summaryrefslogtreecommitdiffstats
path: root/toolkit/components/downloads/nsDownloadScanner.cpp
diff options
context:
space:
mode:
authorMatt A. Tobin <mattatobin@localhost.localdomain>2018-02-02 04:16:08 -0500
committerMatt A. Tobin <mattatobin@localhost.localdomain>2018-02-02 04:16:08 -0500
commit5f8de423f190bbb79a62f804151bc24824fa32d8 (patch)
tree10027f336435511475e392454359edea8e25895d /toolkit/components/downloads/nsDownloadScanner.cpp
parent49ee0794b5d912db1f95dce6eb52d781dc210db5 (diff)
downloadUXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.gz
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.lz
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.xz
UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.zip
Add m-esr52 at 52.6.0
Diffstat (limited to 'toolkit/components/downloads/nsDownloadScanner.cpp')
-rw-r--r--toolkit/components/downloads/nsDownloadScanner.cpp728
1 files changed, 728 insertions, 0 deletions
diff --git a/toolkit/components/downloads/nsDownloadScanner.cpp b/toolkit/components/downloads/nsDownloadScanner.cpp
new file mode 100644
index 000000000..1ef5b3660
--- /dev/null
+++ b/toolkit/components/downloads/nsDownloadScanner.cpp
@@ -0,0 +1,728 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: se cin sw=2 ts=2 et : */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsDownloadScanner.h"
+#include <comcat.h>
+#include <process.h>
+#include "nsDownloadManager.h"
+#include "nsIXULAppInfo.h"
+#include "nsXULAppAPI.h"
+#include "nsIPrefService.h"
+#include "nsNetUtil.h"
+#include "prtime.h"
+#include "nsDeque.h"
+#include "nsIFileURL.h"
+#include "nsIPrefBranch.h"
+#include "nsXPCOMCIDInternal.h"
+
+/**
+ * Code overview
+ *
+ * Download scanner attempts to make use of one of two different virus
+ * scanning interfaces available on Windows - IOfficeAntiVirus (Windows
+ * 95/NT 4 and IE 5) and IAttachmentExecute (XPSP2 and up). The latter
+ * interface supports calling IOfficeAntiVirus internally, while also
+ * adding support for XPSP2+ ADS forks which define security related
+ * prompting on downloaded content.
+ *
+ * Both interfaces are synchronous and can take a while, so it is not a
+ * good idea to call either from the main thread. Some antivirus scanners can
+ * take a long time to scan or the call might block while the scanner shows
+ * its UI so if the user were to download many files that finished around the
+ * same time, they would have to wait a while if the scanning were done on
+ * exactly one other thread. Since the overhead of creating a thread is
+ * relatively small compared to the time it takes to download a file and scan
+ * it, a new thread is spawned for each download that is to be scanned. Since
+ * most of the mozilla codebase is not threadsafe, all the information needed
+ * for the scanner is gathered in the main thread in nsDownloadScanner::Scan::Start.
+ * The only function of nsDownloadScanner::Scan which is invoked on another
+ * thread is DoScan.
+ *
+ * Watchdog overview
+ *
+ * The watchdog is used internally by the scanner. It maintains a queue of
+ * current download scans. In a separate thread, it dequeues the oldest scan
+ * and waits on that scan's thread with a timeout given by WATCHDOG_TIMEOUT
+ * (default is 30 seconds). If the wait times out, then the watchdog notifies
+ * the Scan that it has timed out. If the scan really has timed out, then the
+ * Scan object will dispatch its run method to the main thread; this will
+ * release the watchdog thread's addref on the Scan. If it has not timed out
+ * (i.e. the Scan just finished in time), then the watchdog dispatches a
+ * ReleaseDispatcher to release its ref of the Scan on the main thread.
