Issue %3005 - Move toolkit/components to components/

1 files changed, 728 insertions, 0 deletions

diff --git a/components/downloads/src/nsDownloadScanner.cpp b/components/downloads/src/nsDownloadScanner.cpp
new file mode 100644
index 000000000..1ef5b3660
--- /dev/null
+++ b/components/downloads/src/nsDownloadScanner.cpp
@@ -0,0 +1,728 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: se cin sw=2 ts=2 et : */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsDownloadScanner.h"
+#include <comcat.h>
+#include <process.h>
+#include "nsDownloadManager.h"
+#include "nsIXULAppInfo.h"
+#include "nsXULAppAPI.h"
+#include "nsIPrefService.h"
+#include "nsNetUtil.h"
+#include "prtime.h"
+#include "nsDeque.h"
+#include "nsIFileURL.h"
+#include "nsIPrefBranch.h"
+#include "nsXPCOMCIDInternal.h"
+
+/**
+ * Code overview
+ *
+ * Download scanner attempts to make use of one of two different virus
+ * scanning interfaces available on Windows - IOfficeAntiVirus (Windows
+ * 95/NT 4 and IE 5) and IAttachmentExecute (XPSP2 and up).  The latter
+ * interface supports calling IOfficeAntiVirus internally, while also
+ * adding support for XPSP2+ ADS forks which define security related
+ * prompting on downloaded content.  
+ *
+ * Both interfaces are synchronous and can take a while, so it is not a
+ * good idea to call either from the main thread. Some antivirus scanners can
+ * take a long time to scan or the call might block while the scanner shows
+ * its UI so if the user were to download many files that finished around the
+ * same time, they would have to wait a while if the scanning were done on
+ * exactly one other thread. Since the overhead of creating a thread is
+ * relatively small compared to the time it takes to download a file and scan
+ * it, a new thread is spawned for each download that is to be scanned. Since
+ * most of the mozilla codebase is not threadsafe, all the information needed
+ * for the scanner is gathered in the main thread in nsDownloadScanner::Scan::Start.
+ * The only function of nsDownloadScanner::Scan which is invoked on another
+ * thread is DoScan.
+ *
+ * Watchdog overview
+ *
+ * The watchdog is used internally by the scanner. It maintains a queue of
+ * current download scans. In a separate thread, it dequeues the oldest scan
+ * and waits on that scan's thread with a timeout given by WATCHDOG_TIMEOUT
+ * (default is 30 seconds). If the wait times out, then the watchdog notifies
+ * the Scan that it has timed out. If the scan really has timed out, then the
+ * Scan object will dispatch its run method to the main thread; this will
+ * release the watchdog thread's addref on the Scan. If it has not timed out
+ * (i.e. the Scan just finished in time), then the watchdog dispatches a 
+ * ReleaseDispatcher to release its ref of the Scan on the main thread.
+ *
+ * In order to minimize execution time, there are two events used to notify the
+ * watchdog thread of a non-empty queue and a quit event. Every blocking wait 
+ * that the watchdog thread does waits on the quit event; this lets the thread
+ * quickly exit when shutting down. Also, the download scan queue will be empty
+ * most of the time; rather than use a spin loop, a simple event is triggered
+ * by the main thread when a new scan is added to an empty queue. When the
+ * watchdog thread knows that it has run out of elements in the queue, it will
+ * wait on the new item event.
+ *
+ * Memory/resource leaks due to timeout:
+ * In the event of a timeout, the thread must remain alive; terminating it may
+ * very well cause the antivirus scanner to crash or be put into an
+ * inconsistent state; COM resources may also not be cleaned up. The downside
+ * is that we need to leave the thread running; suspending it may lead to a
+ * deadlock. Because the scan call may be ongoing, it may be dependent on the
+ * memory referenced by the MSOAVINFO structure, so we cannot free mName, mPath
+ * or mOrigin; this means that we cannot free the Scan object since doing so
+ * will deallocate that memory. Note that mDownload is set to null upon timeout
+ * or completion, so the download itself is never leaked. If the scan does
+ * eventually complete, then the all the memory and resources will be freed.
+ * It is possible, however extremely rare, that in the event of a timeout, the
+ * mStateSync critical section will leak its event; this will happen only if
+ * the scanning thread, watchdog thread or main thread try to enter the
+ * critical section when one of the others is already in it.
