This fixes a crash in the case where the last cursor was a client surface
cursor but then transitioned into a server managed xcursor that isn't
available. Because the logic would return early before, we would continue
to reference a texture pointer belonging to a client surface but would
otherwise disassociate with it (we wouldn't clear the cursor if the surface
is destroyed) resulting an an eventual UAF.
Let's just make the cursor invisible if we don't know what to show. It's
compositor policy if they want to show a default.
Co-authored-by: Scott Moreau <oreaus@gmail.com>
Fixes: #3686
If the underlying surface is destroyed, but the client has not yet
destroyed the server decoration object, and then tries to call
request_mode() on it, the compositor will crash, because the
wlr_server_decoration struct has been freed, and the wl_resource's
user_data member has been NULLed out.
Yes, this is certainly an error for the client to do that, but I
shouldn't be able to write a buggy (or malicious) Wayland app that can
take down the entire compositor.
wlr_renderer_read_pixels does not need to be called inside a render
pass; rather, it only needs to have the correct buffer bound to
the renderer. This commit optimizes the implementation of
frame_shm_copy(...) by only binding the source buffer instead of
starting a no-op render pass with it.
These states would be set if output_init is invoked with a enabled state.
This would make frame_pending == true which means wlroots will ignore
any further frame events and the compositor will appear dead.
Up until now, frame/present events were only triggered when the
user submitted a buffer. Change the wlr_output API so that these
events are triggered when any commit is applied on an enabled
output.
Closes: https://gitlab.freedesktop.org/wlroots/wlroots/-/issues/3708
It's still not possible to commit while a page flip is pending in DRM,
but we don't need to enforce that here and allowing it through the
common interface can be useful for other backends.
This decouples commits from frame scheduling, which is going to make the
new frame schedulers easier to implement.
When setting a custom mode current_mode will not be reset. That means
that next time the compositor tries to reset back from the custom mode,
it will compare against the stale current_mode and unset
WLR_OUTPUT_STATE_MODE erroneously.
We can just use a regular assignment instead. This is more
type-safe since there is no need to provide the struct size.
The remaining memcpy() calls perform array copies or copies from
void pointers (which may be unaligned).
When a wlr_output add to wlr_output_layout, wlr_cursor will create
wlr_buffer of xcursor for the wlr_output, this behavior depends
wlr_renderer of wlr_output, using assert to ensure renderer is
initialized before wlr_output_layout_add and wlr_cursor_set_buffer/
wlr_cursor_set_xcursor.
Opaque region is a optimization hint, (bugs outstanding) it will not
change the output contents, therefore damage does not need to be submitted.
However, we still need to update the visibility state of the other
nodes in the tree. To do this call scene_update_region() by ourselves
but not `scene_node_update()` which will damage the outputs.
We need to intersect the opaque region with the node size or else we'll
get damage tracking effects with compositors attempting to use
wlr_scene_buffer_set_opaque_region() along with resizing the buffer
at the same time in a certain order.
Consider this: I have a new buffer that I want to commit to my scene buffer
that is smaller than the old one. However, I still have the old opaque
region that is the size of the old larger buffer, so that means that
for the small moment between when we reconfigure the opaque region for the
new buffer the opaque region will be oversized. Scene logic will then
try to apply occluding optimizations outside of the node boundaries
causing damage artifacts.
Add the missing lock_surface_destroy which was removed in dc7686c114
("session-lock: don't remove inert role resource"). Otherwise we never
remove the surface from our internal state, leading to us killing the
locking daemon with a protocol error that is totally our fault.
needs_frame is for backends to trigger frames for reasons that
compositors couldn't see coming. schedule_frame is freaky and I want to
remove it. These protocols aren't backends but in this case they're
close enough, so switch to needs_frame.
CC #3664
Without a round in this case the damage region is translated to truncated coordinates, potentially
misplacing it relative to the actual position of that region in the output buffer.
The backend is not able to tell whether a surface is being
presented via direct scan-out or not. The backend will set
ZERO_COPY if the buffer submitted via the output commit was
presented in a zero-copy fashion, but will no know whether the
buffer comes from the compositor or the client.