+ *
+ * In order to minimize execution time, there are two events used to notify the
+ * watchdog thread of a non-empty queue and a quit event. Every blocking wait
+ * that the watchdog thread does waits on the quit event; this lets the thread
+ * quickly exit when shutting down. Also, the download scan queue will be empty
+ * most of the time; rather than use a spin loop, a simple event is triggered
+ * by the main thread when a new scan is added to an empty queue. When the
+ * watchdog thread knows that it has run out of elements in the queue, it will
+ * wait on the new item event.
+ *
+ * Memory/resource leaks due to timeout:
+ * In the event of a timeout, the thread must remain alive; terminating it may
+ * very well cause the antivirus scanner to crash or be put into an
+ * inconsistent state; COM resources may also not be cleaned up. The downside
+ * is that we need to leave the thread running; suspending it may lead to a
+ * deadlock. Because the scan call may be ongoing, it may be dependent on the
+ * memory referenced by the MSOAVINFO structure, so we cannot free mName, mPath
+ * or mOrigin; this means that we cannot free the Scan object since doing so
+ * will deallocate that memory. Note that mDownload is set to null upon timeout
+ * or completion, so the download itself is never leaked. If the scan does
+ * eventually complete, then the all the memory and resources will be freed.
+ * It is possible, however extremely rare, that in the event of a timeout, the
+ * mStateSync critical section will leak its event; this will happen only if
+ * the scanning thread, watchdog thread or main thread try to enter the
+ * critical section when one of the others is already in it.
+ *
+ * Reasoning for CheckAndSetState - there exists a race condition between the time when
+ * either the timeout or normal scan sets the state and when Scan::Run is
+ * executed on the main thread. Ex: mStatus could be set by Scan::DoScan* which
+ * then queues a dispatch on the main thread. Before that dispatch is executed,
+ * the timeout code fires and sets mStatus to AVSCAN_TIMEDOUT which then queues
+ * its dispatch to the main thread (the same function as DoScan*). Both
+ * dispatches run and both try to set the download state to AVSCAN_TIMEDOUT
+ * which is incorrect.
+ *
+ * There are 5 possible outcomes of the virus scan:
+ * AVSCAN_GOOD => the file is clean
+ * AVSCAN_BAD => the file has a virus
+ * AVSCAN_UGLY => the file had a virus, but it was cleaned
+ * AVSCAN_FAILED => something else went wrong with the virus scanner.
+ * AVSCAN_TIMEDOUT => the scan (thread setup + execution) took too long
+ *
+ * Both the good and ugly states leave the user with a benign file, so they
+ * transition to the finished state. Bad files are sent to the blocked state.
+ * The failed and timedout states transition to finished downloads.
+ *
+ * Possible Future enhancements:
+ * * Create an interface for scanning files in general
+ * * Make this a service
+ * * Get antivirus scanner status via WMI/registry
+ */
+
+// IAttachementExecute supports user definable settings for certain
+// security related prompts. This defines a general GUID for use in
+// all projects. Individual projects can define an individual guid
+// if they want to.
