Download Feedback Service should upload all eligible downloads

This CL fixes a 3-year-old regression which makes download
feedback service only upload UNCOMMON downloads when user
clicks "DISCARD".  The correct behavior should be uploading
all eligible downloads no matter user clicks KEEP or DISCARD
on download shelf, where eligible means:
1) user is not incognito
2) user opted in for safe browsing extended reporting.
3) DownloadItemModel::ShouldAllowDownloadFeedback returns true

This CL also changes the logic of StealDangerousDownload(),
since if user chose to keep the download we cannot delete it
after feedback is sent.
In order to make download file immediately available to user
without making them wait for upload complete, we make a
temporary copy of the download file in DownloadItemImpl::
StealDangerousDownload(..) function, and upload this copy via
DownloadFeedbackService::BeginFeedbackOrDeleteFile. This temp
copy will be deleted after feedback is sent
(~DownloadFeedbackImpl()).

BUG=655799
Committed: https://crrev.com/2fe67a026c44af1daf09616c2b7bda2db5abee12
Cr-Commit-Position: refs/heads/master@{#432528}

[Jialiu Lin, 2016-10-19 16:42:39]

The CQ bit was checked by jialiul@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-10-19 16:43:02]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-10-19 16:45:47]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-10-19 16:45:48]

Dry run: Try jobs failed on following builders:
  mac_chromium_rel_ng on master.tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_rel_...)

[Jialiu Lin, 2016-10-19 22:47:39]

The CQ bit was checked by jialiul@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-10-19 22:48:31]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-10-20 00:28:27]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-10-20 00:28:28]

Dry run: This issue passed the CQ dry run.

[Jialiu Lin, 2016-10-21 22:19:49]

The CQ bit was checked by jialiul@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-10-21 22:20:24]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[Jialiu Lin, 2016-10-22 00:08:21]

Description was changed from

==========
draft

BUG=
==========

to

==========
This CL fixes a 3-year-old regression which makes download
feedback service only upload UNCOMMON downloads when user
clicks "DISCARD".  The correct behavior should be uploading
all eligible downloads with all dangerous type no matter
user keeps or discards the download.

Note eligible means user is not incognito && opted in for
safe browsing extended reporting.

BUG=655799
==========

[commit-bot: I haz the power, 2016-10-22 01:04:17]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-10-22 01:04:18]

Dry run: This issue passed the CQ dry run.

[Jialiu Lin, 2016-10-24 17:37:14]

Description was changed from

==========
This CL fixes a 3-year-old regression which makes download
feedback service only upload UNCOMMON downloads when user
clicks "DISCARD".  The correct behavior should be uploading
all eligible downloads with all dangerous type no matter
user keeps or discards the download.

Note eligible means user is not incognito && opted in for
safe browsing extended reporting.

BUG=655799
==========

to

==========
This CL fixes a 3-year-old regression which makes download
feedback service only upload UNCOMMON downloads when user
clicks "DISCARD".  The correct behavior should be uploading
all eligible downloads no matter user clicks KEEP or DISCARD
on download shelf, where eligible means:
1) user is not incognito 
2) user opted in for safe browsing extended reporting.
3) DownloadItemModel::ShouldAllowDownloadFeedback returns true

BUG=655799
==========

[Jialiu Lin, 2016-10-24 18:14:30]

jialiul@chromium.org changed reviewers:
+ asanka@chromium.org, pkasting@chromium.org

[Jialiu Lin, 2016-10-24 18:14:31]

Hi asanka@ and pkasting@, 
Surprisingly, this is a 3 years old regression (without anyone complaining for a
long time....), but per Safe Browsing Bineval team's recent request, we are
trying to get this in M56.
Note, this fix does not cover Mac OS, since Bineval binary analysis pipeline is
not ready for dmg or other Mac executable types yet.

Thanks!

[Jialiu Lin, 2016-10-24 18:14:48]

The CQ bit was checked by jialiul@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-10-24 18:15:35]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-10-24 20:13:25]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-10-24 20:13:27]

Dry run: This issue passed the CQ dry run.

[Peter Kasting, 2016-10-24 20:31:59]

You added two reviewers.  Please say what you want each to review?  Or are you
trying to get both of us to explicitly look at everything?

[Jialiu Lin, 2016-10-24 20:39:30]

Ah, sorry.
asanka@, could you take a look at the overall flow (and  
content/browser/download/download_item_impl.cc for owner review)?
pkasting@, could you look at files under c/b/ui/views/*?


Thanks!

[Peter Kasting, 2016-10-24 21:39:08]

My only real concern is the question about whether a KEEP download will still be
deleted when successfully submitted.

https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
File chrome/browser/ui/views/download/download_item_view.cc (right):

https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
chrome/browser/ui/views/download/download_item_view.cc:269: if
(!safe_browsing::ExtendedReportingPrefExists(*prefs)) {
Nit: Remove ! and reverse conditional arms, so the "else" doesn't mentally read
like a double-negative.

https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
chrome/browser/ui/views/download/download_item_view.cc:597: if
(ShouldAllowDownloadFeedback()) {
Nit: No {}

https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
chrome/browser/ui/views/download/download_item_view.cc:789: if ((!enabled ||
!SubmitDownloadToFeedbackService()) &&
Doesn't this result in deleting the download when submission succeeds, even if
the command was KEEP?  Is that a problem?

https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
chrome/browser/ui/views/download/download_item_view.cc:790: download_command_id
== DownloadCommands::DISCARD)
Nit: This might be clearer if written like:

  if (feedback_enabled && SubmitDownloadToFeedbackService())
    return;  // WARNING: |this| is now deleted.

  if (download_command_id == DownloadCommands::DISCARD)
    download()->Remove();

https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
File chrome/browser/ui/views/download/download_item_view.h (right):

https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
chrome/browser/ui/views/download/download_item_view.h:90: bool
ShouldAllowDownloadFeedback();
Nit: I suggest a comment that states the purpose of the code instead of its
function, and a function name more parallel to the others you use:

  // Returns whether the current download should be sent to the feedback service
  // (if the user approves).
  bool ShouldSubmitDownloadToFeedbackService();

However, note that both callers of this method just want to gate calls to
MaybeSubmitDownloadToFeedbackService() on it.  So consider just rolling it into
that function, and updating the comment I suggest below to "...if the user has
approved and the download is suitable for submission,..."

https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
chrome/browser/ui/views/download/download_item_view.h:96: void
MaybeSubmitDownloadToFeedbackService(
It's very confusing that you have both MaybeSubmitDownloadToFeedbackService()
and PossiblySubmitDownloadToFeedbackService().

