Changeset 84638 in webkit

Timestamp:

Apr 22, 2011 9:48:35 AM (13 years ago)

Author:

Adam Roben

Message:

Give windowless plugins' context menus an owner window in the same thread as the plugin

In some cases, plugins pass the WKView's HWND to the ::TrackPopupMenu API. ::TrackPopupMenu
fails in this case because the WKView's HWND is owned by another process/thread. We work
around this by hooking the ::TrackPopupMenu API and providing our own window that's in the
same thread as the plugin instead.

I couldn't figure out how to write a test for this. :-(

Fixes <​http://webkit.org/b/51063> <rdar://problem/8769281> REGRESSION (WebKit2): No context
menu appears when right-clicking on windowless Flash plugin

Reviewed by Brian Weinstein, and looked at suspiciously by Jeff Miller.

• Platform/Module.h: Added installIATHook on Windows.

• Platform/win/ModuleWin.cpp:

(WebKit::overwriteReadOnlyMemory): New helper function. Basically a wrapper around memcpy,
but uses ::VirtualProtect to allow writing to otherwise-read-only memory.
(WebKit::findFunctionPointerAddress): New helper function. The first overload iterates over
the imported modules and functions looking for the given one. If found, returns the address
of the function pointer that is used when calling that function. The second overload calls
the first, first passing it an enumerator for the image's imported modules, then passing it
an iterator for the image's delay-loaded modules.
(WebKit::Module::installIATHook): Added. Finds the address of the function pointer that's
used when code in this module calls the given function, then overwrites the function pointer
with the passed-in one. Future calls to the given function made by code in this module
should then end up calling to the passed-in function instead of the original one.

• Shared/Plugins/Netscape/NetscapePluginModule.h:

(WebKit::NetscapePluginModule::module): Added this simple getter.

• WebProcess/Plugins/Netscape/NetscapePlugin.h: Added some new Windows-only members.

• WebProcess/Plugins/Netscape/win/NetscapePluginWin.cpp:

(WebKit::CurrentPluginSetter::CurrentPluginSetter):
(WebKit::CurrentPluginSetter::~CurrentPluginSetter):
This RAII class sets/unsets the currentPlugin global.

(WebKit::registerPluginView): Changed to use instanceHandle() instead of the mysterious
gInstance.
(WebKit::NetscapePlugin::platformPostInitialize): For windowless plugins, hook the
::TrackPopupMenu API and create a window to be used as the owner for context menus created
by this plugin. (Also changed the ::CreateWindowExW call for windowed plugins to pass an
instance handle so that the window will be associated with WebKit.dll instead of
WebKit2WebProcess.exe. This should have no visible effect, but is more correct.)
(WebKit::NetscapePlugin::platformDestroy): For windowless plugins, destroy the context menu
owner window we created above.

(WebKit::NetscapePlugin::platformPaint):
(WebKit::NetscapePlugin::platformHandleMouseEvent):
(WebKit::NetscapePlugin::platformHandleWheelEvent):
(WebKit::NetscapePlugin::platformSetFocus):
(WebKit::NetscapePlugin::platformHandleMouseEnterEvent):
(WebKit::NetscapePlugin::platformHandleMouseLeaveEvent):
(WebKit::NetscapePlugin::platformHandleKeyboardEvent):
Set ourselves as the current plugin.

(WebKit::NetscapePlugin::hookedTrackPopupMenu): Added. This is the function that actually
gets called when windowless plugins call ::TrackPopupMenu. If the passed-in owner window is
owned by the current thread, we have nothing to do; ::TrackPopupMenu should work just fine.
Otherwise, we use the current plugin's context menu owner window as the context menu's
owner. We also set focus to the new owner window because otherwise weird behavior results
(e.g., it's possible to scroll the WKView while the context menu is up).

Location:

trunk/Source/WebKit2

Files:

• ChangeLog (modified) (1 diff)
• Platform/Module.h (modified) (1 diff)
• Platform/win/ModuleWin.cpp (modified) (2 diffs)
• Shared/Plugins/Netscape/NetscapePluginModule.h (modified) (1 diff)
• WebProcess/Plugins/Netscape/NetscapePlugin.h (modified) (2 diffs)
• WebProcess/Plugins/Netscape/win/NetscapePluginWin.cpp (modified) (12 diffs)

