This fixes a heap-use-after-free when the session is destroyed before
the backend during wl_display_destroy:
==1085==ERROR: AddressSanitizer: heap-use-after-free on address 0x614000000180 at pc 0x7f88e3590c2d bp 0x7ffdc4e33f90 sp 0x7ffdc4e33f80
READ of size 8 at 0x614000000180 thread T0
#0 0x7f88e3590c2c in find_device ../subprojects/wlroots/backend/session/session.c:192
#1 0x7f88e3590e85 in wlr_session_close_file ../subprojects/wlroots/backend/session/session.c:204
#2 0x7f88e357b80c in libinput_close_restricted ../subprojects/wlroots/backend/libinput/backend.c:24
#3 0x7f88e21af274 (/lib64/libinput.so.10+0x28274)
#4 0x7f88e21aff1d (/lib64/libinput.so.10+0x28f1d)
#5 0x7f88e219ddac (/lib64/libinput.so.10+0x16dac)
#6 0x7f88e21b415d in libinput_unref (/lib64/libinput.so.10+0x2d15d)
#7 0x7f88e357c9d6 in backend_destroy ../subprojects/wlroots/backend/libinput/backend.c:130
#8 0x7f88e3545a09 in wlr_backend_destroy ../subprojects/wlroots/backend/backend.c:50
#9 0x7f88e358981a in multi_backend_destroy ../subprojects/wlroots/backend/multi/backend.c:54
#10 0x7f88e358a059 in handle_display_destroy ../subprojects/wlroots/backend/multi/backend.c:107
#11 0x7f88e314acde (/lib64/libwayland-server.so.0+0x8cde)
#12 0x7f88e314b466 in wl_display_destroy (/lib64/libwayland-server.so.0+0x9466)
#13 0x559fefb52385 in main ../main.c:67
#14 0x7f88e2639152 in __libc_start_main (/lib64/libc.so.6+0x27152)
#15 0x559fefb4297d in _start (/home/simon/src/glider/build/glider+0x2297d)
0x614000000180 is located 320 bytes inside of 416-byte region [0x614000000040,0x6140000001e0)
freed by thread T0 here:
#0 0x7f88e3d0a6b0 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:122
#1 0x7f88e35b51fb in logind_session_destroy ../subprojects/wlroots/backend/session/logind.c:270
#2 0x7f88e35905a4 in wlr_session_destroy ../subprojects/wlroots/backend/session/session.c:156
#3 0x7f88e358f440 in handle_display_destroy ../subprojects/wlroots/backend/session/session.c:65
#4 0x7f88e314acde (/lib64/libwayland-server.so.0+0x8cde)
previously allocated by thread T0 here:
#0 0x7f88e3d0acd8 in __interceptor_calloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:153
#1 0x7f88e35b911c in logind_session_create ../subprojects/wlroots/backend/session/logind.c:746
#2 0x7f88e358f6b4 in wlr_session_create ../subprojects/wlroots/backend/session/session.c:91
#3 0x559fefb51ea6 in main ../main.c:20
#4 0x7f88e2639152 in __libc_start_main (/lib64/libc.so.6+0x27152)
This requires functions without a prototype definition to be static.
This allows to detect dead code, export less symbols and put shared
functions in headers.
libinput_event_touch_get_slot always returns -1 for single touch devices. Using
libinput_event_touch_get_seat_slot instead ensures that they are assigned actual
slot ids.
Also, this is what Weston does, so this change yields a more consistent
behaviour between different compositors.
Frame events group logically connected pointer events. It makes sense to make
the backend responsible for sending frame events, since once the events are
split (ie. once the frame events are stripped) it's not easy to figure out
which events belongs to which frame again.
This is also how Weston handles frame events.
Fixes https://github.com/swaywm/wlroots/issues/1468
A few pedantic changes and unused variables (1-4), and genuine bugs (5,
6).
