Without this commit, wl_display_roundtrip_queue() is vulnerable to a
race condition, causing the callback to be dispatched on the wrong
queue.
The race condition happens if some non-main thread calls
wl_display_roundtrip_queue() with its thread local queue, and the main
thread reads and dispatches the callback event from the
wl_display_sync() call before the thread local queue is set.
The issue is fixed by using a proxy wrapper, making the initialization
of the callback proxy atomic, effectively making it no longer possible
for some other thread to dispatch the proxy before the correct thread
local queue is set.
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
[Pekka: check display_wrapper]
Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Using the libwayland-client client API with multiple threads with
thread local queues are prone to race conditions.
The problem is that one thread can read and queue events after another
thread creates a proxy but before it sets the queue.
This may result in the event to the proxy being silently dropped, or
potentially dispatched on the wrong thread had the creating thread set
the implementation before setting the queue.
This patch introduces API to solve this case by introducing "proxy
wrappers". In short, a proxy wrapper is a wl_proxy struct that will
never itself proxy any events, but may be used by the client to set a
queue, and use it instead of the original proxy when sending requests
that creates new proxies. When sending requests, the wrapper will
work in the same way as the normal proxy object, but the proxy created
by sending a request (for example wl_display.sync) will inherit to the
same proxy queue as the wrapper.
https://bugs.freedesktop.org/show_bug.cgi?id=91273
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Derek Foreman <derekf@osg.samsung.com>
proxy_destroy() is just the implementation of the atomic part of
wl_proxy_destroy(), so lets make it static.
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
the code is something like:
if (object == NULL && ...) {
object = NULL;
return;
}
first, the object is already NULL, second, the assignment has no effect
since we return from the function right away
Signed-off-by: Marek Chalupa <mchqwerty@gmail.com>
Reviewed-by: Eric Engestrom <eric.engestrom@imgtec.com>
Reviewed-by: Jonas Ådahl <jadahl@gmail.com>
Analogous to last two commits.
Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Quentin Glidic <sardemff7+git@sardemff7.net>
Analogous to previous commit but for the server(-core) header.
Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Quentin Glidic <sardemff7+git@sardemff7.net>
Adding extern "C" wrapper before includes (especially system ones) is
illadvised as the headers themselves can behave diffently in that case.
See the section "Including C Headers in C++ Code" in the following
http://www.oracle.com/technetwork/articles/servers-storage-dev/mixingcandcpluspluscode-305840.html
Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Quentin Glidic <sardemff7+git@sardemff7.net>
Adds one space to the @param lines in generated .h files,
aligning the indentation with the rest of the comment block.
Signed-off-by: Yong Bakos <ybakos@humanoriented.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Although autogen.sh has a --disable-dtd-validation option, it is
on by default, so it seems convenient to add the generated symlink
to .gitignore.
Signed-off-by: Yong Bakos <ybakos@humanoriented.com>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
If wl_shm_buffer_get_data() is called on a shm pool that has an external
reference and a pending resize, then the buffer may be outside the pool's
current mapping.
Log a warning if this happens.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
If a compositor is rendering in one thread while dispatching wayland
events in another, a wl_shm_pool_resize() could change the memory
mappings it's rendering from and cause a crash.
Now we defer wl_shm_pool_resize() if the compositor has references on a
pool, and perform the actual resize when it drops those references.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
This is a preliminary step towards deferring shm resize operations until
after the compositor has released all external references on a pool.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
If the client passed a size <= 0 to shm_create_pool, it would
go to err_free, which wouldn't close the fd, and thus leave it opened.
We can also move the size check before the struct wl_shm_pool
malloc, so in case the client passes a wrong size, it won't
do an unnecessary malloc and then free.
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
This switches the scanner to generate doxygen-compatible tags for the
generated protocol headers, and hooks up the doxygen build to generate server
and client-side API documentation. That documentation is now in
Client/ and Server/, respectively.
GENERATE_HTML is on by default and must be disabled for the xml/man targets to
avoid messing up the new documentation. We disable all three three targets in
the doxyfile (xml and man default to NO anyway) to make it obvious that they
need to be set in the per-target instructions.
Each protocol is a separate doxygen @page, with each interface a @subpage.
Wayland only has one protocol, wayland-protocols will have these nested.
Each protocol page has a list of interfaces and the copyright and description
where available.
All interfaces are grouped by doxygen @defgroup and @ingroups and appear in
"Modules" in the generated output. Each interface subpage has the description
and a link to the actual API doc.
Function, struct and #defines are documented in doxygen style and associated
with the matching interface.
Note that pages and groups have fixed HTML file names and are directly
linkable/bookmark-able.
The @mainpage is a separate file that's included at build time. It doesn't
contain much other than links to where the interesting bits are. It's a static
file though that supports markdown, so we can extend it easily in the future.
