Commit Graph

2510 Commits

Author SHA1 Message Date
Fergus Dall
80164ef300 util: Avoid undefined behaviour in for_each_helper
for_each_helper tries to calculate a one-past-the-end pointer for its
wl_array input. This is fine when the array has one or more entries, but we
initialize arrays by setting wl_array.data to NULL. Pointer arithmetic is
only defined when both the pointer operand and the result point to the same
allocation, or one-past-the-end of that allocation. As NULL points to no
allocation, no pointer arithmetic can be performed on it, not even adding 0,
even if the result is never dereferenced.

This is caught by clang's ubsan from version 10.

Many tests already hit this case, but I added an explicit test for iterating
over an empty wl_map.

Signed-off-by: Fergus Dall <sidereal@google.com>
2021-07-21 11:42:42 +00:00
Manuel Stoeckl
ada25fbd52 client: print discarded events in debug log
Before this patch, setting WAYLAND_DEBUG=1 or WAYLAND_DEBUG=client made
a program log all requests sent and events that it processes. However,
some events received are not processed. This can happen when a Wayland
server sends an event to an object that does not exist, or was recently
destroyed by the client program (either before the event was decoded,
or after being decoded but before being dispatched.)

This commit prints all discarded messages in the debug log, producing
lines like:

[1234567.890] discarded [unknown]@42.[event 0](0 fd, 12 byte)
[1234567.890] discarded wl_callback@3.done(34567)
[1234567.890] discarded [zombie]@13.[event 1](3 fd, 8 byte)

The first indicates an event to an object that does not exist; the
second, an event to an object that was deleted after decoding, but
before dispatch; the third, an event to an object that left a
'zombie' marker behind to indicate which events have associated
file descriptors.

Signed-off-by: Manuel Stoeckl <code@mstoeckl.com>
2021-07-20 09:20:38 +00:00
Pekka Paalanen
13ccd1c4db wayland-util: avoid memcpy(NULL) in wl_array_copy()
The problem was found running Weston, with both Weston and Wayland built
with ASan:

../../git/wayland/src/wayland-util.c:150:2: runtime error: null pointer passed as argument 1, which is declared to never be null
../../git/wayland/src/wayland-util.c:150:2: runtime error: null pointer passed as argument 2, which is declared to never be null

This turns out to be caused by copying an empty array into an empty
array.

That seems to be a completely valid thing to do, and wl_array_init()
initializes the pointers to NULL and size to zero. Copying initialized
arrays must always be valid.

The errors are caused by calling memcpy() with NULL pointers. It doesn't
explode, because the size is also zero.

Fix the problem by calling memcpy() only if size is not zero. This
should keep things like copying an empty array into a non-empty array
working.

Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.com>
2021-07-14 07:21:40 +00:00
Simon Ser
8899310fc8 shm: document wl_shm_buffer
The main motivation is to make it clear when a wl_shm_buffer is
destroyed.

Signed-off-by: Simon Ser <contact@emersion.fr>
2021-07-13 15:52:31 +02:00
James Legg
b7153f2273 tests: Test wayland-scanner with a description in an entry
This previously would have caused a memory leak and incorrect
comments.

Signed-off-by: James Legg <lankyleggy@gmail.com>
Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.com>
2021-07-07 12:11:42 +00:00
James Legg
51d336ec14 scanner: Use descriptions in entries
entry may have a description according to the DTD. This is used in
some protocols including xdg-shell.

Fixes the code comment on an enum declaration using the description of
the last enum that had one, adds the descriptions to the comments on
enumerators, and avoids leaking the previously missing descriptions.

Fixes #208

Signed-off-by: James Legg <lankyleggy@gmail.com>
Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.com>
2021-07-07 12:11:42 +00:00
Simon Ser
767765d584 protocol: clarify wl_seat.name description
Define the expected properties of the seat name.

Signed-off-by: Simon Ser <contact@emersion.fr>
2021-07-06 11:57:39 +00:00
Pekka Paalanen
92038fa394 CI: turn on ASan and UBSan
I just noticed that libwayland test suite is ASan and UBSan clean, so
let's turn that on in CI to avoid regressing.

Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.com>
2021-07-01 16:28:08 +03:00
Simon Ser
817fdb9009 shm: add safety assertions
Catch any API mis-use with an assert. This should abort when the
user unreferences the pool more times than it's referenced.

Also change the refcount check to explicitly check for positive
counts. That makes the condition more readable.

Signed-off-by: Simon Ser <contact@emersion.fr>
2021-06-29 11:17:44 +02:00
Fergus Dall
ccc9612e82 connection: Handle non-nullable strings in wl_connection_demarshal
Currently a null string passed into a non-nullable argument of a message
will decode successfully, probably resulting in the handler function
crashing. Instead treat it the same way we do non-nullable objects and ids.

