Current Main Bug, Concurrency, And Persistence Scan - 2026-04-26¶
Scope¶
This pass scanned the active app worktree at
EMULE_WORKSPACE_ROOT\workspaces\v0.72a\app\eMule-main on main, focusing on
bugs, concurrency issues, memory risks, persistence crash windows, and small
legacy-code fixes that fit the broadband edition's close-to-stock maintenance
model.
No app source changes were made for this review.
Findings Added¶
| ID | Priority | Area | Finding |
|---|---|---|---|
| BUG-069 | Major | WebServer/static files | Static resource serving does not prove final path containment and reads whole files into memory. |
| BUG-070 | Minor | helper threads/shutdown | Several helper thread constructors ignore AfxBeginThread() failure before shutdown waits. |
| BUG-071 | Major | server list persistence | server.met save and auto-update still use destructive backup/promotion moves. |
| BUG-072 | Minor | Kad persistence | preferencesKad.dat and nodes.dat still save directly to live files. |
| BUG-073 | Major | WebServer/session concurrency | Session and bad-login arrays are mutated from concurrent request threads without synchronization. |
| BUG-074 | Minor | archive preview threading | Archive preview scanner uses volatile cancellation and synchronous worker-to-UI result handoff. |
Scan Notes¶
- WebServer request handling is still threaded per accepted connection. That makes session/bad-login state and static-file helpers current concurrency and security-relevant surfaces, not historical-only cleanup.
- The persistence findings deliberately extend already-landed safe-promotion
work from part metadata,
known.met,cancelled.met, andipfilter.datwithout changing product behavior. - The helper-thread launch finding is a stress/low-resource hardening item. It is unlikely on normal startup, but it is cheap to make explicit and testable.
- The archive-preview finding should be handled together with the existing archive-recovery backlog. Retiring the feature remains a valid low-drift outcome if preview is not worth maintaining.
Items Rechecked But Not Reopened¶
- Broad
catch (...),ASSERT(0), unsafe formatting, deprecated Winsock, and volatile/threading modernization are already tracked by existing backlog or architecture documents. - WebSocket and MiniUPnP forced termination remain covered by
BUG-033and were not duplicated. - Download progress-bar drawing is already tracked as
BUG-068.
Recommended Order¶
- Fix BUG-069 and BUG-073 before expanding the WebServer/REST surface further.
- Fix BUG-071 and BUG-072 as the next persistence durability slice, reusing the current atomic-promotion helpers where possible.
- Fix BUG-070 when touching upload/disk helper threads or when adding low-resource startup/shutdown tests.
- Resolve BUG-074 together with the archive-preview retain/remove
decision behind
BUG-002,BUG-013, andREF-025.