/var/lib/jenkins/workspace/firefox-scan-build/toolkit/mozapps/update/updater/updater.cpp

Bug Summary

File:	var/lib/jenkins/workspace/firefox-scan-build/toolkit/mozapps/update/updater/updater.cpp
Warning:	line 4725, column 7 Potential leak of memory pointed to by 'action'
Annotated Source Code

Press '?' to see keyboard shortcuts
Show analyzer invocation
clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name updater.cpp -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=cplusplus -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -analyzer-config-compatibility-mode=true -mrelocation-model pic -pic-level 2 -fhalf-no-semantic-interposition -mframe-pointer=all -relaxed-aliasing -ffp-contract=off -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/var/lib/jenkins/workspace/firefox-scan-build/obj-x86_64-pc-linux-gnu/toolkit/mozapps/update/updater/updater-dep -fcoverage-compilation-dir=/var/lib/jenkins/workspace/firefox-scan-build/obj-x86_64-pc-linux-gnu/toolkit/mozapps/update/updater/updater-dep -resource-dir /usr/lib/llvm-18/lib/clang/18 -include /var/lib/jenkins/workspace/firefox-scan-build/config/gcc_hidden.h -include /var/lib/jenkins/workspace/firefox-scan-build/obj-x86_64-pc-linux-gnu/mozilla-config.h -I /var/lib/jenkins/workspace/firefox-scan-build/obj-x86_64-pc-linux-gnu/dist/system_wrappers -U _FORTIFY_SOURCE -D _FORTIFY_SOURCE=2 -D DEBUG=1 -D DEP_UPDATER -D MAR_NSS -D SPRINTF_H_USES_VSNPRINTF -D NS_NO_XPCOM -D MAR_CHANNEL_ID="" -D MOZ_APP_VERSION="120.0a1" -I /var/lib/jenkins/workspace/firefox-scan-build/toolkit/mozapps/update/updater/updater-dep -I /var/lib/jenkins/workspace/firefox-scan-build/obj-x86_64-pc-linux-gnu/toolkit/mozapps/update/updater/updater-dep -I /var/lib/jenkins/workspace/firefox-scan-build/toolkit/mozapps/update/common -I /var/lib/jenkins/workspace/firefox-scan-build/xpcom/base -I /var/lib/jenkins/workspace/firefox-scan-build/obj-x86_64-pc-linux-gnu/dist/include -I /var/lib/jenkins/workspace/firefox-scan-build/obj-x86_64-pc-linux-gnu/dist/include/nspr -I /var/lib/jenkins/workspace/firefox-scan-build/obj-x86_64-pc-linux-gnu/dist/include/nss -D MOZILLA_CLIENT -I /usr/include/gtk-3.0 -I /usr/include/pango-1.0 -I /usr/include/glib-2.0 -I /usr/lib/x86_64-linux-gnu/glib-2.0/include -I /usr/include/harfbuzz -I /usr/include/freetype2 -I /usr/include/libpng16 -I /usr/include/libmount -I /usr/include/blkid -I /usr/include/fribidi -I /usr/include/cairo -I /usr/include/pixman-1 -I /usr/include/gdk-pixbuf-2.0 -I /usr/include/x86_64-linux-gnu -I /usr/include/webp -I /usr/include/gio-unix-2.0 -I /usr/include/cloudproviders -I /usr/include/atk-1.0 -I /usr/include/at-spi2-atk/2.0 -I /usr/include/at-spi-2.0 -I /usr/include/dbus-1.0 -I /usr/lib/x86_64-linux-gnu/dbus-1.0/include -I /usr/include/gtk-3.0/unix-print -internal-isystem /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13 -internal-isystem /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/x86_64-linux-gnu/c++/13 -internal-isystem /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/backward -internal-isystem /usr/lib/llvm-18/lib/clang/18/include -internal-isystem /usr/local/include -internal-isystem /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -O2 -Wno-error=tautological-type-limit-compare -Wno-invalid-offsetof -Wno-range-loop-analysis -Wno-error=deprecated -Wno-error=deprecated-anon-enum-enum-conversion -Wno-error=deprecated-enum-enum-conversion -Wno-error=deprecated-pragma -Wno-error=deprecated-this-capture -Wno-inline-new-delete -Wno-error=deprecated-declarations -Wno-error=array-bounds -Wno-error=free-nonheap-object -Wno-error=atomic-alignment -Wno-error=deprecated-builtins -Wno-psabi -Wno-error=builtin-macro-redefined -Wno-unknown-warning-option -fdeprecated-macro -ferror-limit 19 -stack-protector 2 -fstack-clash-protection -ftrivial-auto-var-init=pattern -fno-rtti -fgnuc-version=4.2.1 -fno-aligned-allocation -vectorize-loops -vectorize-slp -analyzer-checker optin.performance.Padding -analyzer-output=html -analyzer-config stable-report-filename=true -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /tmp/scan-build-2023-09-28-025625-16803-1 -x c++ /var/lib/jenkins/workspace/firefox-scan-build/toolkit/mozapps/update/updater/updater.cpp
1/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */

5/**
*  Manifest Format
*  ---------------
*
*  contents = 1*( line )
*  line     = method LWS *( param LWS ) CRLF
*  CRLF     = "\r\n"
*  LWS      = 1*( " " | "\t" )
*
*  Available methods for the manifest file:
*
*  updatev3.manifest
*  -----------------
*  method   = "add" | "add-if" | "add-if-not" | "patch" | "patch-if" |
*             "remove" | "rmdir" | "rmrfdir" | type
*
*  'add-if-not' adds a file if it doesn't exist.
*
*  'type' is the update type (e.g. complete or partial) and when present MUST
*  be the first entry in the update manifest. The type is used to support
*  removing files that no longer exist when when applying a complete update by
*  causing the actions defined in the precomplete file to be performed.
*
*  precomplete
*  -----------
*  method   = "remove" | "rmdir"
*/
32#include "bspatch.h"
33#include "progressui.h"
34#include "archivereader.h"
35#include "readstrings.h"
36#include "updatererrors.h"

38#include <stdio.h>
39#include <string.h>
40#include <stdlib.h>

42#include <sys/stat.h>
43#include <fcntl.h>
44#include <limits.h>
45#include <errno(*__errno_location ()).h>

47#include "updatecommon.h"
48#ifdef XP_MACOSX
49#  include "updaterfileutils_osx.h"
50#endif  // XP_MACOSX

52#include "mozilla/CmdLineAndEnvUtils.h"
53#include "mozilla/UniquePtr.h"
54#ifdef XP_WIN
55#  include "mozilla/Maybe.h"
56#  include "mozilla/WinHeaderOnlyUtils.h"
57#  include <climits>
58#endif  // XP_WIN

60// Amount of the progress bar to use in each of the 3 update stages,
61// should total 100.0.
62#define PROGRESS_PREPARE_SIZE20.0f 20.0f
63#define PROGRESS_EXECUTE_SIZE75.0f 75.0f
64#define PROGRESS_FINISH_SIZE5.0f 5.0f

66// Maximum amount of time in ms to wait for the parent process to close. The 30
67// seconds is rather long but there have been bug reports where the parent
68// process has exited after 10 seconds and it is better to give it a chance.
69#define PARENT_WAIT30000 30000

71#if defined(XP_MACOSX)
72// These functions are defined in launchchild_osx.mm
73void CleanupElevatedMacUpdate(bool aFailureOccurred);
74bool IsOwnedByGroupAdmin(const char* aAppBundle);
75bool IsRecursivelyWritable(const char* aPath);
76void LaunchChild(int argc, const char** argv);
77void LaunchMacPostProcess(const char* aAppBundle);
78bool ObtainUpdaterArguments(int* argc, char*** argv);
79bool ServeElevatedUpdate(int argc, const char** argv);
80void SetGroupOwnershipAndPermissions(const char* aAppBundle);
81bool PerformInstallationFromDMG(int argc, char** argv);
82struct UpdateServerThreadArgs {
int argc;
const NS_tchar** argv;
85};
86#endif

88#ifndef _O_BINARY0
89#  define _O_BINARY0 0
90#endif

92#ifndef NULL__null
93#  define NULL__null (0)
94#endif

96#ifndef SSIZE_MAX9223372036854775807L
97#  define SSIZE_MAX9223372036854775807L LONG_MAX9223372036854775807L
98#endif

100// We want to use execv to invoke the callback executable on platforms where
101// we were launched using execv.  See nsUpdateDriver.cpp.
102#if defined(XP_UNIX1) && !defined(XP_MACOSX)
103#  define USE_EXECV
104#endif

106#if defined(XP_OPENBSD)
107#  define stat64 stat
108#endif

110#if defined(MOZ_VERIFY_MAR_SIGNATURE1) && defined(MAR_NSS1)
111#  include "nss.h"
112#  include "prerror.h"
113#endif

115#include "crctable.h"

117#ifdef XP_WIN
118#  ifdef MOZ_MAINTENANCE_SERVICE
119#    include "registrycertificates.h"
120#  endif
121BOOL PathAppendSafe(LPWSTR base, LPCWSTR extra);
122BOOL PathGetSiblingFilePath(LPWSTR destinationBuffer, LPCWSTR siblingFilePath,
                          LPCWSTR newFileName);
124#  include "updatehelper.h"

126// Closes the handle if valid and if the updater is elevated returns with the
127// return code specified. This prevents multiple launches of the callback
128// application by preventing the elevated process from launching the callback.
129#  define EXIT_WHEN_ELEVATED(path, handle, retCode) \
  {                                               \
    if (handle != INVALID_HANDLE_VALUE) {         \
      CloseHandle(handle);                        \
    }                                             \
    if (NS_tremoveremove(path) && errno(*__errno_location ()) != ENOENT2) {    \
      return retCode;                             \
    }                                             \
  }
138#endif

140//-----------------------------------------------------------------------------

142// This BZ2_crc32Table variable lives in libbz2. We just took the
143// data structure from bz2 and created crctables.h

145static unsigned int crc32(const unsigned char* buf, unsigned int len) {
unsigned int crc = 0xffffffffL;

const unsigned char* end = buf + len;
for (; buf != end; ++buf)
  crc = (crc << 8) ^ BZ2_crc32Table[(crc >> 24) ^ *buf];

crc = ~crc;
return crc;
154}

156//-----------------------------------------------------------------------------

158// A simple stack based container for a FILE struct that closes the
159// file descriptor from its destructor.
160class AutoFile {
public:
explicit AutoFile(FILE* file = nullptr) : mFile(file) {}

~AutoFile() {
  if (mFile != nullptr) {
    fclose(mFile);
  }
}

AutoFile& operator=(FILE* file) {
  if (mFile != 0) {
    fclose(mFile);
  }
  mFile = file;
  return *this;
}

operator FILE*() { return mFile; }

FILE* get() { return mFile; }

private:
FILE* mFile;
184};

186struct MARChannelStringTable {
MARChannelStringTable() {
  MARChannelID = mozilla::MakeUnique<char[]>(1);
  MARChannelID[0] = '\0';
}

mozilla::UniquePtr<char[]> MARChannelID;
193};

195//-----------------------------------------------------------------------------

197#ifdef XP_MACOSX

199// Just a simple class that sets a umask value in its constructor and resets
200// it in its destructor.
201class UmaskContext {
public:
explicit UmaskContext(mode_t umaskToSet);
~UmaskContext();

private:
mode_t mPreviousUmask;
208};

210UmaskContext::UmaskContext(mode_t umaskToSet) {
mPreviousUmask = umask(umaskToSet);
212}

214UmaskContext::~UmaskContext() { umask(mPreviousUmask); }

216#endif

218//-----------------------------------------------------------------------------

220typedef void (*ThreadFunc)(void* param);

222#ifdef XP_WIN
223#  include <process.h>

225class Thread {
public:
int Run(ThreadFunc func, void* param) {
  mThreadFunc = func;
  mThreadParam = param;

  unsigned int threadID;

  mThread =
      (HANDLE)_beginthreadex(nullptr, 0, ThreadMain, this, 0, &threadID);

  return mThread ? 0 : -1;
}
int Join() {
  WaitForSingleObject(mThread, INFINITE);
  CloseHandle(mThread);
  return 0;
}

private:
static unsigned __stdcall ThreadMain(void* p) {
  Thread* self = (Thread*)p;
  self->mThreadFunc(self->mThreadParam);
  return 0;
}
HANDLE mThread;
ThreadFunc mThreadFunc;
void* mThreadParam;
253};

255#elif defined(XP_UNIX1)
256#  include <pthread.h>

258class Thread {
public:
int Run(ThreadFunc func, void* param) {
  return pthread_create(&thr, nullptr, (void* (*)(void*))func, param);
}
int Join() {
  void* result;
  return pthread_join(thr, &result);
}

private:
pthread_t thr;
270};

272#else
273#  error "Unsupported platform"
274#endif

276//-----------------------------------------------------------------------------

278static NS_tchar gPatchDirPath[MAXPATHLEN4096];
279static NS_tchar gInstallDirPath[MAXPATHLEN4096];
280static NS_tchar gWorkingDirPath[MAXPATHLEN4096];
281static ArchiveReader gArchiveReader;
282static bool gSucceeded = false;
283static bool sStagedUpdate = false;
284static bool sReplaceRequest = false;
285static bool sUsingService = false;

287// Normally, we run updates as a result of user action (the user started Firefox
288// or clicked a "Restart to Update" button). But there are some cases when
289// we are not:
290// a) The callback app is a background task. If true then the updater is
291//    likely being run as part of a background task.
292//    The updater could be run with no callback, but this only happens
293//    when performing a staged update (see calls to ProcessUpdates), and there
294//    are already checks for sStagedUpdate when showing UI or elevating.
295// b) The environment variable MOZ_APP_SILENT_START is set and not empty. This
296//    is set, for instance, on macOS when Firefox had no windows open for a
297//    while and restarted to apply updates.
298//
299// In these cases, the update should be installed silently, so we shouldn't:
300// a) show progress UI
301// b) prompt for elevation
302static bool sUpdateSilently = false;

304#ifdef XP_WIN
305static NS_tchar gCallbackRelPath[MAXPATHLEN4096];
306static NS_tchar gCallbackBackupPath[MAXPATHLEN4096];
307static NS_tchar gDeleteDirPath[MAXPATHLEN4096];

309// Whether to copy the update.log and update.status file to the update patch
310// directory from a secure directory.
311static bool gCopyOutputFiles = false;
312// Whether to write the update.log and update.status file to a secure directory.
313static bool gUseSecureOutputPath = false;
314#endif

316static const NS_tchar kWhitespace[] = NS_T(" \t")" \t";
317static const NS_tchar kNL[] = NS_T("\r\n")"\r\n";
318static const NS_tchar kQuote[] = NS_T("\"")"\"";

320static inline size_t mmin(size_t a, size_t b) { return (a > b) ? b : a; }

322static NS_tchar* mstrtok(const NS_tchar* delims, NS_tchar** str) {
if (!*str || !**str) {
  *str = nullptr;
  return nullptr;
}

// skip leading "whitespace"
NS_tchar* ret = *str;
const NS_tchar* d;
do {
  for (d = delims; *d != NS_T('\0')'\0'; ++d) {
    if (*ret == *d) {
      ++ret;
      break;
    }
  }
} while (*d);

if (!*ret) {
  *str = ret;
  return nullptr;
}

NS_tchar* i = ret;
do {
  for (d = delims; *d != NS_T('\0')'\0'; ++d) {
    if (*i == *d) {
      *i = NS_T('\0')'\0';
      *str = ++i;
      return ret;
    }
  }
  ++i;
} while (*i);

*str = nullptr;
return ret;
359}

361#if defined(TEST_UPDATER) || defined(XP_WIN) || defined(XP_MACOSX)
362static bool EnvHasValue(const char* name) {
const char* val = getenv(name);
return (val && *val);
365}
366#endif

368#ifdef XP_WIN
369/**
* Obtains the update ID from the secure id file located in secure output
* directory.
*
* @param  outBuf
*         A buffer of size UUID_LEN (e.g. 37) to store the result. The uuid is
*         36 characters in length and 1 more for null termination.
* @return true if successful
*/
378bool GetSecureID(char* outBuf) {
NS_tchar idFilePath[MAX_PATH + 1] = {L'\0'};
if (!GetSecureOutputFilePath(gPatchDirPath, L".id", idFilePath)) {
  return false;
}

AutoFile idFile(NS_tfopenfopen(idFilePath, NS_T("rb")"rb"));
if (idFile == nullptr) {
  return false;
}

size_t read = fread(outBuf, UUID_LEN - 1, 1, idFile);
if (read != 1) {
  return false;
}

outBuf[UUID_LEN - 1] = '\0';
return true;
396}
397#endif

399/**
* Calls LogFinish for the update log. On Windows, the unelevated updater copies
* the update status file and the update log file that were written by the
* elevated updater from the secure directory to the update patch directory.
*
* NOTE: All calls to WriteStatusFile MUST happen before calling output_finish
*       because this function copies the update status file for the elevated
*       updater and writing the status file after calling output_finish will
*       overwrite it.
*/
409static void output_finish() {
LogFinish()UpdateLog::GetPrimaryLog().Finish();
411#ifdef XP_WIN
if (gCopyOutputFiles) {
  NS_tchar srcStatusPath[MAXPATHLEN4096 + 1] = {NS_T('\0')'\0'};
  if (GetSecureOutputFilePath(gPatchDirPath, L".status", srcStatusPath)) {
    NS_tchar dstStatusPath[MAXPATHLEN4096 + 1] = {NS_T('\0')'\0'};
    NS_tsnprintfsnprintf(dstStatusPath,
                 sizeof(dstStatusPath) / sizeof(dstStatusPath[0]),
                 NS_T("%s\\update.status")"%s\\update.status", gPatchDirPath);
    CopyFileW(srcStatusPath, dstStatusPath, false);
  }

  NS_tchar srcLogPath[MAXPATHLEN4096 + 1] = {NS_T('\0')'\0'};
  if (GetSecureOutputFilePath(gPatchDirPath, L".log", srcLogPath)) {
    NS_tchar dstLogPath[MAXPATHLEN4096 + 1] = {NS_T('\0')'\0'};
    NS_tsnprintfsnprintf(dstLogPath, sizeof(dstLogPath) / sizeof(dstLogPath[0]),
                 NS_T("%s\\update.log")"%s\\update.log", gPatchDirPath);
    CopyFileW(srcLogPath, dstLogPath, false);
  }
}
430#endif
431}

433/**
* Coverts a relative update path to a full path.
*
* @param  relpath
*         The relative path to convert to a full path.
* @return valid filesystem full path or nullptr if memory allocation fails.
*/
440static NS_tchar* get_full_path(const NS_tchar* relpath) {
NS_tchar* destpath = sStagedUpdate ? gWorkingDirPath : gInstallDirPath;
size_t lendestpath = NS_tstrlenstrlen(destpath);
size_t lenrelpath = NS_tstrlenstrlen(relpath);
NS_tchar* s = new NS_tchar[lendestpath + lenrelpath + 2];

NS_tchar* c = s;

NS_tstrcpystrcpy(c, destpath);
c += lendestpath;
NS_tstrcatstrcat(c, NS_T("/")"/");
c++;

NS_tstrcatstrcat(c, relpath);
c += lenrelpath;
*c = NS_T('\0')'\0';
return s;
457}

459/**
* Converts a full update path into a relative path; reverses get_full_path.
*
* @param  fullpath
*         The absolute path to convert into a relative path.
* return pointer to the location within fullpath where the relative path starts
*        or fullpath itself if it already looks relative.
*/
467#ifndef XP_WIN
468static const NS_tchar* get_relative_path(const NS_tchar* fullpath) {
if (fullpath[0] != '/') {
  return fullpath;
}

NS_tchar* prefix = sStagedUpdate ? gWorkingDirPath : gInstallDirPath;

// If the path isn't long enough to be absolute, return it as-is.
if (NS_tstrlenstrlen(fullpath) <= NS_tstrlenstrlen(prefix)) {
  return fullpath;
}

return fullpath + NS_tstrlenstrlen(prefix) + 1;
481}
482#endif

484/**
* Gets the platform specific path and performs simple checks to the path. If
* the path checks don't pass nullptr will be returned.
*
* @param  line
*         The line from the manifest that contains the path.
* @param  isdir
*         Whether the path is a directory path. Defaults to false.
* @return valid filesystem path or nullptr if the path checks fail.
*/
494static NS_tchar* get_valid_path(NS_tchar** line, bool isdir = false) {
NS_tchar* path = mstrtok(kQuote, line);
if (!path) {
  LOG(("get_valid_path: unable to determine path: " LOG_S, *line))UpdateLog::GetPrimaryLog().Printf ("get_valid_path: unable to determine path: "
 "%s", *line);
  return nullptr;
}

// All paths must be relative from the current working directory
if (path[0] == NS_T('/')'/') {
  LOG(("get_valid_path: path must be relative: " LOG_S, path))UpdateLog::GetPrimaryLog().Printf ("get_valid_path: path must be relative: "
 "%s", path);
  return nullptr;
}

507#ifdef XP_WIN
// All paths must be relative from the current working directory
if (path[0] == NS_T('\\')'\\' || path[1] == NS_T(':')':') {
  LOG(("get_valid_path: path must be relative: " LOG_S, path))UpdateLog::GetPrimaryLog().Printf ("get_valid_path: path must be relative: "
 "%s", path);
  return nullptr;
}
513#endif

if (isdir) {
  // Directory paths must have a trailing forward slash.
  if (path[NS_tstrlenstrlen(path) - 1] != NS_T('/')'/') {
    LOG(UpdateLog::GetPrimaryLog().Printf ("get_valid_path: directory paths must have a trailing forward "
 "slash: " "%s", path)
        ("get_valid_path: directory paths must have a trailing forward "UpdateLog::GetPrimaryLog().Printf ("get_valid_path: directory paths must have a trailing forward "
 "slash: " "%s", path)
         "slash: " LOG_S,UpdateLog::GetPrimaryLog().Printf ("get_valid_path: directory paths must have a trailing forward "
 "slash: " "%s", path)
         path))UpdateLog::GetPrimaryLog().Printf ("get_valid_path: directory paths must have a trailing forward "
 "slash: " "%s", path);
    return nullptr;
  }

  // Remove the trailing forward slash because stat on Windows will return
  // ENOENT if the path has a trailing slash.
  path[NS_tstrlenstrlen(path) - 1] = NS_T('\0')'\0';
}

// Don't allow relative paths that resolve to a parent directory.
if (NS_tstrstrstrstr(path, NS_T("..")"..") != nullptr) {
  LOG(("get_valid_path: paths must not contain '..': " LOG_S, path))UpdateLog::GetPrimaryLog().Printf ("get_valid_path: paths must not contain '..': "
 "%s", path);
  return nullptr;
}

return path;
537}

539/*
* Gets a quoted path. The return value is malloc'd and it is the responsibility
* of the caller to free it.
*
* @param  path
*         The path to quote.
* @return On success the quoted path and nullptr otherwise.
*/
547static NS_tchar* get_quoted_path(const NS_tchar* path) {
size_t lenQuote = NS_tstrlenstrlen(kQuote);
size_t lenPath = NS_tstrlenstrlen(path);
size_t len = lenQuote + lenPath + lenQuote + 1;

NS_tchar* s = (NS_tchar*)malloc(len * sizeof(NS_tchar));
if (!s) {
  return nullptr;
}

NS_tchar* c = s;
NS_tstrcpystrcpy(c, kQuote);
c += lenQuote;
NS_tstrcatstrcat(c, path);
c += lenPath;
NS_tstrcatstrcat(c, kQuote);
c += lenQuote;
*c = NS_T('\0')'\0';
return s;
566}

568static void ensure_write_permissions(const NS_tchar* path) {
569#ifdef XP_WIN
(void)_wchmod(path, _S_IREAD | _S_IWRITE);
571#else
struct stat fs;
if (!stat(path, &fs) && !(fs.st_mode & S_IWUSR0200)) {
  (void)chmod(path, fs.st_mode | S_IWUSR0200);
}
576#endif
577}

579static int ensure_remove(const NS_tchar* path) {
ensure_write_permissions(path);
int rv = NS_tremoveremove(path);
if (rv) {
  LOG(("ensure_remove: failed to remove file: " LOG_S ", rv: %d, err: %d",UpdateLog::GetPrimaryLog().Printf ("ensure_remove: failed to remove file: "
 "%s" ", rv: %d, err: %d", path, rv, (*__errno_location ()))
       path, rv, errno))UpdateLog::GetPrimaryLog().Printf ("ensure_remove: failed to remove file: "
 "%s" ", rv: %d, err: %d", path, rv, (*__errno_location ()));
}
return rv;
587}

589// Remove the directory pointed to by path and all of its files and
590// sub-directories.
591static int ensure_remove_recursive(const NS_tchar* path,
                                 bool continueEnumOnFailure = false) {
// We use lstat rather than stat here so that we can successfully remove
// symlinks.
struct NS_tstat_tstat sInfo;
int rv = NS_tlstatlstat(path, &sInfo);
if (rv) {
  // This error is benign
  return rv;
}
if (!S_ISDIR(sInfo.st_mode)((((sInfo.st_mode)) & 0170000) == (0040000))) {
  return ensure_remove(path);
}

NS_tDIRDIR* dir;
NS_tdirentdirent* entry;

dir = NS_topendiropendir(path);
if (!dir) {
  LOG(("ensure_remove_recursive: unable to open directory: " LOG_SUpdateLog::GetPrimaryLog().Printf ("ensure_remove_recursive: unable to open directory: "
 "%s" ", rv: %d, err: %d", path, rv, (*__errno_location ()))
       ", rv: %d, err: %d",UpdateLog::GetPrimaryLog().Printf ("ensure_remove_recursive: unable to open directory: "
 "%s" ", rv: %d, err: %d", path, rv, (*__errno_location ()))
       path, rv, errno))UpdateLog::GetPrimaryLog().Printf ("ensure_remove_recursive: unable to open directory: "
 "%s" ", rv: %d, err: %d", path, rv, (*__errno_location ()));
  return rv;
}

while ((entry = NS_treaddirreaddir(dir)) != 0) {
  if (NS_tstrcmpstrcmp(entry->d_name, NS_T(".")".") &&
      NS_tstrcmpstrcmp(entry->d_name, NS_T("..")"..")) {
    NS_tchar childPath[MAXPATHLEN4096];
    NS_tsnprintfsnprintf(childPath, sizeof(childPath) / sizeof(childPath[0]),
                 NS_T("%s/%s")"%s/%s", path, entry->d_name);
    rv = ensure_remove_recursive(childPath);
    if (rv && !continueEnumOnFailure) {
      break;
    }
  }
}

