Fixes heap-use-after-free:
==32046==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000064d20 at pc 0x55571ce4d303 bp 0x7fff545c64c0 sp 0x7fff545c64b0
WRITE of size 8 at 0x615000064d20 thread T0
#0 0x55571ce4d302 in xdg_decoration_handle_destroy ../sway/xdg_decoration.c:13
#1 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29
#2 0x7f64009d3c46 in toplevel_decoration_handle_resource_destroy ../types/wlr_xdg_decoration_v1.c:65
#3 0x7f6400a19f8d (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7f8d)
#4 0x7f6400a19fed in wl_resource_destroy (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7fed)
#5 0x7f64009d3d1f in toplevel_decoration_handle_surface_destroy ../types/wlr_xdg_decoration_v1.c:82
#6 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29
#7 0x7f64009b059c in reset_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:453
#8 0x7f64009b0688 in destroy_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:483
#9 0x7f64009af08c in xdg_client_handle_resource_destroy ../types/xdg_shell/wlr_xdg_shell.c:71
#10 0x7f6400a19f8d (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7f8d)
#11 0x7f6400a1e211 (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0xc211)
#12 0x7f6400a1e6fe (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0xc6fe)
#13 0x7f6400a1a0ec in wl_client_destroy (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x80ec)
#14 0x7f6400a1a1c4 (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x81c4)
#15 0x7f6400a1b941 in wl_event_loop_dispatch (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x9941)
#16 0x7f6400a1a569 in wl_display_run (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x8569)
#17 0x55571ce4c7fd in server_run ../sway/server.c:214
#18 0x55571ce4ad59 in main ../sway/main.c:405
#19 0x7f640071109a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
#20 0x55571ce2cfa9 in _start (/usr/local/bin/sway+0x35fa9)
0x615000064d20 is located 32 bytes inside of 504-byte region [0x615000064d00,0x615000064ef8)
freed by thread T0 here:
#0 0x7f6401531b70 in free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedb70)
#1 0x55571ce6c72b in destroy ../sway/desktop/xdg_shell.c:252
#2 0x55571cee3f7b in view_destroy ../sway/tree/view.c:60
#3 0x55571cee4090 in view_begin_destroy ../sway/tree/view.c:73
#4 0x55571ce6dd95 in handle_destroy ../sway/desktop/xdg_shell.c:464
#5 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29
#6 0x7f64009b059c in reset_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:453
#7 0x7f64009b0688 in destroy_xdg_surface ../types/xdg_shell/wlr_xdg_surface.c:483
#8 0x7f64009af08c in xdg_client_handle_resource_destroy ../types/xdg_shell/wlr_xdg_shell.c:71
#9 0x7f6400a19f8d (/usr/lib/x86_64-linux-gnu/libwayland-server.so.0+0x7f8d)
previously allocated by thread T0 here:
#0 0x7f6401532138 in calloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xee138)
#1 0x55571ce6df39 in handle_xdg_shell_surface ../sway/desktop/xdg_shell.c:485
#2 0x7f64009d6f36 in wlr_signal_emit_safe ../util/signal.c:29
#3 0x7f64009b0167 in handle_xdg_surface_commit ../types/xdg_shell/wlr_xdg_surface.c:350
#4 0x7f64009ce2a5 in surface_commit_pending ../types/wlr_surface.c:372
#5 0x7f64009ce523 in surface_commit ../types/wlr_surface.c:444
#6 0x7f63ff63ddad in ffi_call_unix64 (/usr/lib/x86_64-linux-gnu/libffi.so.6+0x5dad)
Fixes #3759
This makes it so running `move [to] scratchpad` on a container already
in the scratchpad does not return an error. To match i3's behavior, a
visible scratchpad container will be hidden and a hidden scratchpad
container will be treated as a noop.
This modifies the places where output_get_active_workspace is called to
handle a NULL result. Some places already handled it and did not need a
change, some just have guard off code blocks, others return errors, and
some have sway_asserts since the case should never happen. A lot of this
is probably just safety precautions since they probably will never be
called when `output_get_active_workspace` is not fully configured with a
workspace.
If an output's node was dirty and the transaction was committed before a
workspace was moved to or created for the output, the instruction would
have a bad value for `state->active_workspace` due to a missing
length check in `output_get_active_workspace`. If there was no focus on
the output, the first workspace was being returned. If the workspace
list was currently empty, the value was either garbage, or in the case of
an output being disabled and re-enabled, a workspace that may have been
previously freed. This just adds the length check to avoid returning an
out of bounds value.
Fixes memory leaks in the form of:
Direct leak of 24 byte(s) in 1 object(s) allocated from:
#0 0x7f5f7c2f4f30 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedf30)
#1 0x563c799569f2 in ipc_recv_response ../common/ipc-client.c:94
#2 0x563c79957062 in ipc_single_command ../common/ipc-client.c:138
#3 0x563c798a56cc in run_as_ipc_client ../sway/main.c:127
#4 0x563c798a6a3a in main ../sway/main.c:349
#5 0x7f5f7b4d609a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
Fixes memory leaks in the form of:
Direct leak of 20 byte(s) in 1 object(s) allocated from:
#0 0x7f5f7c2f4f30 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xedf30)
#1 0x563c7995b36a in join_args ../common/stringop.c:268
#2 0x563c798a6a1a in main ../sway/main.c:348
#3 0x7f5f7b4d609a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
This calls `workspace_consider_destroy` on the workspace that was
visible on an output that a workspace was just evacuated to. This
prevents having hidden empty workspaces.
This changes `workspace_next_name` to use the next available number as
the workspace name instead of the number of outputs. This fixes the case
where a number that is already in use could be returned. The workspace
numbers in use have no relation to the number of outputs so it makes
more sense to use the lowest available number.
This documents the wildcard character for both inputs and seats. There
is also a tip added on trying the wildcard to verify a setting if the
identifier does not appear to be working.
This fixes the issue of the display freezing on reload with
wlroots#1545.
On master, all output configs are applied on reload. This may cause an
output to have its config applied up to three times, instead of just
once. The three cases are: output name, output identifier, and wildcard.
Not only is this inefficient, but it can cause swaybg to be spawned and
immediately killed.
However, swaybg requires two roundtrips of wl_display (to obtain needed
globals) before it enters its normal event loop. Modesetting will
roundtrip the wl_display. Without modesetting, waitpid for killing
swaybg could block infinitely due to swaybg being blocked by
wl_display_roundtrip.
This only configures an output once. It either uses the wildcard config
or creates an empty wildcard config and applies that. This also fixes a
bug where an output would not be reset when there is no output config to
apply to it.
On the DRM backend, if an output is dpms'd off and a different output is
hotplugged, the CRTC for the output is reclaimed. When modesetting an
output without a CRTC, a CRTC will not be given to an output that is not
desired to be enabled. This splits setting the dpms state in
apply_output_config. If the output should be dpms on, then it is enabled
before attempting to modeset. Otherwise, it is dpms'd off after setting
everything else.
This also adds DPMS_ON to the default output configs.
In seatop_move_tiling, it is possible to cause a stack overflow by
dragging a container into one of its descendants. This disables the
ability to move into a descendant.
This allows the focused inactive tree node and visible workspaces to be
changed while a surface layer has focus. The layer temporarily loses
focus, the tree focus changes, and the layer gets refocused.
When moving a descendant of a tabbed or stacked container, it is possible
for the target node to be the node being moved. This causes a segfault in
`handle_finish` since the node will be detached and then attempted to be
attached to its own parent, which is NULL due to the detach. In this
case, the target node should not be set to the node being moved, but the
parent of the node. This also allows for a descendant of a tabbed or
stacked container to be dragged out of the tabs/stacks and to be a
sibling of the tabbed/stacked container, which was not previously
possible.
It is possible for `wlr_surface_is_subsurface` to return true, but
`wlr_surface_from_wlr_surface` to be NULL. This adds a NULL check to the
value returned by `wlr_surface_from_wlr_surface` and breaks out of the
while loop in `subsurface_get_root_coords`.
In handle_cursor_motion, the timestamp passed to
`wlr_relative_pointer_manager_v1_send_relative_motion` should be
microseconds (not milliseconds) according to the relative-pointer-v1 spec.
When a layer surface is focused, `seat_get_focused_workspace` will be
NULL. This changes `workspace_get_initial_output` to use output of the
focus inactive. If the focus inactive is also NULL, then either the
first output or the noop output will be used as fallbacks.
This aborts sway and displays an error message about XDG_RUNTIME_DIR
not being set without initializing the wl_display or logging any other
information.
This fixes a few misc memory leaks reported by asan:
- Items of `config->config_chain` are now freed instead of just the list
itself
- `bar->swaybar_command` is now freed
- The result returned by a seat subcommand is now returned instead of
leaked
If the active xkb_layout does not have a name, use `NULL` instead of
`json_object_new_string(NULL)`. This also makes it so swaymsg will pretty
print this as `(unnamed)`.
If `repeat_rate` or `repeat_delay` is set without the other being set,
the default was being used for both. This changes the logic to respect
the value given and use the default for the other when only one is set.
If the bar was set to "invisible" and subsequently "toggle" was sent twice, the
new mode was never set and the bar->mode was double freed.
Fix this by not requiring the bar->mode to be "hide" and instead show it
unconditionally, because it was either hidden or invisible.
Fixes #3637
It is possible to make the title bars have a zero pixel height while
stacked, by using a blank font and no padding. This causes a division by
zero when attempting to calculate the child index in
container_at_stacked, which then results in a segfault when attempting
to access the child at that bad index (INT_MIN). This just skips the
check to see if the cursor is over a title bar of a child of a stacked
container when the title bar height is zero since there will be no title
bars.
sway-bar(5) documents `modifier none`, which comes from i3. This
implements the functionality for `modifier none` since it was not
previously implemented. The bar modifier toggles visibility of the bar
when the bar mode is set to hide. When the bar modifier is set to
`none`, the ability to toggle visibility of the bar will be disabled.
Since a tablet tool provides the WL_SEAT_CAPABILITY_POINTER capability,
sway will attempt to use the xcursor manager to set a cursor image. If
the tablet tool was the first (and possibly only) device to provide the
capability for the seat, the xcursor manager was not being configured
before attempting to set a cursor image. This was due to
`seat_configure_xcursor` only being called in `seat_configure_pointer`.
Since the xcursor manager was NULL in this case, it would cause a
segfault when attempting to set a cursor image. This adds a call to
`seat_configure_xcursor` in `seat_configure_tablet_tool` to ensure that
the seat has an xcursor manager.
Since `load_include_config` compares against the realpath of a config
file when checking if a config has already been added, the main config's
realpath has to be added to the config_chain.
However, includes from the main config should be processed relative to
the path given to allow for symbolic links. This stores the realpath in
`config->config_chain`, but uses the given path for all other
operations.
When both options and positional arguments are given, sway would print
the error `Don't use options with the IPC client`. Over the past
several months, it seems like users are including this error message in
issues instead of a debug log due to not understanding that the error
message means there is an issue with their command.
This makes the error message more verbose and will hopefully make it so
more users understand that the message is not a bug in sway, but with
the command used.
Since `load_include_config` compares against the realpath of a config
file when checking if a config has already been added, the main config's
realpath has to be added to the config_chain.
wlr_xdg_popup_destroy will destroy popups, so we need to walk the tree
carefully. It's enough to just destroy all direct children, since destroying
the parent will also destroy all children.
If output_cmd_background is given a valid mode as the first argument,
then there is no file given and an error should be returned.
join_args should not be called with an argc of zero since it sets the
last character to the null terminator. With an argc of zero, the length
is zero causing a heap buffer overflow when setting the byte before the
start of argv to '\0'. This probably will not ever generate a segfault,
but may cause data corruption to whatever is directly before it in
memory. To make other such cases easier to detect, this also adds a
sway_assert in join_args when argc is zero.
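The off-by-one write described in the message above, shown with its guard, as an added example that is not part of the commit or of sway's source. `join_args_checked` is a hypothetical re-creation of an argv joiner and the sample arguments are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical re-creation of an argv joiner, not sway's join_args.
 * Joins argv[0..argc) with single spaces into a freshly allocated string.
 * Returns NULL when argc <= 0 or on allocation failure. */
char *join_args_checked(char **argv, int argc) {
	if (argv == NULL || argc <= 0) {
		/* Without this guard len stays 0 below, and res[len - 1] = '\0'
		 * writes one byte in front of the allocation. */
		return NULL;
	}
	size_t len = 0;
	for (int i = 0; i < argc; ++i) {
		len += strlen(argv[i]) + 1; /* word plus separator or terminator */
	}
	char *res = malloc(len);
	if (res == NULL) {
		return NULL;
	}
	size_t pos = 0;
	for (int i = 0; i < argc; ++i) {
		size_t n = strlen(argv[i]);
		memcpy(res + pos, argv[i], n);
		pos += n;
		res[pos++] = ' ';
	}
	res[len - 1] = '\0'; /* replaces the trailing separator; len >= 1 here */
	return res;
}

int main(void) {
	char *args[] = {"exec", "swaymsg", "reload"}; /* constructed sample */
	char *joined = join_args_checked(args, 3);
	printf("%s\n", joined ? joined : "(null)");
	free(joined);
	char *none = join_args_checked(args, 0);
	printf("%s\n", none ? "joined" : "argc == 0 rejected");
	free(none);
	return 0;
}
```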
This fixes a double free in cmd_workspace_gaps when the amount given is
invalid. The end pointer from strtol is part of the argument and should
not be freed. Freeing the end pointer could result in a double free or
bad free depending on whether or not the end pointer was at the start of
the argument.
This removes quote stripping for `exec_always` in `execute_command`.
Since `exec_always` commands will be deferred in the config and
processed by `execute_command`, the quotes need to be left intact
like they are for `exec`.
This fixes the failure condition for the wordexp call in
load_include_configs. The only success value is zero. Since the error
codes are positive, having the check be less than zero was causing
segfaults on failure when accessing the words.
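The return-value check described in the message above, as an added example that is not part of the commit or of sway's source. `count_include_paths` is a hypothetical helper, the use of `WRDE_NOCMD` is an assumption of this example, and the sample patterns are constructed.

```c
#include <stdio.h>
#include <wordexp.h>

/* Hypothetical helper, not sway's load_include_configs.
 * Expands an include pattern and returns the number of resulting words,
 * or -1 if wordexp() reported any error. */
int count_include_paths(const char *pattern) {
	wordexp_t p = {0};
	/* WRDE_NOCMD (an assumption of this example) makes wordexp() fail with
	 * WRDE_CMDSUB instead of running command substitutions. */
	int rc = wordexp(pattern, &p, WRDE_NOCMD);
	if (rc != 0) {
		/* WRDE_BADCHAR, WRDE_CMDSUB, WRDE_SYNTAX, ... are all positive, so
		 * an `rc < 0` test never fires and the caller would go on to read
		 * p.we_wordv after a failed expansion. */
		if (rc == WRDE_NOSPACE) {
			wordfree(&p); /* part of the result may have been allocated */
		}
		return -1;
	}
	int count = (int)p.we_wordc;
	wordfree(&p);
	return count;
}

int main(void) {
	/* Constructed samples: two plain paths, then three patterns that fail. */
	const char *samples[] = {
		"/etc/sway/config.d/a /tmp/b", "$(echo x)", "\"open", "a|b",
	};
	for (size_t i = 0; i < sizeof samples / sizeof *samples; ++i) {
		printf("%-30s -> %d\n", samples[i], count_include_paths(samples[i]));
	}
	return 0;
}
```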
If a seat does not exist in seat_cmd_cursor, do not create it. A seat
without any attachments is useless since it will have no capabilities.
This changes `input_manager_get_seat` to have an additional argument
that dictates whether or not to create the seat if it does not exist.
This allows for `-` (hyphen) to be used as an alias for the current seat
while sway is running. This alias was chosen since it is unlikely to
interfere with any desirable seat identifier.
This changes the `pointer_constraint` command to be a subcommand of seat
to allow for per-seat settings. The current implementation that is not a
seat subcommand will only operate on the current seat and will segfault
in the config due to `config->handler_context.seat` only being set at
runtime.
This also allows for the wildcard identifier to be used to alter the
pointer constraint settings on all seats and allows for the setting to
be merged with the rest of the seat config.
Updates sway.5 to include information on the usage of the `--whole-window` option in the context of the `bindsym` command, which modifies mouse bindings to allow them to operate over the whole window instead of just the titlebar. Also includes the disclaimer about mouse bindings only working over the title bar.
Also fixes the escaping of the `BTN_LEFT` and `BTN_RIGHT` key mention.
Add notes on --border and --exclude-titlebar
Update the flags for bindcode command.
This cleans up the log when sway fails to read a config file. The
following changes have been made:
- A missing error message has been added to the log when the config file
is a directory instead of a regular file
- In main, `goto` statements have been added after the `sway_terminate`
calls instead of wrapping every block in `if (!terminate_request)`
- Unnecessary NULL-checks around calls to free in `main` have been
removed
- Deferred command execution has been extracted to a separate function
and the `Running deferred commands` log message will not be shown when
there are no deferred commands.
Add a sentence to sway-output.5.scd to highlight that the cursor can
only be moved between immediately adjacent outputs.
References issue #3529
Signed-off-by: Peter Grayson <pete@jpgrayson.net>
Don't access xdg_surface->toplevel if xdg_surface->role is equal to
WLR_XDG_SURFACE_ROLE_NONE, since this could lead to a crash. The same
checks are added for xdg_surface_v6.
Fixes #3311
Just a convenience function that improves readability of the code.
Other things worth noting:
* container_get_siblings and container_sibling_index no longer use the
const keyword
* container_handle_fullscreen_reparent is only ever called after
attaching the container to a workspace, so its con->workspace check has
been changed to an assertion
The goal here is to center fullscreen views when they are both too small
for the output and refuse to resize to the output's dimensions. It has
the side effect of also centering the view when it's too small for its
container.
Example clients that have this behaviour are emersion's hello-wayland
and weston.
It works by introducing surface_{x,y,width,height} properties to the
container struct. The x and y represent layout-local coordinates where
the surface will be rendered. The width and height are only used to
track the surface's previous dimensions so we can detect when the client
has resized it and recenter and apply damage accordingly.
The new surface properties are calculated when a transaction is applied,
as well as when a view resizes itself unexpectedly. The latter is done
in view_update_size. This function was previously restricted to views
which are floating, but can now be called for any views.
For views which refuse to resize *smaller* than a particular size, such
as gnome-calculator, the surface is still anchored to the top left as
per the current behaviour.