A robust base::DeleteFile.

base/files/file_util_win.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/files/file_util.h"
 
 #include <windows.h>
 #include <io.h>
 #include <psapi.h>
 #include <shellapi.h>
 #include <shlobj.h>
 #include <stddef.h>
 #include <stdint.h>
+#include <string.h>
 #include <time.h>
 #include <winsock2.h>
 
 #include <algorithm>
 #include <limits>
 #include <string>
+#include <utility>
 
+#include "base/base32.h"
 #include "base/files/file_enumerator.h"
 #include "base/files/file_path.h"
 #include "base/logging.h"
 #include "base/macros.h"
 #include "base/metrics/histogram.h"
 #include "base/process/process_handle.h"
 #include "base/rand_util.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_util.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/threading/thread_restrictions.h"
 #include "base/time/time.h"
 #include "base/win/scoped_handle.h"
 #include "base/win/windows_version.h"
 
 namespace base {
 
 namespace {
 
 const DWORD kFileShareAll =
     FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE;
 
-// Deletes all files and directories in a path.
-// Returns false on the first failure it encounters.
-bool DeleteFileRecursive(const FilePath& path,
-                         const FilePath::StringType& pattern,
-                         bool recursive) {
-  FileEnumerator traversal(path, false,
-                           FileEnumerator::FILES | FileEnumerator::DIRECTORIES,
-                           pattern);
-  for (FilePath current = traversal.Next(); !current.empty();
-       current = traversal.Next()) {
-    // Try to clear the read-only bit if we find it.
-    FileEnumerator::FileInfo info = traversal.GetInfo();
-    if ((info.find_data().dwFileAttributes & FILE_ATTRIBUTE_READONLY) &&
-        (recursive || !info.IsDirectory())) {
-      SetFileAttributes(
-          current.value().c_str(),
-          info.find_data().dwFileAttributes & ~FILE_ATTRIBUTE_READONLY);
-    }
-
-    if (info.IsDirectory()) {
-      if (recursive && (!DeleteFileRecursive(current, pattern, true) ||
-                        !RemoveDirectory(current.value().c_str())))
-        return false;
-    } else if (!::DeleteFile(current.value().c_str())) {
+// The workhorse of base::DeleteFile. This class implements a robust file and
+// directory deletion strategy to work with Windows' peculiarity around file
+// deletion -- on Windows, one does not simply delete a file. The Win32
+// DeleteFile function is deceptively named (though properly documented) as it
+// marks a file for deletion at some unspecified time in the future when all
+// handles are closed. This here workhorse accomplishes two goals: recursive
+// deletes can succeed in the face of other software operating therein (so long
+// as they open files with SHARE_DELETE) and it's much more likely that callers
+// can delete a file or directory and then immediately create another with the
+// same name. This class implementes DeleteFile as follows:
+// - Open the item to be deleted.
+// - Rob the item of its read-only status, if applicable.
+// - In the case of a directory that does not have a reparse point (i.e., a
+//   plain old directory, not a mount point or a symlinks), recursively delete
+//   everything contained therein using the strategy described here.
+// - Paint the item with delete-on-close to make sure it is deletable.
+// - Hide the item.
+// - Clear the delete-on-close bit so that it can...
+// - Move the item to a temporary directory (with a random name).
+// - Paint the item with delete-on-close for good.
+//
+// Failure possibilities are:
+// - The item could not be opened.
+// - The item's attributes could not be read.
+// - The item was read-only and this attribute could not be cleared.
+// - The item could not be deleted for various legitimate reasons such as it
+//   being open without SHARE_DELETE access, or the current user not having
+//   permission to delete it.
+// - The file was moved out to the temp directory, could not be deleted, and
+//   could not be moved back to its original location. This will DCHECK in a
+//   debug build, as it is highly undesirable and so far outside of expectation.
+//
+// There also exists a partial success case where the item could not be moved
+// prior to deletion but was deleted in situ. This is essentially the Win32
+// DeleteFile behavior, also known as "better than nothing".
+class TreeDeleter {
+ public:
