We rely on well-defined unsigned overflow behaviour so let's make the
index fields actually unsigned. Signed ints aren't guaranteed to have the
behavior we want (could be either ones or twos complement).
If we read more FDs than we have room for, we currently leak FDs because
we overwrite previous still pending FDs. Instead, we do now close incoming
FDs if the buffer is full and return EOVERFLOW.
Signed-off-by: David Herrmann <dh.herrmann@googlemail.com>
Same problem as we had with close_fds(). We cannot rely on the fds_out
buffer being filled with less than MAX_FDS_OUT file descriptors.
Therefore, write at most MAX_FDS_OUT file-descriptors to the outgoing
buffer.
Signed-off-by: David Herrmann <dh.herrmann@googlemail.com>
Same problem as with outgoing FDs. We need to close these on shutdown,
otherwise we leak open file descriptors.
Signed-off-by: David Herrmann <dh.herrmann@googlemail.com>
If we push two messages via wl_connection_write() and both messages
contain more than MAX_FDS_OUT file-descriptors combined, then
wl_connection_flush() will write only MAX_FDS_OUT of them, but close all
pending ones, too.
Furthermore, close_fds() will copy more FDs out of the buffer than it can
hold and cause a buffer overflow. Therefore, we simply pass a maximum
limit to close_fds().
During shutdown, we simply close all available FDs.
Signed-off-by: David Herrmann <dh.herrmann@googlemail.com>
When destroying a wl_connection object, there might still be data in the
queue. We would leak open file-descriptors so we must close them.
Signed-off-by: David Herrmann <dh.herrmann@googlemail.com>
We can't use the same behaviour in both the client and the server. In the
client this is a wl_proxy pointer in the server it's a pointer to the
uint32_t object id. This doesn't fix the problem, but it's a slightly
more useful default, since we typically use WAYLAND_DEBUG on the client.
In most cases the pointer equality test is sufficient. However, in
some cases, depending on how things are split across shared objects,
we can end up with multiple instances of the interface metadata
constants. So if the pointers match, the interfaces are equal, if
they don't match we have to compare the interface names.
On the client side where we queue up multiple events before dispatching, we
need to look up the receiving proxy and argument proxies immediately before
calling the handler. Between queueing up multiple events and eventually
invoking the handler, previous handlers may have destroyed some of the
proxies.
The update callback for the file descriptors was always a bit awkward and
un-intuitive. The idea was that whenever the protocol code needed to
write data to the fd it would call the 'update' function. This function
would adjust the mainloop so that it polls for POLLOUT on the fd so we
can eventually flush the data to the socket.
The problem is that in multi-threaded applications, any thread can issue
a request, which writes data to the output buffer and thus triggers the
update callback. Thus, we'll be calling out with the display mutex
held and may call from any thread.
The solution is to eliminate the udpate callback and just require that
the application or server flushes all connection buffers before blocking.
This turns out to be a simpler API, although we now require clients to
deal with EAGAIN and non-blocking writes. It also saves a few syscalls,
since the socket will be writable most of the time and most writes will
complete, so we avoid changing epoll to poll for POLLOUT, then write and
then change it back for each write.
Expose these to other files using wayland-private.h, so wayland-client.c
can walk NULLables properly.
Signed-off-by: Daniel Stone <daniel@fooishbar.org>
If a new object id arrives ensure that there is an empty array entry
created, otherwise we might get out of sync for new ids if object isn't
created by interface implementation.
Most of the time it does not make sense to pass a NULL object, string, or array
to a protocol request. This commit adds an explicit “allow-null” attribute
to mark the request arguments where NULL makes sense.
Passing a NULL object, string, or array to a protocol request which is not
marked as allow-null is now an error. An implementation will never receive
a NULL value for these arguments from a client.
Signed-off-by: Christopher James Halse Rogers <christopher.halse.rogers@canonical.com>
When the server send a new object ID, the client used to have to allocate
the proxy manually and without type-safety. We now allocate the proxy
in a client-side post-processing step on the incoming closure.
'fixed' is a signed decimal type which offers a sign bit, 23 bits of
integer precision, and 8 bits of decimal precision. This is exposed as
an opaque struct with conversion helpers to and from double and int on
the C API side.
Signed-off-by: Daniel Stone <daniel@fooishbar.org>
Some system C libraries do not have MSG_CMSG_CLOEXEC. This flag would
automatically set O_CLOEXEC flag on any received file descriptors.
Provide a fallback that does it manually. If setting CLOEXEC fails, the
file descriptor is closed immediately, which will lead to failures but
avoid leaks. However, setting CLOEXEC is not really expected to fail
occasionally.
Add tests for the wrapper. The setup is copied from connection-test.c.
Signed-off-by: Pekka Paalanen <ppaalanen@gmail.com>
Some system C libraries do not have F_DUPFD_CLOEXEC. Provide a fallback.
Add tests for the new wl_os_dupfd_cloexec() wrapper.
Add per-wrapper call counters in os_wrappers-test.c. Makes it easier to
determine the minimum required number of wrapped calls.
Signed-off-by: Pekka Paalanen <ppaalanen@gmail.com>
connection.c:530: warning: format '%lu' expects type 'long unsigned
int', but argument 2 has type 'unsigned int'
/connection.c:560: warning: format '%lu' expects type 'long unsigned
int', but argument 2 has type 'unsigned int'
Signed-off-by: Pekka Paalanen <ppaalanen@gmail.com>
The buffer used by wl_connection_data to receive a cmsg is 128 bytes
long. This can hold at most 28 fds but when a cmsg is generated for
sending the fds, there is no check for this limitation. The man page
for recvmsg does not show any way of recovering from MSG_CTRUNC, that
happens when the buffer supplied for cmsg is too short.
Fix this by flushing the data to be written instead of generating a
cmsg buffer longer than the maximum.
In case the client isn't responding, this will block the compositor.
Instead we flush with MSG_DONTWAIT, which lets us fill up the kernel buffer
as much as we can (after not returning EPOLLOUT anymore it still can take
80k more), and then disconnect the client if we get EAGAIN.
This commit brings a big change to the DND and copy/paste interfaces.
Most importantly the functionality is now independent of wl_shell.
The wl_shell interface is intended for desktop style UI interaction and
an optional and experimental interface.
The new interface also allows receiving the DND data multiple times or
multiple times during the drag, and the mechanism for offering and receiving
data is now shared between DND and selections.
Some events, such as the display.delete_id, aren't very urgent and we
would like to not always send them immdiately and cause an unnecessary
context switch. The wl_resource_queue_event() function will place the
event in the connection output buffer but not request the main loop to
poll for writable. The effect is that the event will just sit in the
output buffer until a more important event comes around and requires
flushing.
We need to make sure the client doesn't reuse an object ID until the
server has seen the destroy request. When a client destroys an ID
the server will now respond with the display.delete_id event, which lets
the client block reuse until it receives the event.