Signed-off-by: Fergus Dall <sidereal@google.com>
2021-06-22 20:15:39 +10:00
Fergus Dall
4f53613e70 connection-test: Encode size in message headers correctly
In these tests, message sizes are inconsistently encoded in either the upper
or lower 16 bits of the second word of the message. Resolve this in favour
of using the upper 16 bits, as this is how messages are supposed to be
encoded, even though that aspect of message decoding isn't being tested
here.

Signed-off-by: Fergus Dall <sidereal@google.com>
2021-06-22 20:15:32 +10:00
Simon Ser
3e897faa29 protocol: allow immediate wl_buffer.destroy if not re-used
Allow wl_buffer objects to be destroyed without having to wait for
wl_buffer.release if the underlying storage isn't going to be
re-used.

The main motivation for this is to avoid glitches when a client is
torn down. When a client disconnects, all of its objects are destroyed
in arbitrary order. However some compositors will still need to
access the destroyed buffer's underlying storage afterwards, e.g. for
visual effects (fade-out) or for atomic layout updates (wait for other
clients to commit a new buffer before hiding the buffer).

It's still incorrect for clients to destroy a wl_buffer and mutate
the underlying storage without waiting for wl_buffer.release.

Signed-off-by: Simon Ser <contact@emersion.fr>
Closes: https://gitlab.freedesktop.org/wayland/wayland/-/issues/185
2021-06-11 14:05:27 +00:00
Simon Ser
ba0c63dee8 shm: remove wl_shm_buffer.pool NULL checks
wl_shm_buffer.pool is never set to NULL. The only time it's set is
in shm_pool_create_buffer, and the pool is guaranteed to be non-NULL
there.

Signed-off-by: Simon Ser <contact@emersion.fr>
2021-06-10 14:33:32 +00:00
Tobias Stoeckmann
abcf1048e2 cursor: fix crash with weird input files
If a cursor file contains multiple images for the same size, this
typically indicates an animation. The compositor weston uses
wl_cursor_frame_and_duration to figure out at which time a specific image
should be shown.

The total delay is the sum of all image delays. But if all images have a
delay of 0, the total delay is 0 as well. The code does not check for this
special condition and triggers a floating point exception by eventually
performing a modulo operation with 0.

This, of course, could also happen if the sum of all image delays
triggers an unsigned int overflow. But since a comment in the code
already indicates that it does not try to "fix" handling of weird files,
I would argue that it's "okay" if that happens. At least the program
won't crash.

Proof of Concept:

install -D ~/.icons/poc/cursors
base64 -d > ~/.icons/poc/cursors/left_ptr << EOF
WGN1chAAAAAAAAEAAgAAAAIA/f8BAAAAKAAAAAIA/f8BAAAAKAAAACQAAAACAP3/AQAAAAEAAAAB
AAAAAQAAAAEAAAABAAAAAAAAAAAAAAA=
EOF
cat > /tmp/weston.ini << EOF
[shell]
cursor-theme=poc
EOF
weston -c /tmp/weston.ini

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
2021-06-02 13:46:33 +00:00
Simon Ser
f8bea2450d protocol: drop reference to wl_drm
Change the wl_drm reference to linux-dmabuf. wl_drm is a legacy,
private Mesa protocol that shouldn't be used by regular clients.

Signed-off-by: Simon Ser <contact@emersion.fr>
2021-05-27 10:48:40 +02:00
Simon Ser
f452e41264 build: replace assembly embedding with Python script
This allows Meson to properly track dependencies and re-build the scanner when
editing the dtd. We also stop depending on GNU as' .incbin and make the
embedding less obscure.

Signed-off-by: Simon Ser <contact@emersion.fr>
2021-05-10 22:08:45 +00:00
Marius Vlad
e475decf1d src: Add missing new lines to log messages
Signed-off-by: Marius Vlad <marius.vlad@collabora.com>
2021-05-07 11:07:54 +03:00
Nick Diego Yamane
208fc99e66 Document serial param usage in wl_pointer.set_cursor
Serial is supposed to contain the latest wl_pointer.enter value received
by clients but it was not even mentioned in the docs, so add it to avoid
misinterpretations.

Signed-off-by: Nick Diego Yamane <nickdiego@igalia.com>
2021-05-04 15:26:48 +00:00
Tobias Stoeckmann
ed55438366 cursor: fix CVE-2013-2003
The libXcursor fix for CVE-2013-2003 has never been imported into
wayland, leaving it vulnerable to it.

