support sparse simg from a-i-b #3

bennyz · 2026-01-09T13:23:35Z

Summary by CodeRabbit

New Features
- Added automatic detection and optimized support for Android Sparse Images, improving flash efficiency by intelligently handling sparse data.
- Implemented streaming-based parsing for better performance when processing sparse image formats.
- Enhanced I/O operations with improved seeking, buffer management, and alignment handling.
Documentation
- Added comprehensive guide covering sparse image support, format detection, and optimization details.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

coderabbitai · 2026-01-09T13:23:44Z

📝 Walkthrough

Walkthrough

This PR introduces Android Sparse Image (simg) format auto-detection and streaming parsing to the fls codebase. It adds new public APIs for format detection, sparse parsing with incremental processing, and enhanced async block writer infrastructure with command-based channel operations to support seek and fill operations alongside writes.

Changes

Cohort / File(s)	Summary
Sparse Image Parser `src/fls/simg.rs`	New module providing complete simg streaming parser with state machine, WriteCommand emission (Seek/Write/Fill/Complete), header/chunk parsing, error handling, and comprehensive tests covering edge cases and incremental feeding.
Format Detection `src/fls/format_detector.rs`	New module implementing FormatDetector with streaming buffer-based detection (≤64 bytes threshold ≥28 bytes), distinguishes SparseImage vs Regular formats, EOF finalization, and comprehensive test coverage.
Block Writer Enhancement `src/fls/block_writer.rs`	Added seek() method with alignment validation for direct I/O, fill\_pattern helpers, new open\_for\_device/open\_for\_regular\_file variants with custom flags, macOS-specific warnings, AsyncBlockWriter channel refactored from `Sender<Vec<u8>>` to `Sender<WriterCommand>` with new async methods write()/seek()/fill().
Pipeline Integration `src/fls/from_url.rs`	Added FormatDetector and SparseParser integration into download/decompress pipeline with helpers: handle\_detected\_format, process\_sparse\_data, write\_regular\_data, execute\_write\_commands, centralized error handling via get\_writer\_error/get\_decompressor\_error/handle\_retry\_error.
OCI Pipeline Integration `src/fls/oci/from_oci.rs`	Integrated sparse detection state machine across tar, external decompressor, in-process decompression, and raw-disk pipelines with process\_buffer\_with\_format\_detection, finalize\_format\_at\_eof, and debug logging for format detection/sparse operations.
Module Wiring `src/fls/mod.rs`	Added module declarations for format\_detector and simg submodules.
Documentation `docs/sparse-image-support.md`	New documentation explaining simg format, auto-detection mechanism, header/chunk structures, workflow (Download→Decompress→Detect→Parse/Write), WriteCommand semantics, O\_DIRECT alignment considerations, and usage examples.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant Decompressor
    participant FormatDetector
    participant SparseParser
    participant BlockWriter

    Client->>Decompressor: stream compressed data
    loop Decompress & Detect
        Decompressor->>FormatDetector: process decompressed chunk
        alt Detection Complete (≥28 bytes)
            FormatDetector->>FormatDetector: detect format (parse header or regular)
            alt Sparse Image Detected
                FormatDetector->>SparseParser: initialize with header
                SparseParser->>BlockWriter: emit Seek/Write/Fill/Complete commands
            else Regular Format
                FormatDetector->>BlockWriter: write data directly
            end
        else Need More Data
            FormatDetector->>Decompressor: return NeedMoreData
        end
    end
    
    loop While Sparse Parsing (if simg)
        Client->>Decompressor: more data
        Decompressor->>SparseParser: process chunk data
        SparseParser->>BlockWriter: emit WriteCommand (Raw/Fill/Seek)
        BlockWriter->>BlockWriter: align and write to device
    end
    
    SparseParser->>BlockWriter: emit Complete with expected_size
    BlockWriter->>Client: finish with progress update

Estimated Code Review Effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly Related PRs

initial OCI support #2 (initial OCI support) — Makes overlapping changes to the same fls modules (oci integration, block_writer.rs, from_url.rs, and related writer/command types infrastructure).

Suggested Reviewers

mangelajo

Poem

🐰 A sparse image hops into view,
Auto-detected, fresh and new!
Seek, write, fill—commands flow,
Block writer channels steal the show!
Efficient flashing, smart and fast,
This feature's built to truly last! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'support sparse simg from a-i-b' is vague and uses abbreviations that lack clarity about the actual change.	Clarify the title to explain what 'sparse simg' and 'a-i-b' mean (e.g., 'Add Android Sparse Image support for A/B device flashing' or similar descriptive phrasing).

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

📝 Generate docstrings

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

coderabbitai

Actionable comments posted: 5

🤖 Fix all issues with AI agents

In @src/fls/from_url.rs:
- Around line 111-120: The spawn closure is capturing `options` partially and
causing a move error when using `options.simg_mode`; fix it by extracting the
needed field before spawning: store `let simg_mode = options.simg_mode;` (or
clone/copy the enum) prior to creating `writer_handle`, then use `simg_mode`
inside the `tokio::spawn` block (keep `debug` and `block_writer` usage
unchanged); this avoids moving `options` into the async closure and ensures the
code compiles.
- Around line 203-399: The auto-detect branch can drop bytes because it treats
consumed_bytes.len() as bytes consumed from the current read; fix
FormatDetector::process (and its DetectionResult) so it returns how many bytes
were consumed from the current input chunk (e.g., consumed_from_input: usize) in
addition to the detection slice, then in SimgMode::Auto use that
consumed_from_input to: pass the exact buffer[..consumed_from_input] to
parser.process, compute remaining = &buffer[consumed_from_input..n] for further
processing, and when switching to regular mode write
buffer[..consumed_from_input] (not consumed_bytes.len()) before writing
remaining bytes; update all places referencing consumed_bytes.len() to use
consumed_from_input and keep parser.process/use of the detection slice
consistent.

In @src/fls/simg.rs:
- Around line 243-280: The multiplication chunk_sz * block_size can overflow
u32; update the RAW branch to perform checked/64-bit arithmetic (e.g., cast
chunk_sz and block_size to u64 or use checked_mul) when computing expected_total
and data_size, verify the product does not overflow and return an error if it
does, and change SparseChunk::data_size (and any related checks like
check_size/check_data_len call-sites) to use u64 (or otherwise accommodate the
larger size) so validation and the returned SparseChunk use the correct
non-wrapping value.

🧹 Nitpick comments (4)

src/fls/options.rs (1)
3-12: Good addition; consider deriving Copy, Eq for SimgMode if you want cheap pass-by-value.
Proposed diff
-#[derive(Debug, Clone, PartialEq)]
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
 pub enum SimgMode {
Also applies to: 28-31, 49-50
src/main.rs (1)
59-66: Prefer clap conflicts_with (or ArgGroup) over manual exit(1) for --simg/--no-simg.
Proposed diff
         /// Force sparse image (simg) mode - always parse as Android sparse image format
         /// and skip writing to unallocated regions for faster flashing
-        #[arg(long)]
+        #[arg(long, conflicts_with = "no_simg")]
         simg: bool,
         /// Disable sparse image auto-detection - always treat input as regular file
-        #[arg(long)]
+        #[arg(long, conflicts_with = "simg")]
         no_simg: bool,
@@
-                simg_mode: match (simg, no_simg) {
-                    (true, true) => {
-                        eprintln!("Error: Cannot specify both --simg and --no-simg flags");
-                        std::process::exit(1);
-                    }
-                    (true, false) => SimgMode::Force,
-                    (false, true) => SimgMode::Disable,
-                    (false, false) => SimgMode::Auto, // Default: auto-detect
-                },
+                simg_mode: if simg {
+                    SimgMode::Force
+                } else if no_simg {
+                    SimgMode::Disable
+                } else {
+                    SimgMode::Auto
+                },
             };
Also applies to: 142-150
src/fls/block_writer.rs (1)
74-105: The safety concern is mitigated by runtime device detection, but consider adding explicit path validation for defense-in-depth.

The code already checks metadata() to determine whether the path is a block device before calling either open_for_device() or open_for_regular_file(). This means:

Valid block devices (e.g., /dev/sdb) are correctly opened read+write without truncation

Regular files are correctly created/truncated as intended

Non-existent paths fall back to regular file behavior (which would fail with permission error if attempted under /dev/)

However, if metadata() fails for reasons other than the file not existing (e.g., permission denied), the unwrap_or(false) fallback could misclassify a device as a regular file. Adding an explicit check in open_for_regular_file() to reject /dev/ prefixed paths would provide defense-in-depth:
Suggested refinement
 fn open_for_regular_file(path: &str) -> io::Result<std::fs::File> {
+    if path.starts_with("/dev/") {
+        return Err(io::Error::new(
+            io::ErrorKind::InvalidInput,
+            "Regular file path cannot be under /dev/; ensure the device path is correctly spelled",
+        ));
+    }
     OpenOptions::new()
         .write(true)
         .create(true)
         .truncate(true)
         .open(path)
 }
Also applies to: 141-149, 238-246
src/fls/simg.rs (1)

528-609: Test coverage is good for basic functionality.

The tests cover header parsing, invalid magic detection, and a streaming scenario with RAW and DONT_CARE chunks. Consider adding tests for:

FILL and CRC32 chunk types

Incremental byte-by-byte feeding to exercise buffering

Large chunk sizes to verify overflow handling (once fixed)

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0df405c and ae42182.

⛔ Files ignored due to path filters (1)

Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (8)

src/fls/block_writer.rs
src/fls/format_detector.rs
src/fls/from_url.rs
src/fls/http.rs
src/fls/mod.rs
src/fls/options.rs
src/fls/simg.rs
src/main.rs

🧰 Additional context used

🧬 Code graph analysis (3)

src/fls/format_detector.rs (1)

src/fls/simg.rs (4)

new (323-332)

process (352-519)

parse_header (165-205)

header (336-338)

src/fls/from_url.rs (6)

src/fls/block_writer.rs (4)

mpsc (469-469)

new (40-52)

new (126-292)

new (448-523)

src/fls/decompress.rs (2)

spawn_stderr_reader (52-69)

start_decompressor_process (33-50)

src/fls/http.rs (2)

setup_http_client (6-75)

start_download (77-168)

src/fls/format_detector.rs (1)

new (47-53)

src/fls/simg.rs (1)

new (323-332)

src/fls/progress.rs (1)

new (84-104)

src/fls/simg.rs (2)

src/fls/format_detector.rs (3)

new (47-53)

process (63-85)

default (126-128)

src/fls/options.rs (1)

default (34-51)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

GitHub Check: Build (aarch64-apple-darwin)
GitHub Check: Build (x86_64-unknown-linux-gnu)
GitHub Check: Build (aarch64-unknown-linux-gnu)
GitHub Check: Build (x86_64-apple-darwin)
GitHub Check: Build (aarch64-unknown-linux-musl)
GitHub Check: Test

🔇 Additional comments (13)

src/fls/http.rs (1)

47-50: Log-only formatting changes look safe.

Also applies to: 128-132

src/fls/mod.rs (1)

6-17: Module wiring + re-export looks correct; confirm semver expectations for new public export.

src/fls/block_writer.rs (1)

429-575: Command-driven writer loop is a clean fit for sparse images (Seek/Fill/Write separation).

src/fls/from_url.rs (1)

32-66: Retry helper extraction and reuse is a nice improvement (less duplicated retry/backoff logic).

Also applies to: 505-528, 646-658

src/fls/simg.rs (9)

1-36: LGTM!

The module documentation clearly explains the sparse image format, and the constants are correctly defined according to the Android sparse image specification.

38-88: LGTM!

The struct designs are clean. Both image_size() and output_size() correctly cast to u64 before multiplication to prevent integer overflow.

