Format strings with length modifiers but missing format specifier like "%0"
will read one byte past the array size.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
If we're about to abort, we're already in the signal handler and cannot call
down to the default device cleanup routines (which reset, free, alloc, and
do a bunch of other things).
Add a new DEVICE_ABORT mode to signal a driver's DeviceProc that it must
reset the hardware if needed but do nothing else. An actual HW reset is only
required for some drivers dealing with the HW directly.
This is largely backwards-compatible, hence the input ABI minor bump only.
Drivers we care about either return BadValue on a mode that's not
DEVICE_{INIT|ON|OFF|CLOSE} or print an error and return BadValue. Exception
here is vmmouse, which currently ignores it and would not reset anything.
This should be fixed if the reset is required.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
This is the lazy man's %f support. Print the decimal part of the number,
then append a decimal point, then print the first two digits of the
fractional part. So %f in sigsafe printing is really %.2f.
No boundary checks in place here.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
Until we have support for them, ignore any length modifiers so we don't need
to update all callers.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
Introduced in 164b38c72f
Reported-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
Throw an error into the log file, but continue anyway. And after three
warnings, stop complaining. Not all input drivers will be fixed in time (or
ever) and our printf implementation is vastly inferior, so there is still a
use-case for non-sigsafe logging.
This also adds more linebreaks to the message.
CC: Chase Douglas <chase.douglas@canonical.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Chase Douglas <chase.douglas@canonical.com>
The mouse driver uses %i in some debug messages
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Chase Douglas <chase.douglas@canonical.com>
Also, print out the offending message format. This will hopefully help
developers track down unsafe logging.
Signed-off-by: Chase Douglas <chase.douglas@canonical.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
ErrorF() is not signal safe. Use ErrorSigSafe() whenever an error
message may be logged in signal context.
[whot: edited to "ErrorFSigSafe"]
Signed-off-by: Chase Douglas <chase.douglas@canonical.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
[whot: edited to use varargs, squashed commit below]
Signed-off-by: Chase Douglas <chase.douglas@canonical.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
os: fix vararg length calculation
Make %u and %x sizeof(unsigned int), %p sizeof(void*). This is printf
behaviour and we can't guarantee that void* is uint64_t anyway.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Chase Douglas <chase.douglas@canonical.com>
None of the FILE based functions are signal safe, including fileno(), so
we need to save the file descriptor for when we are in signal context.
Signed-off-by: Chase Douglas <chase.douglas@canonical.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
It is not safe to ever use an arbitrary (possibly user supplied) string as
part of the format for a *sprintf() call.
For example:
1. Name a Bluetooth keyboard "%n%n%n%n%n%n%n%n"
2. Pair it with a computer running X and try to use it
3. X is not happy when trying to do the following in xf86-input-evdev:
xf86IDrvMsg(pInfo, X_CONFIG, "Device: \"%s\"\n", device);
because LogVHdrMessageVerb() has put the %n from the device name
into a format string of the form:
"evdev: %n%n%n%n%n%n%n%n: Device: \"%s\"\n"
Instead, build up a log message in place by appending successive formatted
strings by sncprintf'ing to the end of the previous.
Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
The current code will write a timestamps into the logFile whenever
the last message ended with a '\n' - even if the verb for that timestamp
is at too high a level. This timestamp will sit there with no matching
message until the next call to LogVWrite with a valid verb.
In other words, in some cases, timestamps in the X.org.log are for some
completely unrelated message that was previously ignored due to
insufficient verbosity, and not for the message that appears next to it
in the log file.
We keep the current policy which appears to be to only apply timestamps if
a message is actually written to a log file. That is, no timestamps on
stderr, or in the mem buffer. Therefore, the timestamp stringification
is moved to the conditional where it is used.
Since logging uses a fixed length buffer, this patch also forces a '\n'
whenever a buffer is terminated due to a too-long write request. This
allows the newline detection to work even on overflow, and also cleans up
the log a bit in the overflow case.
Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
* space->tab
* remove comment that doesn't make any sense
Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
This is strictly the application of the script 'x-indent-all.sh'
from util/modular. Compared to the patch that Daniel posted in
January, I've added a few indent flags:
-bap
-psl
-T PrivatePtr
-T pmWait
-T _XFUNCPROTOBEGIN
-T _XFUNCPROTOEND
-T _X_EXPORT
The typedefs were needed to make the output of sdksyms.sh match the
previous output, otherwise, the code is formatted badly enough that
sdksyms.sh generates incorrect output.
The generated code was compared with the previous version and found to
be essentially identical -- "assert" line numbers and BUILD_TIME were
the only differences found.
The comparison was done with this script:
dir1=$1
dir2=$2
for dir in $dir1 $dir2; do
(cd $dir && find . -name '*.o' | while read file; do
dir=`dirname $file`
base=`basename $file .o`
dump=$dir/$base.dump
objdump -d $file > $dump
done)
done
find $dir1 -name '*.dump' | while read dump; do
otherdump=`echo $dump | sed "s;$dir1;$dir2;"`
diff -u $dump $otherdump
done
Signed-off-by: Keith Packard <keithp@keithp.com>
Acked-by: Daniel Stone <daniel@fooishbar.org>
Acked-by: Alan Coopersmith <alan.coopersmith@oracle.com>
"log.c", line 382: warning: assignment type mismatch:
pointer to char "=" pointer to const char
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
LogVHdrMessageVerb allows a custom header to be inserted in a log message,
between the Log system's MessageType string, and a formatted variable
message body. The custom header can itself be a formatted variable string.
These functions can be used, for example, by driver abstraction layers to
format specific driver messages in a standard format, but do it in a way
that is efficient, obeys the log-layers verbosity settings, and is safe
to use in signal handlers (because they don't call malloc), even for
types besides X_NONE.
Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Also, optimize how the type and format strings are combined.
Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>
Reviewed-by: Guillem Jover <guillem@hadrons.org>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Instead of just closing the log when everything is done, put one more
message in stating that we're actually terminating. Users or scripts that
look at the Xorg.log will then know that a) the server has terminated
properly and b) why the server terminated (to some degree, given that most
real-world errors will be caused by AbortServer()).
Acked-by: Gaetan Nadon <memsize@videotron.ca>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
Tested-by: Jeremy Huddleston <jeremyhu@apple.com>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
Tested-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Reviewed-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
access.c:1492:20: error: equality comparison with extraneous parentheses [-Werror,-Wparentheses]
if ((host->family == FamilyServerInterpreted)) {
~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~
access.c:1492:20: note: use '=' to turn this equality comparison into an assignment
if ((host->family == FamilyServerInterpreted)) {
^~
=
access.c:1492:20: note: remove extraneous parentheses around the comparison to silence this warning
if ((host->family == FamilyServerInterpreted)) {
~ ^ ~
In file included from xstrans.c:8:
In file included from /usr/X11/include/X11/Xtrans/transport.c:62:
/usr/X11/include/X11/Xtrans/Xtranssock.c:262:5: error: implicit declaration of function 'ErrorF' is invalid in C99
[-Werror,-Wimplicit-function-declaration]
PRMSG (3,"SocketSelectFamily(%s)\n", family, 0, 0);
^
log.c:180:29: error: format string is not a string literal [-Werror,-Wformat-nonliteral]
if (asprintf(&logFileName, fname, display) == -1)
^~~~~
log.c:190:26: error: format string is not a string literal [-Werror,-Wformat-nonliteral]
if ((asprintf(&suffix, backup, display) == -1) ||
^~~~~~
log.c:382:25: error: format string is not a string literal [-Werror,-Wformat-nonliteral]
LogVWrite(verb, tmpBuf, args);
^~~~~~
Signed-off-by: Jeremy Huddleston <jeremyhu@apple.com>
Reviewed-by: Jamey Sharp <jamey@minilop.net>
Doesn't seem to be any reason to just not pass the error string
as another argument directly to LogVWrite()
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Mikhail Gusarov <dottedmag@dottedmag.net>
Reviewed-by: Julien Cristau <jcristau@debian.org>
This patch has been generated by the following Coccinelle semantic patch:
@@
expression E;
@@
- if (E != NULL)
- free(E);
+ free(E);
Signed-off-by: Cyril Brulebois <kibi@debian.org>
Reviewed-by: Matt Turner <mattst88@gmail.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Use the values from xproto rather than duplicating the effort
Signed-off-by: Jeremy Huddleston <jeremyhu@apple.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
The only remaining X-functions used in server are XNF*, the rest is converted to
plain alloc/calloc/realloc/free/strdup.
