FoundationEssentials: try to make the file atomic behaviour more robust

We have observed `ERROR_ACCESS_DENIED` in CI on
`SetRenameInformationFile`. Try to make the path more robust by first
performing a kernel based rename with POSIX semantics. This requires
Windows 10 1809+. If that is unsuccessful, verify that attributes are
not to blame.

A failure may still occur if the file is on a different volume. In such
a case, fallback to the `MoveFileExW` operation to perform a copy +
delete operation.

Hopefully this should make the implementation more robust to failures.

Author: compnerd

Sources/FoundationEssentials/Data/Data+Writing.swift

@@ -19,6 +19,8 @@ internal import DarwinPrivate // for VREG
 
 internal import _FoundationCShims
 
+import WinSDK
+
 #if canImport(Darwin)
 import Darwin
 #elseif canImport(Android)
@@ -387,44 +389,119 @@ private func writeToFileAux(path inPath: PathOrURL, buffer: UnsafeRawBufferPoint
     // TODO: Somehow avoid copying back and forth to a String to hold the path
 
 #if os(Windows)
-    try inPath.path.withNTPathRepresentation { pwszPath in
-        var (fd, auxPath, temporaryDirectoryPath) = try createProtectedTemporaryFile(at: inPath.path, inPath: inPath, options: options, variant: "Folder")
+    var (fd, auxPath, temporaryDirectoryPath) = try createProtectedTemporaryFile(at: inPath.path, inPath: inPath, options: options, variant: "Folder")
 
-        // Cleanup temporary directory
-        defer { cleanupTemporaryDirectory(at: temporaryDirectoryPath) }
+    // Cleanup temporary directory
+    defer { cleanupTemporaryDirectory(at: temporaryDirectoryPath) }
 
-        guard fd >= 0 else {
-            throw CocoaError.errorWithFilePath(inPath, errno: errno, reading: false)
+    guard fd >= 0 else {
+        throw CocoaError.errorWithFilePath(inPath, errno: errno, reading: false)
+    }
+
+    defer { if fd >= 0 { _close(fd) } }
+
+    let callback = (reportProgress && Progress.current() != nil) ? Progress(totalUnitCount: Int64(buffer.count)) : nil
+
+    do {
+        try write(buffer: buffer, toFileDescriptor: fd, path: inPath, parentProgress: callback)
+    } catch {
+        try auxPath.withNTPathRepresentation { pwszAuxPath in
+            _ = DeleteFileW(pwszAuxPath)
         }
 
-        defer { if fd >= 0 { _close(fd) } }
+        if callback?.isCancelled ?? false {
+            throw CocoaError(.userCancelled)
+        } else {
+            throw CocoaError.errorWithFilePath(inPath, errno: errno, reading: false)
+        }
+    }
 
-        let callback = (reportProgress && Progress.current() != nil) ? Progress(totalUnitCount: Int64(buffer.count)) : nil
+    writeExtendedAttributes(fd: fd, attributes: attributes)
 
-        do {
-            try write(buffer: buffer, toFileDescriptor: fd, path: inPath, parentProgress: callback)
-        } catch {
-            try auxPath.withNTPathRepresentation { pwszAuxPath in
-                _ = DeleteFileW(pwszAuxPath)
-            }
+    _close(fd)
+    fd = -1
 
-            if callback?.isCancelled ?? false {
-                throw CocoaError(.userCancelled)
-            } else {
-                throw CocoaError.errorWithFilePath(inPath, errno: errno, reading: false)
+    try auxPath.withNTPathRepresentation { pwszAuxiliaryPath in
+        var hFile = CreateFileW(pwszAuxiliaryPath, DELETE,
+                                FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
+                                nil, OPEN_EXISTING,
+                                FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT,
+                                nil)
+        if hFile == INVALID_HANDLE_VALUE {
+            let dwError = GetLastError()
+            _ = DeleteFileW(pwszAuxiliaryPath)
+            throw CocoaError.errorWithFilePath(inPath, win32: dwError, reading: false)
+        }
+        defer {
+            switch hFile {
+            case INVALID_HANDLE_VALUE:
+                break
+            default:
+                _ = CloseHandle(hFile)
             }
         }
 
-        writeExtendedAttributes(fd: fd, attributes: attributes)
+        try inPath.path.withNTPathRepresentation { pwszPath in
+            let cbSize = wcslen(pwszPath) * MemoryLayout<WCHAR>.size
+            let dwSize = DWORD(MemoryLayout<FILE_RENAME_INFO>.size + cbSize)
+            try withUnsafeTemporaryAllocation(byteCount: Int(dwSize),
+                                              alignment: MemoryLayout<FILE_RENAME_INFO>.alignment) { pBuffer in
+                var pInfo = pBuffer.baseAddress?.bindMemory(to: FILE_RENAME_INFO.self, capacity: 1)
+                pInfo?.pointee.Flags = FILE_RENAME_FLAG_POSIX_SEMANTICS | FILE_RENAME_FLAG_REPLACE_IF_EXISTS
+                pInfo?.pointee.RootDirectory = nil
+                pInfo?.pointee.FileNameLength = DWORD(cbSize)
+                let count = wcslen(pwszPath)
+                pBuffer.baseAddress?.advanced(by: MemoryLayout<FILE_RENAME_INFO>.offset(of: \.FileName)!)
+                                    .withMemoryRebound(to: WCHAR.self, capacity: count + 1) {
+                    wcscpy_s($0, count + 1, pwszPath)
+                    $0[count] = 0
+                }
 