NS_tclosedirclosedir(dir);

if (rv == OK0) {
  ensure_write_permissions(path);
  rv = NS_trmdirrmdir(path);
  if (rv) {
    LOG(("ensure_remove_recursive: unable to remove directory: " LOG_SUpdateLog::GetPrimaryLog().Printf ("ensure_remove_recursive: unable to remove directory: "
 "%s" ", rv: %d, err: %d", path, rv, (*__errno_location ()))
         ", rv: %d, err: %d",UpdateLog::GetPrimaryLog().Printf ("ensure_remove_recursive: unable to remove directory: "
 "%s" ", rv: %d, err: %d", path, rv, (*__errno_location ()))
         path, rv, errno))UpdateLog::GetPrimaryLog().Printf ("ensure_remove_recursive: unable to remove directory: "
 "%s" ", rv: %d, err: %d", path, rv, (*__errno_location ()));
  }
}
return rv;
641}

643static bool is_read_only(const NS_tchar* flags) {
size_t length = NS_tstrlenstrlen(flags);
if (length == 0) {
  return false;
}

// Make sure the string begins with "r"
if (flags[0] != NS_T('r')'r') {
  return false;
}

// Look for "r+" or "r+b"
if (length > 1 && flags[1] == NS_T('+')'+') {
  return false;
}

// Look for "rb+"
if (NS_tstrcmpstrcmp(flags, NS_T("rb+")"rb+") == 0) {
  return false;
}

return true;
665}

667static FILE* ensure_open(const NS_tchar* path, const NS_tchar* flags,
                       unsigned int options) {
ensure_write_permissions(path);
FILE* f = NS_tfopenfopen(path, flags);
if (is_read_only(flags)) {
  // Don't attempt to modify the file permissions if the file is being opened
  // in read-only mode.
  return f;
}
if (NS_tchmodchmod(path, options) != 0) {
  if (f != nullptr) {
    fclose(f);
  }
  return nullptr;
}
struct NS_tstat_tstat ss;
if (NS_tstatstat(path, &ss) != 0 || ss.st_mode != options) {
  if (f != nullptr) {
    fclose(f);
  }
  return nullptr;
}
return f;
690}

692// Ensure that the directory containing this file exists.
693static int ensure_parent_dir(const NS_tchar* path) {
int rv = OK0;

NS_tchar* slash = (NS_tchar*)NS_tstrrchrstrrchr(path, NS_T('/')'/');
if (slash) {
  *slash = NS_T('\0')'\0';
  rv = ensure_parent_dir(path);
  // Only attempt to create the directory if we're not at the root
  if (rv == OK0 && *path) {
    rv = NS_tmkdirmkdir(path, 0755);
    // If the directory already exists, then ignore the error.
    if (rv < 0 && errno(*__errno_location ()) != EEXIST17) {
      LOG(("ensure_parent_dir: failed to create directory: " LOG_S ", "UpdateLog::GetPrimaryLog().Printf ("ensure_parent_dir: failed to create directory: "
 "%s" ", " "err: %d", path, (*__errno_location ()))
           "err: %d",UpdateLog::GetPrimaryLog().Printf ("ensure_parent_dir: failed to create directory: "
 "%s" ", " "err: %d", path, (*__errno_location ()))
           path, errno))UpdateLog::GetPrimaryLog().Printf ("ensure_parent_dir: failed to create directory: "
 "%s" ", " "err: %d", path, (*__errno_location ()));
      rv = WRITE_ERROR7;
    } else {
      rv = OK0;
    }
  }
  *slash = NS_T('/')'/';
}
return rv;
716}

718#ifdef XP_UNIX1
719static int ensure_copy_symlink(const NS_tchar* path, const NS_tchar* dest) {
// Copy symlinks by creating a new symlink to the same target
NS_tchar target[MAXPATHLEN4096 + 1] = {NS_T('\0')'\0'};
int rv = readlink(path, target, MAXPATHLEN4096);
if (rv == -1) {
  LOG(("ensure_copy_symlink: failed to read the link: " LOG_S ", err: %d",UpdateLog::GetPrimaryLog().Printf ("ensure_copy_symlink: failed to read the link: "
 "%s" ", err: %d", path, (*__errno_location ()))
       path, errno))UpdateLog::GetPrimaryLog().Printf ("ensure_copy_symlink: failed to read the link: "
 "%s" ", err: %d", path, (*__errno_location ()));
  return READ_ERROR6;
}
rv = symlink(target, dest);
if (rv == -1) {
  LOG(("ensure_copy_symlink: failed to create the new link: " LOG_SUpdateLog::GetPrimaryLog().Printf ("ensure_copy_symlink: failed to create the new link: "
 "%s" ", target: " "%s" " err: %d", dest, target, (*__errno_location
 ()))
       ", target: " LOG_S " err: %d",UpdateLog::GetPrimaryLog().Printf ("ensure_copy_symlink: failed to create the new link: "
 "%s" ", target: " "%s" " err: %d", dest, target, (*__errno_location
 ()))
       dest, target, errno))UpdateLog::GetPrimaryLog().Printf ("ensure_copy_symlink: failed to create the new link: "
 "%s" ", target: " "%s" " err: %d", dest, target, (*__errno_location
 ()));
  return READ_ERROR6;
}
return 0;
736}
737#endif

739// Copy the file named path onto a new file named dest.
740static int ensure_copy(const NS_tchar* path, const NS_tchar* dest) {
741#ifdef XP_WIN
// Fast path for Windows
bool result = CopyFileW(path, dest, false);
if (!result) {
  LOG(("ensure_copy: failed to copy the file " LOG_S " over to " LOG_SUpdateLog::GetPrimaryLog().Printf ("ensure_copy: failed to copy the file "
 "%s" " over to " "%s" ", lasterr: %lx", path, dest, GetLastError
())
       ", lasterr: %lx",UpdateLog::GetPrimaryLog().Printf ("ensure_copy: failed to copy the file "
 "%s" " over to " "%s" ", lasterr: %lx", path, dest, GetLastError
())
       path, dest, GetLastError()))UpdateLog::GetPrimaryLog().Printf ("ensure_copy: failed to copy the file "
 "%s" " over to " "%s" ", lasterr: %lx", path, dest, GetLastError
());
  return WRITE_ERROR_FILE_COPY61;
}
return OK0;
751#else
struct NS_tstat_tstat ss;
int rv = NS_tlstatlstat(path, &ss);
if (rv) {
  LOG(("ensure_copy: failed to read file status info: " LOG_S ", err: %d",UpdateLog::GetPrimaryLog().Printf ("ensure_copy: failed to read file status info: "
 "%s" ", err: %d", path, (*__errno_location ()))
       path, errno))UpdateLog::GetPrimaryLog().Printf ("ensure_copy: failed to read file status info: "
 "%s" ", err: %d", path, (*__errno_location ()));
  return READ_ERROR6;
}

760#  ifdef XP_UNIX1
if (S_ISLNK(ss.st_mode)((((ss.st_mode)) & 0170000) == (0120000))) {
  return ensure_copy_symlink(path, dest);
}
764#  endif

AutoFile infile(ensure_open(path, NS_T("rb")"rb", ss.st_mode));
if (!infile) {
  LOG(("ensure_copy: failed to open the file for reading: " LOG_S ", err: %d",UpdateLog::GetPrimaryLog().Printf ("ensure_copy: failed to open the file for reading: "
 "%s" ", err: %d", path, (*__errno_location ()))
       path, errno))UpdateLog::GetPrimaryLog().Printf ("ensure_copy: failed to open the file for reading: "
 "%s" ", err: %d", path, (*__errno_location ()));
  return READ_ERROR6;
}
AutoFile outfile(ensure_open(dest, NS_T("wb")"wb", ss.st_mode));
if (!outfile) {
  LOG(("ensure_copy: failed to open the file for writing: " LOG_S ", err: %d",UpdateLog::GetPrimaryLog().Printf ("ensure_copy: failed to open the file for writing: "
 "%s" ", err: %d", dest, (*__errno_location ()))
       dest, errno))UpdateLog::GetPrimaryLog().Printf ("ensure_copy: failed to open the file for writing: "
 "%s" ", err: %d", dest, (*__errno_location ()));
  return WRITE_ERROR7;
}

// This block size was chosen pretty arbitrarily but seems like a reasonable
// compromise. For example, the optimal block size on a modern OS X machine
// is 100k */
const int blockSize = 32 * 1024;
void* buffer = malloc(blockSize);
if (!buffer) {
  return UPDATER_MEM_ERROR13;
}

while (!feof(infile.get())) {
  size_t read = fread(buffer, 1, blockSize, infile);
  if (ferror(infile.get())) {
    LOG(("ensure_copy: failed to read the file: " LOG_S ", err: %d", path,UpdateLog::GetPrimaryLog().Printf ("ensure_copy: failed to read the file: "
 "%s" ", err: %d", path, (*__errno_location ()))
         errno))UpdateLog::GetPrimaryLog().Printf ("ensure_copy: failed to read the file: "
 "%s" ", err: %d", path, (*__errno_location ()));
    free(buffer);
    return READ_ERROR6;
  }

  size_t written = 0;

  while (written < read) {
    size_t chunkWritten = fwrite(buffer, 1, read - written, outfile);
    if (chunkWritten <= 0) {
      LOG(("ensure_copy: failed to write the file: " LOG_S ", err: %d", dest,UpdateLog::GetPrimaryLog().Printf ("ensure_copy: failed to write the file: "
 "%s" ", err: %d", dest, (*__errno_location ()))
           errno))UpdateLog::GetPrimaryLog().Printf ("ensure_copy: failed to write the file: "
 "%s" ", err: %d", dest, (*__errno_location ()));
      free(buffer);
      return WRITE_ERROR_FILE_COPY61;
    }

    written += chunkWritten;
  }
}

rv = NS_tchmodchmod(dest, ss.st_mode);

free(buffer);
return rv;
816#endif
817}

819template <unsigned N>
820struct copy_recursive_skiplist {
NS_tchar paths[N][MAXPATHLEN4096];

void append(unsigned index, const NS_tchar* path, const NS_tchar* suffix) {
  NS_tsnprintfsnprintf(paths[index], MAXPATHLEN4096, NS_T("%s/%s")"%s/%s", path, suffix);
}

bool find(const NS_tchar* path) {
  for (int i = 0; i < static_cast<int>(N); ++i) {
    if (!NS_tstricmpstrcasecmp(paths[i], path)) {
      return true;
    }
  }
  return false;
}
835};

837// Copy all of the files and subdirectories under path to a new directory named
838// dest. The path names in the skiplist will be skipped and will not be copied.
839template <unsigned N>
840static int ensure_copy_recursive(const NS_tchar* path, const NS_tchar* dest,
                               copy_recursive_skiplist<N>& skiplist) {
struct NS_tstat_tstat sInfo;
int rv = NS_tlstatlstat(path, &sInfo);
if (rv) {
  LOG(("ensure_copy_recursive: path doesn't exist: " LOG_SUpdateLog::GetPrimaryLog().Printf ("ensure_copy_recursive: path doesn't exist: "
 "%s" ", rv: %d, err: %d", path, rv, (*__errno_location ()))
       ", rv: %d, err: %d",UpdateLog::GetPrimaryLog().Printf ("ensure_copy_recursive: path doesn't exist: "
 "%s" ", rv: %d, err: %d", path, rv, (*__errno_location ()))
       path, rv, errno))UpdateLog::GetPrimaryLog().Printf ("ensure_copy_recursive: path doesn't exist: "
 "%s" ", rv: %d, err: %d", path, rv, (*__errno_location ()));
  return READ_ERROR6;
}

851#ifdef XP_UNIX1
if (S_ISLNK(sInfo.st_mode)((((sInfo.st_mode)) & 0170000) == (0120000))) {
  return ensure_copy_symlink(path, dest);
}
855#endif

if (!S_ISDIR(sInfo.st_mode)((((sInfo.st_mode)) & 0170000) == (0040000))) {
  return ensure_copy(path, dest);
}

rv = NS_tmkdirmkdir(dest, sInfo.st_mode);
if (rv < 0 && errno(*__errno_location ()) != EEXIST17) {
  LOG(("ensure_copy_recursive: could not create destination directory: " LOG_SUpdateLog::GetPrimaryLog().Printf ("ensure_copy_recursive: could not create destination directory: "
 "%s" ", rv: %d, err: %d", path, rv, (*__errno_location ()))
       ", rv: %d, err: %d",UpdateLog::GetPrimaryLog().Printf ("ensure_copy_recursive: could not create destination directory: "
 "%s" ", rv: %d, err: %d", path, rv, (*__errno_location ()))
       path, rv, errno))UpdateLog::GetPrimaryLog().Printf ("ensure_copy_recursive: could not create destination directory: "
 "%s" ", rv: %d, err: %d", path, rv, (*__errno_location ()));
  return WRITE_ERROR7;
}

NS_tDIRDIR* dir;
NS_tdirentdirent* entry;

dir = NS_topendiropendir(path);
if (!dir) {
  LOG(("ensure_copy_recursive: path is not a directory: " LOG_SUpdateLog::GetPrimaryLog().Printf ("ensure_copy_recursive: path is not a directory: "
 "%s" ", rv: %d, err: %d", path, rv, (*__errno_location ()))
       ", rv: %d, err: %d",UpdateLog::GetPrimaryLog().Printf ("ensure_copy_recursive: path is not a directory: "
 "%s" ", rv: %d, err: %d", path, rv, (*__errno_location ()))
       path, rv, errno))UpdateLog::GetPrimaryLog().Printf ("ensure_copy_recursive: path is not a directory: "
 "%s" ", rv: %d, err: %d", path, rv, (*__errno_location ()));
  return READ_ERROR6;
}

while ((entry = NS_treaddirreaddir(dir)) != 0) {
  if (NS_tstrcmpstrcmp(entry->d_name, NS_T(".")".") &&
      NS_tstrcmpstrcmp(entry->d_name, NS_T("..")"..")) {
    NS_tchar childPath[MAXPATHLEN4096];
    NS_tsnprintfsnprintf(childPath, sizeof(childPath) / sizeof(childPath[0]),
                 NS_T("%s/%s")"%s/%s", path, entry->d_name);
    if (skiplist.find(childPath)) {
      continue;
    }
    NS_tchar childPathDest[MAXPATHLEN4096];
    NS_tsnprintfsnprintf(childPathDest,
                 sizeof(childPathDest) / sizeof(childPathDest[0]),
                 NS_T("%s/%s")"%s/%s", dest, entry->d_name);
    rv = ensure_copy_recursive(childPath, childPathDest, skiplist);
    if (rv) {
      break;
    }
  }
}
NS_tclosedirclosedir(dir);
return rv;
901}

903// Renames the specified file to the new file specified. If the destination file
904// exists it is removed.
905static int rename_file(const NS_tchar* spath, const NS_tchar* dpath,
                     bool allowDirs = false) {
int rv = ensure_parent_dir(dpath);
if (rv) {
  return rv;
}

struct NS_tstat_tstat spathInfo;
rv = NS_tstatstat(spath, &spathInfo);
if (rv) {
  LOG(("rename_file: failed to read file status info: " LOG_S ", "UpdateLog::GetPrimaryLog().Printf ("rename_file: failed to read file status info: "
 "%s" ", " "err: %d", spath, (*__errno_location ()))
       "err: %d",UpdateLog::GetPrimaryLog().Printf ("rename_file: failed to read file status info: "
 "%s" ", " "err: %d", spath, (*__errno_location ()))
       spath, errno))UpdateLog::GetPrimaryLog().Printf ("rename_file: failed to read file status info: "
 "%s" ", " "err: %d", spath, (*__errno_location ()));
  return READ_ERROR6;
}

if (!S_ISREG(spathInfo.st_mode)((((spathInfo.st_mode)) & 0170000) == (0100000))) {
  if (allowDirs && !S_ISDIR(spathInfo.st_mode)((((spathInfo.st_mode)) & 0170000) == (0040000))) {
    LOG(("rename_file: path present, but not a file: " LOG_S ", err: %d",UpdateLog::GetPrimaryLog().Printf ("rename_file: path present, but not a file: "
 "%s" ", err: %d", spath, (*__errno_location ()))
         spath, errno))UpdateLog::GetPrimaryLog().Printf ("rename_file: path present, but not a file: "
 "%s" ", err: %d", spath, (*__errno_location ()));
    return RENAME_ERROR_EXPECTED_FILE48;
  }
  LOG(("rename_file: proceeding to rename the directory"))UpdateLog::GetPrimaryLog().Printf ("rename_file: proceeding to rename the directory"
);
}

if (!NS_taccessaccess(dpath, F_OK0)) {
  if (ensure_remove(dpath)) {
    LOG(UpdateLog::GetPrimaryLog().Printf ("rename_file: destination file exists and could not be "
 "removed: " "%s", dpath)
        ("rename_file: destination file exists and could not be "UpdateLog::GetPrimaryLog().Printf ("rename_file: destination file exists and could not be "
 "removed: " "%s", dpath)
         "removed: " LOG_S,UpdateLog::GetPrimaryLog().Printf ("rename_file: destination file exists and could not be "
 "removed: " "%s", dpath)
         dpath))UpdateLog::GetPrimaryLog().Printf ("rename_file: destination file exists and could not be "
 "removed: " "%s", dpath);
    return WRITE_ERROR_DELETE_FILE62;
  }
}

if (NS_trenamerename(spath, dpath) != 0) {
  LOG(("rename_file: failed to rename file - src: " LOG_S ", "UpdateLog::GetPrimaryLog().Printf ("rename_file: failed to rename file - src: "
 "%s" ", " "dst:" "%s" ", err: %d", spath, dpath, (*__errno_location
 ()))
       "dst:" LOG_S ", err: %d",UpdateLog::GetPrimaryLog().Printf ("rename_file: failed to rename file - src: "
 "%s" ", " "dst:" "%s" ", err: %d", spath, dpath, (*__errno_location
 ()))
       spath, dpath, errno))UpdateLog::GetPrimaryLog().Printf ("rename_file: failed to rename file - src: "
 "%s" ", " "dst:" "%s" ", err: %d", spath, dpath, (*__errno_location
 ()));
  return WRITE_ERROR7;
}

return OK0;
948}

950#ifdef XP_WIN
951// Remove the directory pointed to by path and all of its files and
952// sub-directories. If a file is in use move it to the tobedeleted directory
953// and attempt to schedule removal of the file on reboot
954static int remove_recursive_on_reboot(const NS_tchar* path,
                                    const NS_tchar* deleteDir) {
struct NS_tstat_tstat sInfo;
int rv = NS_tlstatlstat(path, &sInfo);
if (rv) {
  // This error is benign
  return rv;
}

if (!S_ISDIR(sInfo.st_mode)((((sInfo.st_mode)) & 0170000) == (0040000))) {
  NS_tchar tmpDeleteFile[MAXPATHLEN4096 + 1];
  GetUUIDTempFilePath(deleteDir, L"rep", tmpDeleteFile);
  if (NS_tremoveremove(tmpDeleteFile) && errno(*__errno_location ()) != ENOENT2) {
    LOG(("remove_recursive_on_reboot: failed to remove temporary file: " LOG_SUpdateLog::GetPrimaryLog().Printf ("remove_recursive_on_reboot: failed to remove temporary file: "
 "%s" ", err: %d", tmpDeleteFile, (*__errno_location ()))
         ", err: %d",UpdateLog::GetPrimaryLog().Printf ("remove_recursive_on_reboot: failed to remove temporary file: "
 "%s" ", err: %d", tmpDeleteFile, (*__errno_location ()))
         tmpDeleteFile, errno))UpdateLog::GetPrimaryLog().Printf ("remove_recursive_on_reboot: failed to remove temporary file: "
 "%s" ", err: %d", tmpDeleteFile, (*__errno_location ()));
  }
  rv = rename_file(path, tmpDeleteFile, false);
  if (MoveFileEx(rv ? path : tmpDeleteFile, nullptr,
                 MOVEFILE_DELAY_UNTIL_REBOOT)) {
    LOG(UpdateLog::GetPrimaryLog().Printf ("remove_recursive_on_reboot: file will be removed on OS "
 "reboot: " "%s", rv ? path : tmpDeleteFile)
        ("remove_recursive_on_reboot: file will be removed on OS "UpdateLog::GetPrimaryLog().Printf ("remove_recursive_on_reboot: file will be removed on OS "
 "reboot: " "%s", rv ? path : tmpDeleteFile)
         "reboot: " LOG_S,UpdateLog::GetPrimaryLog().Printf ("remove_recursive_on_reboot: file will be removed on OS "
 "reboot: " "%s", rv ? path : tmpDeleteFile)
         rv ? path : tmpDeleteFile))UpdateLog::GetPrimaryLog().Printf ("remove_recursive_on_reboot: file will be removed on OS "
 "reboot: " "%s", rv ? path : tmpDeleteFile);
  } else {
    LOG((UpdateLog::GetPrimaryLog().Printf ( "remove_recursive_on_reboot: failed to schedule OS reboot removal of "
 "file: " "%s", rv ? path : tmpDeleteFile)
        "remove_recursive_on_reboot: failed to schedule OS reboot removal of "UpdateLog::GetPrimaryLog().Printf ( "remove_recursive_on_reboot: failed to schedule OS reboot removal of "
 "file: " "%s", rv ? path : tmpDeleteFile)
        "file: " LOG_S,UpdateLog::GetPrimaryLog().Printf ( "remove_recursive_on_reboot: failed to schedule OS reboot removal of "
 "file: " "%s", rv ? path : tmpDeleteFile)
        rv ? path : tmpDeleteFile))UpdateLog::GetPrimaryLog().Printf ( "remove_recursive_on_reboot: failed to schedule OS reboot removal of "
 "file: " "%s", rv ? path : tmpDeleteFile);
  }
  return rv;
}

NS_tDIRDIR* dir;
NS_tdirentdirent* entry;

dir = NS_topendiropendir(path);
if (!dir) {
  LOG(("remove_recursive_on_reboot: unable to open directory: " LOG_SUpdateLog::GetPrimaryLog().Printf ("remove_recursive_on_reboot: unable to open directory: "
 "%s" ", rv: %d, err: %d", path, rv, (*__errno_location ()))
       ", rv: %d, err: %d",UpdateLog::GetPrimaryLog().Printf ("remove_recursive_on_reboot: unable to open directory: "
 "%s" ", rv: %d, err: %d", path, rv, (*__errno_location ()))
       path, rv, errno))UpdateLog::GetPrimaryLog().Printf ("remove_recursive_on_reboot: unable to open directory: "
 "%s" ", rv: %d, err: %d", path, rv, (*__errno_location ()));
  return rv;
}

while ((entry = NS_treaddirreaddir(dir)) != 0) {
  if (NS_tstrcmpstrcmp(entry->d_name, NS_T(".")".") &&
      NS_tstrcmpstrcmp(entry->d_name, NS_T("..")"..")) {
    NS_tchar childPath[MAXPATHLEN4096];
    NS_tsnprintfsnprintf(childPath, sizeof(childPath) / sizeof(childPath[0]),
                 NS_T("%s/%s")"%s/%s", path, entry->d_name);
    // There is no need to check the return value of this call since this
    // function is only called after an update is successful and there is not
    // much that can be done to recover if it isn't successful. There is also
    // no need to log the value since it will have already been logged.
    remove_recursive_on_reboot(childPath, deleteDir);
  }
}

NS_tclosedirclosedir(dir);

if (rv == OK0) {
  ensure_write_permissions(path);
  rv = NS_trmdirrmdir(path);
  if (rv) {
    LOG(("remove_recursive_on_reboot: unable to remove directory: " LOG_SUpdateLog::GetPrimaryLog().Printf ("remove_recursive_on_reboot: unable to remove directory: "
 "%s" ", rv: %d, err: %d", path, rv, (*__errno_location ()))
         ", rv: %d, err: %d",UpdateLog::GetPrimaryLog().Printf ("remove_recursive_on_reboot: unable to remove directory: "
 "%s" ", rv: %d, err: %d", path, rv, (*__errno_location ()))
         path, rv, errno))UpdateLog::GetPrimaryLog().Printf ("remove_recursive_on_reboot: unable to remove directory: "
 "%s" ", rv: %d, err: %d", path, rv, (*__errno_location ()));
  }
}
return rv;
1024}
1025#endif

1027//-----------------------------------------------------------------------------

1029// Create a backup of the specified file by renaming it.
1030static int backup_create(const NS_tchar* path) {
NS_tchar backup[MAXPATHLEN4096];
NS_tsnprintfsnprintf(backup, sizeof(backup) / sizeof(backup[0]),
             NS_T("%s")"%s" BACKUP_EXT".moz-backup", path);

return rename_file(path, backup);
1036}

1038// Rename the backup of the specified file that was created by renaming it back
1039// to the original file.
1040static int backup_restore(const NS_tchar* path, const NS_tchar* relPath) {
NS_tchar backup[MAXPATHLEN4096];
NS_tsnprintfsnprintf(backup, sizeof(backup) / sizeof(backup[0]),
             NS_T("%s")"%s" BACKUP_EXT".moz-backup", path);

NS_tchar relBackup[MAXPATHLEN4096];
NS_tsnprintfsnprintf(relBackup, sizeof(relBackup) / sizeof(relBackup[0]),
             NS_T("%s")"%s" BACKUP_EXT".moz-backup", relPath);

if (NS_taccessaccess(backup, F_OK0)) {
  LOG(("backup_restore: backup file doesn't exist: " LOG_S, relBackup))UpdateLog::GetPrimaryLog().Printf ("backup_restore: backup file doesn't exist: "
 "%s", relBackup);
  return OK0;
}

return rename_file(backup, path);
1055}

1057// Discard the backup of the specified file that was created by renaming it.
1058static int backup_discard(const NS_tchar* path, const NS_tchar* relPath) {
NS_tchar backup[MAXPATHLEN4096];
NS_tsnprintfsnprintf(backup, sizeof(backup) / sizeof(backup[0]),
             NS_T("%s")"%s" BACKUP_EXT".moz-backup", path);

