Commit graph

101 commits

Author SHA1 Message Date
Tao Bao
c3901231ce updater: Add Commmand class to manage BBOTA commands.
Move the commands map parsing out of PerformBlockImageUpdate(), as this
can be done more easily by the caller.

The goal (not done in this CL) is to decouple command parsing logic from
the performers. This allows (a) focusing on the command logic in the
performer; and (b) extending BBOTA commands syntax separately.

Test: Run recovery_unit_test and recovery_component_test.
Change-Id: Ife202398a7660b152d84a3ba17b90f93d19c55f2
2018-05-25 15:26:42 -07:00
Tao Bao
26efb0ae3a updater: Use a bool to indicate if allowed to skip a command.
This avoids the signedness issue, and makes the code more readable.

Test: mmma bootable/recovery
Test: Run recovery_component_test.
Change-Id: I01c3a0357887cfd7c9d4aba4239ef650cfa18388
2018-05-21 15:05:53 -07:00
Tao Bao
ab20706a84 updater: Clean up the header lines computation.
It no longer needs to be conditional, as we've removed the support for
BBOTA v1/v2.

Test: mmma bootable/recovery
Change-Id: I881de8afa38cc5b41b48e6d48d85170699ea5eb4
2018-05-21 14:48:49 -07:00
Tianjie Xu
c2b2bb5d78 Last command file should be updated after a command finishes
The last command file has the last executed stash command by convention.
So we should update the file after we actually finishes executing the command;
instead of after loading src/tgt.

Bug: 79756267
Test: unit tests pass
Change-Id: I4535b5836e7eb13b3abe3d02f9f362ec5e9ec969
2018-05-15 21:05:30 -07:00
Tao Bao
0ffe13b56f Merge "updater: Skip an updated partition on retry." 2018-05-08 00:57:14 +00:00
Tao Bao
98f875eee7 updater: Fix an issue when resuming an update.
We cannot skip "new" commands while resuming an update with
last_command_file, because they read in the data sequentially from the
package.

Bug: 69858743
Test: Interrupt an update that has new commands. Check the update log.
Change-Id: I05fb67246f5ea3ba2a0f78f10255c0d9b0bc2f5a
2018-05-07 22:14:45 +00:00
Tao Bao
864c668dd2 updater: Skip an updated partition on retry.
Prior to the change, the BBOTA updater would try to re-run all the
commands for a given partition on retry, including creating stashes
according to the list of commands. This could fail a retry when the
previous update had moved on to next stage, with leftovers in /cache.

This CL creates a marker on /cache upon successfully updating a
partition. The update commands will be skipped when trying to apply
updates on an updated partition. Note that the marker is expected to be
removed while doing a normal boot (in particular, handled by
RecoverySystem#handleAftermath). If that didn't happen, the updater
would also remove the marker before starting next fresh update.

Alternatively, we can achieve the same goal by changing the OTA script,
which needs to additionally compare the checksum against the target
build. For example,

  range_sha1("/system", "ranges") == SHA1_of_updated_system ||
  block_image_update("/system");

The downside is that we need to pay that cost on each install, as the
edify script doesn't support caching the result in a variable.

Bug: 79165963
Test: Simulate the process on device (by triggering a reboot while
      updating /vendor). Check the update log and result.
Change-Id: I731031fa336133e1221b33edfc469969706e8091
2018-05-07 15:05:00 -07:00
Tao Bao
641fa97def Rename CacheLocation to Paths.
We have a general need for overriding more paths (e.g. "/tmp"), mostly
for testing purpose. Rename CacheLocation to Paths, and use that to
manage TEMPORARY_{INSTALL,LOG}_FILE.

Test: mmma -j bootable/recovery
Test: recovery_component_test
Change-Id: Ia8ce8e5695df37ca434f13ac4d3206de1e8e9396
2018-04-25 21:46:00 -07:00
Tao Bao
188f3a5bf8 updater: Remove an unneeded strdup().
StringValue() makes a copy of the arg.