-        _close(fd)
-        fd = -1
+                if !SetFileInformationByHandle(hFile, FileRenameInfoEx, pInfo, dwSize) {
+                    let dwError = GetLastError()
+                    if dwError == ERROR_ACCESS_DENIED {
+                        let dwAttributes = GetFileAttributesW(pwszPath)
+                        if dwAttributes > 0,
+                                dwAttributes & (FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM) != 0 {
+                            // The target file is read-only, hidden or a system file. Remove those attributes and try again.
+                            if SetFileAttributesW(pwszPath, dwAttributes & ~(FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM)) {
+                                if SetFileInformationByHandle(hFile, FileRenameInfoEx, pInfo, dwSize) {
+                                    return
+                                }
+                                // Try to restore the attributes, but ignore any error
+                                _ = SetFileAttributesW(pwszPath, dwAttributes)
+                            }
+                        }
+                    }
+                    guard dwError == ERROR_NOT_SAME_DEVICE else {
+                        _ = DeleteFileW(pwszAuxiliaryPath)
+                        throw CocoaError.errorWithFilePath(inPath, win32: dwError, reading: false)
+                    }
 
-        try auxPath.withNTPathRepresentation { pwszAuxiliaryPath in
-            guard MoveFileExW(pwszAuxiliaryPath, pwszPath, MOVEFILE_COPY_ALLOWED | MOVEFILE_REPLACE_EXISTING | MOVEFILE_WRITE_THROUGH) else {
-                let dwError = GetLastError()
-                _ = DeleteFileW(pwszAuxiliaryPath)
-                throw CocoaError.errorWithFilePath(inPath, win32: dwError, reading: false)
+                    _ = CloseHandle(hFile)
+                    hFile = INVALID_HANDLE_VALUE
+
+                    // The move is across volumes.
+                    guard MoveFileExW(pwszAuxiliaryPath, pwszPath, MOVEFILE_COPY_ALLOWED | MOVEFILE_REPLACE_EXISTING) else {
+                        let dwError = GetLastError()
+                        if dwError == ERROR_ACCESS_DENIED {
+                            let dwAttributes = GetFileAttributesW(pwszPath)
+                            if dwAttributes > 0,
+                                    dwAttributes & (FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM) != 0 {
+                                // The target file is read-only, hidden or a system file. Remove those attributes and try again.
+                                if SetFileAttributesW(pwszPath, dwAttributes & ~(FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM)) {
+                                    if MoveFileExW(pwszAuxiliaryPath, pwszPath, MOVEFILE_COPY_ALLOWED | MOVEFILE_REPLACE_EXISTING) {
+                                        return
+                                    }
+                                    // Try to restore the attributes, but ignore any error
+                                    _ = SetFileAttributesW(pwszPath, dwAttributes)
+                                }
+                            }
+                        }
+                        _ = DeleteFileW(pwszAuxiliaryPath)
+                        throw CocoaError.errorWithFilePath(inPath, win32: dwError, reading: false)
+                    }
+                }
             }
         }
     }

Sources/FoundationEssentials/WinSDK+Extensions.swift

@@ -41,6 +41,10 @@ package var CREATE_NEW: DWORD {
     DWORD(WinSDK.CREATE_NEW)
 }
 
+package var DELETE: DWORD {
+    DWORD(WinSDK.DELETE)
+}
+
 package var ERROR_ACCESS_DENIED: DWORD {
     DWORD(WinSDK.ERROR_ACCESS_DENIED)
 }
@@ -133,10 +137,18 @@ package var FILE_ATTRIBUTE_READONLY: DWORD {
     DWORD(WinSDK.FILE_ATTRIBUTE_READONLY)
 }
 
+package var FILE_ATTRIBUTE_HIDDEN: DWORD {
+    DWORD(WinSDK.FILE_ATTRIBUTE_HIDDEN)
+}
+
 package var FILE_ATTRIBUTE_REPARSE_POINT: DWORD {
     DWORD(WinSDK.FILE_ATTRIBUTE_REPARSE_POINT)
 }
 
+package var FILE_ATTRIBUTE_SYSTEM: DWORD {
+    DWORD(WinSDK.FILE_ATTRIBUTE_SYSTEM)
+}
+
 package var FILE_FLAG_BACKUP_SEMANTICS: DWORD {
     DWORD(WinSDK.FILE_FLAG_BACKUP_SEMANTICS)
 }
@@ -153,6 +165,14 @@ package var FILE_NAME_NORMALIZED: DWORD {
     DWORD(WinSDK.FILE_NAME_NORMALIZED)
 }
 
+package var FILE_RENAME_FLAG_POSIX_SEMANTICS: DWORD {
+    DWORD(WinSDK.FILE_RENAME_FLAG_POSIX_SEMANTICS)
+}
+
+package var FILE_RENAME_FLAG_REPLACE_IF_EXISTS: DWORD {
+    DWORD(WinSDK.FILE_RENAME_FLAG_REPLACE_IF_EXISTS)
+}
+
 package var FILE_SHARE_DELETE: DWORD {
     DWORD(WinSDK.FILE_SHARE_DELETE)
 }