NS_tchar relBackup[MAXPATHLEN4096];
NS_tsnprintfsnprintf(relBackup, sizeof(relBackup) / sizeof(relBackup[0]),
             NS_T("%s")"%s" BACKUP_EXT".moz-backup", relPath);

// Nothing to discard
if (NS_taccessaccess(backup, F_OK0)) {
  return OK0;
}

int rv = ensure_remove(backup);
1073#if defined(XP_WIN)
if (rv && !sStagedUpdate && !sReplaceRequest) {
  LOG(("backup_discard: unable to remove: " LOG_S, relBackup))UpdateLog::GetPrimaryLog().Printf ("backup_discard: unable to remove: "
 "%s", relBackup);
  NS_tchar path[MAXPATHLEN4096 + 1];
  GetUUIDTempFilePath(gDeleteDirPath, L"moz", path);
  if (rename_file(backup, path)) {
    LOG(("backup_discard: failed to rename file:" LOG_S ", dst:" LOG_S,UpdateLog::GetPrimaryLog().Printf ("backup_discard: failed to rename file:"
 "%s" ", dst:" "%s", relBackup, relPath)
         relBackup, relPath))UpdateLog::GetPrimaryLog().Printf ("backup_discard: failed to rename file:"
 "%s" ", dst:" "%s", relBackup, relPath);
    return WRITE_ERROR_DELETE_BACKUP69;
  }
  // The MoveFileEx call to remove the file on OS reboot will fail if the
  // process doesn't have write access to the HKEY_LOCAL_MACHINE registry key
  // but this is ok since the installer / uninstaller will delete the
  // directory containing the file along with its contents after an update is
  // applied, on reinstall, and on uninstall.
  if (MoveFileEx(path, nullptr, MOVEFILE_DELAY_UNTIL_REBOOT)) {
    LOG(UpdateLog::GetPrimaryLog().Printf ("backup_discard: file renamed and will be removed on OS "
 "reboot: " "%s", relPath)
        ("backup_discard: file renamed and will be removed on OS "UpdateLog::GetPrimaryLog().Printf ("backup_discard: file renamed and will be removed on OS "
 "reboot: " "%s", relPath)
         "reboot: " LOG_S,UpdateLog::GetPrimaryLog().Printf ("backup_discard: file renamed and will be removed on OS "
 "reboot: " "%s", relPath)
         relPath))UpdateLog::GetPrimaryLog().Printf ("backup_discard: file renamed and will be removed on OS "
 "reboot: " "%s", relPath);
  } else {
    LOG(UpdateLog::GetPrimaryLog().Printf ("backup_discard: failed to schedule OS reboot removal of "
 "file: " "%s", relPath)
        ("backup_discard: failed to schedule OS reboot removal of "UpdateLog::GetPrimaryLog().Printf ("backup_discard: failed to schedule OS reboot removal of "
 "file: " "%s", relPath)
         "file: " LOG_S,UpdateLog::GetPrimaryLog().Printf ("backup_discard: failed to schedule OS reboot removal of "
 "file: " "%s", relPath)
         relPath))UpdateLog::GetPrimaryLog().Printf ("backup_discard: failed to schedule OS reboot removal of "
 "file: " "%s", relPath);
  }
}
1100#else
if (rv) {
  return WRITE_ERROR_DELETE_BACKUP69;
}
1104#endif

return OK0;
1107}

1109// Helper function for post-processing a temporary backup.
1110static void backup_finish(const NS_tchar* path, const NS_tchar* relPath,
                        int status) {
if (status == OK0) {
  backup_discard(path, relPath);
} else {
  backup_restore(path, relPath);
}
1117}

1119//-----------------------------------------------------------------------------

1121static int DoUpdate();

1123class Action {
public:
Action() : mProgressCost(1), mNext(nullptr) {}
virtual ~Action() = default;

virtual int Parse(NS_tchar* line) = 0;

// Do any preprocessing to ensure that the action can be performed.  Execute
// will be called if this Action and all others return OK from this method.
virtual int Prepare() = 0;

// Perform the operation.  Return OK to indicate success.  After all actions
// have been executed, Finish will be called.  A requirement of Execute is
// that its operation be reversable from Finish.
virtual int Execute() = 0;

// Finish is called after execution of all actions.  If status is OK, then
// all actions were successfully executed.  Otherwise, some action failed.
virtual void Finish(int status) = 0;

int mProgressCost;

private:
Action* mNext;

friend class ActionList;
1149};

1151class RemoveFile : public Action {
public:
RemoveFile() : mSkip(0) {}

int Parse(NS_tchar* line) override;
int Prepare() override;
int Execute() override;
void Finish(int status) override;

private:
mozilla::UniquePtr<NS_tchar[]> mFile;
mozilla::UniquePtr<NS_tchar[]> mRelPath;
int mSkip;
1164};

1166int RemoveFile::Parse(NS_tchar* line) {
// format "<deadfile>"

NS_tchar* validPath = get_valid_path(&line);
if (!validPath) {
  return PARSE_ERROR5;
}

mRelPath = mozilla::MakeUnique<NS_tchar[]>(MAXPATHLEN4096);
NS_tstrcpystrcpy(mRelPath.get(), validPath);

mFile.reset(get_full_path(validPath));
if (!mFile) {
  return PARSE_ERROR5;
}

return OK0;
1183}

1185int RemoveFile::Prepare() {
// Skip the file if it already doesn't exist.
int rv = NS_taccessaccess(mFile.get(), F_OK0);
if (rv) {
  mSkip = 1;
  mProgressCost = 0;
  return OK0;
}

LOG(("PREPARE REMOVEFILE " LOG_S, mRelPath.get()))UpdateLog::GetPrimaryLog().Printf ("PREPARE REMOVEFILE " "%s"
, mRelPath.get());

// Make sure that we're actually a file...
struct NS_tstat_tstat fileInfo;
rv = NS_tstatstat(mFile.get(), &fileInfo);
if (rv) {
  LOG(("failed to read file status info: " LOG_S ", err: %d", mFile.get(),UpdateLog::GetPrimaryLog().Printf ("failed to read file status info: "
 "%s" ", err: %d", mFile.get(), (*__errno_location ()))
       errno))UpdateLog::GetPrimaryLog().Printf ("failed to read file status info: "
 "%s" ", err: %d", mFile.get(), (*__errno_location ()));
  return READ_ERROR6;
}

if (!S_ISREG(fileInfo.st_mode)((((fileInfo.st_mode)) & 0170000) == (0100000))) {
  LOG(("path present, but not a file: " LOG_S, mFile.get()))UpdateLog::GetPrimaryLog().Printf ("path present, but not a file: "
 "%s", mFile.get());
  return DELETE_ERROR_EXPECTED_FILE47;
}

NS_tchar* slash = (NS_tchar*)NS_tstrrchrstrrchr(mFile.get(), NS_T('/')'/');
if (slash) {
  *slash = NS_T('\0')'\0';
  rv = NS_taccessaccess(mFile.get(), W_OK2);
  *slash = NS_T('/')'/';
} else {
  rv = NS_taccessaccess(NS_T(".")".", W_OK2);
}

if (rv) {
  LOG(("access failed: %d", errno))UpdateLog::GetPrimaryLog().Printf ("access failed: %d", (*__errno_location
 ()));
  return WRITE_ERROR_FILE_ACCESS_DENIED67;
}

return OK0;
1225}

1227int RemoveFile::Execute() {
if (mSkip) {
  return OK0;
}

LOG(("EXECUTE REMOVEFILE " LOG_S, mRelPath.get()))UpdateLog::GetPrimaryLog().Printf ("EXECUTE REMOVEFILE " "%s"
, mRelPath.get());

// The file is checked for existence here and in Prepare since it might have
// been removed by a separate instruction: bug 311099.
int rv = NS_taccessaccess(mFile.get(), F_OK0);
if (rv) {
  LOG(("file cannot be removed because it does not exist; skipping"))UpdateLog::GetPrimaryLog().Printf ("file cannot be removed because it does not exist; skipping"
);
  mSkip = 1;
  return OK0;
}

if (sStagedUpdate) {
  // Staged updates don't need backup files so just remove it.
  rv = ensure_remove(mFile.get());
  if (rv) {
    return rv;
  }
} else {
  // Rename the old file. It will be removed in Finish.
  rv = backup_create(mFile.get());
  if (rv) {
    LOG(("backup_create failed: %d", rv))UpdateLog::GetPrimaryLog().Printf ("backup_create failed: %d"
, rv);
    return rv;
  }
}

return OK0;
1259}

1261void RemoveFile::Finish(int status) {
if (mSkip) {
  return;
}

LOG(("FINISH REMOVEFILE " LOG_S, mRelPath.get()))UpdateLog::GetPrimaryLog().Printf ("FINISH REMOVEFILE " "%s",
 mRelPath.get());

// Staged updates don't create backup files.
if (!sStagedUpdate) {
  backup_finish(mFile.get(), mRelPath.get(), status);
}
1272}

1274class RemoveDir : public Action {
public:
RemoveDir() : mSkip(0) {}

int Parse(NS_tchar* line) override;
int Prepare() override;  // check that the source dir exists
int Execute() override;
void Finish(int status) override;

private:
mozilla::UniquePtr<NS_tchar[]> mDir;
mozilla::UniquePtr<NS_tchar[]> mRelPath;
int mSkip;
1287};

1289int RemoveDir::Parse(NS_tchar* line) {
// format "<deaddir>/"

NS_tchar* validPath = get_valid_path(&line, true);
if (!validPath) {
  return PARSE_ERROR5;
}

mRelPath = mozilla::MakeUnique<NS_tchar[]>(MAXPATHLEN4096);
NS_tstrcpystrcpy(mRelPath.get(), validPath);

mDir.reset(get_full_path(validPath));
if (!mDir) {
  return PARSE_ERROR5;
}

return OK0;
1306}

1308int RemoveDir::Prepare() {
// We expect the directory to exist if we are to remove it.
int rv = NS_taccessaccess(mDir.get(), F_OK0);
if (rv) {
  mSkip = 1;
  mProgressCost = 0;
  return OK0;
}

LOG(("PREPARE REMOVEDIR " LOG_S "/", mRelPath.get()))UpdateLog::GetPrimaryLog().Printf ("PREPARE REMOVEDIR " "%s" "/"
, mRelPath.get());

// Make sure that we're actually a dir.
struct NS_tstat_tstat dirInfo;
rv = NS_tstatstat(mDir.get(), &dirInfo);
if (rv) {
  LOG(("failed to read directory status info: " LOG_S ", err: %d",UpdateLog::GetPrimaryLog().Printf ("failed to read directory status info: "
 "%s" ", err: %d", mRelPath.get(), (*__errno_location ()))
       mRelPath.get(), errno))UpdateLog::GetPrimaryLog().Printf ("failed to read directory status info: "
 "%s" ", err: %d", mRelPath.get(), (*__errno_location ()));
  return READ_ERROR6;
}

if (!S_ISDIR(dirInfo.st_mode)((((dirInfo.st_mode)) & 0170000) == (0040000))) {
  LOG(("path present, but not a directory: " LOG_S, mRelPath.get()))UpdateLog::GetPrimaryLog().Printf ("path present, but not a directory: "
 "%s", mRelPath.get());
  return DELETE_ERROR_EXPECTED_DIR46;
}

rv = NS_taccessaccess(mDir.get(), W_OK2);
if (rv) {
  LOG(("access failed: %d, %d", rv, errno))UpdateLog::GetPrimaryLog().Printf ("access failed: %d, %d", rv
, (*__errno_location ()));
  return WRITE_ERROR_DIR_ACCESS_DENIED68;
}

return OK0;
1340}

1342int RemoveDir::Execute() {
if (mSkip) {
  return OK0;
}

LOG(("EXECUTE REMOVEDIR " LOG_S "/", mRelPath.get()))UpdateLog::GetPrimaryLog().Printf ("EXECUTE REMOVEDIR " "%s" "/"
, mRelPath.get());

// The directory is checked for existence at every step since it might have
// been removed by a separate instruction: bug 311099.
int rv = NS_taccessaccess(mDir.get(), F_OK0);
if (rv) {
  LOG(("directory no longer exists; skipping"))UpdateLog::GetPrimaryLog().Printf ("directory no longer exists; skipping"
);
  mSkip = 1;
}

return OK0;
1358}

1360void RemoveDir::Finish(int status) {
if (mSkip || status != OK0) {
  return;
}

LOG(("FINISH REMOVEDIR " LOG_S "/", mRelPath.get()))UpdateLog::GetPrimaryLog().Printf ("FINISH REMOVEDIR " "%s" "/"
, mRelPath.get());

// The directory is checked for existence at every step since it might have
// been removed by a separate instruction: bug 311099.
int rv = NS_taccessaccess(mDir.get(), F_OK0);
if (rv) {
  LOG(("directory no longer exists; skipping"))UpdateLog::GetPrimaryLog().Printf ("directory no longer exists; skipping"
);
  return;
}

if (status == OK0) {
  if (NS_trmdirrmdir(mDir.get())) {
    LOG(("non-fatal error removing directory: " LOG_S "/, rv: %d, err: %d",UpdateLog::GetPrimaryLog().Printf ("non-fatal error removing directory: "
 "%s" "/, rv: %d, err: %d", mRelPath.get(), rv, (*__errno_location
 ()))
         mRelPath.get(), rv, errno))UpdateLog::GetPrimaryLog().Printf ("non-fatal error removing directory: "
 "%s" "/, rv: %d, err: %d", mRelPath.get(), rv, (*__errno_location
 ()));
  }
}
1381}

1383class AddFile : public Action {
public:
AddFile() : mAdded(false) {}

int Parse(NS_tchar* line) override;
int Prepare() override;
int Execute() override;
void Finish(int status) override;

private:
mozilla::UniquePtr<NS_tchar[]> mFile;
mozilla::UniquePtr<NS_tchar[]> mRelPath;
bool mAdded;
1396};

1398int AddFile::Parse(NS_tchar* line) {
// format "<newfile>"

NS_tchar* validPath = get_valid_path(&line);
if (!validPath) {
  return PARSE_ERROR5;
}

mRelPath = mozilla::MakeUnique<NS_tchar[]>(MAXPATHLEN4096);
NS_tstrcpystrcpy(mRelPath.get(), validPath);

mFile.reset(get_full_path(validPath));
if (!mFile) {
  return PARSE_ERROR5;
}

return OK0;
1415}

1417int AddFile::Prepare() {
LOG(("PREPARE ADD " LOG_S, mRelPath.get()))UpdateLog::GetPrimaryLog().Printf ("PREPARE ADD " "%s", mRelPath
.get());

return OK0;
1421}

1423int AddFile::Execute() {
LOG(("EXECUTE ADD " LOG_S, mRelPath.get()))UpdateLog::GetPrimaryLog().Printf ("EXECUTE ADD " "%s", mRelPath
.get());

int rv;

// First make sure that we can actually get rid of any existing file.
rv = NS_taccessaccess(mFile.get(), F_OK0);
if (rv == 0) {
  if (sStagedUpdate) {
    // Staged updates don't need backup files so just remove it.
    rv = ensure_remove(mFile.get());
  } else {
    rv = backup_create(mFile.get());
  }
  if (rv) {
    return rv;
  }
} else {
  rv = ensure_parent_dir(mFile.get());
  if (rv) {
    return rv;
  }
}

1447#ifdef XP_WIN
char sourcefile[MAXPATHLEN4096];
if (!WideCharToMultiByte(CP_UTF8, 0, mRelPath.get(), -1, sourcefile,
                         MAXPATHLEN4096, nullptr, nullptr)) {
  LOG(("error converting wchar to utf8: %lu", GetLastError()))UpdateLog::GetPrimaryLog().Printf ("error converting wchar to utf8: %lu"
, GetLastError());
  return STRING_CONVERSION_ERROR16;
}

rv = gArchiveReader.ExtractFile(sourcefile, mFile.get());
1456#else
rv = gArchiveReader.ExtractFile(mRelPath.get(), mFile.get());
1458#endif
if (!rv) {
  mAdded = true;
}
return rv;
1463}

1465void AddFile::Finish(int status) {
LOG(("FINISH ADD " LOG_S, mRelPath.get()))UpdateLog::GetPrimaryLog().Printf ("FINISH ADD " "%s", mRelPath
.get());
// Staged updates don't create backup files.
if (!sStagedUpdate) {
  // When there is an update failure and a file has been added it is removed
  // here since there might not be a backup to replace it.
  if (status && mAdded) {
    if (NS_tremoveremove(mFile.get()) && errno(*__errno_location ()) != ENOENT2) {
      LOG(("non-fatal error after update failure removing added file: " LOG_SUpdateLog::GetPrimaryLog().Printf ("non-fatal error after update failure removing added file: "
 "%s" ", err: %d", mFile.get(), (*__errno_location ()))
           ", err: %d",UpdateLog::GetPrimaryLog().Printf ("non-fatal error after update failure removing added file: "
 "%s" ", err: %d", mFile.get(), (*__errno_location ()))
           mFile.get(), errno))UpdateLog::GetPrimaryLog().Printf ("non-fatal error after update failure removing added file: "
 "%s" ", err: %d", mFile.get(), (*__errno_location ()));
    }
  }
  backup_finish(mFile.get(), mRelPath.get(), status);
}
1480}

1482class PatchFile : public Action {
public:
PatchFile() : mPatchFile(nullptr), mPatchIndex(-1), buf(nullptr) {}

~PatchFile() override;

int Parse(NS_tchar* line) override;
int Prepare() override;  // should check for patch file and for checksum here
int Execute() override;
void Finish(int status) override;

private:
int LoadSourceFile(FILE* ofile);

static int sPatchIndex;

const NS_tchar* mPatchFile;
mozilla::UniquePtr<NS_tchar[]> mFile;
mozilla::UniquePtr<NS_tchar[]> mFileRelPath;
int mPatchIndex;
MBSPatchHeader header;
unsigned char* buf;
NS_tchar spath[MAXPATHLEN4096];
AutoFile mPatchStream;
1506};

1508int PatchFile::sPatchIndex = 0;

1510PatchFile::~PatchFile() {
// Make sure mPatchStream gets unlocked on Windows; the system will do that,
// but not until some indeterminate future time, and we want determinism.
// Normally this happens at the end of Execute, when we close the stream;
// this call is here in case Execute errors out.
1515#ifdef XP_WIN
if (mPatchStream) {
  UnlockFile((HANDLE)_get_osfhandle(fileno(mPatchStream)), 0, 0, -1, -1);
}
1519#endif
// Patch files are written to the <working_dir>/updating directory which is
// removed after the update has finished so don't delete patch files here.

if (buf) {
  free(buf);
}
1526}

1528int PatchFile::LoadSourceFile(FILE* ofile) {
struct stat os;
int rv = fstat(fileno((FILE*)ofile), &os);
if (rv) {
  LOG(("LoadSourceFile: unable to stat destination file: " LOG_S ", "UpdateLog::GetPrimaryLog().Printf ("LoadSourceFile: unable to stat destination file: "
 "%s" ", " "err: %d", mFileRelPath.get(), (*__errno_location (
)))
       "err: %d",UpdateLog::GetPrimaryLog().Printf ("LoadSourceFile: unable to stat destination file: "
 "%s" ", " "err: %d", mFileRelPath.get(), (*__errno_location (
)))
       mFileRelPath.get(), errno))UpdateLog::GetPrimaryLog().Printf ("LoadSourceFile: unable to stat destination file: "
 "%s" ", " "err: %d", mFileRelPath.get(), (*__errno_location (
)));
  return READ_ERROR6;
}

if (uint32_t(os.st_size) != header.slen) {
  LOG(UpdateLog::GetPrimaryLog().Printf ("LoadSourceFile: destination file size %d does not match expected "
 "size %d", uint32_t(os.st_size), header.slen)
      ("LoadSourceFile: destination file size %d does not match expected "UpdateLog::GetPrimaryLog().Printf ("LoadSourceFile: destination file size %d does not match expected "
 "size %d", uint32_t(os.st_size), header.slen)
       "size %d",UpdateLog::GetPrimaryLog().Printf ("LoadSourceFile: destination file size %d does not match expected "
 "size %d", uint32_t(os.st_size), header.slen)
       uint32_t(os.st_size), header.slen))UpdateLog::GetPrimaryLog().Printf ("LoadSourceFile: destination file size %d does not match expected "
 "size %d", uint32_t(os.st_size), header.slen);
  return LOADSOURCE_ERROR_WRONG_SIZE2;
}

buf = (unsigned char*)malloc(header.slen);
if (!buf) {
  return UPDATER_MEM_ERROR13;
}

size_t r = header.slen;
unsigned char* rb = buf;
while (r) {
  const size_t count = mmin(SSIZE_MAX9223372036854775807L, r);
  size_t c = fread(rb, 1, count, ofile);
  if (c != count) {
    LOG(("LoadSourceFile: error reading destination file: " LOG_S,UpdateLog::GetPrimaryLog().Printf ("LoadSourceFile: error reading destination file: "
 "%s", mFileRelPath.get())
         mFileRelPath.get()))UpdateLog::GetPrimaryLog().Printf ("LoadSourceFile: error reading destination file: "
 "%s", mFileRelPath.get());
    return READ_ERROR6;
  }

  r -= c;
  rb += c;
}

// Verify that the contents of the source file correspond to what we expect.

unsigned int crc = crc32(buf, header.slen);

if (crc != header.scrc32) {
  LOG(UpdateLog::GetPrimaryLog().Printf ("LoadSourceFile: destination file crc %d does not match expected "
 "crc %d", crc, header.scrc32)
      ("LoadSourceFile: destination file crc %d does not match expected "UpdateLog::GetPrimaryLog().Printf ("LoadSourceFile: destination file crc %d does not match expected "
 "crc %d", crc, header.scrc32)
       "crc %d",UpdateLog::GetPrimaryLog().Printf ("LoadSourceFile: destination file crc %d does not match expected "
 "crc %d", crc, header.scrc32)
       crc, header.scrc32))UpdateLog::GetPrimaryLog().Printf ("LoadSourceFile: destination file crc %d does not match expected "
 "crc %d", crc, header.scrc32);
  return CRC_ERROR4;
}

return OK0;
1579}

1581int PatchFile::Parse(NS_tchar* line) {
// format "<patchfile>" "<filetopatch>"

// Get the path to the patch file inside of the mar
mPatchFile = mstrtok(kQuote, &line);
if (!mPatchFile) {
  return PARSE_ERROR5;
}

// consume whitespace between args
NS_tchar* q = mstrtok(kQuote, &line);
if (!q) {
  return PARSE_ERROR5;
}

NS_tchar* validPath = get_valid_path(&line);
if (!validPath) {
  return PARSE_ERROR5;
}

mFileRelPath = mozilla::MakeUnique<NS_tchar[]>(MAXPATHLEN4096);
NS_tstrcpystrcpy(mFileRelPath.get(), validPath);

mFile.reset(get_full_path(validPath));
if (!mFile) {
  return PARSE_ERROR5;
}

return OK0;
1610}

1612int PatchFile::Prepare() {
LOG(("PREPARE PATCH " LOG_S, mFileRelPath.get()))UpdateLog::GetPrimaryLog().Printf ("PREPARE PATCH " "%s", mFileRelPath
.get());

// extract the patch to a temporary file
mPatchIndex = sPatchIndex++;

NS_tsnprintfsnprintf(spath, sizeof(spath) / sizeof(spath[0]),
             NS_T("%s/updating/%d.patch")"%s/updating/%d.patch", gWorkingDirPath, mPatchIndex);

// The removal of pre-existing patch files here is in case a previous update
// crashed and left these files behind.
if (NS_tremoveremove(spath) && errno(*__errno_location ()) != ENOENT2) {
  LOG(("failure removing pre-existing patch file: " LOG_S ", err: %d", spath,UpdateLog::GetPrimaryLog().Printf ("failure removing pre-existing patch file: "
 "%s" ", err: %d", spath, (*__errno_location ()))
       errno))UpdateLog::GetPrimaryLog().Printf ("failure removing pre-existing patch file: "
 "%s" ", err: %d", spath, (*__errno_location ()));
  return WRITE_ERROR7;
}

mPatchStream = NS_tfopenfopen(spath, NS_T("wb+")"wb+");
if (!mPatchStream) {
  return WRITE_ERROR7;
}

1634#ifdef XP_WIN
// Lock the patch file, so it can't be messed with between
// when we're done creating it and when we go to apply it.
if (!LockFile((HANDLE)_get_osfhandle(fileno(mPatchStream)), 0, 0, -1, -1)) {
  LOG(("Couldn't lock patch file: %lu", GetLastError()))UpdateLog::GetPrimaryLog().Printf ("Couldn't lock patch file: %lu"
, GetLastError());
  return LOCK_ERROR_PATCH_FILE73;
}

char sourcefile[MAXPATHLEN4096];
if (!WideCharToMultiByte(CP_UTF8, 0, mPatchFile, -1, sourcefile, MAXPATHLEN4096,
                         nullptr, nullptr)) {
  LOG(("error converting wchar to utf8: %lu", GetLastError()))UpdateLog::GetPrimaryLog().Printf ("error converting wchar to utf8: %lu"
, GetLastError());
  return STRING_CONVERSION_ERROR16;
}

int rv = gArchiveReader.ExtractFileToStream(sourcefile, mPatchStream);
1650#else
int rv = gArchiveReader.ExtractFileToStream(mPatchFile, mPatchStream);
1652#endif

return rv;
1655}

1657int PatchFile::Execute() {
LOG(("EXECUTE PATCH " LOG_S, mFileRelPath.get()))UpdateLog::GetPrimaryLog().Printf ("EXECUTE PATCH " "%s", mFileRelPath
.get());

fseek(mPatchStream, 0, SEEK_SET0);

int rv = MBS_ReadHeader(mPatchStream, &header);
if (rv) {
  return rv;
}

FILE* origfile = nullptr;
1668#ifdef XP_WIN
if (NS_tstrcmpstrcmp(mFileRelPath.get(), gCallbackRelPath) == 0) {
  // Read from the copy of the callback when patching since the callback can't
  // be opened for reading to prevent the application from being launched.
  origfile = NS_tfopenfopen(gCallbackBackupPath, NS_T("rb")"rb");
} else {
  origfile = NS_tfopenfopen(mFile.get(), NS_T("rb")"rb");
}
1676#else
origfile = NS_tfopenfopen(mFile.get(), NS_T("rb")"rb");
1678#endif

if (!origfile) {
  LOG(("unable to open destination file: " LOG_S ", err: %d",UpdateLog::GetPrimaryLog().Printf ("unable to open destination file: "
 "%s" ", err: %d", mFileRelPath.get(), (*__errno_location ())
)
       mFileRelPath.get(), errno))UpdateLog::GetPrimaryLog().Printf ("unable to open destination file: "
 "%s" ", err: %d", mFileRelPath.get(), (*__errno_location ())
);
  return READ_ERROR6;
}

rv = LoadSourceFile(origfile);
fclose(origfile);
if (rv) {
  LOG(("LoadSourceFile failed"))UpdateLog::GetPrimaryLog().Printf ("LoadSourceFile failed");
  return rv;
}

