As well as wl_display_dispatch_queue_pending_single.
The motivation is writing libwayland bindings for a dynamic language
with exceptions/non-local returns. Since it is invalid for a
wl_dispatcher_func_t callback provided to libwayland to not return,
there is no way to prevent dispatching of further events in the case of
an exception in the dynamic language event handler.
Furthermore, since creating/destroying Wayland objects in an event
handler affects the dispatching of subsequent events by libwayland,
it is not possible to collect Wayland events in a queue outside
libwayland and dispatch them one-by-one after
wl_display_dispatch_pending() returns.
Adding libwayland API to dispatch at most one pending event solves this
problem cleanly. The bindings can have libwayland dispatch a single
event, wait for wl_display_dispatch_pending_single() to return, run the
dynamic language event handler (which may longjmp away), and continue
the loop for as long as there are more events to dispatch.
References: https://codeberg.org/ifreund/janet-wayland
Signed-off-by: Isaac Freund <mail@isaacfreund.com>
Add a new function, wl_check_env_token, to scan for a token in a
comma-separated string.
Change wl_display_create in wayland-server.c and
wl_display_connect_to_fd in wayland-client.c to use that instead of a
simple substring search.
This means that WAYLAND_DEBUG will accept a value like "client,server"
but not "clientserver". But, this will make it easier to add other
tokens without worrying about overlap between them.
Signed-off-by: Kyle Brenneman <kbrenneman@nvidia.com>
If the length of a message exceeds the maximum length of the buffer, the
buffer size will reach its maximum value and stay there forever, with no
message ever being successfully processed. Since libwayland uses
level-triggered epoll, this will cause the compositor to loop forever
and consume CPU time. In libwayland 1.22 and below, there was an
explicit check that caused messages exceeding 4096 bytes to result in an
EOVERFLOW error, preventing the loop. However, this check was removed
between d074d52902 ("connection: Dynamically resize connection buffers").
To prevent this problem, always limit the size of messages to 4096 bytes.
Since the default and minimum buffer size is 4096 bytes, this ensures
that a single message will always fit in the buffer. It would be
possible to allow larger messages if the buffer size was larger, but the
maximum size of a message should not depend on the buffer size chosen by
the compositor.
Rejecting messages that exceed 4092 bytes seems to have the advantage of
reserving 4 bits, not 3, in the size field for future use. However,
message sizes in the range [0x0, 0x7] are invalid, so one can obtain a
fourth bit by negating the meaning of bit 12 if bits 0 through 11
(inclusive) are 0. Allowing 4096-byte messages provides the far more
important advantage that regressions compared to 1.22 are impossible
and regressions compared to 1.23 are extremely unlikely. The only case
where a regression is possible is:
- The receiving side is using libwayland 1.23.
- The sending side is either using libwayland 1.23 or is not using
libwayland.
- The sender sends a message exceeding 4096 bytes.
- If the sender of the large message is the client, the server has
increased the buffer size from the default value.
This combination is considered extremely unlikely, as libwayland 1.22
and below would disconnect upon receiving such a large message.
4096-byte messages, however, have always worked, so there was no reason
to avoid sending them.
Fixes: d074d52902 ("connection: Dynamically resize connection buffers").
Fixes: #494
Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
This seems to have been the case since 2013.
This is useful for wrappers that need two pointers to identify proxies.
One pointer (stored in the user data) pointing to a singleton object to
identify that the proxy has a known structure. And one pointer (stored
in the dispatcher data) pointing to per-proxy data.
Signed-off-by: Julian Orth <ju.orth@gmail.com>
For dispatching messages on a queue with a timeout.
This slightly changes the samantics of wl_display_dispatch. Previously
it was possible for it to return even though there wasn't a single
dispatched event. The function correctly returned 0 in this case but it
is now used to indicate a timeout.
Signed-off-by: Sebastian Wick <sebastian.wick@redhat.com>
The log that appears before a display_error can be captured as crash
signature. Useful to know what it is.
This is cherry-picked from chromium https://crrev.com/c/4697877
Signed-off-by: Fangzhou Ge <fangzhoug@chromium.org>
From cleanup commit 0cecde304:
assert()s can be compiled away by #defining NDEBUG. Some build systems
do this. Using wl_abort gives a human readable error message and it
isn't compiled away.
That commit missed one final assert, presumably due to missing it with
grep because of a coding style issue. Fix that up, and remove inclusion
of <assert.h> as appropriate.
Signed-off-by: Derek Foreman <derek.foreman@collabora.com>
wl_proxy_get_queue can return NULL if the queue of the proxy was already
destroyed with wl_event_queue_destroy. In this case, the queue also has
no name anymore.
