path: root/updater/blockimg.cpp
Date  Commit message  [Author; Files; Lines]
2018-11-05  updater: Error out on underrun during patching.  [Tao Bao; files: 1; lines: -1/+4]
Test: Run recovery_component_test on marlin. Change-Id: If23baf42aeacb48500edabc2eadd2e7119a848da
2018-10-05  Use only signed/unsigned numbers with ParseInt/ParseUint respectively  [Tom Cherry; files: 1; lines: -1/+1]
Test: build Change-Id: If56b33c9c420237ff441779ba1dbebffd9dae8e3
2018-08-28  Enable c++17 in recovery_defaults.  [Tao Bao; files: 1; lines: -23/+23]
And add the first few users. Test: Run recovery_unit_test and recovery_component_test on marlin. Change-Id: Ifdf093d011478b6a1dd0405b0ba48c145b509cc8
2018-08-28  Remove otafault  [Tianjie Xu; files: 1; lines: -70/+46]
Now it's less beneficial to inject I/O faults since we don't see many of them. Remove the library that mocks I/O failures. And switch to android::base I/O when possible. Bug: 113032079 Test: unit tests pass Change-Id: I9f2a92b7ba80f4da6ff9e2abc27f2680138f942c
2018-08-06  Add an updater function to compute hash tree  [Tianjie Xu; files: 1; lines: -18/+123]
The new command is part of the transfer.list and allows us to compute the hash tree on non-ab devices. The required arguments for the hash_tree computation are: hash_tree_ranges source_ranges hash_algorithm salt_hex root_hash Bug: 25170618 Test: unit tests pass; run simulator with compute_hash_tree Change-Id: I8ff0d582cc8adabb8a060db7845f38b35b28e62c
2018-07-13  applypatch: Consolidate CacheSizeCheck() and MakeFreeSpaceOnCache().  [Tao Bao; files: 1; lines: -3/+3]
They are doing exactly the same thing, except for the slightly different error return value (1 vs -1).
  int CacheSizeCheck(size_t bytes);
  int MakeFreeSpaceOnCache(size_t bytes_needed);
This CL consolidates the two functions and uses bool as its return type.
  // Checks whether /cache partition has at least 'bytes'-byte free space. Returns true immediately
  // if so. Otherwise, it will try to free some space by removing older logs, checks again and
  // returns the checking result.
  bool CheckAndFreeSpaceOnCache(size_t bytes);
Test: Run recovery_unit_test and recovery_component_test on marlin. Change-Id: I94a96934d2b18713f8f39ad5aa96a02c98d87963
2018-07-10  edify: Remove VAL_INVALID and move ValueType into Value class.  [Tao Bao; files: 1; lines: -10/+11]
Test: mmma -j bootable/recovery Test: Run recovery_component_test and recovery_unit_test on marlin. Change-Id: I4b240e3e771c387b9694be9c0f2f74e0265ab4cb
2018-07-07  updater: Add ABORT command.  [Tao Bao; files: 1; lines: -0/+7]
This will be used for testing purpose only, replacing the previously used "fail", to intentionally abort an update. As we're separating the logic between commands parsing and execution, "abort" needs to be considered as a valid command during the parsing. Test: recovery_unit_test and recovery_component_test on marlin. Change-Id: I47c41c423e62c41cc8515fd92f3c5959be08da02
2018-07-03  No longer print hash for stashed blocks during verification of retry  [Tianjie Xu; files: 1; lines: -1/+3]
During block verification, load stash reads from the source blocks on the device instead of the stashed files. And for an interrupted update, it's pretty common that the source blocks have already been overwritten by subsequent commands. In that case the hash printing is mostly useless. Moreover we should have already printed the hash when the first update failed. Bug: 80241799 Test: Unit tests pass. No longer prints mismatching stashed source blocks on retry. Change-Id: I4effe684280b0325199f6cc4b2cc26e91295c2d7
2018-06-18  updater: Defer the creation of the new data writer.  [Tao Bao; files: 1; lines: -24/+24]
This avoids leaving the created new data writer thread unjoined, in the presence of transfer list parsing errors, or the early exit case on `total_blocks == 0`. Also fix a minor issue when dumping the errno on pthread_create error (pthread_create returns the error number, as opposed to setting errno). Test: Run recovery_component_test on marlin. Change-Id: Icfac27fef0c64736eb8c76264da73c223b4960cb
2018-06-08  updater: Drop the 'overlap' parameter in LoadSrcTgtVersion3().  [Tao Bao; files: 1; lines: -12/+10]
Test: Run recovery_component_test on marlin. Change-Id: I93afca891c5c9c1a351c907b023cd20c4704a66a
2018-06-07  updater: Remove the redundant check on line count.  [Tao Bao; files: 1; lines: -9/+3]
Test: recovery_component_test on marlin. Change-Id: I2ac2bd47469d1aec8a97a8c4ed0fe80ffd65c95b
2018-06-05  updater: Replace the reference arguments with pointers.  [Tao Bao; files: 1; lines: -102/+101]
As suggested by the style guide (https://google.github.io/styleguide/cppguide.html#Reference_Arguments), all parameters passed by reference must be labeled const. This CL moves most of the non-const references in blockimg.cpp to pointers, except for the CommandParameters& parameter in PerformCommand* functions, which will be handled in separate CLs. Test: mmma -j bootable/recovery Test: Run recovery_component_test on marlin. Change-Id: I84299208e9a1699f5381fb2228d4120f0c8dacb3
2018-06-04  tests: Add ResumableUpdaterTest.  [Tao Bao; files: 1; lines: -0/+1]
This is a stress test that instantiates multiple testcases that interrupt a BBOTA update at every transfer command. Each testcase asserts the last_command_file after the interruption, verifies the update resumability, then resumes the update and asserts the updated image. The transfer list in the testcase covers most of the transfer commands (stash/free/move/bsdiff/zero/new), as well as some special pattern like having duplicate stash ids. This CL also addresses one issue in the updater code, by resetting the stash_map before each run. The stash map should be valid only per block_image_verify/block_image_update run. Having leftover may cause issue in subsequent runs, in particular when calling block_image_verify after a previous run of block_image_{update,verify}. Test: Run recovery_component_test on marlin. Change-Id: I6f9a0368d194a754ce41a9c9819c6d5be2657248
2018-05-31  updater: Drop the 'blocks' parameter in LoadStash().  [Tao Bao; files: 1; lines: -15/+8]
None of the callers actually uses the value. (Even in the earlier versions, e.g. the one in M, the value wasn't used either.) Test: Run recovery_component_test on marlin. Change-Id: I53e61a1afa211f71a200889ed3aa4046763b46ea