// Rename the destination file if it exists before proceeding so it can be
// used to restore the file to its original state if there is an error.
struct NS_tstat_tstat ss;
rv = NS_tstatstat(mFile.get(), &ss);
if (rv) {
  LOG(("failed to read file status info: " LOG_S ", err: %d",UpdateLog::GetPrimaryLog().Printf ("failed to read file status info: "
 "%s" ", err: %d", mFileRelPath.get(), (*__errno_location ())
)
       mFileRelPath.get(), errno))UpdateLog::GetPrimaryLog().Printf ("failed to read file status info: "
 "%s" ", err: %d", mFileRelPath.get(), (*__errno_location ())
);
  return READ_ERROR6;
}

// Staged updates don't need backup files.
if (!sStagedUpdate) {
  rv = backup_create(mFile.get());
  if (rv) {
    return rv;
  }
}

1711#if defined(HAVE_POSIX_FALLOCATE1)
AutoFile ofile(ensure_open(mFile.get(), NS_T("wb+")"wb+", ss.st_mode));
posix_fallocate(fileno((FILE*)ofile), 0, header.dlen);
1714#elif defined(XP_WIN)
bool shouldTruncate = true;
// Creating the file, setting the size, and then closing the file handle
// lessens fragmentation more than any other method tested. Other methods that
// have been tested are:
// 1. _chsize / _chsize_s reduced fragmentation though not completely.
// 2. _get_osfhandle and then setting the size reduced fragmentation though
//    not completely. There are also reports of _get_osfhandle failing on
//    mingw.
HANDLE hfile = CreateFileW(mFile.get(), GENERIC_WRITE, 0, nullptr,
                           CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, nullptr);

if (hfile != INVALID_HANDLE_VALUE) {
  if (SetFilePointer(hfile, header.dlen, nullptr, FILE_BEGIN) !=
          INVALID_SET_FILE_POINTER &&
      SetEndOfFile(hfile) != 0) {
    shouldTruncate = false;
  }
  CloseHandle(hfile);
}

AutoFile ofile(ensure_open(
    mFile.get(), shouldTruncate ? NS_T("wb+")"wb+" : NS_T("rb+")"rb+", ss.st_mode));
1737#elif defined(XP_MACOSX)
AutoFile ofile(ensure_open(mFile.get(), NS_T("wb+")"wb+", ss.st_mode));
// Modified code from FileUtils.cpp
fstore_t store = {F_ALLOCATECONTIG, F_PEOFPOSMODE, 0, header.dlen};
// Try to get a continous chunk of disk space
rv = fcntl(fileno((FILE*)ofile), F_PREALLOCATE, &store);
if (rv == -1) {
  // OK, perhaps we are too fragmented, allocate non-continuous
  store.fst_flags = F_ALLOCATEALL;
  rv = fcntl(fileno((FILE*)ofile), F_PREALLOCATE, &store);
}

if (rv != -1) {
  ftruncate(fileno((FILE*)ofile), header.dlen);
}
1752#else
AutoFile ofile(ensure_open(mFile.get(), NS_T("wb+")"wb+", ss.st_mode));
1754#endif

if (ofile == nullptr) {
  LOG(("unable to create new file: " LOG_S ", err: %d", mFileRelPath.get(),UpdateLog::GetPrimaryLog().Printf ("unable to create new file: "
 "%s" ", err: %d", mFileRelPath.get(), (*__errno_location ())
)
       errno))UpdateLog::GetPrimaryLog().Printf ("unable to create new file: "
 "%s" ", err: %d", mFileRelPath.get(), (*__errno_location ())
);
  return WRITE_ERROR_OPEN_PATCH_FILE63;
}

1762#ifdef XP_WIN
if (!shouldTruncate) {
  fseek(ofile, 0, SEEK_SET0);
}
1766#endif

rv = MBS_ApplyPatch(&header, mPatchStream, buf, ofile);

// Go ahead and do a bit of cleanup now to minimize runtime overhead.
// Make sure mPatchStream gets unlocked on Windows; the system will do that,
// but not until some indeterminate future time, and we want determinism.
1773#ifdef XP_WIN
UnlockFile((HANDLE)_get_osfhandle(fileno(mPatchStream)), 0, 0, -1, -1);
1775#endif
// Set mPatchStream to nullptr to make AutoFile close the file,
// so it can be deleted on Windows.
mPatchStream = nullptr;
// Patch files are written to the <working_dir>/updating directory which is
// removed after the update has finished so don't delete patch files here.
spath[0] = NS_T('\0')'\0';
free(buf);
buf = nullptr;

return rv;
1786}

1788void PatchFile::Finish(int status) {
LOG(("FINISH PATCH " LOG_S, mFileRelPath.get()))UpdateLog::GetPrimaryLog().Printf ("FINISH PATCH " "%s", mFileRelPath
.get());

// Staged updates don't create backup files.
if (!sStagedUpdate) {
  backup_finish(mFile.get(), mFileRelPath.get(), status);
}
1795}

1797class AddIfFile : public AddFile {
public:
int Parse(NS_tchar* line) override;
int Prepare() override;
int Execute() override;
void Finish(int status) override;

protected:
mozilla::UniquePtr<NS_tchar[]> mTestFile;
1806};

1808int AddIfFile::Parse(NS_tchar* line) {
// format "<testfile>" "<newfile>"

mTestFile.reset(get_full_path(get_valid_path(&line)));
if (!mTestFile) {
  return PARSE_ERROR5;
}

// consume whitespace between args
NS_tchar* q = mstrtok(kQuote, &line);
if (!q) {
  return PARSE_ERROR5;
}

return AddFile::Parse(line);
1823}

1825int AddIfFile::Prepare() {
// If the test file does not exist, then skip this action.
if (NS_taccessaccess(mTestFile.get(), F_OK0)) {
  mTestFile = nullptr;
  return OK0;
}

return AddFile::Prepare();
1833}

1835int AddIfFile::Execute() {
if (!mTestFile) {
  return OK0;
}

return AddFile::Execute();
1841}

1843void AddIfFile::Finish(int status) {
if (!mTestFile) {
  return;
}

AddFile::Finish(status);
1849}

1851class AddIfNotFile : public AddFile {
public:
int Parse(NS_tchar* line) override;
int Prepare() override;
int Execute() override;
void Finish(int status) override;

protected:
mozilla::UniquePtr<NS_tchar[]> mTestFile;
1860};

1862int AddIfNotFile::Parse(NS_tchar* line) {
// format "<testfile>" "<newfile>"

mTestFile.reset(get_full_path(get_valid_path(&line)));
if (!mTestFile) {
  return PARSE_ERROR5;
}

// consume whitespace between args
NS_tchar* q = mstrtok(kQuote, &line);
if (!q) {
  return PARSE_ERROR5;
}

return AddFile::Parse(line);
1877}

1879int AddIfNotFile::Prepare() {
// If the test file exists, then skip this action.
if (!NS_taccessaccess(mTestFile.get(), F_OK0)) {
  mTestFile = NULL__null;
  return OK0;
}

return AddFile::Prepare();
1887}

1889int AddIfNotFile::Execute() {
if (!mTestFile) {
  return OK0;
}

return AddFile::Execute();
1895}

1897void AddIfNotFile::Finish(int status) {
if (!mTestFile) {
  return;
}

AddFile::Finish(status);
1903}

1905class PatchIfFile : public PatchFile {
public:
int Parse(NS_tchar* line) override;
int Prepare() override;  // should check for patch file and for checksum here
int Execute() override;
void Finish(int status) override;

private:
mozilla::UniquePtr<NS_tchar[]> mTestFile;
1914};

1916int PatchIfFile::Parse(NS_tchar* line) {
// format "<testfile>" "<patchfile>" "<filetopatch>"

mTestFile.reset(get_full_path(get_valid_path(&line)));
if (!mTestFile) {
  return PARSE_ERROR5;
}

// consume whitespace between args
NS_tchar* q = mstrtok(kQuote, &line);
if (!q) {
  return PARSE_ERROR5;
}

return PatchFile::Parse(line);
1931}

1933int PatchIfFile::Prepare() {
// If the test file does not exist, then skip this action.
if (NS_taccessaccess(mTestFile.get(), F_OK0)) {
  mTestFile = nullptr;
  return OK0;
}

return PatchFile::Prepare();
1941}

1943int PatchIfFile::Execute() {
if (!mTestFile) {
  return OK0;
}

return PatchFile::Execute();
1949}

1951void PatchIfFile::Finish(int status) {
if (!mTestFile) {
  return;
}

PatchFile::Finish(status);
1957}

1959//-----------------------------------------------------------------------------

1961#ifdef XP_WIN
1962#  include "nsWindowsRestart.cpp"
1963#  include "nsWindowsHelpers.h"
1964#  include "uachelper.h"
1965#  ifdef MOZ_MAINTENANCE_SERVICE
1966#    include "pathhash.h"
1967#  endif

1969/**
* Launch the post update application (helper.exe). It takes in the path of the
* callback application to calculate the path of helper.exe. For service updates
* this is called from both the system account and the current user account.
*
* @param  installationDir The path to the callback application binary.
* @param  updateInfoDir   The directory where update info is stored.
* @return true if there was no error starting the process.
*/
1978bool LaunchWinPostProcess(const WCHAR* installationDir,
                        const WCHAR* updateInfoDir) {
WCHAR workingDirectory[MAX_PATH + 1] = {L'\0'};
wcsncpy(workingDirectory, installationDir, MAX_PATH);

// Launch helper.exe to perform post processing (e.g. registry and log file
// modifications) for the update.
WCHAR inifile[MAX_PATH + 1] = {L'\0'};
wcsncpy(inifile, installationDir, MAX_PATH);
if (!PathAppendSafe(inifile, L"updater.ini")) {
  return false;
}

WCHAR exefile[MAX_PATH + 1];
WCHAR exearg[MAX_PATH + 1];
if (!GetPrivateProfileStringW(L"PostUpdateWin", L"ExeRelPath", nullptr,
                              exefile, MAX_PATH + 1, inifile)) {
  return false;
}

if (!GetPrivateProfileStringW(L"PostUpdateWin", L"ExeArg", nullptr, exearg,
                              MAX_PATH + 1, inifile)) {
  return false;
}

// The relative path must not contain directory traversals, current directory,
// or colons.
if (wcsstr(exefile, L"..") != nullptr || wcsstr(exefile, L"./") != nullptr ||
    wcsstr(exefile, L".\\") != nullptr || wcsstr(exefile, L":") != nullptr) {
  return false;
}

// The relative path must not start with a decimal point, backslash, or
// forward slash.
if (exefile[0] == L'.' || exefile[0] == L'\\' || exefile[0] == L'/') {
  return false;
}

WCHAR exefullpath[MAX_PATH + 1] = {L'\0'};
wcsncpy(exefullpath, installationDir, MAX_PATH);
if (!PathAppendSafe(exefullpath, exefile)) {
  return false;
}

if (!IsValidFullPath(exefullpath)) {
  return false;
}

2026#  if !defined(TEST_UPDATER) && defined(MOZ_MAINTENANCE_SERVICE)
if (sUsingService &&
    !DoesBinaryMatchAllowedCertificates(installationDir, exefullpath)) {
  return false;
}
2031#  endif

WCHAR dlogFile[MAX_PATH + 1];
if (!PathGetSiblingFilePath(dlogFile, exefullpath, L"uninstall.update")) {
  return false;
}

WCHAR slogFile[MAX_PATH + 1] = {L'\0'};
if (gCopyOutputFiles) {
  if (!GetSecureOutputFilePath(gPatchDirPath, L".log", slogFile)) {
    return false;
  }
} else {
  wcsncpy(slogFile, updateInfoDir, MAX_PATH);
  if (!PathAppendSafe(slogFile, L"update.log")) {
    return false;
  }
}

WCHAR dummyArg[14] = {L'\0'};
wcsncpy(dummyArg, L"argv0ignored ",
        sizeof(dummyArg) / sizeof(dummyArg[0]) - 1);

size_t len = wcslen(exearg) + wcslen(dummyArg);
WCHAR* cmdline = (WCHAR*)malloc((len + 1) * sizeof(WCHAR));
if (!cmdline) {
  return false;
}

wcsncpy(cmdline, dummyArg, len);
wcscat(cmdline, exearg);

// We want to launch the post update helper app to update the Windows
// registry even if there is a failure with removing the uninstall.update
// file or copying the update.log file.
CopyFileW(slogFile, dlogFile, false);

STARTUPINFOW si = {sizeof(si), 0};
si.lpDesktop = const_cast<LPWSTR>(L"");  // -Wwritable-strings
PROCESS_INFORMATION pi = {0};

bool ok = CreateProcessW(exefullpath, cmdline,
                         nullptr,  // no special security attributes
                         nullptr,  // no special thread attributes
                         false,    // don't inherit filehandles
                         0,        // No special process creation flags
                         nullptr,  // inherit my environment
                         workingDirectory, &si, &pi);
free(cmdline);
if (ok) {
  WaitForSingleObject(pi.hProcess, INFINITE);
  CloseHandle(pi.hProcess);
  CloseHandle(pi.hThread);
}
return ok;
2086}

2088#endif

2090static void LaunchCallbackApp(const NS_tchar* workingDir, int argc,
                            NS_tchar** argv, bool usingService) {
putenv(const_cast<char*>("MOZ_LAUNCHED_CHILD=1"));

// Run from the specified working directory (see bug 312360).
if (NS_tchdirchdir(workingDir) != 0) {
  LOG(("Warning: chdir failed"))UpdateLog::GetPrimaryLog().Printf ("Warning: chdir failed");
}

2099#if defined(USE_EXECV)
execv(argv[0], argv);
2101#elif defined(XP_MACOSX)
LaunchChild(argc, (const char**)argv);
2103#elif defined(XP_WIN)
// Do not allow the callback to run when running an update through the
// service as session 0.  The unelevated updater.exe will do the launching.
if (!usingService) {
  HANDLE hProcess;
  if (WinLaunchChild(argv[0], argc, argv, nullptr, &hProcess)) {
    // Keep the current process around until the callback process has created
    // its message queue, to avoid the launched process's windows being forced
    // into the background.
    mozilla::WaitForInputIdle(hProcess);
    CloseHandle(hProcess);
  }
}
2116#else
2117#  warning "Need implementaton of LaunchCallbackApp"
2118#endif
2119}

2121static bool WriteToFile(const NS_tchar* aFilename, const char* aStatus) {
NS_tchar statusFilePath[MAXPATHLEN4096 + 1] = {NS_T('\0')'\0'};
2123#if defined(XP_WIN)
if (gUseSecureOutputPath) {
  if (!GetSecureOutputFilePath(gPatchDirPath, L".status", statusFilePath)) {
    return false;
  }
} else {
  NS_tsnprintfsnprintf(statusFilePath,
               sizeof(statusFilePath) / sizeof(statusFilePath[0]),
               NS_T("%s\\%s")"%s\\%s", gPatchDirPath, aFilename);
}
2133#else
NS_tsnprintfsnprintf(statusFilePath,
             sizeof(statusFilePath) / sizeof(statusFilePath[0]),
             NS_T("%s/%s")"%s/%s", gPatchDirPath, aFilename);
// Make sure that the directory for the update status file exists
if (ensure_parent_dir(statusFilePath)) {
  return false;
}
2141#endif

AutoFile statusFile(NS_tfopenfopen(statusFilePath, NS_T("wb+")"wb+"));
if (statusFile == nullptr) {
  return false;
}

if (fwrite(aStatus, strlen(aStatus), 1, statusFile) != 1) {
  return false;
}

2152#if defined(XP_WIN)
if (gUseSecureOutputPath) {
  // This is done after the update status file has been written so if the
  // write to the update status file fails an existing update status file
  // won't be used.
  if (!WriteSecureIDFile(gPatchDirPath)) {
    return false;
  }
}
2161#endif

return true;
2164}

2166/**
* Writes a string to the update.status file.
*
* NOTE: All calls to WriteStatusFile MUST happen before calling output_finish
*       because the output_finish function copies the update status file for
*       the elevated updater and writing the status file after calling
*       output_finish will overwrite it.
*
* @param  aStatus
*         The string to write to the update.status file.
* @return true on success.
*/
2178static bool WriteStatusFile(const char* aStatus) {
return WriteToFile(NS_T("update.status")"update.status", aStatus);
2180}

2182/**
* Writes a string to the update.status file based on the status param.
*
* NOTE: All calls to WriteStatusFile MUST happen before calling output_finish
*       because the output_finish function copies the update status file for
*       the elevated updater and writing the status file after calling
*       output_finish will overwrite it.
*
* @param  status
*         A status code used to determine what string to write to the
*         update.status file (see code).
*/
2194static void WriteStatusFile(int status) {
const char* text;

char buf[32];
if (status == OK0) {
  if (sStagedUpdate) {
    text = "applied\n";
  } else {
    text = "succeeded\n";
  }
} else {
  snprintf(buf, sizeof(buf) / sizeof(buf[0]), "failed: %d\n", status);
  text = buf;
}

WriteStatusFile(text);
2210}

2212#if defined(XP_WIN)
2213/*
* Parses the passed contents of an update status file and checks if the
* contained status matches the expected status.
*
* @param  statusString The status file contents.
* @param  expectedStatus The status to compare the update status file's
*                        contents against.
* @param  errorCode Optional out parameter. If a pointer is passed and the
*                   update status file contains an error code, the code
*                   will be returned via the out parameter. If a pointer is
*                   passed and the update status file does not contain an error
*                   code, or any error code after the status could not be
*                   parsed, mozilla::Nothing will be returned via this
*                   parameter.
* @return true if the status is set to the value indicated by expectedStatus.
*/
2229static bool UpdateStatusIs(const char* statusString, const char* expectedStatus,
                         mozilla::Maybe<int>* errorCode = nullptr) {
if (errorCode) {
  *errorCode = mozilla::Nothing();
}

// Parse the update status file. Expected format is:
//   Update status string
//   Optionally followed by:
//     Colon character (':')
//     Space character (' ')
//     Integer error code
//   Newline character
const char* statusEnd = strchr(statusString, ':');
if (statusEnd == nullptr) {
  statusEnd = strchr(statusString, '\n');
}
if (statusEnd == nullptr) {
  statusEnd = strchr(statusString, '\0');
}
size_t statusLen = statusEnd - statusString;
size_t expectedStatusLen = strlen(expectedStatus);

bool statusMatch =
    statusLen == expectedStatusLen &&
    strncmp(statusString, expectedStatus, expectedStatusLen) == 0;

// We only need to continue parsing if (a) there is a place to store the error
// code if we parse it, and (b) there is a status code to parse. If the status
// string didn't end with a ':', there won't be an error code after it.
if (!errorCode || *statusEnd != ':') {
  return statusMatch;
}

const char* errorCodeStart = statusEnd + 1;
char* errorCodeEnd = nullptr;
// strtol skips an arbitrary number of leading whitespace characters. This
// technically allows us to successfully consume slightly misformatted status
// files, since the expected format is for there to be a single space only.
long longErrorCode = strtol(errorCodeStart, &errorCodeEnd, 10);
if (errorCodeEnd != errorCodeStart && longErrorCode < INT_MAX2147483647 &&
    longErrorCode > INT_MIN(-2147483647 -1)) {
  // We don't allow equality with INT_MAX/INT_MIN for two reasons. It could
  // be that, on this platform, INT_MAX/INT_MIN equal LONG_MAX/LONG_MIN, which
  // is what strtol gives us if the parsed value was out of bounds. And those
  // values are already way, way outside the set of valid update error codes
  // anyways.
  errorCode->emplace(static_cast<int>(longErrorCode));
}
return statusMatch;
2279}

2281/*
* Reads the secure update status file and sets statusMatch to true if the
* status matches the expected status that was passed.
*
* @param  expectedStatus The status to compare the update status file's
*                        contents against.
* @param  statusMatch Out parameter for specifying if the status is set to
*                     the value indicated by expectedStatus
* @param  errorCode Optional out parameter. If a pointer is passed and the
*                   update status file contains an error code, the code
*                   will be returned via the out parameter. If a pointer is
*                   passed and the update status file does not contain an error
*                   code, or any error code after the status could not be
*                   parsed, mozilla::Nothing will be returned via this
*                   parameter.
* @return true if the information was retrieved successfully.
*/
2298static bool CompareSecureUpdateStatus(
  const char* expectedStatus, bool& statusMatch,
  mozilla::Maybe<int>* errorCode = nullptr) {
NS_tchar statusFilePath[MAX_PATH + 1] = {L'\0'};
if (!GetSecureOutputFilePath(gPatchDirPath, L".status", statusFilePath)) {
  return false;
}

AutoFile file(NS_tfopenfopen(statusFilePath, NS_T("rb")"rb"));
if (file == nullptr) {
  return false;
}

const size_t bufferLength = 32;
char buf[bufferLength] = {0};
size_t charsRead = fread(buf, sizeof(buf[0]), bufferLength - 1, file);
if (ferror(file)) {
  return false;
}
buf[charsRead] = '\0';

statusMatch = UpdateStatusIs(buf, expectedStatus, errorCode);
return true;
2321}

2323/*
* Reads the secure update status file and sets isSucceeded to true if the
* status is set to succeeded.
*
* @param  isSucceeded Out parameter for specifying if the status
*                     is set to succeeded or not.
* @return true if the information was retrieved successfully.
*/
2331static bool IsSecureUpdateStatusSucceeded(bool& isSucceeded) {
return CompareSecureUpdateStatus("succeeded", isSucceeded);
2333}
2334#endif

2336#ifdef MOZ_MAINTENANCE_SERVICE
2337/*
* Read the update.status file and sets isPendingService to true if
* the status is set to pending-service.
*
* @param  isPendingService Out parameter for specifying if the status
*         is set to pending-service or not.
* @return true if the information was retrieved and it is pending
*         or pending-service.
*/
2346static bool IsUpdateStatusPendingService() {
NS_tchar filename[MAXPATHLEN4096];
NS_tsnprintfsnprintf(filename, sizeof(filename) / sizeof(filename[0]),
             NS_T("%s/update.status")"%s/update.status", gPatchDirPath);

AutoFile file(NS_tfopenfopen(filename, NS_T("rb")"rb"));
if (file == nullptr) {
  return false;
}

const size_t bufferLength = 32;
char buf[bufferLength] = {0};
size_t charsRead = fread(buf, sizeof(buf[0]), bufferLength - 1, file);
if (ferror(file)) {
  return false;
}
buf[charsRead] = '\0';

return UpdateStatusIs(buf, "pending-service") ||
       UpdateStatusIs(buf, "applied-service");
2366}

2368/*
* Reads the secure update status file and sets isFailed to true if the
* status is set to failed.
*
* @param  isFailed Out parameter for specifying if the status
*                  is set to failed or not.
* @param  errorCode Optional out parameter. If a pointer is passed and the
*                   update status file contains an error code, the code
*                   will be returned via the out parameter. If a pointer is
*                   passed and the update status file does not contain an error
*                   code, or any error code after the status could not be
*                   parsed, mozilla::Nothing will be returned via this
*                   parameter.
* @return true if the information was retrieved successfully.
*/
2383static bool IsSecureUpdateStatusFailed(
  bool& isFailed, mozilla::Maybe<int>* errorCode = nullptr) {
return CompareSecureUpdateStatus("failed", isFailed, errorCode);
2386}

2388/**
* This function determines whether the error represented by the passed error
* code could potentially be recovered from or bypassed by updating without
* using the Maintenance Service (i.e. by showing a UAC prompt).
* We don't really want to show a UAC prompt, but it's preferable over the
* manual update doorhanger
*
* @param   errorCode An integer error code from the update.status file. Should
*                    be one of the codes enumerated in updatererrors.h.
* @returns true if the code represents a Maintenance Service specific error.
*          Otherwise, false.
*/
2400static bool IsServiceSpecificErrorCode(int errorCode) {
return ((errorCode >= 24 && errorCode <= 33) ||
        (errorCode >= 49 && errorCode <= 58));
2403}
2404#endif

2406/*
* Copy the entire contents of the application installation directory to the
* destination directory for the update process.
*
* @return 0 if successful, an error code otherwise.
*/
2412static int CopyInstallDirToDestDir() {
// These files should not be copied over to the updated app
2414#ifdef XP_WIN
2415#  define SKIPLIST_COUNT2 3
2416#elif XP_MACOSX
2417#  define SKIPLIST_COUNT2 0
2418#else
2419#  define SKIPLIST_COUNT2 2
2420#endif
copy_recursive_skiplist<SKIPLIST_COUNT2> skiplist;
2422#ifndef XP_MACOSX
skiplist.append(0, gInstallDirPath, NS_T("updated")"updated");
skiplist.append(1, gInstallDirPath, NS_T("updates/0")"updates/0");
2425#  ifdef XP_WIN
skiplist.append(2, gInstallDirPath, NS_T("updated.update_in_progress.lock")"updated.update_in_progress.lock");
2427#  endif
2428#endif

return ensure_copy_recursive(gInstallDirPath, gWorkingDirPath, skiplist);
2431}

2433/*
* Replace the application installation directory with the destination
* directory in order to finish a staged update task
*
* @return 0 if successful, an error code otherwise.
*/
2439static int ProcessReplaceRequest() {
// The replacement algorithm is like this:
// 1. Move destDir to tmpDir.  In case of failure, abort.
// 2. Move newDir to destDir.  In case of failure, revert step 1 and abort.
// 3. Delete tmpDir (or defer it to the next reboot).