90-160: LGTM!

Comprehensive error handling with clear, informative messages. The Display, Error, and From<io::Error> implementations are idiomatic Rust.

162-205: LGTM!

The header parsing is robust with proper validation of magic number, version, and header sizes before extracting fields.

282-320: LGTM!

The state machine design is clean and the WriteCommand enum provides a clear abstraction for the downstream writer. The four states cover the complete parsing lifecycle well.

322-344: LGTM!

Proper initialization with pre-allocated buffer capacity. The #[allow(dead_code)] annotations are appropriate for public API methods that may be used by consumers.

352-376: LGTM!

The header accumulation and parsing logic is correct. State transition to WaitingChunkHeader is properly handled after successful header parsing.

378-484: LGTM!

The chunk header parsing state is well-implemented. The handling of extra buffered bytes, the continue for RAW chunks, and the state transition guards are all correctly structured.

486-519: LGTM!

The RawData state correctly streams through raw bytes, and the Complete state appropriately ignores trailing data. The buffer is properly cleared when transitioning back to chunk header parsing.

src/fls/format_detector.rs

src/fls/from_url.rs

src/fls/simg.rs

coderabbitai

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In @src/fls/from_url.rs:
- Around line 151-159: In WriteCommand::Seek handler the code assigns
total_skipped_bytes = offset which overwrites prior skips; either accumulate
skipped bytes or rename the variable to reflect it holds the current absolute
offset. To fix: if you want total bytes skipped across all DONT_CARE regions,
change the logic to add the skipped amount (e.g., total_skipped_bytes += offset
or total_skipped_bytes += offset - previous_offset) using the current
writer/file position to compute the delta; otherwise rename total_skipped_bytes
to current_offset (or similar) and keep assigning offset. Update references to
total_skipped_bytes accordingly.

🧹 Nitpick comments (3)

src/fls/format_detector.rs (1)

66-72: Minor: Simplify the clone pattern.

The clone().unwrap() pattern works but could be slightly cleaner. The code is safe because detected_format is always Some when detection_complete is true, but consider using a match or unwrap_or_clone for clarity.
♻️ Optional simplification
         if self.detection_complete {
             return DetectionResult::Detected {
-                format: self.detected_format.clone().unwrap(),
+                format: self.detected_format.clone().expect("format always set when complete"),
                 consumed_bytes: Vec::new(), // No additional bytes to consume
                 consumed_from_input: 0,     // No additional bytes consumed from current input
             };
         }
Or alternatively, store the format directly instead of as an Option once detection completes.

src/fls/from_url.rs (1)

260-305: Significant code duplication in WriteCommand handling.

The WriteCommand matching logic is duplicated ~4 times across the Auto path (detection processing, remaining buffer processing, and ongoing processing) plus the Force path. Consider extracting a helper function to reduce duplication and maintenance burden.

♻️ Suggested refactor

Extract a helper async function:

async fn execute_write_commands(
    commands: Vec<WriteCommand>,
    writer: &AsyncBlockWriter,
    error_tx: &mpsc::UnboundedSender<String>,
    debug: bool,
) -> io::Result<()> {
    for cmd in commands {
        match cmd {
            WriteCommand::Write(data) => {
                writer.write(data).await.map_err(|e| {
                    let _ = error_tx.send(format!("Error writing to device: {}", e));
                    e
                })?;
            }
            WriteCommand::Seek(offset) => {
                if debug {
                    eprintln!("[DEBUG] Sparse: seeking to offset {}", offset);
                }
                writer.seek(offset).await.map_err(|e| {
                    let _ = error_tx.send(format!("Error seeking device: {}", e));
                    e
                })?;
            }
            WriteCommand::Fill { pattern, bytes } => {
                if debug {
                    eprintln!("[DEBUG] Sparse: fill pattern for {} bytes", bytes);
                }
                writer.fill(pattern, bytes).await.map_err(|e| {
                    let _ = error_tx.send(format!("Error filling device: {}", e));
                    e
                })?;
            }
            WriteCommand::Complete { .. } => {
                // Continue processing
            }
        }
    }
    Ok(())
}

This would consolidate the repeated match blocks and ensure consistent error handling.

Also applies to: 331-367, 423-458

src/fls/simg.rs (1)

253-296: Good overflow protection, but redundant calculation.

The overflow check at lines 256-261 properly uses checked_mul, but line 293 recalculates the same value without the checked arithmetic. While safe (because we've already validated), consider storing the checked result to avoid the redundant calculation.

♻️ Optional improvement

         CHUNK_TYPE_RAW => {
             // Use checked arithmetic to prevent overflow
             let data_size_u64 = (chunk_sz as u64).checked_mul(block_size as u64).ok_or(
                 SparseError::ChunkSizeOverflow {
                     chunk_sz,
                     block_size,
                 },
             )?;
+            // Store for later use to avoid recalculation
             let expected_total = CHUNK_HEADER_SIZE as u64 + data_size_u64;
             if expected_total > u32::MAX as u64 {
                 return Err(SparseError::ChunkSizeOverflow {
                     chunk_sz,
                     block_size,
                 });
             }
             check_size(expected_total as u32)?;
-            (ChunkType::Raw, CHUNK_HEADER_SIZE)
+            (ChunkType::Raw, CHUNK_HEADER_SIZE, Some(data_size_u64))
         }

Then use the stored value at line 290-296 instead of recalculating.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ae42182 and 26d3233.

⛔ Files ignored due to path filters (1)

Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (8)

src/fls/block_writer.rs
src/fls/format_detector.rs
src/fls/from_url.rs
src/fls/http.rs
src/fls/mod.rs
src/fls/options.rs
src/fls/simg.rs
src/main.rs

🚧 Files skipped from review as they are similar to previous changes (1)

src/main.rs

🧰 Additional context used

🧬 Code graph analysis (4)

src/fls/block_writer.rs (4)

src/fls/format_detector.rs (1)

new (48-54)

src/fls/simg.rs (1)

new (349-358)

src/fls/progress.rs (1)

new (84-104)

src/fls/from_url.rs (5)

mpsc (82-82)

mpsc (83-83)

mpsc (84-84)

mpsc (546-546)

mpsc (550-550)

src/fls/from_url.rs (8)

src/fls/block_writer.rs (4)

mpsc (481-481)

new (40-52)

new (138-304)

new (460-535)

src/fls/decompress.rs (2)

spawn_stderr_reader (52-69)

start_decompressor_process (33-50)

src/fls/error_handling.rs (1)

process_error_messages (3-7)

src/fls/http.rs (2)

setup_http_client (6-75)

start_download (77-168)

src/fls/download_error.rs (1)

format_error (168-223)

src/fls/format_detector.rs (1)

new (48-54)

src/fls/simg.rs (1)

new (349-358)

src/fls/progress.rs (1)

new (84-104)

src/fls/format_detector.rs (1)

src/fls/simg.rs (3)

process (378-552)

parse_header (175-215)

header (362-364)

src/fls/simg.rs (1)

src/fls/options.rs (1)

default (34-51)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

GitHub Check: Build (aarch64-unknown-linux-musl)
GitHub Check: Build (aarch64-unknown-linux-gnu)

🔇 Additional comments (14)

src/fls/http.rs (2)

47-50: LGTM: Formatting improvement.

The multi-line formatting improves readability with no functional changes.

128-132: LGTM: Formatting improvement.

The multi-line formatting improves readability with no functional changes.

src/fls/mod.rs (1)

6-16: LGTM!

The module organization is clean. Adding format_detector and simg modules with the SimgMode re-export properly exposes the new sparse image functionality while maintaining the existing public API structure.

src/fls/options.rs (2)

3-12: LGTM!

The SimgMode enum is well-designed with clear documentation. Deriving Copy is appropriate for this small enum, and the three modes (Auto, Force, Disable) provide good flexibility for different use cases.

28-30: Good default choice.

Defaulting to SimgMode::Auto is the right choice - it enables transparent sparse image support for users who don't need to configure it explicitly while allowing advanced users to override the behavior.

Also applies to: 49-49

src/fls/format_detector.rs (1)

40-123: Well-structured streaming detector.

The incremental detection design is solid:

Threshold of 28 bytes correctly matches sparse header size

Buffer limit of 64 bytes prevents unbounded memory usage

Falls back to Regular format when header parsing fails

Properly tracks consumption for downstream processing

src/fls/from_url.rs (1)

17-66: Good extraction of helper functions.

The get_writer_error and handle_retry_error helpers improve code organization and centralize retry logic. The retry handling properly respects non-retryable errors and uses suggested retry delays when available.

src/fls/block_writer.rs (4)

74-117: Good safety validation for device paths.

The /dev/ path check in open_for_regular_file and open_for_regular_file_with_flags is a sensible safety guard to prevent accidentally treating a misspelled device path as a regular file (which would create/truncate it).

571-587: Efficient fill pattern implementation.

The 4KB buffer approach for filling patterns is reasonable - it balances memory usage against syscall overhead. The buffer is properly filled with the 4-byte pattern before the write loop.

441-562: Well-designed command-based async writer.

The WriterCommand enum provides a clean abstraction for the different I/O operations. The async wrappers properly handle channel errors with appropriate BrokenPipe error types.

339-357: The bytes_written field correctly tracks file position during sparse image flashing. When seek() sets bytes_written = offset, this is the intended behavior—progress should report the output file position reached, not raw bytes written. Sparse images rely on seeking to skip DONT_CARE regions entirely, so the progress jump when skipping large unallocated blocks is expected and correct.

Likely an incorrect or invalid review comment.

src/fls/simg.rs (3)

348-552: Well-implemented streaming parser.

The state machine design is solid:

Properly handles incremental byte-by-byte feeding (tested in test_incremental_byte_feeding)

Correctly manages buffer accumulation for header and chunk headers

RAW data pass-through is efficient

Complete signal includes expected final size for validation

The parser handles edge cases like small RAW chunks completing within the header buffer correctly (lines 449-463).

172-215: Robust header validation.

The header parsing correctly validates:

Magic number (0xED26FF3A)

Major version (must be 1)

Header and chunk header sizes match expected values

This ensures only valid sparse images are processed.

561-783: Comprehensive test coverage.

The test suite covers:

Valid header parsing

Invalid magic detection

Streaming parser with RAW and DONT_CARE chunks

FILL and CRC32 chunk parsing

Incremental byte-by-byte feeding

Overflow detection with extreme values

Large but valid chunk sizes

src/fls/from_url.rs

coderabbitai

Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/fls/from_url.rs (1)

566-572: Update tokio dependency to at least 1.19.0: JoinHandle::is_finished() is unavailable in earlier versions

The file uses JoinHandle::is_finished() in 5 places (lines 568, 639, 716, 789, 903), but the Cargo.toml constraint tokio = { version = "1.0", ... } allows versions from 1.0.0 through 1.18.x. The is_finished() method was introduced in tokio 1.19.0 (June 2022), so the code will fail to compile with earlier versions. Update the version constraint to tokio = { version = "1.19", ... } or higher.

🤖 Fix all issues with AI agents

In @src/fls/block_writer.rs:
- Around line 339-357: seek() sets bytes_written to the requested offset but
flush_buffer() may perform O_DIRECT-padded writes that advance the actual file
cursor beyond that logical offset; change flush_buffer() (or the underlying
write routine) to return the number of physical bytes written (or expose a
physical_bytes_written value), then in seek() update self.bytes_written to the
actual device cursor after the flush (or maintain two counters, e.g.
logical_bytes_written and physical_bytes_written) and send the progress using
the physical cursor via written_progress_tx so progress and subsequent seeks
reflect the true on-disk position.
- Around line 571-587: write_fill_pattern currently emits a final write that may
be smaller than ALIGNMENT which can trigger O_DIRECT padding and extra device
writes; update write_fill_pattern to ensure each write size is rounded up to
ALIGNMENT (or pad the final chunk to an ALIGNMENT multiple) before calling
writer.write, or call BlockWriter::flush_buffer (which performs alignment
rounding) at the end so the on-disk writes match the logical bytes; reference
the write_fill_pattern function, the ALIGNMENT constant, and
BlockWriter::flush_buffer when making the change.