2018-05-26  updater: Add Command class to manage BBOTA commands.  [Tao Bao; files: 1; lines: -63/+54]
Move the commands map parsing out of PerformBlockImageUpdate(), as this can be done more easily by the caller. The goal (not done in this CL) is to decouple command parsing logic from the performers. This allows (a) focusing on the command logic in the performer; and (b) extending BBOTA commands syntax separately. Test: Run recovery_unit_test and recovery_component_test. Change-Id: Ife202398a7660b152d84a3ba17b90f93d19c55f2
2018-05-22  updater: Use a bool to indicate if allowed to skip a command.  [Tao Bao; files: 1; lines: -22/+17]
This avoids the signedness issue, and makes the code more readable. Test: mmma bootable/recovery Test: Run recovery_component_test. Change-Id: I01c3a0357887cfd7c9d4aba4239ef650cfa18388
2018-05-21  updater: Clean up the header lines computation.  [Tao Bao; files: 1; lines: -6/+4]
It no longer needs to be conditional, as we've removed the support for BBOTA v1/v2. Test: mmma bootable/recovery Change-Id: I881de8afa38cc5b41b48e6d48d85170699ea5eb4
2018-05-16  Last command file should be updated after a command finishes  [Tianjie Xu; files: 1; lines: -11/+7]
The last command file has the last executed stash command by convention. So we should update the file after we actually finish executing the command; instead of after loading src/tgt. Bug: 79756267 Test: unit tests pass Change-Id: I4535b5836e7eb13b3abe3d02f9f362ec5e9ec969
2018-05-08  updater: Fix an issue when resuming an update.  [Tao Bao; files: 1; lines: -3/+6]
We cannot skip "new" commands while resuming an update with last_command_file, because they read in the data sequentially from the package. Bug: 69858743 Test: Interrupt an update that has new commands. Check the update log. Change-Id: I05fb67246f5ea3ba2a0f78f10255c0d9b0bc2f5a
2018-05-08  updater: Skip an updated partition on retry.  [Tao Bao; files: 1; lines: -39/+77]
Prior to the change, the BBOTA updater would try to re-run all the commands for a given partition on retry, including creating stashes according to the list of commands. This could fail a retry when the previous update had moved on to next stage, with leftovers in /cache. This CL creates a marker on /cache upon successfully updating a partition. The update commands will be skipped when trying to apply updates on an updated partition. Note that the marker is expected to be removed while doing a normal boot (in particular, handled by RecoverySystem#handleAftermath). If that didn't happen, the updater would also remove the marker before starting next fresh update. Alternatively, we can achieve the same goal by changing the OTA script, which needs to additionally compare the checksum against the target build. For example, range_sha1("/system", "ranges") == SHA1_of_updated_system || block_image_update("/system"); The downside is that we need to pay that cost on each install, as the edify script doesn't support caching the result in a variable. Bug: 79165963 Test: Simulate the process on device (by triggering a reboot while updating /vendor). Check the update log and result. Change-Id: I731031fa336133e1221b33edfc469969706e8091
2018-04-26  Rename CacheLocation to Paths.  [Tao Bao; files: 1; lines: -16/+12]
We have a general need for overriding more paths (e.g. "/tmp"), mostly for testing purpose. Rename CacheLocation to Paths, and use that to manage TEMPORARY_{INSTALL,LOG}_FILE. Test: mmma -j bootable/recovery Test: recovery_component_test Change-Id: Ia8ce8e5695df37ca434f13ac4d3206de1e8e9396
2018-04-25  updater: Remove an unneeded strdup().  [Tao Bao; files: 1; lines: -1/+1]
StringValue() makes a copy of the arg. Test: mmma bootable/recovery Change-Id: I1002994e7496c840aa05c785019bdeca281f467e
2018-04-20  applypatch: Drop the SHA_CTX parameter in Apply{BSDiff,Image}Patch.  [Tao Bao; files: 1; lines: -3/+2]
As they're accepting the SinkFn callback, it makes more sense to leave the work to their callers. Test: mmma -j bootable/recovery Test: Run recovery_component_test on marlin. Test: No other active user of the two functions. Change-Id: I8d67b38ce037925442296f136b483e0c71983777
2018-02-28  Add a singleton CacheLocation to replace the hard coded locations  [Tianjie Xu; files: 1; lines: -4/+5]
This class allows us to set the following locations dynamically: cache_temp_source, last_command_file, stash_directory_base. In the updater's main function, we reset the values of these variables to their default locations in /cache; while we can set them to temp files in unit tests or host simulation. Test: unit tests pass Change-Id: I528652650caa41373617ab055d41b1f1a4ec0f87
2018-02-28  Fix the behavior of undefined commands in BlockImageVerify  [Tianjie Xu; files: 1; lines: -2/+4]
In BlockImageVerify some commands are undefined, e.g. "erase", "new", "zero". And we should not error out if the corresponding function pointer of these commands is null; otherwise we will fail the verification.
The old code is:
  if (cmd->f != nullptr && cmd->f(params) == -1) return false;
In the last_command_file change the logic was wrongly modified to
  if (cmd->f == nullptr) return false;
  ...
  if (cmd->f(params) == -1) return false;
Test: sideload an incremental OTA twice on bullhead Change-Id: I2561c365badb850da0e416629ccd61f0df7da5d7
2018-02-07  Log the last command to cache  [Tianjie Xu; files: 1; lines: -9/+172]
When performing an update, save the index and cmdline of the current command into the last command file if this command writes to the stash either explicitly or implicitly. This mitigates the overhead to update the last command file for every command. I ran a simple test on angler and the time to update 1000 times is ~2.3 seconds. Upon resuming an update, read the saved index first; then
1. In verification mode, check if all commands before the saved index have already produced the expected target blocks. If not, delete the last command file so that we will later resume the update from the start of the transfer list.
2. In update mode, skip all commands before the saved index. Therefore, we can avoid deleting stashes with duplicate id unintentionally; and also speed up the update.
If an update succeeds or is unresumable, delete the last command file.