+ *
+ * Reasoning for CheckAndSetState - there exists a race condition between the time when
+ * either the timeout or normal scan sets the state and when Scan::Run is
+ * executed on the main thread. Ex: mStatus could be set by Scan::DoScan* which
+ * then queues a dispatch on the main thread. Before that dispatch is executed,
+ * the timeout code fires and sets mStatus to AVSCAN_TIMEDOUT which then queues
+ * its dispatch to the main thread (the same function as DoScan*). Both
+ * dispatches run and both try to set the download state to AVSCAN_TIMEDOUT
+ * which is incorrect.
+ *
+ * There are 5 possible outcomes of the virus scan:
+ *    AVSCAN_GOOD     => the file is clean
+ *    AVSCAN_BAD      => the file has a virus
+ *    AVSCAN_UGLY     => the file had a virus, but it was cleaned
+ *    AVSCAN_FAILED   => something else went wrong with the virus scanner.
+ *    AVSCAN_TIMEDOUT => the scan (thread setup + execution) took too long
+ *
+ * Both the good and ugly states leave the user with a benign file, so they
+ * transition to the finished state. Bad files are sent to the blocked state.
+ * The failed and timedout states transition to finished downloads.
+ *
+ * Possible Future enhancements:
+ *  * Create an interface for scanning files in general
+ *  * Make this a service
+ *  * Get antivirus scanner status via WMI/registry
+ */
+
+// IAttachementExecute supports user definable settings for certain
+// security related prompts. This defines a general GUID for use in
+// all projects. Individual projects can define an individual guid
+// if they want to.
+#ifndef MOZ_VIRUS_SCANNER_PROMPT_GUID
+#define MOZ_VIRUS_SCANNER_PROMPT_GUID \
+  { 0xb50563d1, 0x16b6, 0x43c2, { 0xa6, 0x6a, 0xfa, 0xe6, 0xd2, 0x11, 0xf2, \
+  0xea } }
+#endif
+static const GUID GUID_MozillaVirusScannerPromptGeneric =
+  MOZ_VIRUS_SCANNER_PROMPT_GUID;
+
+// Initial timeout is 30 seconds
+#define WATCHDOG_TIMEOUT (30*PR_USEC_PER_SEC)
+
+// Maximum length for URI's passed into IAE
+#define MAX_IAEURILENGTH 1683
+
+class nsDownloadScannerWatchdog 
+{
+  typedef nsDownloadScanner::Scan Scan;
+public:
+  nsDownloadScannerWatchdog();
+  ~nsDownloadScannerWatchdog();
+
+  nsresult Init();
+  nsresult Shutdown();
+
+  void Watch(Scan *scan);
+private:
+  static unsigned int __stdcall WatchdogThread(void *p);
+  CRITICAL_SECTION mQueueSync;
+  nsDeque mScanQueue;
+  HANDLE mThread;
+  HANDLE mNewItemEvent;
+  HANDLE mQuitEvent;
+};
+
+nsDownloadScanner::nsDownloadScanner() :
+  mAESExists(false)
+{
+}
+ 
+// This destructor appeases the compiler; it would otherwise complain about an
+// incomplete type for nsDownloadWatchdog in the instantiation of
+// nsAutoPtr::~nsAutoPtr
+// Plus, it's a handy location to call nsDownloadScannerWatchdog::Shutdown from
+nsDownloadScanner::~nsDownloadScanner() {
+  if (mWatchdog)
+    (void)mWatchdog->Shutdown();
+}
+
+nsresult
+nsDownloadScanner::Init()
+{
+  // This CoInitialize/CoUninitialize pattern seems to be common in the Mozilla
+  // codebase. All other COM calls/objects are made on different threads.
+  nsresult rv = NS_OK;
+  CoInitialize(nullptr);
+
+  if (!IsAESAvailable()) {
+    CoUninitialize();
+    return NS_ERROR_NOT_AVAILABLE;
+  }
+
+  mAESExists = true;
+
+  // Initialize scanning
+  mWatchdog = new nsDownloadScannerWatchdog();
+  if (mWatchdog) {
+    rv = mWatchdog->Init();
+    if (FAILED(rv))
+      mWatchdog = nullptr;
+  } else {
+    rv = NS_ERROR_OUT_OF_MEMORY;
+  }
+  
+  if (NS_FAILED(rv))
+    return rv;
+
+  return rv;
+}
+
+bool
+nsDownloadScanner::IsAESAvailable()
+{
+  // Try to instantiate IAE to see if it's available.    