+#ifndef MOZ_VIRUS_SCANNER_PROMPT_GUID
+#define MOZ_VIRUS_SCANNER_PROMPT_GUID \
+ { 0xb50563d1, 0x16b6, 0x43c2, { 0xa6, 0x6a, 0xfa, 0xe6, 0xd2, 0x11, 0xf2, \
+ 0xea } }
+#endif
+static const GUID GUID_MozillaVirusScannerPromptGeneric =
+ MOZ_VIRUS_SCANNER_PROMPT_GUID;
+
+// Initial timeout is 30 seconds
+#define WATCHDOG_TIMEOUT (30*PR_USEC_PER_SEC)
+
+// Maximum length for URI's passed into IAE
+#define MAX_IAEURILENGTH 1683
+
+class nsDownloadScannerWatchdog
+{
+ typedef nsDownloadScanner::Scan Scan;
+public:
+ nsDownloadScannerWatchdog();
+ ~nsDownloadScannerWatchdog();
+
+ nsresult Init();
+ nsresult Shutdown();
+
+ void Watch(Scan *scan);
+private:
+ static unsigned int __stdcall WatchdogThread(void *p);
+ CRITICAL_SECTION mQueueSync;
+ nsDeque mScanQueue;
+ HANDLE mThread;
+ HANDLE mNewItemEvent;
+ HANDLE mQuitEvent;
+};
+
+nsDownloadScanner::nsDownloadScanner() :
+ mAESExists(false)
+{
+}
+
+// This destructor appeases the compiler; it would otherwise complain about an
+// incomplete type for nsDownloadWatchdog in the instantiation of
+// nsAutoPtr::~nsAutoPtr
+// Plus, it's a handy location to call nsDownloadScannerWatchdog::Shutdown from
+nsDownloadScanner::~nsDownloadScanner() {
+ if (mWatchdog)
+ (void)mWatchdog->Shutdown();
+}
+
+nsresult
+nsDownloadScanner::Init()
+{
+ // This CoInitialize/CoUninitialize pattern seems to be common in the Mozilla
+ // codebase. All other COM calls/objects are made on different threads.
+ nsresult rv = NS_OK;
+ CoInitialize(nullptr);
+
+ if (!IsAESAvailable()) {
+ CoUninitialize();
+ return NS_ERROR_NOT_AVAILABLE;
+ }
+
+ mAESExists = true;
+
+ // Initialize scanning
+ mWatchdog = new nsDownloadScannerWatchdog();
+ if (mWatchdog) {
+ rv = mWatchdog->Init();
+ if (FAILED(rv))
+ mWatchdog = nullptr;
+ } else {
+ rv = NS_ERROR_OUT_OF_MEMORY;
+ }
+
+ if (NS_FAILED(rv))
+ return rv;
+
+ return rv;
+}
+
+bool
+nsDownloadScanner::IsAESAvailable()
+{
+ // Try to instantiate IAE to see if it's available.
+ RefPtr<IAttachmentExecute> ae;
+ HRESULT hr;
+ hr = CoCreateInstance(CLSID_AttachmentServices, nullptr, CLSCTX_INPROC,
+ IID_IAttachmentExecute, getter_AddRefs(ae));
+ if (FAILED(hr)) {
+ NS_WARNING("Could not instantiate attachment execution service\n");
+ return false;
+ }
+ return true;
+}
+
+// If IAttachementExecute is available, use the CheckPolicy call to find out
+// if this download should be prevented due to Security Zone Policy settings.
+AVCheckPolicyState
+nsDownloadScanner::CheckPolicy(nsIURI *aSource, nsIURI *aTarget)
+{
+ nsresult rv;
+
+ if (!mAESExists || !aSource || !aTarget)
+ return AVPOLICY_DOWNLOAD;
+
+ nsAutoCString source;
+ rv = aSource->GetSpec(source);
+ if (NS_FAILED(rv))
+ return AVPOLICY_DOWNLOAD;
+
+ nsCOMPtr<nsIFileURL> fileUrl(do_QueryInterface(aTarget));
+ if (!fileUrl)
+ return AVPOLICY_DOWNLOAD;
+
+ nsCOMPtr<nsIFile> theFile;
+ nsAutoString aFileName;
+ if (NS_FAILED(fileUrl->GetFile(getter_AddRefs(theFile))) ||
+ NS_FAILED(theFile->GetLeafName(aFileName)))
+ return AVPOLICY_DOWNLOAD;
+
+ // IAttachementExecute prohibits src data: schemes by default but we
+ // support them. If this is a data src, skip off doing a policy check.
+ // (The file will still be scanned once it lands on the local system.)