Below I suggest a name change for the latter.  I would also change the comments
on here to soemthing like the following:

  // Sends the current download to the feedback service if the user has
  // approved, then performs the specified |download_command|.
  //
  // User approval comes in the form of a positive response to the
  // DownloadFeedbackDialogView, which this function will first show if it has
  // not been shown before.

https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
chrome/browser/ui/views/download/download_item_view.h:163: void
PossiblySubmitDownloadToFeedbackService(
Nit: Call this function something more precise.  I suggest
SubmitDownloadWhenFeedbackServiceEnabled().

https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
chrome/browser/ui/views/download/download_item_view.h:165: bool enabled);
Nit: I would rename this |feedback_enabled| and put it before |command_id|.

https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
File chrome/browser/ui/views/download/download_shelf_context_menu_view.cc
(right):

https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
chrome/browser/ui/views/download/download_shelf_context_menu_view.cc:63: if
(download_item_view_->ShouldAllowDownloadFeedback())
Nit: Can combine this if with the outer one

[Jialiu Lin, 2016-10-25 20:41:35]

The CQ bit was checked by jialiul@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-10-25 20:42:13]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[asanka, 2016-10-25 20:51:13]

Unfortunately the StealDangerousDownload logic and the upload logic aren't
written to deal with KEEP :-( Once StealDangerousDownload is called, the
download is removed from the system and ownership of the file is transferred to
the caller, which is the DownloadFeedbackService. The latter deletes the file
after completion.

We'll need to rework this logic and assumptions made thereof before we can
upload reports accepted dangerous downloads.

https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
File chrome/browser/ui/views/download/download_item_view.cc (right):

https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
chrome/browser/ui/views/download/download_item_view.cc:789: if ((!enabled ||
!SubmitDownloadToFeedbackService()) &&
On 2016/10/24 at 21:39:07, Peter Kasting wrote:
> Doesn't this result in deleting the download when submission succeeds, even if
the command was KEEP?  Is that a problem?

Yes. The StealDangerousDownload logic is meant to acquire a dangerous download
after the user has chosen to discard it.

Even if we didn't delete the file, we can't run the upload logic after accepting
a dangerous download. :-( We expose the file to external consumers at that
point. The upload logic may interfere with applications that are trying to
access the download file and prevent the user from opening the file
successfully.

[Peter Kasting, 2016-10-25 20:54:07]

Ah.  Sounds like this can't land as-is then.

[commit-bot: I haz the power, 2016-10-25 20:56:38]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-10-25 20:56:39]

Dry run: Try jobs failed on following builders:
  linux_chromium_chromeos_ozone_rel_ng on master.tryserver.chromium.linux
(JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)
  mac_chromium_compile_dbg_ng on master.tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_comp...)

[Jialiu Lin, 2016-10-25 21:07:10]

Thanks asanka@ and pkasting@. 
I'm now halfway changing the uploading logic (This CL is growing...). After I
resolve all the related unit_/browser_tests, I'll ping you for another round of
review.

https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
File chrome/browser/ui/views/download/download_item_view.cc (right):

https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
chrome/browser/ui/views/download/download_item_view.cc:269: if
(!safe_browsing::ExtendedReportingPrefExists(*prefs)) {
On 2016/10/24 21:39:07, Peter Kasting wrote:
> Nit: Remove ! and reverse conditional arms, so the "else" doesn't mentally
read
> like a double-negative.
Done.

https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
chrome/browser/ui/views/download/download_item_view.cc:597: if
(ShouldAllowDownloadFeedback()) {
On 2016/10/24 21:39:07, Peter Kasting wrote:
> Nit: No {}

Done.

https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
chrome/browser/ui/views/download/download_item_view.cc:789: if ((!enabled ||
!SubmitDownloadToFeedbackService()) &&
On 2016/10/24 21:39:07, Peter Kasting wrote:
> Doesn't this result in deleting the download when submission succeeds, even if
> the command was KEEP?  Is that a problem?

oops, Thanks for catching this. Seems changes need to be made to more files.

https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
chrome/browser/ui/views/download/download_item_view.cc:790: download_command_id
== DownloadCommands::DISCARD)
On 2016/10/24 21:39:07, Peter Kasting wrote:
> Nit: This might be clearer if written like:
> 
>   if (feedback_enabled && SubmitDownloadToFeedbackService())
>     return;  // WARNING: |this| is now deleted.
> 
>   if (download_command_id == DownloadCommands::DISCARD)
>     download()->Remove();

Done.

https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
File chrome/browser/ui/views/download/download_item_view.h (right):

https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
chrome/browser/ui/views/download/download_item_view.h:90: bool
ShouldAllowDownloadFeedback();
On 2016/10/24 21:39:07, Peter Kasting wrote:
> Nit: I suggest a comment that states the purpose of the code instead of its
> function, and a function name more parallel to the others you use:
> 
>   // Returns whether the current download should be sent to the feedback
service
>   // (if the user approves).
>   bool ShouldSubmitDownloadToFeedbackService();
> 
> However, note that both callers of this method just want to gate calls to
> MaybeSubmitDownloadToFeedbackService() on it.  So consider just rolling it
into
> that function, and updating the comment I suggest below to "...if the user has
> approved and the download is suitable for submission,..."
Function merged into MaybeSubmitDownloadToFeedbackService().

https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
chrome/browser/ui/views/download/download_item_view.h:96: void
MaybeSubmitDownloadToFeedbackService(
On 2016/10/24 21:39:07, Peter Kasting wrote:
> It's very confusing that you have both MaybeSubmitDownloadToFeedbackService()
> and PossiblySubmitDownloadToFeedbackService().
> 
> Below I suggest a name change for the latter.  I would also change the
comments
> on here to soemthing like the following:
> 
>   // Sends the current download to the feedback service if the user has
>   // approved, then performs the specified |download_command|.
>   //
>   // User approval comes in the form of a positive response to the
>   // DownloadFeedbackDialogView, which this function will first show if it has
>   // not been shown before.

Good suggestion! I have renamed the second function accordingly.

https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
chrome/browser/ui/views/download/download_item_view.h:163: void
PossiblySubmitDownloadToFeedbackService(
On 2016/10/24 21:39:07, Peter Kasting wrote:
> Nit: Call this function something more precise.  I suggest
> SubmitDownloadWhenFeedbackServiceEnabled().

Done.

https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
chrome/browser/ui/views/download/download_item_view.h:165: bool enabled);
On 2016/10/24 21:39:07, Peter Kasting wrote:
> Nit: I would rename this |feedback_enabled| and put it before |command_id|.

Renamed |enabled| to |feedback_enabled|, though I have to keep
|feedback_enabled| at the end of the variable list, since it will take in user
decision callback values from DownloadFeedbackDialogView.

https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
File chrome/browser/ui/views/download/download_shelf_context_menu_view.cc
(right):

https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
chrome/browser/ui/views/download/download_shelf_context_menu_view.cc:63: if
(download_item_view_->ShouldAllowDownloadFeedback())
On 2016/10/24 21:39:07, Peter Kasting wrote:
> Nit: Can combine this if with the outer one

Done.

[Jialiu Lin, 2016-10-25 21:35:22]

The CQ bit was checked by jialiul@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-10-25 21:35:53]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-10-25 22:16:15]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-10-25 22:16:16]

Dry run: Try jobs failed on following builders:
  win_chromium_x64_rel_ng on master.tryserver.chromium.win (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.win/builders/win_chromium_x64_...)

[Jialiu Lin, 2016-10-25 23:30:49]

The CQ bit was checked by jialiul@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-10-25 23:31:19]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-10-26 00:12:33]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-10-26 00:12:34]

Dry run: Try jobs failed on following builders:
  linux_chromium_chromeos_rel_ng on master.tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)

[Jialiu Lin, 2016-10-26 00:55:30]

The CQ bit was checked by jialiul@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-10-26 00:55:46]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-10-26 02:05:05]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-10-26 02:05:06]

Dry run: This issue passed the CQ dry run.

