When implementing a workaround for [1], one needs to accept a global to be
bound even though it has become stale.
Often, a global's user data is free'd when the global needs to be destroyed.
Being able to set the global's user data (e.g. to NULL) can help preventing a
use-after-free.
(The alternative is to make the compositor responsible for keeping track of
stale user data objects via e.g. refcounting.)
[1]: https://gitlab.freedesktop.org/wayland/wayland/issues/10
Signed-off-by: Simon Ser <contact@emersion.fr>
The interface name provided by the client isn't used at all.
Check it matches the global's interface name to prevent object interface
mismatches between the client and the server. These are especially easy to get
when mixing up global names and other IDs in the client.
Signed-off-by: Simon Ser <simon.ser@intel.com>
Closes: https://gitlab.freedesktop.org/wayland/wayland/issues/113
In the current workflow, socket file will be deleted if it already exists.
However, if the socket file is a symbolic link and the file that it refers
to doesn't exist, we will got "Address already in use" because bind()
thinks the socket file exists and won't create it.
Now, use lstat() to determine whether the socket file exists.
Signed-off-by: Liu Wenlong <liuwl.fnst@cn.fujitsu.com>
Rather than have two versions of the macro with slightly different
interfaces, just use wl_container_of internally.
This also removes use of statement expressions, a GNU C extension.
Signed-off-by: Michael Forney <mforney@mforney.org>
The printf() format specifier "%m" is a glibc extension to print
the string returned by strerror(errno). While supported by other
libraries (e.g. uClibc and musl), it is not widely portable.
In Wayland code the format string is often passed to a logging
function that calls other syscalls before the conversion of "%m"
takes place. If one of such syscall modifies the value in errno,
the conversion of "%m" will incorrectly report the error string
corresponding to the new value of errno.
Remove all the occurrences of the specifier "%m" in Wayland code
by using directly the string returned by strerror(errno).
Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Many languages such as C++ or Rust have an unwinding error-reporting
mechanism. Code in these languages can (and must!) wrap request handling
callbacks in unwind guards to avoid undefined behaviour.
As a consequence such code will detect internal server errors, but have
no way to communicate such failures to the client.
This adds a WL_DISPLAY_ERROR_IMPLEMENTATION error to wl_display so that
such code can notify (and disconnect) clients which hit internal bugs.
While servers can currently abuse other wl_display errors for the same
effect, adding an explicit error code allows clients to tell the
difference between errors which are their fault and errors which are the
server's fault. This is particularly interesting for automated bug
reporting.
v2: Rename error from "internal" to "implementation", in sympathy with
X11's BadImplementation error.
Add more justification in the commit message.
Signed-off-by: Christopher James Halse Rogers <christopher.halse.rogers@canonical.com>
Acked-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.com>
This will allow other wrappers around wl_resource_post_error to accept
variable argument lists.
Signed-off-by: Christopher James Halse Rogers <christopher.halse.rogers@canonical.com>
Acked-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.com>
In the past much code (weston, efl/enlightenment, mutter) has
freed structures containing wl_listeners from destroy handlers
without first removing the listener from the signal. As the
destroy notifier only fires once, this has largely gone
unnoticed until recently.
Other code does not (Qt, wlroots) - and removes itself from
the signal before free.
If somehow a destroy signal is listened to by code from both
kinds of callers, those that free will corrupt the lists for
those that don't, and Bad Things will happen.
To avoid these bad things, remove every item from the signal list
during destroy emit, and put it in a list all its own. This way
whether the listener is removed or not has no impact on the
following emits.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Simon Ser <contact@emersion.fr>
Reviewed-by: Markus Ongyerth <wl@ongy.net>
commit 3cddb3c692 casted len to an
unsigned value to compare to sizeof results. However,
wl_connection_read() can fail, setting errno to EAGAIN and returning
a value of -1.
When cast to an unsigned type this leads to a loop condition of true
when it should be false.
Signed-off-by: Dipen Somani <dipen.somani@samsung.com>
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Derek Foreman <derekf@osg.samsung.com>
Bug [1] reported that wl_display_destroy() doesn't destroy clients, so
client socket file descriptors are being kept open until the compositor
process exits.
Patch [2] proposed to destroy clients in wl_display_destroy(). The
patch was not accepted because doing so changes the ABI.
Thus, a new wl_display_destroy_clients() function is added in this
patch. It should be called by compositors right before
wl_display_destroy().
[1] https://bugs.freedesktop.org/show_bug.cgi?id=99142
[2] https://patchwork.freedesktop.org/patch/128832/
Signed-off-by: Simon Ser <contact@emersion.fr>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Acked-by: Daniel Stone <daniels@collabora.com>
The client connection is destroyed by the server in several
circumstances. This patch adds log messages in case the connection is
destroyed due to an error other than normal hangup.
