A robust base::DeleteFile.

base/files/file_util_win.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/files/file_util.h"
 
 #include <windows.h>
 #include <io.h>
 #include <psapi.h>
 #include <shellapi.h>
 #include <shlobj.h>
 #include <stddef.h>
 #include <stdint.h>
+#include <string.h>
 #include <time.h>
 #include <winsock2.h>
 
 #include <algorithm>
 #include <limits>
 #include <string>
+#include <utility>
 
+#include "base/base32.h"
 #include "base/files/file_enumerator.h"
 #include "base/files/file_path.h"
 #include "base/logging.h"
 #include "base/macros.h"
 #include "base/metrics/histogram.h"
 #include "base/process/process_handle.h"
 #include "base/rand_util.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_util.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/threading/thread_restrictions.h"
 #include "base/time/time.h"
 #include "base/win/scoped_handle.h"
 #include "base/win/windows_version.h"
 
 namespace base {
 
 namespace {
 
 const DWORD kFileShareAll =
     FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE;
 
-// Deletes all files and directories in a path.
-// Returns false on the first failure it encounters.
-bool DeleteFileRecursive(const FilePath& path,
-                         const FilePath::StringType& pattern,
-                         bool recursive) {
-  FileEnumerator traversal(path, false,
-                           FileEnumerator::FILES | FileEnumerator::DIRECTORIES,
-                           pattern);
-  for (FilePath current = traversal.Next(); !current.empty();
-       current = traversal.Next()) {
-    // Try to clear the read-only bit if we find it.
-    FileEnumerator::FileInfo info = traversal.GetInfo();
-    if ((info.find_data().dwFileAttributes & FILE_ATTRIBUTE_READONLY) &&
-        (recursive || !info.IsDirectory())) {
-      SetFileAttributes(
-          current.value().c_str(),
-          info.find_data().dwFileAttributes & ~FILE_ATTRIBUTE_READONLY);
-    }
-
-    if (info.IsDirectory()) {
-      if (recursive && (!DeleteFileRecursive(current, pattern, true) ||
-                        !RemoveDirectory(current.value().c_str())))
-        return false;
-    } else if (!::DeleteFile(current.value().c_str())) {
+// The workhorse of base::DeleteFile. This class implements a robust file and
+// directory deletion strategy to work with Windows' peculiarity around file
+// deletion -- on Windows, one does not simply delete a file. The Win32
+// DeleteFile function is deceptively named (though properly documented) as it
+// marks a file for deletion at some unspecified time in the future when all
+// handles are closed. This here workhorse accomplishes two goals: recursive
+// deletes can succeed in the face of other software operating therein (so long
+// as they open files with SHARE_DELETE) and it's much more likely that callers
+// can delete a file or directory and then immediately create another with the
+// same name. This class implementes DeleteFile as follows:
+// - Open the item to be deleted.
+// - Rob the item of its read-only status, if applicable.
+// - In the case of a directory that does not have a reparse point (i.e., a
+//   plain old directory, not a mount point or a symlinks), recursively delete
+//   everything contained therein using the strategy described here.
+// - Paint the item with delete-on-close to make sure it is deletable.
+// - Hide the item.
+// - Clear the delete-on-close bit so that it can...
+// - Move the item to a temporary directory (with a random name).
+// - Paint the item with delete-on-close for good.
+//
+// Failure possibilities are:
+// - The item could not be opened.
+// - The item's attributes could not be read.
+// - The item was read-only and this attribute could not be cleared.
+// - The item could not be deleted for various legitimate reasons such as it
+//   being open without SHARE_DELETE access, or the current user not having
+//   permission to delete it.
+// - The file was moved out to the temp directory, could not be deleted, and
+//   could not be moved back to its original location. This will DCHECK in a
+//   debug build, as it is highly undesirable and so far outside of expectation.
+//
+// There also exists a partial success case where the item could not be moved
