If wl_shm_buffer_get_data() is called on a shm pool that has an external
reference and a pending resize, then the buffer may be outside the pool's
current mapping.
Log a warning if this happens.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
If a compositor is rendering in one thread while dispatching wayland
events in another, a wl_shm_pool_resize() could change the memory
mappings it's rendering from and cause a crash.
Now we defer wl_shm_pool_resize() if the compositor has references on a
pool, and perform the actual resize when it drops those references.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
This is a preliminary step towards deferring shm resize operations until
after the compositor has released all external references on a pool.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
If the client passed a size <= 0 to shm_create_pool, it would
go to err_free, which wouldn't close the fd, and thus leave it opened.
We can also move the size check before the struct wl_shm_pool
malloc, so in case the client passes a wrong size, it won't
do an unnecessary malloc and then free.
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
And insert "client" or "server" into the PROJECT_NAME to know which one we
have.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
This switches the scanner to generate doxygen-compatible tags for the
generated protocol headers, and hooks up the doxygen build to generate server
and client-side API documentation. That documentation is now in
Client/ and Server/, respectively.
GENERATE_HTML is on by default and must be disabled for the xml/man targets to
avoid messing up the new documentation. We disable all three three targets in
the doxyfile (xml and man default to NO anyway) to make it obvious that they
need to be set in the per-target instructions.
Each protocol is a separate doxygen @page, with each interface a @subpage.
Wayland only has one protocol, wayland-protocols will have these nested.
Each protocol page has a list of interfaces and the copyright and description
where available.
All interfaces are grouped by doxygen @defgroup and @ingroups and appear in
"Modules" in the generated output. Each interface subpage has the description
and a link to the actual API doc.
Function, struct and #defines are documented in doxygen style and associated
with the matching interface.
Note that pages and groups have fixed HTML file names and are directly
linkable/bookmark-able.
The @mainpage is a separate file that's included at build time. It doesn't
contain much other than links to where the interesting bits are. It's a static
file though that supports markdown, so we can extend it easily in the future.
For doxygen we need the new options EXTRACT_ALL and OPTIMIZE_OUTPUT_FOR_C so
it scans C code properly. EXTRACT_STATIC is needed since most of the protocol
hooks are static.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
Before this patch:
$ scanelf -lpqe ./wayland-scanner
RWX --- --- ./wayland-scanner
That indicates the stack is executable, which is a bad thing for
security. Wayland-scanner does not actually need an executable stack, it
is just an oversight from using an .S file in the sources.
Add a special incantation in dtddata.S to make it not cause the stack to
become executable.
Reported-by: Mart Raudsepp <leio@gentoo.org>
Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Tested-by: Mart Raudsepp <leio@gentoo.org>
When configured with --disable-dtd-validation:
CPPAS src/dtddata.o
src/dtddata.S: Assembler messages:
src/dtddata.S:39: Error: file not found: src/wayland.dtd.embed
Makefile:1520: recipe for target 'src/dtddata.o' failed
This is because the variable name used does not match the implicit
variable name in autoconf.
Fix the variable name, making both --disable-dtd-validation and
--enable-dtd-validation to what they should.
Do not try to build dtddata.S if dtd-validation is disabled. It depends
on wayland.dtd.embed which is created by configure only if
dtd-validation is enabled.
If not building dtddata.S, also make sure the extern definitions in
scanner.c are compiled out.
Bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=575212
Reported-by: leio@gentoo.org
Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Quentin Glidic <sardemff7+git@sardemff7.net>
Tested-by: Bryce Harrington <bryce@osg.samsung.com>
test if receiving an error on already destroyed object won't
do any harm
Signed-off-by: Marek Chalupa <mchqwerty@gmail.com>
Reviewed-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
Tested-by: Bryce Harrington <bryce@osg.samsung.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
If an error is received on a destroyed object, we'd get NULL passed
to display_handle_error() instead of a pointer to a valid wl_proxy.
The logging is changed to report [unknown interface] and [unknown id]
instead of the actual interface name and id.
The wl_display_get_protocol_error() documentation is updated to handle
the situation. For when the proxy was NULL, the object id 0 and
interface NULL is written.
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Marek Chalupa <mchqwerty@gmail.com>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
[Pekka: changed the error message wording]
Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Acked-by: Jonas Ådahl <jadahl@gmail.com>
This reverts commit 88ff135ad4.
The parent interface version may be higher than this interface version,
and the child object should inherit that version.
This check is wrong.
This reverts commit 8125919b0d.
This makes things far more annoying than intended, especially since
the list of default warnings isn't consistent from distro to distro.