+  // Deletes |path| (a file or a directory). If |recursive| is true and |path|
+  // names a directory that does not have a reparse point (i.e., is not a mount
+  // point or a symlink), then recursively deletes the contents of |path| prior
+  // to deleting |path|. Returns false if |path| was not entirely deleted.
+  static bool RobustDelete(const FilePath& path,
+                           bool recursive,
+                           DeleteFileMetrics* metrics);
+
+ private:
+  TreeDeleter();
+
+  // Returns a random 8.3 ASCII filename.
+  static std::string GenerateRandomFileName();
+
+  // Returns true if the serial number of the volume on which |path| resides
+  // can be obtained, equals |volume_serial_number|, and a file can be created
+  // in the directory.
+  static bool IsSuitableTemporaryDirectory(const FilePath& path,
+                                           DWORD volume_serial_number);
+
+  // Deletes |path| (recursively, if |recursive|) with up to 4 retries.
+  bool BeginDelete(const FilePath& path, bool recursive);
+
+  // Sets |temp_dir_path_| to the path of a directory on the same volume as
+  // |path| (opened as |to_delete|) that will be used to temporarily hold files
+  // and directories as they are being deleted.
+  void ChooseTempDir(const FilePath& path, const win::ScopedHandle& to_delete);
+
+  // Main entrypoint to delete |path|. |level| indicates the current level of
+  // recursion. |recurse|, when true, indicates that the operation should
+  // recurse into directories.
+  bool Delete(const FilePath& path, int level, bool recurse);
+
+  // Main entrypoint to the open-and-delete-on-close strategy.
+  bool DeleteOnClose(const FilePath& path, int level, bool recurse);
+
+  // Deletes |path| (a file or an empty directory) using the traditional Win32
+  // APIs.
+  bool DeleteFallback(const FilePath& path);
+
+  // Deletes |to_delete|, using |basic_info| to adjust its attributes in the
+  // process.
+  bool DoDelete(const FilePath& path,
+                int level,
+                bool recurse,
+                const win::ScopedHandle& to_delete,
+                FILE_BASIC_INFO* basic_info);
+
+  // Deletes as much of the contents of |path| as possible, returning |true|
+  // only if everything within was deleted.
+  bool DeleteContents(const FilePath& path, int level);
+
+  // Moves |to_delete| out into the temp directory of the operation.
+  // |to_delete| is expected to already have its delete-on-close attribute set.
+  // This function will clear it, move the file, and re-establish
+  // delete-on-close. Returns false if the delete-on-close attribute is not set
+  // on exit.
+  bool MoveToTemp(const FilePath& path, const win::ScopedHandle& to_delete);
+
+  // Renames the item |to_delete| to |target|.
+  bool MoveTo(const win::ScopedHandle& to_delete, const FilePath& target);
+
+  // Metrics relating to the operation.
+  DeleteFileMetrics metrics_ = DeleteFileMetrics();
+
+  // The directory into which items are to be moved immediately prior to
+  // deletion.
+  FilePath temp_dir_path_;
+
+  // The size, in bytes, of the FILE_RENAME_INFO block.
+  size_t rename_info_buffer_size_ = 0;
+
+  // Holds a FILE_RENAME_INFO when the instance will be used to move files out
+  // of their current directory prior to deletion.
+  std::unique_ptr<uint8_t> rename_info_buffer_;
+
+  DISALLOW_COPY_AND_ASSIGN(TreeDeleter);
+};
+
+// static
+bool TreeDeleter::RobustDelete(const FilePath& path,
+                               bool recursive,
+                               DeleteFileMetrics* metrics) {
+  TreeDeleter deleter;
+  bool result = deleter.BeginDelete(MakeAbsoluteFilePath(path), recursive);
+  if (metrics)
+    *metrics = deleter.metrics_;
+  return result;
+}
+
+TreeDeleter::TreeDeleter() {}
+
+// static
+std::string TreeDeleter::GenerateRandomFileName() {
+  char random[5];
+  RandBytes(&random[0], sizeof(random));
+  return Base32Encode(StringPiece(&random[0], sizeof(random))).append(".tmp");
+}
+
+// static
+bool TreeDeleter::IsSuitableTemporaryDirectory(const FilePath& path,
+                                               DWORD volume_serial_number) {
+  BY_HANDLE_FILE_INFORMATION info = {};
+  File file(path, (File::FLAG_OPEN | File::FLAG_SHARE_DELETE |
+                   File::FLAG_BACKUP_SEMANTICS));
+  if (!file.IsValid()) {
+    PLOG(ERROR) << "Unable to get volume serial number of " << path.value();
+    return false;
+  }