+// prior to deletion but was deleted in situ. This is essentially the Win32
+// DeleteFile behavior, also known as "better than nothing".
+class TreeDeleter {
+ public:
+  // Deletes |path| (a file or a directory). If |recursive| is true and |path|
+  // names a directory that does not have a reparse point (i.e., is not a mount
+  // point or a symlink), then recursively deletes the contents of |path| prior
+  // to deleting |path|. Returns false if |path| was not entirely deleted.
+  static bool RobustDelete(const FilePath& path,
+                           bool recursive,
+                           DeleteFileMetrics* metrics);
+
+ private:
+  TreeDeleter();
+
+  // Returns a random 8.3 ASCII filename.
+  static std::string GenerateRandomFileName();
+
+  // Returns true if the serial number of the volume on which |path| resides
+  // can be obtained, equals |volume_serial_number|, and a file can be created
+  // in the directory.
+  static bool IsSuitableTemporaryDirectory(const FilePath& path,
+                                           DWORD volume_serial_number);
+
+  // Deletes |path| (recursively, if |recursive|) with up to 4 retries.
+  bool BeginDelete(const FilePath& path, bool recursive);
+
+  // Sets |temp_dir_path_| to the path of a directory on the same volume as
+  // |path| (opened as |to_delete|) that will be used to temporarily hold files
+  // and directories as they are being deleted.
+  void ChooseTempDir(const FilePath& path, const win::ScopedHandle& to_delete);
+
+  // Main entrypoint to delete |path|. |level| indicates the current level of
+  // recursion. |recurse|, when true, indicates that the operation should
+  // recurse into directories.
+  bool Delete(const FilePath& path, int level, bool recurse);
+
+  // Main entrypoint to the open-and-delete-on-close strategy.
+  bool DeleteOnClose(const FilePath& path, int level, bool recurse);
+
+  // Deletes |path| (a file or an empty directory) using the traditional Win32
+  // APIs.
+  bool DeleteFallback(const FilePath& path);
+
+  // Deletes |to_delete|, using |basic_info| to adjust its attributes in the
+  // process.
+  bool DoDelete(const FilePath& path,
+                int level,
+                bool recurse,
+                const win::ScopedHandle& to_delete,
+                FILE_BASIC_INFO* basic_info);
+
+  // Deletes as much of the contents of |path| as possible, returning |true|
+  // only if everything within was deleted.
+  bool DeleteContents(const FilePath& path, int level);
+
+  // Moves |to_delete| out into the temp directory of the operation.
+  // |to_delete| is expected to already have its delete-on-close attribute set.
+  // This function will clear it, move the file, and re-establish
+  // delete-on-close. Returns false if the delete-on-close attribute is not set
+  // on exit.
+  bool MoveToTemp(const FilePath& path, const win::ScopedHandle& to_delete);
+
+  // Renames the item |to_delete| to |target|.
+  bool MoveTo(const win::ScopedHandle& to_delete, const FilePath& target);
+
+  // Metrics relating to the operation.
+  DeleteFileMetrics metrics_ = DeleteFileMetrics();
+
+  // The directory into which items are to be moved immediately prior to
+  // deletion.
+  FilePath temp_dir_path_;
+
+  // The size, in bytes, of the FILE_RENAME_INFO block.
+  size_t rename_info_buffer_size_ = 0;
+
+  // Holds a FILE_RENAME_INFO when the instance will be used to move files out
+  // of their current directory prior to deletion.
+  std::unique_ptr<uint8_t> rename_info_buffer_;
+
+  DISALLOW_COPY_AND_ASSIGN(TreeDeleter);
+};
+
+// static
+bool TreeDeleter::RobustDelete(const FilePath& path,
+                               bool recursive,
+                               DeleteFileMetrics* metrics) {
+  TreeDeleter deleter;
+  bool result = deleter.BeginDelete(MakeAbsoluteFilePath(path), recursive);
+  if (metrics)
+    *metrics = deleter.metrics_;
+  return result;
+}
+
+TreeDeleter::TreeDeleter() {}
+
+// static
+std::string TreeDeleter::GenerateRandomFileName() {
+  char random[5];
+  RandBytes(&random[0], sizeof(random));
+  return Base32Encode(StringPiece(&random[0], sizeof(random))).append(".tmp");

[Nico, 2017/01/10 18:31:56]

what's wrong with win32's GetTempFileName()?

