1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
|
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "Compatibility.h"
#include "mozilla/WindowsVersion.h"
#include "mozilla/WinHeaderOnlyUtils.h"
#include "mozilla/StaticPrefs_accessibility.h"
#include "nsExceptionHandler.h"
#include "nsIXULRuntime.h"
#include "nsPrintfCString.h"
#include "nsUnicharUtils.h"
#include "nsWindowsDllInterceptor.h"
#include "nsWinUtils.h"
#include "Statistics.h"
#include "AccessibleWrap.h"
#include "mozilla/Preferences.h"
#include <shlobj.h>
using namespace mozilla;
using namespace mozilla::a11y;
/**
* String versions of consumer flags. See GetHumanReadableConsumersStr.
*/
static const wchar_t* ConsumerStringMap[CONSUMERS_ENUM_LEN + 1] = {
L"NVDA", L"JAWS", L"OLDJAWS", L"WE", L"DOLPHIN",
L"SEROTEK", L"COBRA", L"ZOOMTEXT", L"KAZAGURU", L"YOUDAO",
L"UNKNOWN", L"UIAUTOMATION", L"VISPEROSHARED", L"\0"};
bool Compatibility::IsModuleVersionLessThan(HMODULE aModuleHandle,
unsigned long long aVersion) {
LauncherResult<ModuleVersion> version = GetModuleVersion(aModuleHandle);
if (version.isErr()) {
return true;
}
return version.unwrap() < aVersion;
}
////////////////////////////////////////////////////////////////////////////////
// Compatibility
////////////////////////////////////////////////////////////////////////////////
static WindowsDllInterceptor sUser32Interceptor;
static WindowsDllInterceptor::FuncHookType<decltype(&InSendMessageEx)>
sInSendMessageExStub;
static bool sInSendMessageExHackEnabled = false;
static PVOID sVectoredExceptionHandler = nullptr;
#if defined(_MSC_VER)
# include <intrin.h>
# pragma intrinsic(_ReturnAddress)
# define RETURN_ADDRESS() _ReturnAddress()
#elif defined(__GNUC__) || defined(__clang__)
# define RETURN_ADDRESS() \
__builtin_extract_return_addr(__builtin_return_address(0))
#endif
static inline bool IsCurrentThreadInBlockingMessageSend(
const DWORD aStateBits) {
// From the MSDN docs for InSendMessageEx
return (aStateBits & (ISMEX_REPLIED | ISMEX_SEND)) == ISMEX_SEND;
}
/**
* COM assumes that if you're invoking a proxy from an STA thread while
* InSendMessageEx reports that the calling thread is blocked, that you'll
* deadlock your own process. It returns the RPC_E_CANTCALLOUT_ININPUTSYNCCALL
* error code. This is not actually true in our case: we are calling into
* the multithreaded apartment via ALPC. In this hook, we check to see if the
* caller is COM, and if so, we lie to it.
*
* This hack is necessary for ATs who invoke COM proxies from within
* WH_CALLWNDPROC hooks, WinEvent hooks, or a WndProc handling a sent
* (as opposed to posted) message.
*/
static DWORD WINAPI InSendMessageExHook(LPVOID lpReserved) {
MOZ_ASSERT(XRE_IsParentProcess());
DWORD result = sInSendMessageExStub(lpReserved);
if (NS_IsMainThread() && sInSendMessageExHackEnabled &&
IsCurrentThreadInBlockingMessageSend(result)) {
// We want to take a strong reference to the dll so that it is never
// unloaded/reloaded from this point forward, hence we use LoadLibrary
// and not GetModuleHandle.
static const HMODULE comModule = []() -> HMODULE {
HMODULE module = LoadLibraryW(L"combase.dll");
if (!module) {
// combase is not present on Windows 7, so we fall back to ole32 there
module = LoadLibraryW(L"ole32.dll");
}
return module;
}();
MOZ_ASSERT(comModule);
if (!comModule) {
return result;
}
// Check if InSendMessageEx is being called from code within comModule
HMODULE callingModule;
if (GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT,
reinterpret_cast<LPCWSTR>(RETURN_ADDRESS()),
&callingModule) &&
callingModule == comModule) {
result = ISMEX_NOTIFY;
}
}
return result;
}
static LONG CALLBACK
DetectInSendMessageExCompat(PEXCEPTION_POINTERS aExceptionInfo) {
DWORD exceptionCode = aExceptionInfo->ExceptionRecord->ExceptionCode;
if (exceptionCode == static_cast<DWORD>(RPC_E_CANTCALLOUT_ININPUTSYNCCALL) &&
NS_IsMainThread()) {
sInSendMessageExHackEnabled = true;
// We don't need this exception handler anymore, so remove it
if (RemoveVectoredExceptionHandler(sVectoredExceptionHandler)) {
sVectoredExceptionHandler = nullptr;
}
}
return EXCEPTION_CONTINUE_SEARCH;
}
uint32_t Compatibility::sConsumers = Compatibility::UNKNOWN;
/**
* This function is safe to call multiple times.
