Garbage Collect the Storage directory on next profile start after an extension uninstall.

content/browser/storage_partition_impl_map.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/storage_partition_impl_map.h"
 
 #include "base/bind.h"
 #include "base/callback.h"
 #include "base/file_path.h"
 #include "base/file_util.h"
 #include "base/stl_util.h"
+#include "base/string_number_conversions.h"
 #include "base/string_util.h"
-#include "base/string_number_conversions.h"
-#include "base/threading/worker_pool.h"
+#include "base/stringprintf.h"
+#include "base/threading/sequenced_worker_pool.h"
 #include "content/browser/appcache/chrome_appcache_service.h"
 #include "content/browser/fileapi/browser_file_system_helper.h"
 #include "content/browser/fileapi/chrome_blob_storage_context.h"
 #include "content/browser/histogram_internals_request_job.h"
 #include "content/browser/loader/resource_request_info_impl.h"
 #include "content/browser/net/view_blob_internals_job_factory.h"
 #include "content/browser/net/view_http_cache_job_factory.h"
 #include "content/browser/resource_context_impl.h"
 #include "content/browser/storage_partition_impl.h"
 #include "content/browser/tcmalloc_internals_request_job.h"
@@ skipping 178 matching lines @@
 //
 // The code in GetStoragePartitionPath() constructs these path names.
 //
 // TODO(nasko): Move extension related path code out of content.
 const FilePath::CharType kStoragePartitionDirname[] =
     FILE_PATH_LITERAL("Storage");
 const FilePath::CharType kExtensionsDirname[] =
     FILE_PATH_LITERAL("ext");
 const FilePath::CharType kDefaultPartitionDirname[] =
     FILE_PATH_LITERAL("def");
+const FilePath::CharType kTrashDirname[] =
+    FILE_PATH_LITERAL("trash");
 
 // Because partition names are user specified, they can be arbitrarily long
 // which makes them unsuitable for paths names. We use a truncation of a
 // SHA256 hash to perform a deterministic shortening of the string. The
 // kPartitionNameHashBytes constant controls the length of the truncation.
 // We use 6 bytes, which gives us 99.999% reliability against collisions over
 // 1 million partition domains.
 //
 // Analysis:
 // We assume that all partition names within one partition domain are
@@ skipping 37 matching lines @@
 }
 
 // Helper function for doing a depth-first deletion of the data on disk.
 // Examines paths directly in |current_dir| (no recursion) and tries to
 // delete from disk anything that is in, or isn't a parent of something in
 // |paths_to_keep|. Paths that need further expansion are added to
 // |paths_to_consider|.
 void ObliterateOneDirectory(const FilePath& current_dir,
                             const std::vector<FilePath>& paths_to_keep,
                             std::vector<FilePath>* paths_to_consider) {
+  CHECK(current_dir.IsAbsolute());
+
   file_util::FileEnumerator enumerator(current_dir, false, kAllFileTypes);
   for (FilePath to_delete = enumerator.Next(); !to_delete.empty();
        to_delete = enumerator.Next()) {
     // Enum tracking which of the 3 possible actions to take for |to_delete|.
     enum { kSkip, kEnqueue, kDelete } action = kDelete;
 
     for (std::vector<FilePath>::const_iterator to_keep = paths_to_keep.begin();
          to_keep != paths_to_keep.end();
          ++to_keep) {
       if (to_delete == *to_keep) {
@@ skipping 18 matching lines @@
 
       case kSkip:
         break;
     }
   }
 }
 
 // Synchronously attempts to delete |root|, preserving only entries in
 // |paths_to_keep|. If there are no entries in |paths_to_keep| on disk, then it
 // completely removes |root|. All paths must be absolute paths.
-void BlockingObliteratePath(const FilePath& root,
-                            const std::vector<FilePath>& paths_to_keep) {
+void BlockingObliteratePath(
+    const FilePath& root,
+    const std::vector<FilePath>& paths_to_keep,
+    const scoped_refptr<base::TaskRunner>& closure_runner,
+    const base::Closure& on_gc_required) {
+  CHECK(root.IsAbsolute());
+
   // Reduce |paths_to_keep| set to those under the root and actually on disk.
   std::vector<FilePath> valid_paths_to_keep;
   for (std::vector<FilePath>::const_iterator it = paths_to_keep.begin();
        it != paths_to_keep.end();
        ++it) {
     if (root.IsParent(*it) && file_util::PathExists(*it))
       valid_paths_to_keep.push_back(*it);
   }
 
   // If none of the |paths_to_keep| are valid anymore then we just whack the
   // root and be done with it.
   if (valid_paths_to_keep.empty()) {
     file_util::Delete(root, true);
     return;
+  } else {

[Charlie Reis, 2012/12/10 23:22:28]

nit: Don't need the else, since we return early above.