Fixes: b42218f ("client: Allow setting names for queues")
Signed-off-by: Sebastian Wick <sebastian.wick@redhat.com>
assert()s can be compiled away by #defining NDEBUG. Some build systems
do this. Using wl_abort gives a human readable error message and it
isn't compiled away. This commit closes issue #230.
Signed-off-by: meltq <tejasvipin76@gmail.com>
Currently WAYLAND_DEBUG text ignores events that have no listener.
It can be helpful to know when you're receiving unhandled events,
as you may have forgotten to add a listener, or adding a dispatch
may have magically seemed to fix code that doesn't appear to be
dispatching anything.
Signed-off-by: Derek Foreman <derek.foreman@collabora.com>
When using fixed size connection buffers, if either the client or the
server is sending requests faster than the other end can cope with, the
connection buffers will fill up, eventually killing the connection.
This can be a problem for example with Xwayland mapping a lot of
windows, faster than the Wayland compositor can cope with, or a
high-rate mouse flooding the Wayland client with pointer events.
To avoid the issue, resize the connection buffers dynamically when they
get full.
Both data and fd buffers are resized on demand.
The default max buffer size is controlled via the wl_display interface
while each client's connection buffer size is adjustable for finer
control.
The purpose is to explicitly have larger connection buffers for specific
clients such as Xwayland, or set a larger buffer size for the client
with pointer focus to deal with a higher input events rate.
v0: Manuel:
Dynamically resize connection buffers - Both data and fd buffers are
resized on demand.
v1: Olivier
1. Add support for unbounded buffers on the client side and growable
(yet limited) connection buffers on the server side.
2. Add the API to set the default maximum size and a limit for a given
client.
3. Add tests for growable connection buffers and adjustable limits.
v2: Additional fixes by John:
1. Fix the size calculation in ring_buffer_check_space()
2. Fix wl_connection_read() to return gracefully once it has read up to
the max buffer size, rather than returning an error.
3. If wl_connection_flush() fails with EAGAIN but the transmit
ring-buffer has space remaining (or can be expanded),
wl_connection_queue() should store the message rather than
returning an error.
4. When the receive ring-buffer is at capacity but more data is
available to be read, wl_connection_read() should attempt to
expand the ring-buffer in order to read the remaining data.
v3: Thomas Lukaszewicz <tluk@chromium.org>
Add a test for unbounded buffers
v4: Add a client API as well to force bounded buffers (unbounded
by default (Olivier)
v5: Simplify ring_buffer_ensure_space() (Sebastian)
Co-authored-by: Olivier Fourdan <ofourdan@redhat.com>
Co-authored-by: John Lindgren <john@jlindgren.net>
Co-authored-by: Sebastian Wick <sebastian@sebastianwick.net>
Signed-off-by: Manuel Stoeckl <code@mstoeckl.com>
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Signed-off-by: John Lindgren <john@jlindgren.net>
Signed-off-by: Sebastian Wick <sebastian@sebastianwick.net>
Closes: https://gitlab.freedesktop.org/wayland/wayland/-/issues/237
This is less cryptic to read than letters, and allows the compiler
to check switch statements exhaustiveness.
Signed-off-by: Simon Ser <contact@emersion.fr>
Allow setting a name for an event queue. The queue is used only for
printing additional debug information.
Debug output can now show the name of the event queue an event is
dispatched from, or the event queue of a proxy when a request is made.
Signed-off-by: Derek Foreman <derek.foreman@collabora.com>
This can be useful for additional validation purposes when handling
proxies. This is similar to existing server side API
wl_global_get_display.
Signed-off-by: David Edmundson <david@davidedmundson.co.uk>
Wayland debug logs resemble email addresses. This is a problem when
anonymizing logs from users. For example:
[2512874.343] xdg_surface@700.configure(333)
In the above log line, the substring "surface@700.config" can be
mistaken for an email address and redacted during anonymization.
Signed-off-by: Alex Yang <aycyang@google.com>
If the default queue is being destroyed, the client is disconnecting
from the wl_display, so there is no possibility of subsequent events
being queued to the destroyed default queue, which is what this warning
is about.
Note that interacting with (e.g., destroying) a wl_proxy after its
wl_display is destroyed is a certain memory error, and this warning will
indirectly warn about this issue. However, this memory error should be
detected and warned about through a more deliberate mechanism.
Signed-off-by: Alexandros Frantzis <alexandros.frantzis@collabora.com>
Detect when we are trying to add an event to a destroyed queue,
and abort instead of causing a use-after-free memory error.
This situation can occur when an wl_event_queue is destroyed before
its attached wl_proxy objects.
Signed-off-by: Alexandros Frantzis <alexandros.frantzis@collabora.com>
Log a warning if the queue is destroyed while proxies are still
attached, to help developers debug and fix potential memory errors.