+  if (!::GetFileInformationByHandle(file.GetPlatformFile(), &info) ||
+      info.dwVolumeSerialNumber != volume_serial_number) {
+    return false;
+  }
+  file.Close();
+
+  // Check that a file can be created in the directory.
+  file.Initialize(path.AppendASCII(GenerateRandomFileName()),
+                  (File::FLAG_CREATE | File::FLAG_WRITE | File::FLAG_TEMPORARY |
+                   File::FLAG_HIDDEN | File::FLAG_DELETE_ON_CLOSE |
+                   File::FLAG_SHARE_DELETE));
+  return file.IsValid();
+}
+
+bool TreeDeleter::BeginDelete(const FilePath& path, bool recursive) {
+  // Repeatedly attempt to delete |path| until there is nothing left that can be
+  // deleted. Bail out after five fruitless iterations (four retries).
+  int retries_without_progress = 0;
+  while (true) {
+    int total_deleted_before = metrics_.delete_on_close_success_count +
+                               metrics_.delete_file_success_count;
+    if (Delete(path, 0, recursive))
+      return true;  // Yay!
+    if (metrics_.delete_on_close_success_count +
+            metrics_.delete_file_success_count >
+        total_deleted_before) {
+      // Progress is being made; reset the retry count.
+      retries_without_progress = 0;
+    } else if (++retries_without_progress == 5) {
+      // Give up after making no progress five consecutive times.
+      break;
+    }
+    ++metrics_.total_retry_count;
+  }
+
+  return false;
+}
+
+void TreeDeleter::ChooseTempDir(const FilePath& path,
+                                const win::ScopedHandle& to_delete) {
+  DCHECK(temp_dir_path_.empty());
+
+  // Get the volume serial number of the path to be deleted.
+  BY_HANDLE_FILE_INFORMATION item_info = {};
+  if (::GetFileInformationByHandle(to_delete.Get(), &item_info)) {
+    FilePath temp_path;
+
+    // Try %TEMP%.
+    if (GetTempDir(&temp_path) &&
+        IsSuitableTemporaryDirectory(temp_path,
+                                     item_info.dwVolumeSerialNumber)) {
+      temp_dir_path_ = temp_path;
+      metrics_.temporary_directory_location = DeleteFileMetrics::TEMP;
+      return;
+    }
+
+    // Try X:\Temp and X:\Tmp.
+    wchar_t volume_path_name[MAX_PATH];
+    if (::GetVolumePathName(path.NormalizePathSeparators().value().c_str(),
+                            volume_path_name, arraysize(volume_path_name))) {
+      static constexpr const wchar_t* kTempNames[] = {L"Temp", L"Tmp"};
+      for (const wchar_t* temp_name : kTempNames) {
+        temp_path = FilePath(volume_path_name).Append(temp_name);
+        if (IsSuitableTemporaryDirectory(temp_path,
+                                         item_info.dwVolumeSerialNumber)) {
+          temp_dir_path_ = temp_path;
+          metrics_.temporary_directory_location =
+              DeleteFileMetrics::VOLUME_TEMP;
+          return;
+        }
+      }
+    }
+
+    // Try the parent dir of |path|.
+    temp_path = path.DirName().DirName();
+    if (IsSuitableTemporaryDirectory(temp_path,
+                                     item_info.dwVolumeSerialNumber)) {
+      temp_dir_path_ = temp_path;
+      metrics_.temporary_directory_location = DeleteFileMetrics::PARENT;
+      return;
+    }
+
+    // Try the dir of |path|.
+    temp_path = path.DirName();
+    if (IsSuitableTemporaryDirectory(temp_path,
+                                     item_info.dwVolumeSerialNumber)) {
+      temp_dir_path_ = temp_path;
+      metrics_.temporary_directory_location = DeleteFileMetrics::ITEM;
+      return;
+    }
+  }
+
+  PLOG(ERROR) << "Failed to get file info of " << path.value();
+  DCHECK(temp_dir_path_.empty());
+  metrics_.temporary_directory_location = DeleteFileMetrics::NONE;
+}
+
+bool TreeDeleter::Delete(const FilePath& path, int level, bool recurse) {
+  if (DeleteOnClose(path, level, recurse)) {
+    ++metrics_.delete_on_close_success_count;
+    return true;
+  }
+  if (DeleteFallback(path)) {
+    ++metrics_.delete_file_success_count;
+    return true;
+  }
+  ++metrics_.fail_count;
+  return false;
+}
+
+bool TreeDeleter::DeleteOnClose(const FilePath& path, int level, bool recurse) {
+  // Open the item to be deleted with permission to hide and delete it with full
+  // sharing. Note that backup semantics are required to open a directory.
+  // Operate on a link or a mount point (implemented via reparse points) itself
+  // rather than on its target.
+  win::ScopedHandle to_delete(::CreateFile(
+      path.value().c_str(),