2445#ifdef XP_MACOSX
NS_tchar destDir[MAXPATHLEN4096];
NS_tsnprintfsnprintf(destDir, sizeof(destDir) / sizeof(destDir[0]),
             NS_T("%s/Contents")"%s/Contents", gInstallDirPath);
2449#elif XP_WIN
// Windows preserves the case of the file/directory names.  We use the
// GetLongPathName API in order to get the correct case for the directory
// name, so that if the user has used a different case when launching the
// application, the installation directory's name does not change.
NS_tchar destDir[MAXPATHLEN4096];
if (!GetLongPathNameW(gInstallDirPath, destDir,
                      sizeof(destDir) / sizeof(destDir[0]))) {
  return NO_INSTALLDIR_ERROR34;
}
2459#else
NS_tchar* destDir = gInstallDirPath;
2461#endif

NS_tchar tmpDir[MAXPATHLEN4096];
NS_tsnprintfsnprintf(tmpDir, sizeof(tmpDir) / sizeof(tmpDir[0]), NS_T("%s.bak")"%s.bak",
             destDir);

NS_tchar newDir[MAXPATHLEN4096];
NS_tsnprintfsnprintf(newDir, sizeof(newDir) / sizeof(newDir[0]),
2469#ifdef XP_MACOSX
             NS_T("%s/Contents")"%s/Contents", gWorkingDirPath);
2471#else
             NS_T("%s.bak/updated")"%s.bak/updated", gInstallDirPath);
2473#endif

// First try to remove the possibly existing temp directory, because if this
// directory exists, we will fail to rename destDir.
// No need to error check here because if this fails, we will fail in the
// next step anyways.
ensure_remove_recursive(tmpDir);

LOG(("Begin moving destDir (" LOG_S ") to tmpDir (" LOG_S ")", destDir,UpdateLog::GetPrimaryLog().Printf ("Begin moving destDir (" "%s"
 ") to tmpDir (" "%s" ")", destDir, tmpDir)
     tmpDir))UpdateLog::GetPrimaryLog().Printf ("Begin moving destDir (" "%s"
 ") to tmpDir (" "%s" ")", destDir, tmpDir);
int rv = rename_file(destDir, tmpDir, true);
2484#ifdef XP_WIN
// On Windows, if Firefox is launched using the shortcut, it will hold a
// handle to its installation directory open, which might not get released in
// time. Therefore we wait a little bit here to see if the handle is released.
// If it's not released, we just fail to perform the replace request.
const int max_retries = 10;
int retries = 0;
while (rv == WRITE_ERROR7 && (retries++ < max_retries)) {
  LOG(UpdateLog::GetPrimaryLog().Printf ("PerformReplaceRequest: destDir rename attempt %d failed. "
 "File: " "%s" ". Last error: %lu, err: %d", retries, destDir
, GetLastError(), rv)
      ("PerformReplaceRequest: destDir rename attempt %d failed. "UpdateLog::GetPrimaryLog().Printf ("PerformReplaceRequest: destDir rename attempt %d failed. "
 "File: " "%s" ". Last error: %lu, err: %d", retries, destDir
, GetLastError(), rv)
       "File: " LOG_S ". Last error: %lu, err: %d",UpdateLog::GetPrimaryLog().Printf ("PerformReplaceRequest: destDir rename attempt %d failed. "
 "File: " "%s" ". Last error: %lu, err: %d", retries, destDir
, GetLastError(), rv)
       retries, destDir, GetLastError(), rv))UpdateLog::GetPrimaryLog().Printf ("PerformReplaceRequest: destDir rename attempt %d failed. "
 "File: " "%s" ". Last error: %lu, err: %d", retries, destDir
, GetLastError(), rv);

  Sleep(100);

  rv = rename_file(destDir, tmpDir, true);
}
2501#endif
if (rv) {
  // The status file will have 'pending' written to it so there is no value in
  // returning an error specific for this failure.
  LOG(("Moving destDir to tmpDir failed, err: %d", rv))UpdateLog::GetPrimaryLog().Printf ("Moving destDir to tmpDir failed, err: %d"
, rv);
  return rv;
}

LOG(("Begin moving newDir (" LOG_S ") to destDir (" LOG_S ")", newDir,UpdateLog::GetPrimaryLog().Printf ("Begin moving newDir (" "%s"
 ") to destDir (" "%s" ")", newDir, destDir)
     destDir))UpdateLog::GetPrimaryLog().Printf ("Begin moving newDir (" "%s"
 ") to destDir (" "%s" ")", newDir, destDir);
rv = rename_file(newDir, destDir, true);
2512#ifdef XP_MACOSX
if (rv) {
  LOG(("Moving failed. Begin copying newDir (" LOG_S ") to destDir (" LOG_SUpdateLog::GetPrimaryLog().Printf ("Moving failed. Begin copying newDir ("
 "%s" ") to destDir (" "%s" ")", newDir, destDir)
       ")",UpdateLog::GetPrimaryLog().Printf ("Moving failed. Begin copying newDir ("
 "%s" ") to destDir (" "%s" ")", newDir, destDir)
       newDir, destDir))UpdateLog::GetPrimaryLog().Printf ("Moving failed. Begin copying newDir ("
 "%s" ") to destDir (" "%s" ")", newDir, destDir);
  copy_recursive_skiplist<0> skiplist;
  rv = ensure_copy_recursive(newDir, destDir, skiplist);
}
2520#endif
if (rv) {
  LOG(("Moving newDir to destDir failed, err: %d", rv))UpdateLog::GetPrimaryLog().Printf ("Moving newDir to destDir failed, err: %d"
, rv);
  LOG(("Now, try to move tmpDir back to destDir"))UpdateLog::GetPrimaryLog().Printf ("Now, try to move tmpDir back to destDir"
);
  ensure_remove_recursive(destDir);
  int rv2 = rename_file(tmpDir, destDir, true);
  if (rv2) {
    LOG(("Moving tmpDir back to destDir failed, err: %d", rv2))UpdateLog::GetPrimaryLog().Printf ("Moving tmpDir back to destDir failed, err: %d"
, rv2);
  }
  // The status file will be have 'pending' written to it so there is no value
  // in returning an error specific for this failure.
  return rv;
}

2534#if !defined(XP_WIN) && !defined(XP_MACOSX)
// Platforms that have their updates directory in the installation directory
// need to have the last-update.log and backup-update.log files moved from the
// old installation directory to the new installation directory.
NS_tchar tmpLog[MAXPATHLEN4096];
NS_tsnprintfsnprintf(tmpLog, sizeof(tmpLog) / sizeof(tmpLog[0]),
             NS_T("%s/updates/last-update.log")"%s/updates/last-update.log", tmpDir);
if (!NS_taccessaccess(tmpLog, F_OK0)) {
  NS_tchar destLog[MAXPATHLEN4096];
  NS_tsnprintfsnprintf(destLog, sizeof(destLog) / sizeof(destLog[0]),
               NS_T("%s/updates/last-update.log")"%s/updates/last-update.log", destDir);
  if (NS_tremoveremove(destLog) && errno(*__errno_location ()) != ENOENT2) {
    LOG(("non-fatal error removing log file: " LOG_S ", err: %d", destLog,UpdateLog::GetPrimaryLog().Printf ("non-fatal error removing log file: "
 "%s" ", err: %d", destLog, (*__errno_location ()))
         errno))UpdateLog::GetPrimaryLog().Printf ("non-fatal error removing log file: "
 "%s" ", err: %d", destLog, (*__errno_location ()));
  }
  NS_trenamerename(tmpLog, destLog);
}
2551#endif

LOG(("Now, remove the tmpDir"))UpdateLog::GetPrimaryLog().Printf ("Now, remove the tmpDir");
rv = ensure_remove_recursive(tmpDir, true);
if (rv) {
  LOG(("Removing tmpDir failed, err: %d", rv))UpdateLog::GetPrimaryLog().Printf ("Removing tmpDir failed, err: %d"
, rv);
2557#ifdef XP_WIN
  NS_tchar deleteDir[MAXPATHLEN4096];
  NS_tsnprintfsnprintf(deleteDir, sizeof(deleteDir) / sizeof(deleteDir[0]),
               NS_T("%s\\%s")"%s\\%s", destDir, DELETE_DIR);
  // Attempt to remove the tobedeleted directory and then recreate it if it
  // was successfully removed.
  _wrmdir(deleteDir);
  if (NS_taccessaccess(deleteDir, F_OK0)) {
    NS_tmkdirmkdir(deleteDir, 0755);
  }
  remove_recursive_on_reboot(tmpDir, deleteDir);
2568#endif
}

2571#ifdef XP_MACOSX
// On OS X, we we need to remove the staging directory after its Contents
// directory has been moved.
NS_tchar updatedAppDir[MAXPATHLEN4096];
NS_tsnprintfsnprintf(updatedAppDir, sizeof(updatedAppDir) / sizeof(updatedAppDir[0]),
             NS_T("%s/Updated.app")"%s/Updated.app", gPatchDirPath);
ensure_remove_recursive(updatedAppDir);
2578#endif

gSucceeded = true;

return 0;
2583}

2585#if defined(XP_WIN) && defined(MOZ_MAINTENANCE_SERVICE)
2586static void WaitForServiceFinishThread(void* param) {
// We wait at most 10 minutes, we already waited 5 seconds previously
// before deciding to show this UI.
WaitForServiceStop(SVC_NAME, 595);
QuitProgressUI();
2591}
2592#endif

2594#ifdef MOZ_VERIFY_MAR_SIGNATURE1
2595/**
* This function reads in the ACCEPTED_MAR_CHANNEL_IDS from update-settings.ini
*
* @param path    The path to the ini file that is to be read
* @param results A pointer to the location to store the read strings
* @return OK on success
*/
2602static int ReadMARChannelIDs(const NS_tchar* path,
                           MARChannelStringTable* results) {
const unsigned int kNumStrings = 1;
const char* kUpdaterKeys = "ACCEPTED_MAR_CHANNEL_IDS\0";
int result = ReadStrings(path, kUpdaterKeys, kNumStrings,
                         &results->MARChannelID, "Settings");

return result;
2610}
2611#endif

2613static int GetUpdateFileName(NS_tchar* fileName, int maxChars) {
NS_tsnprintfsnprintf(fileName, maxChars, NS_T("%s/update.mar")"%s/update.mar", gPatchDirPath);
return OK0;
2616}

2618static void UpdateThreadFunc(void* param) {
// open ZIP archive and process...
int rv;
if (sReplaceRequest) {
1
Assuming 'sReplaceRequest' is false→
2
←
Taking false branch→
  rv = ProcessReplaceRequest();
} else {
  NS_tchar dataFile[MAXPATHLEN4096];
  rv = GetUpdateFileName(dataFile, sizeof(dataFile) / sizeof(dataFile[0]));
  if (rv2.1
'rv' is equal to OK
 == OK0) {
3
←
Taking true branch→
    rv = gArchiveReader.Open(dataFile);
  }

2630#ifdef MOZ_VERIFY_MAR_SIGNATURE1
  if (rv == OK0) {
4
←
Assuming 'rv' is equal to OK→
5
←
Taking true branch→
    rv = gArchiveReader.VerifySignature();
  }

  if (rv == OK0) {
6
←
Assuming 'rv' is equal to OK→
7
←
Taking true branch→
    NS_tchar updateSettingsPath[MAXPATHLEN4096];
    NS_tsnprintfsnprintf(updateSettingsPath,
                 sizeof(updateSettingsPath) / sizeof(updateSettingsPath[0]),
2639#  ifdef XP_MACOSX
                 NS_T("%s/Contents/Resources/update-settings.ini")"%s/Contents/Resources/update-settings.ini",
2641#  else
                 NS_T("%s/update-settings.ini")"%s/update-settings.ini",
2643#  endif
                 gInstallDirPath);
    MARChannelStringTable MARStrings;
    if (ReadMARChannelIDs(updateSettingsPath, &MARStrings) != OK0) {
8
←
Assuming the condition is false→
9
←
Taking false branch→
      rv = UPDATE_SETTINGS_FILE_CHANNEL38;
    } else {
      rv = gArchiveReader.VerifyProductInformation(
          MARStrings.MARChannelID.get(), MOZ_APP_VERSION"120.0a1");
    }
  }
2653#endif

  if (rv == OK0 && sStagedUpdate) {
10
←
Assuming 'rv' is equal to OK→
11
←
Assuming 'sStagedUpdate' is false→
12
←
Taking false branch→
2656#ifdef TEST_UPDATER
    // The MOZ_TEST_SKIP_UPDATE_STAGE environment variable prevents copying
    // the files in dist/bin in the test updater when staging an update since
    // this can cause tests to timeout.
    if (EnvHasValue("MOZ_TEST_SKIP_UPDATE_STAGE")) {
      rv = OK0;
    } else if (EnvHasValue("MOZ_TEST_SLOW_SKIP_UPDATE_STAGE")) {
      // The following is to simulate staging so the UI tests have time to
      // show that the update is being staged.
      NS_tchar continueFilePath[MAXPATHLEN4096] = {NS_T('\0')'\0'};
      NS_tsnprintfsnprintf(continueFilePath,
                   sizeof(continueFilePath) / sizeof(continueFilePath[0]),
                   NS_T("%s/continueStaging")"%s/continueStaging", gInstallDirPath);
      // Use 300 retries for staging requests to lessen the likelihood of
      // tests intermittently failing on verify tasks due to launching the
      // updater. The total time to wait with the default interval of 100 ms
      // is approximately 30 seconds. The total time for tests is longer to
      // account for the extra time it takes for the updater to launch.
      const int max_retries = 300;
      int retries = 0;
      while (retries++ < max_retries) {
2677#  ifdef XP_WIN
        Sleep(100);
2679#  else
        usleep(100000);
2681#  endif
        // Continue after the continue file exists and is removed.
        if (!NS_tremoveremove(continueFilePath)) {
          break;
        }
      }
      rv = OK0;
    } else {
      rv = CopyInstallDirToDestDir();
    }
2691#else
    rv = CopyInstallDirToDestDir();
2693#endif
  }

  if (rv12.1
'rv' is equal to OK
 == OK0) {
13
←
Taking true branch→
    rv = DoUpdate();
14
←
Calling 'DoUpdate'→
    gArchiveReader.Close();
    NS_tchar updatingDir[MAXPATHLEN4096];
    NS_tsnprintfsnprintf(updatingDir, sizeof(updatingDir) / sizeof(updatingDir[0]),
                 NS_T("%s/updating")"%s/updating", gWorkingDirPath);
    ensure_remove_recursive(updatingDir);
  }
}

if (rv && (sReplaceRequest || sStagedUpdate)) {
  ensure_remove_recursive(gWorkingDirPath);
  // When attempting to replace the application, we should fall back
  // to non-staged updates in case of a failure.  We do this by
  // setting the status to pending, exiting the updater, and
  // launching the callback application.  The callback application's
  // startup path will see the pending status, and will start the
  // updater application again in order to apply the update without
  // staging.
  if (sReplaceRequest) {
    WriteStatusFile(sUsingService ? "pending-service" : "pending");
  } else {
    WriteStatusFile(rv);
  }
  LOG(("failed: %d", rv))UpdateLog::GetPrimaryLog().Printf ("failed: %d", rv);
2721#ifdef TEST_UPDATER
  // Some tests need to use --test-process-updates again.
  putenv(const_cast<char*>("MOZ_TEST_PROCESS_UPDATES="));
2724#endif
} else {
2726#ifdef TEST_UPDATER
  const char* forceErrorCodeString = getenv("MOZ_FORCE_ERROR_CODE");
  if (forceErrorCodeString && *forceErrorCodeString) {
    rv = atoi(forceErrorCodeString);
  }
2731#endif
  if (rv) {
    LOG(("failed: %d", rv))UpdateLog::GetPrimaryLog().Printf ("failed: %d", rv);
  } else {
2735#ifdef XP_MACOSX
    // If the update was successful we need to update the timestamp on the
    // top-level Mac OS X bundle directory so that Mac OS X's Launch Services
    // picks up any major changes when the bundle is updated.
    if (!sStagedUpdate && utimes(gInstallDirPath, nullptr) != 0) {
      LOG(("Couldn't set access/modification time on application bundle."))UpdateLog::GetPrimaryLog().Printf ("Couldn't set access/modification time on application bundle."
);
    }
2742#endif
    LOG(("succeeded"))UpdateLog::GetPrimaryLog().Printf ("succeeded");
  }
  WriteStatusFile(rv);
}

LOG(("calling QuitProgressUI"))UpdateLog::GetPrimaryLog().Printf ("calling QuitProgressUI");
QuitProgressUI();
2750}

2752#ifdef XP_MACOSX
2753static void ServeElevatedUpdateThreadFunc(void* param) {
UpdateServerThreadArgs* threadArgs = (UpdateServerThreadArgs*)param;
gSucceeded = ServeElevatedUpdate(threadArgs->argc, threadArgs->argv);
if (!gSucceeded) {
  WriteStatusFile(ELEVATION_CANCELED9);
}
QuitProgressUI();
2760}

2762void freeArguments(int argc, char** argv) {
for (int i = 0; i < argc; i++) {
  free(argv[i]);
}
free(argv);
2767}
2768#endif

2770int LaunchCallbackAndPostProcessApps(int argc, NS_tchar** argv,
                                   int callbackIndex
2772#ifdef XP_WIN
                                   ,
                                   const WCHAR* elevatedLockFilePath,
                                   HANDLE updateLockFileHandle
2776#elif XP_MACOSX
                                   ,
                                   bool isElevated,
                                   mozilla::UniquePtr<UmaskContext>
                                       umaskContext
2781#endif
2782) {
2783#ifdef XP_MACOSX
umaskContext.reset();
2785#endif

if (argc > callbackIndex) {
2788#if defined(XP_WIN)
  if (gSucceeded) {
    if (!LaunchWinPostProcess(gInstallDirPath, gPatchDirPath)) {
      fprintf(stderrstderr, "The post update process was not launched");
    }

2794#  ifdef MOZ_MAINTENANCE_SERVICE
    // The service update will only be executed if it is already installed.
    // For first time installs of the service, the install will happen from
    // the PostUpdate process. We do the service update process here
    // because it's possible we are updating with updater.exe without the
    // service if the service failed to apply the update. We want to update
    // the service to a newer version in that case. If we are not running
    // through the service, then MOZ_USING_SERVICE will not exist.
    if (!sUsingService) {
      StartServiceUpdate(gInstallDirPath);
    }
2805#  endif
  }
  EXIT_WHEN_ELEVATED(elevatedLockFilePath, updateLockFileHandle, 0);
2808#elif XP_MACOSX
  if (!isElevated) {
    if (gSucceeded) {
      LaunchMacPostProcess(gInstallDirPath);
    }
2813#endif

  LaunchCallbackApp(argv[5], argc - callbackIndex, argv + callbackIndex,
                    sUsingService);
2817#ifdef XP_MACOSX
}    // if (!isElevated)
2819#endif /* XP_MACOSX */
2820}
2821return 0;
2822}

2824bool ShouldRunSilently(int argc, NS_tchar** argv) {
2825#ifdef MOZ_BACKGROUNDTASKS1
// If the callback has a --backgroundtask switch, consider it a background
// task. The CheckArg semantics aren't reproduced in full here,
// there's e.g. no check for a parameter and no case-insensitive comparison.
for (int i = 1; i < argc; ++i) {
  if (const auto option = mozilla::internal::ReadAsOption(argv[i])) {
    const NS_tchar* arg = option.value();
    if (NS_tstrcmpstrcmp(arg, NS_T("backgroundtask")"backgroundtask") == 0) {
      return true;
    }
  }
}
2837#endif  // MOZ_BACKGROUNDTASKS

2839#if defined(XP_WIN) || defined(XP_MACOSX)
if (EnvHasValue("MOZ_APP_SILENT_START")) {
  return true;
}
2843#endif

return false;
2846}

2848int NS_mainmain(int argc, NS_tchar** argv) {
2849#ifdef MOZ_MAINTENANCE_SERVICE
sUsingService = EnvHasValue("MOZ_USING_SERVICE");
putenv(const_cast<char*>("MOZ_USING_SERVICE="));
2852#endif

// The callback is the remaining arguments starting at callbackIndex.
// The argument specified by callbackIndex is the callback executable and the
// argument prior to callbackIndex is the working directory.
const int callbackIndex = 6;

// `isDMGInstall` is only ever true for macOS, but we are declaring it here
// to avoid a ton of extra #ifdef's.
bool isDMGInstall = false;

2863#ifdef XP_MACOSX
// We want to control file permissions explicitly, or else we could end up
// corrupting installs for other users on the system. Accordingly, set the
// umask to 0 for all file creations below and reset it on exit. See Bug
// 1337007
mozilla::UniquePtr<UmaskContext> umaskContext(new UmaskContext(0));

bool isElevated =
    strstr(argv[0], "/Library/PrivilegedHelperTools/org.mozilla.updater") !=
    0;
if (isElevated) {
  if (!ObtainUpdaterArguments(&argc, &argv)) {
    // Won't actually get here because ObtainUpdaterArguments will terminate
    // the current process on failure.
    return 1;
  }
}

if (argc == 4 && (strstr(argv[1], "-dmgInstall") != 0)) {
  isDMGInstall = true;
  if (isElevated) {
    PerformInstallationFromDMG(argc, argv);
    freeArguments(argc, argv);
    CleanupElevatedMacUpdate(true);
    return 0;
  }
}
2890#endif

if (!isDMGInstall) {
  // Skip update-related code path for DMG installs.

2895#if defined(MOZ_VERIFY_MAR_SIGNATURE1) && defined(MAR_NSS1)
  // If using NSS for signature verification, initialize NSS but minimize
  // the portion we depend on by avoiding all of the NSS databases.
  if (NSS_NoDB_Init(nullptr) != SECSuccess) {
    PRErrorCode error = PR_GetError();
    fprintf(stderrstderr, "Could not initialize NSS: %s (%d)",
            PR_ErrorToName(error), (int)error);
    _exit(1);
  }
2904#endif

  // To process an update the updater command line must at a minimum have the
  // directory path containing the updater.mar file to process as the first
  // argument, the install directory as the second argument, and the directory
  // to apply the update to as the third argument. When the updater is
  // launched by another process the PID of the parent process should be
  // provided in the optional fourth argument and the updater will wait on the
  // parent process to exit if the value is non-zero and the process is
  // present. This is necessary due to not being able to update files that are
  // in use on Windows. The optional fifth argument is the callback's working
  // directory and the optional sixth argument is the callback path. The
  // callback is the application to launch after updating and it will be
  // launched when these arguments are provided whether the update was
  // successful or not. All remaining arguments are optional and are passed to
  // the callback when it is launched.
  if (argc < 4) {
    fprintf(stderrstderr,
            "Usage: updater patch-dir install-dir apply-to-dir [wait-pid "
            "[callback-working-dir callback-path args...]]\n");
2924#ifdef XP_MACOSX
    if (isElevated) {
      freeArguments(argc, argv);
      CleanupElevatedMacUpdate(true);
    }
2929#endif
    return 1;
  }

2933#if defined(TEST_UPDATER) && defined(XP_WIN)
  // The tests use nsIProcess to launch the updater and it is simpler for the
  // tests to just set an environment variable and have the test updater set
  // the current working directory than it is to set the current working
  // directory in the test itself.
  if (EnvHasValue("CURWORKDIRPATH")) {
    const WCHAR* val = _wgetenv(L"CURWORKDIRPATH");
    NS_tchdirchdir(val);
  }
2942#endif

}  // if (!isDMGInstall)

// The directory containing the update information.
NS_tstrncpystrncpy(gPatchDirPath, argv[1], MAXPATHLEN4096);
gPatchDirPath[MAXPATHLEN4096 - 1] = NS_T('\0')'\0';

2950#ifdef XP_WIN
NS_tchar elevatedLockFilePath[MAXPATHLEN4096] = {NS_T('\0')'\0'};
NS_tsnprintfsnprintf(elevatedLockFilePath,
             sizeof(elevatedLockFilePath) / sizeof(elevatedLockFilePath[0]),
             NS_T("%s\\update_elevated.lock")"%s\\update_elevated.lock", gPatchDirPath);
gUseSecureOutputPath =
    sUsingService || (NS_tremoveremove(elevatedLockFilePath) && errno(*__errno_location ()) != ENOENT2);
2957#endif

if (!isDMGInstall) {
  // This check is also performed in workmonitor.cpp since the maintenance
  // service can be called directly.
  if (!IsValidFullPath(argv[1])) {
    // Since the status file is written to the patch directory and the patch
    // directory is invalid don't write the status file.
    fprintf(stderrstderr,
            "The patch directory path is not valid for this "
            "application (" LOG_S"%s" ")\n",
            argv[1]);
2969#ifdef XP_MACOSX
    if (isElevated) {
      freeArguments(argc, argv);
      CleanupElevatedMacUpdate(true);
    }
2974#endif
    return 1;
  }

  // This check is also performed in workmonitor.cpp since the maintenance
  // service can be called directly.
  if (!IsValidFullPath(argv[2])) {
    WriteStatusFile(INVALID_INSTALL_DIR_PATH_ERROR75);
    fprintf(stderrstderr,
            "The install directory path is not valid for this "
            "application (" LOG_S"%s" ")\n",
            argv[2]);
2986#ifdef XP_MACOSX
    if (isElevated) {
      freeArguments(argc, argv);
      CleanupElevatedMacUpdate(true);
    }
2991#endif
    return 1;
  }

}  // if (!isDMGInstall)

// The directory we're going to update to.
// We copy this string because we need to remove trailing slashes.  The C++
// standard says that it's always safe to write to strings pointed to by argv
// elements, but I don't necessarily believe it.
NS_tstrncpystrncpy(gInstallDirPath, argv[2], MAXPATHLEN4096);
gInstallDirPath[MAXPATHLEN4096 - 1] = NS_T('\0')'\0';
NS_tchar* slash = NS_tstrrchrstrrchr(gInstallDirPath, NS_SLASH'/');
if (slash && !slash[1]) {
  *slash = NS_T('\0')'\0';
}

