tor-browser

FileUtils.cpp (29259B)

---

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=8 sts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "CacheCipherKeyManager.h"
#include "DBSchema.h"
#include "FileUtilsImpl.h"
#include "mozilla/ScopeExit.h"
#include "mozilla/SnappyCompressOutputStream.h"
#include "mozilla/dom/InternalResponse.h"
#include "mozilla/dom/quota/DecryptingInputStream.h"
#include "mozilla/dom/quota/DecryptingInputStream_impl.h"
#include "mozilla/dom/quota/EncryptingOutputStream.h"
#include "mozilla/dom/quota/EncryptingOutputStream_impl.h"
#include "mozilla/dom/quota/FileStreams.h"
#include "mozilla/dom/quota/PersistenceType.h"
#include "mozilla/dom/quota/QuotaManager.h"
#include "mozilla/dom/quota/QuotaObject.h"
#include "mozilla/dom/quota/ResultExtensions.h"
#include "nsIFile.h"
#include "nsIObjectInputStream.h"
#include "nsIObjectOutputStream.h"
#include "nsIUUIDGenerator.h"
#include "nsNetCID.h"
#include "nsNetUtil.h"
#include "nsServiceManagerUtils.h"
#include "nsString.h"
#include "nsThreadUtils.h"
#include "snappy/snappy.h"

namespace mozilla::dom::cache {

static_assert(SNAPPY_VERSION == 0x010202);

using mozilla::dom::quota::Client;
using mozilla::dom::quota::CloneFileAndAppend;
using mozilla::dom::quota::GetDirEntryKind;
using mozilla::dom::quota::nsIFileKind;
using mozilla::dom::quota::QuotaManager;
using mozilla::dom::quota::QuotaObject;

namespace {

// Const variable for generate padding size.
// XXX This will be tweaked to something more meaningful in Bug 1383656.
const int64_t kRoundUpNumber = 20480;

// At the moment, the encrypted stream block size is assumed to be unchangeable
// between encrypting and decrypting blobs. This assumptions holds as long as we
// only encrypt in private browsing mode, but when we support encryption for
// persistent storage, this needs to be changed.
constexpr uint32_t kEncryptedStreamBlockSize = 4096;

enum BodyFileType { BODY_FILE_FINAL, BODY_FILE_TMP };

Result<NotNull<nsCOMPtr<nsIFile>>, nsresult> BodyIdToFile(
   nsIFile& aBaseDir, const nsID& aId, BodyFileType aType,
   bool aCreateDirIfNotExists = false);

int64_t RoundUp(int64_t aX, int64_t aY);

// The alogrithm for generating padding refers to the mitigation approach in
// https://github.com/whatwg/storage/issues/31.
// First, generate a random number between 0 and 100kB.
// Next, round up the sum of random number and response size to the nearest
// 20kB.
// Finally, the virtual padding size will be the result minus the response size.
int64_t BodyGeneratePadding(int64_t aBodyFileSize, uint32_t aPaddingInfo);

nsresult DirectoryPaddingWrite(nsIFile& aBaseDir,
                              DirPaddingFile aPaddingFileType,
                              int64_t aPaddingSize);

const auto kMorgueDirectory = u"morgue"_ns;

bool IsFileNotFoundError(const nsresult aRv) {
 return aRv == NS_ERROR_FILE_NOT_FOUND;
}

Result<NotNull<nsCOMPtr<nsIFile>>, nsresult> BodyGetCacheDir(
   nsIFile& aBaseDir, const nsID& aId, bool aCreateDirIfNotExists = true) {
 QM_TRY_UNWRAP(auto cacheDir, CloneFileAndAppend(aBaseDir, kMorgueDirectory));

 // Some file systems have poor performance when there are too many files
 // in a single directory.  Mitigate this issue by spreading the body
 // files out into sub-directories.  We use the last byte of the ID for
 // the name of the sub-directory.
 QM_TRY(MOZ_TO_RESULT(cacheDir->Append(IntToString(aId.m3[7]))));

 if (aCreateDirIfNotExists) {
   bool exists;
   QM_TRY(MOZ_TO_RESULT(cacheDir->Exists(&exists)));
   if (!exists) {
     QM_TRY(QM_OR_ELSE_LOG_VERBOSE_IF(
         // Expression.
         MOZ_TO_RESULT(cacheDir->Create(nsIFile::DIRECTORY_TYPE, 0755)),
         // Predicate.
         IsSpecificError<NS_ERROR_FILE_ALREADY_EXISTS>,
         // Fallback.
         ErrToDefaultOk<>));
   }
 }

 return WrapNotNullUnchecked(std::move(cacheDir));
}

}  // namespace

nsresult BodyCreateDir(nsIFile& aBaseDir) {
 QM_TRY_INSPECT(const auto& bodyDir,
                CloneFileAndAppend(aBaseDir, kMorgueDirectory));

