Only grant permissions to new extensions from sync if they have the expected version
[chromium-blink-merge.git] / chrome / browser / process_singleton_win.cc
blobd0c516657b3f84b6dc55b56b3735c8a60890664c
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "chrome/browser/process_singleton.h"
7 #include <shellapi.h>
9 #include "base/base_paths.h"
10 #include "base/bind.h"
11 #include "base/command_line.h"
12 #include "base/files/file_path.h"
13 #include "base/process/process.h"
14 #include "base/process/process_info.h"
15 #include "base/strings/string_number_conversions.h"
16 #include "base/strings/stringprintf.h"
17 #include "base/strings/utf_string_conversions.h"
18 #include "base/time/time.h"
19 #include "base/win/metro.h"
20 #include "base/win/registry.h"
21 #include "base/win/scoped_handle.h"
22 #include "base/win/windows_version.h"
23 #include "chrome/browser/browser_process.h"
24 #include "chrome/browser/browser_process_platform_part.h"
25 #include "chrome/browser/chrome_process_finder_win.h"
26 #include "chrome/browser/metro_utils/metro_chrome_win.h"
27 #include "chrome/browser/shell_integration.h"
28 #include "chrome/browser/ui/simple_message_box.h"
29 #include "chrome/common/chrome_constants.h"
30 #include "chrome/common/chrome_paths.h"
31 #include "chrome/common/chrome_paths_internal.h"
32 #include "chrome/common/chrome_switches.h"
33 #include "chrome/grit/chromium_strings.h"
34 #include "chrome/installer/util/wmi.h"
35 #include "components/browser_watcher/exit_funnel_win.h"
36 #include "content/public/common/result_codes.h"
37 #include "net/base/escape.h"
38 #include "ui/base/l10n/l10n_util.h"
39 #include "ui/gfx/win/hwnd_util.h"
41 namespace {
// Name of the lock file that ProcessSingleton::Create() opens inside the user
// data directory.
const char kLockfile[] = "lockfile";

// Timeout, in milliseconds, passed to the wait on the Metro activation event in
// ProcessSingleton::Create().
const int kMetroChromeActivationTimeoutMs = 3000;
// Scoped guard for a Win32 mutex: the constructor blocks until |mutex| has been
// acquired and the destructor releases it again.
//
// NOTE(review): the wait is INFINITE and its outcome is only examined through
// DPCHECK. Any return other than WAIT_OBJECT_0 (e.g. WAIT_ABANDONED or
// WAIT_FAILED) is presumably not acted upon where DPCHECK is compiled out --
// confirm against the logging macros.
class AutoLockMutex {
 public:
  explicit AutoLockMutex(HANDLE mutex) : mutex_(mutex) {
    const DWORD wait_status = ::WaitForSingleObject(mutex_, INFINITE);
    DPCHECK(wait_status == WAIT_OBJECT_0) << "Result = " << wait_status;
  }

  ~AutoLockMutex() {
    const BOOL was_released = ::ReleaseMutex(mutex_);
    DPCHECK(was_released);
  }

 private:
  // Borrowed handle; this class never closes it.
  HANDLE mutex_;

  DISALLOW_COPY_AND_ASSIGN(AutoLockMutex);
};
// Inverse of AutoLockMutex: the constructor releases |mutex|, which the caller
// must currently own, and the destructor waits until it is owned again.
//
// NOTE(review): re-acquisition uses an INFINITE wait whose result is only
// examined through DPCHECK, so the scope exit blocks for as long as another
// holder keeps the mutex.
class AutoUnlockMutex {
 public:
  explicit AutoUnlockMutex(HANDLE mutex) : mutex_(mutex) {
    const BOOL was_released = ::ReleaseMutex(mutex_);
    DPCHECK(was_released);
  }

  ~AutoUnlockMutex() {
    const DWORD wait_status = ::WaitForSingleObject(mutex_, INFINITE);
    DPCHECK(wait_status == WAIT_OBJECT_0) << "Result = " << wait_status;
  }

 private:
  // Borrowed handle; this class never closes it.
  HANDLE mutex_;