Using "present" is confusing here: the event is emitted when the
buffer is being sampled to be displayed on an output, not when it's
being presented on-screen.
Rename to match the presentation-time terminology.
Now that role objects are stored as resources, we can distinguish
the inert object case from it being destroyed by the client:
- When the resource is destroyed by the client, role_resource == NULL
- When the resource is made inert, role_resource != NULL but its
user_data is NULL
This function takes a pointer to memory with a hardcoded format
and many parameters to describe the pixel buffer.
wlr_output_cursor_set_buffer() can be used instead.
Stop using wlr_output_cursor_set_image() because it's getting
dropped. Instead, use wlr_output_cursor_set_buffer().
This mirrors what wlr_output_cursor_set_image() is doing
under-the-hood.
A saner replacement for wlr_cursor_set_image():
- Takes a wlr_buffer instead of numerous parameters and a hardcoded
format.
- The scale is not used to filter outputs.
- A ref to the buffer is kept to apply it to new outputs.
By adding a sent_feedback bool into the list entry that we can mutate
we no longer need to maintain this `sent_direct_scanout_feedback` variable.
sent_feedback will also be useful for output layers.
This changes the semantics of wlr_output_state. Instead of having
fields with uninitialized memory when missing from the committed
bitflag, all fields are always initialized (and maybe NULL/empty),
just like we do in wlr_surface_state. This reduces the chances of
footguns when reading a field, and removes the need to check for
the committed bitfield everywhere.
A new wlr_output_state_init() function takes care of initializing
the Pixman region.
This increases type safety, makes it more obvious that role_data
must represent the role object, and will allow for automatic
cleanup when the resource is destroyed.
This commit allows to make a role as not represented by an object,
which fixes calling role commit handlers for roles like cursor
surfaces.
Fixes: 099b9de752
If the set_cursor request is used with the same surface, don't call
cursor_output_cursor_reset_image(). That function sends
wl_surface.leave and can cause an infinite feedback loop with some
clients (submitting a LoDPI cursor when the surface leaves an HiDPI
output).
Closes: https://gitlab.freedesktop.org/wlroots/wlroots/-/issues/3669
Currently, an icon surface's role_data is set manually to a struct
wlr_drag_icon, which is hacky, incorrect (as role_data is supposed
to be the surface's role object, and drag icons don't have them), and
will be disallowed by future changes.
Based on five calls:
wlr_render_timer_create - creates a timer which can be reused across
frames on the same renderer
wlr_renderer_begin_buffer_pass - now takes a timer so that backends can
record when the rendering starts and finishes
wlr_render_timer_get_time - should be called as late as possible so that
queries can make their way back from the GPU
wlr_render_timer_destroy - self-explanatory
The timer is exposed as an opaque `struct wlr_render_timer` so that
backends can store whatever they want in there.
read advances the file description offset, and requires the client to
ensure that it is reset appropriately before the next gamma ramp
submission. As there is no event to indicate that wlroots finished
processing the new gamma ramp, this can result in a race between the
client seeking in the file and wlroots reading its content.
Use pread with a fixed offset instead.
Fixes: https://gitlab.freedesktop.org/wlroots/wlroots/-/issues/3655
According to the protocol text, the popup will be immediately dismissed
when the grab is rejected. Because the grab can't be executed with a
destroyed seat, the popup is dismissed when one is provided.
Many issues here:
- wlr_output_cursor_set_buffer() takes a buffer already scaled for
the output, not a buffer with scale=1.
- wlr_output_cursor.{width,height,hotspot_x,hotspot_y} are in output
buffer coordinates.
- render_cursor_buffer() had hardcoded no-ops for scale and
transform, instead of using the cursor surface's.
Fixes: b64e7e88bf ("output: add output_cursor_set_texture()")
A client might update the cursor with the same wl_surface as
before, but with a different hotspot. Don't ignore such updates.
