diff options
| author | evan@chromium.org <evan@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-10-23 00:07:32 +0000 |
|---|---|---|
| committer | evan@chromium.org <evan@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-10-23 00:07:32 +0000 |
| commit | 6077a01022957200646ae74b40ee7ab499b99e72 (patch) | |
| tree | b743ff22bd0c6c019181ec7fbe8b8230c300a585 /base | |
| parent | 77ab22463ac2f8e94a2629d13aec8b88691c4cfc (diff) | |
| download | chromium_src-6077a01022957200646ae74b40ee7ab499b99e72.zip chromium_src-6077a01022957200646ae74b40ee7ab499b99e72.tar.gz chromium_src-6077a01022957200646ae74b40ee7ab499b99e72.tar.bz2 | |
Thread IO safety: annotate file_util, and block IO thread from doing IO
- Mark functions in file_util_posix as requiring permission to perform
disk actions.
- Mark the IO thread as disallowed from performing disk actions.
- Temporarily work around the protections in places where we currently
have bugs.
BUG=59847,59849,60207,60211
TEST=no dchecks in debug builds
Review URL: http://codereview.chromium.org/3872002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@63600 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'base')
| -rw-r--r-- | base/file_util_posix.cc | 35 | ||||
| -rw-r--r-- | base/shared_memory_posix.cc | 6 | ||||
| -rw-r--r-- | base/thread_restrictions.cc | 4 | ||||
| -rw-r--r-- | base/thread_restrictions.h | 30 |
4 files changed, 71 insertions, 4 deletions
diff --git a/base/file_util_posix.cc b/base/file_util_posix.cc index 8660054..119bc0e 100644 --- a/base/file_util_posix.cc +++ b/base/file_util_posix.cc @@ -39,6 +39,7 @@ #include "base/singleton.h" #include "base/string_util.h" #include "base/sys_string_conversions.h" +#include "base/thread_restrictions.h" #include "base/time.h" #include "base/utf_string_conversions.h" @@ -48,6 +49,7 @@ namespace { // Helper for NormalizeFilePath(), defined below. bool RealPath(const FilePath& path, FilePath* real_path) { + base::ThreadRestrictions::AssertIOAllowed(); // For realpath(). FilePath::CharType buf[PATH_MAX]; if (!realpath(path.value().c_str(), buf)) return false; @@ -63,11 +65,13 @@ bool RealPath(const FilePath& path, FilePath* real_path) { MAC_OS_X_VERSION_MIN_REQUIRED < MAC_OS_X_VERSION_10_5) typedef struct stat stat_wrapper_t; static int CallStat(const char *path, stat_wrapper_t *sb) { + base::ThreadRestrictions::AssertIOAllowed(); return stat(path, sb); } #else typedef struct stat64 stat_wrapper_t; static int CallStat(const char *path, stat_wrapper_t *sb) { + base::ThreadRestrictions::AssertIOAllowed(); return stat64(path, sb); } #endif @@ -80,6 +84,7 @@ static const char* kTempFileName = ".org.chromium.XXXXXX"; #endif bool AbsolutePath(FilePath* path) { + base::ThreadRestrictions::AssertIOAllowed(); // For realpath(). char full_path[PATH_MAX]; if (realpath(path->value().c_str(), full_path) == NULL) return false; @@ -89,6 +94,7 @@ bool AbsolutePath(FilePath* path) { int CountFilesCreatedAfter(const FilePath& path, const base::Time& comparison_time) { + base::ThreadRestrictions::AssertIOAllowed(); int file_count = 0; DIR* dir = opendir(path.value().c_str()); @@ -139,6 +145,7 @@ int CountFilesCreatedAfter(const FilePath& path, // that functionality. If not, remove from file_util_win.cc, otherwise add it // here. bool Delete(const FilePath& path, bool recursive) { + base::ThreadRestrictions::AssertIOAllowed(); const char* path_str = path.value().c_str(); stat_wrapper_t file_info; int test = CallStat(path_str, &file_info); @@ -178,6 +185,7 @@ bool Delete(const FilePath& path, bool recursive) { } bool Move(const FilePath& from_path, const FilePath& to_path) { + base::ThreadRestrictions::AssertIOAllowed(); // Windows compatibility: if to_path exists, from_path and to_path // must be the same type, either both files, or both directories. stat_wrapper_t to_file_info; @@ -202,12 +210,14 @@ bool Move(const FilePath& from_path, const FilePath& to_path) { } bool ReplaceFile(const FilePath& from_path, const FilePath& to_path) { + base::ThreadRestrictions::AssertIOAllowed(); return (rename(from_path.value().c_str(), to_path.value().c_str()) == 0); } bool CopyDirectory(const FilePath& from_path, const FilePath& to_path, bool recursive) { + base::ThreadRestrictions::AssertIOAllowed(); // Some old callers of CopyDirectory want it to support wildcards. // After some discussion, we decided to fix those callers. // Break loudly here if anyone tries to do this. @@ -307,14 +317,17 @@ bool CopyDirectory(const