In @src/fls/from_url.rs:
- Around line 119-203: The “skipped MB” metric is wrong because
total_skipped_bytes is being set to the absolute offset on WriteCommand::Seek;
change it to accumulate skipped bytes by computing the delta from the previous
offset: keep a prev_offset (initial 0), on Seek compute delta =
offset.saturating_sub(prev_offset), add delta to total_skipped_bytes, then set
prev_offset = offset (or update when writer writes/seeks); alternatively
accumulate bytes for DONT_CARE chunks if the SparseParser exposes them—update
references to total_skipped_bytes, WriteCommand::Seek, and writer.seek
accordingly so the final debug print reports actual skipped bytes.
- Around line 32-66: The doc comment for handle_retry_error is misleading: it
says “returning true if we should retry” but the function returns
Option<Duration>; update the comment for handle_retry_error to state that it
returns Some(Duration) when a retry should be attempted (providing the delay)
and None when no retry should occur, and briefly describe the parameters (error,
retry_count, max_retries, default_retry_delay_secs) and returned semantics to
match the current implementation.
- Around line 204-468: Auto-detect in SimgMode::Auto drops earlier-read bytes
when switching to FileFormat::Regular because it writes
buffer[..consumed_from_input] instead of the detector's accumulated
consumed_bytes; update the FileFormat::Regular branch to write the
detector-provided consumed_bytes (not just the current buffer slice) before
writing any remaining bytes, using the existing consumed_bytes and
consumed_from_input values returned by detector.process, and keep using
writer.write(...) for both the accumulated consumed_bytes and the subsequent
remaining bytes.

🧹 Nitpick comments (6)

src/fls/block_writer.rs (2)

74-117: Good factoring, but /dev/ validation is a bit Linux-centric

The open_for_regular_file*() guard (Line 81-86, Line 105-110) is helpful, but on macOS there are also device-ish paths outside /dev/ (and in containers /dev may be unusual). If the intent is “regular file only”, consider validating via metadata.file_type().is_*_device() when the path exists, instead of string prefix checks, and keep the prefix check as a fast-path.

441-569: Command-based AsyncBlockWriter looks solid; consider a Complete/Flush command for symmetry

The WriterCommand::{Write,Seek,Fill} split and the blocking loop dispatch (Line 491-525) is clean, and the bounded channel provides backpressure. One possible follow-up: add an explicit Flush/Complete command to allow upstream (e.g., sparse parser) to request a flush barrier without closing the channel, if that becomes necessary for validation or ordering.

src/fls/from_url.rs (1)

204-468: A lot of duplicated sparse command execution logic

The same for command in commands { match command { ... } } appears several times in Auto mode (and again in the “format determined” section). This is a good candidate for a small helper like async fn exec_sparse_commands(writer: &AsyncBlockWriter, commands: Vec<WriteCommand>, ...).

src/fls/format_detector.rs (2)

64-90: Consider renaming consumed_bytes to reduce confusion

consumed_bytes: Vec<u8> reads like a count, but it’s actually the buffered prefix that the next stage must consume. A rename like buffered_prefix / prefix_bytes would make downstream usage harder to get wrong (and may have prevented the regular-path bug in from_url.rs).

Also applies to: 91-118

139-308: Nice coverage; add one cross-read Regular test

You already test incremental sparse detection. Consider adding an incremental regular detection test (e.g., 3 bytes then 25 bytes) to ensure downstream integrators handle the “buffered prefix spans multiple reads” case correctly.

src/main.rs (1)

59-66: Use clap's native conflicts_with for better UX

The current runtime validation at lines 142-150 works, but clap v4.4 supports declarative mutual exclusion. Add #[arg(conflicts_with = "no_simg")] to the simg flag (and vice versa) so clap prints conflict errors automatically and includes the constraint in --help, eliminating the manual exit(1) logic.

Also applies to: 142-150

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 26d3233 and 49697e2.

⛔ Files ignored due to path filters (1)

Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (8)

src/fls/block_writer.rs
src/fls/format_detector.rs
src/fls/from_url.rs
src/fls/http.rs
src/fls/mod.rs
src/fls/options.rs
src/fls/simg.rs
src/main.rs

🚧 Files skipped from review as they are similar to previous changes (3)

src/fls/options.rs
src/fls/http.rs
src/fls/simg.rs

🧰 Additional context used

🧬 Code graph analysis (2)

src/fls/format_detector.rs (1)

src/fls/simg.rs (5)

new (349-358)

process (378-552)

parse_header (175-215)

is_complete (368-370)

header (362-364)

src/fls/from_url.rs (8)

src/fls/block_writer.rs (4)

mpsc (481-481)

new (40-52)

new (138-304)

new (460-535)

src/fls/decompress.rs (2)

spawn_stderr_reader (52-69)

start_decompressor_process (33-50)

src/fls/error_handling.rs (1)

process_error_messages (3-7)

src/fls/http.rs (1)

setup_http_client (6-75)

src/fls/download_error.rs (1)

format_error (168-223)

src/fls/format_detector.rs (1)

new (48-54)

src/fls/simg.rs (1)

new (349-358)

src/fls/progress.rs (1)

new (84-104)

🔇 Additional comments (3)

src/fls/mod.rs (1)

6-17: Module wiring + public re-export looks correct

Adding format_detector/simg modules and re-exporting SimgMode alongside BlockFlashOptions is consistent with the new CLI and from_url plumbing.

src/fls/from_url.rs (1)

17-30: get_writer_error() behavior is reasonable for “finished early” checks

Nice touch to distinguish task panic vs I/O error, and to log the underlying reason before bubbling it up.

src/fls/format_detector.rs (1)

8-38: LGTM: simple, bounded detector API

Types (FileFormat, DetectionResult, FormatDetector) are clear and tests are present.

src/fls/block_writer.rs

src/fls/from_url.rs

coderabbitai

Actionable comments posted: 0

🧹 Nitpick comments (2)

src/fls/simg.rs (2)
312-312: Consider using u64 for raw_remaining to support RAW chunks larger than 4GB.

The u32 type limits individual RAW chunks to ~4GB. While this is validated at lines 416-421 (returning ChunkSizeOverflow), very large disk images with RAW chunks exceeding 4GB would fail to parse. If this is an intentional limitation for streaming efficiency, consider documenting it.
♻️ Proposed fix to support larger chunks
 /// Current RAW chunk remaining bytes to pass through
-    raw_remaining: u32,
+    raw_remaining: u64,
Then update lines 416-421 to remove the u32 check, and update lines 422, 430, 436, 504, 508 to use u64 arithmetic.
545-768: Good test coverage for the parser.

Tests cover header parsing, all chunk types, streaming behavior, incremental feeding, and overflow detection. Consider adding explicit tests for error paths like UnsupportedVersion and InvalidChunkHeaderSize to ensure complete coverage of the SparseError variants.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 49697e2 and 6b17dfa.

⛔ Files ignored due to path filters (1)

Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (8)

src/fls/block_writer.rs
src/fls/format_detector.rs
src/fls/from_url.rs
src/fls/http.rs
src/fls/mod.rs
src/fls/options.rs
src/fls/simg.rs
src/main.rs

🚧 Files skipped from review as they are similar to previous changes (2)

src/fls/options.rs
src/fls/http.rs

🧰 Additional context used

🧬 Code graph analysis (4)

src/main.rs (2)

src/fls/format_detector.rs (1)

process (64-92)

src/fls/simg.rs (1)

process (370-536)

src/fls/format_detector.rs (1)

src/fls/simg.rs (2)

parse_header (175-215)

header (354-356)

src/fls/from_url.rs (7)

src/fls/decompress.rs (2)

spawn_stderr_reader (52-69)

start_decompressor_process (33-50)

src/fls/error_handling.rs (1)

process_error_messages (3-7)

src/fls/http.rs (2)

setup_http_client (6-75)

start_download (77-168)

src/fls/download_error.rs (1)

format_error (168-223)

src/fls/format_detector.rs (1)

new (48-54)

src/fls/simg.rs (1)

new (341-350)

src/fls/progress.rs (1)

new (84-104)

src/fls/simg.rs (2)

src/fls/format_detector.rs (3)

new (48-54)

process (64-92)

default (127-129)

src/fls/options.rs (1)

default (34-51)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

GitHub Check: Build (aarch64-unknown-linux-gnu)
GitHub Check: Build (aarch64-unknown-linux-musl)

🔇 Additional comments (31)

src/fls/mod.rs (1)

6-6: LGTM! Module additions and re-exports are correct.

The new modules (format_detector, simg) and the updated re-export to include SimgMode follow standard Rust patterns and integrate properly with the existing codebase.

Also applies to: 12-12, 16-16

src/main.rs (2)

5-5: LGTM! CLI flags are well-documented.

The import and CLI flag definitions are clear and accurately describe the sparse image handling modes.

Also applies to: 59-65

142-150: LGTM! Flag conflict detection and mode mapping are correct.

The mutual exclusivity check properly prevents conflicting flags, and the mapping to SimgMode variants is accurate with the default behavior clearly documented.

src/fls/block_writer.rs (8)

74-117: LGTM! Well-structured file opening helpers.

The separation of device and regular file opening logic is clean, and the safety check preventing regular file operations on /dev/ paths is a good defensive measure.

153-161: LGTM! Clean dispatch logic for file opening.

The closure correctly routes to the appropriate helper based on device type and flag presence.

217-227: LGTM! Appropriate handling of non-existent files.

The NotFound handling allows regular files to be created while properly propagating other metadata errors.

238-248: LGTM! Helpful warning for macOS users.

The warning about buffered vs. raw devices on macOS is well-crafted and provides actionable guidance to prevent common errors.

339-357: LGTM! Seek implementation is correct.

The method properly flushes pending data before seeking, updates position tracking, and reports progress. This is essential for sparse image support.

441-450: LGTM! Command-based architecture is well-designed.

The WriterCommand enum cleanly models sparse image operations (Write, Seek, Fill), and the command processing loop handles each variant appropriately with good error reporting.

Also applies to: 481-525

538-562: LGTM! AsyncBlockWriter API is clean and consistent.

The async methods (write, seek, fill) provide a clean interface for sparse image operations with appropriate error handling.

571-587: LGTM! Efficient fill pattern implementation.

The helper efficiently fills regions with a 4-byte pattern using a 4KB buffer, minimizing syscalls while handling arbitrary byte counts correctly.

src/fls/format_detector.rs (4)

41-45: LGTM! Detection thresholds are correctly sized.

DETECTION_THRESHOLD of 28 bytes matches the sparse header size, and MAX_BUFFER_SIZE of 64 bytes provides a reasonable upper bound for format detection.

64-92: LGTM! Process method correctly buffers and triggers detection.

The method safely accumulates data up to MAX_BUFFER_SIZE, correctly tracks consumption from the current input, and provides idempotent behavior after detection completes.

95-111: LGTM! Detection logic correctly delegates to sparse header parsing.

The method appropriately uses simg::parse_header to distinguish between sparse images and regular files, with correct state management.

132-301: LGTM! Comprehensive test coverage.

The tests thoroughly verify format detection, incremental buffering, buffer limits, and idempotent behavior after detection completes.

src/fls/from_url.rs (10)

17-30: LGTM! Comprehensive writer error extraction.

The helper correctly handles all JoinHandle result cases (success, error, panic) with clear error messages.