Bug: 69858743 Test: Unittest passed, apply a failed update with invalid cmd on angler and check the last_command content, apply a failed update with invalid source hash and last_command is deleted. Change-Id: Ib60ba1e3c6d111d9f33097759b17dbcef97a37bf
2018-01-29  Avoid overwrite of the error message in AbortFn  [Tianjie Xu; files: 1; lines: -9/+9]
The AbortFn() used to overwrite the error message, hiding the real failure reported in ErrorAbort(). And we will miss the failure in the script patterns like 'blockimageupdate() || abort()'. We will ensure there's one line break at the end of ErrorAbort's error message; and append to the existing error message when calling abort(). Test: Message from ErrorAbort shows up in the log Change-Id: I3aebd06629c5129330250c7fe5e8cdead2ae85bc
2017-11-10  applypatch: Change the patch parameter to const Value& in Apply{BSDiff,Image}Patch.  [Tao Bao; files: 1; lines: -2/+2]
It used to be "const Value*", but nullptr won't be a valid input. Test: recovery_host_test; recovery_component_test Change-Id: I904b5689ac3e64504088bf0544c9fb5d45a52243
2017-11-07  otautil: Remove the aborts in RangeSet::Parse().  [Tao Bao; files: 1; lines: -1/+19]
We used to CHECK and abort on parsing errors. While it works fine for the updater use case (because recovery starts updater in a forked process and collects the process exit code), it's difficult for other clients to use RangeSet as a library (e.g. update_verifier). This CL switches the aborts to returning empty RangeSet instead. Callers need to check the parsing results explicitly. The CL also separates RangeSet::PushBack() into a function, and moves SortedRangeSet::Clear() into RangeSet. Test: recovery_unit_test Test: Sideload an OTA package with the new updater on angler. Test: Sideload an OTA package with injected range string errors. The updater aborts from the explicit checks. Change-Id: If2b7f6f41dc93af917a21c7877a83e98dc3fd016
2017-10-20  Finish the new data receiver when update fails  [Tianjie Xu; files: 1; lines: -16/+41]
The thread to receive new data may still be alive after we exit PerformBlockImageUpdate() upon failures. This caused memory corruption when we run the unittest repeatedly. Set the receiver_available flag to false and make sure the receiver exits when the update fails. Bug: 65430057 Test: unittests passed with tsan Change-Id: Icb232d13fb96c78262249ffbd29cdbe5b77f1fce
2017-10-11  Move rangeset.h and print_sha1.h into otautil.  [Tao Bao; files: 1; lines: -2/+2]
Also drop the "bootable/recovery" path in LOCAL_C_INCLUDES from applypatch modules. Test: lunch aosp_{angler,bullhead,fugu,dragon,sailfish}-userdebug; mmma bootable/recovery Change-Id: Idd602a796894f971ee4f8fa3eafe36c42d9de986
2017-10-09  Revert "Revert "Move error_code.h into otautil.""  [Tao Bao; files: 1; lines: -1/+1]
This reverts commit 26436d6d6010d5323349af7e119ff8f34f85c40c to re-land "Move error_code.h into otautil.". This way it stops requiring relative path ".." in LOCAL_C_INCLUDES (uncrypt and edify). Soong doesn't accept non-local ".." in "local_include_dirs". This CL needs to land with device-specific module changes (e.g. adding the dependency on libotautil). Test: lunch aosp_{angler,bullhead,dragon,fugu,sailfish}-userdebug; mmma bootable/recovery Change-Id: If193241801af2dae73eccd31ce57cd2b81c9fd96
2017-10-05  Revert "Move error_code.h into otautil."  [Tao Bao; files: 1; lines: -1/+1]
This reverts commit 623fe7e701d5d0fb17082d1ced14498af1b44e5b. Reason for revert: Need to address device-specific modules. Change-Id: Ib7a4191e7f193dfff49b02d3de76dda856800251
2017-10-04  Move error_code.h into otautil.  [Tao Bao; files: 1; lines: -1/+1]
This way it stops requiring relative path ".." in LOCAL_C_INCLUDES (uncrypt and edify). Soong doesn't accept non-local ".." in "local_include_dirs". Test: mmma bootable/recovery Change-Id: Ia4649789cef2aaeb2785483660e9ea5a8b389c62
2017-09-29  otafault: Move headers under otafault/.  [Tao Bao; files: 1; lines: -1/+1]
Test: mmma bootable/recovery Change-Id: I3ceb72f703c7c2857d656c137d71baa1fccd8238
2017-08-19  Move Image/ImageChunk/PatchChunk declaration into header files  [Tianjie Xu; files: 1; lines: -1/+1]
1. Move the declaration of the Image classes to the header file to make testing easier. 2. Also move rangeset.h to bootable/recovery to allow access in imgdiff. Test: recovery component test Change-Id: I68a863e60a3f2e7ae46ee48f48eb15391f5f4330
2017-07-22  Fix a case when brotli writer fails to write last few blocks of data  [Tianjie Xu; files: 1; lines: -94/+81]
receive_new_data may exit too early if the zip processor has sent all the raw data. As a result, the last few 'new' commands will fail even though the brotli decoder has more output in its buffer. Restructure the code so that 'NewThreadInfo' owns the decoder state solely; and receive_brotli_new_data is responsible for the decompression. Also reduce the test data size to 100 blocks to avoid the test timeout. Bug: 63802629 Test: recovery_component_test. on bullhead, apply full updates with and w/o brotli compressed entries, apply an incremental update. Change-Id: Id429b2c2f31951897961525609fa12c3657216b7 (cherry picked from commit 6ed175d5412deeaec9691f85757e45452407b8e3)
2017-07-21  Fix a case when brotli writer fails to write last few blocks of data  [Tianjie Xu; files: 1; lines: -94/+81]
receive_new_data may exit too early if the zip processor has sent all the raw data. As a result, the last few 'new' commands will fail even though the brotli decoder has more output in its buffer. Restructure the code so that 'NewThreadInfo' owns the decoder state solely; and receive_brotli_new_data is responsible for the decompression. Also reduce the test data size to 100 blocks to avoid the test timeout. Bug: 63802629 Test: recovery_component_test. on bullhead, apply full updates with and w/o brotli compressed entries, apply an incremental update. Change-Id: I9442f2536b74e48dbf7eeb062a8539c82c6dab47
2017-07-08  Add support to decompress brotli compressed new data  [Tianjie Xu; files: 1; lines: -32/+143]
Add a new writer that can decode the brotli-compressed system/vendor new data stored in the OTA zip. Brotli generally gives better compression rate at the cost of slightly increased time consumption. The patch.dat is already compressed by BZ; so there's no point to further compress it. For the given 1.9G bullhead system image: Size: 875M -> 787M; ~10% reduction of package size. Time: 147s -> 153s; ~4% increase of the block_image_update execution time. (I guess I/O takes much longer time than decompression.) Also it takes 4 minutes to compress the system image on my local machine, 3 more minutes than zip. Test: recovery tests pass && apply a full OTA with brotli compressed system/vendor.new.dat on bullhead Change-Id: I232335ebf662a9c55579ca073ad45265700a621e
2017-05-24  Retry the update if ApplyBSDiffPatch | ApplyImagePatch fails  [Tianjie Xu; files: 1; lines: -0/+2]
We have seen one case when bspatch failed likely due to patch corruption. Since the package has passed verification before, we want to reboot and retry the patch command again since there's no alternative for users. We won't delete the stash before reboot, and the src has passed SHA1 check. If there's an error on the patch, it will fail the package verification during retry. Bug: 37855643 Test: angler reboots and retries the update when bspatch fails. Change-Id: I2ebac9621bd1f0649bb301b9a28a0dd079ed4e1d
2017-04-08  Abort the update if there's not enough new data  [Tianjie Xu; files: 1; lines: -4/+26]
Right now the update gets stuck in a deadlock if there's less new data than expected. Add some checkers and abort the update if such case happens. Also add a corresponding test. Bug: 36787146 Test: update aborts correctly on bullhead && recovery_component_test passes Change-Id: I914e4a2a4cf157b99ef2fc65bd21c6981e38ca47
2017-04-03  Change the internal representation in RangeSet.  [Tao Bao; files: 1; lines: -205/+187]
This CL makes the following changes to RangeSet:
- Uses std::pair<size_t, size_t> to represent a Range;
- Uses std::vector<Range> to represent a RangeSet;
- Provides const iterators (forward and reverse);
- Provides const accessor;
- 'blocks()' returns the number of blocks (formerly 'size');
- 'size()' returns the number of Range's (formerly 'count').