[asanka, 2016-10-26 13:56:13]

On 2016/10/25 at 21:07:10, jialiul wrote:
> Thanks asanka@ and pkasting@. 
> I'm now halfway changing the uploading logic (This CL is growing...). After I
resolve all the related unit_/browser_tests, I'll ping you for another round of
review.

Cool. I haven't looked at the upload logic yet. If you aren't already, could you
consider making a temporary copy of the downloaded file (or a size capped prefix
of the file), and upload using the copy? This way we can play well with
applications that open the downloaded file immediately after the download
completes. Also, this allows Chrome to signal download completion sooner rather
than wait for the upload to complete.

>
https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
> File chrome/browser/ui/views/download/download_item_view.cc (right):
> 
>
https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
> chrome/browser/ui/views/download/download_item_view.cc:269: if
(!safe_browsing::ExtendedReportingPrefExists(*prefs)) {
> On 2016/10/24 21:39:07, Peter Kasting wrote:
> > Nit: Remove ! and reverse conditional arms, so the "else" doesn't mentally
read
> > like a double-negative.
> Done.
> 
>
https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
> chrome/browser/ui/views/download/download_item_view.cc:597: if
(ShouldAllowDownloadFeedback()) {
> On 2016/10/24 21:39:07, Peter Kasting wrote:
> > Nit: No {}
> 
> Done.
> 
>
https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
> chrome/browser/ui/views/download/download_item_view.cc:789: if ((!enabled ||
!SubmitDownloadToFeedbackService()) &&
> On 2016/10/24 21:39:07, Peter Kasting wrote:
> > Doesn't this result in deleting the download when submission succeeds, even
if
> > the command was KEEP?  Is that a problem?
> 
> oops, Thanks for catching this. Seems changes need to be made to more files.
> 
>
https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
> chrome/browser/ui/views/download/download_item_view.cc:790:
download_command_id == DownloadCommands::DISCARD)
> On 2016/10/24 21:39:07, Peter Kasting wrote:
> > Nit: This might be clearer if written like:
> > 
> >   if (feedback_enabled && SubmitDownloadToFeedbackService())
> >     return;  // WARNING: |this| is now deleted.
> > 
> >   if (download_command_id == DownloadCommands::DISCARD)
> >     download()->Remove();
> 
> Done.
> 
>
https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
> File chrome/browser/ui/views/download/download_item_view.h (right):
> 
>
https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
> chrome/browser/ui/views/download/download_item_view.h:90: bool
ShouldAllowDownloadFeedback();
> On 2016/10/24 21:39:07, Peter Kasting wrote:
> > Nit: I suggest a comment that states the purpose of the code instead of its
> > function, and a function name more parallel to the others you use:
> > 
> >   // Returns whether the current download should be sent to the feedback
service
> >   // (if the user approves).
> >   bool ShouldSubmitDownloadToFeedbackService();
> > 
> > However, note that both callers of this method just want to gate calls to
> > MaybeSubmitDownloadToFeedbackService() on it.  So consider just rolling it
into
> > that function, and updating the comment I suggest below to "...if the user
has
> > approved and the download is suitable for submission,..."
> Function merged into MaybeSubmitDownloadToFeedbackService().
> 
>
https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
> chrome/browser/ui/views/download/download_item_view.h:96: void
MaybeSubmitDownloadToFeedbackService(
> On 2016/10/24 21:39:07, Peter Kasting wrote:
> > It's very confusing that you have both
MaybeSubmitDownloadToFeedbackService()
> > and PossiblySubmitDownloadToFeedbackService().
> > 
> > Below I suggest a name change for the latter.  I would also change the
comments
> > on here to soemthing like the following:
> > 
> >   // Sends the current download to the feedback service if the user has
> >   // approved, then performs the specified |download_command|.
> >   //
> >   // User approval comes in the form of a positive response to the
> >   // DownloadFeedbackDialogView, which this function will first show if it
has
> >   // not been shown before.
> 
> Good suggestion! I have renamed the second function accordingly.
> 
>
https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
> chrome/browser/ui/views/download/download_item_view.h:163: void
PossiblySubmitDownloadToFeedbackService(
> On 2016/10/24 21:39:07, Peter Kasting wrote:
> > Nit: Call this function something more precise.  I suggest
> > SubmitDownloadWhenFeedbackServiceEnabled().
> 
> Done.
> 
>
https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
> chrome/browser/ui/views/download/download_item_view.h:165: bool enabled);
> On 2016/10/24 21:39:07, Peter Kasting wrote:
> > Nit: I would rename this |feedback_enabled| and put it before |command_id|.
> 
> Renamed |enabled| to |feedback_enabled|, though I have to keep
|feedback_enabled| at the end of the variable list, since it will take in user
decision callback values from DownloadFeedbackDialogView.
> 
>
https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
> File chrome/browser/ui/views/download/download_shelf_context_menu_view.cc
(right):
> 
>
https://codereview.chromium.org/2439533002/diff/80001/chrome/browser/ui/views...
> chrome/browser/ui/views/download/download_shelf_context_menu_view.cc:63: if
(download_item_view_->ShouldAllowDownloadFeedback())
> On 2016/10/24 21:39:07, Peter Kasting wrote:
> > Nit: Can combine this if with the outer one
> 
> Done.

[Jialiu Lin, 2016-10-26 16:00:32]

Thanks, asanka@. 
My current implementation is to delay the download completion until upload is
done by adding adding another condition in IsDownloadReadyForCompletion(), then
call MaybeCompleteDownload() when feedback is done.

I'll try using the temporary file approach to see which way is better.

[Jialiu Lin, 2016-10-27 22:30:48]

The CQ bit was checked by jialiul@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-10-27 22:32:25]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[Jialiu Lin, 2016-10-27 23:21:21]

Description was changed from

==========
This CL fixes a 3-year-old regression which makes download
feedback service only upload UNCOMMON downloads when user
clicks "DISCARD".  The correct behavior should be uploading
all eligible downloads no matter user clicks KEEP or DISCARD
on download shelf, where eligible means:
1) user is not incognito 
2) user opted in for safe browsing extended reporting.
3) DownloadItemModel::ShouldAllowDownloadFeedback returns true

BUG=655799
==========

to

==========
This CL fixes a 3-year-old regression which makes download
feedback service only upload UNCOMMON downloads when user
clicks "DISCARD".  The correct behavior should be uploading
all eligible downloads no matter user clicks KEEP or DISCARD
on download shelf, where eligible means:
1) user is not incognito 
2) user opted in for safe browsing extended reporting.
3) DownloadItemModel::ShouldAllowDownloadFeedback returns true

This change also change the logic of StealDangerousDownload(..), since if user
chose to keep the download we cannot delete it after feedback is sent.
In order to make download file immediately available to user without making them
wait for upload complete, we make a temporary copy of the download file in
DownloadItemImpl::StealDangerousDownload(..) function, and upload this copy via
DownloadFeedbackService::BeginFeedbackOrDeleteFile. This temp copy will be
deleted after feedback is sent (~DownloadFeedbackImpl()). 

