Catch any API mis-use with an assert. This should abort when the
user calls unreferences the pool more times than it's referenced.
Also change the refcount check to explicitly check for positive
counts. That makes the condition more readable.
Signed-off-by: Simon Ser <contact@emersion.fr>
wl_shm_buffer.pool is never set to NULL. The only time it's set is
in shm_pool_create_buffer, and the pool is guaranteed to be non-NULL
there.
Signed-off-by: Simon Ser <contact@emersion.fr>
While MAP_FAILED is generally defined to that value, we should not be
relying on implementation details of system headers.
Signed-off-by: Alex Richardson <Alexander.Richardson@cl.cam.ac.uk>
Reviewed-by: Simon Ser <contact@emersion.fr>
If a client set the F_SEAL_SHRINK seal on the fd before passing it to
the compositor, the kernel will ensure this fd won’t be able to shrink,
ever. This allows us to avoid setting up the SIGBUS handlers on such
file descriptors.
Signed-off-by: Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
The printf() format specifier "%m" is a glibc extension to print
the string returned by strerror(errno). While supported by other
libraries (e.g. uClibc and musl), it is not widely portable.
In Wayland code the format string is often passed to a logging
function that calls other syscalls before the conversion of "%m"
takes place. If one of such syscall modifies the value in errno,
the conversion of "%m" will incorrectly report the error string
corresponding to the new value of errno.
Remove all the occurrences of the specifier "%m" in Wayland code
by using directly the string returned by strerror(errno).
Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
When an mmap() fails, a WL_SHM_ERROR_INVALID_FD is raised and the client
is killed.
However, there is no indication of the actual system error that caused
mmap() to fail, which makes such error harder to investigate.
Provide the actual error message that caused mmap() to fail.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Jonas Ådahl <jadahl@gmail.com>
Add static const modifiers to the shm_pool_interface definition,
making it consistent with the other wl_*_interface definitions and
mundanely safer.
Note that this does not affect the ABI, according to abi-dumper and
abi-compliance-checker[1]; and weston and its shm-backed clients still
run as expected.
[1]: http://lvc.github.io/abi-compliance-checker/
Signed-off-by: Yong Bakos <ybakos@humanoriented.com>
Tested-by: Yong Bakos <ybakos@humanoriented.com>
Acked-by: Bryce Harrington <bryce@osg.samsung.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Some headers and source files have been using types such as uint32_t
without explicitly including stdint.h.
Explicitly include stdint.h where appropriate.
Signed-off-by: Yong Bakos <ybakos@humanoriented.com>
Reviewed-by: Eric Engestrom <eric.engestrom@imgtec.com>
wayland-shm.c uses WL_EXPORT and wl_array, which are defined in
wayland-util.h.
Include wayland-util.h explicitly, rather than transitively through
wayland-server.h.
Signed-off-by: Yong Bakos <ybakos@humanoriented.com>
Reviewed-by: Sam Spilsbury <smspillaz@gmail.com>
If wl_shm_buffer_get_data() is called on a shm pool that has an external
reference and a pending resize, then the buffer may be outside the pool's
current mapping.
Log a warning if this happens.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
If a compositor is rendering in one thread while dispatching wayland
events in another, a wl_shm_pool_resize() could change the memory
mappings it's rendering from and cause a crash.
Now we defer wl_shm_pool_resize() if the compositor has references on a
pool, and perform the actual resize when it drops those references.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
This is a preliminary step towards deferring shm resize operations until
after the compositor has released all external references on a pool.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
If the client passed a size <= 0 to shm_create_pool, it would
go to err_free, which wouldn't close the fd, and thus leave it opened.
We can also move the size check before the struct wl_shm_pool
malloc, so in case the client passes a wrong size, it won't
do an unnecessary malloc and then free.
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Marek Chalupa <mchqwerty@gmail.com>
Reviewed-by: Derek Foreman <derekf@osg.samsung.com>
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Marek Chalupa <mchqwerty@gmail.com>
Reviewed-by: Derek Foreman <derekf@osg.samsung.com>
There's no situation where a shm buffer without a pool makes sense,
so we enforce the pool's existence a little more rigidly.