36-69: LGTM! Centralized retry logic with good UX.

The helper correctly implements retry logic with appropriate checks for retryability and max retries, providing clear user feedback.

71-118: LGTM! Command execution is well-structured.

The helper correctly executes each WriteCommand variant with consistent error handling and helpful debug logging.

120-146: LGTM! Data processing helpers are clean and focused.

Both helpers (process_sparse_data, write_regular_data) have clear responsibilities with consistent error handling.

148-189: LGTM! Format-specific handling is correct.

The helper properly processes buffered detection data and remaining input based on the detected format, returning an appropriate parser state for continued processing.

211-221: LGTM! Clear user messaging for mode selection.

The mode-specific messages clearly communicate the sparse image handling behavior to users.

242-334: LGTM! Force mode correctly processes sparse images.

The Force path properly parses sparse format, executes write commands, and tracks skipped regions for reporting. Offset tracking for all command types is correct.

336-391: Verify progress tracking during format detection.

In the Auto path, when DetectionResult::NeedMoreData is returned (line 359), the code uses continue without processing the data. However, decompressed_progress_tx.send(n as u64) is called earlier (line 353) before format detection, so progress is tracked correctly. The data is buffered in the detector for later processing.

393-414: LGTM! Disable mode correctly bypasses sparse processing.

The Disable path straightforwardly writes all data without format detection or sparse parsing, as intended.

481-481: LGTM! Consistent error handling with helper functions.

The use of get_writer_error and handle_retry_error throughout the file maintains consistent error handling and retry logic across different failure scenarios.

Also applies to: 552-552, 629-629, 493-517, 632-657

src/fls/simg.rs (6)

1-36: LGTM!

Clear module documentation explaining the sparse image format, and well-defined public constants with appropriate documentation comments.

38-88: LGTM!

Data structures are well-designed with appropriate derives (Debug, Clone). The image_size() and output_size() methods correctly use u64 arithmetic to avoid overflow when computing sizes.

90-170: LGTM!

Comprehensive error enum with clear, informative Display implementations. The error types cover all parsing failure modes including overflow detection.

172-215: LGTM!

Header parsing is thorough with proper validation of magic number, version compatibility, and header sizes before extracting fields using little-endian byte order.

217-298: LGTM!

Robust chunk header parsing with:

Checked arithmetic (checked_mul) to prevent overflow

Proper size validation for each chunk type

Clear separation of concerns (header parsing only, data handled by streaming parser)

340-543: LGTM!

The streaming parser state machine is well-implemented:

Correct state transitions between WaitingHeader, WaitingChunkHeader, RawData, and Complete

Proper buffering for partial headers across process() calls

Appropriate WriteCommand emissions for each chunk type

Handles incremental byte-by-byte feeding correctly (tested in test_incremental_byte_feeding)

bennyz · 2026-01-09T15:38:35Z

@coderabbitai review

coderabbitai · 2026-01-09T15:38:42Z

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/fls/block_writer.rs (1)
149-161: Don’t swallow metadata() errors on Linux (permissions/etc.) — it produces misleading behavior.

Right now, non-NotFound errors become is_block_dev=false, which can turn into a confusing “Regular file path cannot be under /dev/” error.
Proposed fix
-            let is_block_dev = std::fs::metadata(device)
-                .map(|m| m.file_type().is_block_device())
-                .unwrap_or(false);
+            let is_block_dev = match std::fs::metadata(device) {
+                Ok(m) => m.file_type().is_block_device(),
+                Err(e) if e.kind() == io::ErrorKind::NotFound => false,
+                Err(e) => return Err(e),
+            };
Also applies to: 206-207

🤖 Fix all issues with AI agents

In @src/fls/block_writer.rs:
- Around line 339-357: flush_buffer currently pads the write size for O_DIRECT
but can write stale tail bytes; modify flush_buffer to zero the buffer region
from buffer_pos up to the rounded write_size before performing the write when
direct_io is enabled, and ensure bytes_written is advanced only by the actual
written length. Enforce alignment in seek (and any fill method) by returning an
error if direct_io is enabled and offset % alignment != 0, and avoid flushing an
unaligned partial buffer on seek: if buffer_pos != 0 and direct_io is enabled,
either return an error instructing the caller to write/align the buffer first or
require padding/zeroing as above before seeking. Update send on
written_progress_tx after the actual advanced bytes_written.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6b17dfa and 0c83a77.

⛔ Files ignored due to path filters (1)

Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (8)

src/fls/block_writer.rs
src/fls/format_detector.rs
src/fls/from_url.rs
src/fls/http.rs
src/fls/mod.rs
src/fls/options.rs
src/fls/simg.rs
src/main.rs

🚧 Files skipped from review as they are similar to previous changes (2)

src/fls/http.rs
src/fls/simg.rs

🧰 Additional context used

🧬 Code graph analysis (3)

src/main.rs (2)

src/fls/format_detector.rs (1)

process (64-92)

src/fls/simg.rs (1)

process (372-538)

src/fls/format_detector.rs (1)

src/fls/simg.rs (4)

new (343-352)

process (372-538)

parse_header (175-215)

header (356-358)

src/fls/from_url.rs (8)

src/fls/block_writer.rs (4)

mpsc (481-481)

new (40-52)

new (138-304)

new (460-535)

src/fls/decompress.rs (2)

spawn_stderr_reader (52-69)

start_decompressor_process (33-50)

src/fls/error_handling.rs (1)

process_error_messages (3-7)

src/fls/http.rs (2)

setup_http_client (6-75)

start_download (77-168)

src/fls/download_error.rs (1)

format_error (168-223)

src/fls/format_detector.rs (1)

new (48-54)

src/fls/simg.rs (1)

new (343-352)

src/fls/progress.rs (1)

new (84-104)

🔇 Additional comments (24)

src/fls/mod.rs (1)

6-6: LGTM! Clean module wiring.

The new modules format_detector and simg are properly declared, and SimgMode is correctly re-exported for public use.

Also applies to: 12-12, 16-16

src/fls/options.rs (2)

3-12: LGTM! Well-designed enum with appropriate derives.

The SimgMode enum is cleanly defined with sensible variants and comprehensive documentation.

28-30: LGTM! Sensible default and clear documentation.

The simg_mode field is properly integrated with a logical default value (Auto detection).

Also applies to: 49-49

src/main.rs (2)

59-65: LGTM! Clear CLI flag documentation.

The flag descriptions effectively communicate the purpose and behavior of sparse image mode options.

142-150: LGTM! Proper mutual exclusion validation.

The validation correctly prevents conflicting flags and provides a clear error message. The mapping logic comprehensively handles all flag combinations.

src/fls/from_url.rs (11)

17-30: LGTM! Comprehensive error extraction.

The function correctly handles all possible outcomes from the writer task (success, error, panic) with clear error messages.

32-69: LGTM! Well-structured retry logic.

The centralized retry handling improves code maintainability and correctly implements backoff with configurable delays.

71-118: LGTM! Comprehensive command execution.

All WriteCommand variants are properly handled with consistent error reporting. The debug logging for Seek and Fill operations will aid troubleshooting.

120-146: LGTM! Clean data processing helpers.

Both functions provide clear abstractions with consistent error handling and reporting.

148-189: LGTM! Correct format transition handling.

The function properly processes buffered detection data and remaining input for both sparse and regular formats.

242-334: LGTM! Robust forced sparse mode implementation.

The Force mode correctly parses sparse images and tracks offsets and skipped regions. The debug statistics for skipped bytes provide useful insights into sparse image efficiency.

336-391: LGTM! Well-structured auto-detection flow.

The Auto mode implementation correctly detects format from initial data and seamlessly transitions to the appropriate processing mode.

393-414: LGTM! Clean disabled mode implementation.

The Disable mode provides a straightforward path for regular file processing without sparse handling.

211-221: LGTM! Clear user communication.

The mode-specific messages help users understand which sparse image processing mode is active.

493-517: LGTM! Consistent retry handling.

The refactored retry logic using handle_retry_error provides consistent behavior across initial download attempts and connection interruptions.

Also applies to: 634-645

707-715: LGTM! Proper task result handling.

The decompressor writer task result is correctly unwrapped with appropriate error propagation.

src/fls/format_detector.rs (6)

8-28: LGTM! Well-designed detection result types.

The enums provide clear semantics for detection outcomes, with DetectionResult::Detected carrying both the accumulated buffer and the amount consumed from the current input.

41-54: LGTM! Appropriate buffer sizing.

The constants balance detection accuracy with memory efficiency. DETECTION_THRESHOLD matches the sparse header size, and MAX_BUFFER_SIZE provides adequate margin for detection.

64-92: LGTM! Sound buffering and detection logic.

The method correctly implements incremental detection with appropriate buffering limits and idempotent behavior after detection completes.

95-111: LGTM! Correct sparse image detection.

The detection logic appropriately uses simg::parse_header to identify sparse images, falling back to regular format for invalid headers.

113-130: LGTM! Useful utility methods.

The helper methods provide clean access to detection state and integrate well with Rust patterns via the Default trait.

132-301: LGTM! Comprehensive test coverage.

The test suite thoroughly validates detection behavior including edge cases like incremental processing, buffer limits, and idempotent calls.

src/fls/block_writer.rs (2)

74-117: Open helpers look directionally good; keep the “/dev/” guard but consider surfacing device-vs-file intent at call sites.

These helpers reduce duplication and improve diagnostics; the “regular file cannot be under /dev/” error is a nice UX touch for typos.

441-450: WriterCommand + async command loop is a solid structure for sparse writes.

The Write/Seek/Fill command model looks clean, and the bounded channel still provides backpressure while enabling non-stream operations.

Also applies to: 481-525, 537-563

coderabbitai

Actionable comments posted: 0

🧹 Nitpick comments (2)

src/fls/from_url.rs (1)
242-334: LGTM! Force mode implementation is correct.

The Force mode properly:

Initializes SparseParser and tracking variables

Processes all data through the parser

Executes commands with offset tracking for skip statistics

Handles all WriteCommand variants correctly

Reports skipped bytes in debug mode

The implementation correctly handles sparse image parsing and efficiently skips unallocated regions.
Minor optimization: Avoid cloning Write data

At line 276, data.clone() could potentially be avoided if the WriteCommand already owns the data. Consider whether the clone is necessary:
WriteCommand::Write(ref data) => {
    current_offset += data.len() as u64;
    writer.write(data.clone()).await  // <-- clone here
}
If WriteCommand::Write already owns a Vec<u8>, consider consuming it directly to avoid the copy. This is a minor optimization since the data is typically written immediately.
src/fls/simg.rs (1)

311-315: Consider documenting the 4GB per-chunk limit more explicitly.

The raw_remaining: u32 field limits individual RAW chunks to ~4GB. While the code correctly rejects larger chunks with ChunkSizeOverflow, users encountering this error might not immediately understand the streaming limitation.

This is acceptable for most use cases since Android sparse images typically have smaller chunks, but consider adding a note to the module docs if this limitation could affect real-world usage.

Also applies to: 416-424

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0c83a77 and df7dc69.