BUG=655799
==========

[Jialiu Lin, 2016-10-27 23:22:39]

Description was changed from

==========
This CL fixes a 3-year-old regression which makes download
feedback service only upload UNCOMMON downloads when user
clicks "DISCARD".  The correct behavior should be uploading
all eligible downloads no matter user clicks KEEP or DISCARD
on download shelf, where eligible means:
1) user is not incognito 
2) user opted in for safe browsing extended reporting.
3) DownloadItemModel::ShouldAllowDownloadFeedback returns true

This change also change the logic of StealDangerousDownload(..), since if user
chose to keep the download we cannot delete it after feedback is sent.
In order to make download file immediately available to user without making them
wait for upload complete, we make a temporary copy of the download file in
DownloadItemImpl::StealDangerousDownload(..) function, and upload this copy via
DownloadFeedbackService::BeginFeedbackOrDeleteFile. This temp copy will be
deleted after feedback is sent (~DownloadFeedbackImpl()). 

BUG=655799
==========

to

==========
This CL fixes a 3-year-old regression which makes download
feedback service only upload UNCOMMON downloads when user
clicks "DISCARD".  The correct behavior should be uploading
all eligible downloads no matter user clicks KEEP or DISCARD
on download shelf, where eligible means:
1) user is not incognito 
2) user opted in for safe browsing extended reporting.
3) DownloadItemModel::ShouldAllowDownloadFeedback returns true

This CL also changes the logic of StealDangerousDownload(),
since if user chose to keep the download we cannot delete it
after feedback is sent.
In order to make download file immediately available to user
without making them wait for upload complete, we make a
temporary copy of the download file in DownloadItemImpl::
StealDangerousDownload(..) function, and upload this copy via
DownloadFeedbackService::BeginFeedbackOrDeleteFile. This temp
copy will be deleted after feedback is sent
(~DownloadFeedbackImpl()). 

BUG=655799
==========

[Jialiu Lin, 2016-10-27 23:27:37]

Hi asanka@, 
Could you take a look at this latest version?
In this version, I changed the logic of StealDangerousDownload() to make a
temporary copy of the download file (if user chose to keep uncommon download)
and immediately validate the uncommon download. This copy will be uploaded via
DownloadFeedbackService::BeginFeedbackOrDeleteFile, and will
be deleted after feedback is sent in 
(DownloadFeedbackImpl::~DownloadFeedbackImpl()).

Manually tested, seems no crash. Test bots seems happy too. 
Let me know if anything doesn't add up.

[commit-bot: I haz the power, 2016-10-27 23:55:42]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-10-27 23:55:43]

Dry run: Try jobs failed on following builders:
  linux_android_rel_ng on master.tryserver.chromium.android (JOB_FAILED,
https://build.chromium.org/p/tryserver.chromium.android/builders/linux_androi...)

[asanka, 2016-10-31 14:38:55]

On 2016/10/27 at 23:27:37, jialiul wrote:
> Hi asanka@, 
> Could you take a look at this latest version?
> In this version, I changed the logic of StealDangerousDownload() to make a
> temporary copy of the download file (if user chose to keep uncommon download)
and immediately validate the uncommon download. This copy will be uploaded via
> DownloadFeedbackService::BeginFeedbackOrDeleteFile, and will
> be deleted after feedback is sent in 
> (DownloadFeedbackImpl::~DownloadFeedbackImpl()).
> 
> Manually tested, seems no crash. Test bots seems happy too. 
> Let me know if anything doesn't add up.

Sorry about the delay. I'll have a look at this later today.

[asanka, 2016-11-01 20:58:58]

Overall LG.

What's the largest file size that's supported by the feedback service? If the
download is larger than that size, what should we do? Try to do a partial upload
or skip the upload?

https://codereview.chromium.org/2439533002/diff/210001/chrome/browser/downloa...
File chrome/browser/download/download_browsertest.cc (right):

https://codereview.chromium.org/2439533002/diff/210001/chrome/browser/downloa...
chrome/browser/download/download_browsertest.cc:3411: download->Cancel(true);
Should also test that the target file exists. You can accept the download and
wait for it to complete. At that point, the download file should still exist.

https://codereview.chromium.org/2439533002/diff/210001/chrome/browser/ui/view...
File chrome/browser/ui/views/download/download_shelf_context_menu_view.cc
(right):

https://codereview.chromium.org/2439533002/diff/210001/chrome/browser/ui/view...
chrome/browser/ui/views/download/download_shelf_context_menu_view.cc:62:
DownloadCommands::KEEP) {
Can you add a DCHECK here to make sure command_id is never DISCARD?

https://codereview.chromium.org/2439533002/diff/210001/content/browser/downlo...
File content/browser/download/download_item_impl.cc (right):

https://codereview.chromium.org/2439533002/diff/210001/content/browser/downlo...
content/browser/download/download_item_impl.cc:317: DCHECK(IsDangerous());
Can you also DCHECK AllDataSaved() ?

It appears that the logic below will only have the desired effect if
AllDataSaved() is true. I.e. the file is complete.

https://codereview.chromium.org/2439533002/diff/210001/content/browser/downlo...
content/browser/download/download_item_impl.cc:332: } else if (download_file_) {
If there's no download_file_, then you can callback.Run(current_path_).
Otherwise that branch will cause the callback to never be run. All branches must
invoke |callback| at some point. Otherwise the download will stall.

[Peter Kasting, 2016-11-01 21:01:09]

Do you still want me to review anything in this latest version?

[asanka, 2016-11-01 21:09:23]

https://codereview.chromium.org/2439533002/diff/210001/chrome/browser/safe_br...
File chrome/browser/safe_browsing/download_feedback_service.cc (right):

https://codereview.chromium.org/2439533002/diff/210001/chrome/browser/safe_br...
chrome/browser/safe_browsing/download_feedback_service.cc:172: if (path.empty())
We should probably measure this. Not a big deal if you don't, but if the failure
rate is high, then we'd need to revisit our strategy.

https://codereview.chromium.org/2439533002/diff/210001/content/browser/downlo...
File content/browser/download/download_item_impl.cc (right):

https://codereview.chromium.org/2439533002/diff/210001/content/browser/downlo...
content/browser/download/download_item_impl.cc:104: return base::FilePath();
Can this branch delete the file at |temp_file_path| if |temp_file_path| contains
a valid path? 

base::CopyFile may leave a partial file around if it fails part-way. Leaving
those files around can be harmful in some cases. E.g. if CopyFile failed because
the temporary file location ran out of space lots of things will go wrong
quickly unless we free up the space again.

Also FYI the download file and the temp file may end up on different storage
devices and may be subject to different size restrictions.

[Jialiu Lin, 2016-11-01 21:10:13]

On 2016/11/01 21:01:09, Peter Kasting wrote:
> Do you still want me to review anything in this latest version?

Yes :-) Thanks, pkasting@!

[Jialiu Lin, 2016-11-01 23:10:24]

On 2016/11/01 20:58:58, asanka wrote:
> Overall LG.
> 
> What's the largest file size that's supported by the feedback service? If the
> download is larger than that size, what should we do? Try to do a partial
upload
> or skip the upload?
Feedback service only tries to upload file if it is smaller than 50M. Download
larger than this size will be skipped. This is gated in
ShouldAllowDownloadFeedback().