For doxygen we need the new options EXTRACT_ALL and OPTIMIZE_OUTPUT_FOR_C so
it scans C code properly. EXTRACT_STATIC is needed since most of the protocol
hooks are static.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
Before this patch:
$ scanelf -lpqe ./wayland-scanner
RWX --- --- ./wayland-scanner
That indicates the stack is executable, which is a bad thing for
security. Wayland-scanner does not actually need an executable stack, it
is just an oversight from using an .S file in the sources.
Add a special incantation in dtddata.S to make it not cause the stack to
become executable.
Reported-by: Mart Raudsepp <leio@gentoo.org>
Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Tested-by: Mart Raudsepp <leio@gentoo.org>
When configured with --disable-dtd-validation:
CPPAS src/dtddata.o
src/dtddata.S: Assembler messages:
src/dtddata.S:39: Error: file not found: src/wayland.dtd.embed
Makefile:1520: recipe for target 'src/dtddata.o' failed
This is because the variable name used does not match the implicit
variable name in autoconf.
Fix the variable name, making both --disable-dtd-validation and
--enable-dtd-validation to what they should.
Do not try to build dtddata.S if dtd-validation is disabled. It depends
on wayland.dtd.embed which is created by configure only if
dtd-validation is enabled.
If not building dtddata.S, also make sure the extern definitions in
scanner.c are compiled out.
Bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=575212
Reported-by: leio@gentoo.org
Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Quentin Glidic <sardemff7+git@sardemff7.net>
Tested-by: Bryce Harrington <bryce@osg.samsung.com>
If an error is received on a destroyed object, we'd get NULL passed
to display_handle_error() instead of a pointer to a valid wl_proxy.
The logging is changed to report [unknown interface] and [unknown id]
instead of the actual interface name and id.
The wl_display_get_protocol_error() documentation is updated to handle
the situation. For when the proxy was NULL, the object id 0 and
interface NULL is written.
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Marek Chalupa <mchqwerty@gmail.com>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
[Pekka: changed the error message wording]
Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Acked-by: Jonas Ådahl <jadahl@gmail.com>
This reverts commit 88ff135ad4.
The parent interface version may be higher than this interface version,
and the child object should inherit that version.
This check is wrong.
We shouldn't ever create a resource with version less than 1 or
greater than the interface version.
Reviewed-by: Marek Chalupa <mchqwerty@gmail.com>
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
When we are adding padding bytes making our wl_buffer buffer content 4
byte aligned, we are just moving the pointer. Since the buffer is
allocated using plain malloc(), this means our padding bytes are
effectively uninitialized data, which could be anything previously
allocated in the server process. As we'll be sharing this buffer
content with arbitrary clients, we are effectively sharing private
memory with every client, and even though a well behaving client will
discard any such memory, a malicious client may not.
Therefor, to avoid any potential missuse of the uninitialized padding
memory shared between the server and client, initialize the buffer
content to 0, making the padding bytes always 0.
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
Some copyright strings could result in broken generated header files with
unmatched */
This change:
Runs the loop long enough so the copyright[i] == 0 test can actually
happen. (if there was no \n no copyright text was printed, */ still was)
Prints the opening /* even if there was whitespace at the start of
the very first line.
Only emits a */ if a /* was printed.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Jon A. Cruz <jonc@osg.samsung.com>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
Don't just print prefix the errors with "protocol", but the actual file
name, if wayland-scanner was passed with the filename of the protocol
file. If wayland-scanner is reading from stdin, errors will be prefixed
with "<stdin>" instead of "protocol".
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: David Fort <contact@hardening-consulting.com>
Reviewed-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
0 is not a valid version number for registry bind requests, so
let's check for it in registry_bind.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
This adds an API to get the file descriptor for a client.
The client file descriptor can be used for a wayland compositor to validate
a request from a client if there are any additional information provided from
the client's file descriptor.
For instance, this will be helpful in some linux distributions, in which SELinux
or SMACK is enabled. In those environments, each file (including socket) will have
each security contexts in its inode as xattr member variable. A wayland compositor
can validate a client request by getting the file descriptor of the client and
by checking the security contexts associated with the file descriptor.
Signed-off-by: Sung-Jin Park <input.hacker@gmail.com>
This provides a standardized mechanism for tracking protocol object
versions in client code. The wl_display object is created with version 1.
Every time an object is created from within wl_registry_bind, it gets the
bound version. Every other time an object is created, it simply inherits
it's version from the parent object that created it.