Signed-off-by: Alexandros Frantzis <alexandros.frantzis@collabora.com>
Maintain a list of all wl_proxy objects that are attached to a
wl_event_queue. We will use this information in upcoming commits to warn
about improper object destruction order that can lead to memory errors.
Signed-off-by: Alexandros Frantzis <alexandros.frantzis@collabora.com>
Assignments to a wl_proxy's queue member are currently not synchronized
with potential reads of that member during event reading/queuing.
Assuming atomic pointer value reads and writes (which is a reasonable
assumption), and using the documented best practices to handle event
queue changes, a queue change should still be safe to perform.
That being said, such implicitly atomic accesses are difficult to assess
for correctness, especially since they do not introduce memory barriers.
To make the code more obviously correct, and handle any potential races
we are not currently aware of, this commit updates wl_proxy_set_queue()
to set the proxy's event queue under the display lock (all other
proxy queue accesses are already done under the display lock).
Signed-off-by: Alexandros Frantzis <alexandros.frantzis@collabora.com>
Suggested-by: Pekka Paalanen <pekka.paalanen@collabora.com>
Document the proper way to deal with event queue changes, in order to
guarantee proper handing of all events which were queued before the
queue change takes effect, especially in multi-threaded setups.
Make a special note about queue changes of newly created proxies,
which require the use of a proxy wrapper for thread safety.
Signed-off-by: Alexandros Frantzis <alexandros.frantzis@collabora.com>
Suggested-by: Pekka Paalanen <pekka.paalanen@collabora.com>
The [spec][1] reads:
> All paths set in these environment variables must be absolute. If an
> implementation encounters a relative path in any of these variables it should
> consider the path invalid and ignore it.
and
> If $XDG_DATA_HOME is either not set or empty, a default equal to
> $HOME/.local/share should be used.
Testing that the path is absolute also entails that is is non-empty.
[1]: https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
Signed-off-by: Antonin Décimo <antonin.decimo@gmail.com>
When allocating memory for structs, use zalloc instead of malloc.
This ensures the memory is zero-initialized, and reduces the risk
of forgetting to initialize all struct fields.
Signed-off-by: Simon Ser <contact@emersion.fr>
The client side closure traces have incorrect object ids for new server
generated objects. This is because create_proxies() overwrites the id in
'n' type arguments by storing a pointer to the actual object in the 'o'
field of the union.
Getting back to an id from this pointer requires accessing a structure
that isn't visible outside of wayland-client.c.
Add a function pointer to fish the correct value out of the argument and
pass it to wl_closure_print.
Signed-off-by: Derek Foreman <derek.foreman@collabora.com>
This makes wl_display_connect fail immediately instead of
succeeding when the integer provided by WAYLAND_SOCKET does
not refer to a valid file descriptor.
Signed-off-by: Manuel Stoeckl <code@mstoeckl.com>
There's a race when destroying wayland objects in a multi-threaded client.
This occurs because we call:
wl_proxy_marshal(foo);
wl_proxy_destroy(foo);
And each of these functions takes, and releases, the display mutex.
Between the two calls, the display is not locked.
In order to allow atomically marshalling the proxy and destroying the
proxy without releasing the lock, add yet more wl_proxy_marshal_*
functions. This time add flags and jam in all existing warts with the
hope that we can make it future proof this time.
Signed-off-by: Derek Foreman <derek.foreman@collabora.com>
Split wl_proxy_destroy into two pieces, wl_proxy_destroy_unlocked which
performs the critical section code with no locking, and wl_proxy_destroy
which locks before calling that.
We'll use the new unlocked variant later in code that already holds the
lock.
There is a slight functional change - an aborting check is now called
with the lock held. This should be harmless as wl_abort() performs
no locking.
Signed-off-by: Derek Foreman <derek.foreman@collabora.com>
Specifically, in the log formed when WAYLAND_DEBUG is set, this commit
ensures that floating point numbers are formatted using '.' instead of
the locale-specific decimal separator. As the debug logs are not
otherwise localized for end-users, and may be parsed by scripts, it is
better to have consistent output here.
The 24.8 fixed point numbers are now represented with 8 digits after
the decimal, since this is both exact and simpler to compute.
Signed-off-by: Manuel Stoeckl <code@mstoeckl.com>
Before this patch, setting WAYLAND_DEBUG=1 or WAYLAND_DEBUG=client made
a program log all requests sent and events that it processes. However,
some events received are not processed. This can happen when a Wayland
server sends an event to an object that does not exist, or was recently
destroyed by the client program (either before the event was decoded,
or after being decoded but before being dispatched.)
This commit prints all discarded messages in the debug log, producing
lines like:
[1234567.890] discarded [unknown]@42.[event 0](0 fd, 12 byte)
[1234567.890] discarded wl_callback@3.done(34567)
[1234567.890] discarded [zombie]@13.[event 1](3 fd, 8 byte)
The first indicates an event to an object that does not exist; the
second, an event to an object that was deleted after decoding, but
before dispatch; the third, an event to an object that left a
'zombie' marker behind to indicate which events have associated
file descriptors.