X* functions are still exported from server and x* macros are still defined in
header file, so both ABI and API are not affected by this change.
Signed-off-by: Mikhail Gusarov <dottedmag@dottedmag.net>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Xext/xf86bigfont.c contains three non-static functions which are called
elsewhere in the server. This creates a new header containing these
declarations in order to fix several warnings:
xf86bigfont.c:285: warning: no previous prototype for `XF86BigfontFreeFontShm'
dixfonts.c:502: warning: implicit declaration of function `XF86BigfontFreeFontS$
dixfonts.c:502: warning: nested extern declaration of `XF86BigfontFreeFontShm'
log.c:436: warning: implicit declaration of function `XF86BigfontCleanup'
log.c:436: warning: nested extern declaration of `XF86BigfontCleanup'
Signed-off-by: Yaakov Selkowitz <yselkowitz@users.sourceforge.net>
Reviewed-by: Julien Cristau <jcristau@debian.org>
The problem fixed by this patch can be reproduced on Linux with the
following steps.
- Access NULL pointer intentionally in ProcessOtherEvent on key press.
- Instead of saving core dump to a file, write it into a pipe.
echo "|/usr/sbin/my-core-dumper" > /proc/sys/kernel/core_pattern
- Dump the core by pressing a key.
While the core is being dumped into the pipe, the smart schedule timer
will cause a pending SIGALRM. Linux kernel stops writing data to the
pipe when there are pending signals. This causes the core dump to be
truncated. On my system I'm expecting a 6 MB dump but the size will be
60 kB instead. The problem is solved if we block the SIGALRM caused by
expired smart schedule timer.
I haven't been able to reproduce this problem in the following cases.
- Save core dump to a file instead of a pipe.
- kill -SEGV `pidof Xorg`
- Press a key to dump core while gdb is attached to Xorg.
- Give option -dumbSched to Xorg.
Also note that the fix works only when NoTrapSignals has the default
value FALSE. The problem can still be reproduced if error signals
aren't trapped. In addition to pending SIGALRM, there is a similar
problem with pending SIGIO from the keyboard driver during core dump.
Signed-off-by: Rami Ylimaki <ext-rami.ylimaki@nokia.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
Add timestamps in seconds derived from clock_monotonic to the log
file.
Signed-off-by: Auke Kok <auke-jan.h.kok@intel.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
FWIW default log verbosity is 0, so this will affect only if one start the
server with a different -verbose argument.
Signed-off-by: Tiago Vignatti <tiago.vignatti@nokia.com>
Acked-by: Rami Ylimaki <ext-rami.ylimaki@nokia.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
LogVWrite is limited to a buffer size of 1024, so we don't loose anything here
by truncating. This way we can use LogVMessageVerb (and xf86Msg and friends)
during signal handlers with the normal message types.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Acked-by: Alan Coopersmith <alan.coopersmith@sun.com>
Save in a few special cases, _X_EXPORT should not be used in C source
files. Instead, it should be used in headers, and the proper C source
include that header. Some special cases are symbols that need to be
shared between modules, but not expected to be used by external drivers,
and symbols that are accessible via LoaderSymbol/dlopen.
This patch also adds conditionally some new sdk header files, depending
on extensions enabled. These files were added to match pattern for
other extensions/modules, that is, have the headers "deciding" symbol
visibility in the sdk. These headers are:
o Xext/panoramiXsrv.h, Xext/panoramiX.h
o fbpict.h (unconditionally)
o vidmodeproc.h
o mioverlay.h (unconditionally, used only by xaa)
o xfixes.h (unconditionally, symbols required by dri2)
LoaderSymbol and similar functions now don't have different prototypes,
in loaderProcs.h and xf86Module.h, so that both headers can be included,
without the need of defining IN_LOADER.
xf86NewInputDevice() device prototype readded to xf86Xinput.h, but
not exported (and with a comment about it).