Archive preview scanner uses volatile cancellation and synchronous UI handoff

Summary

The archive preview scanner still uses a volatile bool in a heap-allocated thread parameter block as its cancellation/lifetime signal. The worker then uses synchronous SendMessage() to hand results back to the preview dialog.

Product Decision

On 2026-04-26, archive preview/recovery was explicitly retained as-is for Release 1. This surface is not a release hardening target, and this bug should not be scheduled unless that product decision is explicitly reversed.

On 2026-05-08, the product decision was clarified: archive preview is deprecated, entirely frozen, and its known bugs are Wont-Fix unless the feature is explicitly unfrozen by a later product decision. The source now carries a comment at the thread-launch path to make that frozen status visible during future code review.

Current Main Evidence

  • srchybrid\ArchiveRecovery.h::archiveScannerThreadParams_s contains volatile bool m_bIsValid.
  • srchybrid\ArchivePreviewDlg.cpp::UpdateArchiveDisplay() clears m_activeTParams->m_bIsValid from the UI thread when replacing an active scan.
  • RunArchiveScanner() performs scan work on an MFC worker thread and calls SendMessage(ownerHwnd, UM_ARCHIVESCANDONE, ...) with the heap-owned parameter block.
  • ShowScanResults() consumes and frees the same payload on the UI side.

Risk

volatile is not a synchronization primitive. The UI thread can mark a payload invalid while the worker continues through recovery code, and the worker can block indefinitely if it synchronously sends completion to a busy or tearing-down UI thread. This is a legacy-feature stability issue rather than a core transfer bug, but it sits on a known fragile surface already tracked by BUG-002 and BUG-013.

Under the current product decision, this remains accepted only because the feature is deprecated and frozen rather than an active release-hardening target.

Historical Broadband Fit

Two close-stock paths are acceptable: harden the current preview worker, or fold this into the archive-preview retirement decision if the feature is removed.

Frozen Disposition

No implementation is planned while archive preview is deprecated and frozen. Do not spend Beta 0.7.3 hardening effort on this path unless the feature is explicitly unfrozen. If that happens, the historical acceptance criteria below become the starting point for a new active bug.

Acceptance Criteria

  • [ ] replace the volatile cancellation flag with a real atomic/cancel token or protected state
  • [ ] define payload ownership for success, cancellation, launch failure, and dialog teardown
  • [ ] avoid synchronous worker-to-UI sends during teardown, or prove the wait is bounded and safe
  • [ ] preserve current archive-preview behavior if the feature is retained
  • [ ] add a targeted test or manual stress script for repeated preview open, cancel, close, and rescan operations
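
One shape the first three criteria could take, written as an added example and not taken from the project's source. All names are hypothetical, and UiQueue is an assumed stand-in for a non-blocking PostMessage-style handoff so the sketch compiles without Win32 or MFC.

```cpp
#include <atomic>
#include <deque>
#include <memory>
#include <mutex>
#include <string>
#include <vector>
// Hypothetical names throughout; this models the pattern, not the project's code.
struct ScanResult {
    std::shared_ptr<std::atomic<bool>> cancel;  // shared token, outlives either side
    std::vector<std::string> entries;
};
// Stand-in for an asynchronous, non-blocking handoff to the UI thread.
class UiQueue {
    std::mutex m_;
    std::deque<std::unique_ptr<ScanResult>> q_;
    bool closed_ = false;
public:
    // Never waits on the UI thread. On failure the caller still owns the payload.
    bool post(std::unique_ptr<ScanResult>& r) {
        std::lock_guard<std::mutex> lk(m_);
        if (closed_) return false;
        q_.push_back(std::move(r));
        return true;
    }
    std::unique_ptr<ScanResult> take() {
        std::lock_guard<std::mutex> lk(m_);
        if (q_.empty()) return nullptr;
        std::unique_ptr<ScanResult> r = std::move(q_.front());
        q_.pop_front();
        return r;
    }
    // Dialog teardown: refuse new posts and free anything still queued.
    void close() { std::lock_guard<std::mutex> lk(m_); closed_ = true; q_.clear(); }
};

// Worker body: polls the token between units of work; true only if ownership moved.
bool runScan(std::shared_ptr<std::atomic<bool>> cancel, UiQueue& ui, int files) {
    std::unique_ptr<ScanResult> res(new ScanResult{cancel, {}});
    for (int i = 0; i < files; ++i) {
        if (cancel->load()) return false;  // cancelled: res is freed on return
        res->entries.push_back("entry-" + std::to_string(i));  // constructed sample data
    }
    return ui.post(res);  // false: dialog gone, unique_ptr frees the payload here
}

// UI side: drop results whose scan was replaced after they were posted.
int showScanResults(UiQueue& ui) {
    std::unique_ptr<ScanResult> r = ui.take();
    if (!r || r->cancel->load()) return -1;
    return static_cast<int>(r->entries.size());
}
```

Each of the four ownership cases (success, cancellation, stale result, teardown) ends with exactly one owner freeing the payload, and the worker never waits on the UI thread.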

Validation

  • 2026-05-08: Source comment added near the archive preview scanner thread launch in app commit 8c2cc67 to document the deprecated/frozen Wont-Fix status.