+      DELETE | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES,
+      FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, nullptr,
+      OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT,
+      nullptr));
+  if (!to_delete.IsValid()) {
+    DWORD error = ::GetLastError();
+    if (error == ERROR_FILE_NOT_FOUND || error == ERROR_PATH_NOT_FOUND)
+      return true;
+    PLOG(ERROR) << "Failed to open " << path.value() << " for deletion";
+    return false;
+  }
+
+  if (metrics_.temporary_directory_location == DeleteFileMetrics::UNDECIDED)
+    ChooseTempDir(path, to_delete);
+
+  // Remove the item's read-only bit if it is set. This is required for
+  // deletion.
+  bool read_only_set = false;
+  FILE_BASIC_INFO basic_info = {};
+  if (!::GetFileInformationByHandleEx(to_delete.Get(), FileBasicInfo,
+                                      &basic_info, sizeof(basic_info))) {
+    PLOG(ERROR) << "Failed to read attributes of " << path.value();
+    return false;
+  }
+  if ((basic_info.FileAttributes & FILE_ATTRIBUTE_READONLY) != 0) {
+    basic_info.FileAttributes &= ~FILE_ATTRIBUTE_READONLY;
+    if (!::SetFileInformationByHandle(to_delete.Get(), FileBasicInfo,
+                                      &basic_info, sizeof(basic_info))) {
+      PLOG(ERROR) << "Failed to strip read-only attribute of " << path.value();
       return false;
     }
-  }
+    read_only_set = true;
+  }
+
+  if (DoDelete(path, level, recurse, to_delete, &basic_info))
+    return true;
+
+  // Restore the item's read-only state on failure.
+  if (read_only_set) {
+    basic_info.FileAttributes |= FILE_ATTRIBUTE_READONLY;
+    if (!::SetFileInformationByHandle(to_delete.Get(), FileBasicInfo,
+                                      &basic_info, sizeof(basic_info))) {
+      PLOG(ERROR) << "Failed to restore read-only attribute of "
+                  << path.value();
+    }
+  }
+  return false;
+}
+
+bool TreeDeleter::DeleteFallback(const FilePath& path) {
+  // Try a straight-up delete as a fallback. Don't bother figuring out if |path|
+  // names a file or an empty directory; just try both.
+  return ::DeleteFile(path.value().c_str()) ||
+         ::RemoveDirectory(path.value().c_str());
+}
+
+bool TreeDeleter::DoDelete(const FilePath& path,
+                           int level,
+                           bool recurse,
+                           const win::ScopedHandle& to_delete,
+                           FILE_BASIC_INFO* basic_info) {
+  // Recurse into this item if desired, this item is a directory, and this item
+  // does not have a reparse point (i.e., is not a mount point, a symlink, or
+  // some other directory-like thing implemented by a filesystem filter).
+  if (recurse && (basic_info->FileAttributes & FILE_ATTRIBUTE_DIRECTORY) != 0 &&
+      (basic_info->FileAttributes & FILE_ATTRIBUTE_REPARSE_POINT) == 0 &&
+      !DeleteContents(path, level + 1)) {
+    return false;
+  }
+
+  // Check to see if it's possible to delete this item. A non-empty directory,
+  // for example, cannot be deleted.
+  FILE_DISPOSITION_INFO disposition = {TRUE};  // DeleteFile
+  if (!::SetFileInformationByHandle(to_delete.Get(), FileDispositionInfo,
+                                    &disposition, sizeof(disposition))) {
+    PLOG(ERROR) << "Unable to delete " << path.value();
+    return false;
+  }
+
+  // The item will now be deleted when all handles are closed. Hide it so that
+  // it appears to vanish right away and so that any other procs (e.g.,
+  // explorer.exe) observing the temp directory have a greater likelihood of
+  // not reacting when a new file suddenly appears and disappears.
+  bool hidden_set = false;
+  if ((basic_info->FileAttributes & FILE_ATTRIBUTE_HIDDEN) == 0) {
+    basic_info->FileAttributes |= FILE_ATTRIBUTE_HIDDEN;
+    if (!::SetFileInformationByHandle(to_delete.Get(), FileBasicInfo,
+                                      basic_info, sizeof(*basic_info))) {
+      PLOG(WARNING) << "Failed to hide " << path.value();
+    }
+    hidden_set = true;
+  }
+
+  if (temp_dir_path_.empty() || MoveToTemp(path, to_delete))
+    return true;
+
+  // The item couldn't be deleted. Restore its visibility.
+  if (hidden_set) {
+    basic_info->FileAttributes &= ~FILE_ATTRIBUTE_HIDDEN;
+    if (!::SetFileInformationByHandle(to_delete.Get(), FileBasicInfo,
+                                      basic_info, sizeof(*basic_info))) {
+      PLOG(WARNING) << "Failed to unhide " << path.value();