Fixes: 9c9e3f6263 ("cursor: ignore wlr_cursor_set_surface() with same surface")
This is to allow for compositors that want to be more implicit about
how their scene is organized. Such a compositor may want to walk up
at a certain scene node to find something such as a surface to focus on.
If a modeset contains a render format change, use that instead of
the current one stored in wlr_output.render_format.
This fixes render_bit_depth configuration not being applied without
a second modeset in Sway.
Some formats like sub-sampled YCbCr use a block of bytes to
store the color values for more than one pixel. Update our format
table to be able to handle such formats.
According to the spec the compositor should send scanout modifiers in
their respective device tranches, and all other texture modifiers
in the main tranche. Currently wlroots expects all modifiers to be
present in the last (i.e. "fallback") tranche, this removes that assumption
in the feedback compilation stage so that scanout modifiers for secondary
device can be advertised.
"The full-screen feedback parameters have two tranches: one with the
format/modifier pairs supported by the KMS plane, with the scanout flag
set in the tranche_flags event and with tranche_target_device set to the
KMS scan-out device; the other with the rest of the format/modifier
pairs (supported for texturing, but not for scan-out), without the
scanout flag set in the tranche_flags event, an"
The Wayland, X11 and headless backends don't really care about the
cursor size. We were picking a size identical to the texture size
in that case. This is incorrect for LoDPI cursor textures on HiDPI
outputs: in that case, we need to scale up the cursor texture.
Fixes the cursor being chopped off under the Wayland backend with
scale > 1.
Add a src_box state field. Use the SRC_* KMS props in the DRM
backend, reject the layers in the Wayland backend (for now, we can
support it later via viewporter).
This makes seat_client resources inert when seats and/or input devices are
destroyed, rather than destroying the resources.
When the client calls e.g. wl_keyboard_release(), it's not expecting the
keyboard global to be already destroyed, so this results in an error such
as this:
wl_display@1: error 0: invalid object 22
wlr_output is not well-suited to checking whether direct scan-out
is happening or not. Compositors may want to use their own external
swapchains, for instance.
Additionally, ab7eabac84 ("output: leverage
wlr_output_configure_primary_swapchain()") makes it so
output_basic_test() is called before the output swapchain is
initialized, resulting in false positives.
References: https://gitlab.freedesktop.org/wlroots/wlroots/-/issues/3620
This allows callers to set a destination size different from the
buffer size to scale them.
The DRM backend supports this. The Wayland backend doesn't yet
(we'd need to wire up viewporter).
- Simplifies the backends
- Avoids having two ways to do the same thing: previously one could
disable a layer by either omitting it from wlr_output_state.layers,
or by passing a NULL buffer
- We can change our mind in the future: we can allow users to omit
some layers and define a meaning without breaking the API.
References: https://gitlab.freedesktop.org/wlroots/wlroots/-/merge_requests/4017#note_1783997
When a new client comes in and tries to create a
zwlr_gamma_control_v1 object for an output which already has one,
we were destroying the old object and early-returning. The early
return causes the new object to not be set up properly: it's not
inserted in the list and doesn't get the gamma_size event.
Fix this by destroying the new object, and leave the old object
intact, which is what was the intent I think.
Closes: https://gitlab.freedesktop.org/wlroots/wlroots/-/issues/3605
Replace our current logic to setup the primary swapchain with
wlr_output_configure_primary_swapchain().
- Removes some code, reducing duplication
- Stop overwriting wlr_output.swapchain with a yet-to-be-tested
swapchain: remove the error_destroy_swapchain label.
We've had this struct for a while. It'd be useful for compositors
if they want to manage the swap chains themselves instead of being
forced to use wlr_output's. Some compositors might also want to use
a swapchain without an output.
This is based on previous work [1] [2].
This new API allows compositors to display buffers without needing to
perform rendering operations. This API can be implemented on Wayland
using subsurfaces and on DRM using KMS planes.
Compared to [1], this approach leverages wlr_addon_set to let backends
attach their own private state to layers, removes the pending
state (necessary for interop with wlr_output_commit_state()) and
enum wlr_output_layer_state_field.