  DISALLOW_COPY_AND_ASSIGN(AutoUnlockMutex);
};
// Window-enumeration callback. |param| carries a bool* that is overwritten
// with the visibility of each enumerated |window|; the enumeration is stopped
// as soon as a visible window is seen, so the flag ends up true only if one
// was found.
BOOL CALLBACK BrowserWindowEnumeration(HWND window, LPARAM param) {
  bool* const found_visible = reinterpret_cast<bool*>(param);
  const bool is_visible = ::IsWindowVisible(window) != 0;
  *found_visible = is_visible;
  // Returning FALSE ends the enumeration, TRUE asks for the next window.
  return is_visible ? FALSE : TRUE;
}
// Decodes the payload of a WM_COPYDATA message into |parsed_command_line| and
// |current_directory|. The payload is a wide string of NUL-separated fields:
// the command name, the sender's current directory and its command line. Only
// the "START" command is recognised.
//
// Returns true when both outputs were filled in, false when the payload was
// rejected. |current_directory| may already have been assigned by then only on
// the success path shown below.
//
// The payload comes from another process and is treated as untrusted: every
// offset is derived from the message itself and checked before use.
//
// NOTE(review): when no third NUL is found the function logs "Invalid format"
// but still returns true, taking everything after the second NUL as the
// command line (substr clamps the length). That differs from the second-NUL
// check, which rejects. The size comment below names L"START\0\0", which has
// only two NULs, as the shortest command, so whether to reject here depends on
// the sender's framing -- confirm against the sending code before tightening.
bool ParseCommandLine(const COPYDATASTRUCT* cds,
                      base::CommandLine* parsed_command_line,
                      base::FilePath* current_directory) {
  // The payload must be able to hold the shortest command (min_message_size
  // characters) and be a whole number of wchar_t. The shortest command
  // possible is L"START\0\0" (empty current directory and command line).
  static const int min_message_size = 7;
  const bool too_short = cds->cbData < min_message_size * sizeof(wchar_t);
  const bool misaligned = cds->cbData % sizeof(wchar_t) != 0;
  if (too_short || misaligned) {
    LOG(WARNING) << "Invalid WM_COPYDATA, length = " << cds->cbData;
    return false;
  }

  // Copy the payload into a string of exactly cbData / sizeof(wchar_t)
  // characters; embedded NULs are kept and used as field separators.
  // NOTE(review): the pointer is only DCHECKed, i.e. not verified where DCHECK
  // is compiled out.
  DCHECK(cds->lpData);
  const std::wstring msg(static_cast<wchar_t*>(cds->lpData),
                         cds->cbData / sizeof(wchar_t));

  const std::wstring::size_type command_end = msg.find_first_of(L'\0');
  if (command_end == 0 || command_end == std::wstring::npos) {
    // Empty command name, or no separator at all.
    LOG(WARNING) << "Invalid WM_COPYDATA, length = " << msg.length() <<
        ", first null = " << command_end;
    return false;
  }

  // The command is everything up to the first NUL.
  if (msg.substr(0, command_end) != L"START")
    return false;

  // Another instance is starting: recover its current directory and command
  // line so this process can do what that one would have done.
  VLOG(1) << "Handling STARTUP request from another process";
  const std::wstring::size_type directory_end =
      msg.find_first_of(L'\0', command_end + 1);
  if (directory_end == std::wstring::npos ||
      command_end == msg.length() - 1 || directory_end == msg.length()) {
    LOG(WARNING) << "Invalid format for start command, we need a string in 4 "
                    "parts separated by NULLs";
    return false;
  }

  // Current directory: the field between the first and second NUL. The length
  // used here includes the terminating NUL itself.
  *current_directory = base::FilePath(
      msg.substr(command_end + 1, directory_end - command_end));

  const std::wstring::size_type command_line_end =
      msg.find_first_of(L'\0', directory_end + 1);
  if (command_line_end == std::wstring::npos ||
      command_line_end == msg.length()) {
    // Logged only; parsing continues (see the NOTE(review) above).
    LOG(WARNING) << "Invalid format for start command, we need a string in 4 "
                    "parts separated by NULLs";
  }