(comments and minor reformatting added
by Derek Foreman <derekf@osg.samsung.com>)
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Second trivial commit squashed into this one:
Authored by Derek Foreman <derekf@osg.samsung.com>
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
(it's literally one of code and a lot of comments)
This sets wl_display's version (for proxy version query purposes)
to 0. Any proxy created with unversioned API (this happens when
a client compiled with old headers links against new wayland)
will inherit this 0.
This gives us a way for new libraries linked by old clients to
realize they can't know a proxy's version.
wl_display's version being unqueryable (always returning 0) is
an acceptable side effect, since it's a special object you can't
bind specific versions of anyway.
Second half:
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Jason Ekstrand <jason@jlekstrand.net>
wl_display_flush() may fail with EAGAIN which means that not all data
waiting in the buffer has been flushed. We later block until there is
data to read, which could mean that we block on input from the
compositor without having sent out all data from the client. Avoid this
by fully flushing the socket before starting to wait.
This commit also changes the array length of the struct pollfd array
from 2 to 1, as only one element was ever used.
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Instead of doing things that do the equivalent of using
wl_display_prepare_read() and friends, just use the public API. The
only semantical difference is that we will now unlock and lock the mutex
more times compared to before.
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
If flushing hits EPIPE it should not make it a fatal error since it
would make it impossible to process the rest of the data available in
the buffer. Instead, let reading the socket make EPIPE fatal, letting
the client have the possibility to process the last messages including
any error causing the termination.
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
There was documentation about how to integrate the display server file
descriptor in the documentation about wl_display_dispatch_pending().
This is not the right place to put it, and it also had incorrect usage
of the API (calling wl_display_dispatch_queue() on input on an unrelated
fd) as an example.
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Daniel Stone <daniels@collabora.com>
The current documentation about wl_display_dispatch() states one may not
mix wl_display_dispatch(_queue)() with wl_display_prepare_read() and
friends, but this is a misconception about how
wl_display_dispatch(_queue)() works. The fact is that the dispatch
functions does the equivalent of what the preparation API does
internally, and it is safe to use together.
What is not safe is to dispatch using the wl_display_dispatch(_queue)()
functions while being prepared to read using wl_display_read_events().
This patch rewrites the documentation to correctly state when the
various API's are thread safe and how they may not be used.
https://bugs.freedesktop.org/show_bug.cgi?id=91767
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
The gratuitous %m jammed onto the end of the string prints errno
concatenated with the word "version".
I've removed the %m, and printed some additional information about the
failure.
Also, reversed the order of the expressions in the conditional to
make it match the english in the log message.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
if display_resource = wl_resource_create() fails in bind_display(),
we call wl_client_post_no_memory() which is wrong, since this function
uses display_resource (which is NULL at this point).
said simply: don't send an error to resource that you've just failed to create)
https://bugs.freedesktop.org/show_bug.cgi?id=91356
Reported-by: Ashim <ashim.shah@samsung.com>
Signed-off-by: Marek Chalupa <mchqwerty@gmail.com>
Reviewed-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
Without this 'proxy' argument, the '%p' formatter prints a constant
garbage value.
Signed-off-by: Victor Berger <victor.berger@m4x.org>
Reviewed-by: Marek Chalupa <mchqwerty@gmail.com>
When processing a closure, data in the connection can be consumed again
if the closure itself invokes extra event dispatch. In that case the
remaining data size is also altered, so the variable len should be
updated after the closure is processed.
Signed-off-by: Jaeyoon Jung <jaeyoon.jung@lge.com>
Reviewed-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Derek Foreman <derekf@osg.samsung.com>
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Marek Chalupa <mchqwerty@gmail.com>
Reviewed-by: Derek Foreman <derekf@osg.samsung.com>
Put the various misplaced functions in the right class; partly because
its where they belong, and partly to make intra-class \ref(erences)
happy.
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Derek Foreman <derekf@osg.samsung.com>
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Marek Chalupa <mchqwerty@gmail.com>
Reviewed-by: Derek Foreman <derekf@osg.samsung.com>
If an event or request have a "since" attribute that is larger than
the version of the interface it is in, fail with an explaining error
message.
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Marek Chalupa <mchqwerty@gmail.com>
Reviewed-by: Derek Foreman <derekf@osg.samsung.com>
A statement was added at the same indentation level as the true branch
of the if statement, but since there were no brackets, it would be
executed independently of the result of the if condition.
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Marek Chalupa <mchqwerty@gmail.com>
Reviewed-by: Derek Foreman <derekf@osg.samsung.com>
This adds functionality to allow system-level control over handing out
file descriptors for sockets, to allow tighter security when running a
Wayland compositor under a Wayland session server. Allows writing
socket activated Wayland servers.
Signed-off-by: Bryce Harrington <bryce@osg.samsung.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Cc: Sung-Jin Park <sj76.park@samsung.com>
Cc: Sangjin Lee <lsj119@samsung.com>