+    }
+  }
+  return false;
+}
+
+bool TreeDeleter::DeleteContents(const FilePath& path, int level) {
+  metrics_.max_depth = std::max(metrics_.max_depth, level);
+
+  // Recursively (and greedily) delete everything in |path|.
+  bool items_failed = false;
+  FileEnumerator enumer(path, false,
+                        (FileEnumerator::DIRECTORIES | FileEnumerator::FILES));
+  for (FilePath item = enumer.Next(); !item.empty(); item = enumer.Next()) {
+    if (!Delete(item, level, true /* recurse */))
+      items_failed = true;
+  }
+
+  // Report success in the absence of failures.
+  return !items_failed;
+}
+
+bool TreeDeleter::MoveToTemp(const FilePath& path,
+                             const win::ScopedHandle& to_delete) {
+  DCHECK(!temp_dir_path_.empty());
+  // Do the shuffle to move the item out to the temp directory so that a new
+  // item with the same name can be created immediately in this directory, or
+  // so that the containing directory can be deleted immediately.
+
+  // Revoke deletion so that the item can be moved.
+  FILE_DISPOSITION_INFO disposition = {FALSE};  // DeleteFile
+  if (!::SetFileInformationByHandle(to_delete.Get(), FileDispositionInfo,
+                                    &disposition, sizeof(disposition))) {
+    PLOG(WARNING) << "Unable to revoke deletion of " << path.value()
+                  << "; skipping move to temp";
+    return true;
+  }
+
+  // Move the file out to the temp directory. Failure to move is not a fatal
+  // failure, though it will lead to a race when deleting the containing
+  // directory. This is mitigated by retries in directory deletion.
+  bool file_moved = false;
+  int attempts = 0;
+  do {
+    file_moved =
+        MoveTo(to_delete, temp_dir_path_.AppendASCII(GenerateRandomFileName()));
+  } while (!file_moved && ++attempts < 5);
+
+  // Mark the file to be deleted on close once again.
+  disposition.DeleteFile = TRUE;
+  if (!::SetFileInformationByHandle(to_delete.Get(), FileDispositionInfo,
+                                    &disposition, sizeof(disposition))) {
+    // This is unexpected since the file was to be deleted moments ago, but is
+    // possible (e.g., another process has mapped it into memory).
+    PLOG(ERROR) << "Failed to mark file to be deleted on close";
+
+    if (file_moved) {
+      // Try to move the file back to where it was. If this fails, we're in the
+      // town of cats and leaving the file in the wrong place. Regardless, make
+      // a final attempt to mark the file for deletion.
+      bool file_moved_back = MoveTo(to_delete, path);
+      LONG error = ::GetLastError();
+      if (::SetFileInformationByHandle(to_delete.Get(), FileDispositionInfo,
+                                       &disposition, sizeof(disposition))) {
+        // Whew! The file will eventually be deleted in situ.
+        if (!file_moved_back)
+          ++metrics_.move_to_temp_count;
+        return true;
+      }
+      if (!file_moved_back) {
+        ::SetLastError(error);
+        PLOG(DFATAL) << "Failed to move item back to original location";
+      }
+    }
+    return false;
+  }
+
+  ++metrics_.move_to_temp_count;
+
   return true;
 }
+
+bool TreeDeleter::MoveTo(const win::ScopedHandle& to_delete,
+                         const FilePath& target) {
+  // Compute the proper size of the FILE_RENAME_INFO including the target path.
+  size_t path_bytes = (target.value().length() + 1) * sizeof(wchar_t);
+  size_t struct_size = offsetof(FILE_RENAME_INFO, FileName) + path_bytes;
+
+  // Allocate a new buffer if needed.
+  if (rename_info_buffer_size_ < struct_size) {
+    rename_info_buffer_.reset();
+    rename_info_buffer_.reset(new uint8_t[struct_size]);
+    rename_info_buffer_size_ = struct_size;
+  }
+
+  // Formulate a FILE_RENAME_INFO struct in the buffer.
+  FILE_RENAME_INFO* file_rename_info =
+      reinterpret_cast<FILE_RENAME_INFO*>(rename_info_buffer_.get());
+  file_rename_info->ReplaceIfExists = FALSE;
+  file_rename_info->RootDirectory = nullptr;
+  file_rename_info->FileNameLength = target.value().length();
+  ::memcpy(&file_rename_info->FileName[0], target.value().c_str(), path_bytes);
+
+  if (!::SetFileInformationByHandle(to_delete.Get(), FileRenameInfo,
+                                    file_rename_info, struct_size)) {
+    PLOG(ERROR) << "Failed to move item to " << target.value();
+    return false;
+  }
+  return true;
+}
 
