DirectDownload lacks bounded timeout and cancellation contract

Summary

DirectDownload::DownloadUrlToFile performs WinInet send and read operations without an explicit timeout or cancellation contract. Background refresh workers that use this helper can therefore remain blocked longer than shutdown lifetime assumptions allow.

This is a major Beta 0.7.3 blocker because it compounds BUG-092 and BUG-093: even after completion delivery is made safe, unbounded blocking makes release shutdown and refresh retry behavior hard to reason about under bad networks, captive portals, or stalled servers.

Evidence

  • srchybrid/DirectDownload.cpp:99 calls HttpSendRequest without a local timeout/cancellation contract.
  • srchybrid/DirectDownload.cpp:121 loops on InternetReadFile without a local timeout/cancellation contract.
  • GeoLocation and IPFilter update workers depend on this helper for background refresh downloads.

Execution Plan

  1. Revalidate all current callers of DirectDownload::DownloadUrlToFile and identify which calls are background refresh work versus user-blocking work.
  2. Add bounded WinInet receive/send/connect timeout options appropriate for background refresh downloads.
  3. Decide whether the timeout is part of DirectDownload defaults or passed in through an explicit options structure, favoring the smallest compatibility delta.
  4. Add a cancellation path or owner shutdown event if the refresh owner must be able to interrupt a blocked download during process shutdown.
  5. Preserve successful download behavior, proxy behavior, temp-file cleanup, and close-time persistence handling from BUG-091.
  6. Add a focused hanging-server or injected WinInet timeout seam for send and read paths.
  7. Validate GeoLocation/IPFilter refresh failure handling, retry behavior, and shutdown with a blocked download.
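Added example, not the project's code: a portable sketch of the bounded read loop that steps 2, 4 and 6 call for, with the InternetReadFile call replaced by a hypothetical injectable seam and a fake clock so the total-deadline and cancellation paths can be exercised without a network or a stalled server. The names readWithDeadline, simulate, DownloadResult and ReadSeam are assumptions; the real helper would still set the per-operation WinInet timeouts through InternetSetOption.

```cpp
#include <chrono>
#include <cstddef>
#include <functional>
#include <vector>

using Clock = std::chrono::steady_clock;
// Hypothetical read seam standing in for InternetReadFile: fills buf and returns
// the byte count, 0 at end of stream, or -1 when the transport read fails.
using ReadSeam = std::function<long(char* buf, size_t len)>;
struct DownloadResult {
    bool ok = false;         // true only when the stream ended cleanly
    bool timedOut = false;   // true when the total deadline expired
    std::vector<char> body;  // stands in for the temp file; empty on any failure
};

// Read loop with a total deadline plus a cancellation check. In the real helper
// WinInet bounds each read (INTERNET_OPTION_RECEIVE_TIMEOUT via InternetSetOption);
// this loop bounds the sum of all reads and drops the partial artifact on every
// failure path so the refresh owner can retry from a clean state.
DownloadResult readWithDeadline(const ReadSeam& read, std::chrono::milliseconds deadline,
                                const std::function<bool()>& cancelled,
                                const std::function<Clock::time_point()>& now) {
    DownloadResult r;
    const Clock::time_point start = now();
    char buf[4096];
    for (;;) {
        if (cancelled()) return DownloadResult{};               // owner shutdown
        if (now() - start > deadline) { r.timedOut = true; r.body.clear(); return r; }
        long n = read(buf, sizeof buf);
        if (n < 0) return DownloadResult{};                     // transport error
        if (n == 0) { r.ok = true; return r; }                   // clean end of stream
        r.body.insert(r.body.end(), buf, buf + n);
    }
}

// Constructed scenario: a fake clock that advances perRead on every read and a
// server that delivers `chunks` 1000-byte blocks before closing the stream.
DownloadResult simulate(int chunks, std::chrono::milliseconds perRead,
                        std::chrono::milliseconds deadline, bool cancelAfterFirst) {
    Clock::time_point fakeNow{}; int sent = 0;
    ReadSeam read = [&](char* buf, size_t len) -> long {
        fakeNow += perRead;
        if (sent++ >= chunks) return 0;
        size_t n = len < 1000 ? len : 1000;
        for (size_t i = 0; i < n; ++i) buf[i] = 'x';
        return static_cast<long>(n);
    };
    return readWithDeadline(read, deadline, [&] { return cancelAfterFirst && sent >= 1; },
                            [&] { return fakeNow; });
}
```

A server that keeps the socket open but sends slowly still trips the total deadline even though every individual read returns within the per-read bound, which is the case the per-operation WinInet timeouts alone do not cover.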

Acceptance Criteria

  • Background refresh downloads have a documented upper bound or explicit cancellation contract.
  • Shutdown cannot wait indefinitely for GeoLocation or IPFilter refresh downloads.
  • Timeout/cancellation failures clean up temporary artifacts and leave refresh state reusable.
  • Successful download behavior and existing update promotion rules remain unchanged.
  • The item has commit evidence and targeted validation in this file before Beta 0.7.3.

Validation

  • 2026-05-08: Done in app commit 84020af.
  • python -m emule_workspace validate --workspace-root . passed.
  • python -m emule_workspace build app --workspace-root . --config Release --platform x64 --variant main passed; log root workspaces\v0.72a\state\build-logs\20260508-102932.
  • python -m emule_workspace build app --workspace-root . --config Debug --platform x64 --variant main passed; log root workspaces\v0.72a\state\build-logs\20260508-102952.
  • Code validation: DirectDownload::DownloadUrlToFile now applies bounded WinInet connect, send, and receive timeouts, plus a five-minute total background download deadline across repeated reads. Timeout failure returns false and preserves the existing failed-artifact deletion path.