I'll address all the other comments tomorrow.

> 
>
https://codereview.chromium.org/2439533002/diff/210001/chrome/browser/downloa...
> File chrome/browser/download/download_browsertest.cc (right):
> 
>
https://codereview.chromium.org/2439533002/diff/210001/chrome/browser/downloa...
> chrome/browser/download/download_browsertest.cc:3411: download->Cancel(true);
> Should also test that the target file exists. You can accept the download and
> wait for it to complete. At that point, the download file should still exist.
> 
>
https://codereview.chromium.org/2439533002/diff/210001/chrome/browser/ui/view...
> File chrome/browser/ui/views/download/download_shelf_context_menu_view.cc
> (right):
> 
>
https://codereview.chromium.org/2439533002/diff/210001/chrome/browser/ui/view...
> chrome/browser/ui/views/download/download_shelf_context_menu_view.cc:62:
> DownloadCommands::KEEP) {
> Can you add a DCHECK here to make sure command_id is never DISCARD?
> 
>
https://codereview.chromium.org/2439533002/diff/210001/content/browser/downlo...
> File content/browser/download/download_item_impl.cc (right):
> 
>
https://codereview.chromium.org/2439533002/diff/210001/content/browser/downlo...
> content/browser/download/download_item_impl.cc:317: DCHECK(IsDangerous());
> Can you also DCHECK AllDataSaved() ?
> 
> It appears that the logic below will only have the desired effect if
> AllDataSaved() is true. I.e. the file is complete.
> 
>
https://codereview.chromium.org/2439533002/diff/210001/content/browser/downlo...
> content/browser/download/download_item_impl.cc:332: } else if (download_file_)
{
> If there's no download_file_, then you can callback.Run(current_path_).
> Otherwise that branch will cause the callback to never be run. All branches
must
> invoke |callback| at some point. Otherwise the download will stall.

[Peter Kasting, 2016-11-01 23:48:32]

LGTM, but I have concerns, which might be better addressed in another CL.

https://codereview.chromium.org/2439533002/diff/210001/chrome/browser/ui/view...
File chrome/browser/ui/views/download/download_item_view.cc (right):

https://codereview.chromium.org/2439533002/diff/210001/chrome/browser/ui/view...
chrome/browser/ui/views/download/download_item_view.cc:595: // WARNING: all end
states after this point delete |this|.
I think this lies; when MaybeSubmit...() calls
DownloadFeedbackDialogView::Show(), that doesn't delete |this|, does it?

In either case I'd move this to be at the end of the function like the comment
in SubmitDownloadWhenFeedbackServiceEnabled(), but be careful that the wording
is accurate.

https://codereview.chromium.org/2439533002/diff/210001/chrome/browser/ui/view...
File chrome/browser/ui/views/download/download_item_view.h (right):

https://codereview.chromium.org/2439533002/diff/210001/chrome/browser/ui/view...
chrome/browser/ui/views/download/download_item_view.h:88: // Submit download to
download feedback service if the user has approved and
Nit: Verbs in function comments should be descriptive ("Submits") rather than
imperative ("Submit"); see
http://google.github.io/styleguide/cppguide.html#Function_Comments .  (Several
places)

https://codereview.chromium.org/2439533002/diff/210001/chrome/browser/ui/view...
chrome/browser/ui/views/download/download_item_view.h:90: // If user hasn't seen
SBER opt-in text before, show SBER opt-in dialog first.
Does this function delete |this|?  If so it should probably say so.  Note that I
don't think this does this in all cases, see comments in .cc file.

https://codereview.chromium.org/2439533002/diff/210001/chrome/browser/ui/view...
chrome/browser/ui/views/download/download_item_view.h:153: //
|download_command|, and |this| will have been deleted.
This comment doesn't seem to accurately describe what the code does.  It looks
like the code attempts to submit the download for feedback, and if that fails,
it applies the download command.

I think the code and comments here are all more confusing than they need to be
because of the way that trying to submit the download for feedback "takes over"
the download command.  If submitting the download for feedback is a purely async
process that makes a temporary copy of the downloaded file (only when it's small
enough for submission) and always deletes that temporary copy when it's done,
then basically feedback submission becomes decoupled from handling the download
completion at all.

Is that change feasible to make?  Because it would avoid a lot of hassling about
precise comments and architecture for achieving the current design.

[Jialiu Lin, 2016-11-03 19:57:31]

The CQ bit was checked by jialiul@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-11-03 19:58:26]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[Jialiu Lin, 2016-11-03 20:11:01]

The CQ bit was checked by jialiul@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-11-03 20:11:49]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[Jialiu Lin, 2016-11-03 20:16:49]

jialiul@chromium.org changed reviewers:
+ noyau@chromium.org

[Jialiu Lin, 2016-11-03 20:16:50]

Thanks for your comments, asanka@ and pkasting@! 
Let me know if you have further comments. 

Meanwhile, add other reviewers for owner review:
noyau@ for chrome/browser/ntp_snippets/*
holte@ for uma metric
nick@ for content/public/*

Thanks!

https://codereview.chromium.org/2439533002/diff/210001/chrome/browser/downloa...
File chrome/browser/download/download_browsertest.cc (right):

https://codereview.chromium.org/2439533002/diff/210001/chrome/browser/downloa...
chrome/browser/download/download_browsertest.cc:3411: download->Cancel(true);
On 2016/11/01 20:58:58, asanka wrote:
> Should also test that the target file exists. You can accept the download and
> wait for it to complete. At that point, the download file should still exist.

Done.

https://codereview.chromium.org/2439533002/diff/210001/chrome/browser/safe_br...
File chrome/browser/safe_browsing/download_feedback_service.cc (right):

https://codereview.chromium.org/2439533002/diff/210001/chrome/browser/safe_br...
chrome/browser/safe_browsing/download_feedback_service.cc:172: if (path.empty())
On 2016/11/01 21:09:23, asanka wrote:
> We should probably measure this. Not a big deal if you don't, but if the
failure
> rate is high, then we'd need to revisit our strategy.

Done.

https://codereview.chromium.org/2439533002/diff/210001/chrome/browser/ui/view...
File chrome/browser/ui/views/download/download_item_view.cc (right):

https://codereview.chromium.org/2439533002/diff/210001/chrome/browser/ui/view...
chrome/browser/ui/views/download/download_item_view.cc:595: // WARNING: all end
states after this point delete |this|.
On 2016/11/01 23:48:32, Peter Kasting wrote:
> I think this lies; when MaybeSubmit...() calls
> DownloadFeedbackDialogView::Show(), that doesn't delete |this|, does it?
> 
> In either case I'd move this to be at the end of the function like the comment
> in SubmitDownloadWhenFeedbackServiceEnabled(), but be careful that the wording
> is accurate.