 }  // namespace
 
 FilePath MakeAbsoluteFilePath(const FilePath& input) {
   ThreadRestrictions::AssertIOAllowed();
   wchar_t file_path[MAX_PATH];
   if (!_wfullpath(file_path, input.value().c_str(), MAX_PATH))
     return FilePath();
   return FilePath(file_path);
 }
 
 bool DeleteFile(const FilePath& path, bool recursive) {
+  return DeleteFileWithMetrics(path, recursive, nullptr);
+}
+
+bool DeleteFileWithMetrics(const FilePath& path,
+                           bool recursive,
+                           DeleteFileMetrics* metrics) {
   ThreadRestrictions::AssertIOAllowed();
 
+  // Wildcards are not supported.
+  DCHECK_EQ(path.BaseName().value().find_first_of(L"*?"),
+            FilePath::StringType::npos);
+
   if (path.empty())
     return true;
 
   if (path.value().length() >= MAX_PATH)
     return false;
 
-  // Handle any path with wildcards.
-  if (path.BaseName().value().find_first_of(L"*?") !=
-      FilePath::StringType::npos) {
-    return DeleteFileRecursive(path.DirName(), path.BaseName().value(),
-                               recursive);
-  }
-  DWORD attr = GetFileAttributes(path.value().c_str());
-  // We're done if we can't find the path.
-  if (attr == INVALID_FILE_ATTRIBUTES)
-    return true;
-  // We may need to clear the read-only bit.
-  if ((attr & FILE_ATTRIBUTE_READONLY) &&
-      !SetFileAttributes(path.value().c_str(),
-                          attr & ~FILE_ATTRIBUTE_READONLY)) {
-    return false;
-  }
-  // Directories are handled differently if they're recursive.
-  if (!(attr & FILE_ATTRIBUTE_DIRECTORY))
-    return !!::DeleteFile(path.value().c_str());
-  // Handle a simple, single file delete.
-  if (!recursive || DeleteFileRecursive(path, L"*", true))
-    return !!RemoveDirectory(path.value().c_str());
-
-  return false;
+  return TreeDeleter::RobustDelete(path, recursive, metrics);
 }
 
 bool DeleteFileAfterReboot(const FilePath& path) {
   ThreadRestrictions::AssertIOAllowed();
 
   if (path.value().length() >= MAX_PATH)
     return false;
 
   return MoveFileEx(path.value().c_str(), NULL,
                     MOVEFILE_DELAY_UNTIL_REBOOT |
@@ skipping 694 matching lines @@
     // Like Move, this function is not transactional, so we just
     // leave the copied bits behind if deleting from_path fails.
     // If to_path exists previously then we have already overwritten
     // it by now, we don't get better off by deleting the new bits.
   }
   return false;
 }
 
 }  // namespace internal
 }  // namespace base