[grt (UTC plus 2), 2017/01/12 15:07:03]

I think it's undesirable here for a few reasons:
- If you want it to guarantee a unique filename, the documentation says it's
inefficient in directories containing lots of files. Temp dirs often have lots
of files, so this seems bad.
- If you want it to guarantee a unique filename, it creates a file with that
name and leaves it there for you. This file is then in the way of the file we
want to move, so we'd have to delete it or rename it, which kinda puts us back
to where we started. :-)
- If you don't want it to guarantee a unique filename, you have to call it
repeatedly in case of collision, which is no better than the roll-your-own I've
created here.

[Nico, 2017/01/17 13:19:58]

(This is to protect against time of check to time of use attacks – see mktemp
references on https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use . For
file deletion, I believe you're right that this gets in the way instead of
helping, but I'm also not very creative in coming up with exploits for this type
of problem :-) )
Well, it's roughly the same code except that we don't need the base64 code in
base, right? (Maybe I'm missing something.)

+}
+
+// static
+bool TreeDeleter::IsSuitableTemporaryDirectory(const FilePath& path,
+                                               DWORD volume_serial_number) {
+  BY_HANDLE_FILE_INFORMATION info = {};
+  File file(path, (File::FLAG_OPEN | File::FLAG_SHARE_DELETE |
+                   File::FLAG_BACKUP_SEMANTICS));
+  if (!file.IsValid()) {
+    PLOG(ERROR) << "Unable to get volume serial number of " << path.value();
+    return false;
+  }
+  if (!::GetFileInformationByHandle(file.GetPlatformFile(), &info) ||
+      info.dwVolumeSerialNumber != volume_serial_number) {
+    return false;
+  }
+  file.Close();
+
+  // Check that a file can be created in the directory.
+  file.Initialize(path.AppendASCII(GenerateRandomFileName()),
+                  (File::FLAG_CREATE | File::FLAG_WRITE | File::FLAG_TEMPORARY |
+                   File::FLAG_HIDDEN | File::FLAG_DELETE_ON_CLOSE |
+                   File::FLAG_SHARE_DELETE));
+  return file.IsValid();
+}
+
+bool TreeDeleter::BeginDelete(const FilePath& path, bool recursive) {
+  // Repeatedly attempt to delete |path| until there is nothing left that can be
+  // deleted. Bail out after five fruitless iterations (four retries).
+  int retries_without_progress = 0;
+  while (true) {
+    int total_deleted_before = metrics_.delete_on_close_success_count +
+                               metrics_.delete_file_success_count;
+    if (Delete(path, 0, recursive))
+      return true;  // Yay!
+    if (metrics_.delete_on_close_success_count +
+            metrics_.delete_file_success_count >
+        total_deleted_before) {
+      // Progress is being made; reset the retry count.
+      retries_without_progress = 0;
+    } else if (++retries_without_progress == 5) {
+      // Give up after making no progress five consecutive times.
+      break;
+    }
+    ++metrics_.total_retry_count;
+  }
+
+  return false;
+}
+
+void TreeDeleter::ChooseTempDir(const FilePath& path,
+                                const win::ScopedHandle& to_delete) {
+  DCHECK(temp_dir_path_.empty());
+
+  // Get the volume serial number of the path to be deleted.
+  BY_HANDLE_FILE_INFORMATION item_info = {};
+  if (::GetFileInformationByHandle(to_delete.Get(), &item_info)) {
+    FilePath temp_path;
+
+    // Try %TEMP%.
+    if (GetTempDir(&temp_path) &&
+        IsSuitableTemporaryDirectory(temp_path,
+                                     item_info.dwVolumeSerialNumber)) {
+      temp_dir_path_ = temp_path;
+      metrics_.temporary_directory_location = DeleteFileMetrics::TEMP;
+      return;
+    }
+
+    // Try X:\Temp and X:\Tmp.
+    wchar_t volume_path_name[MAX_PATH];
+    if (::GetVolumePathName(path.NormalizePathSeparators().value().c_str(),
+                            volume_path_name, arraysize(volume_path_name))) {
+      static constexpr const wchar_t* kTempNames[] = {L"Temp", L"Tmp"};
+      for (const wchar_t* temp_name : kTempNames) {
+        temp_path = FilePath(volume_path_name).Append(temp_name);
+        if (IsSuitableTemporaryDirectory(temp_path,
+                                         item_info.dwVolumeSerialNumber)) {
+          temp_dir_path_ = temp_path;
+          metrics_.temporary_directory_location =
+              DeleteFileMetrics::VOLUME_TEMP;
+          return;
+        }
+      }
+    }
+
+    // Try the parent dir of |path|.