Signed-off-by: Mathias Fiedler <mathias_fiedler@mentor.com>
Reviewed-by: Derek Foreman <derekf@osg.samsung.com>
On the client side we're going to need to know if an object from the
map is a zombie before we attempt to dereference it, so we need to
pass this to the iterator.
Reviewed-by: Daniel Stone <daniels@collabora.com>
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
This seems foolishly cosmetic on the surface - and will reorder log
messages in certain failure cases. "request could not be marshalled"
will now appear after logging the request that failed to marshal
instead of before.
The real point of this is that a follow up patch will make
wl_closure_send() set fds to -1 as it buffers them for send, so
they can be more easily cleaned up.
Doing that while leaving this order unchanged would result in
printing -1 for fds instead of their value.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Those struct members are no longer used so we can remove them.
Signed-off-by: Sergi Granell <xerpi.g.12@gmail.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Fix this set of warnings appearing three times during a build:
/home/pq/git/wayland/src/wayland-server.c:1868: warning: class
`wl_priv_signal' for related function `wl_priv_signal_init' is not
documented.
/home/pq/git/wayland/src/wayland-server.c:1884: warning: class
`wl_priv_signal' for related function `wl_priv_signal_add' is not
documented.
/home/pq/git/wayland/src/wayland-server.c:1899: warning: class
`wl_priv_signal' for related function `wl_priv_signal_get' is not
documented.
Our Wayland docbook don't include private things, so make sure these do
not end up there. This removes the mention of wl_priv_signal_emit from
the Server API docbook. I have no idea why the other functions did not
appear there.
Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Yong Bakos <ybakos@humanoriented.com>
Check that all the objects in an event belong to the same client as
the resource posting it. This prevents a compositor from accidentally
mixing client objects and posting an event that causes a client to
abort with a cryptic message.
Instead the client will now be disconnected as it is when the compositor
tries to send a null for a non-nullable object, and a log message
will be printed by the compositor.
Reviewed-by: Yong Bakos <ybakos@humanoriented.com>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Until now, we haven't done anything to prevent sending additional
events to clients after posting an error.
Acked-by: Daniel Stone <daniels@collabora.com>
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
These have grown a little in size but are almost identical, factor
out the common code.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
The old wl_signal is kept for backwards compatibility, as that is also
present in the deprecated public wl_resource struct, and that must be
kept working.
Signed-off-by: Giulio Camuffo <giulio.camuffo@kdab.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
wl_list_for_each_safe, which is used by wl_signal_emit is not really
safe. If a signal has two listeners, and the first one removes and
re-inits the second one, it would enter an infinite loop, which was hit
in weston on resource destruction, which emits a signal.
This commit adds a new version of wl_signal, called wl_priv_signal,
which is private in wayland-server.c and which does not have this problem.
The old wl_signal cannot be improved without breaking backwards compatibility.
Signed-off-by: Giulio Camuffo <giulio.camuffo@kdab.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
When using a wl_global, a server may need to retrieve the associated
wl_interface and user data.
Add a couple of convenient functions wl_global_get_interface() and
wl_global_get_user_data() for this purpose.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Yong Bakos <ybakos@humanoriented.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Add a new API to let compositor decide whether or not a wl_global
should be advertised to the clients via wl_registry_bind() or
display_get_registry()
By using its own filter, the compositor can decide which wl_global would
be listed to clients.
Compositors can use this mechanism to hide their own private interfaces
that regular clients should not use.
- Hiding interfaces that expose compositor implementation details
makes it harder for clients to identify the compositor. Therefore
clients are a little less likely to develop compositor-specific
workarounds instead of reporting problems upstream.
- Hiding can be used to diminish the problems from missing namespacing:
if two compositors happen to use the same named global with
different interfaces for their special-purpose clients, the client
expecting the different interface would probably never see it
advertised.
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Yong Bakos <ybakos@humanoriented.com>
Acked-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
The new wl_display_add_protocol_logger allows to set a function as
a logger, which will get called when a new request is received or an
event is sent.
This is akin to setting WAYLAND_DEBUG=1, but more powerful because it
can be enabled at run time and allows to show the log e.g. in a UI view.
A test is added for the new functionality.
Signed-off-by: Giulio Camuffo <giulio.camuffo@kdab.com>
Reviewed-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Yong Bakos <ybakos@humanoriented.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
To complement on the new resource created signal, this allows to
iterate over the existing resources of a client.
Signed-off-by: Giulio Camuffo <giulio.camuffo@kdab.com>
Reviewed-by: Jonas Ådahl <jadahl@gmail.com>
[Pekka: added empty lines, init ret in for_each_helper()]
Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
This change allows to add a resource creation listener to a wl_client,
which will be notified when a new resource is created for that client.