Test: mmma bootable/recovery
Change-Id: I1002994e7496c840aa05c785019bdeca281f467e
2018-04-25 07:16:00 -07:00
Tao Bao
8b0b0f1f02 applypatch: Drop the SHA_CTX parameter in Apply{BSDiff,Image}Patch.
As they're accepting the SinkFn callback, it makes more sense to leave
the work to their callers.

Test: mmma -j bootable/recovery
Test: Run recovery_component_test on marlin.
Test: No other active user of the two functions.
Change-Id: I8d67b38ce037925442296f136b483e0c71983777
2018-04-20 09:27:50 -07:00
Tianjie Xu
3bbb20f557 Add a singleton CacheLocation to replace the hard coded locations
This class allows us to set the following locations dynamically:
cache_temp_source, last_command_file, stash_directory_base.

In the updater's main function, we reset the values of these variables
to their default locations in /cache; while we can set them to temp
files in unit tests or host simulation.

Test: unit tests pass
Change-Id: I528652650caa41373617ab055d41b1f1a4ec0f87
2018-02-28 11:19:11 -08:00
Tianjie Xu
c242084539 Fix the behavior of undefined commands in BlockImageVerify
In BlockImageVerify some commands are undefined, e.g. "erase", "new",
"zero". And we should not error out if the corresponding function
pointer of these commands is null; otherwise we will fail the
verification.

The old code is:
if (cmd->f != nullptr && cmd->f(params) == -1)
  return false;

In the last_command_file change the logic was wrongly modified to
if (cmd->f == nullptr)
  return false;
...
if (cmd->f(params) == -1)
  return false;

Test: sideload an incremental OTA twice on bullhead
Change-Id: I2561c365badb850da0e416629ccd61f0df7da5d7
2018-02-27 23:04:14 -08:00
Tianjie Xu
284752e2bc Log the last command to cache
When performing an update, save the index and cmdline of the current
command into the last command file if this command writes to the stash
either explicitly of implicitly. This mitigates the overhead to update
the last command file for every command. I ran a simple test on angler
and the time to update 1000 times is ~2.3 seconds.

Upon resuming an update, read the saved index first; then
  1. In verification mode, check if all commands before the saved index
     have already produced the expected target blocks. If not, delete the
     last command file so that we will later resume the update from the
     start of the transfer list.
  2. In update mode, skip all commands before the saved index. Therefore,
     we can avoid deleting stashes with duplicate id unintentionally;
     and also speed up the update.

If an update succeeds or is unresumable, delete the last command file.
Bug: 69858743
Test: Unittest passed, apply a failed update with invalid cmd on angler
and check the last_command content, apply a failed update with invalid
source hash and last_command is deleted.
Change-Id: Ib60ba1e3c6d111d9f33097759b17dbcef97a37bf
2018-02-06 16:16:49 -08:00
Tianjie Xu
5ad802839d Avoid overwrite of the error message in AbortFn
The AbortFn() used to overwrite the error message, hiding the real
failure reported in ErrorAbort(). And we will miss the failure in
the script patterns like 'blockimageupdate() || abort()'

We will ensure there's one line break at the end of ErrorAbort's
error message; and append to the existing error message when calling
abort().

Test: Message from ErrorAbort shows up in the log
Change-Id: I3aebd06629c5129330250c7fe5e8cdead2ae85bc
2018-01-29 11:42:59 -08:00
Tao Bao
1e0941f4f6 applypatch: Change the patch parameter to const Value& in Apply{BSDiff,Image}Patch.
It used to be "const Value*", but nullptr won't be a valid input.

Test: recovery_host_test; recovery_component_test
Change-Id: I904b5689ac3e64504088bf0544c9fb5d45a52243
2017-11-10 12:18:34 -08:00
Tao Bao
6798315327 otautil: Remove the aborts in RangeSet::Parse().
We used to CHECK and abort on parsing errors. While it works fine for
the updater use case (because recovery starts updater in a forked
process and collects the process exit code), it's difficult for other
clients to use RangeSet as a library (e.g. update_verifier).