 // Callers call this function without checking if the directory already
 // exists (idempotent usage). QM_OR_ELSE_WARN_IF is not used here since we
 // just want to log NS_ERROR_FILE_ALREADY_EXISTS result and not spam the
 // reports.
 QM_TRY(QM_OR_ELSE_LOG_VERBOSE_IF(
     // Expression.
     MOZ_TO_RESULT(bodyDir->Create(nsIFile::DIRECTORY_TYPE, 0755)),
     // Predicate.
     IsSpecificError<NS_ERROR_FILE_ALREADY_EXISTS>,
     // Fallback.
     ErrToDefaultOk<>));

 return NS_OK;
}

nsresult BodyDeleteDir(const CacheDirectoryMetadata& aDirectoryMetadata,
                      nsIFile& aBaseDir) {
 QM_TRY_INSPECT(const auto& bodyDir,
                CloneFileAndAppend(aBaseDir, kMorgueDirectory));

 QM_TRY(MOZ_TO_RESULT(RemoveNsIFileRecursively(aDirectoryMetadata, *bodyDir)));

 return NS_OK;
}

Result<nsCOMPtr<nsISupports>, nsresult> BodyStartWriteStream(
   const CacheDirectoryMetadata& aDirectoryMetadata, nsIFile& aBaseDir,
   const nsID& aBodyId, Maybe<CipherKey> aMaybeCipherKey,
   nsIInputStream& aSource, void* aClosure, nsAsyncCopyCallbackFun aCallback) {
 MOZ_DIAGNOSTIC_ASSERT(aClosure);
 MOZ_DIAGNOSTIC_ASSERT(aCallback);

 // Check if the final file already exists, in which case we error out.
 {
   QM_TRY_INSPECT(const auto& finalFile,
                  // There's no need to create the cache directory in this
                  // case since we're just checking.
                  BodyIdToFile(aBaseDir, aBodyId, BODY_FILE_FINAL,
                               /* aCreateDirIfNotExists */ false));

   QM_TRY_INSPECT(const bool& exists,
                  MOZ_TO_RESULT_INVOKE_MEMBER(*finalFile, Exists));

   QM_TRY(OkIf(!exists), Err(NS_ERROR_FILE_ALREADY_EXISTS));
 }

 QM_TRY_INSPECT(const auto& tmpFile,
                // We do want to create and write to the file here, so we do
                // need to ensure the directory exists.
                BodyIdToFile(aBaseDir, aBodyId, BODY_FILE_TMP,
                             /* aCreateDirIfNotExists */ true));

 QM_TRY_UNWRAP(nsCOMPtr<nsIOutputStream> fileStream,
               CreateFileOutputStream(aDirectoryMetadata.mPersistenceType,
                                      aDirectoryMetadata, Client::DOMCACHE,
                                      tmpFile.get()));

 const auto privateBody = aDirectoryMetadata.mIsPrivate;
 if (privateBody) {
   MOZ_DIAGNOSTIC_ASSERT(aMaybeCipherKey);

   fileStream = MakeRefPtr<quota::EncryptingOutputStream<CipherStrategy>>(
       std::move(fileStream), kEncryptedStreamBlockSize, *aMaybeCipherKey);
 }

 const auto compressed = MakeRefPtr<SnappyCompressOutputStream>(fileStream);

 const nsCOMPtr<nsIEventTarget> target =
     do_GetService(NS_STREAMTRANSPORTSERVICE_CONTRACTID);

 nsCOMPtr<nsISupports> copyContext;
 QM_TRY(MOZ_TO_RESULT(
     NS_AsyncCopy(&aSource, compressed, target, NS_ASYNCCOPY_VIA_WRITESEGMENTS,
                  compressed->BlockSize(), aCallback, aClosure, true,
                  true,  // close streams
                  getter_AddRefs(copyContext))));

 return std::move(copyContext);
}

void BodyCancelWrite(nsISupports& aCopyContext) {
 QM_WARNONLY_TRY(
     QM_TO_RESULT(NS_CancelAsyncCopy(&aCopyContext, NS_ERROR_ABORT)));