[Nico, 2017/01/10 18:31:56]

xxx

[Nico, 2017/01/10 18:39:51]

Sorry, meant to edit this one before hitting publish. If you put the temp dir
into the parent directory, the `enumer` for the parent won't have the new temp
file you're creating, will it?

[grt (UTC plus 2), 2017/01/12 15:07:03]

No, the enumerator used in DeleteContents will never see items that are moved
into either the parent dir of |path| or the dir of |path|. ChooseTempDir is
called only once with the path given to RobustDelete. In the case where
RobustDelete is called, |path| names a directory, and |recursive| is true,
enumeration is done within the directory |path| (and its children) and in the
directory containing |path|.

+    temp_path = path.DirName().DirName();
+    if (IsSuitableTemporaryDirectory(temp_path,
+                                     item_info.dwVolumeSerialNumber)) {
+      temp_dir_path_ = temp_path;
+      metrics_.temporary_directory_location = DeleteFileMetrics::PARENT;
+      return;
+    }
+
+    // Try the dir of |path|.
+    temp_path = path.DirName();
+    if (IsSuitableTemporaryDirectory(temp_path,
+                                     item_info.dwVolumeSerialNumber)) {
+      temp_dir_path_ = temp_path;
+      metrics_.temporary_directory_location = DeleteFileMetrics::ITEM;
+      return;
+    }
+  }
+
+  PLOG(ERROR) << "Failed to get file info of " << path.value();
+  DCHECK(temp_dir_path_.empty());
+  metrics_.temporary_directory_location = DeleteFileMetrics::NONE;
+}
+
+bool TreeDeleter::Delete(const FilePath& path, int level, bool recurse) {
+  if (DeleteOnClose(path, level, recurse)) {
+    ++metrics_.delete_on_close_success_count;
+    return true;
+  }
+  if (DeleteFallback(path)) {
+    ++metrics_.delete_file_success_count;
+    return true;
+  }
+  ++metrics_.fail_count;
+  return false;
+}
+
+bool TreeDeleter::DeleteOnClose(const FilePath& path, int level, bool recurse) {
+  // Open the item to be deleted with permission to hide and delete it with full
+  // sharing. Note that backup semantics are required to open a directory.
+  // Operate on a link or a mount point (implemented via reparse points) itself
+  // rather than on its target.
+  win::ScopedHandle to_delete(::CreateFile(
+      path.value().c_str(),
+      DELETE | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES,
+      FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, nullptr,
+      OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT,
+      nullptr));
+  if (!to_delete.IsValid()) {
+    DWORD error = ::GetLastError();
+    if (error == ERROR_FILE_NOT_FOUND || error == ERROR_PATH_NOT_FOUND)
+      return true;
+    PLOG(ERROR) << "Failed to open " << path.value() << " for deletion";
+    return false;
+  }
+
+  if (metrics_.temporary_directory_location == DeleteFileMetrics::UNDECIDED)
+    ChooseTempDir(path, to_delete);
+
+  // Remove the item's read-only bit if it is set. This is required for
+  // deletion.
+  bool read_only_set = false;
+  FILE_BASIC_INFO basic_info = {};
+  if (!::GetFileInformationByHandleEx(to_delete.Get(), FileBasicInfo,