The alternative would be to have a per wl_display listener, but i think
that resources are really client specific objects, so it makes sense
to use the wl_client as the context.
Signed-off-by: Giulio Camuffo <giulio.camuffo@kdab.com>
Reviewed-by: Jonas Ådahl <jadahl@gmail.com>
[Pekka: added wl_list_remove() in TEST(new_resource).]
Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
This patch chooses the wl_list_for_each-style of iterating over
the clients, instead of using an iterator function, because i think
it is easier to use.
Signed-off-by: Giulio Camuffo <giulio.camuffo@kdab.com>
Reviewed-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Using display object, Emit a signal if a new client is created.
In the server-side, we can get the destroy event of a client,
But there is no way to get the created event of it.
Of course, we can get the client object from the global registry
binding callbacks.
But it can be called several times with same client object.
And even if A client creates display object,
(so there is a connection), The server could not know that.
There could be more use-cases not only for this.
Giulio: a test is added for the new functionality
Signed-off-by: Sung-jae Park <nicesj@nicesj.com>
Signed-off-by: Giulio Camuffo <giulio.camuffo@kdab.com>
Reviewed-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
wayland-server.c directly depends on wayland-util.h, and will include
wayland-server-protocol.h via wayland-server.h.
Explicitly include wayland-util.h, making this dependency clear.
Remove the redundant inclusion of wayland-server-protocol.h.
Signed-off-by: Yong Bakos <ybakos@humanoriented.com>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
The Wayland docbook and the doxygen html docs had been presenting
wl_display_get_additional_shm_formats as part of the public API, but the
prototype for this function is in wayland-private.h.
Add a \private annotation to the doc comment, preventing doxygen from
publishing this function as public.
Add logic to the publican xsl to only transform elements with a "prot"
attribute value of "public".
Signed-off-by: Yong Bakos <ybakos@humanoriented.com>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
This reverts commit 88ff135ad4.
The parent interface version may be higher than this interface version,
and the child object should inherit that version.
This check is wrong.
We shouldn't ever create a resource with version less than 1 or
greater than the interface version.
Reviewed-by: Marek Chalupa <mchqwerty@gmail.com>
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
0 is not a valid version number for registry bind requests, so
let's check for it in registry_bind.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
This adds an API to get the file descriptor for a client.
The client file descriptor can be used for a wayland compositor to validate
a request from a client if there are any additional information provided from
the client's file descriptor.
For instance, this will be helpful in some linux distributions, in which SELinux
or SMACK is enabled. In those environments, each file (including socket) will have
each security contexts in its inode as xattr member variable. A wayland compositor
can validate a client request by getting the file descriptor of the client and
by checking the security contexts associated with the file descriptor.
Signed-off-by: Sung-Jin Park <input.hacker@gmail.com>
The gratuitous %m jammed onto the end of the string prints errno
concatenated with the word "version".
I've removed the %m, and printed some additional information about the
failure.
Also, reversed the order of the expressions in the conditional to
make it match the english in the log message.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
if display_resource = wl_resource_create() fails in bind_display(),
we call wl_client_post_no_memory() which is wrong, since this function
uses display_resource (which is NULL at this point).
said simply: don't send an error to resource that you've just failed to create)
https://bugs.freedesktop.org/show_bug.cgi?id=91356
Reported-by: Ashim <ashim.shah@samsung.com>
Signed-off-by: Marek Chalupa <mchqwerty@gmail.com>
Reviewed-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
When processing a closure, data in the connection can be consumed again
if the closure itself invokes extra event dispatch. In that case the
remaining data size is also altered, so the variable len should be
updated after the closure is processed.
Signed-off-by: Jaeyoon Jung <jaeyoon.jung@lge.com>
Reviewed-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Derek Foreman <derekf@osg.samsung.com>
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Marek Chalupa <mchqwerty@gmail.com>
Reviewed-by: Derek Foreman <derekf@osg.samsung.com>
This adds functionality to allow system-level control over handing out
file descriptors for sockets, to allow tighter security when running a
Wayland compositor under a Wayland session server. Allows writing
socket activated Wayland servers.
Signed-off-by: Bryce Harrington <bryce@osg.samsung.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Cc: Sung-Jin Park <sj76.park@samsung.com>
Cc: Sangjin Lee <lsj119@samsung.com>
There are two same error messages with different cause.
Let user know what is the cause of the error.
Signed-off-by: Marek Chalupa <mchqwerty@gmail.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
There are functions below the "Deprecated functions below" comment
that are not deprecated.
Move the deprecated functions back down, and add a comment at the
end of the file to try to keep this from happening again.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