This CL switches the aborts to returning empty RangeSet instead. Callers
need to check the parsing results explicitly.

The CL also separates RangeSet::PushBack() into a function, and moves
SortedRangeSet::Clear() into RangeSet.

Test: recovery_unit_test
Test: Sideload an OTA package with the new updater on angler.
Test: Sideload an OTA package with injected range string errors. The
      updater aborts from the explicit checks.
Change-Id: If2b7f6f41dc93af917a21c7877a83e98dc3fd016
2017-11-07 12:50:02 -08:00
Tianjie Xu
5450c84ba4 Finish the new data receiver when update fails
The thread to receive new data may still be alive after we exit
PerformBlockImageUpdate() upon failures. This caused memory corruption
when we run the unittest repeatedly. Set the receiver_available flag
to false and make sure the receiver exits when the update fails.

Bug: 65430057
Test: unittests passed with tsan
Change-Id: Icb232d13fb96c78262249ffbd29cdbe5b77f1fce
2017-10-20 11:14:56 -07:00
Tao Bao
09e468f84c Move rangeset.h and print_sha1.h into otautil.
Also drop the "bootable/recovery" path in LOCAL_C_INCLUDES from
applypatch modules.

Test: lunch aosp_{angler,bullhead,fugu,dragon,sailfish}-userdebug;
      mmma bootable/recovery
Change-Id: Idd602a796894f971ee4f8fa3eafe36c42d9de986
2017-10-10 15:52:11 -07:00
Tao Bao
1fc5bf353a Revert "Revert "Move error_code.h into otautil.""
This reverts commit 26436d6d60 to re-land
"Move error_code.h into otautil.".

This way it stops requiring relative path ".." in LOCAL_C_INCLUDES
(uncrypt and edify). Soong doesn't accept non-local ".." in
"local_include_dirs".

This CL needs to land with device-specific module changes (e.g. adding
the dependency on libotautil).

Test: lunch aosp_{angler,bullhead,dragon,fugu,sailfish}-userdebug;
      mmma bootable/recovery
Change-Id: If193241801af2dae73eccd31ce57cd2b81c9fd96
2017-10-09 14:07:54 -07:00
Tao Bao
26436d6d60 Revert "Move error_code.h into otautil."
This reverts commit 623fe7e701.

Reason for revert: Need to address device-specific modules.

Change-Id: Ib7a4191e7f193dfff49b02d3de76dda856800251
2017-10-05 17:16:31 +00:00
Tao Bao
623fe7e701 Move error_code.h into otautil.
This way it stops requiring relative path ".." in LOCAL_C_INCLUDES
(uncrypt and edify). Soong doesn't accept non-local ".." in
"local_include_dirs".

Test: mmma bootable/recovery
Change-Id: Ia4649789cef2aaeb2785483660e9ea5a8b389c62
2017-10-04 08:55:24 -07:00
Tao Bao
d33b2f86b7 otafault: Move headers under otafault/.
Test: mmma bootable/recovery
Change-Id: I3ceb72f703c7c2857d656c137d71baa1fccd8238
2017-09-29 10:29:53 -07:00
Tianjie Xu
57dd961995 Move Image/ImageChunk/PatchChunk declaration into header files
1. Move the declaration of the Image classes to the header file to make
testing easier.
2. Also move rangeset.h to bootable/recovery to allow access in imgdiff.

Test: recovery component test
Change-Id: I68a863e60a3f2e7ae46ee48f48eb15391f5f4330
2017-08-18 17:56:22 -07:00
Tianjie Xu
6ed175d541 Fix a case when brotli writer fails to write last few blocks of data
receive_new_data may exit too early if the zip processor has sent all
the raw data. As a result, the last few 'new' commands will fail even
though the brotli decoder has more output in its buffer.