trunk/Source/WebKit2/ChangeLog

@@ +1 @@
+2011-04-21  Adam Roben  <aroben@apple.com>
+
+        Give windowless plugins' context menus an owner window in the same thread as the plugin
+
+        In some cases, plugins pass the WKView's HWND to the ::TrackPopupMenu API. ::TrackPopupMenu
+        fails in this case because the WKView's HWND is owned by another process/thread. We work
+        around this by hooking the ::TrackPopupMenu API and providing our own window that's in the
+        same thread as the plugin instead.
+
+        I couldn't figure out how to write a test for this. :-(
+
+        Fixes <http://webkit.org/b/51063> <rdar://problem/8769281> REGRESSION (WebKit2): No context
+        menu appears when right-clicking on windowless Flash plugin
+
+        Reviewed by Brian Weinstein, and looked at suspiciously by Jeff Miller.
+
+        * Platform/Module.h: Added installIATHook on Windows.
+
+        * Platform/win/ModuleWin.cpp:
+        (WebKit::overwriteReadOnlyMemory): New helper function. Basically a wrapper around memcpy,
+        but uses ::VirtualProtect to allow writing to otherwise-read-only memory.
+        (WebKit::findFunctionPointerAddress): New helper function. The first overload iterates over
+        the imported modules and functions looking for the given one. If found, returns the address
+        of the function pointer that is used when calling that function. The second overload calls
+        the first, first passing it an enumerator for the image's imported modules, then passing it
+        an iterator for the image's delay-loaded modules.
+        (WebKit::Module::installIATHook): Added. Finds the address of the function pointer that's
+        used when code in this module calls the given function, then overwrites the function pointer
+        with the passed-in one. Future calls to the given function made by code in this module
+        should then end up calling to the passed-in function instead of the original one.
+
+        * Shared/Plugins/Netscape/NetscapePluginModule.h:
+        (WebKit::NetscapePluginModule::module): Added this simple getter.
+
+        * WebProcess/Plugins/Netscape/NetscapePlugin.h: Added some new Windows-only members.
+
+        * WebProcess/Plugins/Netscape/win/NetscapePluginWin.cpp:
+        (WebKit::CurrentPluginSetter::CurrentPluginSetter):
+        (WebKit::CurrentPluginSetter::~CurrentPluginSetter):
+        This RAII class sets/unsets the currentPlugin global.
+
+        (WebKit::registerPluginView): Changed to use instanceHandle() instead of the mysterious
+        gInstance.
+        (WebKit::NetscapePlugin::platformPostInitialize): For windowless plugins, hook the
+        ::TrackPopupMenu API and create a window to be used as the owner for context menus created
+        by this plugin. (Also changed the ::CreateWindowExW call for windowed plugins to pass an
+        instance handle so that the window will be associated with WebKit.dll instead of
+        WebKit2WebProcess.exe. This should have no visible effect, but is more correct.)
+        (WebKit::NetscapePlugin::platformDestroy): For windowless plugins, destroy the context menu
+        owner window we created above.
+
+        (WebKit::NetscapePlugin::platformPaint):
+        (WebKit::NetscapePlugin::platformHandleMouseEvent):
+        (WebKit::NetscapePlugin::platformHandleWheelEvent):
+        (WebKit::NetscapePlugin::platformSetFocus):
+        (WebKit::NetscapePlugin::platformHandleMouseEnterEvent):
+        (WebKit::NetscapePlugin::platformHandleMouseLeaveEvent):
+        (WebKit::NetscapePlugin::platformHandleKeyboardEvent):
+        Set ourselves as the current plugin.
+
+        (WebKit::NetscapePlugin::hookedTrackPopupMenu): Added. This is the function that actually
+        gets called when windowless plugins call ::TrackPopupMenu. If the passed-in owner window is
+        owned by the current thread, we have nothing to do; ::TrackPopupMenu should work just fine.
+        Otherwise, we use the current plugin's context menu owner window as the context menu's
+        owner. We also set focus to the new owner window because otherwise weird behavior results
+        (e.g., it's possible to scroll the WKView while the context menu is up).
+
 2011-04-21  Adam Roben  <aroben@apple.com>
 

trunk/Source/WebKit2/Platform/Module.h

@@ -61 +61 @@
 #endif
 
+#if PLATFORM(WIN)
+    void installIATHook(const char* importDLLName, const char* importFunctionName, const void* hookFunction);
+#endif
+
 private:
     void* platformFunctionPointer(const char* functionName) const;

trunk/Source/WebKit2/Platform/win/ModuleWin.cpp

@@ -27 +27 @@
 #include "Module.h"
 
+#include <WebCore/DelayLoadedModulesEnumerator.h>
+#include <WebCore/ImportedFunctionsEnumerator.h>
+#include <WebCore/ImportedModulesEnumerator.h>
 #include <shlwapi.h>
+
+using namespace WebCore;
 