Test: recovery_unit_test Test: Apply an incremental update with the new updater. Change-Id: Ia1fbb343370a152e1f7aa050cf914c2da09b1396
2017-03-31  updater: Keep the parsed parameters in std::unique_ptr.  [Tao Bao; files: 1; lines: -160/+157]
We don't need to take raw pointers out of the parsed arguments. std::unique_ptr handles the dereferencing automatically. Test: mmma bootable/recovery Change-Id: I1beabf6e04dc350bdad7b36cee5fb345c82b28f2
2017-03-31  Move parse_range() and range_overlaps() into RangeSet.  [Tao Bao; files: 1; lines: -110/+18]
Also move RangeSet into a header file to make it testable, and add unit tests. In RangeSet::Parse() (the former parse_range()), use libbase logging to do assertions. This has the same effect as the previous exit(EXIT_FAILURE) to terminate the updater process and abort an update. The difference lies in the exit status code (i.e. WEXITSTATUS(status) in install.cpp), which changes from 1 (i.e. EXIT_FAILURE) to 0. Test: recovery_unit_test Test: Apply an incremental update with the new updater. Change-Id: Ie8393c78b0d8ae0fd5f0ca0646d871308d71fff0
2017-03-30  updater: Don't append newline when calling uiPrint().  [Tao Bao; files: 1; lines: -1/+2]
LOG(INFO) already appends a newline. Don't print redundant newline. Test: No extra blank lines when calling ui_print(). And on-screen UI shows the same. Change-Id: I74e9a8504a7146a6cb3dae02fe2406d0dd54069b
2017-03-29  updater: Move RangeSinkWrite into RangeSinkState.  [Tao Bao; files: 1; lines: -164/+146]
Then rename RangeSinkState to RangeSinkWriter. RangeSinkWriter reads data from the given FD, and writes them to the destination RangeSet. Test: Apply an incremental with the new updater. Change-Id: I5e3ab6fc082efa1726562c55b56e2d418fe4acaf
2017-03-28  applypatch: Let Apply{BSDiff,Image}Patch accept std::function.  [Tao Bao; files: 1; lines: -75/+76]
Test: mmma bootable/recovery system/update_engine Test: recovery_component_test Change-Id: I93c2caa87bf94a53509bb37f98f2c02bcadb6f5c
2017-03-28  applypatch: Change the ssize_t length parameters to size_t.  [Tao Bao; files: 1; lines: -41/+40]
Mostly for applypatch family APIs like ApplyBSDiffPatch() and ApplyImagePatch(). Changing to size_t doesn't indicate they would necessarily work with very large size_t (e.g. > ssize_t), just similar to write(2). But otherwise accepting negative length doesn't make much sense. Also change the return type of SinkFn from ssize_t to size_t. Callers tell a successful sink by comparing the number of written bytes against the desired value. Negative return values like -1 are not needed. This also makes it consistent with bsdiff::bspatch interface. Test: recovery_component_test Test: Apply an incremental with the new updater. Change-Id: I7ff1615203a5c9854134f75d019e266f4ea6e714
2017-03-28  updater: Clean up LoadSrcTgtVersion2().  [Tao Bao; files: 1; lines: -146/+143]
Rename to LoadSourceBlocks() by moving the target blocks parsing part into the caller. This allows detecting whether the target blocks have already had the expected data before loading the source blocks. It doesn't affect anything when applying an update package for the first time, but it skips loading the unneeded source blocks when resuming an update. It additionally avoids unnecessarily dumping the "corrupt" source/stash blocks when resuming an update. Bug: 33694730 Test: Apply an incremental update with the new updater. Test: Resume an incremental update with the new updater. Change-Id: I794fd0d1045be7b3b7f8619285dc0dade01398d0
2017-03-24  updater: Remove some redundant arguments.  [Tao Bao; files: 1; lines: -78/+65]
Clean up a few functions that take CommandParameters& as the first parameter. We don't need to take duplicate arguments if they always come from CommandParameters. This redundancy came from the point we replaced strtok()s (commit baad2d454dc07ce916442987a2908a93fe6ae298). Test: Apply an incremental update with the new updater. Change-Id: I2912b8ce6bc7580bf7f566e125f12270e679e155
2017-03-24  updater: Drop the support for BBOTA v1 and v2.  [Tao Bao; files: 1; lines: -398/+330]
The script support for BBOTA v1 and v2 has been dropped in commit 8fad03e7712082eb880ffaaffb69eb13252ce220 (platform/build). Bug: 33694730 Test: Apply an incremental with the new updater. Test: recovery_component_test Change-Id: I038b1bf8d10f030cab8ec0aa6ee565c5a9545dfd
2017-03-23  Removed C-style casts  [Mikhail Lappo; files: 1; lines: -1/+1]
In c++ code it would be cleaner to use c++ reinterpret cast instead of old c-style notation Change-Id: Ibeef5e0c374addf108c0a8876a6be45063d8e396
2017-03-23  Redundant checking of STL container element  [Mikhail Lappo; files: 1; lines: -3/+1]
As of C++ specification size_type erase( const key_type& key ); removes the element (if one exists). There is no need to perform the check twice. Change-Id: I4b057c08526abc7c2a483a60f9e166e4d8f56a74
2017-03-22  Remove malloc in edify functions  [Tianjie Xu; files: 1; lines: -13/+41]
And switch them to std::vector & std::unique_ptr Bug: 32117870 Test: recovery tests passed on sailfish Change-Id: I5a45951c4bdf895be311d6d760e52e7a1b0798c3
2017-03-22  Fix the permission of stashed blocks created by updater  [Tianjie Xu; files: 1; lines: -0/+12]