+                                      &basic_info, sizeof(basic_info))) {
+    PLOG(ERROR) << "Failed to read attributes of " << path.value();
+    return false;
+  }
+  if ((basic_info.FileAttributes & FILE_ATTRIBUTE_READONLY) != 0) {
+    basic_info.FileAttributes &= ~FILE_ATTRIBUTE_READONLY;
+    if (!::SetFileInformationByHandle(to_delete.Get(), FileBasicInfo,
+                                      &basic_info, sizeof(basic_info))) {
+      PLOG(ERROR) << "Failed to strip read-only attribute of " << path.value();
       return false;
     }
-  }
+    read_only_set = true;
+  }
+
+  if (DoDelete(path, level, recurse, to_delete, &basic_info))
+    return true;
+
+  // Restore the item's read-only state on failure.
+  if (read_only_set) {
+    basic_info.FileAttributes |= FILE_ATTRIBUTE_READONLY;
+    if (!::SetFileInformationByHandle(to_delete.Get(), FileBasicInfo,
+                                      &basic_info, sizeof(basic_info))) {
+      PLOG(ERROR) << "Failed to restore read-only attribute of "
+                  << path.value();
+    }
+  }
+  return false;
+}
+
+bool TreeDeleter::DeleteFallback(const FilePath& path) {
+  // Try a straight-up delete as a fallback. Don't bother figuring out if |path|
+  // names a file or an empty directory; just try both.
+  return ::DeleteFile(path.value().c_str()) ||
+         ::RemoveDirectory(path.value().c_str());
+}
+
+bool TreeDeleter::DoDelete(const FilePath& path,
+                           int level,
+                           bool recurse,
+                           const win::ScopedHandle& to_delete,
+                           FILE_BASIC_INFO* basic_info) {
+  // Recurse into this item if desired, this item is a directory, and this item
+  // does not have a reparse point (i.e., is not a mount point, a symlink, or
+  // some other directory-like thing implemented by a filesystem filter).
+  if (recurse && (basic_info->FileAttributes & FILE_ATTRIBUTE_DIRECTORY) != 0 &&
+      (basic_info->FileAttributes & FILE_ATTRIBUTE_REPARSE_POINT) == 0 &&
+      !DeleteContents(path, level + 1)) {
+    return false;
+  }
+
+  // Check to see if it's possible to delete this item. A non-empty directory,
+  // for example, cannot be deleted.
+  FILE_DISPOSITION_INFO disposition = {TRUE};  // DeleteFile
+  if (!::SetFileInformationByHandle(to_delete.Get(), FileDispositionInfo,
+                                    &disposition, sizeof(disposition))) {
+    PLOG(ERROR) << "Unable to delete " << path.value();
+    return false;
+  }
+
+  // The item will now be deleted when all handles are closed. Hide it so that
+  // it appears to vanish right away and so that any other procs (e.g.,
+  // explorer.exe) observing the temp directory have a greater likelihood of
+  // not reacting when a new file suddenly appears and disappears.
+  bool hidden_set = false;
+  if ((basic_info->FileAttributes & FILE_ATTRIBUTE_HIDDEN) == 0) {
+    basic_info->FileAttributes |= FILE_ATTRIBUTE_HIDDEN;
+    if (!::SetFileInformationByHandle(to_delete.Get(), FileBasicInfo,
+                                      basic_info, sizeof(*basic_info))) {
