The llvm static analyzer tool reported "Use of memory after it is freed"
in dispatch_event() because the proxy is used after being freed if the
reference count reaches zero without the destroyed flag being set. This
would never happen in practice because the owner of the proxy object
always holds a reference until calling wl_proxy_destroy() which would
also set the destroyed flag.
Since this is the case, it is safe to do the reference count check only
if the destroyed flag is set, as it can never reach zero if not.
This commit doesn't change the behavior of the function, but makes the
static analyzer more happy.
Fixes https://bugs.freedesktop.org/show_bug.cgi?id=61385
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
The primary purpose of this patch is to clean up wl_closure and separate
closure storage, libffi, and the wire format. To that end, a number of changes
have been made:
- The maximum number of closure arguments has been changed from a magic number
to a #define WL_CLOSURE_MAX_ARGS
- A wl_argument union has been added for storing a generalized closure
argument and wl_closure has been converted to use wl_argument instead of the
combination of libffi, the wire format, and a dummy extra buffer. As of
now, the "extra" field in wl_closure should be treated as bulk storage and
never directly referenced outside of wl_connection_demarshal.
- Everything having to do with libffi has been moved into wl_closure_invoke
and the convert_arguments_to_ffi helper function.
- Everything having to do with the wire format has been restricted to
wl_connection_demarshal and the new static serialize_closure function. The
wl_closure_send and wl_closure_queue functions are now light wrappers around
serialize_closure.
Signed-off-by: Jason Ekstrand <jason@jlekstrand.net>
This is a useful shorthand for client application debugging macros,
since you can ask the object class from the object itself.
Signed-off-by: Pekka Paalanen <ppaalanen@gmail.com>
This is there to enforce that we don't have interfaces with a destroy
request that isn't a destructor. The check never worked because of the
typo, but we also don't have any interfaces like that.
Most extra data are just pointers, but in case of fds we store an int in
the extra space. That can cause un-aligned access to pointers on 64 bit
architectures. Make sure we always align pointer storage correctly.
The need for wl_display_update_func_t was removed in
commit 53d24713a3
Author: Kristian Høgsberg <krh@bitplanet.net>
Date: Thu Oct 4 16:54:22 2012 -0400
Change filedescriptor API to be thread safe
and wl_callback_func_t does not seem to have ever been used in the first place.
Signed-off-by: Pekka Paalanen <ppaalanen@gmail.com>
The scanner would not allow two consecutive requests on an interface to
have the same since number, so if a new version of an interface added
two new requests the version number would have to be increased by two.
Since wl_display_dispatch() returns the number of processed events or -1
on error, only cancel the roundtrip if -1 is returned.
This also fixes a potential memory corruption bug happening when
wl_display_roundtrip() does an early return and the callback later
writes to the then out-of-scope, stack-allocated `done' parameter.
Introduced by 33b7637b45.
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
On the client side EGL, all the wl_buffer.release events need to be
processed before buffer allocation, otherwise a third buffer might
be allocated unnecessarily. However, the buffer allocation should
not block in the case no event was received. In order to do that, a
non-blocking queue dispatch function is needed.
By default the server will dump protocol for both the server and its
clients when run with WAYLAND_DEBUG=1. That's still the case, but it now
also understands WAYLAND_DEBUG=client or WAYLAND_DEBUG=server, which
will only enable debug dumping on either client or server side.
When events are queued, the associated proxy objects (target proxy and
potentially closure argument proxies) are verified being valid. However,
as any event may destroy some proxy object, validity needs to be
verified again before dispatching. Before this change this was done by
again looking up the object via the display object map, but that did not
work because a delete_id event could be dispatched out-of-order if it
was queued in another queue, causing the object map to either have a new
proxy object with the same id or none at all, had it been destroyed in
an earlier event in the queue.
Instead, make wl_proxy reference counted and increase the reference
counter of every object associated with an event when it is queued. In
wl_proxy_destroy() set a flag saying the proxy has been destroyed by the
application and only free the proxy if the reference counter reaches
zero after decreasing it.
Before dispatching, verify that a proxy object still is valid by
checking that the flag set in wl_proxy_destroy() has not been set. When
dequeuing the event, all associated proxy objects are dereferenced and
freed if the reference counter reaches zero. As the proxy reference counter
is initialized to 1, when dispatching an event it can never reach zero
without having the destroyed flag set.
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
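As an added illustration (not code from the commit or from libwayland, and using hypothetical names), this C model follows the reference-count and destroyed-flag invariant the message describes: the application's reference is dropped only through the destroy call that sets the flag, so a queued event can never see the count reach zero on a non-destroyed proxy.

```c
#include <stdlib.h>
/* Constructed model of the refcount + destroyed-flag scheme described above
 * (hypothetical names, not libwayland code). A proxy starts at refcount 1,
 * owned by the application; each queued event takes one more reference. */
struct proxy {
	int refcount;
	int destroyed; /* set by the application's destroy call */
};
static struct proxy *proxy_create(void)
{
	struct proxy *p = calloc(1, sizeof *p); /* assume allocation succeeds */
	p->refcount = 1;
	return p;
}
static void proxy_unref(struct proxy *p)
{
	if (--p->refcount == 0)
		free(p);
}
/* Application-side destroy: flag it, then drop the owner's reference. */
static void proxy_destroy(struct proxy *p)
{
	p->destroyed = 1;
	proxy_unref(p);
}
/* Queue an event targeting p: the event keeps p alive until dequeued. */
static struct proxy *queue_event(struct proxy *p)
{
	p->refcount++;
	return p;
}
/* Returns 1 if delivered, 0 if the target was destroyed while queued. */
static int dispatch_event(struct proxy *target)
{
	int delivered = !target->destroyed;
	proxy_unref(target); /* reaches 0 (and frees) only if destroyed is set */
	return delivered;
}
/* destroy_first=1: the app destroys the proxy while its event is still
 * queued, so dispatch must drop the event instead of touching freed memory. */
static int run_scenario(int destroy_first)
{
	struct proxy *p = proxy_create();
	struct proxy *ev = queue_event(p); /* refcount 2 */
	int delivered;
	if (destroy_first)
		proxy_destroy(p);          /* refcount 1, memory still valid */
	delivered = dispatch_event(ev);    /* refcount 0 -> freed, else 1 */
	if (!destroy_first)
		proxy_destroy(p);          /* refcount 1 -> 0, freed here */
	return delivered;
}
```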
The _* namespace and identifiers with double underscore are reserved
by the C standard. That makes __wl_container_of double plus bad,
so let's just call it wl_container_of.
Exporting unprefixed symbols is a pretty bad idea so don't do that.
Instead of redefining it as WL_ARRAY_LENGTH, we just move the define to
our private header. The scanner generates code that uses ARRAY_LENGTH,
but we can just make it count the number of elements and emit an integer
constant instead.
We don't have a use case for this and the actual semantics and
synchronization behavior of wl_egl_pixmap were never really well-defined.
It also doesn't provide the cross-process buffer sharing that makes
window system pixmaps useful in other window systems.
Touch grabs allow the compositor to be placed into a mode where touch events
temporarily bypass their default behavior and perform other operations.
Wayland already supports keyboard and pointer grabs, but was lacking
corresponding touch support. The default touch grab handlers here contain the
client event delivery code that was previously called directly in weston.
Signed-off-by: Matt Roper <matthew.d.roper@intel.com>
If any callback or helper function fails with a fatal error, we now
set the last_error flag and prevent all further I/O on the wl_display. We
wake up all sleeping event-queues and notify the caller that they
should shutdown wl_display.
Signed-off-by: David Herrmann <dh.herrmann@googlemail.com>
We need access to all event-queues of a single wl_display object. For
instance during connection-errors, we need to be able to wake up all event
queues. Otherwise, they will be stuck waiting for incoming events.
The API user is responsible for keeping a wl_display object around until all
event-queues that were created on it are destroyed.
Signed-off-by: David Herrmann <dh.herrmann@googlemail.com>
wl_connection_read() assumes that the caller dispatched all messages
before calling it. wl_buffer_put_iov() only provides enough room so that we
fill the buffer. So the only case when the buffer overflows is when a
previous read filled up the buffer but we couldn't parse a single message
from it. In this case, the client sent a message bigger than our buffer
and we should return an error and close the connection.
krh: Edited from David's original patch to just check that the buffer
isn't full before we try reading into it.
Signed-off-by: David Herrmann <dh.herrmann@googlemail.com>
We rely on well-defined unsigned overflow behaviour so let's make the
index fields actually unsigned. Signed ints aren't guaranteed to have the
behavior we want (could be either ones' or two's complement).
If we read more FDs than we have room for, we currently leak FDs because
we overwrite previous still pending FDs. Instead, we now close incoming
FDs if the buffer is full and return EOVERFLOW.
Signed-off-by: David Herrmann <dh.herrmann@googlemail.com>
Same problem as we had with close_fds(). We cannot rely on the fds_out
buffer being filled with less than MAX_FDS_OUT file descriptors.
Therefore, write at most MAX_FDS_OUT file-descriptors to the outgoing
buffer.
Signed-off-by: David Herrmann <dh.herrmann@googlemail.com>
Same problem as with outgoing FDs. We need to close these on shutdown,
otherwise we leak open file descriptors.
Signed-off-by: David Herrmann <dh.herrmann@googlemail.com>
If we push two messages via wl_connection_write() and both messages
contain more than MAX_FDS_OUT file-descriptors combined, then
wl_connection_flush() will write only MAX_FDS_OUT of them, but close all
pending ones, too.
Furthermore, close_fds() will copy more FDs out of the buffer than it can
hold and cause a buffer overflow. Therefore, we simply pass a maximum
limit to close_fds().
During shutdown, we simply close all available FDs.
Signed-off-by: David Herrmann <dh.herrmann@googlemail.com>
When destroying a wl_connection object, there might still be data in the
queue. We would leak open file-descriptors so we must close them.
Signed-off-by: David Herrmann <dh.herrmann@googlemail.com>
If we cannot increase the array for new entries, we now return 0 instead
of accessing invalid memory.
krh: Edited to return 0 on failure instead. In the initialization path,
we call wl_map_insert_new() to insert NULL at index 0, which also returns
0 but not as an error. Since we do that up front, every other case of
returning 0 is an unambiguous error.
Signed-off-by: David Herrmann <dh.herrmann@googlemail.com>