The reports with the corresponding files and lines numbers are as
follows.
1. backend/libinput/tablet_pad.c@31,44,57
"Allocator sizeof operand mismatch"
"Result of 'calloc' is converted to a pointer of type 'unsigned int',
which is incompatible with sizeof operand type 'int'"
2. types/tablet_v2/wlr_tablet_v2_pad.c@371
"Allocator sizeof operand mismatch"
"Result of 'calloc' is converted to a pointer of type 'uint32_t', which
is incompatible with sizeof operand type 'int'"
3. types/wlr_cursor.c@335
"Dead initialization"
"Value stored to 'dx'/'dy' during its initialization is never read"
4. rootston/xdg_shell.c@510
"Dead initialization"
"Value stored to 'desktop' during its initialization is never read"
5. types/tablet_v2/wlr_tablet_v2_pad.c@475
"Dereference of null pointer"
"Access to field 'strips' results in a dereference of a null pointer
(loaded from field 'current_client')"
The boolean logic was incorrect (c.f. the check in the following
function).
6. examples/idle.c@163,174,182
"Uninitialized argument value"
"1st function call argument is an uninitialized value"
If close_timeout != 0, but simulate_activity_timeout >= close_timeout,
the program would segfault at pthread_cancel(t1).
The previous naming was based on the input-device capability names from
libinput.
With code that uses the libinput_tablet_tool and mapping into tablet-v2,
this is confusing, so the name is changed to follow the names used in
the protocol.
This adds the management code to manage tablet tools lifetimes from
libinput.
It follows the suggestion made in the tablet-unstable-v2.xml to destroy
tablet_tools once all tablets that it got into contact with were removed
from the system. This is implemented via a refcount.
If a tool is *not* unique, it will be destroyed on proximity out. This
is libinput specific and mentioned in libinput docs that tools will not
be found again, so we shouldn't keep a reference to them.
Also they can't be on other tablets as well, because they cannot be
tracked.
The naming in this commit is a bit off (to not break things).
The wlr names stay the same, tablet_tool is the libinput_device with
capaiblity LIBINPUT_DEVICE_CAP_TABLET_TOOL which is more akin to
"tablet" in the tablet-unstable-v2 protocol.
The struct that corresponds to the tablet_tool in tablet-unstable-v2 is
called tablet_tool_tool, a rename should be done at some point in the
future.
The backend destroy signal is emitted before the output_remove
signal is. When the destroy signal is emitted listeners remove
their output_remove listener, so the output_remove signal is never
received and listeners have an invalid output pointer.
The correct way to solve this would be to remove the output_remove
signal completely and use the wlr_output.events.destroy signal
instead. This isn't yet possible because wl_signal_emit is unsafe
and listeners cannot be removed in listeners.
We now use doubles until the last minute, which makes it so we can move
the pointer more precisely. This also includes a fix for tablet tools,
which move absolutely and sometimes do not update the X or Y axis.
In pointer.c, some axis event was emitted even if the event pointer did not have
current axis.
In X11 backend pointer scroll events seem to be composed of both BUTTON_PRESS
and BUTTON_RELEASE. Therefore we should skip one of them (RELEASE) to avoid
event duplication.
This runs through events pending at init on initialization so we can
tell if some devices are available.
Note that with the way wlr_device_lists is managed, this checks that
there is at least one device we handle - it doesn't have to be a
keyboard, but there is at least a mouse or tablet_pad or something
that we care about.
Instead of failing inconditionally it might be better to leave the
decision to the user, e.g. add a "backend_has_devices" function to
call later.
(Tested by moving /dev/input off)
Fixes#24.
- 'libinput' (backend's) to libinput_context
- 'device' (libinput_device) to libinput_dev
- 'dev' (wlr_device) to wlr_dev
- 'devices' lists tangling of libinput devices to wlr_devices
- 'devices' list of wlr_devices in backend state to wlr_device_lists