  // Command line: the field after the second NUL.
  const std::wstring cmd_line =
      msg.substr(directory_end + 1, command_line_end - directory_end);
  *parsed_command_line = base::CommandLine::FromString(cmd_line);
  return true;
}
// Message handler for the singleton window. Returns false for anything other
// than WM_COPYDATA. For WM_COPYDATA it returns true and stores in |result|
// either TRUE (payload could not be parsed, or the callback accepted it) or
// FALSE (the callback declined it).
//
// NOTE(review): |wparam| is not read here, so nothing in this function checks
// which window sent the message; the decoded command line is handed straight
// to |notification_callback|. Any sender validation would have to live in the
// callback or in the window layer -- confirm.
bool ProcessLaunchNotification(
    const ProcessSingleton::NotificationCallback& notification_callback,
    UINT message,
    WPARAM wparam,
    LPARAM lparam,
    LRESULT* result) {
  if (message != WM_COPYDATA)
    return false;

  // For WM_COPYDATA, |lparam| points at the COPYDATASTRUCT describing the data
  // sent by the other process.
  const COPYDATASTRUCT* cds = reinterpret_cast<COPYDATASTRUCT*>(lparam);

  base::CommandLine parsed_command_line(base::CommandLine::NO_PROGRAM);
  base::FilePath current_directory;
  const bool parsed =
      ParseCommandLine(cds, &parsed_command_line, &current_directory);
  if (parsed) {
    const bool accepted =
        notification_callback.Run(parsed_command_line, current_directory);
    *result = accepted ? TRUE : FALSE;
  } else {
    // An unparsable message is still reported as handled.
    *result = TRUE;
  }
  return true;
}
// Reports whether Chrome needs to be relaunched into Windows 8 immersive mode.
// This implementation returns false unconditionally and does not read
// |user_data_dir|. The conditions that are described for a relaunch are:
// 1. Windows 8 or greater.
// 2. Not in Windows 8 immersive mode.
// 3. Chrome is default browser.
// 4. Process integrity level is not high.
// 5. The profile data directory is the default directory.
// 6. Last used mode was immersive/machine is a tablet.
// TODO(ananta)
// Move this function to a common place as the Windows 8 delegate_execute
// handler can possibly use this.
bool ShouldLaunchInWindows8ImmersiveMode(const base::FilePath& user_data_dir) {
  // A false result does not mean immersive mode is never launched in Aura.
  // This function is only consulted when a desktop-launched Chrome would have
  // to be relaunched into immersive mode through the 'relaunch' menu; in Aura
  // that relaunch goes through delegate_execute instead.
  return false;
}
// Shows the "hung browser" question box titled with the product name and
// returns true unless the answer is MESSAGE_BOX_RESULT_NO.
bool DisplayShouldKillMessageBox() {
  const base::string16 title = l10n_util::GetStringUTF16(IDS_PRODUCT_NAME);
  const base::string16 question =
      l10n_util::GetStringUTF16(IDS_BROWSER_HUNGBROWSER_MESSAGE);
  return chrome::ShowMessageBox(NULL, title, question,
                                chrome::MESSAGE_BOX_TYPE_QUESTION) !=
         chrome::MESSAGE_BOX_RESULT_NO;
}
205 } // namespace
// Microsoft's Softricity virtualization breaks the sandbox processes.
// When one of the Softricity loader DLLs is present in this process, Chrome is
// relaunched through WMI Win32_Process.Create with this process' own command
// line, which takes the new instance out of the virtualization environment.
// http://code.google.com/p/chromium/issues/detail?id=43650
//
// Returns true (and sets |is_virtualized_|) when the relaunch was started,
// false when no Softricity DLL is loaded or the WMI launch failed.
bool ProcessSingleton::EscapeVirtualization(
    const base::FilePath& user_data_dir) {
  const bool softricity_loaded = ::GetModuleHandle(L"sftldr_wow64.dll") ||
                                 ::GetModuleHandle(L"sftldr.dll");
  if (!softricity_loaded)
    return false;

  int process_id;
  if (!installer::WMIProcess::Launch(::GetCommandLineW(), &process_id))
    return false;
  is_virtualized_ = true;

