->mQueueSync);
     scan = reinterpret_cast<Scan*>(watchdog->mScanQueue.Pop());
     queueItemsLeft = watchdog->mScanQueue.GetSize();
     LeaveCriticalSection(&watchdog->mQueueSync);
     // Calculate expected end time
     startTime = scan->GetStartTime();
     expectedEndTime = WATCHDOG_TIMEOUT + startTime;
     now = PR_Now();
     // PRTime is not guaranteed to be a signed integral type (afaik), but
     // currently it is
     if (now > expectedEndTime) {
       waitTime = 0;
     } else {
       // This is a positive value, and we know that it will not overflow
       // (bounded by WATCHDOG_TIMEOUT)
       // waitTime is in milliseconds, nspr uses microseconds
       waitTime = static_cast<DWORD>((expectedEndTime - now)/PR_USEC_PER_MSEC);
     }
     HANDLE hThread = waitHandles[2] = scan->GetWaitableThreadHandle();
     // Wait for the thread (obj 1) or quit event (obj 0)
     waitStatus = WaitForMultipleObjects(2, (waitHandles+1), FALSE, waitTime);
     CloseHandle(hThread);
     ReleaseDispatcher* releaser = new ReleaseDispatcher(scan);
     if(!releaser)
       continue;
     NS_ADDREF(releaser);
     // Got quit event or error
     if (waitStatus == WAIT_FAILED || waitStatus == WAIT_OBJECT_0) {
       NS_DispatchToMainThread(releaser);
       break;
     // Thread exited normally
     } else if (waitStatus == (WAIT_OBJECT_0+1)) {
       NS_DispatchToMainThread(releaser);
       continue;
     // Timeout case
     } else {
       NS_ASSERTION(waitStatus == WAIT_TIMEOUT, "Unexpected wait status in dlmgr watchdog thread");
       if (!scan->NotifyTimeout()) {
         // If we didn't time out, then release the thread
         NS_DispatchToMainThread(releaser);
       } else {
         // NotifyTimeout did a dispatch which will release the scan, so we
         // don't need to release the scan
         NS_RELEASE(releaser);
       }
     }
   }
   _endthreadex(0);
   return 0;
 }

The Tor Browser / annotate

toolkit/components/downloads/nsDownloadScanner.cpp@925c144e1f1f (annotated)

toolkit/components/downloads/nsDownloadScanner.cpp