FilePath& from_path, } bool PathExists(const FilePath& path) { + base::ThreadRestrictions::AssertIOAllowed(); return access(path.value().c_str(), F_OK) == 0; } bool PathIsWritable(const FilePath& path) { + base::ThreadRestrictions::AssertIOAllowed(); return access(path.value().c_str(), W_OK) == 0; } bool DirectoryExists(const FilePath& path) { + base::ThreadRestrictions::AssertIOAllowed(); stat_wrapper_t file_info; if (CallStat(path.value().c_str(), &file_info) == 0) return S_ISDIR(file_info.st_mode); @@ -365,6 +378,7 @@ bool ReadFromFD(int fd, char* buffer, size_t bytes) { // file descriptor. |path| is set to the temporary file path. // This function does NOT unlink() the file. int CreateAndOpenFdForTemporaryFile(FilePath directory, FilePath* path) { + base::ThreadRestrictions::AssertIOAllowed(); // For call to mkstemp(). *path = directory.Append(kTempFileName); const std::string& tmpdir_string = path->value(); // this should be OK since mkstemp just replaces characters in place @@ -374,6 +388,7 @@ int CreateAndOpenFdForTemporaryFile(FilePath directory, FilePath* path) { } bool CreateTemporaryFile(FilePath* path) { + base::ThreadRestrictions::AssertIOAllowed(); // For call to close(). FilePath directory; if (!GetTempDir(&directory)) return false; @@ -401,6 +416,7 @@ FILE* CreateAndOpenTemporaryFileInDir(const FilePath& dir, FilePath* path) { } bool CreateTemporaryFileInDir(const FilePath& dir, FilePath* temp_file) { + base::ThreadRestrictions::AssertIOAllowed(); // For call to close(). int fd = CreateAndOpenFdForTemporaryFile(dir, temp_file); return ((fd >= 0) && !close(fd)); } @@ -408,6 +424,7 @@ bool CreateTemporaryFileInDir(const FilePath& dir, FilePath* temp_file) { static bool CreateTemporaryDirInDirImpl(const FilePath& base_dir, const FilePath::StringType& name_tmpl, FilePath* new_dir) { + base::ThreadRestrictions::AssertIOAllowed(); // For call to mkdtemp(). CHECK(name_tmpl.find("XXXXXX") != FilePath::StringType::npos) << "Directory name template must contain \"XXXXXX\"."; @@ -443,6 +460,7 @@ bool CreateNewTempDirectory(const FilePath::StringType& prefix, } bool CreateDirectory(const FilePath& full_path) { + base::ThreadRestrictions::AssertIOAllowed(); // For call to mkdir(). std::vector<FilePath> subpaths; // Collect a list of all parent directories. @@ -484,6 +502,7 @@ bool GetFileInfo(const FilePath& file_path, base::PlatformFileInfo* results) { } bool GetInode(const FilePath& path, ino_t* inode) { + base::ThreadRestrictions::AssertIOAllowed(); // For call to stat(). struct stat buffer; int result = stat(path.value().c_str(), &buffer); if (result < 0) @@ -498,10 +517,12 @@ FILE* OpenFile(const std::string& filename, const char* mode) { } FILE* OpenFile(const FilePath& filename, const char* mode) { + base::ThreadRestrictions::AssertIOAllowed(); return fopen(filename.value().c_str(), mode); } int ReadFile(const FilePath& filename, char* data, int size) { + base::ThreadRestrictions::AssertIOAllowed(); int fd = open(filename.value().c_str(), O_RDONLY); if (fd < 0) return -1; @@ -513,6 +534,7 @@ int ReadFile(const FilePath& filename, char* data, int size) { } int WriteFile(const FilePath& filename, const char* data, int size) { + base::ThreadRestrictions::AssertIOAllowed(); int fd = creat(filename.value().c_str(), 0666); if (fd < 0) return -1; @@ -540,6 +562,9 @@ int WriteFileDescriptor(const int fd, const char* data, int size) { // Gets the current working directory for the process. bool GetCurrentDirectory(FilePath* dir) { + // getcwd can return ENOENT, which implies it checks against the disk. + base::ThreadRestrictions::AssertIOAllowed(); + char system_buffer[PATH_MAX] = ""; if (!getcwd(system_buffer, sizeof(system_buffer))) { NOTREACHED(); @@ -551,6 +576,7 @@ bool GetCurrentDirectory(FilePath* dir) { // Sets the current working directory for the process. bool SetCurrentDirectory(const FilePath& path) { + base::ThreadRestrictions::AssertIOAllowed(); int ret = chdir(path.value().c_str()); return !ret; } @@ -655,6 +681,7 @@ FilePath FileEnumerator::Next() { bool FileEnumerator::ReadDirectory(std::vector<DirectoryEntryInfo>* entries, const FilePath& source, bool show_links) { + base::ThreadRestrictions::AssertIOAllowed(); DIR* dir = opendir(source.value().c_str()); if (!dir) return false; @@ -703,6 +730,8 @@ MemoryMappedFile::MemoryMappedFile() } bool MemoryMappedFile::MapFileToMemoryInternal() { + base::ThreadRestrictions::AssertIOAllowed(); + struct stat