  // A window spawned through WMI does not come up in the foreground. Give the
  // new chrome.exe a moment to start (WaitForInputIdle doesn't work here), then
  // poll for up to two more seconds and bring its window forward if it shows
  // up; otherwise give up quietly.
  ::Sleep(90);
  HWND hwnd = 0;
  for (int attempts_left = 200; attempts_left > 0; --attempts_left) {
    hwnd = chrome::FindRunningChromeWindow(user_data_dir);
    if (hwnd) {
      ::SetForegroundWindow(hwnd);
      break;
    }
    ::Sleep(10);
  }
  return true;
}
// Stores the profile directory and the notification callback. No lock file is
// held yet (|lock_file_| starts as INVALID_HANDLE_VALUE) and the default
// "should the hung browser be killed?" decision is the message box shown by
// DisplayShouldKillMessageBox().
ProcessSingleton::ProcessSingleton(
    const base::FilePath& user_data_dir,
    const NotificationCallback& notification_callback)
    : notification_callback_(notification_callback),
      is_virtualized_(false),
      lock_file_(INVALID_HANDLE_VALUE),
      user_data_dir_(user_data_dir),
      should_kill_remote_process_callback_(
          base::Bind(&DisplayShouldKillMessageBox)) {
}
// Closes the lock file handle if one was opened. Create() opens that file with
// FILE_FLAG_DELETE_ON_CLOSE, so closing the handle is also what removes it.
ProcessSingleton::~ProcessSingleton() {
  if (lock_file_ == INVALID_HANDLE_VALUE)
    return;
  ::CloseHandle(lock_file_);
}
// Code roughly based on Mozilla.
//
// Tries to hand this launch over to the instance that owns |remote_window_|.
// Returns PROCESS_NOTIFIED when the other instance took it (or the user chose
// not to kill a hung one, or the relaunch already happened through WMI),
// LOCK_ERROR when there is neither a remote window nor a lock file, and
// PROCESS_NONE when there is no instance left to notify -- including after a
// hung instance has been terminated here.
//
// NOTE(review): the process that gets terminated is identified purely from
// |remote_window_| via GetWindowThreadProcessId(); how that window is matched
// to a genuine Chrome instance is decided in chrome::FindRunningChromeWindow,
// which is not visible here.
ProcessSingleton::NotifyResult ProcessSingleton::NotifyOtherProcess() {
  if (is_virtualized_)
    return PROCESS_NOTIFIED;  // We already spawned the process in this case.

  if (!remote_window_) {
    return lock_file_ == INVALID_HANDLE_VALUE ? LOCK_ERROR : PROCESS_NONE;
  }

  switch (chrome::AttemptToNotifyRunningChrome(remote_window_, false)) {
    case chrome::NOTIFY_SUCCESS:
      return PROCESS_NOTIFIED;
    case chrome::NOTIFY_FAILED:
      remote_window_ = NULL;
      return PROCESS_NONE;
    case chrome::NOTIFY_WINDOW_HUNG:
      // Note the hung rendezvous in this process' own exit funnel, then fall
      // out of the switch to deal with the hung instance.
      browser_watcher::ExitFunnel::RecordSingleEvent(
          chrome::kBrowserExitCodesRegistryPath, L"RendezvousToHungBrowser");
      break;
  }

  DWORD owner_pid = 0;
  const DWORD owner_tid =
      ::GetWindowThreadProcessId(remote_window_, &owner_pid);
  if (!owner_tid || !owner_pid) {
    remote_window_ = NULL;
    return PROCESS_NONE;
  }
  // NOTE(review): the opened process is used below without a validity check;
  // confirm how Handle() and Terminate() behave when the open did not succeed.
  base::Process hung_process = base::Process::Open(owner_pid);

  // The window did not respond. Look through the windows of its thread for a
  // visible one.
  bool has_visible_window = false;
  ::EnumThreadWindows(owner_tid,
                      &BrowserWindowEnumeration,
                      reinterpret_cast<LPARAM>(&has_visible_window));