+      PLOG(WARNING) << "Failed to hide " << path.value();
+    }
+    hidden_set = true;
+  }
+
+  if (temp_dir_path_.empty() || MoveToTemp(path, to_delete))
+    return true;
+
+  // The item couldn't be deleted. Restore its visibility.
+  if (hidden_set) {
+    basic_info->FileAttributes &= ~FILE_ATTRIBUTE_HIDDEN;
+    if (!::SetFileInformationByHandle(to_delete.Get(), FileBasicInfo,
+                                      basic_info, sizeof(*basic_info))) {
+      PLOG(WARNING) << "Failed to unhide " << path.value();
+    }
+  }
+  return false;
+}
+
+bool TreeDeleter::DeleteContents(const FilePath& path, int level) {
+  metrics_.max_depth = std::max(metrics_.max_depth, level);
+
+  // Recursively (and greedily) delete everything in |path|.
+  bool items_failed = false;
+  FileEnumerator enumer(path, false,
+                        (FileEnumerator::DIRECTORIES | FileEnumerator::FILES));
+  for (FilePath item = enumer.Next(); !item.empty(); item = enumer.Next()) {
+    if (!Delete(item, level, true /* recurse */))
+      items_failed = true;
+  }
+
+  // Report success in the absence of failures.
+  return !items_failed;
+}
+
+bool TreeDeleter::MoveToTemp(const FilePath& path,
+                             const win::ScopedHandle& to_delete) {
+  DCHECK(!temp_dir_path_.empty());
+  // Do the shuffle to move the item out to the temp directory so that a new
+  // item with the same name can be created immediately in this directory, or
+  // so that the containing directory can be deleted immediately.
+
+  // Revoke deletion so that the item can be moved.
+  FILE_DISPOSITION_INFO disposition = {FALSE};  // DeleteFile
+  if (!::SetFileInformationByHandle(to_delete.Get(), FileDispositionInfo,
+                                    &disposition, sizeof(disposition))) {
+    PLOG(WARNING) << "Unable to revoke deletion of " << path.value()
+                  << "; skipping move to temp";
+    return true;
+  }
+
+  // Move the file out to the temp directory. Failure to move is not a fatal
+  // failure, though it will lead to a race when deleting the containing
+  // directory. This is mitigated by retries in directory deletion.
+  bool file_moved = false;
+  int attempts = 0;
+  do {
+    file_moved =
+        MoveTo(to_delete, temp_dir_path_.AppendASCII(GenerateRandomFileName()));
+  } while (!file_moved && ++attempts < 5);
+
+  // Mark the file to be deleted on close once again.
+  disposition.DeleteFile = TRUE;
+  if (!::SetFileInformationByHandle(to_delete.Get(), FileDispositionInfo,
+                                    &disposition, sizeof(disposition))) {
+    // This is unexpected since the file was to be deleted moments ago, but is
+    // possible (e.g., another process has mapped it into memory).
+    PLOG(ERROR) << "Failed to mark file to be deleted on close";
+
+    if (file_moved) {
+      // Try to move the file back to where it was. If this fails, we're in the
+      // town of cats and leaving the file in the wrong place. Regardless, make
+      // a final attempt to mark the file for deletion.

