| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
| |
If the remote side sends sufficiently large `length` field, it will
overflow the `p` pointer. Technically it is undefined behavior, in
practice it makes `p < end`, so the length check passes. Attempts to
access the data later causes crashes.
This issue manifests only on 32bit systems, but the behavior is
undefined everywhere.
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Derek Foreman <derek.foreman.samsung@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The DIV_ROUNDUP macro would overflow when trying to round values higher
than MAX_UINT32 - (a - 1). The result is 0 after the division. This is
potential security issue when demarshalling an array because the length
check is performed with the overflowed value, but then the original huge
value is stored for later use.
The issue was present only on 32bit platforms. The use of size_t in the
DIV_ROUNDUP macro already promoted everything to 64 bit size on 64 bit
systems.
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Derek Foreman <derek.foreman.samsung@gmail.com>
Style changes by Derek Foreman
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
commit d94a8722cb29d8b897672be66ff3c9ff79eab6fe
warned this was coming, back in 2013.
I've seen libraries that have wayland client and server using functions
in the same file. Since struct wl_buffer still exists as an opaque
entity in client code, the vestigial deprecated wl_buffer from the
server include will generate warnings when not building with
WL_HIDE_DEPRECATED.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Acked-by: Emil Velikov <emil.velikov@collabora.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Daniel Stone <daniels@collabora.com>
|
| |
|
|
|
|
|
|
|
| |
Nothing on the client side uses it since
9fe75537ad207c1496e6d9be41a8f5af4b876506 which was just before the 0.99
release.
Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-By: Markus Ongyerth <wl@ongy.net>
|
| |
|
|
|
|
|
|
|
| |
It's already possible to reference foreign interfaces, so it
should also be possible to reference foreign enums.
Signed-off-by: Simon Ser <contact@emersion.fr>
Reviewed-by: Silvan Jegen <s.jegen@gmail.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the past much code (weston, efl/enlightenment, mutter) has
freed structures containing wl_listeners from destroy handlers
without first removing the listener from the signal. As the
destroy notifier only fires once, this has largely gone
unnoticed until recently.
Other code does not (Qt, wlroots) - and removes itself from
the signal before free.
If somehow a destroy signal is listened to by code from both
kinds of callers, those that free will corrupt the lists for
those that don't, and Bad Things will happen.
To avoid these bad things, remove every item from the signal list
during destroy emit, and put it in a list all its own. This way
whether the listener is removed or not has no impact on the
following emits.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Simon Ser <contact@emersion.fr>
Reviewed-by: Markus Ongyerth <wl@ongy.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
commit 3cddb3c692acd3536a7cc8542a29f0cc3c0ac3d6 casted len to an
unsigned value to compare to sizeof results. However,
wl_connection_read() can fail, setting errno to EAGAIN and returning
a value of -1.
When cast to an unsigned type this leads to a loop condition of true
when it should be false.
Signed-off-by: Dipen Somani <dipen.somani@samsung.com>
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Derek Foreman <derekf@osg.samsung.com>
|
| |
|
|
|
|
|
|
| |
previous commit, a9187853d44db41206b5d16a770d4db108972812 added
a trailing { on a line it shouldn't have, and I pushed without
building first.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
commit 239ba39331420f953de35c337ae57db35573f9cb which was intended
to stop leaking fds in events for zombie objects didn't notice that
passing 0 to wl_connection_close_fds_in() would still close fds.
Test the fd count before calling.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
|
| |
|
|
|
|
| |
Missing a closing bracket.
Reviewed-by: Daniel Stone <daniels@collabora.com>
|
| |
|
|
|
|
|
|
|
| |
A more generic way to evaluating various attributes, __has_attribute is
available with gcc, clang, even the Oracle/Sun compiler.
Signed-off-by: Emil Velikov <emil.velikov@collabora.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Derek Foreman <derekf@osg.samsung.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The options are used to indicate how the code will be used - will it be
public, as part of a DSO or private.
In nearly every instance, people want to use the latter. One noticeable
exception is the wayland libraries. They provide the base marshalling
protocol that everyone uses.
The option "code" was deprecated in favour of "public-code" with a
warning message produced to guide people.