 // TODO The partially written file must be cleaned up after the async copy
 // makes its callback.
}

Result<int64_t, nsresult> BodyFinalizeWrite(nsIFile& aBaseDir,
                                           const nsID& aId) {
 QM_TRY_INSPECT(const auto& tmpFile,
                BodyIdToFile(aBaseDir, aId, BODY_FILE_TMP));

 QM_TRY_INSPECT(const auto& finalFile,
                BodyIdToFile(aBaseDir, aId, BODY_FILE_FINAL));

 nsAutoString finalFileName;
 QM_TRY(MOZ_TO_RESULT(finalFile->GetLeafName(finalFileName)));

 // It's fine to not notify the QuotaManager that the path has been changed,
 // because its path will be updated and its size will be recalculated when
 // opening file next time.
 QM_TRY(MOZ_TO_RESULT(tmpFile->RenameTo(nullptr, finalFileName)));

 QM_TRY_INSPECT(const int64_t& fileSize,
                MOZ_TO_RESULT_INVOKE_MEMBER(*finalFile, GetFileSize));

 return fileSize;
}

Result<int64_t, nsresult> GetBodyDiskSize(nsIFile& aBaseDir, const nsID& aId) {
 QM_TRY_INSPECT(const auto& finalFile,
                BodyIdToFile(aBaseDir, aId, BODY_FILE_FINAL));

 QM_TRY_INSPECT(const int64_t& fileSize,
                MOZ_TO_RESULT_INVOKE_MEMBER(*finalFile, GetFileSize));

 return fileSize;
}

Result<MovingNotNull<nsCOMPtr<nsIInputStream>>, nsresult> BodyOpen(
   const CacheDirectoryMetadata& aDirectoryMetadata, nsIFile& aBaseDir,
   const nsID& aId, Maybe<CipherKey> aMaybeCipherKey) {
 QM_TRY_INSPECT(const auto& finalFile,
                BodyIdToFile(aBaseDir, aId, BODY_FILE_FINAL));

 QM_TRY_UNWRAP(nsCOMPtr<nsIInputStream> fileInputStream,
               CreateFileInputStream(aDirectoryMetadata.mPersistenceType,
                                     aDirectoryMetadata, Client::DOMCACHE,
                                     finalFile.get()));

 auto privateBody = aDirectoryMetadata.mIsPrivate;
 if (privateBody) {
   MOZ_DIAGNOSTIC_ASSERT(aMaybeCipherKey);

   fileInputStream = new quota::DecryptingInputStream<CipherStrategy>(
       WrapNotNull(std::move(fileInputStream)), kEncryptedStreamBlockSize,
       *aMaybeCipherKey);
 }
 return WrapMovingNotNull(std::move(fileInputStream));
}

nsresult BodyMaybeUpdatePaddingSize(
   const CacheDirectoryMetadata& aDirectoryMetadata, nsIFile& aBaseDir,
   const nsID& aId, const uint32_t aPaddingInfo, int64_t* aPaddingSizeInOut) {
 MOZ_DIAGNOSTIC_ASSERT(aPaddingSizeInOut);

 QM_TRY_INSPECT(const auto& bodyFile,
                BodyIdToFile(aBaseDir, aId, BODY_FILE_TMP));

 QuotaManager* quotaManager = QuotaManager::Get();
 MOZ_DIAGNOSTIC_ASSERT(quotaManager);

 int64_t fileSize = 0;
 RefPtr<QuotaObject> quotaObject = quotaManager->GetQuotaObject(
     aDirectoryMetadata.mPersistenceType, aDirectoryMetadata, Client::DOMCACHE,
     bodyFile.get(), -1, &fileSize);
 MOZ_DIAGNOSTIC_ASSERT(quotaObject);
 MOZ_DIAGNOSTIC_ASSERT(fileSize >= 0);
 // XXXtt: bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1422815
 if (!quotaObject) {
   return NS_ERROR_UNEXPECTED;
 }

 if (*aPaddingSizeInOut == InternalResponse::UNKNOWN_PADDING_SIZE) {
   *aPaddingSizeInOut = BodyGeneratePadding(fileSize, aPaddingInfo);
 }