⛔ Files ignored due to path filters (1)

Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (8)

src/fls/block_writer.rs
src/fls/format_detector.rs
src/fls/from_url.rs
src/fls/http.rs
src/fls/mod.rs
src/fls/options.rs
src/fls/simg.rs
src/main.rs

✅ Files skipped from review due to trivial changes (1)

src/fls/http.rs

🧰 Additional context used

🧬 Code graph analysis (3)

src/fls/format_detector.rs (1)

src/fls/simg.rs (2)

parse_header (175-215)

header (356-358)

src/fls/from_url.rs (7)

src/fls/decompress.rs (2)

spawn_stderr_reader (52-69)

start_decompressor_process (33-50)

src/fls/error_handling.rs (1)

process_error_messages (3-7)

src/fls/http.rs (2)

setup_http_client (6-75)

start_download (77-168)

src/fls/download_error.rs (1)

format_error (168-223)

src/fls/format_detector.rs (1)

new (48-54)

src/fls/simg.rs (1)

new (343-352)

src/fls/progress.rs (1)

new (84-104)

src/main.rs (2)

src/fls/format_detector.rs (1)

process (64-92)

src/fls/simg.rs (1)

process (372-538)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

GitHub Check: Build (aarch64-unknown-linux-gnu)
GitHub Check: Build (aarch64-unknown-linux-musl)

🔇 Additional comments (33)

src/fls/options.rs (1)

3-50: LGTM! Clean enum and option addition.

The SimgMode enum is well-documented and the integration into BlockFlashOptions is straightforward. The default value of SimgMode::Auto is a sensible choice for backward compatibility.

src/main.rs (3)

5-5: LGTM! Correct import addition.

The SimgMode import is properly added alongside the existing fls import.

59-65: LGTM! Well-documented CLI flags.

The --simg and --no-simg flags are clearly documented with their purpose and behavior.

142-150: LGTM! Robust flag validation and mapping.

The match expression correctly validates that both flags cannot be set simultaneously and maps all combinations appropriately to SimgMode variants.

src/fls/mod.rs (1)

6-16: LGTM! Clean module wiring.

The new modules format_detector and simg are properly declared, and the public re-export correctly includes SimgMode alongside the existing BlockFlashOptions.

src/fls/from_url.rs (9)

17-30: LGTM! Clean error extraction helper.

The get_writer_error function properly handles all cases from the JoinHandle: successful completion with unexpected closure, I/O errors, and task panics. Error reporting to stderr is appropriate.

32-69: LGTM! Centralized retry logic.

The handle_retry_error function consolidates retry decision-making with proper checks for:

Non-retryable errors

Max retry limit

Suggested vs default retry delays

This improves code maintainability over inline retry logic.

71-118: LGTM! Complete WriteCommand execution.

The execute_write_commands function properly handles all WriteCommand variants:

Write: Direct data write with error propagation

Seek: Optional debug logging and seek operation

Fill: Optional debug logging and fill operation

Complete: Debug logging only (informational)

Error handling via error_tx is consistent across all operations.

120-189: LGTM! Well-structured sparse and regular data processing helpers.

The helper functions process_sparse_data, write_regular_data, and handle_detected_format provide clean abstractions for:

Parsing sparse data and executing commands

Writing regular data with error reporting

Handling format detection results for both sparse and regular files

The handling of consumed bytes and remaining data in handle_detected_format ensures no data loss during format detection.

211-221: LGTM! Clear mode indication.

The logging statements clearly indicate which sparse image mode is active, which will help users understand the processing behavior.

336-391: LGTM! Auto mode detection flow is well-implemented.

The Auto mode correctly:

Uses FormatDetector to incrementally detect format

Handles NeedMoreData by continuing to buffer

Processes detection result via handle_detected_format

Routes subsequent data through the appropriate path (sparse parser or regular writes)

Maintains the format_determined flag to switch processing modes

The handling of consumed_from_input and remaining data ensures no bytes are lost during the detection transition.

393-414: LGTM! Disable mode is straightforward.

The Disable mode correctly bypasses all sparse parsing and writes data directly to the block device via write_regular_data.

481-481: LGTM! Consistent use of get_writer_error helper.

The calls to get_writer_error(writer_handle).await properly extract and report writer errors at all termination points.

Also applies to: 552-552, 629-629

493-517: LGTM! Refactored retry logic using helper.

The retry logic now uses the centralized handle_retry_error function, improving consistency and maintainability across both initial download attempts and connection interruptions.

Also applies to: 634-645

src/fls/format_detector.rs (4)

40-54: LGTM! Appropriate detection thresholds.

The constants are well-chosen:

DETECTION_THRESHOLD of 28 bytes matches the sparse header size

MAX_BUFFER_SIZE of 64 bytes limits memory usage while allowing detection with minimal buffering

The constructor properly initializes all fields.

64-92: LGTM! Robust incremental detection logic.

The process method correctly:

Returns cached results once detection is complete (idempotent)

Accumulates data up to MAX_BUFFER_SIZE

Attempts detection when sufficient data is available

Returns NeedMoreData when more input is required

The tracking of consumed_from_input ensures accurate accounting of how much of the current input was consumed.

94-111: LGTM! Clean format detection via parse_header.

The attempt_detection_with_consumed method uses simg::parse_header as the detection mechanism:

If the header parses successfully → SparseImage

Otherwise → Regular

This is a sound approach that leverages existing validation logic. The method properly clones the buffer for the consumed_bytes return value and marks detection as complete.

132-301: LGTM! Comprehensive test coverage.

The test suite covers:

✅ Sparse image detection with valid header

✅ Regular file detection with non-sparse data

✅ Need-more-data scenario with partial input

✅ Incremental detection across multiple calls

✅ Buffer limit enforcement

✅ Idempotent behavior after detection

All critical paths are tested with appropriate assertions.

src/fls/block_writer.rs (7)

74-92: LGTM - Device vs regular file opening helpers are well-designed.

The separation between device and regular file opening with the /dev/ path check provides good safety against accidentally truncating device files. The error message is clear and actionable.

94-117: LGTM - Custom flags variants are consistent with the base helpers.

The pattern is well applied - device files get read+write, regular files get write+create+truncate, both with custom flags support.

339-370: LGTM - Seek implementation handles O_DIRECT alignment correctly.

The method properly:

Validates alignment for O_DIRECT mode

Flushes pending data before seeking

Updates position tracking

One minor note: bytes_written semantically becomes "current position" after a seek, which works correctly for progress reporting but may be slightly misleading if interpreted as "total bytes written to disk." The current behavior aligns with what downstream consumers expect for sparse image handling.

378-390: Good improvement - Explicit zero-padding prevents stale data leakage.

Zeroing the padding region (lines 384-386) before writing aligned blocks is a security best practice that prevents leaking stale buffer contents. The use of div_ceil for alignment calculation is correct.

462-471: LGTM - WriterCommand enum provides clean abstraction for I/O operations.

The command-driven approach cleanly separates the async interface from the blocking I/O, enabling proper support for sparse image operations (seek, fill) while maintaining the existing write path.

592-610: LGTM - Efficient pattern fill implementation.

The 4KB buffer size aligns with the ALIGNMENT constant, and the loop correctly handles partial writes. Relying on BlockWriter's internal buffering for alignment is appropriate as documented in the comment.

216-227: LGTM - Good handling of non-existent files for regular file creation.

The metadata check now gracefully handles NotFound errors, allowing regular files to be created while still properly detecting device types for existing paths.

src/fls/simg.rs (8)

1-14: LGTM - Clear and informative module documentation.

The module documentation clearly explains the sparse image format and chunk types, providing good context for maintainers.

52-57: LGTM - Correct use of u64 arithmetic prevents overflow in size calculations.

The image_size() method correctly casts to u64 before multiplication, preventing overflow for large images.

90-170: LGTM - Comprehensive error handling with informative messages.

The SparseError enum covers all parsing failure modes with clear, actionable error messages. The ChunkSizeOverflow variant explicitly handles arithmetic overflow scenarios.

172-215: LGTM - Robust header parsing with proper validation.

All header fields are validated: magic number, version (major must be 1), header sizes match expected constants. The little-endian parsing matches the sparse image specification.

253-271: LGTM - Excellent overflow protection for RAW chunk size calculation.

The use of checked_mul (line 256) combined with the check against u32::MAX (lines 263-268) properly prevents integer overflow vulnerabilities that could lead to buffer issues.

505-528: LGTM - RawData state correctly handles streaming raw chunk data.

The state properly:

Emits Write commands for available data

Tracks remaining bytes correctly

Transitions to next state when chunk is complete

Clears the buffer when moving to WaitingChunkHeader

547-769: LGTM - Comprehensive test coverage.

The tests cover:

Basic parsing (header, chunks)

Error cases (invalid magic, overflow)

Streaming behavior (incremental byte feeding)

All chunk types (RAW, FILL, DONT_CARE, CRC32)

Edge cases (large valid chunks)

Good use of helper functions (make_header, make_raw_chunk, etc.) to reduce test boilerplate.

398-503: No issue found: control flow is correct.

The continue statement on line 458 (inside the ChunkType::Raw match arm) properly prevents execution of the completion check at lines 487-494. The code flow is:

RAW chunks that complete: emit Complete and execute continue (skip lines 487-494)

RAW chunks pending: set state to RawData and execute continue (skip lines 487-494)

Non-RAW chunks: fall through to lines 487-494 for completion check

No double-emission of Complete command occurs.

Likely an incorrect or invalid review comment.

coderabbitai

Actionable comments posted: 7

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/fls/block_writer.rs (1)

144-207: Major: Linux device-type detection can hide metadata errors and mis-route the open.
std::fs::metadata(device).…unwrap_or(false) converts any metadata error into “not a block device”, which can then call open_for_regular_file*() and produce the /dev/ InvalidInput message instead of the real cause (EACCES/EPERM/etc.).

Proposed fix (preserve metadata errors; only treat NotFound as “regular file”)

         #[cfg(target_os = "linux")]
         let (file, use_direct_io) = {
             use std::os::unix::fs::FileTypeExt;

-            // Check if this is a block device
-            let is_block_dev = std::fs::metadata(device)
-                .map(|m| m.file_type().is_block_device())
-                .unwrap_or(false);
+            // Check if this is a block device (don't mask metadata errors)
+            let is_block_dev = match std::fs::metadata(device) {
+                Ok(m) => m.file_type().is_block_device(),
+                Err(e) if e.kind() == io::ErrorKind::NotFound => false,
+                Err(e) => return Err(e),
+            };

             // Helper to open file with appropriate method based on device type
             let open_file = |flags: Option<libc::c_int>| -> io::Result<std::fs::File> {
                 match flags {
                     Some(f) if is_block_dev => open_for_device_with_flags(device, f),
                     Some(f) => open_for_regular_file_with_flags(device, f),
                     None if is_block_dev => open_for_device(device),
                     None => open_for_regular_file(device),
                 }
             };

🤖 Fix all issues with AI agents

In @src/fls/block_writer.rs:
- Around line 74-118: The current early path.starts_with("/dev/") guard in
open_for_regular_file and open_for_regular_file_with_flags can mask earlier
filesystem/metadata errors; change both functions to first call
std::fs::metadata(path) and if metadata returns an Err, propagate that Err
immediately, otherwise only then check path.starts_with("/dev/") and return the
InvalidInput error; if metadata succeeds and path is not under /dev/, proceed to
OpenOptions as before. This preserves real error propagation while keeping the
UX guard for actual /dev paths.