+  RefPtr<IAttachmentExecute> ae;
+  HRESULT hr;
+  hr = CoCreateInstance(CLSID_AttachmentServices, nullptr, CLSCTX_INPROC,
+                        IID_IAttachmentExecute, getter_AddRefs(ae));
+  if (FAILED(hr)) {
+    NS_WARNING("Could not instantiate attachment execution service\n");
+    return false;
+  }
+  return true;
+}
+
+// If IAttachementExecute is available, use the CheckPolicy call to find out
+// if this download should be prevented due to Security Zone Policy settings.
+AVCheckPolicyState
+nsDownloadScanner::CheckPolicy(nsIURI *aSource, nsIURI *aTarget)
+{
+  nsresult rv;
+
+  if (!mAESExists || !aSource || !aTarget)
+    return AVPOLICY_DOWNLOAD;
+
+  nsAutoCString source;
+  rv = aSource->GetSpec(source);
+  if (NS_FAILED(rv))
+    return AVPOLICY_DOWNLOAD;
+
+  nsCOMPtr<nsIFileURL> fileUrl(do_QueryInterface(aTarget));
+  if (!fileUrl)
+    return AVPOLICY_DOWNLOAD;
+
+  nsCOMPtr<nsIFile> theFile;
+  nsAutoString aFileName;
+  if (NS_FAILED(fileUrl->GetFile(getter_AddRefs(theFile))) ||
+      NS_FAILED(theFile->GetLeafName(aFileName)))
+    return AVPOLICY_DOWNLOAD;
+
+  // IAttachementExecute prohibits src data: schemes by default but we
+  // support them. If this is a data src, skip off doing a policy check.
+  // (The file will still be scanned once it lands on the local system.)
+  bool isDataScheme(false);
+  nsCOMPtr<nsIURI> innerURI = NS_GetInnermostURI(aSource);
+  if (innerURI)
+    (void)innerURI->SchemeIs("data", &isDataScheme);
+  if (isDataScheme)
+    return AVPOLICY_DOWNLOAD;
+
+  RefPtr<IAttachmentExecute> ae;
+  HRESULT hr;
+  hr = CoCreateInstance(CLSID_AttachmentServices, nullptr, CLSCTX_INPROC,
+                        IID_IAttachmentExecute, getter_AddRefs(ae));
+  if (FAILED(hr))
+    return AVPOLICY_DOWNLOAD;
+
+  (void)ae->SetClientGuid(GUID_MozillaVirusScannerPromptGeneric);
+  (void)ae->SetSource(NS_ConvertUTF8toUTF16(source).get());
+  (void)ae->SetFileName(aFileName.get());
+
+  // Any failure means the file download/exec will be blocked by the system.
+  // S_OK or S_FALSE imply it's ok.
+  hr = ae->CheckPolicy();
+
+  if (hr == S_OK)
+    return AVPOLICY_DOWNLOAD;
+
+  if (hr == S_FALSE)
+    return AVPOLICY_PROMPT;
+
+  if (hr == E_INVALIDARG)
+    return AVPOLICY_PROMPT;
+
+  return AVPOLICY_BLOCKED;
+}
+
+#ifndef THREAD_MODE_BACKGROUND_BEGIN
+#define THREAD_MODE_BACKGROUND_BEGIN 0x00010000
+#endif
+
+#ifndef THREAD_MODE_BACKGROUND_END
+#define THREAD_MODE_BACKGROUND_END 0x00020000
+#endif
+
+unsigned int __stdcall
+nsDownloadScanner::ScannerThreadFunction(void *p)
+{
+  HANDLE currentThread = GetCurrentThread();
+  NS_ASSERTION(!NS_IsMainThread(), "Antivirus scan should not be run on the main thread");
+  nsDownloadScanner::Scan *scan = static_cast<nsDownloadScanner::Scan*>(p);
+  if (!SetThreadPriority(currentThread, THREAD_MODE_BACKGROUND_BEGIN))
+    (void)SetThreadPriority(currentThread, THREAD_PRIORITY_IDLE);
+  scan->DoScan();