 MOZ_DIAGNOSTIC_ASSERT(*aPaddingSizeInOut >= 0);

 if (!quotaObject->IncreaseSize(*aPaddingSizeInOut)) {
   return NS_ERROR_FILE_NO_DEVICE_SPACE;
 }

 return NS_OK;
}

nsresult BodyDeleteFiles(const CacheDirectoryMetadata& aDirectoryMetadata,
                        nsIFile& aBaseDir, const nsTArray<nsID>& aIdList) {
 for (const auto id : aIdList) {
   bool exists;

   QM_TRY_INSPECT(const auto& finalFile,
                  BodyIdToFile(aBaseDir, id, BODY_FILE_FINAL));
   QM_TRY(MOZ_TO_RESULT(finalFile->Exists(&exists)));
   if (exists) {
     QM_TRY(MOZ_TO_RESULT(RemoveNsIFile(aDirectoryMetadata, *finalFile,
                                        /* aTrackQuota */ true)));
   }

   QM_TRY_INSPECT(const auto& tempFile,
                  BodyIdToFile(aBaseDir, id, BODY_FILE_TMP));
   QM_TRY(MOZ_TO_RESULT(tempFile->Exists(&exists)));
   if (exists) {
     QM_TRY(MOZ_TO_RESULT(RemoveNsIFile(aDirectoryMetadata, *tempFile,
                                        /* aTrackQuota */ true)));
   }
 }

 return NS_OK;
}

namespace {

Result<NotNull<nsCOMPtr<nsIFile>>, nsresult> BodyIdToFile(
   nsIFile& aBaseDir, const nsID& aId, const BodyFileType aType,
   bool aCreateDirIfNotExists) {
 QM_TRY_UNWRAP(auto bodyFile,
               BodyGetCacheDir(aBaseDir, aId, aCreateDirIfNotExists));

 char idString[NSID_LENGTH];
 aId.ToProvidedString(idString);

 NS_ConvertASCIItoUTF16 fileName(idString);

 if (aType == BODY_FILE_FINAL) {
   fileName.AppendLiteral(".final");
 } else {
   fileName.AppendLiteral(".tmp");
 }

 QM_TRY(MOZ_TO_RESULT(bodyFile->Append(fileName)));

 return bodyFile;
}

int64_t RoundUp(const int64_t aX, const int64_t aY) {
 MOZ_DIAGNOSTIC_ASSERT(aX >= 0);
 MOZ_DIAGNOSTIC_ASSERT(aY > 0);

 MOZ_DIAGNOSTIC_ASSERT(INT64_MAX - ((aX - 1) / aY) * aY >= aY);
 return aY + ((aX - 1) / aY) * aY;
}

int64_t BodyGeneratePadding(const int64_t aBodyFileSize,
                           const uint32_t aPaddingInfo) {
 // Generate padding
 int64_t randomSize = static_cast<int64_t>(aPaddingInfo);
 MOZ_DIAGNOSTIC_ASSERT(INT64_MAX - aBodyFileSize >= randomSize);
 randomSize += aBodyFileSize;

 return RoundUp(randomSize, kRoundUpNumber) - aBodyFileSize;
}

nsresult DirectoryPaddingWrite(nsIFile& aBaseDir,
                              DirPaddingFile aPaddingFileType,
                              int64_t aPaddingSize) {
 MOZ_DIAGNOSTIC_ASSERT(aPaddingSize >= 0);

 QM_TRY_INSPECT(
     const auto& file,
     CloneFileAndAppend(aBaseDir, aPaddingFileType == DirPaddingFile::TMP_FILE
                                      ? nsLiteralString(PADDING_TMP_FILE_NAME)
                                      : nsLiteralString(PADDING_FILE_NAME)));

 QM_TRY_INSPECT(const auto& outputStream, NS_NewLocalFileOutputStream(file));

 nsCOMPtr<nsIObjectOutputStream> objectStream =
     NS_NewObjectOutputStream(outputStream);

 QM_TRY(MOZ_TO_RESULT(objectStream->Write64(aPaddingSize)));

 return NS_OK;
}

}  // namespace

nsresult BodyDeleteOrphanedFiles(
   const CacheDirectoryMetadata& aDirectoryMetadata, nsIFile& aBaseDir,
   nsTHashSet<nsID>& aKnownBodyIds) {
 // body files are stored in a directory structure like:
 //
 //  /morgue/01/{01fdddb2-884d-4c3d-95ba-0c8062f6c325}.final
 //  /morgue/02/{02fdddb2-884d-4c3d-95ba-0c8062f6c325}.tmp