3008#ifdef XP_WIN
bool useService = false;
bool testOnlyFallbackKeyExists = false;
// Prevent the updater from falling back from updating with the Maintenance
// Service to updating without the Service. Used for Service tests.
// This is set below via the MOZ_NO_SERVICE_FALLBACK environment variable.
bool noServiceFallback = false;
// Force the updater to use the Maintenance Service incorrectly, causing it
// to fail. Used to test the mechanism that allows the updater to fall back
// from using the Maintenance Service to updating without it.
// This is set below via the MOZ_FORCE_SERVICE_FALLBACK environment variable.
bool forceServiceFallback = false;
3020#endif

if (!isDMGInstall) {
3023#ifdef XP_WIN
  // We never want the service to be used unless we build with
  // the maintenance service.
3026#  ifdef MOZ_MAINTENANCE_SERVICE
  useService = IsUpdateStatusPendingService();
3028#    ifdef TEST_UPDATER
  noServiceFallback = EnvHasValue("MOZ_NO_SERVICE_FALLBACK");
  putenv(const_cast<char*>("MOZ_NO_SERVICE_FALLBACK="));
  forceServiceFallback = EnvHasValue("MOZ_FORCE_SERVICE_FALLBACK");
  putenv(const_cast<char*>("MOZ_FORCE_SERVICE_FALLBACK="));
  // Our tests run with a different apply directory for each test.
  // We use this registry key on our test machines to store the
  // allowed name/issuers.
  testOnlyFallbackKeyExists = DoesFallbackKeyExist();
3037#    endif
3038#  endif

  // Remove everything except close window from the context menu
  {
    HKEY hkApp = nullptr;
    RegCreateKeyExW(HKEY_CURRENT_USER, L"Software\\Classes\\Applications", 0,
                    nullptr, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, nullptr,
                    &hkApp, nullptr);
    RegCloseKey(hkApp);
    if (RegCreateKeyExW(HKEY_CURRENT_USER,
                        L"Software\\Classes\\Applications\\updater.exe", 0,
                        nullptr, REG_OPTION_VOLATILE, KEY_SET_VALUE, nullptr,
                        &hkApp, nullptr) == ERROR_SUCCESS) {
      RegSetValueExW(hkApp, L"IsHostApp", 0, REG_NONE, 0, 0);
      RegSetValueExW(hkApp, L"NoOpenWith", 0, REG_NONE, 0, 0);
      RegSetValueExW(hkApp, L"NoStartPage", 0, REG_NONE, 0, 0);
      RegCloseKey(hkApp);
    }
  }
3057#endif

}  // if (!isDMGInstall)

// If there is a PID specified and it is not '0' then wait for the process to
// exit.
NS_tpidint pid = 0;
if (argc > 4) {
  pid = NS_tatoiatoi(argv[4]);
  if (pid == -1) {
    // This is a signal from the parent process that the updater should stage
    // the update.
    sStagedUpdate = true;
  } else if (NS_tstrstrstrstr(argv[4], NS_T("/replace")"/replace")) {
    // We're processing a request to replace the application with a staged
    // update.
    sReplaceRequest = true;
  }
}

if (!isDMGInstall) {
  // This check is also performed in workmonitor.cpp since the maintenance
  // service can be called directly.
  if (!IsValidFullPath(argv[3])) {
    WriteStatusFile(INVALID_WORKING_DIR_PATH_ERROR76);
    fprintf(stderrstderr,
            "The working directory path is not valid for this "
            "application (" LOG_S"%s" ")\n",
            argv[3]);
3086#ifdef XP_MACOSX
    if (isElevated) {
      freeArguments(argc, argv);
      CleanupElevatedMacUpdate(true);
    }
3091#endif
    return 1;
  }
  // The directory we're going to update to.
  // We copy this string because we need to remove trailing slashes.  The C++
  // standard says that it's always safe to write to strings pointed to by
  // argv elements, but I don't necessarily believe it.
  NS_tstrncpystrncpy(gWorkingDirPath, argv[3], MAXPATHLEN4096);
  gWorkingDirPath[MAXPATHLEN4096 - 1] = NS_T('\0')'\0';
  slash = NS_tstrrchrstrrchr(gWorkingDirPath, NS_SLASH'/');
  if (slash && !slash[1]) {
    *slash = NS_T('\0')'\0';
  }

  if (argc > callbackIndex) {
    if (!IsValidFullPath(argv[callbackIndex])) {
      WriteStatusFile(INVALID_CALLBACK_PATH_ERROR77);
      fprintf(stderrstderr,
              "The callback file path is not valid for this "
              "application (" LOG_S"%s" ")\n",
              argv[callbackIndex]);
3112#ifdef XP_MACOSX
      if (isElevated) {
        freeArguments(argc, argv);
        CleanupElevatedMacUpdate(true);
      }
3117#endif
      return 1;
    }

    size_t len = NS_tstrlenstrlen(gInstallDirPath);
    NS_tchar callbackInstallDir[MAXPATHLEN4096] = {NS_T('\0')'\0'};
    NS_tstrncpystrncpy(callbackInstallDir, argv[callbackIndex], len);
    if (NS_tstrcmpstrcmp(gInstallDirPath, callbackInstallDir) != 0) {
      WriteStatusFile(INVALID_CALLBACK_DIR_ERROR78);
      fprintf(stderrstderr,
              "The callback file must be located in the "
              "installation directory (" LOG_S"%s" ")\n",
              argv[callbackIndex]);
3130#ifdef XP_MACOSX
      if (isElevated) {
        freeArguments(argc, argv);
        CleanupElevatedMacUpdate(true);
      }
3135#endif
      return 1;
    }

    sUpdateSilently =
        ShouldRunSilently(argc - callbackIndex, argv + callbackIndex);
  }

}  // if (!isDMGInstall)

if (!sUpdateSilently && !isDMGInstall
3146#ifdef XP_MACOSX
    && !isElevated
3148#endif
) {
  InitProgressUI(&argc, &argv);
}

3153#ifdef XP_MACOSX
if (!isElevated && (!IsRecursivelyWritable(argv[2]) || isDMGInstall)) {
  // If the app directory isn't recursively writeable or if this is a DMG
  // install, an elevated helper process is required.
  if (sUpdateSilently) {
    // An elevated update always requires an elevation dialog, so if we are
    // updating silently, don't do an elevated update.
    // This means that we cannot successfully perform silent updates from
    // non-admin accounts on a Mac.
    // It also means that we cannot silently perform the first update by an
    // admin who was not the installing user. Once the first update has been
    // installed, the permissions of the installation directory should be
    // changed such that we don't need to elevate in the future.
    // Firefox shouldn't actually launch the updater at all in this case. This
    // is defense in depth.
    WriteStatusFile(SILENT_UPDATE_NEEDED_ELEVATION_ERROR105);
    fprintf(stderrstderr,
            "Skipping update to avoid elevation prompt from silent update.");
  } else {
    UpdateServerThreadArgs threadArgs;
    threadArgs.argc = argc;
    threadArgs.argv = const_cast<const NS_tchar**>(argv);

    Thread t1;
    if (t1.Run(ServeElevatedUpdateThreadFunc, &threadArgs) == 0) {
      // Show an indeterminate progress bar while an elevated update is in
      // progress.
      if (!isDMGInstall) {
        ShowProgressUI(true);
      }
    }
    t1.Join();
  }

  LaunchCallbackAndPostProcessApps(argc, argv, callbackIndex, false,
                                   std::move(umaskContext));
  return gSucceeded ? 0 : 1;
}
3191#endif

3193#ifdef XP_WIN
HANDLE updateLockFileHandle = INVALID_HANDLE_VALUE;
3195#endif

if (!isDMGInstall) {
  NS_tchar logFilePath[MAXPATHLEN4096 + 1] = {L'\0'};
3199#ifdef XP_WIN
  if (gUseSecureOutputPath) {
    // Remove the secure output files so it is easier to determine when new
    // files are created in the unelevated updater.
    RemoveSecureOutputFiles(gPatchDirPath);

    (void)GetSecureOutputFilePath(gPatchDirPath, L".log", logFilePath);
  } else {
    NS_tsnprintfsnprintf(logFilePath, sizeof(logFilePath) / sizeof(logFilePath[0]),
                 NS_T("%s\\update.log")"%s\\update.log", gPatchDirPath);
  }
3210#else
    NS_tsnprintfsnprintf(logFilePath, sizeof(logFilePath) / sizeof(logFilePath[0]),
                 NS_T("%s/update.log")"%s/update.log", gPatchDirPath);
3213#endif
  LogInit(logFilePath)UpdateLog::GetPrimaryLog().Init(logFilePath);

  if (!WriteStatusFile("applying")) {
    LOG(("failed setting status to 'applying'"))UpdateLog::GetPrimaryLog().Printf ("failed setting status to 'applying'"
);
3218#ifdef XP_MACOSX
    if (isElevated) {
      freeArguments(argc, argv);
      CleanupElevatedMacUpdate(true);
    }
3223#endif
    output_finish();
    return 1;
  }

  if (sStagedUpdate) {
    LOG(("Performing a staged update"))UpdateLog::GetPrimaryLog().Printf ("Performing a staged update"
);
  } else if (sReplaceRequest) {
    LOG(("Performing a replace request"))UpdateLog::GetPrimaryLog().Printf ("Performing a replace request"
);
  }

  LOG(("PATCH DIRECTORY " LOG_S, gPatchDirPath))UpdateLog::GetPrimaryLog().Printf ("PATCH DIRECTORY " "%s", gPatchDirPath
);
  LOG(("INSTALLATION DIRECTORY " LOG_S, gInstallDirPath))UpdateLog::GetPrimaryLog().Printf ("INSTALLATION DIRECTORY " "%s"
, gInstallDirPath);
  LOG(("WORKING DIRECTORY " LOG_S, gWorkingDirPath))UpdateLog::GetPrimaryLog().Printf ("WORKING DIRECTORY " "%s",
 gWorkingDirPath);

3238#if defined(XP_WIN)
  // These checks are also performed in workmonitor.cpp since the maintenance
  // service can be called directly.
  if (_wcsnicmp(gWorkingDirPath, gInstallDirPath, MAX_PATH) != 0) {
    if (!sStagedUpdate && !sReplaceRequest) {
      WriteStatusFile(INVALID_APPLYTO_DIR_ERROR74);
      LOG(UpdateLog::GetPrimaryLog().Printf ("Installation directory and working directory must be the same "
 "for non-staged updates. Exiting.")
          ("Installation directory and working directory must be the same "UpdateLog::GetPrimaryLog().Printf ("Installation directory and working directory must be the same "
 "for non-staged updates. Exiting.")
           "for non-staged updates. Exiting."))UpdateLog::GetPrimaryLog().Printf ("Installation directory and working directory must be the same "
 "for non-staged updates. Exiting.");
      output_finish();
      return 1;
    }

    NS_tchar workingDirParent[MAX_PATH];
    NS_tsnprintfsnprintf(workingDirParent,
                 sizeof(workingDirParent) / sizeof(workingDirParent[0]),
                 NS_T("%s")"%s", gWorkingDirPath);
    if (!PathRemoveFileSpecW(workingDirParent)) {
      WriteStatusFile(REMOVE_FILE_SPEC_ERROR71);
      LOG(("Error calling PathRemoveFileSpecW: %lu", GetLastError()))UpdateLog::GetPrimaryLog().Printf ("Error calling PathRemoveFileSpecW: %lu"
, GetLastError());
      output_finish();
      return 1;
    }

    if (_wcsnicmp(workingDirParent, gInstallDirPath, MAX_PATH) != 0) {
      WriteStatusFile(INVALID_APPLYTO_DIR_STAGED_ERROR72);
      LOG(UpdateLog::GetPrimaryLog().Printf ("The apply-to directory must be the same as or "
 "a child of the installation directory! Exiting.")
          ("The apply-to directory must be the same as or "UpdateLog::GetPrimaryLog().Printf ("The apply-to directory must be the same as or "
 "a child of the installation directory! Exiting.")
           "a child of the installation directory! Exiting."))UpdateLog::GetPrimaryLog().Printf ("The apply-to directory must be the same as or "
 "a child of the installation directory! Exiting.");
      output_finish();
      return 1;
    }
  }
3271#endif

3273#ifdef XP_WIN
  if (pid > 0) {
    HANDLE parent = OpenProcess(SYNCHRONIZE, false, (DWORD)pid);
    // May return nullptr if the parent process has already gone away.
    // Otherwise, wait for the parent process to exit before starting the
    // update.
    if (parent) {
      DWORD waitTime = PARENT_WAIT30000;
3281#  ifdef TEST_UPDATER
      if (EnvHasValue("MOZ_TEST_SHORTER_WAIT_PID")) {
        // Use a shorter time to wait for the PID to exit for the test.
        waitTime = 100;
      }
3286#  endif
      DWORD result = WaitForSingleObject(parent, waitTime);
      CloseHandle(parent);
      if (result != WAIT_OBJECT_0) {
        // Continue to update since the parent application sometimes doesn't
        // exit (see bug 1375242) so any fixes to the parent application will
        // be applied instead of leaving the client in a broken state.
        LOG(("The parent process didn't exit! Continuing with update."))UpdateLog::GetPrimaryLog().Printf ("The parent process didn't exit! Continuing with update."
);
      }
    }
  }
3297#endif

3299#ifdef XP_WIN
  if (sReplaceRequest || sStagedUpdate) {
    // On Windows, when performing a stage or replace request the current
    // working directory for the process must be changed so it isn't locked.
    NS_tchar sysDir[MAX_PATH + 1] = {L'\0'};
    if (GetSystemDirectoryW(sysDir, MAX_PATH + 1)) {
      NS_tchdirchdir(sysDir);
    }
  }

  // lastFallbackError keeps track of the last error for the service not being
  // used, in case of an error when fallback is not enabled we write the
  // error to the update.status file.
  // When fallback is disabled (MOZ_NO_SERVICE_FALLBACK does not exist) then
  // we will instead fallback to not using the service and display a UAC
  // prompt.
  int lastFallbackError = FALLBACKKEY_UNKNOWN_ERROR100;

  // Check whether a second instance of the updater should be launched by the
  // maintenance service or with the 'runas' verb when write access is denied
  // to the installation directory.
  if (!sUsingService &&
      (argc > callbackIndex || sStagedUpdate || sReplaceRequest)) {
    NS_tchar updateLockFilePath[MAXPATHLEN4096];
    if (sStagedUpdate) {
      // When staging an update, the lock file is:
      // <install_dir>\updated.update_in_progress.lock
      NS_tsnprintfsnprintf(updateLockFilePath,
                   sizeof(updateLockFilePath) / sizeof(updateLockFilePath[0]),
                   NS_T("%s/updated.update_in_progress.lock")"%s/updated.update_in_progress.lock",
                   gInstallDirPath);
    } else if (sReplaceRequest) {
      // When processing a replace request, the lock file is:
      // <install_dir>\..\moz_update_in_progress.lock
      NS_tchar installDir[MAXPATHLEN4096];
      NS_tstrcpystrcpy(installDir, gInstallDirPath);
      NS_tchar* slash = (NS_tchar*)NS_tstrrchrstrrchr(installDir, NS_SLASH'/');
      *slash = NS_T('\0')'\0';
      NS_tsnprintfsnprintf(updateLockFilePath,
                   sizeof(updateLockFilePath) / sizeof(updateLockFilePath[0]),
                   NS_T("%s\\moz_update_in_progress.lock")"%s\\moz_update_in_progress.lock", installDir);
    } else {
      // In the non-staging update case, the lock file is:
      // <install_dir>\<app_name>.exe.update_in_progress.lock
      NS_tsnprintfsnprintf(updateLockFilePath,
                   sizeof(updateLockFilePath) / sizeof(updateLockFilePath[0]),
                   NS_T("%s.update_in_progress.lock")"%s.update_in_progress.lock", argv[callbackIndex]);
    }

    // The update_in_progress.lock file should only exist during an update. In
    // case it exists attempt to remove it and exit if that fails to prevent
    // simultaneous updates occurring.
    if (NS_tremoveremove(updateLockFilePath) && errno(*__errno_location ()) != ENOENT2) {
      // Try to fall back to the old way of doing updates if a staged
      // update fails.
      if (sReplaceRequest) {
        // Note that this could fail, but if it does, there isn't too much we
        // can do in order to recover anyways.
        WriteStatusFile("pending");
      } else if (sStagedUpdate) {
        WriteStatusFile(DELETE_ERROR_STAGING_LOCK_FILE44);
      }
      LOG(("Update already in progress! Exiting"))UpdateLog::GetPrimaryLog().Printf ("Update already in progress! Exiting"
);
      output_finish();
      return 1;
    }

    updateLockFileHandle =
        CreateFileW(updateLockFilePath, GENERIC_READ | GENERIC_WRITE, 0,
                    nullptr, OPEN_ALWAYS, FILE_FLAG_DELETE_ON_CLOSE, nullptr);

    // Even if a file has no sharing access, you can still get its attributes
    bool startedFromUnelevatedUpdater =
        GetFileAttributesW(elevatedLockFilePath) != INVALID_FILE_ATTRIBUTES;

    // If we're running from the service, then we were started with the same
    // token as the service so the permissions are already dropped.  If we're
    // running from an elevated updater that was started from an unelevated
    // updater, then we drop the permissions here. We do not drop the
    // permissions on the originally called updater because we use its token
    // to start the callback application.
    if (startedFromUnelevatedUpdater) {
      // Disable every privilege we don't need. Processes started using
      // CreateProcess will use the same token as this process.
      UACHelper::DisablePrivileges(nullptr);
    }

    if (updateLockFileHandle == INVALID_HANDLE_VALUE ||
        (useService && testOnlyFallbackKeyExists &&
         (noServiceFallback || forceServiceFallback))) {
      HANDLE elevatedFileHandle;
      if (NS_tremoveremove(elevatedLockFilePath) && errno(*__errno_location ()) != ENOENT2) {
        LOG(("Unable to create elevated lock file! Exiting"))UpdateLog::GetPrimaryLog().Printf ("Unable to create elevated lock file! Exiting"
);
        output_finish();
        return 1;
      }

      elevatedFileHandle = CreateFileW(
          elevatedLockFilePath, GENERIC_READ | GENERIC_WRITE, 0, nullptr,
          OPEN_ALWAYS, FILE_FLAG_DELETE_ON_CLOSE, nullptr);
      if (elevatedFileHandle == INVALID_HANDLE_VALUE) {
        LOG(("Unable to create elevated lock file! Exiting"))UpdateLog::GetPrimaryLog().Printf ("Unable to create elevated lock file! Exiting"
);
        output_finish();
        return 1;
      }

      auto cmdLine = mozilla::MakeCommandLine(argc - 1, argv + 1);
      if (!cmdLine) {
        CloseHandle(elevatedFileHandle);
        output_finish();
        return 1;
      }

3412#  ifdef MOZ_MAINTENANCE_SERVICE
3413// Only invoke the service for installations in Program Files.
3414// This check is duplicated in workmonitor.cpp because the service can
3415// be invoked directly without going through the updater.
3416#    ifndef TEST_UPDATER
      if (useService) {
        useService = IsProgramFilesPath(gInstallDirPath);
      }
3420#    endif

      // Make sure the path to the updater to use for the update is on local.
      // We do this check to make sure that file locking is available for
      // race condition security checks.
      if (useService) {
        BOOL isLocal = FALSE;
        useService = IsLocalFile(argv[0], isLocal) && isLocal;
      }

      // If we have unprompted elevation we should NOT use the service
      // for the update. Service updates happen with the SYSTEM account
      // which has more privs than we need to update with.
      // Windows 8 provides a user interface so users can configure this
      // behavior and it can be configured in the registry in all Windows
      // versions that support UAC.
      if (useService) {
        BOOL unpromptedElevation;
        if (IsUnpromptedElevation(unpromptedElevation)) {
          useService = !unpromptedElevation;
        }
      }

      // Make sure the service registry entries for the instsallation path
      // are available.  If not don't use the service.
      if (useService) {
        WCHAR maintenanceServiceKey[MAX_PATH + 1];
        if (CalculateRegistryPathFromFilePath(gInstallDirPath,
                                              maintenanceServiceKey)) {
          HKEY baseKey = nullptr;
          if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, maintenanceServiceKey, 0,
                            KEY_READ | KEY_WOW64_64KEY,
                            &baseKey) == ERROR_SUCCESS) {
            RegCloseKey(baseKey);
          } else {
3455#    ifdef TEST_UPDATER
            useService = testOnlyFallbackKeyExists;
3457#    endif
            if (!useService) {
              lastFallbackError = FALLBACKKEY_NOKEY_ERROR102;
            }
          }
        } else {
          useService = false;
          lastFallbackError = FALLBACKKEY_REGPATH_ERROR101;
        }
      }

      // Originally we used to write "pending" to update.status before
      // launching the service command.  This is no longer needed now
      // since the service command is launched from updater.exe.  If anything
      // fails in between, we can fall back to using the normal update process
      // on our own.

      // If we still want to use the service try to launch the service
      // comamnd for the update.
      if (useService) {
        // Get the secure ID before trying to update so it is possible to
        // determine if the updater or the maintenance service has created a
        // new one.
        char uuidStringBefore[UUID_LEN] = {'\0'};
        bool checkID = GetSecureID(uuidStringBefore);
        // Write a catchall service failure status in case it fails without
        // changing the status.
        WriteStatusFile(SERVICE_UPDATE_STATUS_UNCHANGED58);

        int serviceArgc = argc;
        if (forceServiceFallback && serviceArgc > 2) {
          // To force the service to fail, we can just pass it too few
          // arguments. However, we don't want to pass it no arguments,
          // because then it won't have enough information to write out the
          // update status file telling us that it failed.
          serviceArgc = 2;
        }

        // If the update couldn't be started, then set useService to false so
        // we do the update the old way.
        DWORD ret =
            LaunchServiceSoftwareUpdateCommand(serviceArgc, (LPCWSTR*)argv);
        useService = (ret == ERROR_SUCCESS);
        // If the command was launched then wait for the service to be done.
        if (useService) {
          bool showProgressUI = false;
          // Never show the progress UI when staging updates or in a
          // background task.
          if (!sStagedUpdate && !sUpdateSilently) {
            // We need to call this separately instead of allowing
            // ShowProgressUI to initialize the strings because the service
            // will move the ini file out of the way when running updater.
            showProgressUI = !InitProgressUIStrings();
          }

          // Wait for the service to stop for 5 seconds.  If the service
          // has still not stopped then show an indeterminate progress bar.
          DWORD lastState = WaitForServiceStop(SVC_NAME, 5);
          if (lastState != SERVICE_STOPPED) {
            Thread t1;
            if (t1.Run(WaitForServiceFinishThread, nullptr) == 0 &&
                showProgressUI) {
              ShowProgressUI(true, false);
            }
            t1.Join();
          }

          lastState = WaitForServiceStop(SVC_NAME, 1);
          if (lastState != SERVICE_STOPPED) {
            // If the service doesn't stop after 10 minutes there is
            // something seriously wrong.
            lastFallbackError = FALLBACKKEY_SERVICE_NO_STOP_ERROR103;
            useService = false;
          } else {
            // Copy the secure output files if the secure ID has changed.
            gCopyOutputFiles = true;
            char uuidStringAfter[UUID_LEN] = {'\0'};
            if (checkID && GetSecureID(uuidStringAfter) &&
                strncmp(uuidStringBefore, uuidStringAfter,
                        sizeof(uuidStringBefore)) == 0) {
              LOG(UpdateLog::GetPrimaryLog().Printf ("The secure ID hasn't changed after launching the updater "
 "using the service")
                  ("The secure ID hasn't changed after launching the updater "UpdateLog::GetPrimaryLog().Printf ("The secure ID hasn't changed after launching the updater "
 "using the service")
                   "using the service"))UpdateLog::GetPrimaryLog().Printf ("The secure ID hasn't changed after launching the updater "
 "using the service");
              gCopyOutputFiles = false;
            }
            if (gCopyOutputFiles && !sStagedUpdate && !noServiceFallback) {
              // If the Maintenance Service fails for a Service-specific
              // reason, we ought to fall back to attempting to update
              // without the Service.
              // However, we need the secure output files to be able to be
              // check the error code, and we can't fall back when we are
              // staging, because we will need to show a UAC.
              bool updateFailed;
              mozilla::Maybe<int> maybeErrorCode;
              bool success =
                  IsSecureUpdateStatusFailed(updateFailed, &maybeErrorCode);
              if (success && updateFailed && maybeErrorCode.isSome() &&
                  IsServiceSpecificErrorCode(maybeErrorCode.value())) {
                useService = false;
              }
            }
          }
        } else {
          lastFallbackError = FALLBACKKEY_LAUNCH_ERROR104;
        }
      }
3563#  endif

      // If the service can't be used when staging an update, make sure that
      // the UAC prompt is not shown!
      if (!useService && sStagedUpdate) {
        if (updateLockFileHandle != INVALID_HANDLE_VALUE) {
          CloseHandle(updateLockFileHandle);
        }
        // Set an error so the failure is reported. This will be reset
        // to pending so the update can be applied during the next startup,
        // see bug 1552853.
        WriteStatusFile(UNEXPECTED_STAGING_ERROR43);
        LOG(UpdateLog::GetPrimaryLog().Printf ("Non-critical update staging error! Falling back to non-staged "
 "updates and exiting")
            ("Non-critical update staging error! Falling back to non-staged "UpdateLog::GetPrimaryLog().Printf ("Non-critical update staging error! Falling back to non-staged "
 "updates and exiting")
             "updates and exiting"))UpdateLog::GetPrimaryLog().Printf ("Non-critical update staging error! Falling back to non-staged "
 "updates and exiting");
        output_finish();
        // We don't have a callback when staging so we can just exit.
        return 0;
      }