Done.

https://codereview.chromium.org/2439533002/diff/210001/chrome/browser/ui/view...
File chrome/browser/ui/views/download/download_item_view.h (right):

https://codereview.chromium.org/2439533002/diff/210001/chrome/browser/ui/view...
chrome/browser/ui/views/download/download_item_view.h:88: // Submit download to
download feedback service if the user has approved and
On 2016/11/01 23:48:32, Peter Kasting wrote:
> Nit: Verbs in function comments should be descriptive ("Submits") rather than
> imperative ("Submit"); see
> http://google.github.io/styleguide/cppguide.html#Function_Comments .  (Several
> places)

Done.

https://codereview.chromium.org/2439533002/diff/210001/chrome/browser/ui/view...
chrome/browser/ui/views/download/download_item_view.h:90: // If user hasn't seen
SBER opt-in text before, show SBER opt-in dialog first.
On 2016/11/01 23:48:32, Peter Kasting wrote:
> Does this function delete |this|?  If so it should probably say so.  Note that
I
> don't think this does this in all cases, see comments in .cc file.
Agree, I don't think it deletes |this|. Will fix comment in .cc file.

https://codereview.chromium.org/2439533002/diff/210001/chrome/browser/ui/view...
chrome/browser/ui/views/download/download_item_view.h:153: //
|download_command|, and |this| will have been deleted.
On 2016/11/01 23:48:32, Peter Kasting wrote:
> This comment doesn't seem to accurately describe what the code does.  It looks
> like the code attempts to submit the download for feedback, and if that fails,
> it applies the download command.
> 
> I think the code and comments here are all more confusing than they need to be
> because of the way that trying to submit the download for feedback "takes
over"
> the download command.  If submitting the download for feedback is a purely
async
> process that makes a temporary copy of the downloaded file (only when it's
small
> enough for submission) and always deletes that temporary copy when it's done,
> then basically feedback submission becomes decoupled from handling the
download
> completion at all.
> 
> Is that change feasible to make?  Because it would avoid a lot of hassling
about
> precise comments and architecture for achieving the current design.

I agree. If the "make a temp copy" strategy works out, it is much cleaner to use
it for both DISCARD and KEEP. 
However, at this point, I am leaning towards only applying this strategy on
"KEEP" (7% of all download feedback cases). Since a number of things can go
wrong with the temp copy, e.g. temporary file location runs out of space,
download file and the temp file may end up on different storage devices and may
be subject to different size restrictions, etc.
I added a UMA metrics to track the failing rate in this CL too (per asanka@'s
request). So if this strategy looks fine in M56, I'll do a refactor to use temp
copy for both KEEP and DISCARD.

https://codereview.chromium.org/2439533002/diff/210001/chrome/browser/ui/view...
File chrome/browser/ui/views/download/download_shelf_context_menu_view.cc
(right):

https://codereview.chromium.org/2439533002/diff/210001/chrome/browser/ui/view...
chrome/browser/ui/views/download/download_shelf_context_menu_view.cc:62:
DownloadCommands::KEEP) {
On 2016/11/01 20:58:58, asanka wrote:
> Can you add a DCHECK here to make sure command_id is never DISCARD?

Done.

https://codereview.chromium.org/2439533002/diff/210001/content/browser/downlo...
File content/browser/download/download_item_impl.cc (right):

https://codereview.chromium.org/2439533002/diff/210001/content/browser/downlo...
content/browser/download/download_item_impl.cc:104: return base::FilePath();
On 2016/11/01 21:09:23, asanka wrote:
> Can this branch delete the file at |temp_file_path| if |temp_file_path|
contains
> a valid path? 
> 
> base::CopyFile may leave a partial file around if it fails part-way. Leaving
> those files around can be harmful in some cases. E.g. if CopyFile failed
because
> the temporary file location ran out of space lots of things will go wrong
> quickly unless we free up the space again.
> 
> Also FYI the download file and the temp file may end up on different storage
> devices and may be subject to different size restrictions.

Done.

https://codereview.chromium.org/2439533002/diff/210001/content/browser/downlo...
content/browser/download/download_item_impl.cc:317: DCHECK(IsDangerous());
On 2016/11/01 20:58:58, asanka wrote:
> Can you also DCHECK AllDataSaved() ?
> 
> It appears that the logic below will only have the desired effect if
> AllDataSaved() is true. I.e. the file is complete.

Done.

https://codereview.chromium.org/2439533002/diff/210001/content/browser/downlo...
content/browser/download/download_item_impl.cc:332: } else if (download_file_) {
On 2016/11/01 20:58:58, asanka wrote:
> If there's no download_file_, then you can callback.Run(current_path_).
> Otherwise that branch will cause the callback to never be run. All branches
must
> invoke |callback| at some point. Otherwise the download will stall.

Done.

[commit-bot: I haz the power, 2016-11-03 20:46:19]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-11-03 20:46:21]

Dry run: Try jobs failed on following builders:
  cast_shell_linux on master.tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/cast_shell_linu...)

[Jialiu Lin, 2016-11-03 20:51:28]

The CQ bit was checked by jialiul@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-11-03 20:52:04]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[Jialiu Lin, 2016-11-03 20:52:34]

Patchset #14 (id:230002) has been deleted

[commit-bot: I haz the power, 2016-11-03 22:33:04]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-11-03 22:33:05]

Dry run: Try jobs failed on following builders:
  linux_chromium_rel_ng on master.tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)
  win_chromium_x64_rel_ng on master.tryserver.chromium.win (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.win/builders/win_chromium_x64_...)

[asanka, 2016-11-07 16:01:55]

LGTM. You can treat the comments as nits or stuff for followups as appropriate.
Thanks!

https://codereview.chromium.org/2439533002/diff/250001/chrome/browser/downloa...
File chrome/browser/download/download_browsertest.cc (right):

https://codereview.chromium.org/2439533002/diff/250001/chrome/browser/downloa...
chrome/browser/download/download_browsertest.cc:3425:
ASSERT_FALSE(updated_downloads.empty());
Should assert that there's exactly one download. Otherwise the property
assertions that follow won't be reliable.

https://codereview.chromium.org/2439533002/diff/250001/chrome/browser/downloa...
chrome/browser/download/download_browsertest.cc:3428: }
I'm okay with the tests as is. But ideally we'd test against a throttled upload
server and verify that we can safely delete the file at download->GetFullPath()
without the upload process getting interrupted. :-)

I don't know if the reliability of the upload mechanism is tested elsewhere, but
its resilience against the download target file getting removed is a new
requirement. Perhaps we should add such tests as followups? I'm worried that we
can regress on this aspect without any tests to catch it.

https://codereview.chromium.org/2439533002/diff/250001/content/browser/downlo...
File content/browser/download/download_item_impl.cc (right):

https://codereview.chromium.org/2439533002/diff/250001/content/browser/downlo...
content/browser/download/download_item_impl.cc:103: }
} else {

clang-format should've fixed this for you.

https://codereview.chromium.org/2439533002/diff/250001/content/browser/downlo...
content/browser/download/download_item_impl.cc:106: if
(base::PathExists(temp_file_path)) {
DeleteFile is a no-op if the file doesn't exist and we don't check the return
code. The only thing we need to check prior to calling DeleteFile() is whether
the |temp_file_path| is a directory because DeleteFile() works on both files and
directories.

