In wl_display_add_shm_format(), check the return value from
wl_array_add() before dereferencing it and assigning it a value.
Return the resulting pointer back to the caller.
Signed-off-by: U. Artie Eoff <ullysses.a.eoff@intel.com>
POSIX says to set errno=0 before calling strtol since
the return value alne cannot tell a failure.
on ubuntu armel I get:
../src/wayland-scanner client-header < ../../protocol/wayland.xml > wayland-client-protocol.h
<stdin>:1188: error: invalid integer (2)
Signed-off-by: Adrian Negreanu <adrian.m.negreanu@intel.com>
Restart the poll() if we take a signal. This is easily triggered in
an application that ends up blocking in eglSwapBuffers(), and causes EGL
to fail to allocate a back buffer.
This will be useful in order to implement the
EGL_WL_create_wayland_buffer_from_image extension. The buffers created
within Mesa's Wayland platform are created using the the wl_drm object
as a proxy factory which means they will be set to use Mesa's internal
event queue. However, these buffers will be owned by the client
application so they ideally need to use the default event loop. This
function provides a way to set the proxy's event queue back to the
default.
krh: Edited from Neils original patch to just use wl_proxy_set_queue() with
a NULL argument instead of introducing a new function.
If posix_fallocate is available, use it to detect when we are running
out of buffer space.
Propagate the failure properly through the various functions, stopping
loading cursors but keeping the cursors that were already successfully
loaded.
This may result in an animated cursor not having all of its images, or a
cursor theme not having all of its cursors. When that happens, the
failure is NOT communicated to the application. Instead, the application
will get NULL from wl_cursor_theme_get_cursor() for a cursor that was
not loaded successfully. If an animated cursor is missing only some
images, the animation is truncated but the cursor is still available.
This patch relies on the commit "os: use posix_fallocate in creating
sharable buffers" for defining HAVE_POSIX_FALLOCATE.
Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
If posix_fallocate is available, use it instead of ftruncate. Unlike
ftruncate, when posix_fallocate succeeds, it guarantees that you cannot
run out of disk space, when later writing to the mmap()'ed file.
With posix_fallocate, if os_create_anonymous_file() succeeds, the
program cannot get a SIGBUS later from accessing this file via mmap. If
there is insufficient disk space, the function fails and errno is set to
ENOSPC.
This is useful on systems, that limit the available buffer space by
having XDG_RUNTIME_DIR on a small tmpfs.
Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Otherwise the tail of fds_in buffer would just shift beyond the beginning.
That confuses the actual request handler and results in a crash further on
due to corrupted tail.
Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
A bug in Weston's toytoolkit gave me an hour of debugging headaches.
Improve the error messages that we send if a client requests an invalid
global, either by name or by version.
The server requires clients to only allocate one ID ahead of the previously
highest ID in order to keep the ID range tight. Failure to do so will
make the server close the client connection. However, the way we allocate
new IDs is racy. The generated code looks like:
new_proxy = wl_proxy_create(...);
wl_proxy_marshal(proxy, ... new_proxy, ...);
If two threads do this at the same time, there's a chance that thread A
will allocate a proxy, then get pre-empted by thread B which then allocates
a proxy and then passes it to wl_proxy_marshal(). The ID for thread As
proxy will be one higher that the currently highest ID, but the ID for
thread Bs proxy will be two higher. But since thread B prempted thread A
before it could send its new ID, B will send its new ID first, the server
will see the ID from thread Bs proxy first, and will reject it.
We fix this by introducing wl_proxy_marshal_constructor(). This
function is identical to wl_proxy_marshal(), except that it will
allocate a wl_proxy for NEW_ID arguments and send it, all under the
display mutex. By introducing a new function, we maintain backwards
compatibility with older code from the generator, and make sure that
the new generated code has an explicit dependency on a new enough
libwayland-client.so.
A virtual Wayland merit badge goes to Kalle Vahlman, who tracked this
down and analyzed the issue.
Reported-by: Kalle Vahlman <kalle.vahlman@movial.com>
The sub-surface protocol was originally committed into Weston on May
10th, 2013, in commit 2396aec6842c709a714f3825dbad9fd88478f2e6. The
design for the protocol had started in the beginning of December 2012. I
think it is high time to move this into the core now.
This patch copies the sub-surface protocol as it was in Weston on Nov
15th, 2013, into Wayland. Weston gets a patch to remove the protocol from
there.
Sub-surface is a wl_surface role. You create a wl_surface as usual, and
assign it the sub-surface role and a parent wl_surface. Sub-surfaces are
an integral part of the parent surface, and stay glued to the parent.
For window management, a window is the union of the top-level
wl_surface and all its sub-surfaces. Sub-surfaces are not clipped to the
parent, and the union of the surface tree can be larger than the
(top-level) wl_surface at its root.
The representative use case for sub-surfaces is a video player window.
When the video content is given its own wl_surface, there is no need to
modify the video frame contents after decoding or copy them into a whole
window sized buffer before submitting it to the compositor. This allows
efficient, zero-copy video presentation paths, where video decoding
hardware produces a (YUV) buffer, which eventually ends up in a
(YUV-capable) hardware overlay and is scanned out directly.
This can also be used for zero-copy presentation of windowed OpenGL
content, where the OpenGL rendering engine does not need to draw or
avoid window decorations.
Sub-surfaces allow mixing different buffer types into the same window,
e.g. software-rendered decorations in wl_shm buffers, and live content
in EGL-based buffers.
However, the sub-surface extension does not offer clipping or scaling
facilities, or accurate presentation timing. Those are topics for
additional extensions.
Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
It would be possible to make the compositor leak file descriptors by
passing descriptors of open unmmapable files to it, such as /dev/null.
Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
The generated code only support one new-id per request, since the stubs
return the new proxy. It's still possible to send requests with multiple
new-id arguments, but it must be done with
wl_proxy_marshal_array_constructor().
Linux will let you mmap a region of a file that is larger than the
size of the file. If you then try to read from that region the process
will get a SIGBUS signal. Currently the clients can use this to crash
a compositor because it can create a pool and lie about the size of
the file which will cause the compositor to try and read past the end
of it. The compositor can't simply check the size of the file to
verify that it is big enough because then there is a race condition
where the client may truncate the file after the check is performed.
This patch adds the following two public functions in the server API
which can be used wrap access to an SHM buffer:
void wl_shm_buffer_begin_access(struct wl_shm_buffer *buffer);
void wl_shm_buffer_end_access(struct wl_shm_buffer *buffer);
The first time wl_shm_buffer_begin_access is called a signal handler
for SIGBUS will be installed. If the signal is caught then the buffer
for the current pool is remapped to an anonymous private buffer at the
same address which allows the compositor to continue without crashing.
The end_access function will then post an error to the buffer
resource.
The current pool is stored as part of some thread-local storage so
that multiple threads can safely independently access separate
buffers.
Eventually we may want to add some more API so that compositors can
hook into the signal handler or replace it entirely if they also want
to do some SIGBUS handling.
The scanner is not very forgiving if the protocol doesn't match it's
expectations and crashes without much of a notice. Thus, validate the protocol
against a DTD.
Move the protocol subdir forward so we validate first before trying anything
else, and install the DTD so we can validate weston's protocols as well.
In wl_display_dispatch_queue, if poll fails then it would previously
return immediately and leak a reference in display->reader_count. Then
if the application ignores the error and tries to read again it will
block forever. This can happen for example if the poll fails with
EINTR which the application might consider to be a recoverable error.
This patch makes it cancel the read so the reader_count will be
decremented when poll fails.