Restruct the code so that 'NewThreadInfo' owns the decoder state solely;
and receive_brotli_new_data is responsible for the decompression.

Also reduce the test data size to 100 blocks to avoid the test timeout.

Bug: 63802629
Test: recovery_component_test. on bullhead, apply full updates with and
w/o brotli compressed entries, apply an incremental update.

Change-Id: I9442f2536b74e48dbf7eeb062a8539c82c6dab47
2017-07-21 11:44:00 -07:00
Tianjie Xu
107a34f9fc Add support to decompress brotli compressed new data
Add a new writer that can decode the brotli-compressed system/vendor
new data stored in the OTA zip.

Brotli generally gives better compression rate at the cost of slightly
increased time consumption. The patch.dat is already compressed
by BZ; so there's no point to further compress it.

For the given 1.9G bullhead system image:
Size: 875M -> 787M; ~10% reduction of package size.
Time: 147s -> 153s; ~4% increase of the block_image_update execution time.
(I guess I/O takes much longer time than decompression.)

Also it takes 4 minutes to compress the system image on my local
machine, 3 more minutes than zip.

Test: recovery tests pass && apply a full OTA with brotli compressed
system/vendor.new.dat on bullhead

Change-Id: I232335ebf662a9c55579ca073ad45265700a621e
2017-07-07 16:08:18 -07:00
Tianjie Xu
6957555e29 Retry the update if ApplyBSDiffPatch | ApplyImagePatch fails
We have seen one case when bspatch failed likely due to patch
corruption. Since the package has passed verification before, we want
to reboot and retry the patch command again since there's no
alternative for users.

We won't delete the stash before reboot, and the src has passed SHA1
check. If there's an error on the patch, it will fail the package
verification during retry.

Bug: 37855643
Test: angler reboots and retries the update when bspatch fails.
Change-Id: I2ebac9621bd1f0649bb301b9a28a0dd079ed4e1d
2017-05-23 17:36:56 -07:00
Tianjie Xu
3a8d98dd90 Abort the update if there's not enough new data
Right now the update stuck in a deadlock if there's less new data than
expection. Add some checkers and abort the update if such case happens.
Also add a corresponding test.

Bug: 36787146
Test: update aborts correctly on bullhead && recovery_component_test passes
Change-Id: I914e4a2a4cf157b99ef2fc65bd21c6981e38ca47
2017-04-07 17:19:46 -07:00
Tao Bao
bf5b77dbf7 Change the internal representation in RangeSet.
This CL makes the following changes to RangeSet:
 - Uses std::pair<size_t, size_t> to represent a Range;
 - Uses std::vector<Range> to represent a RangeSet;
 - Provides const iterators (forward and reverse);
 - Provides const accessor;
 - 'blocks()' returns the number of blocks (formerly 'size');
 - 'size()' returns the number of Range's (formerly 'count').

Test: recovery_unit_test
Test: Apply an incremental update with the new updater.
Change-Id: Ia1fbb343370a152e1f7aa050cf914c2da09b1396
2017-04-03 09:22:48 -07:00
Tao Bao
c97edcb4f4 updater: Keep the parsed parameters in std::unique_ptr.
We don't need to take raw pointers out of the parsed arguments.
std::unique_ptr handles the dereferencing automatically.

Test: mmma bootable/recovery
Change-Id: I1beabf6e04dc350bdad7b36cee5fb345c82b28f2
2017-03-31 12:24:22 -07:00
Tao Bao
8f23757ad4 Move parse_range() and range_overlaps() into RangeSet.
Also move RangeSet into a header file to make it testable, and add unit
tests.

In RangeSet::Parse() (the former parse_range()), use libbase logging to
do assertions. This has the same effect as the previous
exit(EXIT_FAILURE) to terminate the updater process and abort an update.
The difference lies in the exit status code (i.e. WEXITSTATUS(status) in
install.cpp), which changes from 1 (i.e. EXIT_FAILURE) to 0.