      // If the service can't be used when in a background task, make sure
      // that the UAC prompt is not shown!
      if (!useService && sUpdateSilently) {
        if (updateLockFileHandle != INVALID_HANDLE_VALUE) {
          CloseHandle(updateLockFileHandle);
        }
        // Set an error so we don't get into an update loop when the callback
        // runs. This will be reset to pending by handleUpdateFailure in
        // UpdateService.jsm.
        WriteStatusFile(SILENT_UPDATE_NEEDED_ELEVATION_ERROR105);
        LOG(("Skipping update to avoid UAC prompt from background task."))UpdateLog::GetPrimaryLog().Printf ("Skipping update to avoid UAC prompt from background task."
);
        output_finish();

        LaunchCallbackApp(argv[5], argc - callbackIndex, argv + callbackIndex,
                          sUsingService);
        return 0;
      }

      // If we didn't want to use the service at all, or if an update was
      // already happening, or launching the service command failed, then
      // launch the elevated updater.exe as we do without the service.
      // We don't launch the elevated updater in the case that we did have
      // write access all along because in that case the only reason we're
      // using the service is because we are testing.
      if (!useService && !noServiceFallback &&
          (updateLockFileHandle == INVALID_HANDLE_VALUE ||
           forceServiceFallback)) {
        // Get the secure ID before trying to update so it is possible to
        // determine if the updater has created a new one.
        char uuidStringBefore[UUID_LEN] = {'\0'};
        bool checkID = GetSecureID(uuidStringBefore);
        // Write a catchall failure status in case it fails without changing
        // the status.
        WriteStatusFile(UPDATE_STATUS_UNCHANGED79);

        SHELLEXECUTEINFO sinfo;
        memset(&sinfo, 0, sizeof(SHELLEXECUTEINFO));
        sinfo.cbSize = sizeof(SHELLEXECUTEINFO);
        sinfo.fMask = SEE_MASK_FLAG_NO_UI | SEE_MASK_FLAG_DDEWAIT |
                      SEE_MASK_NOCLOSEPROCESS;
        sinfo.hwnd = nullptr;
        sinfo.lpFile = argv[0];
        sinfo.lpParameters = cmdLine.get();
        if (forceServiceFallback) {
          // In testing, we don't actually want a UAC prompt. We should
          // already have the permissions such that we shouldn't need it.
          // And we don't have a good way of accepting the prompt in
          // automation.
          sinfo.lpVerb = L"open";
          // This handle is what lets the updater that we spawn below know
          // that it's the elevated updater. We are going to close it so that
          // it doesn't know that and will run un-elevated. Doing this make
          // this makes for an imperfect test of the service fallback
          // functionality because it changes how the (usually) elevated
          // updater runs. One of the effects of this is that the secure
          // output files will not be used. So that functionality won't really
          // be covered by testing. But we can't really have the updater run
          // elevated, because that would require a UAC, which we have no way
          // to deal with in automation.
          CloseHandle(elevatedFileHandle);
          // We need to let go of the update lock to let the un-elevated
          // updater we are about to spawn update.
          if (updateLockFileHandle != INVALID_HANDLE_VALUE) {
            CloseHandle(updateLockFileHandle);
          }
        } else {
          sinfo.lpVerb = L"runas";
        }
        sinfo.nShow = SW_SHOWNORMAL;

        bool result = ShellExecuteEx(&sinfo);

        if (result) {
          WaitForSingleObject(sinfo.hProcess, INFINITE);
          CloseHandle(sinfo.hProcess);

          // Copy the secure output files if the secure ID has changed.
          gCopyOutputFiles = true;
          char uuidStringAfter[UUID_LEN] = {'\0'};
          if (checkID && GetSecureID(uuidStringAfter) &&
              strncmp(uuidStringBefore, uuidStringAfter,
                      sizeof(uuidStringBefore)) == 0) {
            LOG(UpdateLog::GetPrimaryLog().Printf ("The secure ID hasn't changed after launching the updater "
 "using runas")
                ("The secure ID hasn't changed after launching the updater "UpdateLog::GetPrimaryLog().Printf ("The secure ID hasn't changed after launching the updater "
 "using runas")
                 "using runas"))UpdateLog::GetPrimaryLog().Printf ("The secure ID hasn't changed after launching the updater "
 "using runas");
            gCopyOutputFiles = false;
          }
        } else {
          // Don't copy the secure output files if the elevation request was
          // canceled since the status file written below is in the patch
          // directory. At this point it should already be set to false and
          // this is set here to make it clear that it should be false at this
          // point and to prevent future changes from regressing this code.
          gCopyOutputFiles = false;
          WriteStatusFile(ELEVATION_CANCELED9);
        }
      }

      // If we started the elevated updater, and it finished, check the secure
      // update status file to make sure that it succeeded, and if it did we
      // need to launch the PostUpdate process in the unelevated updater which
      // is running in the current user's session. Note that we don't need to
      // do this when staging an update since the PostUpdate step runs during
      // the replace request.
      if (!sStagedUpdate) {
        bool updateStatusSucceeded = false;
        if (IsSecureUpdateStatusSucceeded(updateStatusSucceeded) &&
            updateStatusSucceeded) {
          if (!LaunchWinPostProcess(gInstallDirPath, gPatchDirPath)) {
            fprintf(stderrstderr,
                    "The post update process which runs as the user"
                    " for service update could not be launched.");
          }
        }
      }

      CloseHandle(elevatedFileHandle);

      if (updateLockFileHandle != INVALID_HANDLE_VALUE) {
        CloseHandle(updateLockFileHandle);
      }

      if (!useService && noServiceFallback) {
        // When the service command was not launched at all.
        // We should only reach this code path because we had write access
        // all along to the directory and a fallback key existed, and we
        // have fallback disabled (MOZ_NO_SERVICE_FALLBACK env var exists).
        // We only currently use this env var from XPCShell tests.
        gCopyOutputFiles = false;
        WriteStatusFile(lastFallbackError);
      }

      // The logging output needs to be finished before launching the callback
      // application so the update status file contains the value from the
      // secure directory used by the maintenance service and the elevated
      // updater.
      output_finish();
      if (argc > callbackIndex) {
        LaunchCallbackApp(argv[5], argc - callbackIndex, argv + callbackIndex,
                          sUsingService);
      }
      return 0;

      // This is the end of the code block for launching another instance of
      // the updater using either the maintenance service or with the 'runas'
      // verb when the updater doesn't have write access to the installation
      // directory.
    }
    // This is the end of the code block when the updater was not launched by
    // the service that checks whether the updater has write access to the
    // installation directory.
  }
  // If we made it this far this is the updater instance that will perform the
  // actual update and gCopyOutputFiles will be false (e.g. the default
  // value).
3738#endif

  if (sStagedUpdate) {
3741#ifdef TEST_UPDATER
    // This allows testing that the correct UI after an update staging failure
    // that falls back to applying the update on startup. It is simulated due
    // to the difficulty of creating the conditions for this type of staging
    // failure.
    if (EnvHasValue("MOZ_TEST_STAGING_ERROR")) {
3747#  ifdef XP_WIN
      if (updateLockFileHandle != INVALID_HANDLE_VALUE) {
        CloseHandle(updateLockFileHandle);
      }
3751#  endif
      // WRITE_ERROR is one of the cases where the staging failure falls back
      // to applying the update on startup.
      WriteStatusFile(WRITE_ERROR7);
      output_finish();
      return 0;
    }
3758#endif
    // When staging updates, blow away the old installation directory and
    // create it from scratch.
    ensure_remove_recursive(gWorkingDirPath);
  }
  if (!sReplaceRequest) {
    // Try to create the destination directory if it doesn't exist
    int rv = NS_tmkdirmkdir(gWorkingDirPath, 0755);
    if (rv != OK0 && errno(*__errno_location ()) != EEXIST17) {
3767#ifdef XP_MACOSX
      if (isElevated) {
        freeArguments(argc, argv);
        CleanupElevatedMacUpdate(true);
      }
3772#endif
      output_finish();
      return 1;
    }
  }

3778#ifdef XP_WIN
  NS_tchar applyDirLongPath[MAXPATHLEN4096];
  if (!GetLongPathNameW(
          gWorkingDirPath, applyDirLongPath,
          sizeof(applyDirLongPath) / sizeof(applyDirLongPath[0]))) {
    WriteStatusFile(WRITE_ERROR_APPLY_DIR_PATH65);
    LOG(("NS_main: unable to find apply to dir: " LOG_S, gWorkingDirPath))UpdateLog::GetPrimaryLog().Printf ("NS_main: unable to find apply to dir: "
 "%s", gWorkingDirPath);
    output_finish();
    EXIT_WHEN_ELEVATED(elevatedLockFilePath, updateLockFileHandle, 1);
    if (argc > callbackIndex) {
      LaunchCallbackApp(argv[5], argc - callbackIndex, argv + callbackIndex,
                        sUsingService);
    }
    return 1;
  }

  HANDLE callbackFile = INVALID_HANDLE_VALUE;
  if (argc > callbackIndex) {
    // If the callback executable is specified it must exist for a successful
    // update.  It is important we null out the whole buffer here because
    // later we make the assumption that the callback application is inside
    // the apply-to dir.  If we don't have a fully null'ed out buffer it can
    // lead to stack corruption which causes crashes and other problems.
    NS_tchar callbackLongPath[MAXPATHLEN4096];
    ZeroMemory(callbackLongPath, sizeof(callbackLongPath));
    NS_tchar* targetPath = argv[callbackIndex];
    NS_tchar buffer[MAXPATHLEN4096 * 2] = {NS_T('\0')'\0'};
    size_t bufferLeft = MAXPATHLEN4096 * 2;
    if (sReplaceRequest) {
      // In case of replace requests, we should look for the callback file in
      // the destination directory.
      size_t commonPrefixLength =
          PathCommonPrefixW(argv[callbackIndex], gInstallDirPath, nullptr);
      NS_tchar* p = buffer;
      NS_tstrncpystrncpy(p, argv[callbackIndex], commonPrefixLength);
      p += commonPrefixLength;
      bufferLeft -= commonPrefixLength;
      NS_tstrncpystrncpy(p, gInstallDirPath + commonPrefixLength, bufferLeft);

      size_t len = NS_tstrlenstrlen(gInstallDirPath + commonPrefixLength);
      p += len;
      bufferLeft -= len;
      *p = NS_T('\\')'\\';
      ++p;
      bufferLeft--;
      *p = NS_T('\0')'\0';
      NS_tchar installDir[MAXPATHLEN4096];
      NS_tstrcpystrcpy(installDir, gInstallDirPath);
      size_t callbackPrefixLength =
          PathCommonPrefixW(argv[callbackIndex], installDir, nullptr);
      NS_tstrncpystrncpy(p,
                  argv[callbackIndex] +
                      std::max(callbackPrefixLength, commonPrefixLength),
                  bufferLeft);
      targetPath = buffer;
    }
    if (!GetLongPathNameW(
            targetPath, callbackLongPath,
            sizeof(callbackLongPath) / sizeof(callbackLongPath[0]))) {
      WriteStatusFile(WRITE_ERROR_CALLBACK_PATH66);
      LOG(("NS_main: unable to find callback file: " LOG_S, targetPath))UpdateLog::GetPrimaryLog().Printf ("NS_main: unable to find callback file: "
 "%s", targetPath);
      output_finish();
      EXIT_WHEN_ELEVATED(elevatedLockFilePath, updateLockFileHandle, 1);
      if (argc > callbackIndex) {
        LaunchCallbackApp(argv[5], argc - callbackIndex, argv + callbackIndex,
                          sUsingService);
      }
      return 1;
    }

    // Doing this is only necessary when we're actually applying a patch.
    if (!sReplaceRequest) {
      int len = NS_tstrlenstrlen(applyDirLongPath);
      NS_tchar* s = callbackLongPath;
      NS_tchar* d = gCallbackRelPath;
      // advance to the apply to directory and advance past the trailing
      // backslash if present.
      s += len;
      if (*s == NS_T('\\')'\\') {
        ++s;
      }

      // Copy the string and replace backslashes with forward slashes along
      // the way.
      do {
        if (*s == NS_T('\\')'\\') {
          *d = NS_T('/')'/';
        } else {
          *d = *s;
        }
        ++s;
        ++d;
      } while (*s);
      *d = NS_T('\0')'\0';
      ++d;

      const size_t callbackBackupPathBufSize =
          sizeof(gCallbackBackupPath) / sizeof(gCallbackBackupPath[0]);
      const int callbackBackupPathLen =
          NS_tsnprintfsnprintf(gCallbackBackupPath, callbackBackupPathBufSize,
                       NS_T("%s" CALLBACK_BACKUP_EXT)"%s" CALLBACK_BACKUP_EXT, argv[callbackIndex]);

      if (callbackBackupPathLen < 0 ||
          callbackBackupPathLen >=
              static_cast<int>(callbackBackupPathBufSize)) {
        WriteStatusFile(USAGE_ERROR3);
        LOG(("NS_main: callback backup path truncated"))UpdateLog::GetPrimaryLog().Printf ("NS_main: callback backup path truncated"
);
        output_finish();

        // Don't attempt to launch the callback when the callback path is
        // longer than expected.
        EXIT_WHEN_ELEVATED(elevatedLockFilePath, updateLockFileHandle, 1);
        return 1;
      }

      // Make a copy of the callback executable so it can be read when
      // patching.
      if (!CopyFileW(argv[callbackIndex], gCallbackBackupPath, false)) {
        DWORD copyFileError = GetLastError();
        if (copyFileError == ERROR_ACCESS_DENIED) {
          WriteStatusFile(WRITE_ERROR_ACCESS_DENIED35);
        } else {
          WriteStatusFile(WRITE_ERROR_CALLBACK_APP37);
        }
        LOG(("NS_main: failed to copy callback file " LOG_SUpdateLog::GetPrimaryLog().Printf ("NS_main: failed to copy callback file "
 "%s" " into place at " "%s", argv[callbackIndex], gCallbackBackupPath
)
             " into place at " LOG_S,UpdateLog::GetPrimaryLog().Printf ("NS_main: failed to copy callback file "
 "%s" " into place at " "%s", argv[callbackIndex], gCallbackBackupPath
)
             argv[callbackIndex], gCallbackBackupPath))UpdateLog::GetPrimaryLog().Printf ("NS_main: failed to copy callback file "
 "%s" " into place at " "%s", argv[callbackIndex], gCallbackBackupPath
);
        output_finish();
        EXIT_WHEN_ELEVATED(elevatedLockFilePath, updateLockFileHandle, 1);
        LaunchCallbackApp(argv[callbackIndex], argc - callbackIndex,
                          argv + callbackIndex, sUsingService);
        return 1;
      }

      // Since the process may be signaled as exited by WaitForSingleObject
      // before the release of the executable image try to lock the main
      // executable file multiple times before giving up.  If we end up giving
      // up, we won't fail the update.
      const int max_retries = 10;
      int retries = 1;
      DWORD lastWriteError = 0;
      do {
        // By opening a file handle wihout FILE_SHARE_READ to the callback
        // executable, the OS will prevent launching the process while it is
        // being updated.
        callbackFile = CreateFileW(targetPath, DELETE | GENERIC_WRITE,
                                   // allow delete, rename, and write
                                   FILE_SHARE_DELETE | FILE_SHARE_WRITE,
                                   nullptr, OPEN_EXISTING, 0, nullptr);
        if (callbackFile != INVALID_HANDLE_VALUE) {
          break;
        }

        lastWriteError = GetLastError();
        LOG(UpdateLog::GetPrimaryLog().Printf ("NS_main: callback app file open attempt %d failed. "
 "File: " "%s" ". Last error: %lu", retries, targetPath, lastWriteError
)
            ("NS_main: callback app file open attempt %d failed. "UpdateLog::GetPrimaryLog().Printf ("NS_main: callback app file open attempt %d failed. "
 "File: " "%s" ". Last error: %lu", retries, targetPath, lastWriteError
)
             "File: " LOG_S ". Last error: %lu",UpdateLog::GetPrimaryLog().Printf ("NS_main: callback app file open attempt %d failed. "
 "File: " "%s" ". Last error: %lu", retries, targetPath, lastWriteError
)
             retries, targetPath, lastWriteError))UpdateLog::GetPrimaryLog().Printf ("NS_main: callback app file open attempt %d failed. "
 "File: " "%s" ". Last error: %lu", retries, targetPath, lastWriteError
);

        Sleep(100);
      } while (++retries <= max_retries);

      // CreateFileW will fail if the callback executable is already in use.
      if (callbackFile == INVALID_HANDLE_VALUE) {
        bool proceedWithoutExclusive = true;

        // Fail the update if the last error was not a sharing violation.
        if (lastWriteError != ERROR_SHARING_VIOLATION) {
          LOG((UpdateLog::GetPrimaryLog().Printf ( "NS_main: callback app file in use, failed to exclusively open "
 "executable file: " "%s", argv[callbackIndex])
              "NS_main: callback app file in use, failed to exclusively open "UpdateLog::GetPrimaryLog().Printf ( "NS_main: callback app file in use, failed to exclusively open "
 "executable file: " "%s", argv[callbackIndex])
              "executable file: " LOG_S,UpdateLog::GetPrimaryLog().Printf ( "NS_main: callback app file in use, failed to exclusively open "
 "executable file: " "%s", argv[callbackIndex])
              argv[callbackIndex]))UpdateLog::GetPrimaryLog().Printf ( "NS_main: callback app file in use, failed to exclusively open "
 "executable file: " "%s", argv[callbackIndex]);
          if (lastWriteError == ERROR_ACCESS_DENIED) {
            WriteStatusFile(WRITE_ERROR_ACCESS_DENIED35);
          } else {
            WriteStatusFile(WRITE_ERROR_CALLBACK_APP37);
          }

          proceedWithoutExclusive = false;
        }

        // Fail even on sharing violation from a background task, since a
        // background task has a higher risk of interfering with a running
        // app. Note that this does not apply when staging (when an exclusive
        // lock isn't necessary), as there is no callback.
        if (lastWriteError == ERROR_SHARING_VIOLATION && sUpdateSilently) {
          LOG((UpdateLog::GetPrimaryLog().Printf ( "NS_main: callback app file in use, failed to exclusively open "
 "executable file from background task: " "%s", argv[callbackIndex
])
              "NS_main: callback app file in use, failed to exclusively open "UpdateLog::GetPrimaryLog().Printf ( "NS_main: callback app file in use, failed to exclusively open "
 "executable file from background task: " "%s", argv[callbackIndex
])
              "executable file from background task: " LOG_S,UpdateLog::GetPrimaryLog().Printf ( "NS_main: callback app file in use, failed to exclusively open "
 "executable file from background task: " "%s", argv[callbackIndex
])
              argv[callbackIndex]))UpdateLog::GetPrimaryLog().Printf ( "NS_main: callback app file in use, failed to exclusively open "
 "executable file from background task: " "%s", argv[callbackIndex
]);
          WriteStatusFile(WRITE_ERROR_BACKGROUND_TASK_SHARING_VIOLATION106);

          proceedWithoutExclusive = false;
        }

        if (!proceedWithoutExclusive) {
          if (NS_tremoveremove(gCallbackBackupPath) && errno(*__errno_location ()) != ENOENT2) {
            LOG(UpdateLog::GetPrimaryLog().Printf ("NS_main: unable to remove backup of callback app file, "
 "path: " "%s", gCallbackBackupPath)
                ("NS_main: unable to remove backup of callback app file, "UpdateLog::GetPrimaryLog().Printf ("NS_main: unable to remove backup of callback app file, "
 "path: " "%s", gCallbackBackupPath)
                 "path: " LOG_S,UpdateLog::GetPrimaryLog().Printf ("NS_main: unable to remove backup of callback app file, "
 "path: " "%s", gCallbackBackupPath)
                 gCallbackBackupPath))UpdateLog::GetPrimaryLog().Printf ("NS_main: unable to remove backup of callback app file, "
 "path: " "%s", gCallbackBackupPath);
          }
          output_finish();
          EXIT_WHEN_ELEVATED(elevatedLockFilePath, updateLockFileHandle, 1);
          LaunchCallbackApp(argv[5], argc - callbackIndex,
                            argv + callbackIndex, sUsingService);
          return 1;
        }

        LOG(UpdateLog::GetPrimaryLog().Printf ("NS_main: callback app file in use, continuing without "
 "exclusive access for executable file: " "%s", argv[callbackIndex
])
            ("NS_main: callback app file in use, continuing without "UpdateLog::GetPrimaryLog().Printf ("NS_main: callback app file in use, continuing without "
 "exclusive access for executable file: " "%s", argv[callbackIndex
])
             "exclusive access for executable file: " LOG_S,UpdateLog::GetPrimaryLog().Printf ("NS_main: callback app file in use, continuing without "
 "exclusive access for executable file: " "%s", argv[callbackIndex
])
             argv[callbackIndex]))UpdateLog::GetPrimaryLog().Printf ("NS_main: callback app file in use, continuing without "
 "exclusive access for executable file: " "%s", argv[callbackIndex
]);
      }
    }
  }

  // DELETE_DIR is not required when performing a staged update or replace
  // request; it can be used during a replace request but then it doesn't
  // use gDeleteDirPath.
  if (!sStagedUpdate && !sReplaceRequest) {
    // The directory to move files that are in use to on Windows. This
    // directory will be deleted after the update is finished, on OS reboot
    // using MoveFileEx if it contains files that are in use, or by the post
    // update process after the update finishes. On Windows when performing a
    // normal update (e.g. the update is not a staged update and is not a
    // replace request) gWorkingDirPath is the same as gInstallDirPath and
    // gWorkingDirPath is used because it is the destination directory.
    NS_tsnprintfsnprintf(gDeleteDirPath,
                 sizeof(gDeleteDirPath) / sizeof(gDeleteDirPath[0]),
                 NS_T("%s/%s")"%s/%s", gWorkingDirPath, DELETE_DIR);

    if (NS_taccessaccess(gDeleteDirPath, F_OK0)) {
      NS_tmkdirmkdir(gDeleteDirPath, 0755);
    }
  }
4014#endif /* XP_WIN */

  // Run update process on a background thread. ShowProgressUI may return
  // before QuitProgressUI has been called, so wait for UpdateThreadFunc to
  // terminate. Avoid showing the progress UI when staging an update, or if
  // this is an elevated process on OSX.
  Thread t;
  if (t.Run(UpdateThreadFunc, nullptr) == 0) {
    if (!sStagedUpdate && !sReplaceRequest && !sUpdateSilently
4023#ifdef XP_MACOSX
        && !isElevated
4025#endif
    ) {
      ShowProgressUI();
    }
  }
  t.Join();

4032#ifdef XP_WIN
  if (argc > callbackIndex && !sReplaceRequest) {
    if (callbackFile != INVALID_HANDLE_VALUE) {
      CloseHandle(callbackFile);
    }
    // Remove the copy of the callback executable.
    if (NS_tremoveremove(gCallbackBackupPath) && errno(*__errno_location ()) != ENOENT2) {
      LOG(UpdateLog::GetPrimaryLog().Printf ("NS_main: non-fatal error removing backup of callback app file, "
 "path: " "%s", gCallbackBackupPath)
          ("NS_main: non-fatal error removing backup of callback app file, "UpdateLog::GetPrimaryLog().Printf ("NS_main: non-fatal error removing backup of callback app file, "
 "path: " "%s", gCallbackBackupPath)
           "path: " LOG_S,UpdateLog::GetPrimaryLog().Printf ("NS_main: non-fatal error removing backup of callback app file, "
 "path: " "%s", gCallbackBackupPath)
           gCallbackBackupPath))UpdateLog::GetPrimaryLog().Printf ("NS_main: non-fatal error removing backup of callback app file, "
 "path: " "%s", gCallbackBackupPath);
    }
  }

  if (!sStagedUpdate && !sReplaceRequest && _wrmdir(gDeleteDirPath)) {
    LOG(("NS_main: unable to remove directory: " LOG_S ", err: %d",UpdateLog::GetPrimaryLog().Printf ("NS_main: unable to remove directory: "
 "%s" ", err: %d", DELETE_DIR, (*__errno_location ()))
         DELETE_DIR, errno))UpdateLog::GetPrimaryLog().Printf ("NS_main: unable to remove directory: "
 "%s" ", err: %d", DELETE_DIR, (*__errno_location ()));
    // The directory probably couldn't be removed due to it containing files
    // that are in use and will be removed on OS reboot. The call to remove
    // the directory on OS reboot is done after the calls to remove the files
    // so the files are removed first on OS reboot since the directory must be
    // empty for the directory removal to be successful. The MoveFileEx call
    // to remove the directory on OS reboot will fail if the process doesn't
    // have write access to the HKEY_LOCAL_MACHINE registry key but this is ok
    // since the installer / uninstaller will delete the directory along with
    // its contents after an update is applied, on reinstall, and on
    // uninstall.
    if (MoveFileEx(gDeleteDirPath, nullptr, MOVEFILE_DELAY_UNTIL_REBOOT)) {
      LOG(("NS_main: directory will be removed on OS reboot: " LOG_S,UpdateLog::GetPrimaryLog().Printf ("NS_main: directory will be removed on OS reboot: "
 "%s", DELETE_DIR)
           DELETE_DIR))UpdateLog::GetPrimaryLog().Printf ("NS_main: directory will be removed on OS reboot: "
 "%s", DELETE_DIR);
    } else {
      LOG(UpdateLog::GetPrimaryLog().Printf ("NS_main: failed to schedule OS reboot removal of "
 "directory: " "%s", DELETE_DIR)
          ("NS_main: failed to schedule OS reboot removal of "UpdateLog::GetPrimaryLog().Printf ("NS_main: failed to schedule OS reboot removal of "
 "directory: " "%s", DELETE_DIR)
           "directory: " LOG_S,UpdateLog::GetPrimaryLog().Printf ("NS_main: failed to schedule OS reboot removal of "
 "directory: " "%s", DELETE_DIR)
           DELETE_DIR))UpdateLog::GetPrimaryLog().Printf ("NS_main: failed to schedule OS reboot removal of "
 "directory: " "%s", DELETE_DIR);
    }
  }
4069#endif /* XP_WIN */

}  // if (!isDMGInstall)