+ bool isDataScheme(false);
+ nsCOMPtr<nsIURI> innerURI = NS_GetInnermostURI(aSource);
+ if (innerURI)
+ (void)innerURI->SchemeIs("data", &isDataScheme);
+ if (isDataScheme)
+ return AVPOLICY_DOWNLOAD;
+
+ RefPtr<IAttachmentExecute> ae;
+ HRESULT hr;
+ hr = CoCreateInstance(CLSID_AttachmentServices, nullptr, CLSCTX_INPROC,
+ IID_IAttachmentExecute, getter_AddRefs(ae));
+ if (FAILED(hr))
+ return AVPOLICY_DOWNLOAD;
+
+ (void)ae->SetClientGuid(GUID_MozillaVirusScannerPromptGeneric);
+ (void)ae->SetSource(NS_ConvertUTF8toUTF16(source).get());
+ (void)ae->SetFileName(aFileName.get());
+
+ // Any failure means the file download/exec will be blocked by the system.
+ // S_OK or S_FALSE imply it's ok.
+ hr = ae->CheckPolicy();
+
+ if (hr == S_OK)
+ return AVPOLICY_DOWNLOAD;
+
+ if (hr == S_FALSE)
+ return AVPOLICY_PROMPT;
+
+ if (hr == E_INVALIDARG)
+ return AVPOLICY_PROMPT;
+
+ return AVPOLICY_BLOCKED;
+}
+
+#ifndef THREAD_MODE_BACKGROUND_BEGIN
+#define THREAD_MODE_BACKGROUND_BEGIN 0x00010000
+#endif
+
+#ifndef THREAD_MODE_BACKGROUND_END
+#define THREAD_MODE_BACKGROUND_END 0x00020000
+#endif
+
+unsigned int __stdcall
+nsDownloadScanner::ScannerThreadFunction(void *p)
+{
+ HANDLE currentThread = GetCurrentThread();
+ NS_ASSERTION(!NS_IsMainThread(), "Antivirus scan should not be run on the main thread");
+ nsDownloadScanner::Scan *scan = static_cast<nsDownloadScanner::Scan*>(p);
+ if (!SetThreadPriority(currentThread, THREAD_MODE_BACKGROUND_BEGIN))
+ (void)SetThreadPriority(currentThread, THREAD_PRIORITY_IDLE);
+ scan->DoScan();
+ (void)SetThreadPriority(currentThread, THREAD_MODE_BACKGROUND_END);
+ _endthreadex(0);
+ return 0;
+}
+
+// The sole purpose of this class is to release an object on the main thread
+// It assumes that its creator will addref it and it will release itself on
+// the main thread too
+class ReleaseDispatcher : public mozilla::Runnable {
+public:
+ ReleaseDispatcher(nsISupports *ptr)
+ : mPtr(ptr) {}
+ NS_IMETHOD Run();
+private:
+ nsISupports *mPtr;
+};
+
+nsresult ReleaseDispatcher::Run() {
+ NS_ASSERTION(NS_IsMainThread(), "Antivirus scan release dispatch should be run on the main thread");
+ NS_RELEASE(mPtr);
+ NS_RELEASE_THIS();
+ return NS_OK;
+}
+
+nsDownloadScanner::Scan::Scan(nsDownloadScanner *scanner, nsDownload *download)
+ : mDLScanner(scanner), mThread(nullptr),
+ mDownload(download), mStatus(AVSCAN_NOTSTARTED),
+ mSkipSource(false)
+{
+ InitializeCriticalSection(&mStateSync);
+}
+
+nsDownloadScanner::Scan::~Scan() {
+ DeleteCriticalSection(&mStateSync);
+}
+
+nsresult
+nsDownloadScanner::Scan::Start()
+{
+ mStartTime = PR_Now();
+
+ mThread = (HANDLE)_beginthreadex(nullptr, 0, ScannerThreadFunction,
+ this, CREATE_SUSPENDED, nullptr);
+ if (!mThread)
+ return NS_ERROR_OUT_OF_MEMORY;
+
+ nsresult rv = NS_OK;
+
+ // Get the path to the file on disk
+ nsCOMPtr<nsIFile> file;
+ rv = mDownload->GetTargetFile(getter_AddRefs(file));
+ NS_ENSURE_SUCCESS(rv, rv);
+ rv = file->GetPath(mPath);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ // Grab the app name
+ nsCOMPtr<nsIXULAppInfo> appinfo =
+ do_GetService(XULAPPINFO_SERVICE_CONTRACTID, &rv);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ nsAutoCString name;
+ rv = appinfo->GetName(name);
+ NS_ENSURE_SUCCESS(rv, rv);
+ CopyUTF8toUTF16(name, mName);
+
+ // Get the origin
+ nsCOMPtr<nsIURI> uri;
+ rv = mDownload->GetSource(getter_AddRefs(uri));
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ nsAutoCString origin;
+ rv = uri->GetSpec(origin);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ // Certain virus interfaces do not like extremely long uris.