Changing the argument type to an unsigned type is an effective merge of
Ilja Van Sprundel's commit in libXcursor.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
2021-05-02 21:35:23 +02:00
Alexander Dunaev
0aebb5b94d cursor: add one more directory to XCURSORPATH
The user may install cursor themes manually, and the desktop environment
may provide a special directory for storing them.  For instance, GTK puts
those themes into ~/.local/share/icons, and many Linux distributions suggest
using that directory for user-specific themes.  However, users of
libwayland-cursor cannot load these themes using the API provided by the
library because the latter does not look into that directory.

This patch adds ~/.local/share/icons to the search path, so user-specific
themes can be loaded through the API provided by libwayland-cursor.

Signed-off-by: Alexander Dunaev <adunaev@igalia.com>
Reviewed-by: Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
Reviewed-by: Simon Ser <contact@emersion.fr>
2021-04-27 11:16:17 +00:00
James Hilliard
88f1605a82 build: add option to disable tests
When building for a product, tests are not needed.

Besides, one test requires a C++ compiler, which is not always
available.

So, add an option to configure to disable building tests altogether.

Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
2021-04-16 03:45:06 -06:00
James Hilliard
4c21053123 meson: only require cpp for tests
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
2021-04-16 03:04:56 -06:00
Alex Richardson
34306efeb2 Change wl_os_dupfd_cloexec minfd to be int
The fcntl() argument is defined to be an int and not a long. This does not
matter on most architectures since the value is passed in registers, but
it causes issues on big-endian architectures that pass variadic arguments
on the stack.

Signed-off-by: Alex Richardson <Alexander.Richardson@cl.cam.ac.uk>
Reviewed-by: Simon Ser <contact@emersion.fr>
2021-04-15 07:34:53 +00:00
Alex Richardson
e881934927 os-wrappers-test.c: Correctly forward arguments to fcntl
We can't just unconditionally read the optional arguments (and also read
it as a void* despite actually being an int).
While this happens to work on most architectures because the first few
variadic arguments are passed in registers, this is non-portable and
causes a crash on architectures that set bounds on variadic function
arguments (for example CHERI-enabled architectures). It could also cause
problems on big-endian architectures that pass variadic arguments on the
stack rather than in registers.

For CHERI-MIPS, reading sizeof(void*) causes a read of 16 bytes from the
bounded varargs capability. This always crashes since even calls with the
optional argument only have 4 bytes available.

Signed-off-by: Alex Richardson <Alexander.Richardson@cl.cam.ac.uk>
Reviewed-by: Simon Ser <contact@emersion.fr>
2021-04-15 07:34:53 +00:00
Michael Weiss
e4659ffbf5 meson: Only require expat when building wayland-scanner
This code is only required for building wayland-scanner so it should be
scoped accordingly. libxml-2.0 will only be required if both "scanner"
and "dtd_validation" are set to true.

Signed-off-by: Michael Weiss <dev.primeos@gmail.com>
2021-04-02 20:55:15 +02:00
Jonas Ådahl
d224e6ccf3 ci: Use ci-fairy to check for Signed-off-by
Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
2021-03-26 17:24:47 +01:00
Alex Richardson
1349d3d15b Use MAP_FAILED instead of (void *) -1
While MAP_FAILED is generally defined to that value, we should not be
relying on implementation details of system headers.

Signed-off-by: Alex Richardson <Alexander.Richardson@cl.cam.ac.uk>
Reviewed-by: Simon Ser <contact@emersion.fr>
2021-03-22 14:05:11 +00:00
Simon Ser
3bda3d1b47 build: drop autotools
Meson now replaces autotools.

Signed-off-by: Simon Ser <contact@emersion.fr>
2021-03-05 09:15:04 +00:00
Vlad Zahorodnii
2b22160fb6 server: add wl_display getter for wl_global
This can be useful if the compositor wants to call wl_global_destroy() with some
delay but it doesn't have the wl_display object associated with the global,
which is needed to get access to the event loop.

Signed-off-by: Vlad Zahorodnii <vlad.zahorodnii@kde.org>
2021-03-05 09:12:33 +00:00
Simon Ser
727c7903b2 client: assert queue display matches proxy
In wl_proxy_set_queue, passing a wl_event_queue from a completely
unrelated wl_display could lead to object ID mismatches.

Add an assertion to catch this case. It's always a user bug if this
happens.

Signed-off-by: Simon Ser <contact@emersion.fr>
2021-02-25 23:49:00 +01:00
sheepwall
70f1c83fd9 server: remove duplicate include
Signed-off-by: August Svensson <a.sve@live.se>
2021-02-22 19:09:08 +01:00
Tadeo Kondrak
ddf21afa6e protocol: Specify wl_callback::done to be a destructor event
It's the only destructor event in the core protocol, and destructor
events were previously unannotated.