Test: recovery_unit_test
Test: Apply an incremental update with the new updater.
Change-Id: Ie8393c78b0d8ae0fd5f0ca0646d871308d71fff0
2017-03-31 00:04:56 -07:00
Tao Bao
65c065b4bb Merge "updater: Move RangeSinkWrite into RangeSinkState." 2017-03-30 23:56:14 +00:00
Tao Bao
0bbc764bbe updater: Don't append newline when calling uiPrint().
LOG(INFO) already appends a newline. Don't print redundant newline.

Test: No extra blank lines when calling ui_print(). And on-screen UI
      shows the same.
Change-Id: I74e9a8504a7146a6cb3dae02fe2406d0dd54069b
2017-03-30 10:28:37 -07:00
Tao Bao
60a70afc0a updater: Move RangeSinkWrite into RangeSinkState.
Then rename RangeSinkState to RangeSinkWriter. RangeSinkWriter reads
data from the given FD, and writes them to the desination RangeSet.

Test: Apply an incremental with the new updater.
Change-Id: I5e3ab6fc082efa1726562c55b56e2d418fe4acaf
2017-03-29 11:31:41 -07:00
Tao Bao
c0e1c46a70 applypatch: Let Apply{BSDiff,Image}Patch accept std::function.
Test: mmma bootable/recovery system/update_engine
Test: recovery_component_test
Change-Id: I93c2caa87bf94a53509bb37f98f2c02bcadb6f5c
2017-03-28 10:14:53 -07:00
Tao Bao
f7eb760fe7 applypatch: Change the ssize_t length parameters to size_t.
Mostly for applypatch family APIs like ApplyBSDiffPatch() and
ApplyImagePatch(). Changing to size_t doesn't indicate they would
necessarily work with very large size_t (e.g. > ssize_t), just
similar to write(2). But otherwise accepting negative length doesn't
make much sense.

Also change the return type of SinkFn from ssize_t to size_t. Callers
tell a successful sink by comparing the number of written bytes against
the desired value. Negative return values like -1 are not needed. This
also makes it consistent with bsdiff::bspatch interface.

Test: recovery_component_test
Test: Apply an incremental with the new updater.
Change-Id: I7ff1615203a5c9854134f75d019e266f4ea6e714
2017-03-28 10:13:38 -07:00
Tao Bao
d2aecd465b updater: Clean up LoadSrcTgtVersion2().
Rename to LoadSourceBlocks() by moving the target blocks parsing part
into the caller. This allows detecting whether the target blocks have
already had the expected data before loading the source blocks. It
doesn't affect anything when applying an update package for the first
time, but it skips loading the unneeded source blocks when resuming an
update. It additionally avoids unnecessarily dumping the "corrupt"
source/stash blocks when resuming an update.

Bug: 33694730
Test: Apply an incremental update with the new updater.
Test: Resume an incremental update with the new updater.
Change-Id: I794fd0d1045be7b3b7f8619285dc0dade01398d0
2017-03-27 16:21:55 -07:00
Tao Bao
5212a00588 Merge "updater: Remove some redundant arguments." 2017-03-25 23:11:37 +00:00
Tao Bao
5479506c9c Merge "updater: Drop the support for BBOTA v1 and v2." 2017-03-24 23:06:56 +00:00
Tao Bao
110155a604 Merge "Removed C-style casts" 2017-03-24 20:28:00 +00:00
Tao Bao
bcf464988e updater: Remove some redundant arguments.
Clean up a few functions that take CommandParameters& as the first
parameter. We don't need to take duplicate arguments if they always come
from CommandParameters. This redundancy came from the point we replaced
strtok()s (commit baad2d454d).