+ // Chop off the path and cgi data and just pass the base domain.
+ if (origin.Length() > MAX_IAEURILENGTH) {
+ rv = uri->GetPrePath(origin);
+ NS_ENSURE_SUCCESS(rv, rv);
+ }
+
+ CopyUTF8toUTF16(origin, mOrigin);
+
+ // We count https/ftp/http as an http download
+ bool isHttp(false), isFtp(false), isHttps(false);
+ nsCOMPtr<nsIURI> innerURI = NS_GetInnermostURI(uri);
+ if (!innerURI) innerURI = uri;
+ (void)innerURI->SchemeIs("http", &isHttp);
+ (void)innerURI->SchemeIs("ftp", &isFtp);
+ (void)innerURI->SchemeIs("https", &isHttps);
+ mIsHttpDownload = isHttp || isFtp || isHttps;
+
+ // IAttachementExecute prohibits src data: schemes by default but we
+ // support them. Mark the download if it's a data scheme, so we
+ // can skip off supplying the src to IAttachementExecute when we scan
+ // the resulting file.
+ (void)innerURI->SchemeIs("data", &mSkipSource);
+
+ // ResumeThread returns the previous suspend count
+ if (1 != ::ResumeThread(mThread)) {
+ CloseHandle(mThread);
+ return NS_ERROR_UNEXPECTED;
+ }
+ return NS_OK;
+}
+
+nsresult
+nsDownloadScanner::Scan::Run()
+{
+ NS_ASSERTION(NS_IsMainThread(), "Antivirus scan dispatch should be run on the main thread");
+
+ // Cleanup our thread
+ if (mStatus != AVSCAN_TIMEDOUT)
+ WaitForSingleObject(mThread, INFINITE);
+ CloseHandle(mThread);
+
+ DownloadState downloadState = 0;
+ EnterCriticalSection(&mStateSync);
+ switch (mStatus) {
+ case AVSCAN_BAD:
+ downloadState = nsIDownloadManager::DOWNLOAD_DIRTY;
+ break;
+ default:
+ case AVSCAN_FAILED:
+ case AVSCAN_GOOD:
+ case AVSCAN_UGLY:
+ case AVSCAN_TIMEDOUT:
+ downloadState = nsIDownloadManager::DOWNLOAD_FINISHED;
+ break;
+ }
+ LeaveCriticalSection(&mStateSync);
+ // Download will be null if we already timed out
+ if (mDownload)
+ (void)mDownload->SetState(downloadState);
+
+ // Clean up some other variables
+ // In the event of a timeout, our destructor won't be called
+ mDownload = nullptr;
+
+ NS_RELEASE_THIS();
+ return NS_OK;
+}
+
+static DWORD
+ExceptionFilterFunction(DWORD exceptionCode) {
+ switch(exceptionCode) {
+ case EXCEPTION_ACCESS_VIOLATION:
+ case EXCEPTION_ILLEGAL_INSTRUCTION:
+ case EXCEPTION_IN_PAGE_ERROR:
+ case EXCEPTION_PRIV_INSTRUCTION:
+ case EXCEPTION_STACK_OVERFLOW:
+ return EXCEPTION_EXECUTE_HANDLER;
+ default:
+ return EXCEPTION_CONTINUE_SEARCH;
+ }
+}
+
+bool