+  (void)SetThreadPriority(currentThread, THREAD_MODE_BACKGROUND_END);
+  _endthreadex(0);
+  return 0;
+}
+
+// The sole purpose of this class is to release an object on the main thread
+// It assumes that its creator will addref it and it will release itself on
+// the main thread too
+class ReleaseDispatcher : public mozilla::Runnable {
+public:
+  ReleaseDispatcher(nsISupports *ptr)
+    : mPtr(ptr) {}
+  NS_IMETHOD Run();
+private:
+  nsISupports *mPtr;
+};
+
+nsresult ReleaseDispatcher::Run() {
+  NS_ASSERTION(NS_IsMainThread(), "Antivirus scan release dispatch should be run on the main thread");
+  NS_RELEASE(mPtr);
+  NS_RELEASE_THIS();
+  return NS_OK;
+}
+
+nsDownloadScanner::Scan::Scan(nsDownloadScanner *scanner, nsDownload *download)
+  : mDLScanner(scanner), mThread(nullptr), 
+    mDownload(download), mStatus(AVSCAN_NOTSTARTED),
+    mSkipSource(false)
+{
+  InitializeCriticalSection(&mStateSync);
+}
+
+nsDownloadScanner::Scan::~Scan() {
+  DeleteCriticalSection(&mStateSync);
+}
+
+nsresult
+nsDownloadScanner::Scan::Start()
+{
+  mStartTime = PR_Now();
+
+  mThread = (HANDLE)_beginthreadex(nullptr, 0, ScannerThreadFunction,
+      this, CREATE_SUSPENDED, nullptr);
+  if (!mThread)
+    return NS_ERROR_OUT_OF_MEMORY;
+
+  nsresult rv = NS_OK;
+
+  // Get the path to the file on disk
+  nsCOMPtr<nsIFile> file;
+  rv = mDownload->GetTargetFile(getter_AddRefs(file));
+  NS_ENSURE_SUCCESS(rv, rv);
+  rv = file->GetPath(mPath);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  // Grab the app name
+  nsCOMPtr<nsIXULAppInfo> appinfo =
+    do_GetService(XULAPPINFO_SERVICE_CONTRACTID, &rv);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  nsAutoCString name;
+  rv = appinfo->GetName(name);
+  NS_ENSURE_SUCCESS(rv, rv);
+  CopyUTF8toUTF16(name, mName);
+
+  // Get the origin
+  nsCOMPtr<nsIURI> uri;
+  rv = mDownload->GetSource(getter_AddRefs(uri));
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  nsAutoCString origin;
+  rv = uri->GetSpec(origin);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  // Certain virus interfaces do not like extremely long uris.
+  // Chop off the path and cgi data and just pass the base domain. 
+  if (origin.Length() > MAX_IAEURILENGTH) {
+    rv = uri->GetPrePath(origin);
+    NS_ENSURE_SUCCESS(rv, rv);
+  }
+
+  CopyUTF8toUTF16(origin, mOrigin);
+
+  // We count https/ftp/http as an http download
+  bool isHttp(false), isFtp(false), isHttps(false);
+  nsCOMPtr<nsIURI> innerURI = NS_GetInnermostURI(uri);
+  if (!innerURI) innerURI = uri;
+  (void)innerURI->SchemeIs("http", &isHttp);
+  (void)innerURI->SchemeIs("ftp", &isFtp);
+  (void)innerURI->SchemeIs("https", &isHttps);
+  mIsHttpDownload = isHttp || isFtp || isHttps;
+
+  // IAttachementExecute prohibits src data: schemes by default but we
+  // support them. Mark the download if it's a data scheme, so we
+  // can skip off supplying the src to IAttachementExecute when we scan
+  // the resulting file.