So what you'd want is something like:

if (!base::DirectoryExists(temp_file_path))
  base::DeleteFile(temp_file_path);

Incidentally, this logic already exists in DeleteDownloadedFile(). So you can
give it a more generic name and call it instead. I'm okay if you do the check
here as well, since it's just two lines.

https://codereview.chromium.org/2439533002/diff/250001/content/public/browser...
File content/public/browser/download_item.h (right):

https://codereview.chromium.org/2439533002/diff/250001/content/public/browser...
content/public/browser/download_item.h:123: // cleanup.
Nit: I suggest changing 'X will be <verb>d' to '<verb>s X' and '<verb> X' to
also be '<verb>s X'.

[Jialiu Lin, 2016-11-14 20:54:01]

The CQ bit was checked by jialiul@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-11-14 20:55:30]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[Jialiu Lin, 2016-11-14 20:57:38]

jialiul@chromium.org changed reviewers:
- noyau@chromium.org

[Jialiu Lin, 2016-11-14 20:57:39]

Thanks for your comments asanka@. And sorry for my late reply. I was OOO last
week. I agree that we probably need more tests to check the reliability of the
new uploading mechanism. I will add more tests together with other refactoring
in a later CL (issue 665100).  I may pick your brain on some details later.

Thanks!

https://codereview.chromium.org/2439533002/diff/250001/chrome/browser/downloa...
File chrome/browser/download/download_browsertest.cc (right):

https://codereview.chromium.org/2439533002/diff/250001/chrome/browser/downloa...
chrome/browser/download/download_browsertest.cc:3425:
ASSERT_FALSE(updated_downloads.empty());
On 2016/11/07 16:01:55, asanka wrote:
> Should assert that there's exactly one download. Otherwise the property
> assertions that follow won't be reliable.

Done.

https://codereview.chromium.org/2439533002/diff/250001/chrome/browser/downloa...
chrome/browser/download/download_browsertest.cc:3428: }
On 2016/11/07 16:01:54, asanka wrote:
> I'm okay with the tests as is. But ideally we'd test against a throttled
upload
> server and verify that we can safely delete the file at
download->GetFullPath()
> without the upload process getting interrupted. :-)
> 
> I don't know if the reliability of the upload mechanism is tested elsewhere,
but
> its resilience against the download target file getting removed is a new
> requirement. Perhaps we should add such tests as followups? I'm worried that
we
> can regress on this aspect without any tests to catch it.
acknowledged.
I agree. We need more tests to verify the reliability. Since I'm trying to get
this change in M56 (branch on Nov 17), I'll probably defer this to a later CL.
And also as pkasting@ suggested, if this temp file solution works out fine, we
can also use this mechanism for discarded downloads, thus unify the logic of
handling file uploading. I created crbug.com/665100 as a reminder of these two
follow-ups.

https://codereview.chromium.org/2439533002/diff/250001/content/browser/downlo...
File content/browser/download/download_item_impl.cc (right):

https://codereview.chromium.org/2439533002/diff/250001/content/browser/downlo...
content/browser/download/download_item_impl.cc:103: }
On 2016/11/07 16:01:55, asanka wrote:
> } else {
> 
> clang-format should've fixed this for you.

Done.

https://codereview.chromium.org/2439533002/diff/250001/content/browser/downlo...
content/browser/download/download_item_impl.cc:106: if
(base::PathExists(temp_file_path)) {
On 2016/11/07 16:01:55, asanka wrote:
> DeleteFile is a no-op if the file doesn't exist and we don't check the return
> code. The only thing we need to check prior to calling DeleteFile() is whether
> the |temp_file_path| is a directory because DeleteFile() works on both files
and
> directories.
> 
> So what you'd want is something like:
> 
> if (!base::DirectoryExists(temp_file_path))
>   base::DeleteFile(temp_file_path);
> 
> Incidentally, this logic already exists in DeleteDownloadedFile(). So you can
> give it a more generic name and call it instead. I'm okay if you do the check
> here as well, since it's just two lines.

Done.

https://codereview.chromium.org/2439533002/diff/250001/content/public/browser...
File content/public/browser/download_item.h (right):

https://codereview.chromium.org/2439533002/diff/250001/content/public/browser...
content/public/browser/download_item.h:123: // cleanup.
On 2016/11/07 16:01:55, asanka wrote:
> Nit: I suggest changing 'X will be <verb>d' to '<verb>s X' and '<verb> X' to
> also be '<verb>s X'.

Done.

[Jialiu Lin, 2016-11-14 21:00:07]

jialiul@chromium.org changed reviewers:
+ holte@chromium.org, nick@semenkovich.com, treib@chromium.org

[Jialiu Lin, 2016-11-14 21:00:08]

Add other reviewers:
treib for chrome/browser/ntp_snippets/*
holte@ for uma metric
nick@ for content/public/*

Please feel free to re-assign if you're not available to review. I am targeting
M56.

[Jialiu Lin, 2016-11-14 21:00:27]

jialiul@chromium.org changed reviewers:
- nick@semenkovich.com

[Jialiu Lin, 2016-11-14 21:01:55]

jialiul@chromium.org changed reviewers:
+ nick@chromium.org

[Jialiu Lin, 2016-11-14 21:01:56]

nick@chromium.org: Please review changes in  content/public/*

[ncarter (slow), 2016-11-14 21:07:19]

content/public lgtm

[Steven Holte, 2016-11-14 21:34:34]

https://codereview.chromium.org/2439533002/diff/270001/chrome/browser/safe_br...
File chrome/browser/safe_browsing/download_feedback_service.cc (right):

https://codereview.chromium.org/2439533002/diff/270001/chrome/browser/safe_br...
chrome/browser/safe_browsing/download_feedback_service.cc:173:
UMA_HISTOGRAM_BOOLEAN("SBDownloadFeedback.EmptyFilePathFailure", true);
It would be better to consolidate these into single macro invocation, since each
creates a static variable.

[Jialiu Lin, 2016-11-14 21:55:07]

Thanks, holte@! UMA macro invocation consolidated.

https://codereview.chromium.org/2439533002/diff/270001/chrome/browser/safe_br...
File chrome/browser/safe_browsing/download_feedback_service.cc (right):

https://codereview.chromium.org/2439533002/diff/270001/chrome/browser/safe_br...
chrome/browser/safe_browsing/download_feedback_service.cc:173:
UMA_HISTOGRAM_BOOLEAN("SBDownloadFeedback.EmptyFilePathFailure", true);
On 2016/11/14 21:34:34, Steven Holte wrote:
> It would be better to consolidate these into single macro invocation, since
each
> creates a static variable.
Done.