*/
/* static */
void Compatibility::InitConsumers() {
HMODULE jawsHandle = ::GetModuleHandleW(L"jhook");
if (jawsHandle) {
sConsumers |=
IsModuleVersionLessThan(jawsHandle, MAKE_FILE_VERSION(19, 0, 0, 0))
? OLDJAWS
: JAWS;
}
if (::GetModuleHandleW(L"gwm32inc")) sConsumers |= WE;
if (::GetModuleHandleW(L"dolwinhk")) sConsumers |= DOLPHIN;
if (::GetModuleHandleW(L"STSA32")) sConsumers |= SEROTEK;
if (::GetModuleHandleW(L"nvdaHelperRemote")) sConsumers |= NVDA;
if (::GetModuleHandleW(L"OsmHooks") || ::GetModuleHandleW(L"OsmHks64"))
sConsumers |= COBRA;
if (::GetModuleHandleW(L"WebFinderRemote")) sConsumers |= ZOOMTEXT;
if (::GetModuleHandleW(L"Kazahook")) sConsumers |= KAZAGURU;
if (::GetModuleHandleW(L"TextExtractorImpl32") ||
::GetModuleHandleW(L"TextExtractorImpl64"))
sConsumers |= YOUDAO;
if (::GetModuleHandleW(L"uiautomation") ||
::GetModuleHandleW(L"uiautomationcore"))
sConsumers |= UIAUTOMATION;
if (::GetModuleHandleW(L"AccEventCache")) {
sConsumers |= VISPEROSHARED;
}
// If we have a known consumer remove the unknown bit.
if (sConsumers != Compatibility::UNKNOWN)
sConsumers &= ~Compatibility::UNKNOWN;
}
/* static */
bool Compatibility::HasKnownNonUiaConsumer() {
InitConsumers();
return sConsumers & ~(Compatibility::UNKNOWN | UIAUTOMATION);
}
void Compatibility::Init() {
// Note we collect some AT statistics/telemetry here for convenience.
InitConsumers();
CrashReporter::AnnotateCrashReport(
CrashReporter::Annotation::AccessibilityInProcClient,
nsPrintfCString("0x%X", sConsumers));
// Gather telemetry
uint32_t temp = sConsumers;
for (int i = 0; temp; i++) {
if (temp & 0x1) statistics::A11yConsumers(i);
temp >>= 1;
}
// Turn off new tab switching for Jaws and WE.
if (sConsumers & (JAWS | OLDJAWS | WE)) {
// Check to see if the pref for disallowing CtrlTab is already set. If so,
// bail out (respect the user settings). If not, set it.
if (!Preferences::HasUserValue("browser.ctrlTab.disallowForScreenReaders"))
Preferences::SetBool("browser.ctrlTab.disallowForScreenReaders", true);
}
// If we have a consumer who is not NVDA, we enable detection for the
// InSendMessageEx compatibility hack. NVDA does not require this.
// We also skip UIA, as we see crashes there.
if ((sConsumers & (~(UIAUTOMATION | NVDA))) && BrowserTabsRemoteAutostart()) {
sUser32Interceptor.Init("user32.dll");
sInSendMessageExStub.Set(sUser32Interceptor, "InSendMessageEx",
&InSendMessageExHook);
// The vectored exception handler allows us to catch exceptions ahead of any
// SEH handlers.
if (!sVectoredExceptionHandler) {
// We need to let ASan's ShadowExceptionHandler remain in the firstHandler
// position, otherwise we'll get infinite recursion when our handler
// faults on shadow memory.
const ULONG firstHandler = FALSE;
sVectoredExceptionHandler = AddVectoredExceptionHandler(
firstHandler, &DetectInSendMessageExCompat);
}
}
}
// static
void Compatibility::GetHumanReadableConsumersStr(nsAString& aResult) {
bool appened = false;
uint32_t index = 0;
for (uint32_t consumers = sConsumers; consumers; consumers = consumers >> 1) {
if (consumers & 0x1) {
if (appened) {
aResult.AppendLiteral(",");
}
aResult.Append(ConsumerStringMap[index]);
appened = true;
}
if (++index > CONSUMERS_ENUM_LEN) {
break;
}
}
}
// Time when SuppressA11yForClipboardCopy() was called, as returned by
// ::GetTickCount().
static DWORD sA11yClipboardCopySuppressionStartTime = 0;
/* static */
void Compatibility::SuppressA11yForClipboardCopy() {
// Bug 1774285: Windows Suggested Actions (introduced in Windows 11 22H2)
// might walk the a11y tree using UIA whenever anything is copied to the
// clipboard. This causes an unacceptable hang, particularly when the cache
// is disabled.
bool doSuppress = [&] {
switch (
StaticPrefs::accessibility_windows_suppress_after_clipboard_copy()) {
case 0:
return false;
case 1:
return true;
default:
return NeedsWindows11SuggestedActionsWorkaround();
}
}();
if (doSuppress) {
sA11yClipboardCopySuppressionStartTime = ::GetTickCount();
}
}
/* static */
bool Compatibility::IsA11ySuppressedForClipboardCopy() {
constexpr DWORD kSuppressTimeout = 1500; // ms
if (!sA11yClipboardCopySuppressionStartTime) {
return false;
}
return ::GetTickCount() - sA11yClipboardCopySuppressionStartTime <
kSuppressTimeout;
}
|