+  (void)innerURI->SchemeIs("data", &mSkipSource);
+
+  // ResumeThread returns the previous suspend count
+  if (1 != ::ResumeThread(mThread)) {
+    CloseHandle(mThread);
+    return NS_ERROR_UNEXPECTED;
+  }
+  return NS_OK;
+}
+
+nsresult
+nsDownloadScanner::Scan::Run()
+{
+  NS_ASSERTION(NS_IsMainThread(), "Antivirus scan dispatch should be run on the main thread");
+
+  // Cleanup our thread
+  if (mStatus != AVSCAN_TIMEDOUT)
+    WaitForSingleObject(mThread, INFINITE);
+  CloseHandle(mThread);
+
+  DownloadState downloadState = 0;
+  EnterCriticalSection(&mStateSync);
+  switch (mStatus) {
+    case AVSCAN_BAD:
+      downloadState = nsIDownloadManager::DOWNLOAD_DIRTY;
+      break;
+    default:
+    case AVSCAN_FAILED:
+    case AVSCAN_GOOD:
+    case AVSCAN_UGLY:
+    case AVSCAN_TIMEDOUT:
+      downloadState = nsIDownloadManager::DOWNLOAD_FINISHED;
+      break;
+  }
+  LeaveCriticalSection(&mStateSync);
+  // Download will be null if we already timed out
+  if (mDownload)
+    (void)mDownload->SetState(downloadState);
+
+  // Clean up some other variables
+  // In the event of a timeout, our destructor won't be called
+  mDownload = nullptr;
+
+  NS_RELEASE_THIS();
+  return NS_OK;
+}
+
+static DWORD
+ExceptionFilterFunction(DWORD exceptionCode) {
+  switch(exceptionCode) {
+    case EXCEPTION_ACCESS_VIOLATION:
+    case EXCEPTION_ILLEGAL_INSTRUCTION:
+    case EXCEPTION_IN_PAGE_ERROR:
+    case EXCEPTION_PRIV_INSTRUCTION:
+    case EXCEPTION_STACK_OVERFLOW:
+      return EXCEPTION_EXECUTE_HANDLER;
+    default:
+      return EXCEPTION_CONTINUE_SEARCH;
+  }
+}
+
+bool
+nsDownloadScanner::Scan::DoScanAES()
+{
+  // This warning is for the destructor of ae which will not be invoked in the
+  // event of a win32 exception
+#pragma warning(disable: 4509)
+  HRESULT hr;
+  RefPtr<IAttachmentExecute> ae;
+  MOZ_SEH_TRY {
+    hr = CoCreateInstance(CLSID_AttachmentServices, nullptr, CLSCTX_ALL,
+                          IID_IAttachmentExecute, getter_AddRefs(ae));
+  } MOZ_SEH_EXCEPT(ExceptionFilterFunction(GetExceptionCode())) {
+    return CheckAndSetState(AVSCAN_NOTSTARTED,AVSCAN_FAILED);
+  }
+
+  // If we (somehow) already timed out, then don't bother scanning
+  if (CheckAndSetState(AVSCAN_SCANNING, AVSCAN_NOTSTARTED)) {
+    AVScanState newState;
+    if (SUCCEEDED(hr)) {
+      bool gotException = false;
+      MOZ_SEH_TRY {
+        (void)ae->SetClientGuid(GUID_MozillaVirusScannerPromptGeneric);
+        (void)ae->SetLocalPath(mPath.get());
+        // Provide the src for everything but data: schemes.
+        if (!mSkipSource)
+          (void)ae->SetSource(mOrigin.get());
+
+        // Save() will invoke the scanner
+        hr = ae->Save();
+      } MOZ_SEH_EXCEPT(ExceptionFilterFunction(GetExceptionCode())) {
+        gotException = true;
+      }
+
+      MOZ_SEH_TRY {
+        ae = nullptr;
+      } MOZ_SEH_EXCEPT(ExceptionFilterFunction(GetExceptionCode())) {
+        gotException = true;
+      }
+
+      if(gotException) {
+        newState = AVSCAN_FAILED;
+      }
+      else if (SUCCEEDED(hr)) { // Passed the scan
+        newState = AVSCAN_GOOD;
+      }
+      else if (HRESULT_CODE(hr) == ERROR_FILE_NOT_FOUND) {
+        NS_WARNING("Downloaded file disappeared before it could be scanned");
+        newState = AVSCAN_FAILED;
+      }
+      else if (hr == E_INVALIDARG) {
+        NS_WARNING("IAttachementExecute returned invalid argument error");
+        newState = AVSCAN_FAILED;
+      }
+      else { 
+        newState = AVSCAN_UGLY;
+      }
+    }
+    else {
+      newState = AVSCAN_FAILED;
+    }
+    return CheckAndSetState(newState, AVSCAN_SCANNING);
+  }
+  return false;
+}
+#pragma warning(default: 4509)
+
+void
+nsDownloadScanner::Scan::DoScan()
+{
+  CoInitialize(nullptr);
+
+  if (DoScanAES()) {
+    // We need to do a few more things on the main thread
+    NS_DispatchToMainThread(this);
+  } else {
+    // We timed out, so just release
+    ReleaseDispatcher* releaser = new ReleaseDispatcher(this);
+    if(releaser) {
+      NS_ADDREF(releaser);
+      NS_DispatchToMainThread(releaser);
+    }
+  }
+
+  MOZ_SEH_TRY {
+    CoUninitialize();
+  } MOZ_SEH_EXCEPT(ExceptionFilterFunction(GetExceptionCode())) {
+    // Not much we can do at this point...