[Nico, 2017/01/10 18:31:56]

Why would this succeed now?

[grt (UTC plus 2), 2017/01/12 15:07:03]

Races. It's possible that another proc had mapped the file into memory
(https://github.com/Microsoft/Windows-driver-samples/blob/master/filesys/fastf...),
like, I dunno, an AV scanner...

+      bool file_moved_back = MoveTo(to_delete, path);
+      LONG error = ::GetLastError();
+      if (::SetFileInformationByHandle(to_delete.Get(), FileDispositionInfo,
+                                       &disposition, sizeof(disposition))) {
+        // Whew! The file will eventually be deleted in situ.
+        if (!file_moved_back)
+          ++metrics_.move_to_temp_count;
+        return true;
+      }
+      if (!file_moved_back) {
+        ::SetLastError(error);
+        PLOG(DFATAL) << "Failed to move item back to original location";
+      }
+    }
+    return false;
+  }
+
+  ++metrics_.move_to_temp_count;
+
   return true;
 }
+
+bool TreeDeleter::MoveTo(const win::ScopedHandle& to_delete,
+                         const FilePath& target) {
+  // Compute the proper size of the FILE_RENAME_INFO including the target path.
+  size_t path_bytes = (target.value().length() + 1) * sizeof(wchar_t);
+  size_t struct_size = offsetof(FILE_RENAME_INFO, FileName) + path_bytes;
+
+  // Allocate a new buffer if needed.
+  if (rename_info_buffer_size_ < struct_size) {
+    rename_info_buffer_.reset();
+    rename_info_buffer_.reset(new uint8_t[struct_size]);
+    rename_info_buffer_size_ = struct_size;
+  }
+
+  // Formulate a FILE_RENAME_INFO struct in the buffer.
+  FILE_RENAME_INFO* file_rename_info =
+      reinterpret_cast<FILE_RENAME_INFO*>(rename_info_buffer_.get());
+  file_rename_info->ReplaceIfExists = FALSE;
+  file_rename_info->RootDirectory = nullptr;
+  file_rename_info->FileNameLength = target.value().length();
+  ::memcpy(&file_rename_info->FileName[0], target.value().c_str(), path_bytes);
+
+  if (!::SetFileInformationByHandle(to_delete.Get(), FileRenameInfo,
+                                    file_rename_info, struct_size)) {
+    PLOG(ERROR) << "Failed to move item to " << target.value();
+    return false;
+  }
+  return true;
+}
 
 }  // namespace
 
 FilePath MakeAbsoluteFilePath(const FilePath& input) {
   ThreadRestrictions::AssertIOAllowed();
   wchar_t file_path[MAX_PATH];
   if (!_wfullpath(file_path, input.value().c_str(), MAX_PATH))
     return FilePath();
   return FilePath(file_path);
 }
 
 bool DeleteFile(const FilePath& path, bool recursive) {
+  return DeleteFileWithMetrics(path, recursive, nullptr);
+}
+
+bool DeleteFileWithMetrics(const FilePath& path,
+                           bool recursive,
+                           DeleteFileMetrics* metrics) {
   ThreadRestrictions::AssertIOAllowed();
 
+  // Wildcards are not supported.
+  DCHECK_EQ(path.BaseName().value().find_first_of(L"*?"),
+            FilePath::StringType::npos);
+
   if (path.empty())
     return true;
 
   if (path.value().length() >= MAX_PATH)
     return false;
 
-  // Handle any path with wildcards.
-  if (path.BaseName().value().find_first_of(L"*?") !=
-      FilePath::StringType::npos) {
-    return DeleteFileRecursive(path.DirName(), path.BaseName().value(),
-                               recursive);
-  }
-  DWORD attr = GetFileAttributes(path.value().c_str());
-  // We're done if we can't find the path.
-  if (attr == INVALID_FILE_ATTRIBUTES)
-    return true;
-  // We may need to clear the read-only bit.
-  if ((attr & FILE_ATTRIBUTE_READONLY) &&
-      !SetFileAttributes(path.value().c_str(),
-                          attr & ~FILE_ATTRIBUTE_READONLY)) {
-    return false;
-  }
-  // Directories are handled differently if they're recursive.
-  if (!(attr & FILE_ATTRIBUTE_DIRECTORY))
-    return !!::DeleteFile(path.value().c_str());
-  // Handle a simple, single file delete.
-  if (!recursive || DeleteFileRecursive(path, L"*", true))
-    return !!RemoveDirectory(path.value().c_str());
-
-  return false;
+  return TreeDeleter::RobustDelete(path, recursive, metrics);
 }
 
 bool DeleteFileAfterReboot(const FilePath& path) {
   ThreadRestrictions::AssertIOAllowed();
 
   if (path.value().length() >= MAX_PATH)
     return false;
 
   return MoveFileEx(path.value().c_str(), NULL,
                     MOVEFILE_DELAY_UNTIL_REBOOT |
@@ skipping 697 matching lines @@
     // Like Move, this function is not transactional, so we just
     // leave the copied bits behind if deleting from_path fails.
     // If to_path exists previously then we have already overwritten
     // it by now, we don't get better off by deleting the new bits.
   }
   return false;
 }
 
 }  // namespace internal
 }  // namespace base