 Maybe<CacheDirectoryMetadata> dirMetaData = Some(aDirectoryMetadata);

 QM_TRY_INSPECT(const auto& dir,
                CloneFileAndAppend(aBaseDir, kMorgueDirectory));

 // Iterate over all the intermediate morgue subdirs
 QM_TRY(quota::CollectEachFile(
     *dir,
     [&dirMetaData, &aKnownBodyIds](
         const nsCOMPtr<nsIFile>& subdir) -> Result<Ok, nsresult> {
       QM_TRY_INSPECT(const auto& dirEntryKind, GetDirEntryKind(*subdir));

       switch (dirEntryKind) {
         case nsIFileKind::ExistsAsDirectory: {
           const auto removeOrphanedFiles =
               [&dirMetaData, &aKnownBodyIds](
                   nsIFile& bodyFile,
                   const nsACString& leafName) -> Result<bool, nsresult> {
             // Finally, parse the uuid out of the name.  If it fails to parse,
             // then ignore the file.
             auto cleanup = MakeScopeExit([&dirMetaData, &bodyFile] {
               DebugOnly<nsresult> result =
                   RemoveNsIFile(dirMetaData, bodyFile);
               MOZ_ASSERT(NS_SUCCEEDED(result));
             });

             nsID id;
             QM_TRY(OkIf(id.Parse(leafName.BeginReading())), true);

             if (!aKnownBodyIds.Contains(id)) {
               return true;
             }

             cleanup.release();

             return false;
           };

           // QM_OR_ELSE_WARN_IF is not used here since we just want to log
           // NS_ERROR_FILE_FS_CORRUPTED result and not spam the reports (even
           // a warning in the reports is not desired).
           QM_TRY(QM_OR_ELSE_LOG_VERBOSE_IF(
               // Expression.
               MOZ_TO_RESULT(BodyTraverseFilesForCleanup(dirMetaData, *subdir,
                                                         removeOrphanedFiles)),
               // Predicate.
               IsSpecificError<NS_ERROR_FILE_FS_CORRUPTED>,
               // Fallback. We treat NS_ERROR_FILE_FS_CORRUPTED as if the
               // directory did not exist at all.
               ErrToDefaultOk<>));
           break;
         }

         case nsIFileKind::ExistsAsFile: {
           // If a file got in here somehow, try to remove it and move on
           DebugOnly<nsresult> result = RemoveNsIFile(dirMetaData, *subdir,
                                                      /* aTrackQuota */ false);
           MOZ_ASSERT(NS_SUCCEEDED(result));
           break;
         }

         case nsIFileKind::DoesNotExist:
           // Ignore files that got removed externally while iterating.
           break;
       }

       return Ok{};
     }));

 return NS_OK;
}

namespace {

Result<nsCOMPtr<nsIFile>, nsresult> GetMarkerFileHandle(
   const CacheDirectoryMetadata& aDirectoryMetadata) {
 QM_TRY_UNWRAP(auto marker,
               CloneFileAndAppend(*aDirectoryMetadata.mDir, u"cache"_ns));

 QM_TRY(MOZ_TO_RESULT(marker->Append(u"context_open.marker"_ns)));

 return marker;
}

}  // namespace

nsresult CreateMarkerFile(const CacheDirectoryMetadata& aDirectoryMetadata) {
 QM_TRY_INSPECT(const auto& marker, GetMarkerFileHandle(aDirectoryMetadata));

 // Callers call this function without checking if the file already exists
 // (idempotent usage). QM_OR_ELSE_WARN_IF is not used here since we just want
 // to log NS_ERROR_FILE_ALREADY_EXISTS result and not spam the reports.
 //
 // TODO: In theory if this file exists, then Context::~Context should have
 // cleaned it up, but obviously we can crash and not clean it up, which is
 // the whole point of the marker file. In that case, we'll realize the marker
 // file exists in SetupAction::RunSyncWithDBOnTarget and do some cleanup, but
 // we won't delete the marker file, so if we see this marker file, it is part
 // of our standard operating procedure to redundantly try and create the
 // marker here. We currently treat this as idempotent usage, but we could
 // make sure to delete the marker file when handling the existing marker
 // file in SetupAction::RunSyncWithDBOnTarget and change
 // QM_OR_ELSE_LOG_VERBOSE_IF to QM_OR_ELSE_WARN_IF in the end.
 QM_TRY(QM_OR_ELSE_LOG_VERBOSE_IF(
     // Expression.
     MOZ_TO_RESULT(marker->Create(nsIFile::NORMAL_FILE_TYPE, 0644)),
     // Predicate.
     IsSpecificError<NS_ERROR_FILE_ALREADY_EXISTS>,
     // Fallback.
     ErrToDefaultOk<>));