 namespace WebKit {
@@ -46 +51 @@
 }
 
+static void memcpyToReadOnlyMemory(void* destination, const void* source, size_t size)
+{
+    DWORD originalProtection;
+    if (!::VirtualProtect(destination, size, PAGE_READWRITE, &originalProtection))
+        return;
+
+    memcpy(destination, source, size);
+
+    ::VirtualProtect(destination, size, originalProtection, &originalProtection);
+}
+
+static const void* const* findFunctionPointerAddress(ImportedModulesEnumeratorBase& modules, const char* importDLLName, const char* importFunctionName)
+{
+    for (; !modules.isAtEnd(); modules.next()) {
+        if (_stricmp(importDLLName, modules.currentModuleName()))
+            continue;
+
+        for (ImportedFunctionsEnumerator functions = modules.functionsEnumerator(); !functions.isAtEnd(); functions.next()) {
+            const char* currentFunctionName = functions.currentFunctionName();
+            if (!currentFunctionName || strcmp(importFunctionName, currentFunctionName))
+                continue;
+
+            return functions.addressOfCurrentFunctionPointer();
+        }
+
+        break;
+    }
+
+    return 0;
+}
+
+static const void* const* findFunctionPointerAddress(HMODULE module, const char* importDLLName, const char* importFunctionName)
+{
+    PEImage image(module);
+
+    ImportedModulesEnumerator importedModules(image);
+    if (const void* const* functionPointerAddress = findFunctionPointerAddress(importedModules, importDLLName, importFunctionName))
+        return functionPointerAddress;
+
+    DelayLoadedModulesEnumerator delayLoadedModules(image);
+    return findFunctionPointerAddress(delayLoadedModules, importDLLName, importFunctionName);
+}
+
+void Module::installIATHook(const char* importDLLName, const char* importFunctionName, const void* hookFunction)
+{
+    if (!m_module)
+        return;
+
+    // The Import Address Table (IAT) contains one function pointer for each function imported by
+    // this module. When code in this module calls that function, the function pointer from the IAT
+    // is used. We find that function pointer and overwrite it with hookFunction so that
+    // hookFunction will be called instead.
+
+    const void* const* functionPointerAddress = findFunctionPointerAddress(m_module, importDLLName, importFunctionName);
+    if (!functionPointerAddress || *functionPointerAddress == hookFunction)
+        return;
+
+    memcpyToReadOnlyMemory(const_cast<const void**>(functionPointerAddress), &hookFunction, sizeof(hookFunction));
+}
+
 void* Module::platformFunctionPointer(const char* functionName) const
 {

trunk/Source/WebKit2/Shared/Plugins/Netscape/NetscapePluginModule.h

@@ -60 +60 @@
     bool clearSiteData(const String& site, uint64_t flags, uint64_t maxAge);
 
+    Module* module() const { return m_module.get(); }
+
 private:
     explicit NetscapePluginModule(const String& pluginPath);

trunk/Source/WebKit2/WebProcess/Plugins/Netscape/NetscapePlugin.h

@@ -186 +186 @@
     virtual PluginController* controller();
 
+#if PLUGIN_ARCHITECTURE(WIN)
+    static BOOL WINAPI hookedTrackPopupMenu(HMENU, UINT uFlags, int x, int y, int nReserved, HWND, const RECT*);
+#endif
+
     PluginController* m_pluginController;
     uint64_t m_nextRequestID;
@@ -235 +239 @@
 #elif PLUGIN_ARCHITECTURE(WIN)
     HWND m_window;
+    HWND m_contextMenuOwnerWindow;
 #elif PLUGIN_ARCHITECTURE(X11)
     Pixmap m_drawable;

trunk/Source/WebKit2/WebProcess/Plugins/Netscape/win/NetscapePluginWin.cpp

@@ -29 +29 @@
 #include "PluginController.h"
 #include "WebEvent.h"
+#include <WebCore/DefWndProcWindowClass.h>
 #include <WebCore/GraphicsContext.h>
 #include <WebCore/LocalWindowsContext.h>
 #include <WebCore/NotImplemented.h>
+#include <WebCore/WebCoreInstanceHandle.h>
 
 using namespace WebCore;
 
-extern "C" HINSTANCE gInstance;
-
 namespace WebKit {
+
+static NetscapePlugin* currentPlugin;
+
+class CurrentPluginSetter {
+    WTF_MAKE_NONCOPYABLE(CurrentPluginSetter);
+public:
+    explicit CurrentPluginSetter(NetscapePlugin* plugin)
+        : m_plugin(plugin)
+        , m_formerCurrentPlugin(currentPlugin)
+    {
+        currentPlugin = m_plugin;
+    }
+
+    ~CurrentPluginSetter()
+    {
+        ASSERT(currentPlugin == m_plugin);
+        currentPlugin = m_formerCurrentPlugin;
+    }
+
+private:
+    NetscapePlugin* m_plugin;
+    NetscapePlugin* m_formerCurrentPlugin;
+};
 