[Steven Holte, 2016-11-14 21:55:47]

On 2016/11/14 21:55:07, Jialiu Lin wrote:
> Thanks, holte@! UMA macro invocation consolidated.
> 
>
https://codereview.chromium.org/2439533002/diff/270001/chrome/browser/safe_br...
> File chrome/browser/safe_browsing/download_feedback_service.cc (right):
> 
>
https://codereview.chromium.org/2439533002/diff/270001/chrome/browser/safe_br...
> chrome/browser/safe_browsing/download_feedback_service.cc:173:
> UMA_HISTOGRAM_BOOLEAN("SBDownloadFeedback.EmptyFilePathFailure", true);
> On 2016/11/14 21:34:34, Steven Holte wrote:
> > It would be better to consolidate these into single macro invocation, since
> each
> > creates a static variable.
> Done.

lgtm

[Marc Treib, 2016-11-15 08:20:37]

c/b/ntp_snippets/ lgtm

[Jialiu Lin, 2016-11-15 17:02:49]

The CQ bit was checked by jialiul@chromium.org

[Jialiu Lin, 2016-11-15 17:02:50]

The patchset sent to the CQ was uploaded after l-g-t-m from
pkasting@chromium.org, asanka@chromium.org, nick@chromium.org
Link to the patchset: https://codereview.chromium.org/2439533002/#ps290001
(title: "consolidate UMA invocation")

[commit-bot: I haz the power, 2016-11-15 17:03:59]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-11-15 18:50:43]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-11-15 18:50:45]

Try jobs failed on following builders:
  linux_chromium_asan_rel_ng on master.tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)

[Jialiu Lin, 2016-11-15 22:15:55]

The CQ bit was checked by jialiul@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-11-15 22:16:44]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[Jialiu Lin, 2016-11-15 23:22:16]

The CQ bit was checked by jialiul@chromium.org to run a CQ dry run

[Jialiu Lin, 2016-11-15 23:22:28]

Patchset #17 (id:310001) has been deleted

[commit-bot: I haz the power, 2016-11-15 23:23:02]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[Jialiu Lin, 2016-11-16 00:26:55]

The CQ bit was unchecked by jialiul@chromium.org

[Jialiu Lin, 2016-11-16 00:26:58]

The CQ bit was checked by jialiul@chromium.org

[Jialiu Lin, 2016-11-16 00:26:58]

The patchset sent to the CQ was uploaded after l-g-t-m from asanka@chromium.org,
treib@chromium.org, nick@chromium.org, pkasting@chromium.org, holte@chromium.org
Link to the patchset: https://codereview.chromium.org/2439533002/#ps330001
(title: "make windows bots happy")

[commit-bot: I haz the power, 2016-11-16 00:27:40]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-11-16 00:57:18]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-11-16 00:57:20]

Try jobs failed on following builders:
  android_n5x_swarming_rel on master.tryserver.chromium.android (JOB_FAILED,
https://build.chromium.org/p/tryserver.chromium.android/builders/android_n5x_...)

[Jialiu Lin, 2016-11-16 02:36:22]

The CQ bit was checked by jialiul@chromium.org

[commit-bot: I haz the power, 2016-11-16 02:37:08]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-11-16 04:51:20]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-11-16 04:51:22]

Try jobs failed on following builders:
  android_n5x_swarming_rel on master.tryserver.chromium.android (JOB_FAILED,
https://build.chromium.org/p/tryserver.chromium.android/builders/android_n5x_...)

[Jialiu Lin, 2016-11-16 17:03:06]

The CQ bit was checked by jialiul@chromium.org

[commit-bot: I haz the power, 2016-11-16 17:03:45]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-11-16 17:11:02]

Description was changed from

==========
This CL fixes a 3-year-old regression which makes download
feedback service only upload UNCOMMON downloads when user
clicks "DISCARD".  The correct behavior should be uploading
all eligible downloads no matter user clicks KEEP or DISCARD
on download shelf, where eligible means:
1) user is not incognito 
2) user opted in for safe browsing extended reporting.
3) DownloadItemModel::ShouldAllowDownloadFeedback returns true

This CL also changes the logic of StealDangerousDownload(),
since if user chose to keep the download we cannot delete it
after feedback is sent.
In order to make download file immediately available to user
without making them wait for upload complete, we make a
temporary copy of the download file in DownloadItemImpl::
StealDangerousDownload(..) function, and upload this copy via
DownloadFeedbackService::BeginFeedbackOrDeleteFile. This temp
copy will be deleted after feedback is sent
(~DownloadFeedbackImpl()). 

BUG=655799
==========

to

==========
This CL fixes a 3-year-old regression which makes download
feedback service only upload UNCOMMON downloads when user
clicks "DISCARD".  The correct behavior should be uploading
all eligible downloads no matter user clicks KEEP or DISCARD
on download shelf, where eligible means:
1) user is not incognito 
2) user opted in for safe browsing extended reporting.
3) DownloadItemModel::ShouldAllowDownloadFeedback returns true

This CL also changes the logic of StealDangerousDownload(),
since if user chose to keep the download we cannot delete it
after feedback is sent.
In order to make download file immediately available to user
without making them wait for upload complete, we make a
temporary copy of the download file in DownloadItemImpl::
StealDangerousDownload(..) function, and upload this copy via
DownloadFeedbackService::BeginFeedbackOrDeleteFile. This temp
copy will be deleted after feedback is sent
(~DownloadFeedbackImpl()). 

BUG=655799
==========

[commit-bot: I haz the power, 2016-11-16 17:11:04]

Committed patchset #17 (id:330001)

[commit-bot: I haz the power, 2016-11-16 17:18:19]

Description was changed from

==========
This CL fixes a 3-year-old regression which makes download
feedback service only upload UNCOMMON downloads when user
clicks "DISCARD".  The correct behavior should be uploading
all eligible downloads no matter user clicks KEEP or DISCARD
on download shelf, where eligible means:
1) user is not incognito 
2) user opted in for safe browsing extended reporting.
3) DownloadItemModel::ShouldAllowDownloadFeedback returns true

This CL also changes the logic of StealDangerousDownload(),
since if user chose to keep the download we cannot delete it
after feedback is sent.
In order to make download file immediately available to user
without making them wait for upload complete, we make a
temporary copy of the download file in DownloadItemImpl::
StealDangerousDownload(..) function, and upload this copy via
DownloadFeedbackService::BeginFeedbackOrDeleteFile. This temp
copy will be deleted after feedback is sent
(~DownloadFeedbackImpl()). 

BUG=655799
==========

to

==========
This CL fixes a 3-year-old regression which makes download
feedback service only upload UNCOMMON downloads when user
clicks "DISCARD".  The correct behavior should be uploading
all eligible downloads no matter user clicks KEEP or DISCARD
on download shelf, where eligible means:
1) user is not incognito
2) user opted in for safe browsing extended reporting.
3) DownloadItemModel::ShouldAllowDownloadFeedback returns true

This CL also changes the logic of StealDangerousDownload(),
since if user chose to keep the download we cannot delete it
after feedback is sent.
In order to make download file immediately available to user
without making them wait for upload complete, we make a
temporary copy of the download file in DownloadItemImpl::
StealDangerousDownload(..) function, and upload this copy via
DownloadFeedbackService::BeginFeedbackOrDeleteFile. This temp
copy will be deleted after feedback is sent
(~DownloadFeedbackImpl()).

BUG=655799

Committed: https://crrev.com/2fe67a026c44af1daf09616c2b7bda2db5abee12
Cr-Commit-Position: refs/heads/master@{#432528}
==========

[commit-bot: I haz the power, 2016-11-16 17:18:21]

Patchset 17 (id:??) landed as
https://crrev.com/2fe67a026c44af1daf09616c2b7bda2db5abee12
Cr-Commit-Position: refs/heads/master@{#432528}