4073#ifdef XP_MACOSX
if (isElevated) {
  SetGroupOwnershipAndPermissions(gInstallDirPath);
  freeArguments(argc, argv);
  CleanupElevatedMacUpdate(false);
} else if (IsOwnedByGroupAdmin(gInstallDirPath)) {
  // If the group ownership of the Firefox .app bundle was set to the "admin"
  // group during a previous elevated update, we need to ensure that all files
  // in the bundle have group ownership of "admin" as well as write permission
  // for the group to not break updates in the future.
  SetGroupOwnershipAndPermissions(gInstallDirPath);
}
4085#endif /* XP_MACOSX */

output_finish();

int retVal = LaunchCallbackAndPostProcessApps(argc, argv, callbackIndex
4090#ifdef XP_WIN
                                              ,
                                              elevatedLockFilePath,
                                              updateLockFileHandle
4094#elif XP_MACOSX
                                                ,
                                                isElevated,
                                                std::move(umaskContext)
4098#endif
);

return retVal ? retVal : (gSucceeded ? 0 : 1);
4102}

4104class ActionList {
public:
ActionList() : mFirst(nullptr), mLast(nullptr), mCount(0) {}
~ActionList();

void Append(Action* action);
int Prepare();
int Execute();
void Finish(int status);

private:
Action* mFirst;
Action* mLast;
int mCount;
4118};

4120ActionList::~ActionList() {
Action* a = mFirst;
while (a) {
  Action* b = a;
  a = a->mNext;
  delete b;
}
4127}

4129void ActionList::Append(Action* action) {
if (mLast) {
  mLast->mNext = action;
} else {
  mFirst = action;
}

mLast = action;
mCount++;
4138}

4140int ActionList::Prepare() {
// If the action list is empty then we should fail in order to signal that
// something has gone wrong. Otherwise we report success when nothing is
// actually done. See bug 327140.
if (mCount == 0) {
  LOG(("empty action list"))UpdateLog::GetPrimaryLog().Printf ("empty action list");
  return MAR_ERROR_EMPTY_ACTION_LIST1;
}

Action* a = mFirst;
int i = 0;
while (a) {
  int rv = a->Prepare();
  if (rv) {
    return rv;
  }

  float percent = float(++i) / float(mCount);
  UpdateProgressUI(PROGRESS_PREPARE_SIZE20.0f * percent);

  a = a->mNext;
}

return OK0;
4164}

4166int ActionList::Execute() {
int currentProgress = 0, maxProgress = 0;
Action* a = mFirst;
while (a) {
  maxProgress += a->mProgressCost;
  a = a->mNext;
}

a = mFirst;
while (a) {
  int rv = a->Execute();
  if (rv) {
    LOG(("### execution failed"))UpdateLog::GetPrimaryLog().Printf ("### execution failed");
    return rv;
  }

  currentProgress += a->mProgressCost;
  float percent = float(currentProgress) / float(maxProgress);
  UpdateProgressUI(PROGRESS_PREPARE_SIZE20.0f + PROGRESS_EXECUTE_SIZE75.0f * percent);

  a = a->mNext;
}

return OK0;
4190}

4192void ActionList::Finish(int status) {
Action* a = mFirst;
int i = 0;
while (a) {
  a->Finish(status);

  float percent = float(++i) / float(mCount);
  UpdateProgressUI(PROGRESS_PREPARE_SIZE20.0f + PROGRESS_EXECUTE_SIZE75.0f +
                   PROGRESS_FINISH_SIZE5.0f * percent);

  a = a->mNext;
}

if (status == OK0) {
  gSucceeded = true;
}
4208}

4210#ifdef XP_WIN
4211int add_dir_entries(const NS_tchar* dirpath, ActionList* list) {
int rv = OK0;
WIN32_FIND_DATAW finddata;
HANDLE hFindFile;
NS_tchar searchspec[MAXPATHLEN4096];
NS_tchar foundpath[MAXPATHLEN4096];

NS_tsnprintfsnprintf(searchspec, sizeof(searchspec) / sizeof(searchspec[0]),
             NS_T("%s*")"%s*", dirpath);
mozilla::UniquePtr<const NS_tchar> pszSpec(get_full_path(searchspec));

hFindFile = FindFirstFileW(pszSpec.get(), &finddata);
if (hFindFile != INVALID_HANDLE_VALUE) {
  do {
    // Don't process the current or parent directory.
    if (NS_tstrcmpstrcmp(finddata.cFileName, NS_T(".")".") == 0 ||
        NS_tstrcmpstrcmp(finddata.cFileName, NS_T("..")"..") == 0) {
      continue;
    }

    NS_tsnprintfsnprintf(foundpath, sizeof(foundpath) / sizeof(foundpath[0]),
                 NS_T("%s%s")"%s%s", dirpath, finddata.cFileName);
    if (finddata.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
      NS_tsnprintfsnprintf(foundpath, sizeof(foundpath) / sizeof(foundpath[0]),
                   NS_T("%s/")"%s/", foundpath);
      // Recurse into the directory.
      rv = add_dir_entries(foundpath, list);
      if (rv) {
        LOG(("add_dir_entries error: " LOG_S ", err: %d", foundpath, rv))UpdateLog::GetPrimaryLog().Printf ("add_dir_entries error: " "%s"
 ", err: %d", foundpath, rv);
        return rv;
      }
    } else {
      // Add the file to be removed to the ActionList.
      NS_tchar* quotedpath = get_quoted_path(foundpath);
      if (!quotedpath) {
        return PARSE_ERROR5;
      }

      mozilla::UniquePtr<Action> action(new RemoveFile());
      rv = action->Parse(quotedpath);
      if (rv) {
        LOG(("add_dir_entries Parse error on recurse: " LOG_S ", err: %d",UpdateLog::GetPrimaryLog().Printf ("add_dir_entries Parse error on recurse: "
 "%s" ", err: %d", quotedpath, rv)
             quotedpath, rv))UpdateLog::GetPrimaryLog().Printf ("add_dir_entries Parse error on recurse: "
 "%s" ", err: %d", quotedpath, rv);
        free(quotedpath);
        return rv;
      }
      free(quotedpath);

      list->Append(action.release());
    }
  } while (FindNextFileW(hFindFile, &finddata) != 0);

  FindClose(hFindFile);
  {
    // Add the directory to be removed to the ActionList.
    NS_tchar* quotedpath = get_quoted_path(dirpath);
    if (!quotedpath) {
      return PARSE_ERROR5;
    }

    mozilla::UniquePtr<Action> action(new RemoveDir());
    rv = action->Parse(quotedpath);
    if (rv) {
      LOG(("add_dir_entries Parse error on close: " LOG_S ", err: %d",UpdateLog::GetPrimaryLog().Printf ("add_dir_entries Parse error on close: "
 "%s" ", err: %d", quotedpath, rv)
           quotedpath, rv))UpdateLog::GetPrimaryLog().Printf ("add_dir_entries Parse error on close: "
 "%s" ", err: %d", quotedpath, rv);
    } else {
      list->Append(action.release());
    }
    free(quotedpath);
  }
}

return rv;
4284}

4286#elif defined(HAVE_FTS_H1)
int add_dir_entries(const NS_tchar* dirpath, ActionList* list) {
  int rv = OK0;
  FTS* ftsdir;
  FTSENT* ftsdirEntry;
  mozilla::UniquePtr<NS_tchar[]> searchpath(get_full_path(dirpath));

  // Remove the trailing slash so the paths don't contain double slashes. The
  // existence of the slash has already been checked in DoUpdate.
  searchpath[NS_tstrlenstrlen(searchpath.get()) - 1] = NS_T('\0')'\0';
  char* const pathargv[] = {searchpath.get(), nullptr};

  // FTS_NOCHDIR is used so relative paths from the destination directory are
  // returned.
  if (!(ftsdir = fts_open(pathargv,
                          FTS_PHYSICAL0x0010 | FTS_NOSTAT0x0008 | FTS_XDEV0x0040 | FTS_NOCHDIR0x0004,
                          nullptr))) {
    return UNEXPECTED_FILE_OPERATION_ERROR42;
  }

  while ((ftsdirEntry = fts_read(ftsdir)) != nullptr) {
    NS_tchar foundpath[MAXPATHLEN4096];
    NS_tchar* quotedpath = nullptr;
    mozilla::UniquePtr<Action> action;

    switch (ftsdirEntry->fts_info) {
      // Filesystem objects that shouldn't be in the application's directories
      case FTS_SL12:
      case FTS_SLNONE13:
      case FTS_DEFAULT3:
        LOG(("add_dir_entries: found a non-standard file: " LOG_S,UpdateLog::GetPrimaryLog().Printf ("add_dir_entries: found a non-standard file: "
 "%s", ftsdirEntry->fts_path)
             ftsdirEntry->fts_path))UpdateLog::GetPrimaryLog().Printf ("add_dir_entries: found a non-standard file: "
 "%s", ftsdirEntry->fts_path);
        // Fall through and try to remove as a file
        [[fallthrough]];

      // Files
      case FTS_F8:
      case FTS_NSOK11:
        // Add the file to be removed to the ActionList.
        NS_tsnprintfsnprintf(foundpath, sizeof(foundpath) / sizeof(foundpath[0]),
                     NS_T("%s")"%s", ftsdirEntry->fts_accpath);
        quotedpath = get_quoted_path(get_relative_path(foundpath));
        if (!quotedpath) {
          rv = UPDATER_QUOTED_PATH_MEM_ERROR14;
          break;
        }
        action.reset(new RemoveFile());
        rv = action->Parse(quotedpath);
        free(quotedpath);
        if (!rv) {
          list->Append(action.release());
        }
        break;

      // Directories
      case FTS_DP6:
        // Add the directory to be removed to the ActionList.
        NS_tsnprintfsnprintf(foundpath, sizeof(foundpath) / sizeof(foundpath[0]),
                     NS_T("%s/")"%s/", ftsdirEntry->fts_accpath);
        quotedpath = get_quoted_path(get_relative_path(foundpath));
        if (!quotedpath) {
          rv = UPDATER_QUOTED_PATH_MEM_ERROR14;
          break;
        }

        action.reset(new RemoveDir());
        rv = action->Parse(quotedpath);
        free(quotedpath);
        if (!rv) {
          list->Append(action.release());
        }
        break;

      // Errors
      case FTS_DNR4:
      case FTS_NS10:
        // ENOENT is an acceptable error for FTS_DNR and FTS_NS and means that
        // we're racing with ourselves. Though strange, the entry will be
        // removed anyway.
        if (ENOENT2 == ftsdirEntry->fts_errno) {
          rv = OK0;
          break;
        }
        [[fallthrough]];

      case FTS_ERR7:
        rv = UNEXPECTED_FILE_OPERATION_ERROR42;
        LOG(("add_dir_entries: fts_read() error: " LOG_S ", err: %d",UpdateLog::GetPrimaryLog().Printf ("add_dir_entries: fts_read() error: "
 "%s" ", err: %d", ftsdirEntry->fts_path, ftsdirEntry->
fts_errno)
             ftsdirEntry->fts_path, ftsdirEntry->fts_errno))UpdateLog::GetPrimaryLog().Printf ("add_dir_entries: fts_read() error: "
 "%s" ", err: %d", ftsdirEntry->fts_path, ftsdirEntry->
fts_errno);
        break;

      case FTS_DC2:
        rv = UNEXPECTED_FILE_OPERATION_ERROR42;
        LOG(("add_dir_entries: fts_read() returned FT_DC: " LOG_S,UpdateLog::GetPrimaryLog().Printf ("add_dir_entries: fts_read() returned FT_DC: "
 "%s", ftsdirEntry->fts_path)
             ftsdirEntry->fts_path))UpdateLog::GetPrimaryLog().Printf ("add_dir_entries: fts_read() returned FT_DC: "
 "%s", ftsdirEntry->fts_path);
        break;

      default:
        // FTS_D is ignored and FTS_DP is used instead (post-order).
        rv = OK0;
        break;
    }

    if (rv != OK0) {
      break;
    }
  }

  fts_close(ftsdir);

  return rv;
}

4399#else

4401int add_dir_entries(const NS_tchar* dirpath, ActionList* list) {
int rv = OK0;
NS_tchar foundpath[PATH_MAX4096];
struct {
  dirent dent_buffer;
  char chars[NAME_MAX255];
} ent_buf;
struct dirent* ent;
mozilla::UniquePtr<NS_tchar[]> searchpath(get_full_path(dirpath));

DIR* dir = opendir(searchpath.get());
if (!dir) {
  LOG(("add_dir_entries error on opendir: " LOG_S ", err: %d",UpdateLog::GetPrimaryLog().Printf ("add_dir_entries error on opendir: "
 "%s" ", err: %d", searchpath.get(), (*__errno_location ()))
       searchpath.get(), errno))UpdateLog::GetPrimaryLog().Printf ("add_dir_entries error on opendir: "
 "%s" ", err: %d", searchpath.get(), (*__errno_location ()));
  return UNEXPECTED_FILE_OPERATION_ERROR42;
}

while (readdir_r(dir, (dirent*)&ent_buf, &ent) == 0 && ent) {
  if ((strcmp(ent->d_name, ".") == 0) || (strcmp(ent->d_name, "..") == 0)) {
    continue;
  }

  NS_tsnprintfsnprintf(foundpath, sizeof(foundpath) / sizeof(foundpath[0]),
               NS_T("%s%s")"%s%s", searchpath.get(), ent->d_name);
  struct stat64 st_buf;
  int test = stat64(foundpath, &st_buf);
  if (test) {
    closedir(dir);
    return UNEXPECTED_FILE_OPERATION_ERROR42;
  }
  if (S_ISDIR(st_buf.st_mode)((((st_buf.st_mode)) & 0170000) == (0040000))) {
    NS_tsnprintfsnprintf(foundpath, sizeof(foundpath) / sizeof(foundpath[0]),
                 NS_T("%s%s/")"%s%s/", dirpath, ent->d_name);
    // Recurse into the directory.
    rv = add_dir_entries(foundpath, list);
    if (rv) {
      LOG(("add_dir_entries error: " LOG_S ", err: %d", foundpath, rv))UpdateLog::GetPrimaryLog().Printf ("add_dir_entries error: " "%s"
 ", err: %d", foundpath, rv);
      closedir(dir);
      return rv;
    }
  } else {
    // Add the file to be removed to the ActionList.
    NS_tchar* quotedpath = get_quoted_path(get_relative_path(foundpath));
    if (!quotedpath) {
      closedir(dir);
      return PARSE_ERROR5;
    }

    mozilla::UniquePtr<Action> action(new RemoveFile());
    rv = action->Parse(quotedpath);
    if (rv) {
      LOG(("add_dir_entries Parse error on recurse: " LOG_S ", err: %d",UpdateLog::GetPrimaryLog().Printf ("add_dir_entries Parse error on recurse: "
 "%s" ", err: %d", quotedpath, rv)
           quotedpath, rv))UpdateLog::GetPrimaryLog().Printf ("add_dir_entries Parse error on recurse: "
 "%s" ", err: %d", quotedpath, rv);
      free(quotedpath);
      closedir(dir);
      return rv;
    }
    free(quotedpath);

    list->Append(action.release());
  }
}
closedir(dir);

// Add the directory to be removed to the ActionList.
NS_tchar* quotedpath = get_quoted_path(get_relative_path(dirpath));
if (!quotedpath) {
  return PARSE_ERROR5;
}

mozilla::UniquePtr<Action> action(new RemoveDir());
rv = action->Parse(quotedpath);
if (rv) {
  LOG(("add_dir_entries Parse error on close: " LOG_S ", err: %d", quotedpath,UpdateLog::GetPrimaryLog().Printf ("add_dir_entries Parse error on close: "
 "%s" ", err: %d", quotedpath, rv)
       rv))UpdateLog::GetPrimaryLog().Printf ("add_dir_entries Parse error on close: "
 "%s" ", err: %d", quotedpath, rv);
} else {
  list->Append(action.release());
}
free(quotedpath);

return rv;
4482}

4484#endif

4486/*
* Gets the contents of an update manifest file. The return value is malloc'd
* and it is the responsibility of the caller to free it.
*
* @param  manifest
*         The full path to the manifest file.
* @return On success the contents of the manifest and nullptr otherwise.
*/
4494static NS_tchar* GetManifestContents(const NS_tchar* manifest) {
AutoFile mfile(NS_tfopenfopen(manifest, NS_T("rb")"rb"));
if (mfile == nullptr) {
  LOG(("GetManifestContents: error opening manifest file: " LOG_S, manifest))UpdateLog::GetPrimaryLog().Printf ("GetManifestContents: error opening manifest file: "
 "%s", manifest);
  return nullptr;
}

struct stat ms;
int rv = fstat(fileno((FILE*)mfile), &ms);
if (rv) {
  LOG(("GetManifestContents: error stating manifest file: " LOG_S, manifest))UpdateLog::GetPrimaryLog().Printf ("GetManifestContents: error stating manifest file: "
 "%s", manifest);
  return nullptr;
}

char* mbuf = (char*)malloc(ms.st_size + 1);
if (!mbuf) {
  return nullptr;
}

size_t r = ms.st_size;
char* rb = mbuf;
while (r) {
  const size_t count = mmin(SSIZE_MAX9223372036854775807L, r);
  size_t c = fread(rb, 1, count, mfile);
  if (c != count) {
    LOG(("GetManifestContents: error reading manifest file: " LOG_S,UpdateLog::GetPrimaryLog().Printf ("GetManifestContents: error reading manifest file: "
 "%s", manifest)
         manifest))UpdateLog::GetPrimaryLog().Printf ("GetManifestContents: error reading manifest file: "
 "%s", manifest);
    free(mbuf);
    return nullptr;
  }

  r -= c;
  rb += c;
}
*rb = '\0';

4530#ifndef XP_WIN
return mbuf;
4532#else
  NS_tchar* wrb = (NS_tchar*)malloc((ms.st_size + 1) * sizeof(NS_tchar));
  if (!wrb) {
    free(mbuf);
    return nullptr;
  }

  if (!MultiByteToWideChar(CP_UTF8, MB_ERR_INVALID_CHARS, mbuf, -1, wrb,
                           ms.st_size + 1)) {
    LOG(("GetManifestContents: error converting utf8 to utf16le: %lu",UpdateLog::GetPrimaryLog().Printf ("GetManifestContents: error converting utf8 to utf16le: %lu"
, GetLastError())
         GetLastError()))UpdateLog::GetPrimaryLog().Printf ("GetManifestContents: error converting utf8 to utf16le: %lu"
, GetLastError());
    free(mbuf);
    free(wrb);
    return nullptr;
  }
  free(mbuf);

  return wrb;
4550#endif
4551}

4553int AddPreCompleteActions(ActionList* list) {
4554#ifdef XP_MACOSX
mozilla::UniquePtr<NS_tchar[]> manifestPath(
    get_full_path(NS_T("Contents/Resources/precomplete")"Contents/Resources/precomplete"));
4557#else
  mozilla::UniquePtr<NS_tchar[]> manifestPath(
      get_full_path(NS_T("precomplete")"precomplete"));
4560#endif

NS_tchar* buf = GetManifestContents(manifestPath.get());
if (!buf) {
  LOG(UpdateLog::GetPrimaryLog().Printf ("AddPreCompleteActions: error getting contents of precomplete "
 "manifest")
      ("AddPreCompleteActions: error getting contents of precomplete "UpdateLog::GetPrimaryLog().Printf ("AddPreCompleteActions: error getting contents of precomplete "
 "manifest")
       "manifest"))UpdateLog::GetPrimaryLog().Printf ("AddPreCompleteActions: error getting contents of precomplete "
 "manifest");
  // Applications aren't required to have a precomplete manifest. The mar
  // generation scripts enforce the presence of a precomplete manifest.
  return OK0;
}
NS_tchar* rb = buf;

int rv;
NS_tchar* line;
while ((line = mstrtok(kNL, &rb)) != 0) {
  // skip comments
  if (*line == NS_T('#')'#') {
    continue;
  }

  NS_tchar* token = mstrtok(kWhitespace, &line);
  if (!token) {
    LOG(("AddPreCompleteActions: token not found in manifest"))UpdateLog::GetPrimaryLog().Printf ("AddPreCompleteActions: token not found in manifest"
);
    free(buf);
    return PARSE_ERROR5;
  }

  Action* action = nullptr;
  if (NS_tstrcmpstrcmp(token, NS_T("remove")"remove") == 0) {  // rm file
    action = new RemoveFile();
  } else if (NS_tstrcmpstrcmp(token, NS_T("remove-cc")"remove-cc") ==
             0) {  // no longer supported
    continue;
  } else if (NS_tstrcmpstrcmp(token, NS_T("rmdir")"rmdir") == 0) {  // rmdir if  empty
    action = new RemoveDir();
  } else {
    LOG(("AddPreCompleteActions: unknown token: " LOG_S, token))UpdateLog::GetPrimaryLog().Printf ("AddPreCompleteActions: unknown token: "
 "%s", token);
    free(buf);
    return PARSE_ERROR5;
  }

  if (!action) {
    free(buf);
    return BAD_ACTION_ERROR15;
  }

  rv = action->Parse(line);
  if (rv) {
    delete action;
    free(buf);
    return rv;
  }

  list->Append(action);
}

free(buf);
return OK0;
4619}

4621int DoUpdate() {
NS_tchar manifest[MAXPATHLEN4096];
NS_tsnprintfsnprintf(manifest, sizeof(manifest) / sizeof(manifest[0]),
             NS_T("%s/updating/update.manifest")"%s/updating/update.manifest", gWorkingDirPath);
ensure_parent_dir(manifest);

// extract the manifest
int rv = gArchiveReader.ExtractFile("updatev3.manifest", manifest);
if (rv) {
15
←
Assuming 'rv' is 0→
16
←
Taking false branch→
  LOG(("DoUpdate: error extracting manifest file"))UpdateLog::GetPrimaryLog().Printf ("DoUpdate: error extracting manifest file"
);
  return rv;
}

NS_tchar* buf = GetManifestContents(manifest);
// The manifest is located in the <working_dir>/updating directory which is
// removed after the update has finished so don't delete it here.
if (!buf16.1
'buf' is non-null
) {
17
←
Taking false branch→
  LOG(("DoUpdate: error opening manifest file: " LOG_S, manifest))UpdateLog::GetPrimaryLog().Printf ("DoUpdate: error opening manifest file: "
 "%s", manifest);
  return READ_ERROR6;
}
NS_tchar* rb = buf;

ActionList list;
NS_tchar* line;
bool isFirstAction = true;
while ((line = mstrtok(kNL, &rb)) != 0) {
18
←
Assuming the condition is true→
19
←
Loop condition is true.  Entering loop body→
  // skip comments
  if (*line == NS_T('#')'#') {
20
←
Assuming the condition is false→
21
←
Taking false branch→
    continue;
  }

  NS_tchar* token = mstrtok(kWhitespace, &line);
  if (!token) {
22
←
Assuming 'token' is non-null→
23
←
Taking false branch→
    LOG(("DoUpdate: token not found in manifest"))UpdateLog::GetPrimaryLog().Printf ("DoUpdate: token not found in manifest"
);
    free(buf);
    return PARSE_ERROR5;
  }

  if (isFirstAction23.1
'isFirstAction' is true
) {
24
←
Taking true branch→
    isFirstAction = false;
    // The update manifest isn't required to have a type declaration. The mar
    // generation scripts enforce the presence of the type declaration.
    if (NS_tstrcmpstrcmp(token, NS_T("type")"type") == 0) {
25
←
Assuming the condition is false→
26
←
Taking false branch→
      const NS_tchar* type = mstrtok(kQuote, &line);
      LOG(("UPDATE TYPE " LOG_S, type))UpdateLog::GetPrimaryLog().Printf ("UPDATE TYPE " "%s", type);
      if (NS_tstrcmpstrcmp(type, NS_T("complete")"complete") == 0) {
        rv = AddPreCompleteActions(&list);
        if (rv) {
          free(buf);
          return rv;
        }
      }
      continue;
    }
  }

  Action* action = nullptr;
  if (NS_tstrcmpstrcmp(token, NS_T("remove")"remove") == 0) {  // rm file
27
←
Assuming the condition is false→
28
←
Taking false branch→
    action = new RemoveFile();
  } else if (NS_tstrcmpstrcmp(token, NS_T("rmdir")"rmdir") == 0) {  // rmdir if empty
29
←
Taking true branch→
    action = new RemoveDir();
30
←
Memory is allocated→
  } else if (NS_tstrcmpstrcmp(token, NS_T("rmrfdir")"rmrfdir") == 0) {  // rmdir recursive
    const NS_tchar* reldirpath = mstrtok(kQuote, &line);
    if (!reldirpath) {
      free(buf);
      return PARSE_ERROR5;
    }

    if (reldirpath[NS_tstrlenstrlen(reldirpath) - 1] != NS_T('/')'/') {
      free(buf);
      return PARSE_ERROR5;
    }

    rv = add_dir_entries(reldirpath, &list);
    if (rv) {
      free(buf);
      return rv;
    }

    continue;
  } else if (NS_tstrcmpstrcmp(token, NS_T("add")"add") == 0) {
    action = new AddFile();
  } else if (NS_tstrcmpstrcmp(token, NS_T("patch")"patch") == 0) {
    action = new PatchFile();
  } else if (NS_tstrcmpstrcmp(token, NS_T("add-if")"add-if") == 0) {  // Add if exists
    action = new AddIfFile();
  } else if (NS_tstrcmpstrcmp(token, NS_T("add-if-not")"add-if-not") ==
             0) {  // Add if not exists
    action = new AddIfNotFile();
  } else if (NS_tstrcmpstrcmp(token, NS_T("patch-if")"patch-if") == 0) {  // Patch if exists
    action = new PatchIfFile();
  } else {
    LOG(("DoUpdate: unknown token: " LOG_S, token))UpdateLog::GetPrimaryLog().Printf ("DoUpdate: unknown token: "
 "%s", token);
    free(buf);
    return PARSE_ERROR5;
  }

  if (!action30.1
'action' is non-null
) {
31
←
Taking false branch→
    free(buf);
    return BAD_ACTION_ERROR15;
  }

  rv = action->Parse(line);
  if (rv31.1
'rv' is 5
) {
32
←
Taking true branch→
    free(buf);
33
←
Potential leak of memory pointed to by 'action'
    return rv;
  }

  list.Append(action);
}

rv = list.Prepare();
if (rv) {
  free(buf);
  return rv;
}

rv = list.Execute();

list.Finish(rv);
free(buf);
return rv;
4743}