[1]: https://gitlab.freedesktop.org/wlroots/wlroots/-/merge_requests/1985
[2]: https://gitlab.freedesktop.org/wlroots/wlroots/-/merge_requests/3447
options->scanout_primary_output indicates an output on which scanout is desirable.
Set the missing SCANOUT flag.
Fixes: 0c966f102c ("linux-dmabuf-v1: add wlr_linux_dmabuf_feedback_v1_init_with_options()")
This patch allows surfaces without keyboard focus
but with pointer focus to receive valid tokens.
This can be relevant for applications using an older version of
the layershell protocol which only provided the choice between
no keyboard focus and exclusive keyboard focus.
In output_ensure_buffer() we create a swapchain and attach an empty
buffer to the output if necessary. We do that during the first commit.
This is fine when the first commit enables the output, however this breaks
when the first commit disables the output. A commit which disables an
output and has a buffer attached is invalid (see output_basic_test()), and
makes the DRM backend crash:
00:00:00.780 [wlr] [backend/drm/drm.c:622] connector eDP-1: Turning off
../subprojects/wlroots/backend/drm/drm.c:652:44: runtime error: member access within null pointer of type 'struct wlr_drm_crtc'
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2524==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f22e894afc1 bp 0x7ffe1d57c550 sp 0x7ffe1d57c420 T0)
==2524==The signal is caused by a READ memory access.
==2524==Hint: address points to the zero page.
#0 0x7f22e894afc1 in drm_connector_commit_state ../subprojects/wlroots/backend/drm/drm.c:652
#1 0x7f22e894b1f5 in drm_connector_commit ../subprojects/wlroots/backend/drm/drm.c:674
#2 0x7f22e89e8da9 in wlr_output_commit_state ../subprojects/wlroots/types/output/output.c:756
#3 0x555ab325624d in apply_output_config ../sway/config/output.c:517
#4 0x555ab31a1aa1 in handle_new_output ../sway/desktop/output.c:974
#5 0x7f22e9272f6d in wl_signal_emit_mutable (/usr/lib/libwayland-server.so.0+0x9f6d)
#6 0x7f22e899b012 in new_output_reemit ../subprojects/wlroots/backend/multi/backend.c:161
#7 0x7f22e9272f6d in wl_signal_emit_mutable (/usr/lib/libwayland-server.so.0+0x9f6d)
#8 0x7f22e895a153 in scan_drm_connectors ../subprojects/wlroots/backend/drm/drm.c:1488
#9 0x7f22e893c2e4 in backend_start ../subprojects/wlroots/backend/drm/backend.c:24
#10 0x7f22e892ed00 in wlr_backend_start ../subprojects/wlroots/backend/backend.c:56
#11 0x7f22e8999b83 in multi_backend_start ../subprojects/wlroots/backend/multi/backend.c:31
#12 0x7f22e892ed00 in wlr_backend_start ../subprojects/wlroots/backend/backend.c:56
#13 0x555ab317d5cc in server_start ../sway/server.c:316
#14 0x555ab317748d in main ../sway/main.c:400
#15 0x7f22e783c28f (/usr/lib/libc.so.6+0x2328f)
#16 0x7f22e783c349 in __libc_start_main (/usr/lib/libc.so.6+0x23349)
#17 0x555ab3134c84 in _start (/home/simon/src/sway/build/sway/sway+0x377c84)
Fixes: 3be6658ee7 ("output: allocate swapchain on first commit")
Closes: https://github.com/swaywm/sway/issues/7373
When a client attaches a NULL buffer to its wl_surface, it's
unmapped. This resets the xdg_surface in its initial state. An
extra NULL commit makes the compositor send an initial configure
event.
Note, wlr_xdg_toplevel.added is separate from wlr_xdg_surface.added.
Closes: https://github.com/swaywm/sway/issues/7397
The invalid_destroy and invalid_unlock protocol errors aren't currently
sent by wlroots and instead left up to the compositor. However, we can
handle these as well without much additional complexity.