Our updater created the stashes with root permission. This causes an access denial when the RecoverySystem service tries to clean up these blocks after a failing update. As a result, the subsequent OTA updates may fail due to insufficient cache space. Bug: 36457133 Test: stashed blocks cleaned successfully after reboot Change-Id: If0ca99638cdfa1033646f29d9cc92b5ff1bacac1
2017-03-17  Revert "Revert "Print SHA-1 in hex for corrupted blocks""  [Tianjie Xu; files: 1; lines: -6/+140]
This reverts commit 90eff6a340f9983792d700df3b1ea0203aced207. Also fix the bug where stashed blocks are not freed. Bug: 21124445 Test: Previous failed update succeeded on bullhead Change-Id: I23d232331a2beb51b6dcc82c957c87bc247d0268
2017-03-16  updater: Minor clean up to EnumerateStash().  [Tao Bao; files: 1; lines: -73/+50]
Test: Apply an incremental BBOTA package with the new updater. Test: Resume an interrupted BBOTA (so it cleans up the partial stash). Change-Id: I620cc57ee6366845bcffbc19210f7a01e2196052
2017-03-15  Revert "Print SHA-1 in hex for corrupted blocks"  [Tao Bao; files: 1; lines: -140/+3]
This reverts commit bb0cd75a0e1f6760bdf96bd141f3a546ffa45fbc. Broke the 'free' command that deletes a stash. Bug: 36242722 Test: The previously failed incremental applies successfully. Change-Id: I1237cb0a33adfbeea57e0465b629704862ba13aa
2017-03-13  Print SHA-1 in hex for corrupted blocks  [Tianjie Xu; files: 1; lines: -3/+140]
It will be helpful for debug if we know which blocks are corrupted after a verification failure. This CL prints the SHA-1 for each source block in a transfer command if these blocks don't have an expected hash. And along with the correct SHA-1, we will catch the corrupted blocks. Bug: 21124445 Test: Printed the mismatched SHA-1 for bullhead during an update. Change-Id: I683d4bdaf9a335035045b3f532b3a265b2fcbbfc
2017-02-03  Replace _exit(-1) with _exit(EXIT_FAILURE).  [Tao Bao; files: 1; lines: -1/+1]
-1 is not a valid exit status. Also replace a few exit(1) with exit(EXIT_FAILURE). Test: mmma bootable/recovery Change-Id: I4596c8328b770bf95acccc06a4401bd5cabd4bfd
2017-01-04  updater: Refactor parse_range().  [Tao Bao; files: 1; lines: -74/+63]
Returning the parsed RangeSet directly (as opposed to using some pointer parameter) to make the code cleaner. Test: Apply an incremental with the new updater. Change-Id: I8c99e701f189eb6a3eacc0d647e5a3a85fbeb3eb
2016-12-29  updater: Clean up CreateStash().  [Tao Bao; files: 1; lines: -84/+85]
Change the stash size computation from int to size_t. Test: Apply an incremental BBOTA with the new updater. Change-Id: Ib45b71b826fec6aa0ffafc67c17735825634eae0
2016-12-14  updater: Fix the operator order.  [Tao Bao; files: 1; lines: -1/+1]
Shift operator ("<<") has a higher precedence level than ternary operator ("?"). Test: BBOTA update log says "performing update" as opposed to "performing 0". Change-Id: I0cf60cbfc11415e94f1f9f6effe75f14d13a1874
2016-12-01  updater: Switch to libbase logging.  [Tao Bao; files: 1; lines: -99/+95]
Test: Build an updater into a package and apply it on device. Change-Id: I289b5768e9b1e44ef78e0479c64dbaa36fb1a685
2016-11-01  Cleanup ReadArgs & ReadValueArgs usage  [Tianjie Xu; files: 1; lines: -30/+24]
ReadArgs will switch to using std::string and std::unique_ptr. Also cleanup the callers. Test: mma & component test passed. Change-Id: I4724406ae6c0c134a27bbd1cdd24ad5d343b2a3b
2016-10-18  Replace minzip with libziparchive  [Tianjie Xu; files: 1; lines: -47/+26]
Clean up the duplicated codes that handle the zip files in bootable/recovery; and rename the library of the remaining utility functions to libotautil. Test: Update package installed successfully on angler. Bug: 19472796 Change-Id: Iea8962fcf3004473cb0322b6bb3a9ea3ca7f679e
2016-10-15  Change StringValue to use std::string  [Tianjie Xu; files: 1; lines: -81/+73]
Changing the field of 'Value' in edify to std::string from char*. Meanwhile cleaning up the users of 'Value' and switching them to cpp style. Test: component tests passed. Bug: 31713288 Change-Id: Iec5a7d601b1e4ca40935bf1c70d325dafecec235
2016-10-11  Refactor libupdater into a separate module.  [Tao Bao; files: 1; lines: -2/+2]
So that we can write native tests for updater functions. This CL adds a testcase for getprop() function. Test: mmma bootable/recovery; Run recovery_component_test on device. Change-Id: Iff4c1ff63c5c71aded2f9686fed6b71cc298c228
2016-09-01  Check an edge case when read(2) returns 0  [Tianjie Xu; files: 1; lines: -0/+4]
We might end up in an infinite loop if read(2) reached EOF unexpectedly. The problematic code in uncrypt mentioned in the bug has been fixed by switching to libbase ReadFully(). So I grepped through the recovery code and fixed some other occurrences of the issue. Bug: 31073201 Change-Id: Ib867029158ba23363b8f85d61c25058a635c5a6b
2016-06-16  Check the results from applypatch  [Tianjie Xu; files: 1; lines: -4/+10]
Check the results from applypatch in PerformCommandDiff; and abort the update on failure. Bug:29339536 Change-Id: I5087d79ba532b54250f4c17560524255c8a4fabc
2016-06-03  Call ioctl before each write on retry  [Tianjie Xu; files: 1; lines: -7/+52]
If the update is a retry, ioctl(BLKDISCARD) the destination blocks before writing to these blocks. Bug: 28990135 Change-Id: I1e703808e68ebb1292cd66afd76be8fd6946ee59
2016-05-20  Allow recovery to return error codes  [Tianjie Xu; files: 1; lines: -27/+54]
Write error code, cause code, and retry count into last_install. So we can have more information about the reason of a failed OTA.