[awong, 2012/12/11 01:18:32]

Done.

+    closure_runner->PostTask(FROM_HERE, on_gc_required);
   }
 
   // Otherwise, start at the root and delete everything that is not in
   // |valid_paths_to_keep|.
   std::vector<FilePath> paths_to_consider;
   paths_to_consider.push_back(root);
   while(!paths_to_consider.empty()) {
     FilePath path = paths_to_consider.back();
     paths_to_consider.pop_back();
     ObliterateOneDirectory(path, valid_paths_to_keep, &paths_to_consider);
   }
 }
 
+// Deletes all entries inside the |storage_root| that are not in the
+// |active_paths|.  Deletion is done in 2 steps:
+//
+//   (1) Moving all garbage collected paths into a trash directory.
+//   (2) Asynchronously deleting the trash directory.
+//
+// The deletion is asynchronously because after (1) completes, calling code can

[Charlie Reis, 2012/12/10 23:22:28]

nit: asynchronous
Also, "calling code can safely continue..."

[awong, 2012/12/11 01:18:32]

Done.

+// continue to use the paths that had just been garbage collected without
+// fear of race conditions.
+//
+// This code also ignores failed moves rather than attempting a smarter retry.
+// Moves shouldn't fail here unless there is some out-of-band error (eg.,
+// FS corruption). Retry logic is dangerous in the general case because
+// there is not necessarily a guaranteed case where the logic may succeed.
+void BlockingGarbageCollect(

[Charlie Reis, 2012/12/10 23:22:28]

What does the "Blocking" part of the name refer to?  Just the moving of
directories into the trash directory?  Unclear, given how much emphasis there is
on the asynchronous behavior.

[awong, 2012/12/11 01:18:32]

Yeah, it's referring to the move to trash.

[awong, 2012/12/11 01:18:32]

Yep. It's referring to the moves and the enumeration. I added a comment.

+    const FilePath& storage_root,
+    const scoped_refptr<base::TaskRunner>& file_access_runner,
+    scoped_ptr<base::hash_set<FilePath> > active_paths) {
+  CHECK(storage_root.IsAbsolute());
+
+  file_util::FileEnumerator enumerator(storage_root, false, kAllFileTypes);
+  FilePath trash_directory;
+  if (!file_util::CreateTemporaryDirInDir(storage_root, kTrashDirname,
+                                          &trash_directory)) {
+    // Unable to continue without creating the trash directory so give up.
+    return;
+  }
+  for (FilePath path = enumerator.Next(); !path.empty();
+       path = enumerator.Next()) {
+    if (active_paths->find(path) == active_paths->end() &&
+        path != trash_directory) {
+      // Since |trash_directory| is unique for each run of this function there
+      // can be no colllisions on the move.
+      file_util::Move(path, trash_directory.Append(path.BaseName()));
+    }
+  }
+
+  file_access_runner->PostTask(
+      FROM_HERE,
+      base::Bind(base::IgnoreResult(&file_util::Delete), trash_directory,
+                 true));
+}
+
 }  // namespace
 
 // static
 FilePath StoragePartitionImplMap::GetStoragePartitionPath(
     const std::string& partition_domain,
     const std::string& partition_name) {
   if (partition_domain.empty())
     return FilePath();
 
   FilePath path = GetStoragePartitionDomainPath(partition_domain);
@@ skipping 11 matching lines @@
     return path.AppendASCII(base::HexEncode(buffer, sizeof(buffer)));
   }
 
   return path.Append(kDefaultPartitionDirname);
 }
 
 StoragePartitionImplMap::StoragePartitionImplMap(
     BrowserContext* browser_context)
     : browser_context_(browser_context),
       resource_context_initialized_(false) {
+  // Doing here instead of initializer list cause it's just too ugly to read.
+  base::SequencedWorkerPool* blocking_pool = BrowserThread::GetBlockingPool();
+  file_access_runner_ =
+      blocking_pool->GetSequencedTaskRunner(blocking_pool->GetSequenceToken());
 }
 
 StoragePartitionImplMap::~StoragePartitionImplMap() {
   STLDeleteContainerPairSecondPointers(partitions_.begin(),
                                        partitions_.end());
 }
 
 StoragePartitionImpl* StoragePartitionImplMap::Get(
     const std::string& partition_domain,
     const std::string& partition_name,
@@ skipping 33 matching lines @@
       partition_domain.empty() ?
       browser_context_->GetMediaRequestContext() :
       browser_context_->GetMediaRequestContextForStoragePartition(
           partition->GetPath(), in_memory));
 