+  }
+}
+
+HANDLE
+nsDownloadScanner::Scan::GetWaitableThreadHandle() const
+{
+  HANDLE targetHandle = INVALID_HANDLE_VALUE;
+  (void)DuplicateHandle(GetCurrentProcess(), mThread,
+                        GetCurrentProcess(), &targetHandle,
+                        SYNCHRONIZE, // Only allow clients to wait on this handle
+                        FALSE, // cannot be inherited by child processes
+                        0);
+  return targetHandle;
+}
+
+bool
+nsDownloadScanner::Scan::NotifyTimeout()
+{
+  bool didTimeout = CheckAndSetState(AVSCAN_TIMEDOUT, AVSCAN_SCANNING) ||
+                      CheckAndSetState(AVSCAN_TIMEDOUT, AVSCAN_NOTSTARTED);
+  if (didTimeout) {
+    // We need to do a few more things on the main thread
+    NS_DispatchToMainThread(this);
+  }
+  return didTimeout;
+}
+
+bool
+nsDownloadScanner::Scan::CheckAndSetState(AVScanState newState, AVScanState expectedState) {
+  bool gotExpectedState = false;
+  EnterCriticalSection(&mStateSync);
+  if((gotExpectedState = (mStatus == expectedState)))
+    mStatus = newState;
+  LeaveCriticalSection(&mStateSync);
+  return gotExpectedState;
+}
+
+nsresult
+nsDownloadScanner::ScanDownload(nsDownload *download)
+{
+  if (!mAESExists)
+    return NS_ERROR_NOT_AVAILABLE;
+
+  // No ref ptr, see comment below
+  Scan *scan = new Scan(this, download);
+  if (!scan)
+    return NS_ERROR_OUT_OF_MEMORY;
+
+  NS_ADDREF(scan);
+
+  nsresult rv = scan->Start();
+
+  // Note that we only release upon error. On success, the scan is passed off
+  // to a new thread. It is eventually released in Scan::Run on the main thread.
+  if (NS_FAILED(rv))
+    NS_RELEASE(scan);
+  else
+    // Notify the watchdog
+    mWatchdog->Watch(scan);
+
+  return rv;
+}
+
+nsDownloadScannerWatchdog::nsDownloadScannerWatchdog() 
+  : mNewItemEvent(nullptr), mQuitEvent(nullptr) {
+  InitializeCriticalSection(&mQueueSync);
+}
+nsDownloadScannerWatchdog::~nsDownloadScannerWatchdog() {
+  DeleteCriticalSection(&mQueueSync);
+}
+
+nsresult
+nsDownloadScannerWatchdog::Init() {
+  // Both events are auto-reset
+  mNewItemEvent = CreateEvent(nullptr, FALSE, FALSE, nullptr);
+  if (INVALID_HANDLE_VALUE == mNewItemEvent)
+    return NS_ERROR_OUT_OF_MEMORY;
+  mQuitEvent = CreateEvent(nullptr, FALSE, FALSE, nullptr);
+  if (INVALID_HANDLE_VALUE == mQuitEvent) {
+    (void)CloseHandle(mNewItemEvent);
+    return NS_ERROR_OUT_OF_MEMORY;
+  }
+
+  // This thread is always running, however it will be asleep
+  // for most of the dlmgr's lifetime
+  mThread = (HANDLE)_beginthreadex(nullptr, 0, WatchdogThread,
+                                   this, 0, nullptr);
+  if (!mThread) {
+    (void)CloseHandle(mNewItemEvent);
+    (void)CloseHandle(mQuitEvent);
+    return NS_ERROR_OUT_OF_MEMORY;
+  }
+
+  return NS_OK;
+}
+
+nsresult
+nsDownloadScannerWatchdog::Shutdown() {
+  // Tell the watchdog thread to quite
+  (void)SetEvent(mQuitEvent);
+  (void)WaitForSingleObject(mThread, INFINITE);
+  (void)CloseHandle(mThread);
+  // Manually clear and release the queued scans
+  while (mScanQueue.GetSize() != 0) {
+    Scan *scan = reinterpret_cast<Scan*>(mScanQueue.Pop());
+    NS_RELEASE(scan);
+  }
+  (void)CloseHandle(mNewItemEvent);
+  (void)CloseHandle(mQuitEvent);
+  return NS_OK;
+}
+
+void