Signed-off-by: Emil Velikov <emil.velikov@collabora.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Derek Foreman <derekf@osg.samsung.com>
|
| |
|
|
|
|
|
| |
v2: Rebase, address wayland-client-uninstalled
Signed-off-by: Emil Velikov <emil.velikov@collabora.com>
Reviewed-by: Derek Foreman <derekf@osg.samsung.com> (v1)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Like the similar wl_log() message further into this function that was
fixed in commit 2fc248dc2c877d02694db40aad52180d71373d5a this should
be printing the sender_id saved earlier instead of *p.
Since p is incremented during the loop it would not only print an
incorrect object id, it could read past the end of the array.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
|
| |
|
|
|
|
|
| |
Now we have all the wayland-egl bits in a single place.
Signed-off-by: Emil Velikov <emil.velikov@collabora.com>
Reviewed-by: Arnaud Vrac <avrac@freebox.fr>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When an mmap() fails, a WL_SHM_ERROR_INVALID_FD is raised and the client
is killed.
However, there is no indication of the actual system error that caused
mmap() to fail, which makes such error harder to investigate.
Provide the actual error message that caused mmap() to fail.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Jonas Ådahl <jadahl@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug [1] reported that wl_display_destroy() doesn't destroy clients, so
client socket file descriptors are being kept open until the compositor
process exits.
Patch [2] proposed to destroy clients in wl_display_destroy(). The
patch was not accepted because doing so changes the ABI.
Thus, a new wl_display_destroy_clients() function is added in this
patch. It should be called by compositors right before
wl_display_destroy().
[1] https://bugs.freedesktop.org/show_bug.cgi?id=99142
[2] https://patchwork.freedesktop.org/patch/128832/
Signed-off-by: Simon Ser <contact@emersion.fr>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Acked-by: Daniel Stone <daniels@collabora.com>
|
| |
|
|
| |
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
commit 52609ddf79a96fee0465006e2c6339a3a5d23a87 was intended to
set fds to -1 in the arg list, however it failed to account for
version information at the start of signatures.
Most noticably, this broke mesa's create_prime_buffer by setting
width to -1 instead of the fd, as the width was the argument
following the fd, and the version was one byte long.
This should close https://bugs.kde.org/show_bug.cgi?id=389200
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Daniel Stone <daniels@collabora.com>
|
| |
|
|
|
|
|
|
|
| |
The client connection is destroyed by the server in several
circumstances. This patch adds log messages in case the connection is
destroyed due to an error other than normal hangup.
Signed-off-by: Mathias Fiedler <mathias_fiedler@mentor.com>
Reviewed-by: Derek Foreman <derekf@osg.samsung.com>
|
| |
|
|
|
|
|
|
|
|
| |
We need to close file descriptors sent to zombie proxies to avoid leaking
them, and perhaps more importantly, to prevent them from being dispatched
in events on other objects (since they would previously be left in the
buffer and potentially fed to following events destined for live proxies)
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Using the singleton zombie object doesn't allow us to posthumously retain
object interface information, which makes it difficult to properly inter
future events destined for the recently deceased proxy.
Notably, this makes it impossible for zombie proxy destined file
descriptors to be properly consumed.
When we create a proxy, we now create a zombie-state object to hold
information about the file descriptors in events it can receive. This
will allow us, in a future patch, to close those FDs.
[daniels: Split Derek's patch into a few smaller ones.]
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Closures created to hold events which will be dispatched on the client,
take a reference to the proxy for the object the event was sent to, as
well as the proxies for all objects referenced in that event.
These references are dropped immediately before dispatch, with the
display lock also being released. This leaves the potential for a
vanishingly small race, where another thread drops the last reference
on one of the proxies used in an event as it is being dispatched.
Fix this by splitting decrease_closure_args_refcount into two functions:
one which validates the objects (to ensure that clients are not returned
objects which they have destroyed), and another which unrefs all proxies
on the closure (object event was sent to, all referenced objects) as
well as the closure itself. For symmetry, increase_closure_args_refcount
is now the place where the refcount for the proxy for the object the
event was sent to, is increased.
This also happens to fix a bug: previously, if an event was sent to a
client-destroyed object, and the event had object arguments, a reference
would be leaked on the proxy for each of the object arguments.
Found by inspection whilst reviewing the zombie-FD-leak series.
Signed-off-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Derek Foreman <derekf@osg.samsung.com>
Cc: Jonas Ådahl <jadahl@gmail.com>
Cc: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
|
| |
|
|
|
|
|
|
|
|
| |
Rather than open-coded decrement-and-maybe-free, introduce a
wl_proxy_unref helper to do this for us. This will come in useful for
future patches, where we may also have to free a zombie object.
