File.copy{Sync} on Windows should copy to a temporary file, then rename it.

[zanderso]

We observed an issue in which a File.copySync in the Flutter CLI resulted in a file of the correct size, but with a tail of '0' bytes in the case where the program is killed by a signal. The tail of '0' bytes exposed insufficient input validation in package:kernel leading to OOM crashes:

flutter/flutter#54420
#41862

@jensjoha investigated with some small programs, and observed the tail of '0' bytes only on Windows. For large file copies, the Windows documentation recommends using the COPY_FILE_NO_BUFFERING flag, but the flag by itself is not sufficient to avoid the issue in the case that the process is killed or the whole system dies (e.g. loses power).

The blog post here recommends copying a file to a temporary location, and then renaming the file to its file destination. We can do this in the Flutter CLI, but this method should really be used by dart:io so that all Dart users can benefit.

/cc @mraleph @a-siva @zichangg @jonasfj

[jamesderlin]

If this is done by the SDK, there needs to be care that:

• The temporary file is created in the same directory as the destination file to ensure that they're on the same volume.
• The temporary file is automatically cleaned up if the process crashes or rename fails.
• The file can't be hijacked between generating a unique filename and creating the file.

[zanderso]

I agree for the first item. For the second item, I don't think that will be possible on Windows if the process crashes or is killed by a signal. For the third item, a similar mechanism to the one for creating temporary directories can be used (rng falling back on uuids).

[jonasfj]

/cc @sortie

[jamesderlin]

For the second item, I don't think that will be possible on Windows if the process crashes or is killed by a signal.

DeleteFile claims to delete a file when its handle is closed; I don't think that this relies on the process not crashing, but I haven't verified. There are also mechanisms to mark files to be cleaned up at the next reboot.

[zanderso]

@jamesderlin I bet @zichangg would appreciate some links to the docs if you have them =)

[zichangg]

@jamesderlin Any code example or docs will be helpful for me! ^_^

[jamesderlin]

I was probably thinking of MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, but I had forgotten that that requires administrative privileges, so that wouldn't be suitable.

I think if DeleteFile works when the process is killed, then that should cover everything except sudden power loss, and maybe that's good enough.