Signed-off-by: Manuel Stoeckl <code@mstoeckl.com>
In wl_proxy_set_queue, passing a wl_event_queue from a completely
unrelated wl_display could lead to object IDs mismatches.
Add an assertion to catch this case. It's always a user bug if this
happens.
Signed-off-by: Simon Ser <contact@emersion.fr>
Add a paragraph about WAYLAND_SOCKET and describe what happens when the display
name is a relative path.
Signed-off-by: Simon Ser <contact@emersion.fr>
Instead, set a fatal display error which will let an application
using libwayland-client shutdown cleanly.
Signed-off-by: Manuel Stoeckl <code@mstoeckl.com>
Once there has been a fatal display error, any new object requests
potentially rely on invalid state. (For example, a failure to read
from the compositor could hide a important event.) The safest way to
handle the new requests is not to make them.
Proxies produced by the request are still created, to ensure that
any code using the library does not crash from an unexpected NULL
pointer.
Signed-off-by: Manuel Stoeckl <code@mstoeckl.com>
If the client binds to a global with an interface mismatch, it may receive an
event from the server with an unknown opcode. See [1].
Instead of crashing, print a more useful debug message and close the connection.
[1]: https://gitlab.freedesktop.org/wayland/wayland/issues/113
Signed-off-by: Simon Ser <simon.ser@intel.com>
When an application and a toolkit share the same Wayland connection,
it will receive events with each others objects. For example if the
toolkit manages a set of surfaces, and the application another set, if
both the toolkit and application listen to pointer focus events,
they'll receive focus events for each others surfaces.
In order for the toolkit and application layers to identify whether a
surface is managed by itself or not, it cannot only rely on retrieving
the proxy user data, without going through all it's own proxy objects
finding whether it's one of them.
By adding the ability to "tag" a proxy object, the toolkit and
application can use the tag to identify what the user data pointer
points to something known.
To create a tag, the recommended way is to define a statically allocated
constant char array containing some descriptive string. The tag will be
the pointer to the non-const pointer to the beginning of the array.
For example, to identify whether a focus event is for a surface managed
by the code in question:
static const char *my_tag = "my tag";
static void
pointer_enter(void *data,
struct wl_pointer *wl_pointer,
uint32_t serial,
struct wl_surface *surface,
wl_fixed_t surface_x,
wl_fixed_t surface_y)
{
struct window *window;
const char * const *tag;
tag = wl_proxy_get_tag((struct wl_proxy *) surface);
if (tag != &my_tag)
return;
window = wl_surface_get_user_data(surface);
...
}
...
static void
init_window_surface(struct window *window)
{
struct wl_surface *surface;
surface = wl_compositor_create_surface(compositor);
wl_surface_set_user_data(surface, window);
wl_proxy_set_tag((struct wl_proxy *) surface,
&my_tag);
}
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
Rather than have two versions of the macro with slightly different
interfaces, just use wl_container_of internally.
This also removes use of statement expressions, a GNU C extension.
Signed-off-by: Michael Forney <mforney@mforney.org>
Many languages such as C++ or Rust have an unwinding error-reporting
mechanism. Code in these languages can (and must!) wrap request handling
callbacks in unwind guards to avoid undefined behaviour.
As a consequence such code will detect internal server errors, but have
no way to communicate such failures to the client.
This adds a WL_DISPLAY_ERROR_IMPLEMENTATION error to wl_display so that
such code can notify (and disconnect) clients which hit internal bugs.
While servers can currently abuse other wl_display errors for the same
effect, adding an explicit error code allows clients to tell the
difference between errors which are their fault and errors which are the
server's fault. This is particularly interesting for automated bug
reporting.
v2: Rename error from "internal" to "implementation", in sympathy with
X11's BadImplementation error.
Add more justification in the commit message.
Signed-off-by: Christopher James Halse Rogers <christopher.halse.rogers@canonical.com>
Acked-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.com>
Nothing on the client side uses it since
9fe75537ad which was just before the 0.99
release.
Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-By: Markus Ongyerth <wl@ongy.net>
previous commit, a9187853d4 added
a trailing { on a line it shouldn't have, and I pushed without
building first.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
commit 239ba39331 which was intended
to stop leaking fds in events for zombie objects didn't notice that
passing 0 to wl_connection_close_fds_in() would still close fds.
Test the fd count before calling.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
We need to close file descriptors sent to zombie proxies to avoid leaking
them, and perhaps more importantly, to prevent them from being dispatched
in events on other objects (since they would previously be left in the
buffer and potentially fed to following events destined for live proxies)
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