New --enable-fatal-warnings ./configure option that just adds -Werror
to GCC_CFLAGS
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
We shouldn't ever create a resource with version less than 1 or
greater than the interface version.
Reviewed-by: Marek Chalupa <mchqwerty@gmail.com>
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
We're creating resources with versions up to 4. wl_display isn't version 4,
so this is technically verifying that we can do something we shouldn't.
wl_seat already has versions this high, so switch to that.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Marek Chalupa <mchqwerty@gmail.com>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
When we are adding padding bytes making our wl_buffer buffer content 4
byte aligned, we are just moving the pointer. Since the buffer is
allocated using plain malloc(), this means our padding bytes are
effectively uninitialized data, which could be anything previously
allocated in the server process. As we'll be sharing this buffer
content with arbitrary clients, we are effectively sharing private
memory with every client, and even though a well behaving client will
discard any such memory, a malicious client may not.
Therefor, to avoid any potential missuse of the uninitialized padding
memory shared between the server and client, initialize the buffer
content to 0, making the padding bytes always 0.
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
Some copyright strings could result in broken generated header files with
unmatched */
This change:
Runs the loop long enough so the copyright[i] == 0 test can actually
happen. (if there was no \n no copyright text was printed, */ still was)
Prints the opening /* even if there was whitespace at the start of
the very first line.
Only emits a */ if a /* was printed.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Jon A. Cruz <jonc@osg.samsung.com>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
Don't just print prefix the errors with "protocol", but the actual file
name, if wayland-scanner was passed with the filename of the protocol
file. If wayland-scanner is reading from stdin, errors will be prefixed
with "<stdin>" instead of "protocol".
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: David Fort <contact@hardening-consulting.com>
Reviewed-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
0 is not a valid version number for registry bind requests, so
let's check for it in registry_bind.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
Add a note to the wl_data_device_manager global interface about the
different requirements for operating the objects created from the bound
global.
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Carlos Garnacho <carlosg@gnome.org>
This adds an API to get the file descriptor for a client.
The client file descriptor can be used for a wayland compositor to validate
a request from a client if there are any additional information provided from
the client's file descriptor.
For instance, this will be helpful in some linux distributions, in which SELinux
or SMACK is enabled. In those environments, each file (including socket) will have
each security contexts in its inode as xattr member variable. A wayland compositor
can validate a client request by getting the file descriptor of the client and
by checking the security contexts associated with the file descriptor.
Signed-off-by: Sung-Jin Park <input.hacker@gmail.com>
Add a test that confirms that proxy versions are always 0 for display
and correct otherwise.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
This provides a standardized mechanism for tracking protocol object
versions in client code. The wl_display object is created with version 1.
Every time an object is created from within wl_registry_bind, it gets the
bound version. Every other time an object is created, it simply inherits
it's version from the parent object that created it.
(comments and minor reformatting added
by Derek Foreman <derekf@osg.samsung.com>)
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Second trivial commit squashed into this one:
Authored by Derek Foreman <derekf@osg.samsung.com>
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
(it's literally one of code and a lot of comments)
This sets wl_display's version (for proxy version query purposes)
to 0. Any proxy created with unversioned API (this happens when
a client compiled with old headers links against new wayland)
will inherit this 0.
This gives us a way for new libraries linked by old clients to
realize they can't know a proxy's version.
wl_display's version being unqueryable (always returning 0) is
an acceptable side effect, since it's a special object you can't
bind specific versions of anyway.
Second half:
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Jason Ekstrand <jason@jlekstrand.net>
If a client is terminated due to some reason, it should always be
possible to retrieve protocol error associated with the termination.
Test that, while either using the dispatch helpers
(wl_display_dispatch(_queue)() or the prepare read API, it should be
possible to retrieve the error after EPIPE.
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Change the API to pass an "void *" argument to the client main
function, allowing the caller to call the same main function with
different input.
A helper (client_create_noarg) is added for when no argument is passed,
and the existing test cases are changed to use this function instead.
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
We currently wait for clients in the wl_client destroy signal, which is
called before the client is destructed and the socket is closed. If test
clients rely on being closed due to the socket being closed we'd dead
lock. Avoid this by synchronizing in an idle task that is called after
the client is fully destroyed.
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
wl_display_flush() may fail with EAGAIN which means that not all data
waiting in the buffer has been flushed. We later block until there is
data to read, which could mean that we block on input from the
compositor without having sent out all data from the client. Avoid this
by fully flushing the socket before starting to wait.