Signed-off-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Derek Foreman <derekf@osg.samsung.com>
Cc: Jonas Ådahl <jadahl@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit e273c7cde added a refcount to wl_proxy. The refcount is set to 1
on creation, decreased when the client explicitly destroys the proxy,
and is increased and decreased every time an event referencing that
proxy is queued.
Assuming no bugs, this means the refcount cannot reach 0 without the
proxy being explicitly destroyed. However, some (not all) of the
proxy-unref paths were only destroying the proxy if it had already been
deleted. This should already be enforced by refcounting, so remove the
check and rely solely on the refcount as the arbiter of when to free a
proxy.
Signed-off-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Derek Foreman <derekf@osg.samsung.com>
Cc: Jonas Ådahl <jadahl@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Since we now have the WL_MAP_ENTRY_ZOMBIE flag to determine whether or
not a client-side object is a zombie, we can remove the faux object.
[daniels: Extracted from Derek's bespoke-zombie patch as an intermediate
step.]
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
|
| |
|
|
|
|
|
|
|
|
| |
This makes it easier for future patches in the series, which can
possibly return NULL for extant map entries.
[daniels: Extracted from Derek's bespoke-zombie patch as an intermediate
step.]
Reviewed-by: Daniel Stone <daniels@collabora.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a new map entry flag to indicate that the object received is valid,
but a zombie. Previously this relied on a fixed object pointer, but
future patches in this series will have map entries returning either
NULL, or a different structure type entirely, for zombie objects.
wl_object_is_zombie() now solely uses the new flag to determine whether
or not the object is a zombie.
[daniels: Extracted from Derek's bespoke-zombie patch as an intermediate
step.]
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Add a helper function which determines whether or not an object is a
zombie.
[daniels: Extracted from Derek's bespoke-zombie patch as an intermediate
step.]
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
|
| |
|
|
|
|
|
|
|
| |
On the client side we're going to need to know if an object from the
map is a zombie before we attempt to dereference it, so we need to
pass this to the iterator.
Reviewed-by: Daniel Stone <daniels@collabora.com>
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
When we have a closure that can't be dispatched for some reason, and it
contains file descriptors, we must close those descriptors to prevent
leaking them.
Previous commits ensure that only FDs belonging to this invocation of
the closure, i.e. not FDs provided by the client for marshalling, nor
FDs which have already been dispatched to either client or server, will
be left in the closure by destroy time.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
This initializes all the fd arguments in closures to -1 and clears
them back to -1 when they've been dispatched or serialized.
This means that any valid fd in a closure is currently libwayland's
responsibility to close in the case of an error.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
|
| |
|
|
|
|
|
|
|
|
| |
Moves the common/similar bits into one place.
This has a minor functional change - count and message are now initialized
immediately, previously they'd only be set if (de)marshal was successful.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This seems foolishly cosmetic on the surface - and will reorder log
messages in certain failure cases. "request could not be marshalled"
will now appear after logging the request that failed to marshal
instead of before.
The real point of this is that a follow up patch will make
wl_closure_send() set fds to -1 as it buffers them for send, so
they can be more easily cleaned up.
Doing that while leaving this order unchanged would result in
printing -1 for fds instead of their value.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
|
| |
|
|
|
|
|
|
| |
We can sizeof the struct type instead of declaring a pointer and
taking the size of what it points to.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In order to support system compositor instances, it is necessary to
allow clients' wl_display_connect() to find the compositor's listening
socket somewhere outside of XDG_RUNTIME_DIR. For a full account, see
the discussion beginning here:
https://lists.freedesktop.org/archives/wayland-devel/2017-November/035664.html
This change adjusts the client-side connection logic so that, if
WAYLAND_DISPLAY is formatted as an absolute pathname, the socket
connection attempt is made to just $WAYLAND_DISPLAY rather than
usual user-private location $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY.
This change is based on Davide Bettio's submission of the same concept
at:
https://lists.freedesktop.org/archives/wayland-devel/2015-August/023838.html.
v4 changes:
* Improved internal comments and some boundary-condition
error checks in test case.
* Refer to compositor as "Wayland server" rather than "Wayland
display" in wl_display_connect() doxygen comments.
* Remove redundant descriptions of parameter-interpretation
mechanics from wl_display_connect() manpage. Reworked things
to make it clear that 'name' and $WAYLAND_DISLAY are each
capable of encoding absolute server socket paths.