In @src/fls/from_url.rs:
- Around line 229-282: The loop that reads decompressed data should also check
the decompressor stdin writer task so its failure is surfaced immediately: where
the code currently checks writer_handle.is_finished() (and uses
writer_handle.await to get its result), add equivalent checks for
decompressor_writer_handle.is_finished() and, if finished, await
decompressor_writer_handle to capture its error and send it via error_tx_clone
(or return it) before continuing/retrying; also update the branches that call
process_sparse_data/write_regular_data to first verify
decompressor_writer_handle is alive and propagate the decompressor-writer error
instead of masking it as a closed buffer.
- Around line 17-30: The function get_writer_error should stop treating a
successful writer completion as an error and instead return the actual final
byte count or a distinct error; change its signature from async fn
get_writer_error(handle: JoinHandle<io::Result<u64>>) -> Box<dyn
std::error::Error> to return Result<u64, Box<dyn std::error::Error>> (or a small
enum WriterError with variants Finished(u64), Io(io::Error), Panicked(String)),
then in the match return Ok(n) for Ok(Ok(n)), and convert Ok(Err(e)) and Err(e)
into Err(...) with contextual messages (avoid silently printing with eprintln!,
preserve the original io::Error via e.into() or use error chaining) so callers
can distinguish normal completion (final_bytes) from failure/panic.
- Around line 120-134: process_sparse_data currently ignores _consumed from
SparseParser::process which can drop unprocessed bytes; change it to loop over
the input until all bytes are consumed: repeatedly call
SparseParser::process(data_slice) (preserving the same error handling that sends
to error_tx), obtain (commands, consumed),
execute_execute_write_commands(commands, writer, error_tx, debug).await for each
chunk, advance the data slice by consumed, and break if consumed == 0 to avoid
infinite loops; update/remove the _consumed variable and ensure the function
returns after fully consuming the original data.

In @src/fls/simg.rs:
- Around line 300-539: At each place where the parser transitions to
ParserState::Complete and pushes WriteCommand::Complete (in process — both
inside the WaitingChunkHeader branch after chunk counts and inside
ParserState::RawData when raw_remaining drops to 0), validate that
self.current_output_offset == header.image_size(); if not, return an appropriate
SparseError (e.g., ImageSizeMismatch with expected and actual values) instead of
emitting Complete. Ensure you use the existing header via
self.header.as_ref().unwrap() to compute expected size and update all completion
sites to perform this check before setting state to Complete and pushing
WriteCommand::Complete.
- Around line 217-298: In parse_chunk_header, the CHUNK_TYPE_CRC32 arm must
validate that chunk_sz is zero (CRC32 chunks must not advance output blocks);
update the CHUNK_TYPE_CRC32 match arm in parse_chunk_header to first check
chunk_sz == 0 and return an error if not (e.g.
Err(SparseError::ChunkSizeMismatch { expected: 0, actual: chunk_sz }) or a
dedicated error variant), then proceed with check_size(16) and
check_data_len(16) as before so CRC32 chunks cannot silently change the output
layout.

🧹 Nitpick comments (2)

src/fls/from_url.rs (1)

71-118: Handle WriteCommand::Complete instead of ignoring it (sparse safety check).
Right now Complete { expected_size } is effectively a no-op; that removes your best chance to validate sparse correctness (e.g., parser finishing early / malformed sparse image). At minimum, capture expected_size and validate at the end of the writer task that the final device offset matches it.

src/fls/block_writer.rs (1)

592-610: write_fill_pattern is fine; optional micro-optimization: avoid rebuilding the 4KB buffer each call.
If fill is common, consider caching a pre-filled buffer per pattern or generating into the aligned internal buffer directly.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between df7dc69 and 29db99d.

⛔ Files ignored due to path filters (1)

Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (6)

src/fls/block_writer.rs
src/fls/format_detector.rs
src/fls/from_url.rs
src/fls/http.rs
src/fls/mod.rs
src/fls/simg.rs

🚧 Files skipped from review as they are similar to previous changes (2)

src/fls/http.rs
src/fls/mod.rs

🧰 Additional context used

🧬 Code graph analysis (3)

src/fls/block_writer.rs (4)

src/fls/format_detector.rs (1)

new (48-54)

src/fls/simg.rs (1)

new (343-352)

src/fls/progress.rs (1)

new (84-104)

src/fls/from_url.rs (5)

mpsc (205-205)

mpsc (206-206)

mpsc (207-207)

mpsc (323-323)

mpsc (327-327)

src/fls/from_url.rs (7)

src/fls/decompress.rs (2)

spawn_stderr_reader (52-69)

start_decompressor_process (33-50)

src/fls/error_handling.rs (1)

process_error_messages (3-7)

src/fls/http.rs (2)

setup_http_client (6-75)

start_download (77-168)

src/fls/download_error.rs (1)

format_error (168-223)

src/fls/format_detector.rs (1)

new (48-54)

src/fls/simg.rs (1)

new (343-352)

src/fls/progress.rs (1)

new (84-104)

src/fls/format_detector.rs (1)

src/fls/simg.rs (3)

new (343-352)

parse_header (175-215)

header (356-358)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

GitHub Check: Build (aarch64-unknown-linux-musl)
GitHub Check: Build (aarch64-unknown-linux-gnu)

🔇 Additional comments (12)

src/fls/from_url.rs (4)

32-69: Retry helper looks solid; nice centralization and consistent messaging.

148-189: Format switch orchestration is clean; good separation into helpers.
Only nit: remaining_data.to_vec() on the hot path will allocate per chunk; not wrong, but worth watching if this becomes a throughput limiter.

343-349: Good: early-exit when writer task terminates during download/retry.

Also applies to: 416-420, 493-497

574-582: Good: decompressor-writer task is awaited and errors are propagated.

src/fls/block_writer.rs (5)

210-288: macOS open flow + raw-disk warning is a strong UX improvement.

339-370: BlockWriter::seek looks correct; alignment guard for O_DIRECT is appropriate.
One thing to confirm: bytes_written now behaves like “current output offset” (not necessarily “physical bytes written”), which changes the semantics of progress reporting for sparse DONT_CARE.

378-411: Aligned padding + zeroing on partial O_DIRECT flush is sensible.

462-550: Command-driven writer loop is a good fit for sparse (Write/Seek/Fill).

558-584: Async wrappers for Write/Seek/Fill are clean and propagate “channel closed” well.

src/fls/format_detector.rs (1)

132-301: Tests are in good shape (incremental, buffer limit, idempotency).

src/fls/simg.rs (2)

172-215: parse_header implementation looks correct and appropriately strict on sizes/version.

547-770: Nice coverage for streaming/incremental feeding and chunk variants.

src/fls/block_writer.rs

src/fls/format_detector.rs

src/fls/from_url.rs

src/fls/simg.rs

coderabbitai

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In @docs/sparse-image-support.md:
- Around line 70-77: The docs show an enum named WriteCommand but the
implementation uses WriterCommand (and simg.rs defines WriteCommand while
block_writer.rs uses WriterCommand); update the documentation to either document
WriterCommand instead or explicitly state that both enums exist and map between
the layer-specific types, and ensure the enum name in the code snippet matches
the actual symbol (WriteCommand or WriterCommand) used by the implementation and
tests.

In @src/fls/block_writer.rs:
- Around line 342-373: The seek method is currently overwriting bytes_written
(used elsewhere as "total bytes written") with the file position, changing its
semantics; instead preserve bytes_written as cumulative bytes written and add a
separate field (e.g., current_position or file_pos) to track the seeked
position, update that new field in seek (while continuing to call flush_buffer()
and send progress via written_progress_tx using the appropriate value), and
update any places that relied on bytes_written-for-position to use the new field
or adjust their logic accordingly so total bytes written remains accurate.

🧹 Nitpick comments (5)

src/fls/block_writer.rs (1)

595-613: Consider memory efficiency for large fill operations.

For very large fill operations (e.g., gigabytes of zeros), this creates many 4KB write calls through the BlockWriter. While functionally correct, consider emitting a single large buffer or using the OS-level fallocate/ftruncate for zero-fill cases when the pattern is all zeros.
docs/sparse-image-support.md (1)
46-51: Add language specifier to fenced code block.

The ASCII diagram should have a language specifier to satisfy markdown linting. Use text or plaintext for ASCII diagrams.
📝 Suggested fix
-```
+```text
 ┌─────────────┐    ┌──────────────┐    ┌────────────────┐    ┌─────────────┐
 │   HTTP      │───►│ Decompressor │───►│ Format         │───►│ Block       │
 │   Download  │    │ (xz/gz/zst)  │    │ Detector/Parser│    │ Writer      │
 └─────────────┘    └──────────────┘    └────────────────┘    └─────────────┘
-```
+```
src/fls/format_detector.rs (1)
64-92: Edge case: detection may not trigger for data exactly at threshold.

The condition self.buffer.len() >= Self::DETECTION_THRESHOLD || self.buffer.len() >= Self::MAX_BUFFER_SIZE is correct, but if a stream provides exactly 27 bytes and then EOF, detection would never occur. Consider handling this case or documenting the minimum data requirement.

Consider adding a finalize() method that forces detection with whatever data is available:
💡 Optional enhancement
/// Force detection with current buffer (call at EOF if NeedMoreData)
pub fn finalize(&mut self) -> DetectionResult {
    if self.detection_complete {
        return self.cached_result();
    }
    if self.buffer.is_empty() {
        // No data at all - treat as regular
        self.detected_format = Some(FileFormat::Regular);
        self.detection_complete = true;
    }
    self.attempt_detection_with_consumed(0)
}
src/fls/simg.rs (2)

306-311: Clarify raw_remaining limitation in API documentation.

The comment notes the ~4GB limit for RAW chunks, but this is an implementation detail that users might not expect. Consider documenting this in the public API or returning a specific error variant.

546-549: Silent data discard in Complete state.

When the parser reaches Complete state, any remaining input data is silently ignored. This is likely intentional for trailing padding, but consider logging a warning in debug mode if significant data remains.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 29db99d and 0bf5af4.

⛔ Files ignored due to path filters (1)

Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (7)

docs/sparse-image-support.md
src/fls/block_writer.rs
src/fls/format_detector.rs
src/fls/from_url.rs
src/fls/http.rs
src/fls/mod.rs
src/fls/simg.rs

🚧 Files skipped from review as they are similar to previous changes (2)

src/fls/http.rs
src/fls/mod.rs

🧰 Additional context used

🧬 Code graph analysis (3)

src/fls/format_detector.rs (1)

src/fls/simg.rs (3)

process (368-554)

parse_header (176-216)

header (352-354)

src/fls/from_url.rs (4)

src/fls/error_handling.rs (1)

process_error_messages (3-7)

src/fls/download_error.rs (1)

format_error (168-223)

src/fls/format_detector.rs (1)

new (48-54)

src/fls/simg.rs (1)

new (339-348)

src/fls/simg.rs (2)

src/fls/block_writer.rs (5)

write (311-340)

write (562-568)

new (40-52)

new (138-307)

new (484-559)

src/fls/format_detector.rs (3)

new (48-54)

is_complete (115-117)

process (64-92)

🪛 LanguageTool

docs/sparse-image-support.md

[style] ~12-~12: This phrase is redundant. Consider writing “space”.
Context: ...antly reduce flash time for images with empty space fls automatically detects sparse ima...

(EMPTY_HOLE)

[style] ~89-~89: This phrase is redundant. Consider writing “space”.
Context: ...mage with 1GB of actual data and 3GB of empty space: | Method | Data Transferred | Data Wr...

(EMPTY_HOLE)

🪛 markdownlint-cli2 (0.18.1)

docs/sparse-image-support.md

46-46: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

GitHub Check: Build (aarch64-unknown-linux-musl)
GitHub Check: Build (aarch64-unknown-linux-gnu)

🔇 Additional comments (15)

src/fls/block_writer.rs (3)

74-92: LGTM! Good separation of device vs regular file opening logic.

The /dev/ path check in open_for_regular_file provides a useful safety guard against accidentally truncating block devices when the intent was to write to a regular file.

381-393: Good defensive zeroing of padding region.

The explicit zeroing of padding bytes before aligned writes prevents leaking stale buffer data to disk, which is important for security and reproducibility.

465-474: Well-designed command enum for async I/O.

The WriterCommand enum cleanly encapsulates the three operations needed for sparse image support. The 4-byte pattern in Fill aligns with the sparse image format specification.

src/fls/from_url.rs (4)

17-30: Good extraction of writer error handling.

This helper centralizes the pattern of extracting errors from the writer handle, improving code readability across multiple call sites.