+nsDownloadScanner::Scan::DoScanAES()
+{
+ // This warning is for the destructor of ae which will not be invoked in the
+ // event of a win32 exception
+#pragma warning(disable: 4509)
+ HRESULT hr;
+ RefPtr<IAttachmentExecute> ae;
+ MOZ_SEH_TRY {
+ hr = CoCreateInstance(CLSID_AttachmentServices, nullptr, CLSCTX_ALL,
+ IID_IAttachmentExecute, getter_AddRefs(ae));
+ } MOZ_SEH_EXCEPT(ExceptionFilterFunction(GetExceptionCode())) {
+ return CheckAndSetState(AVSCAN_NOTSTARTED,AVSCAN_FAILED);
+ }
+
+ // If we (somehow) already timed out, then don't bother scanning
+ if (CheckAndSetState(AVSCAN_SCANNING, AVSCAN_NOTSTARTED)) {
+ AVScanState newState;
+ if (SUCCEEDED(hr)) {
+ bool gotException = false;
+ MOZ_SEH_TRY {
+ (void)ae->SetClientGuid(GUID_MozillaVirusScannerPromptGeneric);
+ (void)ae->SetLocalPath(mPath.get());
+ // Provide the src for everything but data: schemes.
+ if (!mSkipSource)
+ (void)ae->SetSource(mOrigin.get());
+
+ // Save() will invoke the scanner
+ hr = ae->Save();
+ } MOZ_SEH_EXCEPT(ExceptionFilterFunction(GetExceptionCode())) {
+ gotException = true;
+ }
+
+ MOZ_SEH_TRY {
+ ae = nullptr;
+ } MOZ_SEH_EXCEPT(ExceptionFilterFunction(GetExceptionCode())) {
+ gotException = true;
+ }
+
+ if(gotException) {
+ newState = AVSCAN_FAILED;
+ }
+ else if (SUCCEEDED(hr)) { // Passed the scan
+ newState = AVSCAN_GOOD;
+ }
+ else if (HRESULT_CODE(hr) == ERROR_FILE_NOT_FOUND) {
+ NS_WARNING("Downloaded file disappeared before it could be scanned");
+ newState = AVSCAN_FAILED;
+ }
+ else if (hr == E_INVALIDARG) {
+ NS_WARNING("IAttachementExecute returned invalid argument error");
+ newState = AVSCAN_FAILED;
+ }
+ else {
+ newState = AVSCAN_UGLY;
+ }
+ }
+ else {
+ newState = AVSCAN_FAILED;
+ }
+ return CheckAndSetState(newState, AVSCAN_SCANNING);
+ }
+ return false;
+}
+#pragma warning(default: 4509)
+
+void
+nsDownloadScanner::Scan::DoScan()
+{
+ CoInitialize(nullptr);
+
+ if (DoScanAES()) {
+ // We need to do a few more things on the main thread
+ NS_DispatchToMainThread(this);
+ } else {
+ // We timed out, so just release
+ ReleaseDispatcher* releaser = new ReleaseDispatcher(this);
+ if(releaser) {
+ NS_ADDREF(releaser);
+ NS_DispatchToMainThread(releaser);
+ }
+ }
+
+ MOZ_SEH_TRY {
+ CoUninitialize();
+ } MOZ_SEH_EXCEPT(ExceptionFilterFunction(GetExceptionCode())) {
+ // Not much we can do at this point...