* Remove callout to reference implementation behavior in protocol
documented. In its place there is now a simple statement that
implementations can optionally support absolute socket paths.
v3 changes:
* Added test case.
* Clarified documentation to note that 'name' parameter to wl_display_connect()
can also be an absolute path.
v2 changes:
* Added backward incompatibility note to wl_display_connect() manpage.
* Rephased wl_display_connect() manpage changes to precisely match actual
changed behavior.
* Added mention of new absolute path behavior in wl_display_connect()
doxygen comments.
* Mentioned new absolute path interpretation of WAYLAND_DISPLAY in
protocol documentation.
Signed-off-by: Matt Hoosier <matt.hoosier@gmail.com>
Acked-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
|
| |
|
|
|
|
|
|
| |
Add a --strict flag for making wayland-scanner fail if the DTD
verification fails. This is useful for testing, so that a test case can
fail a scan when the protocol doesn't comply with the DTD.
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
|
| |
|
|
|
|
|
| |
There were two places where we did the same calculation manually.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Both the blocks in this if/else clause do the same thing, so combine
the comparisons into one.
No functional change.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
All current callers close all fds, so this has gone unnoticed, but if
we close less than all fds with close_fds() we leak all the unclosed
ones and ruin further event demarshalling.
A future patch will close less than the full buffer's worth of fds,
so this is now noticed.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This *technically* changes the semantics of the return value of the source callbacks.
Previously you could return a negative number from a source callback and it would prevent
*other* source callbacks from triggering a subsequent recheck.
Doing that seems like such a bad idea it's not worth supporting.
v2: Log this case if it is hit, so we don't silently change behaviour.
Signed-off-by: Christopher James Halse Rogers <christopher.halse.rogers@canonical.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
|
| |
|
|
|
|
|
|
|
|
| |
Add some inline information, what the macro is used for, why it came to
be and what we shouldn't do if we consider further deprecation in the future
deprecation.
Cc: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Signed-off-by: Emil Velikov <emil.velikov@collabora.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
|
| |
|
|
|
|
|
|
|
|
|
| |
This documents all the public API related to wl_event_loop and
wl_event_source objects.
Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Yong Bakos <ybakos@humanoriented.com>
[Pekka: fixed typos pointed by Yong]
[Pekka: fixed typos pointed by Christopher]
Reviewed-By: Christopher James Halse Rogers <christopher.halse.rogers@canonical.com>
|
| |
|
|
|
|
|
| |
File uses tabs, barring the few instances fixed with this patch.
Signed-off-by: Emil Velikov <emil.velikov@collabora.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
|
| |
|
|
|
|
|
| |
Nothing in the existing codebase references the file.
Signed-off-by: Emil Velikov <emil.velikov@collabora.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
|
| |
|
|
|
|
|
|
|
|
|
| |
GCC 7 now requires an explicit comment noting that case statements
without a break fall through. We already had one of those in the
scanner, but GCC wasn't smart enough to pick it up.
Quiet the warning by making the comment less elaborate.
Signed-off-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Yong Bakos <ybakos@humanoriented.com>
|
| |
|
|
|
|
|
|
|
| |
Used only internally and explicitly marked as such with commit
cf04b0a18f2 ("Move private definitions and prototypes to new
zwayland-private.h")
Signed-off-by: Emil Velikov <emil.velikov@collabora.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
|
| |
|
|
|
|
|
| |
Those struct members are no longer used so we can remove them.
Signed-off-by: Sergi Granell <xerpi.g.12@gmail.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix this set of warnings appearing three times during a build:
/home/pq/git/wayland/src/wayland-server.c:1868: warning: class
`wl_priv_signal' for related function `wl_priv_signal_init' is not
documented.
/home/pq/git/wayland/src/wayland-server.c:1884: warning: class
`wl_priv_signal' for related function `wl_priv_signal_add' is not
documented.
/home/pq/git/wayland/src/wayland-server.c:1899: warning: class
`wl_priv_signal' for related function `wl_priv_signal_get' is not
documented.
Our Wayland docbook don't include private things, so make sure these do
not end up there. This removes the mention of wl_priv_signal_emit from
the Server API docbook. I have no idea why the other functions did not
appear there.
Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Yong Bakos <ybakos@humanoriented.com>
|
| |
|
|
|
| |
Signed-off-by: Yong Bakos <ybakos@humanoriented.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
|