Example of new last_install:
@/cache/recovery/block.map package name
0 install result
retry: 1 retry count (new)
error: 30 error code (new)
cause: 12 error cause (new)
Details in: go/android-ota-errorcode
Bug: 28471955 Change-Id: I00e7153c821e7355c1be81a86c7f228108f3dc37
2016-05-16  Add time and I/O info to last_install  [Tianjie Xu; files: 1; lines: -0/+12]
One example of last_install is:
/sideload/package.zip
1
time_total: 101
bytes_written_system: 14574000
bytes_stashed_system: 100
bytes_written_vendor: 5107400
bytes_stashed_vendor: 0
Bug: 28658632 Change-Id: I4bf79ea71a609068d38fbce6b41bcb892524aa7a
2016-04-29  Fix google-explicit-constructor warnings.  [Chih-Hung Hsieh; files: 1; lines: -1/+1]
Bug: 28341362 Change-Id: I5b35ae16c069e7e9229e66963386f322bd808af1
2016-04-27  updater: Don't zero out CommandParameters with memset(3).  [Tao Bao; files: 1; lines: -2/+1]
[1] switched a few things to android::base::unique_fd including CommandParameters.fd. However, we were using memset(3) to zero out the struct, which effectively assigned unique_fd(0) to fd. When it called fd.reset(), file descriptor 0 was unintentionally closed. When FD 0 was later reassigned via open(2), it led to lseek(2) errors: "Bad file descriptor". This CL switches to using braced-init (i.e. '= {}') instead, so that the default constructor unique_fd(-1) would be called. [1]: commit bcabd0929316fdd022ea102cc86396547ad9f070 Bug: 28391985 Change-Id: If1f99932b15552714c399e65c8b80550344b758a
2016-03-29  Switch to <android-base/unique_fd.h>.  [Elliott Hughes; files: 1; lines: -25/+17]
Change-Id: I13ba3f40bd52b5f3e3fe9002a45a9a8630040129
2016-03-25  Skip stashing source blocks in verify mode  [Tianjie Xu; files: 1; lines: -8/+46]
Currently block_image_verify() stashes source blocks to /cache and in some cases triggers I/O errors. To avoid this risk, we create a map from the hash value to the source blocks' range_set. When executing stash command in verify mode, source range is saved but block contents aren't stashed. And load_stash could get its value from either the stashed file from the previous update, or the contents on the source partition specified by the saved range. Bug: 27584487 Bug: 25633753 Change-Id: I775baf4bee55762b6e7b204f8294afc597afd996 (cherry picked from commit 0188935d55206e8c2becb29e995f166cb7040355)
2016-03-23Skip stashing source blocks in verify modeTianjie Xu1-8/+46
Currently block_image_verify() stashes source blocks to /cache and in some cases triggers I/O errors. To avoid this risk, we create a map from the hash value to the source blocks' range_set. When executing stash command in verify mode, source range is saved but block contents aren't stashed. And load_stash could get its value from either the stashed file from the previous update, or the contents on the source partition specified by the saved range. Bug: 27584487 Bug: 25633753 Change-Id: I775baf4bee55762b6e7b204f8294afc597afd996
2016-03-19Control fault injection with config files instead of build flagsJed Estep1-1/+1
Bug: 27724259 Change-Id: I65bdefed10b3fb85fcb9e1147eaf0687d7d438f4
2016-03-17Revert "DO NOT MERGE Control fault injection with config files instead of build flags"Tao Bao1-1/+1
This reverts commit f73abf36bcfd433a3fdd1664a77e8e531346c1b1. Bug: 27724259 Change-Id: I1301fdad15650837d0b1febd0c3239134e2b94fb
2016-03-16DO NOT MERGE Control fault injection with config files instead of build flagsJed Estep1-1/+1
Bug: 26570379 Change-Id: I76109d09276d6e3ed3a32b6fedafb2582f545c0c
2016-02-23Control fault injection with config files instead of build flagsJed Estep1-1/+1
Bug: 26570379 Change-Id: I76109d09276d6e3ed3a32b6fedafb2582f545c0c (cherry picked from commit d940887dde23597dc358b16d96ca48dd7480fee6)
2016-02-20Control fault injection with config files instead of build flagsJed Estep1-1/+1
Bug: 26570379 Change-Id: I76109d09276d6e3ed3a32b6fedafb2582f545c0c
2016-02-10IO fault injection for OTA packagesJed Estep1-12/+13
Bug: 25951086 Change-Id: I31c74c735eb7a975b7f41fe2b2eff042e5699c0c (cherry-picked from commit f1fc48c6e62cfee42d25ad12f443e22d50c15d0b)
2016-02-04Switch from mincrypt to BoringSSL in applypatch and updater.Sen Jiang1-10/+9
Bug: 18790686 Change-Id: I7d2136fb39b2266f5ae5be24819c617b08a6c21e
2016-01-07updater: Add a function to check first blockTianjie Xu1-0/+55
Add and register a function to check if the device has been remounted since last update during incremental OTA. This function reads block 0 and executes before partition recovery for version >= 4. Bug: 21124327 Change-Id: I8b915b9f1d4736b3609daa9d16bd123225be357f (cherry picked from commit 30bf4765593e639966df9f460df22c3fe912e7bf)
2016-01-06IO fault injection for OTA packagesJed Estep1-6/+7
Bug: 25951086 Change-Id: I31c74c735eb7a975b7f41fe2b2eff042e5699c0c
2015-12-18updater: Add a function to check first blockTianjie Xu1-0/+55
Add and register a function to check if the device has been remounted since last update during incremental OTA. This function reads block 0 and executes before partition recovery for version >= 4. Bug: 21124327 Change-Id: I8b915b9f1d4736b3609daa9d16bd123225be357f
2015-12-11updater: Output msg when recovery is calledTianjie Xu1-1/+4
Output messages in log when recovery is attempted or succeeded during incremental OTA update. Change-Id: I4033df7ae3aaecbc61921d5337eda26f79164fda (cherry picked from commit b686ba211443490111729ba9d82eb0c0b305e185)
2015-12-10updater: Output msg when recovery is calledTianjie Xu1-1/+4
Output messages in log when recovery is attempted or succeeded during incremental OTA update. Change-Id: I4033df7ae3aaecbc61921d5337eda26f79164fda
2015-12-07updater: Replace strtok() with android::base::Split().Tao Bao1-133/+144
Change-Id: I36346fa199a3261da1ae1bc310b3557fe1716d96
2015-12-05Track rename from base/ to android-base/.Elliott Hughes1-2/+2
Change-Id: I354a8c424d340a9abe21fd716a4ee0d3b177d86f