+ }
+}
+
+HANDLE
+nsDownloadScanner::Scan::GetWaitableThreadHandle() const
+{
+ HANDLE targetHandle = INVALID_HANDLE_VALUE;
+ (void)DuplicateHandle(GetCurrentProcess(), mThread,
+ GetCurrentProcess(), &targetHandle,
+ SYNCHRONIZE, // Only allow clients to wait on this handle
+ FALSE, // cannot be inherited by child processes
+ 0);
+ return targetHandle;
+}
+
+bool
+nsDownloadScanner::Scan::NotifyTimeout()
+{
+ bool didTimeout = CheckAndSetState(AVSCAN_TIMEDOUT, AVSCAN_SCANNING) ||
+ CheckAndSetState(AVSCAN_TIMEDOUT, AVSCAN_NOTSTARTED);
+ if (didTimeout) {
+ // We need to do a few more things on the main thread
+ NS_DispatchToMainThread(this);
+ }
+ return didTimeout;
+}
+
+bool
+nsDownloadScanner::Scan::CheckAndSetState(AVScanState newState, AVScanState expectedState) {
+ bool gotExpectedState = false;
+ EnterCriticalSection(&mStateSync);
+ if((gotExpectedState = (mStatus == expectedState)))
+ mStatus = newState;
+ LeaveCriticalSection(&mStateSync);
+ return gotExpectedState;
+}
+
+nsresult
+nsDownloadScanner::ScanDownload(nsDownload *download)
+{
+ if (!mAESExists)
+ return NS_ERROR_NOT_AVAILABLE;
+
+ // No ref ptr, see comment below
+ Scan *scan = new Scan(this, download);
+ if (!scan)
+ return NS_ERROR_OUT_OF_MEMORY;
+
+ NS_ADDREF(scan);
+
+ nsresult rv = scan->Start();
+
+ // Note that we only release upon error. On success, the scan is passed off
+ // to a new thread. It is eventually released in Scan::Run on the main thread.
+ if (NS_FAILED(rv))
+ NS_RELEASE(scan);
+ else
+ // Notify the watchdog
+ mWatchdog->Watch(scan);
+
+ return rv;
+}
+
+nsDownloadScannerWatchdog::nsDownloadScannerWatchdog()
+ : mNewItemEvent(nullptr), mQuitEvent(nullptr) {
+ InitializeCriticalSection(&mQueueSync);
+}
+nsDownloadScannerWatchdog::~nsDownloadScannerWatchdog() {
+ DeleteCriticalSection(&mQueueSync);
+}
+
+nsresult
+nsDownloadScannerWatchdog::Init() {
+ // Both events are auto-reset
+ mNewItemEvent = CreateEvent(nullptr, FALSE, FALSE, nullptr);
+ if (INVALID_HANDLE_VALUE == mNewItemEvent)
+ return NS_ERROR_OUT_OF_MEMORY;
+ mQuitEvent = CreateEvent(nullptr, FALSE, FALSE, nullptr);
+ if (INVALID_HANDLE_VALUE == mQuitEvent) {
+ (void)CloseHandle(mNewItemEvent);
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
+
+ // This thread is always running, however it will be asleep
+ // for most of the dlmgr's lifetime
+ mThread = (HANDLE)_beginthreadex(nullptr, 0, WatchdogThread,
+ this, 0, nullptr);
+ if (!mThread) {
+ (void)CloseHandle(mNewItemEvent);
+ (void)CloseHandle(mQuitEvent);
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
+
+ return NS_OK;
+}
+
+nsresult
+nsDownloadScannerWatchdog::Shutdown() {
+ // Tell the watchdog thread to quite
+ (void)SetEvent(mQuitEvent);
+ (void)WaitForSingleObject(mThread, INFINITE);
+ (void)CloseHandle(mThread);
+ // Manually clear and release the queued scans
+ while (mScanQueue.GetSize() != 0) {
+ Scan *scan = reinterpret_cast<Scan*>(mScanQueue.Pop());
+ NS_RELEASE(scan);
+ }
+ (void)CloseHandle(mNewItemEvent);
+ (void)CloseHandle(mQuitEvent);
+ return NS_OK;
+}
+