This commit also changes the array length of the struct pollfd array
from 2 to 1, as only one element was ever used.
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Instead of doing things that do the equivalent of using
wl_display_prepare_read() and friends, just use the public API. The
only semantical difference is that we will now unlock and lock the mutex
more times compared to before.
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
If flushing hits EPIPE it should not make it a fatal error since it
would make it impossible to process the rest of the data available in
the buffer. Instead, let reading the socket make EPIPE fatal, letting
the client have the possibility to process the last messages including
any error causing the termination.
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
There was documentation about how to integrate the display server file
descriptor in the documentation about wl_display_dispatch_pending().
This is not the right place to put it, and it also had incorrect usage
of the API (calling wl_display_dispatch_queue() on input on an unrelated
fd) as an example.
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Daniel Stone <daniels@collabora.com>
The current documentation about wl_display_dispatch() states one may not
mix wl_display_dispatch(_queue)() with wl_display_prepare_read() and
friends, but this is a misconception about how
wl_display_dispatch(_queue)() works. The fact is that the dispatch
functions does the equivalent of what the preparation API does
internally, and it is safe to use together.
What is not safe is to dispatch using the wl_display_dispatch(_queue)()
functions while being prepared to read using wl_display_read_events().
This patch rewrites the documentation to correctly state when the
various API's are thread safe and how they may not be used.
https://bugs.freedesktop.org/show_bug.cgi?id=91767
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
These 2 requests have been added:
- wl_data_source.set_actions: Notifies the compositor of the available
actions on the data source.
- wl_data_offer.set_actions: Notifies the compositor of the available
actions on the destination side, plus the preferred action.
Out of the data from these requests, the compositor can determine the action
both parts agree on (and let the user play a role through eg. keyboard
modifiers). The chosen option will be notified to both parties
through the following two requests:
- wl_data_source.action
- wl_data_offer.action
In addition, the destination side can peek the source side actions through
wl_data_offer.source_actions.
Compared to the XDND protocol, there's two notable changes:
- XDND lets the source suggest an action, whereas wl_data_device lets
the destination prefer a given action. The difference is subtle here,
it comes off as convenience because it is the drag destination which
receives the motion events (unlike in X) and can perform action updates.
The drag destination seems also in a better position to update the
preferred action based on things like the data being transferred, the
place being dropped, and whether the drag is client-local.
- That same source-side preferred action is used in XDND to convey the
modifier-induced action to the drag destination, which would then ack
it, or reply with another action that's accepted (or none), this makes
the XdndPosition/XdndStatus messaging very verbose, and synchronous
because the drag source always needs to know the latest status/action
for every position+action sent.
Here it's the compositor which takes care of modifiers and matching
available/accepted actions, this allows for the signaling to happen
only whenever the actions/modifiers change for real.
Roughly based on previous work by Giulio Camuffo <giuliocamuffo@gmail.com>
Changes since v10:
- Narrow down the situations where wl_data_source/offer.accept requests
are supposed to happen.
Changes since v9:
- Deferred the protocol errors to .finish after some IRC chat with Jonas,
added further errors if actions API is used on selection sources/offers.
Changes since v8:
- Defined further the expected behavior on "ask", described the protocol
errors that may happen. Fix more spaces vs tabs issues.
Changes since v7:
- Misc changes after updating the progress notification patch.
Changes since v6:
- Further explanations on wl_data_source/offer.set_actions, including a
description of "ask" actions. Added protocol errors for unknown action
values.
Changes since v5:
- Applied rewording suggestions from Jonas Ådahl. Dropped slot reservation
scheme for actions. Fixed indentation and other minor formatting issues.
Changes since v4:
- Minor rewording.
Changes since v3:
- Splitted from DnD progress notification changes.
- Further rationales in commit log.
Changes since v2:
- Renamed notify_actions to set_actions on both sides, seems more consistent
with the rest of the protocol.
- Spelled out better which events may be triggered on the compositor side
by the requests, the circumstances in which events are emitted, and
what are events useful for in clients.
- Defined a minimal common ground wrt compositor-side action picking and
keybindings.
- Acknowledge the possibility of compositor/toolkit defined actions, even
though none are used at the moment.
Changes since v1:
- Added wl_data_offer.source_actions to let know of the actions offered
by a data source.
- Renamed wl_data_source.finished to "drag_finished" for clarity
- Improved wording as suggested by Bryce
Signed-off-by: Carlos Garnacho <carlosg@gnome.org>
Reviewed-by: Michael Catanzaro <mcatanzaro@igalia.com>
Reviewed-by: Mike Blumenkrantz <zmike@samsung.com>
Reviewed-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
Currently, there's no means for the DnD origin to know whether the
destination is actually finished with the DnD transaction, short of
finalizing it after the first transfer finishes, or leaking it forever.