+nsDownloadScannerWatchdog::Watch(Scan *scan) {
+  bool wasEmpty;
+  // Note that there is no release in this method
+  // The scan will be released by the watchdog ALWAYS on the main thread
+  // when either the watchdog thread processes the scan or the watchdog
+  // is shut down
+  NS_ADDREF(scan);
+  EnterCriticalSection(&mQueueSync);
+  wasEmpty = mScanQueue.GetSize()==0;
+  mScanQueue.Push(scan);
+  LeaveCriticalSection(&mQueueSync);
+  // If the queue was empty, then the watchdog thread is/will be asleep
+  if (wasEmpty)
+    (void)SetEvent(mNewItemEvent);
+}
+
+unsigned int
+__stdcall
+nsDownloadScannerWatchdog::WatchdogThread(void *p) {
+  NS_ASSERTION(!NS_IsMainThread(), "Antivirus scan watchdog should not be run on the main thread");
+  nsDownloadScannerWatchdog *watchdog = (nsDownloadScannerWatchdog*)p;
+  HANDLE waitHandles[3] = {watchdog->mNewItemEvent, watchdog->mQuitEvent, INVALID_HANDLE_VALUE};
+  DWORD waitStatus;
+  DWORD queueItemsLeft = 0;
+  // Loop until quit event or error
+  while (0 != queueItemsLeft ||
+         ((WAIT_OBJECT_0 + 1) !=
+           (waitStatus =
+              WaitForMultipleObjects(2, waitHandles, FALSE, INFINITE)) &&
+         waitStatus != WAIT_FAILED)) {
+    Scan *scan = nullptr;
+    PRTime startTime, expectedEndTime, now;
+    DWORD waitTime;
+
+    // Pop scan from queue
+    EnterCriticalSection(&watchdog->mQueueSync);
+    scan = reinterpret_cast<Scan*>(watchdog->mScanQueue.Pop());
+    queueItemsLeft = watchdog->mScanQueue.GetSize();
+    LeaveCriticalSection(&watchdog->mQueueSync);
+
+    // Calculate expected end time
+    startTime = scan->GetStartTime();
+    expectedEndTime = WATCHDOG_TIMEOUT + startTime;
+    now = PR_Now();
+    // PRTime is not guaranteed to be a signed integral type (afaik), but
+    // currently it is
+    if (now > expectedEndTime) {
+      waitTime = 0;
+    } else {
+      // This is a positive value, and we know that it will not overflow
+      // (bounded by WATCHDOG_TIMEOUT)
+      // waitTime is in milliseconds, nspr uses microseconds
+      waitTime = static_cast<DWORD>((expectedEndTime - now)/PR_USEC_PER_MSEC);
+    }
+    HANDLE hThread = waitHandles[2] = scan->GetWaitableThreadHandle();
+
+    // Wait for the thread (obj 1) or quit event (obj 0)
+    waitStatus = WaitForMultipleObjects(2, (waitHandles+1), FALSE, waitTime);
+    CloseHandle(hThread);
+
+    ReleaseDispatcher* releaser = new ReleaseDispatcher(scan);
+    if(!releaser)
+      continue;
+    NS_ADDREF(releaser);
+    // Got quit event or error
+    if (waitStatus == WAIT_FAILED || waitStatus == WAIT_OBJECT_0) {
+      NS_DispatchToMainThread(releaser);
+      break;
+    // Thread exited normally
+    } else if (waitStatus == (WAIT_OBJECT_0+1)) {
+      NS_DispatchToMainThread(releaser);
+      continue;
+    // Timeout case
+    } else { 
+      NS_ASSERTION(waitStatus == WAIT_TIMEOUT, "Unexpected wait status in dlmgr watchdog thread");
+      if (!scan->NotifyTimeout()) {
+        // If we didn't time out, then release the thread
+        NS_DispatchToMainThread(releaser);
+      } else {
+        // NotifyTimeout did a dispatch which will release the scan, so we
+        // don't need to release the scan
+        NS_RELEASE(releaser);
+      }
+    }
+  }
+  _endthreadex(0);
+  return 0;
+}