 // Note, we don't need to fsync here.  We only care about actually
 // writing the marker if later modifications to the Cache are
 // actually flushed to the disk.  If the OS crashes before the marker
 // is written then we are ensured no other changes to the Cache were
 // flushed either.

 return NS_OK;
}

nsresult DeleteMarkerFile(const CacheDirectoryMetadata& aDirectoryMetadata) {
 QM_TRY_INSPECT(const auto& marker, GetMarkerFileHandle(aDirectoryMetadata));

 DebugOnly<nsresult> result =
     RemoveNsIFile(aDirectoryMetadata, *marker, /* aTrackQuota */ false);
 MOZ_ASSERT(NS_SUCCEEDED(result));

 // Again, no fsync is necessary.  If the OS crashes before the file
 // removal is flushed, then the Cache will search for stale data on
 // startup.  This will cause the next Cache access to be a bit slow, but
 // it seems appropriate after an OS crash.

 return NS_OK;
}

bool MarkerFileExists(const CacheDirectoryMetadata& aDirectoryMetadata) {
 QM_TRY_INSPECT(const auto& marker, GetMarkerFileHandle(aDirectoryMetadata),
                false);

 QM_TRY_RETURN(MOZ_TO_RESULT_INVOKE_MEMBER(marker, Exists), false);
}

nsresult RemoveNsIFileRecursively(
   const Maybe<CacheDirectoryMetadata>& aDirectoryMetadata, nsIFile& aFile,
   const bool aTrackQuota) {
 // XXX This assertion proves that we can remove aTrackQuota and just check
 // aClientMetadata
 MOZ_DIAGNOSTIC_ASSERT_IF(aTrackQuota, aDirectoryMetadata);

 QM_TRY_INSPECT(const auto& dirEntryKind, GetDirEntryKind(aFile));

 switch (dirEntryKind) {
   case nsIFileKind::ExistsAsDirectory:
     // Unfortunately, we need to traverse all the entries and delete files one
     // by
     // one to update their usages to the QuotaManager.
     QM_TRY(quota::CollectEachFile(
         aFile,
         [&aDirectoryMetadata, &aTrackQuota](
             const nsCOMPtr<nsIFile>& file) -> Result<Ok, nsresult> {
           QM_TRY(MOZ_TO_RESULT(RemoveNsIFileRecursively(aDirectoryMetadata,
                                                         *file, aTrackQuota)));

           return Ok{};
         }));

     // In the end, remove the folder
     QM_TRY(MOZ_TO_RESULT(aFile.Remove(/* recursive */ false)));

     break;

   case nsIFileKind::ExistsAsFile:
     return RemoveNsIFile(aDirectoryMetadata, aFile, aTrackQuota);

   case nsIFileKind::DoesNotExist:
     // Ignore files that got removed externally while iterating.
     break;
 }

 return NS_OK;
}

nsresult RemoveNsIFile(const Maybe<CacheDirectoryMetadata>& aDirectoryMetadata,
                      nsIFile& aFile, const bool aTrackQuota) {
 // XXX This assertion proves that we can remove aTrackQuota and just check
 // aClientMetadata
 MOZ_DIAGNOSTIC_ASSERT_IF(aTrackQuota, aDirectoryMetadata);

 int64_t fileSize = 0;
 if (aTrackQuota) {
   QM_TRY_INSPECT(
       const auto& maybeFileSize,
       QM_OR_ELSE_WARN_IF(
           // Expression.
           MOZ_TO_RESULT_INVOKE_MEMBER(aFile, GetFileSize).map(Some<int64_t>),
           // Predicate.
           IsFileNotFoundError,
           // Fallback.
           ErrToDefaultOk<Maybe<int64_t>>));

   if (!maybeFileSize) {
     return NS_OK;
   }

   fileSize = *maybeFileSize;
 }

 QM_TRY(QM_OR_ELSE_WARN_IF(
     // Expression.
     MOZ_TO_RESULT(aFile.Remove(/* recursive */ false)),
     // Predicate.
     IsFileNotFoundError,
     // Fallback.
     ErrToDefaultOk<>));

 if (fileSize > 0) {
   MOZ_ASSERT(aTrackQuota);
   DecreaseUsageForDirectoryMetadata(*aDirectoryMetadata, fileSize);
 }

 return NS_OK;
}

void DecreaseUsageForDirectoryMetadata(
   const CacheDirectoryMetadata& aDirectoryMetadata,
   const int64_t aUpdatingSize) {
 MOZ_DIAGNOSTIC_ASSERT(aUpdatingSize > 0);