But this poses other interoperation problems, drag destinations might
be requesting several mimetypes at once, might be just poking to find
out the most suitable format, might want to defer the action to a popup,
might be poking contents early before the selection was dropped...
In addition, data_source.cancelled is suitable for the situations where
the DnD operation fails (not on a drop target, no matching mimetypes,
etc..), but seems undocumented for that use (and unused in weston's DnD).
In order to improve the situation, the drag source should be notified
of all stages of DnD. In addition to documenting the "cancelled" event
for DnD purposes, The following 2 events have been added:
- wl_data_source.dnd_drop_performed: Happens when the operation has been
physically finished (eg. the button is released), it could be the right
place to reset the pointer cursor back and undo any other state resulting
from the initial button press.
- wl_data_source.dnd_finished: Happens when the destination side destroys
the wl_data_offer, at this point the source can just forget all data
related to the DnD selection as well, plus optionally deleting the data
on move operations.
Changes since v6:
- Turned wl_data_offer.finish calls with 0/NULL state/mimetype an
error, made it explicit that it will only result in
wl_data_offer.dnd_finished being sent if successful.
Changes since v5:
- Further rewording of wl_data_offer.finish and wl_data_offer.accept.
Added error for untimely wl_data_offer.finish requests.
Changes since v4:
- Applied rewording suggestions from Jonas Ådahl. Added new
wl_data_offer.finish request to allow explicit finalization on the
destination side.
Changes since v3:
- Renamed dnd_performed to a more descriptive dnd_drop_performed,
documented backwards compatible behavior on wl_data_offer.accept and
wl_data_source.cancelled.
Changes since v2:
- Minor rewording.
Changes since v1:
- Renamed events to have a common "dnd" namespace. Made dnd_performed to
happen invariably, data_device.cancelled may still happen afterwards.
Signed-off-by: Carlos Garnacho <carlosg@gnome.org>
Reviewed-by: Michael Catanzaro <mcatanzaro@igalia.com>
Reviewed-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Mike Blumenkrantz <zmike@samsung.com>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
The gratuitous %m jammed onto the end of the string prints errno
concatenated with the word "version".
I've removed the %m, and printed some additional information about the
failure.
Also, reversed the order of the expressions in the conditional to
make it match the english in the log message.
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
The frame event groups separate pointer events together. The primary use-case
for this at the moment is diagonal scrolling - a vertical/horizontal scroll
event can be grouped together to calculate the correct motion vector.
Frame events group all wl_pointer events. An example sequence of motion events
followed by a diagonal scroll followed by a button event is:
wl_pointer.motion
wl_pointer.frame
wl_pointer.motion
wl_pointer.frame
wl_pointer.axis
wl_pointer.axis
wl_pointer.frame
wl_pointer.button
wl_pointer.frame
In the future, other extensions may insert additional information about an
event into the frame. For example, an extension may add information about the
physical device that generated an event into the frame. For this reason,
enter/leave events are grouped by a frame event too.
The axis_source event determines how an axis event was generated. That enables
clients to judge when to use kinetic scrolling. Only one axis_source event is
allowed per frame and applies to all events in this frame.
The axis_stop event notifies a client about the termination of a scroll
sequence, likewise needed to calculate kinetic scrolling parameters.
Multiple axis_stop events within the same frame indicate that scrolling has
stopped in all these axis at the same time.
The axis_discrete event provides the wheel click count. Previously the axis
value was some hardcoded number (10), with the discrete steps this enables a
client to differ between line-based scrolling on a mouse wheel and smooth
scrolling with a touchpad. The axis_discrete event carries the axis
information and the discrete value and can occur at any time in the frame
provided it is ordered before the matching axis event. Specifically, this
sequence is valid:
wl_pointer.axis_source
wl_pointer.axis_discrete (vert)
wl_pointer.axis_discrete (horiz)
wl_pointer.axis (horiz)
wl_pointer.axis (vert)
wl_pointer.frame
Enter and leave event also trigger wl_pointer.frame events, where possible the
compositor should group leave and subsequent enter into the same frame. This
indicates to the client that the pointer has moved between surfaces and may
allow a client to shortcut code otherwise triggerd by the leave or enter
events.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Carlos Garnacho <carlosg@gnome.org>
Reviewed-by: Jonas Ådahl <jadahl@gmail.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