2015-11-16DO NOT MERGE recovery: Switch applypatch/ and updater/ to cpp.Tao Bao1-17/+14
Mostly trivial changes to make cpp compiler happy. Change-Id: I69bd1d96fcccf506007f6144faf37e11cfba1270 (cherry picked from commit ba9a42aa7e10686de186636fe9fecbf8c4cc7c19)
2015-11-16Add error and range checks to parse_rangeSami Tolvanen1-10/+71
Only trusted input is passed to parse_range, but check for invalid input to catch possible problems in transfer lists. Bug: 21033983 Bug: 21034030 Bug: 21034172 Bug: 21034406 Change-Id: I1e266de3de15c99ee596ebdb034419fdfe7eba1f (cherry picked from commit f2bac04e1ba0a5b79f8adbc35b493923b776f8b2)
2015-08-04updater: Call fsync() after rename().Tao Bao1-0/+20
We need to ensure the renamed filename reaches the underlying storage. Bug: 22840552 Change-Id: I824b6e9d8a9c5966035be7b42a73678d07376342 (cherry picked from commit dc3922622a94af4f6412fd68e8f075f839ab2348)
2015-07-14recovery: Switch applypatch/ and updater/ to cpp.Tao Bao1-1994/+0
Mostly trivial changes to make cpp compiler happy. Change-Id: I1b0481465c67c3bbca35a839d0764190d84ff34e (cherry picked from commit ba9a42aa7e10686de186636fe9fecbf8c4cc7c19)
2015-07-14recovery: Switch applypatch/ and updater/ to cpp.Tao Bao1-1994/+0
Mostly trivial changes to make cpp compiler happy. Change-Id: I69bd1d96fcccf506007f6144faf37e11cfba1270
2015-07-11Revert "Zero blocks before BLKDISCARD"Tao Bao1-17/+1
This reverts commit b65f0272c860771f2105668accd175be1ed95ae9. It slows down the update too much on some devices (e.g. increased from 8 mins to 40 mins to take a full OTA update). Bug: 22129621 Change-Id: I016e3b47313e3113f01bb4f8eb3c14856bdc35e5 (cherry picked from commit 7125f9594db027ce4313d940ce2cafac67ae8c31)
2015-07-01Revert "Zero blocks before BLKDISCARD"Tao Bao1-17/+1
This reverts commit b65f0272c860771f2105668accd175be1ed95ae9. It slows down the update too much on some devices (e.g. increased from 8 mins to 40 mins to take a full OTA update). Bug: 22129621 Change-Id: I4e8d4f6734967caf4f0d19c734027f7b6c107370
2015-06-26More accurate checking for overlapped ranges.Tao Bao1-1/+1
A RangeSet has half-closed half-open bounds. For example, "3,5" contains blocks 3 and 4. So "3,5" and "5,7" are actually not overlapped. Bug: 22098085 Change-Id: I362d259f8b5d62478858ad0422b635bc5068698d (cherry picked from commit c0f56ad76680df555689d4a2397487ef8c16b1a6)
2015-06-26More accurate checking for overlapped ranges.Tao Bao1-1/+1
A RangeSet has half-closed half-open bounds. For example, "3,5" contains blocks 3 and 4. So "3,5" and "5,7" are actually not overlapped. Bug: 22098085 Change-Id: I75e54a6506f2a20255d782ee710e889fad2eaf29
2015-06-10Zero blocks before BLKDISCARDSami Tolvanen1-1/+17
Due to observed BLKDISCARD flakiness, overwrite blocks that we want to discard with zeros first to avoid later issues with dm-verity if BLKDISCARD is not successful. Bug: 20614277 Bug: 20881595 Change-Id: I4f6f2db39db990879ff10468c9db41606497bd6f (cherry picked from commit a3c75e3ea60d61df93461f5c356befe825c429d2)
2015-06-10Zero blocks before BLKDISCARDSami Tolvanen1-1/+17
Due to observed BLKDISCARD flakiness, overwrite blocks that we want to discard with zeros first to avoid later issues with dm-verity if BLKDISCARD is not successful. Bug: 20614277 Bug: 20881595 Change-Id: I4f6f2db39db990879ff10468c9db41606497bd6f
2015-06-10Revert "Zero blocks before BLKDISCARD"Sami Tolvanen1-5/+9
This reverts commit 96392b97f6bf1670d478494fb6df89a3410e53fa. Change-Id: I77acc27158bad3cd8948390a3955197646a43a31
2015-06-10Revert "Zero blocks before BLKDISCARD"Sami Tolvanen1-5/+9
This reverts commit 604c583c9dd3d47906b1a57c14a7e9650df7471e. Change-Id: I2b0b283dc3f44bae55c5e9f7231d7c712630c2b5
2015-06-09Zero blocks before BLKDISCARDSami Tolvanen1-9/+5
Due to observed BLKDISCARD flakiness, overwrite blocks that we want to discard with zeros first to avoid later issues with dm-verity if BLKDISCARD is not successful. Bug: 20614277 Bug: 20881595 Change-Id: I0280fe115b020dcab35f49041fb55b7f8e793da3 (cherry picked from commit 96392b97f6bf1670d478494fb6df89a3410e53fa)
2015-06-09Zero blocks before BLKDISCARDSami Tolvanen1-9/+5
Due to observed BLKDISCARD flakiness, overwrite blocks that we want to discard with zeros first to avoid later issues with dm-verity if BLKDISCARD is not successful. Bug: 20614277 Bug: 20881595 Change-Id: I0280fe115b020dcab35f49041fb55b7f8e793da3
2015-05-29Really don't use TEMP_FAILURE_RETRY with close in recovery.Elliott Hughes1-1/+1
I missed one last time. Bug: http://b/20501816 Change-Id: I9896ee2704237d61ee169f898680761e946e0a56 (cherry picked from commit b3ac676192a093c561b7f15064cbd67733407b12)
2015-05-29Handle BLKDISCARD failuresSami Tolvanen1-2/+1
In the block updater, if BLKDISCARD fails, the error is silently ignored and some of the blocks may not be erased. This means the target partition will have inconsistent contents. If the ioctl fails, return an error and abort the update. Bug: 20614277 Change-Id: I33867ba9337c514de8ffae59f28584b285324067 (cherry picked from commit cc2428c8181d18c9a88db908fa4eabd2db5601ad)
2015-05-29Really don't use TEMP_FAILURE_RETRY with close in recovery.Elliott Hughes1-1/+1
I missed one last time. Bug: http://b/20501816 Change-Id: I9896ee2704237d61ee169f898680761e946e0a56
2015-05-28Handle BLKDISCARD failuresSami Tolvanen1-2/+1
In the block updater, if BLKDISCARD fails, the error is silently ignored and some of the blocks may not be erased. This means the target partition will have inconsistent contents. If the ioctl fails, return an error and abort the update. Bug: 20614277 Change-Id: I33867ba9337c514de8ffae59f28584b285324067
2015-05-16Don't use TEMP_FAILURE_RETRY on close in recovery.Elliott Hughes1-2/+2
Bug: http://b/20501816 Change-Id: I35efcd8dcec7a6492ba70602d380d9980cdda31f (cherry picked from commit b47afedb42866e85b76822736d915afd371ef5f0)
2015-05-16Don't use TEMP_FAILURE_RETRY on close in recovery.Elliott Hughes1-2/+2