   PostCreateInitialization(partition, in_memory);
 
   return partition;
 }
 
-void StoragePartitionImplMap::AsyncObliterate(const GURL& site) {
+void StoragePartitionImplMap::AsyncObliterate(
+    const GURL& site,
+    const base::Closure& on_gc_required) {
   // This method should avoid creating any StoragePartition (which would
   // create more open file handles) so that it can delete as much of the
   // data off disk as possible.
   std::string partition_domain;
   std::string partition_name;
   bool in_memory = false;
   GetContentClient()->browser()->GetStoragePartitionConfigForSite(
       browser_context_, site, false, &partition_domain,
       &partition_name, &in_memory);
 
-  // The default partition is the whole profile. We can't obliterate that and
-  // should never even try.
-  CHECK(!partition_domain.empty()) << site;
-
   // Find the active partitions for the domain. Because these partitions are
   // active, it is not possible to just delete the directories that contain
   // the backing data structures without causing the browser to crash. Instead,
   // of deleteing the directory, we tell each storage context later to
   // remove any data they have saved. This will leave the directory structure
   // intact but it will only contain empty databases.
   std::vector<StoragePartitionImpl*> active_partitions;
   std::vector<FilePath> paths_to_keep;
   for (PartitionMap::const_iterator it = partitions_.begin();
        it != partitions_.end();
        ++it) {
     const StoragePartitionConfig& config = it->first;
     if (config.partition_domain == partition_domain) {
       it->second->AsyncClearAllData();
       if (!config.in_memory) {
         paths_to_keep.push_back(it->second->GetPath());
       }
     }
   }
 
   // Start a best-effort delete of the on-disk storage excluding paths that are
   // known to still be in use. This is to delete any previously created
   // StoragePartition state that just happens to not have been used during this
   // run of the browser.
   FilePath domain_root = browser_context_->GetPath().Append(
       GetStoragePartitionDomainPath(partition_domain));
-  base::WorkerPool::PostTask(
+
+  // Never try to obliterate the browser context root. Die hard.
+  CHECK(domain_root != browser_context_->GetPath()) << site;

[Charlie Reis, 2012/12/10 23:22:28]

Can we easily check that domain_root is within browser_context_->GetPath() as
well?  Maybe that's overkill, but I wouldn't want something like "../" to be
able to cause larger parts of the user's filesystem to be deleted.

[awong, 2012/12/11 01:18:32]

Made this check more robust.

+
+  BrowserThread::PostBlockingPoolTask(
       FROM_HERE,
-      base::Bind(&BlockingObliteratePath, domain_root, paths_to_keep),
-      true);
+      base::Bind(&BlockingObliteratePath, domain_root, paths_to_keep,
+                 base::MessageLoopProxy::current(), on_gc_required));
+}
 
-  // TODO(ajwong): Schedule a final AsyncObliterate of the whole directory on
-  // the next browser start. http://crbug.com/85127.
+void StoragePartitionImplMap::GarbageCollect(
+    scoped_ptr<base::hash_set<FilePath> > active_paths,
+    const base::Closure& done) {
+  // Include all paths for current StoragePartitions in the active_paths since
+  // they cannot be deleted safely.
+  for (PartitionMap::const_iterator it = partitions_.begin();
+       it != partitions_.end();
+       ++it) {
+    const StoragePartitionConfig& config = it->first;
+    if (!config.in_memory)
+      active_paths->insert(it->second->GetPath());
+  }
+
+  // Find the directory holding the StoragePartitions and delete everything in
+  // there that isn't considered active.
+  FilePath storage_root = browser_context_->GetPath().Append(
+      GetStoragePartitionDomainPath(std::string()));
+  file_access_runner_->PostTaskAndReply(
+      FROM_HERE,
+      base::Bind(&BlockingGarbageCollect, storage_root,
+                 file_access_runner_,
+                 base::Passed(&active_paths)),
+      done);
 }
 
 void StoragePartitionImplMap::ForEach(
     const BrowserContext::StoragePartitionCallback& callback) {
   for (PartitionMap::const_iterator it = partitions_.begin();
        it != partitions_.end();
        ++it) {
     callback.Run(it->second);
   }
 }
@@ skipping 27 matching lines @@
 
     // We do not call InitializeURLRequestContext() for media contexts because,
     // other than the HTTP cache, the media contexts share the same backing
     // objects as their associated "normal" request context.  Thus, the previous
     // call serves to initialize the media request context for this storage
     // partition as well.
   }
 }
 
 }  // namespace content