This also adds a missing wl_resource_destroy() call if the lock is inert
in lock_handle_unlock_and_destroy().
wlroots uses "// private state" comments to denote structure fields
which shouldn't be accessed by compositors, so let's drop
wlr_output_layout_output_state and inline its fields into
wlr_output_layout_output; this also simplifies layout output creation.
With the Vulkan renderer we don't support implicit modifiers.
However wl_drm only supports implicit modifiers.
Stop advertising wl_drm formats when implicit modifiers are
unsupported.
Query the formats at init time, then forget about the renderer.
This will allow wl_drm to be created with a list of formats instead
of a renderer, and will behave better after a GPU reset.
The backend no longer changes the output state behind the
compositor's back. Instead, compositors can listen to the "commit"
event and check for WLR_OUTPUT_STATE_ENABLED/WLR_OUTPUT_STATE_MODE.
Closes: https://gitlab.freedesktop.org/wlroots/wlroots/-/issues/2300
Some compositors may want to use the linux-dmabuf-v1 implementation
with a completely custom renderer. Add a function to create the
global with a default feedback.
...when only one edge is anchored.
The layer-shell protocol specifies that a positive exclusive-zone value is
'meaningful' if the surface is anchored to either:
1. one edge
2. one edge and both perpendicular edges.
For example, if you wish to position a layer-shell client along the top
edge and make it exclusive, you should be able to either set anchor=TOP or
anchor=TOP|LEFT|RIGHT. It appears that many panels/bars use the latter
approach (anchor to an edge and also both perpendicular edges) which is
probably why this has not been reported previously.
This patch adds support for the first case and thereby makes exclusive
zone behaviour consistent with the protocol and also with sway's extant
layer-shell implementation.
Now, it is checked whether an output pixel corresponds to an integer
number of buffer pixels; if it doesn't, the region is altered to take
this into account.
This allows the backend to have access to the frame damage, as
reported by the scanned-out client. Some KMS drivers can make use
of it (e.g. for PSR, or optimized USB transfers in the GUD driver),
and the Wayland/X11 backends forward it to the parent compositor.
This is a first step towards moving texture uploading out of
wlr_compositor.
This commit allows compositors to opt-out of the texture uploading
by passing a NULL wlr_renderer. An immediate user of this is
gamescope, which currently implements a stub wlr_renderer just to
make wlr_compositor happy.
Fixes
In file included from /usr/include/wayland-server-core.h:32,
from ../types/seat/wlr_seat_pointer.c:6:
In function 'wl_fixed_from_double',
inlined from 'wlr_seat_pointer_send_axis' at ../types/seat/wlr_seat_pointer.c:367:6:
/usr/include/wayland-util.h:641:17: error: 'low_res_value' may be used uninitialized [-Werror=maybe-uninitialized]
641 | u.d = d + (3LL << (51 - 8));
| ~~^~~~~~~~~~~~~~~~~~~
../types/seat/wlr_seat_pointer.c: In function 'wlr_seat_pointer_send_axis':
../types/seat/wlr_seat_pointer.c:329:16: note: 'low_res_value' was declared here
329 | double low_res_value;
| ^~~~~~~~~~~~~
Use a basic linked list to store the currently active mappings.
Note that we don't actually need to implement a full lock-free
atomic linked list here. The signal handler will never write to
the list, it will only read it. Only the main thread will write.
We need to always expose a consistent view of the list to the
signal handler (the main thread might be interrupted at any point
by the signal handler).
This is a re-implementation of wl_shm. The motivations for using
this over the one shipped in libwayland are:
- Properly handle SIGBUS when accessing a wl_buffer's underlying
data after the wl_buffer protocol object has been destroyed.
With the current code, we just crash if the client does that
and then shrinks the backing file.
- No need to fight the wl_shm_buffer API anymore. This was awkward
because we weren't notified when clients created a wl_shm buffer,
and this doesn't play well with our wlr_buffer abstraction.
- Access to the underlying FD. This makes it possible to forward
the wl_shm buffer to a parent compositor with the Wayland/X11
backends.
- Better stride checks. We can use our format table to ensure that
the stride is consistent with the bpp and width.