file_stat; if (fstat(file_, &file_stat) == base::kInvalidPlatformFileValue) { LOG(ERROR) << "Couldn't fstat " << file_ << ", errno " << errno; @@ -719,6 +748,8 @@ bool MemoryMappedFile::MapFileToMemoryInternal() { } void MemoryMappedFile::CloseHandles() { + base::ThreadRestrictions::AssertIOAllowed(); + if (data_ != NULL) munmap(data_, length_); if (file_ != base::kInvalidPlatformFileValue) @@ -770,6 +801,9 @@ FilePath GetHomeDir() { if (home_dir && home_dir[0]) return FilePath(home_dir); + // g_get_home_dir calls getpwent, which can fall through to LDAP calls. + base::ThreadRestrictions::AssertIOAllowed(); + home_dir = g_get_home_dir(); if (home_dir && home_dir[0]) return FilePath(home_dir); @@ -783,6 +817,7 @@ FilePath GetHomeDir() { } bool CopyFile(const FilePath& from_path, const FilePath& to_path) { + base::ThreadRestrictions::AssertIOAllowed(); int infile = open(from_path.value().c_str(), O_RDONLY); if (infile < 0) return false; diff --git a/base/shared_memory_posix.cc b/base/shared_memory_posix.cc index 7283cbd..ae814d7 100644 --- a/base/shared_memory_posix.cc +++ b/base/shared_memory_posix.cc @@ -14,6 +14,7 @@ #include "base/logging.h" #include "base/platform_thread.h" #include "base/safe_strerror_posix.h" +#include "base/thread_restrictions.h" #include "base/utf_string_conversions.h" namespace base { @@ -146,6 +147,11 @@ bool SharedMemory::CreateOrOpen(const std::string& name, int posix_flags, uint32 size) { DCHECK(mapped_file_ == -1); + // This function theoretically can block on the disk, but realistically + // the temporary files we create will just go into the buffer cache + // and be deleted before they ever make it out to disk. + base::ThreadRestrictions::ScopedAllowIO allow_io; + file_util::ScopedFILE file_closer; FILE *fp; diff --git a/base/thread_restrictions.cc b/base/thread_restrictions.cc index 1ee8eee..270d663 100644 --- a/base/thread_restrictions.cc +++ b/base/thread_restrictions.cc @@ -21,8 +21,10 @@ LazyInstance<ThreadLocalBoolean, LeakyLazyInstanceTraits<ThreadLocalBoolean> > } // anonymous namespace // static -void ThreadRestrictions::SetIOAllowed(bool allowed) { +bool ThreadRestrictions::SetIOAllowed(bool allowed) { + bool previous_allowed = g_io_disallowed.Get().Get(); g_io_disallowed.Get().Set(!allowed); + return !previous_allowed; } // static diff --git a/base/thread_restrictions.h b/base/thread_restrictions.h index c0fee58..cbdb913 100644 --- a/base/thread_restrictions.h +++ b/base/thread_restrictions.h @@ -5,6 +5,8 @@ #ifndef BASE_THREAD_RESTRICTIONS_H_ #define BASE_THREAD_RESTRICTIONS_H_ +#include "base/basictypes.h" + namespace base { // ThreadRestrictions helps protect threads that should not block from @@ -21,21 +23,43 @@ namespace base { // // ThreadRestrictions does nothing in release builds; it is debug-only. // +// Style tip: where should you put AssertIOAllowed checks? It's best +// if you put them as close to the disk access as possible, at the +// lowest level. This rule is simple to follow and helps catch all +// callers. For example, if your function GoDoSomeBlockingDiskCall() +// only calls other functions in Chrome and not fopen(), you should go +// add the AssertIOAllowed checks in the helper functions. + class ThreadRestrictions { public: + // Constructing a ScopedAllowIO temporarily allows IO for the current + // thread. Doing this is almost certainly always incorrect. This object + // is available to temporarily work around bugs. + class ScopedAllowIO { + public: + ScopedAllowIO() { previous_value_ = SetIOAllowed(true); } + ~ScopedAllowIO() { SetIOAllowed(previous_value_); } + private: + // Whether IO is allowed when the ScopedAllowIO was constructed. + bool previous_value_; + + DISALLOW_COPY_AND_ASSIGN(ScopedAllowIO); + }; #ifndef NDEBUG // Set whether the current thread to make IO calls. // Threads start out in the *allowed* state. - static void SetIOAllowed(bool allowed); + // Returns the previous value. + static bool SetIOAllowed(bool allowed); // Check whether the current thread is allowed to make IO calls, - // and DCHECK if not. + // and DCHECK if not. See the block comment above the class for + // a discussion of where to add these checks. static void AssertIOAllowed(); #else // In Release builds, inline the empty definitions of these functions so // that they can be compiled out. - static void SetIOAllowed(bool allowed) {} + static bool SetIOAllowed(bool allowed) { return true; } static void AssertIOAllowed() {} #endif |