 QuotaManager* quotaManager = QuotaManager::Get();
 MOZ_DIAGNOSTIC_ASSERT(quotaManager);

 quotaManager->DecreaseUsageForClient(
     quota::ClientMetadata{aDirectoryMetadata, Client::DOMCACHE},
     aUpdatingSize);
}

bool DirectoryPaddingFileExists(nsIFile& aBaseDir,
                               DirPaddingFile aPaddingFileType) {
 QM_TRY_INSPECT(
     const auto& file,
     CloneFileAndAppend(aBaseDir, aPaddingFileType == DirPaddingFile::TMP_FILE
                                      ? nsLiteralString(PADDING_TMP_FILE_NAME)
                                      : nsLiteralString(PADDING_FILE_NAME)),
     false);

 QM_TRY_RETURN(MOZ_TO_RESULT_INVOKE_MEMBER(file, Exists), false);
}

Result<int64_t, nsresult> DirectoryPaddingGet(nsIFile& aBaseDir) {
 MOZ_DIAGNOSTIC_ASSERT(
     !DirectoryPaddingFileExists(aBaseDir, DirPaddingFile::TMP_FILE));

 QM_TRY_INSPECT(
     const auto& file,
     CloneFileAndAppend(aBaseDir, nsLiteralString(PADDING_FILE_NAME)));

 QM_TRY_UNWRAP(auto stream, NS_NewLocalFileInputStream(file));

 QM_TRY_INSPECT(const auto& bufferedStream,
                NS_NewBufferedInputStream(stream.forget(), 512));

 const nsCOMPtr<nsIObjectInputStream> objectStream =
     NS_NewObjectInputStream(bufferedStream);

 QM_TRY_RETURN(MOZ_TO_RESULT_INVOKE_MEMBER(objectStream, Read64)
                   .map([](const uint64_t val) { return int64_t(val); }));
}

nsresult DirectoryPaddingInit(nsIFile& aBaseDir) {
 QM_TRY(
     MOZ_TO_RESULT(DirectoryPaddingWrite(aBaseDir, DirPaddingFile::FILE, 0)));

 return NS_OK;
}

nsresult UpdateDirectoryPaddingFile(nsIFile& aBaseDir,
                                   mozIStorageConnection& aConn,
                                   const int64_t aIncreaseSize,
                                   const int64_t aDecreaseSize,
                                   const bool aTemporaryFileExist) {
 MOZ_DIAGNOSTIC_ASSERT(aIncreaseSize >= 0);
 MOZ_DIAGNOSTIC_ASSERT(aDecreaseSize >= 0);

 const auto directoryPaddingGetResult =
     aTemporaryFileExist ? Maybe<int64_t>{} : [&aBaseDir] {
       QM_TRY_RETURN(QM_OR_ELSE_WARN_IF(
                         // Expression.
                         DirectoryPaddingGet(aBaseDir).map(Some<int64_t>),
                         // Predicate.
                         IsFileNotFoundError,
                         // Fallback.
                         ErrToDefaultOk<Maybe<int64_t>>),
                     Maybe<int64_t>{});
     }();

 QM_TRY_INSPECT(
     const int64_t& currentPaddingSize,
     ([directoryPaddingGetResult, &aBaseDir, &aConn, aIncreaseSize,
       aDecreaseSize]() -> Result<int64_t, nsresult> {
       if (!directoryPaddingGetResult) {
         // Fail to read padding size from the dir padding file, so try to
         // restore.