  // With a visible browser window the user is asked first; a refusal ends
  // this launch silently.
  if (has_visible_window && !should_kill_remote_process_callback_.Run()) {
    return PROCESS_NOTIFIED;
  }

  // Leave a trace of the termination in the hung process' exit funnel.
  browser_watcher::ExitFunnel funnel;
  if (funnel.Init(chrome::kBrowserExitCodesRegistryPath,
                  hung_process.Handle()))
    funnel.RecordEvent(L"HungBrowserTerminated");

  // Kill the hung browser process.
  hung_process.Terminate(content::RESULT_CODE_HUNG, true);
  remote_window_ = NULL;
  return PROCESS_NONE;
}
// Tries to become the singleton. On success, runs the platform-specific
// command line processing for this process and returns PROCESS_NONE. On
// failure, notifies the existing instance and returns that outcome, except
// that PROCESS_NONE is reported to the caller as PROFILE_IN_USE.
ProcessSingleton::NotifyResult
ProcessSingleton::NotifyOtherProcessOrCreate() {
  if (Create()) {
    g_browser_process->platform_part()->PlatformSpecificCommandLineProcessing(
        *base::CommandLine::ForCurrentProcess());
    return PROCESS_NONE;
  }

  const ProcessSingleton::NotifyResult notify_result = NotifyOtherProcess();
  return notify_result == PROCESS_NONE ? PROFILE_IN_USE : notify_result;
}
// Look for a Chrome instance that uses the same profile directory. If there
// isn't one, create a message window with its title set to the profile
// directory path. Returns true when this process ended up owning that window.
//
// NOTE(review): the startup mutex and the Metro activation event are named
// objects created with NULL security attributes. Another process that can
// open the same names could keep the mutex held or have the event already
// present, which would block or delay startup here (INFINITE wait in
// AutoLockMutex, kMetroChromeActivationTimeoutMs for the event). Confirm the
// default security descriptor is acceptable for the deployment.
bool ProcessSingleton::Create() {
  static const wchar_t kMutexName[] = L"Local\\ChromeProcessSingletonStartup!";
  static const wchar_t kMetroActivationEventName[] =
      L"Local\\ChromeProcessSingletonStartupMetroActivation!";

  remote_window_ = chrome::FindRunningChromeWindow(user_data_dir_);
  if (!remote_window_ && !EscapeVirtualization(user_data_dir_)) {
    // Only one process may create the window. A named mutex is used because
    // the contention is between processes. Ownership is deliberately not
    // requested at creation time, since it is not guaranteed to be granted;
    // the mutex is created unowned and acquired explicitly afterwards.
    base::win::ScopedHandle startup_mutex(
        ::CreateMutex(NULL, FALSE, kMutexName));
    if (!startup_mutex.IsValid()) {
      DPLOG(FATAL) << "CreateMutex failed";
      return false;
    }

    AutoLockMutex startup_lock(startup_mutex.Get());

    // Holding the mutex makes this the only process allowed to create the
    // window right now, but another process may have created it between the
    // first lookup above and the moment the mutex was granted: look again.
    remote_window_ = chrome::FindRunningChromeWindow(user_data_dir_);

    // In Win8+, a new Chrome process launched in Desktop mode may need to be
    // transmuted into Metro Chrome (see ShouldLaunchInWindows8ImmersiveMode
    // for heuristics). To accomplish this, the current Chrome activates Metro
    // Chrome, releases the startup mutex, and waits for Metro Chrome to take
    // the singleton. From that point onward, the command line for this Chrome
    // process will be sent to Metro Chrome by the usual channels.
    if (!remote_window_ && base::win::GetVersion() >= base::win::VERSION_WIN8 &&
        !base::win::IsMetroProcess()) {
      // |metro_activation_event| is created right before activating a Metro
      // Chrome (there can only be one Metro Chrome process, by OS design).
      // All following Desktop processes then wait for the event, which Metro
      // Chrome signals as soon as it grabs this singleton. A waiter that times
      // out tries to grab the singleton itself, which in the worst case
      // results in a forced Desktop Chrome launch.
      base::win::ScopedHandle metro_activation_event(
          ::OpenEvent(SYNCHRONIZE, FALSE, kMetroActivationEventName));
      if (!metro_activation_event.IsValid() &&
          ShouldLaunchInWindows8ImmersiveMode(user_data_dir_)) {
        // No Metro activation is under way, but the desire is to launch in
        // Metro mode: activate and rendez-vous with the activated process.
        metro_activation_event.Set(
            ::CreateEvent(NULL, TRUE, FALSE, kMetroActivationEventName));
        if (!chrome::ActivateMetroChrome()) {
          // Failed to launch immersive Chrome, default to launching on Desktop.
          LOG(ERROR) << "Failed to launch immersive chrome";
          metro_activation_event.Close();
        }
      }