32-69: Well-structured retry logic extraction.

The handle_retry_error function cleanly encapsulates the retry decision logic with clear documentation. The mutable retry_count parameter pattern is appropriate here.

277-281: Good separation of sparse vs regular data paths.

The conditional logic cleanly routes data through the appropriate handler based on detected format.

249-276: Unhandled incomplete format detection at EOF.

When EOF is reached before the detector accumulates enough data (28 bytes minimum), detector.process() returns NeedMoreData, triggering continue. On the next iteration, read() returns 0 bytes (EOF) and breaks the loop. However, format_determined remains false, leaving the detector's internal buffer unprocessed.

After the loop exits (line 283), there is no check whether format detection completed. If format_determined is false, the detector's buffered data is silently discarded, and no data is written to the device (since neither the sparse nor regular data-writing branches execute).

Add a fallback detection attempt after the loop, or validate that format detection succeeded before proceeding.

src/fls/format_detector.rs (2)

40-54: Good initialization with clear constants.

The detector is well-designed with appropriate thresholds. DETECTION_THRESHOLD of 28 bytes matches the sparse header size, and MAX_BUFFER_SIZE of 64 provides headroom.

132-301: Excellent test coverage.

The test suite covers all major scenarios: sparse detection, regular fallback, incremental feeding, buffer limits, and idempotency. The create_test_sparse_header() helper is well-designed for generating valid test data.

src/fls/simg.rs (5)

34-53: Well-defined header structure with useful accessor.

The image_size() method correctly computes the total output size using u64 arithmetic to avoid overflow.

84-107: Comprehensive error model.

The SparseError enum covers all parsing failure modes including overflow detection and output size validation. Good defensive design.

254-284: Solid overflow protection in chunk parsing.

The use of checked_mul and explicit overflow checks before casting to u32 is excellent. This prevents integer overflow attacks from malformed sparse images.

394-510: Complex state machine with good completeness checks.

The chunk header parsing correctly handles all three chunk types and validates output size at completion. The buffer management for handling extra bytes in RAW chunks is correct.

One observation: the continue on line 462 after handling RAW chunk setup bypasses the buffer.drain() at line 484, which is intentional since RAW chunks clear the buffer explicitly on line 437.

717-731: Good overflow detection test.

The test correctly verifies that u32::MAX * 2 causes a ChunkSizeOverflow error, validating the checked arithmetic in parse_chunk_header.

docs/sparse-image-support.md (1)

100-102: The documentation accurately describes the behavior. Unknown chunk types, including CRC32 (0xCAC4), trigger an UnknownChunkType error via the default match case in parse_chunk_header. Adding an explicit CHUNK_TYPE_CRC32 constant is unnecessary—the generic error handling already covers this and all other unrecognized chunk types.

src/fls/block_writer.rs

coderabbitai

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @docs/sparse-image-support.md:
- Around line 46-51: Add a language specifier to the ASCII diagram code block in
docs/sparse-image-support.md so Markdown renderers apply proper formatting;
change the opening fence from ``` to ```text (or ```mermaid if you prefer
diagram rendering) so the block beginning with "┌─────────────┐   
┌──────────────┐..." is marked as text and ends with the existing closing ```.

🧹 Nitpick comments (1)

src/fls/simg.rs (1)
412-462: Consider clarifying the buffer management comment.

The continue at line 462 correctly skips the buffer.drain() at line 484 because the buffer was already cleared at line 437 for RAW chunks. The comment "Skip the extra bytes handling below" could be more explicit about this buffer management distinction.
📝 Suggested comment improvement
-                                        continue; // Skip the extra bytes handling below
+                                        continue; // RAW chunk path: buffer already cleared at line 437, skip drain at line 484

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0bf5af4 and 4d3375e.

⛔ Files ignored due to path filters (1)

Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (7)

docs/sparse-image-support.md
src/fls/block_writer.rs
src/fls/format_detector.rs
src/fls/from_url.rs
src/fls/http.rs
src/fls/mod.rs
src/fls/simg.rs

🚧 Files skipped from review as they are similar to previous changes (2)

src/fls/http.rs
src/fls/mod.rs

🧰 Additional context used

🧬 Code graph analysis (2)

src/fls/from_url.rs (8)

src/fls/block_writer.rs (4)

mpsc (505-505)

new (40-52)

new (138-307)

new (484-559)

src/fls/decompress.rs (2)

spawn_stderr_reader (52-69)

start_decompressor_process (33-50)

src/fls/error_handling.rs (1)

process_error_messages (3-7)

src/fls/http.rs (2)

setup_http_client (6-75)

start_download (77-168)

src/fls/download_error.rs (1)

format_error (168-223)

src/fls/format_detector.rs (1)

new (50-56)

src/fls/simg.rs (1)

new (339-348)

src/fls/progress.rs (1)

new (84-104)

src/fls/format_detector.rs (1)

src/fls/simg.rs (4)

new (339-348)

process (368-554)

parse_header (176-216)

header (352-354)

🪛 LanguageTool

docs/sparse-image-support.md

[style] ~12-~12: This phrase is redundant. Consider writing “space”.
Context: ...antly reduce flash time for images with empty space fls automatically detects sparse ima...

(EMPTY_HOLE)

[style] ~89-~89: This phrase is redundant. Consider writing “space”.
Context: ...mage with 1GB of actual data and 3GB of empty space: | Method | Data Transferred | Data Wr...

(EMPTY_HOLE)

🪛 markdownlint-cli2 (0.18.1)

docs/sparse-image-support.md

46-46: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

GitHub Check: Build (aarch64-unknown-linux-gnu)

🔇 Additional comments (16)

src/fls/format_detector.rs (3)

42-56: LGTM: Well-designed detection thresholds and state.

The 28-byte threshold matches the sparse header size precisely, and the 64-byte max buffer provides a reasonable safety margin while preventing excessive memory use during detection.

66-129: LGTM: Robust format detection with proper error handling.

The detection logic correctly distinguishes between:

Valid sparse images (magic + valid header)

Regular files (no magic or insufficient data)

Corrupted sparse images (magic present but invalid fields)

Treating corrupted sparse headers as errors prevents potentially dangerous raw writes of malformed data.

143-158: LGTM: Proper EOF handling for incomplete detection.

The guard condition prevents returning buffered data when detection is already complete, avoiding duplicate writes in the processing pipeline.

src/fls/simg.rs (4)

173-216: LGTM: Comprehensive header validation.

The parser correctly validates all critical header fields and provides detailed error messages for each failure mode.

254-272: LGTM: Proper overflow protection for chunk size calculations.

The use of checked_mul and explicit overflow checks prevents arithmetic overflow when calculating chunk data sizes, which is critical for security and stability.

513-544: LGTM: Correct RAW data streaming and completion validation.

The parser correctly tracks remaining bytes and validates the final output size matches the expected image size at completion.

601-763: LGTM: Comprehensive test coverage including edge cases.

The test suite covers all chunk types, incremental parsing, overflow detection, and large chunk sizes. The overflow test at line 718-730 is particularly important for security.

src/fls/from_url.rs (4)

17-118: LGTM: Well-factored helper functions improve code organization.

The extraction of retry logic, error handling, and command execution into dedicated functions significantly improves readability and maintainability of the main download loop.

148-189: LGTM: Clean format detection result handling.

The function properly initializes the sparse parser and processes accumulated detection data before returning control to the main loop. The separation of sparse and regular paths is clear and correct.

229-299: LGTM: Well-integrated auto-detection flow.

The detection logic properly handles:

Incremental detection from streaming data

EOF before detection completes (small files)

Transition from detection to format-specific processing

State management with format_determined flag

The integration with the existing download loop is clean and maintains the streaming nature of the pipeline.

378-402: LGTM: Retry logic consolidation improves consistency.

The centralized handle_retry_error function ensures consistent retry behavior across download initialization and connection interruptions, reducing code duplication and potential for inconsistencies.

Also applies to: 519-530

src/fls/block_writer.rs (5)

74-117: LGTM: Device-aware file opening prevents dangerous operations.

The separation of device vs. regular file opening logic is crucial:

Devices are opened read-write without create/truncate flags

Regular files check for /dev/ prefix to catch typos

Custom flags variants maintain the same safety checks

This design prevents accidental truncation of block devices and provides clear error messages for path issues.

342-373: LGTM: Proper seek implementation with O_DIRECT alignment validation.

The seek method correctly:

Validates 4096-byte alignment for O_DIRECT mode

Flushes buffered data before seeking

Updates both file position and internal tracking

Reports progress after the seek

This enables sparse image DONT_CARE chunk handling while maintaining O_DIRECT requirements.

376-433: LGTM: Correct O_DIRECT alignment with proper padding and tracking.

The flush logic properly handles O_DIRECT alignment:

Rounds up to 4096-byte boundary using div_ceil

Zeros padding to prevent writing stale data

Tracks actual bytes (not padded) for sync interval

This ensures alignment requirements are met while maintaining accurate progress tracking.

465-549: LGTM: Clean command-based I/O dispatch with helpful error handling.

The WriterCommand enum provides a clean abstraction for different I/O operations (write, seek, fill), enabling the sparse image parser to drive the writer through a well-defined interface.

The error handling includes helpful platform-specific guidance (especially for macOS raw vs. buffered devices).

595-613: LGTM: Efficient fill pattern implementation.

The helper correctly:

Creates a 4KB buffer matching alignment requirements

Fills with the repeating 4-byte pattern

Writes in chunks, letting BlockWriter::write() handle buffering and alignment

This provides efficient support for sparse image FILL chunks without duplicating alignment logic.

docs/sparse-image-support.md

mangelajo

Looks great, but now needs rebase.

bennyz · 2026-01-12T09:32:40Z

Looks great, but now needs rebase.

will do

Signed-off-by: Benny Zlotnik <bzlotnik@redhat.com>

coderabbitai

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @docs/sparse-image-support.md:
- Around line 70-78: Documentation enum name is inconsistent: the docs show
WriterCommand but the code defines WriteCommand; update the docs sample to use
the actual enum name WriteCommand (or, if you prefer to standardize on
WriterCommand, rename the enum in the implementation to WriterCommand) and
ensure all references in the docs and code (the enum definition and any
matches/usages) are aligned to the same identifier.

🧹 Nitpick comments (4)

src/fls/oci/from_oci.rs (2)

82-117: Code duplication with from_url.rs.

This execute_write_commands function is very similar to the one in src/fls/from_url.rs (lines 91-137). Consider extracting this to a shared helper module to reduce maintenance burden and ensure consistent behavior.

The key difference is that from_url.rs version reports errors via error_tx channel while this version doesn't. If the error channel reporting is intentional here, a comment explaining the difference would help.

135-175: Duplicated helper function.

handle_detected_format is nearly identical to the one in src/fls/from_url.rs (lines 167-208). The only difference is error channel handling. Consider consolidating these into a shared module.

src/fls/simg.rs (1)

422-462: Complex buffer management for RAW chunks - verify edge cases.

The handling of extra bytes when a RAW chunk header is parsed alongside some data bytes is intricate:

Extra bytes beyond the header are extracted (line 425-426)

Only up to raw_remaining bytes are written (line 427-428)

Buffer is cleared (line 437)

If RAW chunk completes immediately, state transitions appropriately

The continue at line 462 skips the buffer.drain() at line 484

This logic appears correct, but the interaction between the continue and the drain that's skipped is subtle. Consider adding a brief comment explaining why RAW chunks need special handling compared to FILL/DONT_CARE.

src/fls/block_writer.rs (1)

343-374: Clarify semantics: bytes_written represents output position, not actual bytes transferred, by design.

The seek() method intentionally updates bytes_written to the absolute offset (line 368) for sparse image support, not a bug. The comment on line 367 explicitly identifies this as "position tracking." This mixed semantic is correct: normal write() increments bytes_written (line 327), while seek() sets it to the output position (line 368).