         // Not delete the temporary padding file here, because we're going
         // to overwrite it below anyway.
         QM_TRY(MOZ_TO_RESULT(
             DirectoryPaddingDeleteFile(aBaseDir, DirPaddingFile::FILE)));

         // We don't need to add the aIncreaseSize or aDecreaseSize here,
         // because it's already encompassed within the database.
         QM_TRY_RETURN(db::FindOverallPaddingSize(aConn));
       }

       int64_t currentPaddingSize = directoryPaddingGetResult.value();
       bool shouldRevise = false;

       if (aIncreaseSize > 0) {
         if (INT64_MAX - currentPaddingSize < aDecreaseSize) {
           shouldRevise = true;
         } else {
           currentPaddingSize += aIncreaseSize;
         }
       }

       if (aDecreaseSize > 0) {
         if (currentPaddingSize < aDecreaseSize) {
           shouldRevise = true;
         } else if (!shouldRevise) {
           currentPaddingSize -= aDecreaseSize;
         }
       }

       if (shouldRevise) {
         // If somehow runing into this condition, the tracking padding size is
         // incorrect.
         // Delete padding file to indicate the padding size is incorrect for
         // avoiding error happening in the following lines.
         QM_TRY(MOZ_TO_RESULT(
             DirectoryPaddingDeleteFile(aBaseDir, DirPaddingFile::FILE)));

         QM_TRY_UNWRAP(currentPaddingSize, db::FindOverallPaddingSize(aConn));

         // XXXtt: we should have an easy way to update (increase or
         // recalulate) padding size in the QM. For now, only correct the
         // padding size in padding file and make QM be able to get the correct
         // size in the next QM initialization. We still want to catch this in
         // the debug build.
         MOZ_ASSERT(false, "The padding size is unsync with QM");
       }

#ifdef DEBUG
       const int64_t lastPaddingSize = currentPaddingSize;
       QM_TRY_UNWRAP(currentPaddingSize, db::FindOverallPaddingSize(aConn));

       MOZ_DIAGNOSTIC_ASSERT(currentPaddingSize == lastPaddingSize);
#endif  // DEBUG

       return currentPaddingSize;
     }()));

 MOZ_DIAGNOSTIC_ASSERT(currentPaddingSize >= 0);

 QM_TRY(MOZ_TO_RESULT(DirectoryPaddingWrite(aBaseDir, DirPaddingFile::TMP_FILE,
                                            currentPaddingSize)));

 return NS_OK;
}

nsresult DirectoryPaddingFinalizeWrite(nsIFile& aBaseDir) {
 MOZ_DIAGNOSTIC_ASSERT(
     DirectoryPaddingFileExists(aBaseDir, DirPaddingFile::TMP_FILE));

 QM_TRY_INSPECT(
     const auto& file,
     CloneFileAndAppend(aBaseDir, nsLiteralString(PADDING_TMP_FILE_NAME)));

 QM_TRY(MOZ_TO_RESULT(
     file->RenameTo(nullptr, nsLiteralString(PADDING_FILE_NAME))));

 return NS_OK;
}

Result<int64_t, nsresult> DirectoryPaddingRestore(nsIFile& aBaseDir,
                                                 mozIStorageConnection& aConn,
                                                 const bool aMustRestore) {
 // The content of padding file is untrusted, so remove it here.
 QM_TRY(MOZ_TO_RESULT(
     DirectoryPaddingDeleteFile(aBaseDir, DirPaddingFile::FILE)));

 QM_TRY_INSPECT(const int64_t& paddingSize, db::FindOverallPaddingSize(aConn));
 MOZ_DIAGNOSTIC_ASSERT(paddingSize >= 0);

 QM_TRY(MOZ_TO_RESULT(DirectoryPaddingWrite(aBaseDir, DirPaddingFile::FILE,
                                            paddingSize)),
        (aMustRestore ? Err(tryTempError)
                      : Result<int64_t, nsresult>{paddingSize}));

 QM_TRY(MOZ_TO_RESULT(
     DirectoryPaddingDeleteFile(aBaseDir, DirPaddingFile::TMP_FILE)));

 return paddingSize;
}

nsresult DirectoryPaddingDeleteFile(nsIFile& aBaseDir,
                                   DirPaddingFile aPaddingFileType) {
 QM_TRY_INSPECT(
     const auto& file,
     CloneFileAndAppend(aBaseDir, aPaddingFileType == DirPaddingFile::TMP_FILE
                                      ? nsLiteralString(PADDING_TMP_FILE_NAME)
                                      : nsLiteralString(PADDING_FILE_NAME)));

 QM_TRY(QM_OR_ELSE_WARN_IF(
     // Expression.
     MOZ_TO_RESULT(file->Remove(/* recursive */ false)),
     // Predicate.
     IsFileNotFoundError,
     // Fallback.
     ErrToDefaultOk<>));

 return NS_OK;
}

}  // namespace mozilla::dom::cache