Bug: http://b/20501816 Change-Id: I35efcd8dcec7a6492ba70602d380d9980cdda31f
2015-05-15Add error and range checks to parse_rangeSami Tolvanen1-10/+71
Only trusted input is passed to parse_range, but check for invalid input to catch possible problems in transfer lists. Bug: 21033983 Bug: 21034030 Bug: 21034172 Bug: 21034406 Change-Id: Ia17537a2d23d5f701522fbc42ed38924e1ee3366
2015-04-30Check all lseek calls succeed.Elliott Hughes1-28/+20
Also add missing TEMP_FAILURE_RETRYs on read, write, and lseek. Bug: http://b/20625546 Change-Id: I03b198e11c1921b35518ee2dd005a7cfcf4fd94b (cherry picked from commit 7bad7c4646ee8fd8d6e6ed0ffd3ddbb0c1b41a2f)
2015-04-30Check all lseek calls succeed.Elliott Hughes1-28/+20
Also add missing TEMP_FAILURE_RETRYs on read, write, and lseek. Bug: http://b/20625546 Change-Id: I03b198e11c1921b35518ee2dd005a7cfcf4fd94b
2015-04-17Don't remove existing explicitly stashed blocksSami Tolvanen1-10/+28
When automatically stashing overlapping blocks, should the stash file already exist due to an explicit stash command, it's not safe to remove the stash file after the command has completed. Note that it is safe to assume that the stash file will remain in place during the execution of the next command, so we don't have to take other measures to preserve overlapping blocks. The stash file itself will be removed by a free command when it's no longer needed. Bug: 20297065 Change-Id: I8ff1a798b94086adff183c5aac03260eb947ae2c
2015-03-23Always use strerror to report errno in recovery.Elliott Hughes1-19/+20
Change-Id: I7009959043150fabf5853a43ee2448c7fbea176e
2015-03-11updater: Check the return value from ApplyImagePatch / ApplyBSDiffPatchTao Bao1-14/+28
Return NULL to abort the update process. Note that returning "" won't stop the script. Change-Id: Ifd108c1356f7c92a905c8776247a8842c6445319
2015-02-23Fix a printf format warning.Narayan Kamath1-1/+1
warning: format '%lu' expects argument of type 'long unsigned int', but argument 3 has type 'unsigned int' [-Wformat] sizeof(RangeSet) + num * sizeof(int)); Change-Id: I4a3c6fc8d40c08ea84f8f5ee13f39350e4264027
2015-02-18Initialize stashbase even if stash_max_blocks = 0Jesse Zhao1-1/+1
Change-Id: I480c02ffedd811f4dda9940ef979a05ff54f1435 Bug: 19410117
2015-01-30Support resuming block based OTAsSami Tolvanen1-346/+1460
Add support for transfer list version 3, which allows us to verify the status of each command and resume an interrupted block based OTA update. Notes on the changes:
- Move the previous BlockImageUpdateFn to a shorter and reusable PerformBlockImageUpdate, which can be used also in BlockImageVerifyFn for verification.
- Split individual transfer list commands into separate functions with unified parameters for clarity, and use a hash table to locate them during execution.
- Move common block reading and writing to ReadBlocks and WriteBlocks to reduce code duplication, and rename the readblock and writeblock to less confusing read_all and write_all.
The coding style of the new functions follows the existing style in the updater/edify code. Needs matching changes from Ia5c56379f570047f10f0aa7373a1025439495c98 Bug: 18262110 Change-Id: I1e752464134aeb2d396946348e6041acabe13942
2014-09-26support for version 2 of block image diffsDoug Zongker1-45/+209
In version 2 of block image diffs, we support a new command to load data from the image and store it in the "stash table" and then subsequently use entries in the stash table to fill in missing bits of source data we're not allowed to read when doing move/bsdiff/imgdiff commands. This leads to smaller update packages because we can break cycles in the ordering of how pieces are updated by storing data away and using it later, rather than not using the data as input to the patch system at all. This comes at the cost of the RAM or scratch disk needed to store the data. The implementation is backwards compatible; it can still handle the existing version 1 of the transfer file format. Change-Id: I4559bfd76d5403859637aeac832f3a5e9e13b63a
2014-09-08support for version 2 of block image diffsDoug Zongker1-45/+209
In version 2 of block image diffs, we support a new command to load data from the image and store it in the "stash table" and then subsequently use entries in the stash table to fill in missing bits of source data we're not allowed to read when doing move/bsdiff/imgdiff commands. This leads to smaller update packages because we can break cycles in the ordering of how pieces are updated by storing data away and using it later, rather than not using the data as input to the patch system at all. This comes at the cost of the RAM or scratch disk needed to store the data. The implementation is backwards compatible; it can still handle the existing version 1 of the transfer file format. Change-Id: I7fafe741d86b92d82d46feb2939ecf5a3890dc64
2014-09-04fix comment in blockimg updater codeDoug Zongker1-3/+3
The comment for the DEBUG_ERASE setting is exactly backwards. Change-Id: I98ab5828365894217fc78976817a131e7d22d5c1
2014-09-04use lseek64 instead of lseekAndrew Boie1-11/+11
Otherwise, overflow problems can occur with images larger than 2G since the offsets will overflow a 32-bit off_t. Change-Id: I05951a38ebeae83ad2cb938594e8d8adb323e2aa Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2014-08-21fix two bugs in block image updaterDoug Zongker1-18/+32
The computation of file offsets was overflowing for partitions larger than 2 GB. The parsing of the transfer file could fail at the end if the data happened to not be properly null-terminated. Bug: 16984795 Change-Id: I3ce6eb3e54ab7b55aa9bbed252da5a7eacd3317a
2014-08-20installer for new block OTA systemDoug Zongker1-0/+631
(Cherry-pick back from master.) Bug: 16984795 Change-Id: Ifa3d8345c5e2a0be86fb28faa080ca82592a96b4
2014-08-19installer for new block OTA systemDoug Zongker1-0/+631
Bug: 16984795 Change-Id: I90f958446baed83dec658de2430c8fc5e9c3047e