Signed-off-by: Tadeo Kondrak <me@tadeo.ca>
2021-01-27 17:49:10 +00:00
Tadeo Kondrak
efab39642e protocol: Add type attribute to events
This allows specifying events to be destructors, which is useful for
non-C language bindings. It is unused in wayland-scanner.

Signed-off-by: Tadeo Kondrak <me@tadeo.ca>
2021-01-27 17:49:10 +00:00
Simon Ser
f1cc5d0c37 build: re-open master for regular development 2021-01-27 18:45:57 +01:00
Simon Ser
e60398b175 build: bump to version 1.19.0 for the official release 2021-01-27 17:48:01 +01:00
Simon Ser
0344e08ce0 build: bump to 1.18.93 for the RC1 release 2021-01-20 22:35:34 +01:00
Simon Ser
db8b64ca5e protocol: sync wl_shm.format with libdrm 2.4.104
This adds 4 new formats.

Signed-off-by: Simon Ser <contact@emersion.fr>
Reviewed-by: Jonas Ådahl <jadahl@gmail.com>
Acked-by: Daniel Stone <daniels@collabora.com>
2021-01-19 17:16:54 +01:00
Loïc Yhuel
d32e77692c server: Allow absolute paths in WAYLAND_DISPLAY
The compositor should handle absolute paths in WAYLAND_DISPLAY like the clients, i.e. not
adding the XDG_RUNTIME_DIR prefix if it's an absolute path.

This allows creating the wayland socket in a separate directory for system compositors if
desired. Clients could then directly inherit the environment variable.

Signed-off-by: Loïc Yhuel <loic.yhuel@softathome.com>
2021-01-13 17:01:15 +01:00
Simon Ser
69b8eaf385 build: bump to version 1.18.92 for the beta release 2021-01-06 20:18:58 +01:00
Simon Ser
d01dee9784 Remove TODO
These TODO items are outdated (either done or not applicable anymore). Let's
migrate items that we want to keep to GitLab issues.

Signed-off-by: Simon Ser <contact@emersion.fr>
2020-12-28 10:15:28 +00:00
Loïc Yhuel
74182eb605 meson: link with -lrt if needed for clock_gettime
This is already done in autotools, and fixes the build with glibc < 2.17.

Signed-off-by: Loïc Yhuel <loic.yhuel@softathome.com>
2020-12-23 15:37:58 +01:00
Simon Ser
ea09c2fde7 build: bump to version 1.18.91 for the alpha release 2020-12-21 11:16:05 +01:00
Maxime Roussin-Bélanger
dad8575a4b server: fix typos 2020-12-17 16:03:14 -05:00
Maxime Roussin-Bélanger
4c086a8ce2 egl: fix typo "Backards" 2020-12-17 16:03:14 -05:00
Maxime Roussin-Bélanger
0f0951d5c4 cursor: fix typo "insufficent" 2020-12-17 16:03:14 -05:00
Maxime Roussin-Bélanger
b52e71c8ec CONTRIBUTING: fix typo "excercising" 2020-12-17 16:03:14 -05:00
Maxime Roussin-Bélanger
efa5e3c8c6 tests: fix typos 2020-12-17 16:03:14 -05:00
Maxime Roussin-Bélanger
0f5cc8b71b doc: fix typos 2020-12-17 16:03:14 -05:00
Simon Ser
6741dafbf7 protocol: deprecate non-current wl_output.mode
The current wl_output.mode event has several issues when used to advertise
modes that aren't current:

- It's not possible to remove some modes. This is an issue for virtual
  outputs and when the kernel prunes some modes because of link limitations.
- wl_output.mode fails to carry metadata such as aspect ratio, which results
  in duplicated or missing modes.
- It's not clear, given the current set of protocols, how non-current modes
  are useful to clients. Xwayland ignores non-current modes.

GNOME and wlroots already only advertise the current mode because of these
issues.

If a protocol needs the clients to know about all available modes, it should
advertise these modes itself instead of relying on wl_output.mode.

Signed-off-by: Simon Ser <contact@emersion.fr>
Closes: https://gitlab.freedesktop.org/wayland/wayland/-/issues/92
2020-10-29 13:07:20 +00:00
Simon Ser
d42b39ccab protocol: make it clear wl_surface.enter/leave are not for frame throttling
Some clients rely on wl_surface.enter/leave to start/stop their rendering
loop.

There are cases where this doesn't work:

- Some compositors don't send wl_surface.leave when a toplevel is hidden.
  For instance Sway doesn't send this event when a toplevel is on an inactive
  workspace (but doesn't send wl_surface.frame events).
- Some compositors might still want applications to continue to render even if
  away from outputs. For instance a compositor that allows to screen record
  individual toplevels might not send a wl_surface.enter event for hidden
  toplevels.

Signed-off-by: Simon Ser <contact@emersion.fr>
2020-10-29 13:02:50 +00:00