Acked-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Giulio Camuffo <giuliocamuffo@gmail.com>
In wayland-server.c we group the deprecated functions and
disable doxygen for them. Do that here too.
Acked-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Giulio Camuffo <giuliocamuffo@gmail.com>
From irc:
<pq> it creates a wl_buffer object in a way that no client can ever
access the storage.
So, let's replace it with return NULL; and mark it with attribute
deprecated in the header.
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Giulio Camuffo <giuliocamuffo@gmail.com>
Sometimes the compositor wants to make sure a shm pool doesn't disappear
out from under it.
For example, in Enlightenment, rendering happens in a separate thread
while the main thread can still dispatch events. If a client is destroyed
during rendering, all its resources are cleaned up and its shm pools are
unmapped. This causes the rendering thread to segfault.
This patch adds a way for the compositor to increment the refcount of the
shm pool so it can't disappear, and decrement it when it's finished.
The ref/unref are asymmetrical (ref returns the pool) because it's
possible the buffer itself will be gone when you need to unref the pool.
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
It would be possible to make the compositor leak file descriptors by
passing descriptors of open unmmapable files to it, such as /dev/null.
Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
Linux will let you mmap a region of a file that is larger than the
size of the file. If you then try to read from that region the process
will get a SIGBUS signal. Currently the clients can use this to crash
a compositor because it can create a pool and lie about the size of
the file which will cause the compositor to try and read past the end
of it. The compositor can't simply check the size of the file to
verify that it is big enough because then there is a race condition
where the client may truncate the file after the check is performed.
This patch adds the following two public functions in the server API
which can be used wrap access to an SHM buffer:
void wl_shm_buffer_begin_access(struct wl_shm_buffer *buffer);
void wl_shm_buffer_end_access(struct wl_shm_buffer *buffer);
The first time wl_shm_buffer_begin_access is called a signal handler
for SIGBUS will be installed. If the signal is caught then the buffer
for the current pool is remapped to an anonymous private buffer at the
same address which allows the compositor to continue without crashing.
The end_access function will then post an error to the buffer
resource.
The current pool is stored as part of some thread-local storage so
that multiple threads can safely independently access separate
buffers.
Eventually we may want to add some more API so that compositors can
hook into the signal handler or replace it entirely if they also want
to do some SIGBUS handling.
The wl_client_add/new_object() functions sends out an NO_MEMORY error if
the allocation fails. This was convenient in a couple of places where
that was all the error handling that was needed. Unfortunately that
looks like out-of-memory isn't handled at the call site and set a bad
precedent for not cleaning up properly or not handling at all.
As we're introducing wl_resource_create() as a replacement for those two
functions, let's remove the automatic error event posting and require
the caller to do that if necessary.
This commit also introduces a new helper, wl_client_post_no_memory() to
make it possible to send NO_MEMORY events from bind where we don't have
a wl_resource.
A new function, wl_resource_create(), lets the compositor create a
wl_resource for a given version of the interface. Passing 0 for the
object ID will allocate a new ID. The implementation, user data and
destructor can be set with wl_resource_set_implementation().
These two functions deprecates wl_client_add/new_object and the
main difference and motivation is the ability to provide a version number
for the resource. This lets the compositor track which version of the
interface a client has created and we'll use that to verify incoming requests.
Signed-off-by: Jason Ekstrand <jason@jlekstrand.net>
With the work to add wl_resource accessors and port weston to use them,
we're ready to make wl_resource and wl_object opaque structs. We keep
wl_buffer in the header for EGL stacks to use, but don't expose it by
default. In time we'll remove it completely, but for now it provides a
transition paths for code that still uses wl_buffer.
Reviewed-by: Jason Ekstrand<jason@jlekstrand.net>
This commit does not break ABI. It merely changes the types of some things
and adds a wl_shm_buffer_get function.