Test: Apply an incremental update with the new updater.
Change-Id: I2912b8ce6bc7580bf7f566e125f12270e679e155
2017-03-24 00:34:36 -07:00
Tao Bao
3356777cae updater: Drop the support for BBOTA v1 and v2.
The script support for BBOTA v1 and v2 has been dropped in commit
8fad03e7712082eb880ffaaffb69eb13252ce220 (platform/build).

Bug: 33694730
Test: Apply an incremental with the new updater.
Test: recovery_component_test
Change-Id: I038b1bf8d10f030cab8ec0aa6ee565c5a9545dfd
2017-03-23 23:58:02 -07:00
Mikhail Lappo
20791bdcd7 Removed C-style casts
In c++ code would be cleaner to use
c++ retinterpret cast instead of old
c-style notation

Change-Id: Ibeef5e0c374addf108c0a8876a6be45063d8e396
2017-03-23 21:52:04 +01:00
Mikhail Lappo
bb8bce932e Redundant checking of STL container element
As of C++ specification size_type erase( const key_type& key );
removes the element (if one exists). There is no need to perform
the check twice.

Change-Id: I4b057c08526abc7c2a483a60f9e166e4d8f56a74
2017-03-23 17:20:47 +01:00
Tianjie Xu
c444732540 Remove malloc in edify functions
And switch them to std::vector & std::unique_ptr

Bug: 32117870
Test: recovery tests passed on sailfish
Change-Id: I5a45951c4bdf895be311d6d760e52e7a1b0798c3
2017-03-22 14:20:57 -07:00
Tianjie Xu
a946b9e241 Fix the permission of stashed blocks created by updater
Our updater created the stashes with root permission. This causes an
access denial when the RecoverySystem service tries to clean up these
blocks after a failing update. As a result, the subsequent OTA updates
may fail due to insufficient cache space.

Bug: 36457133
Test: stashed blocks cleaned successfully after reboot
Change-Id: If0ca99638cdfa1033646f29d9cc92b5ff1bacac1
2017-03-21 17:40:01 -07:00
Tianjie Xu
2cd36ba522 Revert "Revert "Print SHA-1 in hex for corrupted blocks""
This reverts commit 90eff6a340.
Also fix the bug where stashed blocks are not freed.

Bug: 21124445
Test: Previous failed update succeeded on bullhead
Change-Id: I23d232331a2beb51b6dcc82c957c87bc247d0268
2017-03-16 23:33:01 -07:00
Tao Bao
ec8272f6e3 updater: Minor clean up to EnumerateStash().
Test: Apply an incremental BBOTA package with the new updater.
Test: Resume an interrupted BBOTA (so it cleans up the partial stash).
Change-Id: I620cc57ee6366845bcffbc19210f7a01e2196052
2017-03-16 00:00:46 -07:00
Tao Bao
90eff6a340 Revert "Print SHA-1 in hex for corrupted blocks"
This reverts commit bb0cd75a0e.

Broke the 'free' command that deletes a stash.

Bug: 36242722
Test: The previously failed incremental applies successfully.
Change-Id: I1237cb0a33adfbeea57e0465b629704862ba13aa
2017-03-15 09:57:06 -07:00
Tianjie Xu
bb0cd75a0e Print SHA-1 in hex for corrupted blocks
It will be helpful for debug if we know which blocks are corrupted after
a verification failure. This CL prints the SHA-1 for each source block
in a transfer command if these blocks don't have an expected hash. And
along with the correct SHA-1, we will catch the corrupted blocks.

Bug: 21124445
Test: Printed the mismatched SHA-1 for bullhead during an update.
Change-Id: I683d4bdaf9a335035045b3f532b3a265b2fcbbfc
2017-03-13 11:32:56 -07:00
Tao Bao
3da880156b Replace _exit(-1) with _exit(EXIT_FAILURE).
-1 is not a valid exit status.

Also replace a few exit(1) with exit(EXIT_FAILURE).

Test: mmma bootable/recovery
Change-Id: I4596c8328b770bf95acccc06a4401bd5cabd4bfd
2017-02-03 14:11:11 -08:00