For sparse images, this is the intended behavior—progress should reflect the position in the final output file, not just actual bytes transferred. The ProgressTracker displays this value as progress, which works correctly for both dense and sparse writes.

However, the field name bytes_written becomes semantically ambiguous after a seek. Consider documenting this mixed semantic explicitly in the struct definition or renaming to output_position to clarify the intent.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a15d5d7 and 191f34d.

📒 Files selected for processing (7)

docs/sparse-image-support.md
src/fls/block_writer.rs
src/fls/format_detector.rs
src/fls/from_url.rs
src/fls/mod.rs
src/fls/oci/from_oci.rs
src/fls/simg.rs

🚧 Files skipped from review as they are similar to previous changes (1)

src/fls/format_detector.rs

🧰 Additional context used

🧬 Code graph analysis (3)

src/fls/oci/from_oci.rs (2)

src/fls/format_detector.rs (1)

new (50-56)

src/fls/simg.rs (1)

new (339-348)

src/fls/from_url.rs (6)

src/fls/error_handling.rs (1)

process_error_messages (3-7)

src/fls/http.rs (2)

setup_http_client (6-75)

start_download (77-168)

src/fls/download_error.rs (1)

format_error (168-223)

src/fls/format_detector.rs (1)

new (50-56)

src/fls/simg.rs (1)

new (339-348)

src/fls/stream_utils.rs (1)

new (21-27)

src/fls/simg.rs (1)

src/fls/block_writer.rs (5)

write (312-341)

write (563-569)

new (40-52)

new (138-308)

new (485-560)

🪛 LanguageTool

docs/sparse-image-support.md

[style] ~12-~12: This phrase is redundant. Consider writing “space”.
Context: ...antly reduce flash time for images with empty space fls automatically detects sparse ima...

(EMPTY_HOLE)

[style] ~90-~90: This phrase is redundant. Consider writing “space”.
Context: ...mage with 1GB of actual data and 3GB of empty space: | Method | Data Transferred | Data Wr...

(EMPTY_HOLE)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

GitHub Check: Build (aarch64-unknown-linux-gnu)
GitHub Check: Build (aarch64-unknown-linux-musl)
GitHub Check: Build (aarch64-apple-darwin)

🔇 Additional comments (17)

src/fls/mod.rs (1)

7-7: LGTM!

The new internal modules format_detector and simg are correctly wired into the module tree with appropriate visibility.

Also applies to: 15-15

src/fls/oci/from_oci.rs (2)

177-219: LGTM!

The format detection routing logic is well-structured. The state machine correctly handles the three detection outcomes (NeedMoreData, Detected, Error) and appropriately routes subsequent data based on whether a sparse parser was initialized.

335-385: LGTM!

The sparse image detection is cleanly integrated into the tar processing pipeline. The pattern of initializing FormatDetector, Option<SparseParser>, and format_determined flag, then using process_buffer_with_format_detection in the read loop with finalize_format_at_eof at EOF is consistent and correct.

src/fls/from_url.rs (4)

17-25: LGTM!

The await_writer_result helper properly converts task panics to io::Error using io::Error::other, providing uniform error handling throughout the download pipeline.

51-88: LGTM!

Good refactoring to centralize retry logic. The function properly handles non-retryable errors, max retry checks, and suggested retry delays with a sensible fallback.

90-137: LGTM!

The execute_write_commands function properly handles all WriteCommand variants with consistent error reporting through the error channel. The debug logging for Seek and Fill operations will be valuable for troubleshooting.

246-327: LGTM!

The writer task integration with format detection is well-implemented:

Format detection state properly initialized before the loop

EOF handling correctly flushes any buffered detection data as regular content

The continue statement after NeedMoreData correctly prevents premature data processing

Remaining buffer slice calculation after detection is correct

src/fls/block_writer.rs (4)

74-92: LGTM!

Good safety checks in open_for_regular_file - preventing paths under /dev/ from being accidentally opened as regular files helps avoid data loss from typos in device paths.

376-394: LGTM!

Good fix to explicitly zero the padding region before writing. This prevents potential information leakage from stale buffer contents when the final block requires alignment padding.

466-475: LGTM!

The WriterCommand enum cleanly extends the async writer interface to support seek and fill operations required for sparse image processing. The command pattern is a good design choice for this use case.

596-614: LGTM!

The fill pattern implementation is efficient:

Buffer size matches the alignment requirement

Pattern is correctly replicated across the buffer using chunks_exact_mut

The loop properly handles both full and partial buffer writes

src/fls/simg.rs (6)

1-13: LGTM!

Excellent module documentation explaining the sparse image format and its purpose. The format specification reference in the doc comments will help future maintainers understand the code.

173-216: LGTM!

The header parsing is robust:

Validates buffer length before accessing bytes

Checks magic number for format detection

Version validation allows minor version flexibility (only major == 1 required)

Header/chunk header size validation ensures format compliance

254-284: LGTM!

Excellent defensive parsing:

Arithmetic overflow protection using checked_mul prevents panics on malformed input

Each chunk type validates its expected total size

FILL chunk correctly reads the additional 4 bytes for the pattern

306-311: Good documentation of design decision.

The comment explaining why raw_remaining is limited to u32 (~4GB) is helpful. This is a reasonable limitation for streaming efficiency, and the overflow check during parsing ensures this limit is enforced.

513-544: LGTM!

The RAW data streaming state correctly:

Consumes only up to raw_remaining bytes from input

Emits Write commands with the consumed data

Properly transitions to the next state when the chunk is complete

Clears the buffer when transitioning back to WaitingChunkHeader

693-715: LGTM - Excellent test coverage!

The test_incremental_byte_feeding test is particularly valuable - it verifies the streaming parser handles arbitrarily fragmented input correctly, which is essential for real-world streaming scenarios where network chunks don't align with format boundaries.

coderabbitai · 2026-01-12T10:23:50Z

docs/sparse-image-support.md

+```rust
+// From src/fls/simg.rs
+enum WriterCommand {
+    Seek(u64),                             // Skip to offset (DONT_CARE)
+    Write(Vec<u8>),                        // Write data (RAW)
+    Fill { pattern: [u8; 4], bytes: u64 }, // Fill with pattern (FILL)
+    Complete { expected_size: u64 },       // Parsing complete
+}
+```


⚠️ Potential issue | 🟡 Minor

Inconsistent enum name in documentation.

The code sample shows WriterCommand but the actual implementation in src/fls/simg.rs uses WriteCommand. This inconsistency could confuse readers.

📝 Suggested fix

-enum WriterCommand { +enum WriteCommand { Seek(u64), // Skip to offset (DONT_CARE) Write(Vec<u8>), // Write data (RAW) Fill { pattern: [u8; 4], bytes: u64 }, // Fill with pattern (FILL) Complete { expected_size: u64 }, // Parsing complete }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

```rust

// From src/fls/simg.rs

enum WriterCommand {

Seek(u64), // Skip to offset (DONT_CARE)

Write(Vec<u8>), // Write data (RAW)

Fill { pattern: [u8; 4], bytes: u64 }, // Fill with pattern (FILL)

Complete { expected_size: u64 }, // Parsing complete

}

```

🤖 Prompt for AI Agents

In @docs/sparse-image-support.md around lines 70 - 78, Documentation enum name is inconsistent: the docs show WriterCommand but the code defines WriteCommand; update the docs sample to use the actual enum name WriteCommand (or, if you prefer to standardize on WriterCommand, rename the enum in the implementation to WriterCommand) and ensure all references in the docs and code (the enum definition and any matches/usages) are aligned to the same identifier.

bennyz requested a review from mangelajo January 9, 2026 13:23

bennyz force-pushed the sparse-simg branch from ae42182 to f85ba7d Compare January 9, 2026 13:29

coderabbitai bot reviewed Jan 9, 2026

View reviewed changes

src/fls/format_detector.rs Show resolved Hide resolved

src/fls/from_url.rs Outdated Show resolved Hide resolved

src/fls/from_url.rs Outdated Show resolved Hide resolved

src/fls/simg.rs Outdated Show resolved Hide resolved

bennyz force-pushed the sparse-simg branch 2 times, most recently from 26d3233 to 49697e2 Compare January 9, 2026 14:16

coderabbitai bot reviewed Jan 9, 2026

View reviewed changes

src/fls/from_url.rs Outdated Show resolved Hide resolved

src/fls/from_url.rs Outdated Show resolved Hide resolved

coderabbitai bot reviewed Jan 9, 2026

View reviewed changes

src/fls/block_writer.rs Outdated Show resolved Hide resolved

src/fls/from_url.rs Outdated Show resolved Hide resolved

src/fls/from_url.rs Outdated Show resolved Hide resolved

src/fls/from_url.rs Outdated Show resolved Hide resolved

bennyz force-pushed the sparse-simg branch 2 times, most recently from 2ba99db to 6b17dfa Compare January 9, 2026 15:00

coderabbitai bot reviewed Jan 9, 2026

View reviewed changes

bennyz force-pushed the sparse-simg branch from 6b17dfa to 0c83a77 Compare January 9, 2026 15:14

coderabbitai bot reviewed Jan 9, 2026

View reviewed changes

bennyz force-pushed the sparse-simg branch from 0c83a77 to df7dc69 Compare January 9, 2026 15:49

coderabbitai bot reviewed Jan 9, 2026

View reviewed changes

bennyz force-pushed the sparse-simg branch from df7dc69 to 29db99d Compare January 10, 2026 07:58

coderabbitai bot reviewed Jan 10, 2026

View reviewed changes

bennyz force-pushed the sparse-simg branch from 29db99d to 0bf5af4 Compare January 10, 2026 09:10

coderabbitai bot reviewed Jan 10, 2026

View reviewed changes

src/fls/block_writer.rs Show resolved Hide resolved

bennyz force-pushed the sparse-simg branch from 0bf5af4 to 4d3375e Compare January 10, 2026 09:49

coderabbitai bot reviewed Jan 10, 2026

View reviewed changes

docs/sparse-image-support.md Outdated Show resolved Hide resolved

bennyz force-pushed the sparse-simg branch 2 times, most recently from 1e8e3f9 to a15d5d7 Compare January 11, 2026 06:28

mangelajo approved these changes Jan 12, 2026

View reviewed changes

support sparse simg from a-i-b

191f34d

Signed-off-by: Benny Zlotnik <bzlotnik@redhat.com>

bennyz force-pushed the sparse-simg branch from a15d5d7 to 191f34d Compare January 12, 2026 10:18

coderabbitai bot reviewed Jan 12, 2026

View reviewed changes

mangelajo merged commit 8c6990a into jumpstarter-dev:main Jan 12, 2026
8 checks passed

coderabbitai bot mentioned this pull request Jan 13, 2026

restore stats for OCI flashing #5

Merged

bennyz deleted the sparse-simg branch January 14, 2026 09:27

support sparse simg from a-i-b #3

support sparse simg from a-i-b #3

Uh oh!

Conversation

bennyz commented Jan 9, 2026 • edited by coderabbitai bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary by CodeRabbit

Uh oh!

coderabbitai bot commented Jan 9, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Sequence Diagram(s)

Estimated Code Review Effort

Possibly Related PRs

Suggested Reviewers

Poem

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

bennyz commented Jan 9, 2026

Uh oh!

coderabbitai bot commented Jan 9, 2026

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

mangelajo left a comment

Choose a reason for hiding this comment

Uh oh!

bennyz commented Jan 12, 2026

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Jan 12, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

bennyz commented Jan 9, 2026 •

edited by coderabbitai bot

Loading

coderabbitai bot commented Jan 9, 2026 •

edited

Loading