Signed-off-by: Jason Ekstrand <jason@jlekstrand.net>
This commit adds a wl_resource_init function for initializing wl_resource
structures similar to wl_client_add_object.
From this commit forward, wl_resource structures should not be initialized
manually, but should use wl_resource_init. In the event of a change to the
wl_resource structure, this allows us to protect against regressions by filling
in added fields with reasonable defaults. In this way, while changing
wl_object or wl_resource still constitutes an ABI break, compositors following
this rule will only need to be recompiled in order to properly link against the
new version.
Signed-off-by: Jason Ekstrand <jason@jlekstrand.net>
This avoids a valgrind error like:
==31496== Conditional jump or move depends on uninitialised value(s)
==31496== at 0x407620: weston_buffer_post_release (compositor.c:928)
==31496== by 0x406AEB: weston_surface_attach (compositor.c:725)
==31496== by 0x409EB8: pointer_attach (compositor.c:2009)
==31496== by 0x34ECE05D63: ffi_call_unix64 (unix64.S:75)
==31496== by 0x34ECE05784: ffi_call (ffi64.c:486)
==31496== by 0x5674C4D: wl_closure_invoke (connection.c:770)
==31496== by 0x566ECCB: wl_client_connection_data (wayland-server.c:255)
==31496== by 0x56722F9: wl_event_source_fd_dispatch (event-loop.c:79)
==31496== by 0x5672C99: wl_event_loop_dispatch (event-loop.c:410)
==31496== by 0x56705FF: wl_display_run (wayland-server.c:1004)
==31496== by 0x40C775: main (compositor.c:2937)
==31496== Uninitialised value was created by a heap allocation
==31496== at 0x4A074CD: malloc (vg_replace_malloc.c:236)
==31496== by 0x5670EA7: shm_pool_create_buffer (wayland-shm.c:113)
==31496== by 0x34ECE05D63: ffi_call_unix64 (unix64.S:75)
==31496== by 0x34ECE05784: ffi_call (ffi64.c:486)
==31496== by 0x5674C4D: wl_closure_invoke (connection.c:770)
==31496== by 0x566ECCB: wl_client_connection_data (wayland-server.c:255)
==31496== by 0x56722F9: wl_event_source_fd_dispatch (event-loop.c:79)
==31496== by 0x5672C99: wl_event_loop_dispatch (event-loop.c:410)
==31496== by 0x56705FF: wl_display_run (wayland-server.c:1004)
==31496== by 0x40C775: main (compositor.c:2937)
The wayland protocol, as X, uses timestamps to match up certain
requests with input events. The problem is that sometimes we need to
send out an event that doesn't have a corresponding timestamped input
event. For example, the pointer focus surface goes away and new
surface needs to receive a pointer enter event. These events are
normally timestamped with the evdev event timestamp, but in this case,
we don't have a evdev timestamp. So we have to go to gettimeofday (or
clock_gettime()) and then we don't know if it's coming from the same
time source etc.
However for all these cases we don't need a real time timestamp, we
just need a serial number that encodes the order of events inside the
server. So we introduce a serial number mechanism that we can use to
order events. We still need real-time timestamps for actual input
device events (motion, buttons, keys, touch), to be able to reason
about double-click speed and movement speed so events that correspond to user input carry both a serial number and a timestamp.
The serial number also give us a mechanism to key together events that
are "logically the same" such as a unicode event and a keycode event,
or a motion event and a relative event from a raw device.
There's a big cost to setting up and tearing down a mmap and faulting in
the pages to back it. For cases where we're continuously reallocating
shm wl_buffers (resizing a surface, typically) it is a big performance
improvement to be able to reuse a mmap area. This change makes the shm
buffer allocation a two step process: first allocate a wl_shm_pool, then
allocate a buffer from the pool. The wl_shm_pool encapsulate the shared
memory pool, and lets clients allocate wl_buffers backed by chunks of that
memory. Buffers are allocated at an offset into the pool, so it's possible
to create multiple buffers from one pool, for example for icons or cursor
images.