      if (metro_activation_event.IsValid()) {
        // Give up the startup mutex (so Metro Chrome can grab this singleton)
        // for the duration of the wait on the event, i.e. until Metro Chrome
        // was successfully activated. A timeout on the wait is ignored.
        {
          AutoUnlockMutex startup_unlock(startup_mutex.Get());

          const DWORD wait_status = ::WaitForSingleObject(
              metro_activation_event.Get(), kMetroChromeActivationTimeoutMs);
          DPCHECK(wait_status == WAIT_OBJECT_0 || wait_status == WAIT_TIMEOUT)
              << "Result = " << wait_status;
        }

        // Check if this singleton was successfully grabbed by another process
        // (hopefully Metro Chrome). Failing that, this process grabs the
        // singleton and launches in Desktop mode.
        remote_window_ = chrome::FindRunningChromeWindow(user_data_dir_);
      }
    }

    if (!remote_window_) {
      // We have to make sure there is no Chrome instance running on another
      // machine that uses the same profile. The lock file is opened for
      // writing with read-only sharing and is deleted when the handle closes.
      base::FilePath lock_file_path = user_data_dir_.AppendASCII(kLockfile);
      lock_file_ = ::CreateFile(lock_file_path.value().c_str(),
                                GENERIC_WRITE,
                                FILE_SHARE_READ,
                                NULL,
                                CREATE_ALWAYS,
                                FILE_ATTRIBUTE_NORMAL |
                                    FILE_FLAG_DELETE_ON_CLOSE,
                                NULL);
      // Captured immediately so the logging below cannot disturb it.
      const DWORD create_error = ::GetLastError();
      LOG_IF(WARNING, lock_file_ != INVALID_HANDLE_VALUE &&
          create_error == ERROR_ALREADY_EXISTS)
          << "Lock file exists but is writable.";
      LOG_IF(ERROR, lock_file_ == INVALID_HANDLE_VALUE)
          << "Lock file can not be created! Error code: " << create_error;

      if (lock_file_ != INVALID_HANDLE_VALUE) {
        // Set the window's title to the path of our user data directory so
        // other Chrome instances can decide if they should forward to us.
        const bool window_created = window_.CreateNamed(
            base::Bind(&ProcessLaunchNotification, notification_callback_),
            user_data_dir_.value());
        CHECK(window_created && window_.hwnd());
      }

      if (base::win::GetVersion() >= base::win::VERSION_WIN8) {
        // Make sure no one is still waiting on Metro activation whether it
        // succeeded (i.e., this is the Metro process) or failed.
        base::win::ScopedHandle metro_activation_event(
            ::OpenEvent(EVENT_MODIFY_STATE, FALSE, kMetroActivationEventName));
        if (metro_activation_event.IsValid())
          ::SetEvent(metro_activation_event.Get());
      }
    }
  }

  return window_.hwnd() != NULL;
}
// Has no work to do in this implementation: the body is empty. The lock file
// handle is closed by the destructor.
void ProcessSingleton::Cleanup() {
}
// Test hook: replaces the callback that NotifyOtherProcess() consults before
// terminating a hung instance that has a visible window. By default that
// callback shows a message box.
void ProcessSingleton::OverrideShouldKillRemoteProcessCallbackForTesting(
    const ShouldKillRemoteProcessCallback& display_dialog_callback) {
  should_kill_remote_process_callback_ = display_dialog_callback;
}