 static LPCWSTR windowClassName = L"org.webkit.NetscapePluginWindow";
@@ -51 +74 @@
     windowClass.style = CS_DBLCLKS;
     windowClass.lpfnWndProc = ::DefWindowProcW;
-    windowClass.hInstance = gInstance;
+    windowClass.hInstance = instanceHandle();
     windowClass.hCursor = ::LoadCursorW(0, IDC_ARROW);
     windowClass.hbrBackground = reinterpret_cast<HBRUSH>(COLOR_WINDOW + 1);
@@ -68 +91 @@
     if (!m_isWindowed) {
         m_window = 0;
+
+        // Windowless plugins need a little help showing context menus since our containingWindow()
+        // is in a different process. See <http://webkit.org/b/51063>.
+        m_pluginModule->module()->installIATHook("user32.dll", "TrackPopupMenu", hookedTrackPopupMenu);
+        m_contextMenuOwnerWindow = ::CreateWindowExW(0, defWndProcWindowClassName(), 0, WS_CHILD, 0, 0, 0, 0, containingWindow(), 0, instanceHandle(), 0);
+
         return true;
     }
@@ -73 +102 @@
     registerPluginView();
 
-    m_window = ::CreateWindowExW(0, windowClassName, 0, WS_CHILD | WS_VISIBLE, 0, 0, 0, 0, containingWindow(), 0, 0, 0);
+    m_window = ::CreateWindowExW(0, windowClassName, 0, WS_CHILD | WS_VISIBLE, 0, 0, 0, 0, containingWindow(), 0, instanceHandle(), 0);
     if (!m_window)
         return false;
@@ -89 +118 @@
 {
     if (!m_isWindowed) {
+        ASSERT(m_contextMenuOwnerWindow);
+        ::DestroyWindow(m_contextMenuOwnerWindow);
         ASSERT(!m_window);
         return;
@@ -138 +169 @@
 void NetscapePlugin::platformPaint(GraphicsContext* context, const IntRect& dirtyRect, bool)
 {
+    CurrentPluginSetter setCurrentPlugin(this);
+
     // FIXME: Call SetWindow here if we haven't called it yet (see r59904).
 
@@ -247 +280 @@
 bool NetscapePlugin::platformHandleMouseEvent(const WebMouseEvent& event)
 {
+    CurrentPluginSetter setCurrentPlugin(this);
+
     if (m_isWindowed)
         return false;
@@ -257 +292 @@
 bool NetscapePlugin::platformHandleWheelEvent(const WebWheelEvent&)
 {
+    CurrentPluginSetter setCurrentPlugin(this);
+
     notImplemented();
     return false;
@@ -263 +300 @@
 void NetscapePlugin::platformSetFocus(bool)
 {
+    CurrentPluginSetter setCurrentPlugin(this);
+
     notImplemented();
 }
@@ -268 +307 @@
 bool NetscapePlugin::platformHandleMouseEnterEvent(const WebMouseEvent& event)
 {
+    CurrentPluginSetter setCurrentPlugin(this);
+
     if (m_isWindowed)
         return false;
@@ -278 +319 @@
 bool NetscapePlugin::platformHandleMouseLeaveEvent(const WebMouseEvent& event)
 {
+    CurrentPluginSetter setCurrentPlugin(this);
+
     if (m_isWindowed)
         return false;
@@ -288 +331 @@
 bool NetscapePlugin::platformHandleKeyboardEvent(const WebKeyboardEvent&)
 {
+    CurrentPluginSetter setCurrentPlugin(this);
+
     notImplemented();
     return false;
 }
 
+BOOL NetscapePlugin::hookedTrackPopupMenu(HMENU hMenu, UINT uFlags, int x, int y, int nReserved, HWND hWnd, const RECT* prcRect)
+{
+    // ::TrackPopupMenu fails when it is passed a window that is owned by another thread. If this
+    // happens, we substitute a dummy window that is owned by this thread.
+
+    if (::GetWindowThreadProcessId(hWnd, 0) == ::GetCurrentThreadId())
+        return ::TrackPopupMenu(hMenu, uFlags, x, y, nReserved, hWnd, prcRect);
+
+    HWND originalFocusWindow = 0;
+
+    ASSERT(currentPlugin);
+    if (currentPlugin) {
+        ASSERT(!currentPlugin->m_isWindowed);
+        ASSERT(currentPlugin->m_contextMenuOwnerWindow);
+        ASSERT(::GetWindowThreadProcessId(currentPlugin->m_contextMenuOwnerWindow, 0) == ::GetCurrentThreadId());
+        hWnd = currentPlugin->m_contextMenuOwnerWindow;
+
+        // If we don't focus the dummy window, the user will be able to scroll the page while the
+        // context menu is up, e.g.
+        originalFocusWindow = ::SetFocus(hWnd);
+    }
+
+    BOOL result = ::TrackPopupMenu(hMenu, uFlags, x, y, nReserved, hWnd, prcRect);
+
+    if (originalFocusWindow)
+        ::SetFocus(originalFocusWindow);
+
+    return result;
+}
+
 } // namespace WebKit