+void
+nsDownloadScannerWatchdog::Watch(Scan *scan) {
+ bool wasEmpty;
+ // Note that there is no release in this method
+ // The scan will be released by the watchdog ALWAYS on the main thread
+ // when either the watchdog thread processes the scan or the watchdog
+ // is shut down
+ NS_ADDREF(scan);
+ EnterCriticalSection(&mQueueSync);
+ wasEmpty = mScanQueue.GetSize()==0;
+ mScanQueue.Push(scan);
+ LeaveCriticalSection(&mQueueSync);
+ // If the queue was empty, then the watchdog thread is/will be asleep
+ if (wasEmpty)
+ (void)SetEvent(mNewItemEvent);
+}
+
+unsigned int
+__stdcall
+nsDownloadScannerWatchdog::WatchdogThread(void *p) {
+ NS_ASSERTION(!NS_IsMainThread(), "Antivirus scan watchdog should not be run on the main thread");
+ nsDownloadScannerWatchdog *watchdog = (nsDownloadScannerWatchdog*)p;
+ HANDLE waitHandles[3] = {watchdog->mNewItemEvent, watchdog->mQuitEvent, INVALID_HANDLE_VALUE};
+ DWORD waitStatus;
+ DWORD queueItemsLeft = 0;
+ // Loop until quit event or error
+ while (0 != queueItemsLeft ||
+ ((WAIT_OBJECT_0 + 1) !=
+ (waitStatus =
+ WaitForMultipleObjects(2, waitHandles, FALSE, INFINITE)) &&
+ waitStatus != WAIT_FAILED)) {
+ Scan *scan = nullptr;
+ PRTime startTime, expectedEndTime, now;
+ DWORD waitTime;
+
+ // Pop scan from queue
+ EnterCriticalSection(&watchdog->mQueueSync);
+ scan = reinterpret_cast<Scan*>(watchdog->mScanQueue.Pop());
+ queueItemsLeft = watchdog->mScanQueue.GetSize();
+ LeaveCriticalSection(&watchdog->mQueueSync);
+
+ // Calculate expected end time
+ startTime = scan->GetStartTime();
+ expectedEndTime = WATCHDOG_TIMEOUT + startTime;
+ now = PR_Now();
+ // PRTime is not guaranteed to be a signed integral type (afaik), but
+ // currently it is
+ if (now > expectedEndTime) {
+ waitTime = 0;
+ } else {
+ // This is a positive value, and we know that it will not overflow
+ // (bounded by WATCHDOG_TIMEOUT)
+ // waitTime is in milliseconds, nspr uses microseconds
+ waitTime = static_cast<DWORD>((expectedEndTime - now)/PR_USEC_PER_MSEC);
+ }
+ HANDLE hThread = waitHandles[2] = scan->GetWaitableThreadHandle();
+
+ // Wait for the thread (obj 1) or quit event (obj 0)
+ waitStatus = WaitForMultipleObjects(2, (waitHandles+1), FALSE, waitTime);
+ CloseHandle(hThread);
+
+ ReleaseDispatcher* releaser = new ReleaseDispatcher(scan);
+ if(!releaser)
+ continue;
+ NS_ADDREF(releaser);
+ // Got quit event or error
+ if (waitStatus == WAIT_FAILED || waitStatus == WAIT_OBJECT_0) {
+ NS_DispatchToMainThread(releaser);
+ break;
+ // Thread exited normally
+ } else if (waitStatus == (WAIT_OBJECT_0+1)) {
+ NS_DispatchToMainThread(releaser);
+ continue;
+ // Timeout case
+ } else {
+ NS_ASSERTION(waitStatus == WAIT_TIMEOUT, "Unexpected wait status in dlmgr watchdog thread");
+ if (!scan->NotifyTimeout()) {
+ // If we didn't time out, then release the thread
+ NS_DispatchToMainThread(releaser);
+ } else {
+ // NotifyTimeout did a dispatch which will release the scan, so we
+ // don't need to release the scan
+ NS_RELEASE(releaser);
+ }
+ }
+ }
+ _endthreadex(0);
+ return 0;
+}