Merge topic branch t/overflow into master This series implements a new memory allocation API which checks for overflows. The first part of the series just renames the main allocation functions. Later patches in the series implement allocators which take two size_t arguments (like calloc(3)) and check whether the multiplication overflows by employing the __builtin_mul_overflow() primitive supported by gcc and clang. This requires us to bump the lowest supported gcc and clang version. * refs/heads/t/overflow: build: Compile with -ftrapv. string: Introduce arr_zalloc(). string: Introduce arr_alloc(). string: Introduce arr_realloc() and check for integer overflow. string: Rename para_calloc() -> zalloc(). string: Rename para_malloc() -> alloc(). string: Overhaul para_strdup().
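The overflow check the series describes, as an added illustration (not paraslash's string.c): the element count and element size are multiplied with __builtin_mul_overflow() so a wrapped byte count never reaches malloc(3). Returning NULL on overflow and the helper name size_mul() are assumptions of this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not paraslash's code. __builtin_mul_overflow() needs
 * gcc >= 5 or clang >= 3.8, which is why the series bumps the minimum
 * compiler versions. Returning NULL on overflow is an assumption here. */
static int size_mul(size_t nmemb, size_t size, size_t *bytes)
{
	if (__builtin_mul_overflow(nmemb, size, bytes))
		return -1; /* nmemb * size does not fit in size_t */
	if (*bytes == 0)
		*bytes = 1; /* malloc(0) may legitimately return NULL */
	return 0;
}

void *arr_alloc(size_t nmemb, size_t size)
{
	size_t bytes;
	return size_mul(nmemb, size, &bytes) < 0 ? NULL : malloc(bytes);
}

void *arr_zalloc(size_t nmemb, size_t size)
{
	size_t bytes;
	void *p;
	if (size_mul(nmemb, size, &bytes) < 0 || !(p = malloc(bytes)))
		return NULL;
	return memset(p, 0, bytes);
}

/* Check helpers: a wrapping product must be rejected, an honest one zeroed. */
int rejects_wrapping_product(void)
{
	/* (SIZE_MAX / 2 + 1) * 2 wraps to exactly 0 in size_t arithmetic */
	void *p = arr_alloc(SIZE_MAX / 2 + 1, 2);
	free(p); /* must be NULL; free(NULL) is a no-op */
	return p == NULL;
}

int zalloc_is_zeroed(size_t n)
{
	unsigned char *p = arr_zalloc(n, sizeof(*p));
	size_t i, sum = 0;
	if (!p) return 0;
	for (i = 0; i < n; i++) sum += p[i];
	free(p);
	return sum == 0;
}
```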
Merge branch 'refs/heads/t/ll' Two little cleanups related to the logging facility and two commits which add the ll command to para_server and para_audiod. The merge resulted in a conflict in afs.c due to the earlier merge of the poll topic branch which replaced all calls to select() by calls to poll(). The implementation of the ll server command introduced a new caller of select(), afs_select(), which needs to be replaced by afs_poll() to resolve the conflict. * refs/heads/t/ll: New server command: ll to change the log level at runtime. New audiod command: ll to change the log level at runtime. daemon: Kill get_loglevel_by_name(). server/audiod: Don't parse loglevel argument unnecessarily.
Switch from select(2) to poll(2). The select(2) API is kind of obsolete because it does not work for file descriptors greater than or equal to 1024. The general advice is to switch to poll(2), which offers equivalent functionality and does not suffer from this restriction. This patch implements this switch. The fd sets of select(2) have one nice feature: One can determine in O(1) time whether the bit for a given fd is turned on in an fd set. For poll(2), the monitored file descriptors are organized in an array of struct pollfd. Without information about the given fd's index in the pollfd array, one can only perform a linear search which requires O(n) time, with n being the number of fds being watched. Since this would have to be done for each fd, the running time becomes quadratic in the number of monitored fds, which is bad. Keeping the pollfd array sorted would reduce that to n * log(n) at the cost of additional work at insert time. This patch implements a different approach. The scheduler now maintains an additional array of unsigned integers which map fds to indices into the pollfd array. This new index array is transparent to the individual tasks, which still simply pass one or more fds from their ->pre_monitor() method to the scheduler. The length of the index array equals the highest fd given. This might become prohibitive in theory, but should not be an issue for the time being. Care needs to be taken in order to deal with callers which ask for the readiness of an fd without having called sched_monitor_readfd() or sched_monitor_writefd() in the ->pre_monitor() step. Before the patch, thanks to the FD_ZERO() call at the beginning of each iteration of the scheduler's main loop, both sched_read_ok() and sched_write_ok() returned false for fds which were not asked to be watched. We need to keep it this way for a seamless transition. We achieve this by replacing the FD_ZERO() call by a memset(3) call which fills the index array with 0xff bytes.
Both sched_read_ok() and sched_write_ok() call the new get_revents() helper, where we check the fd argument against the allocation sizes of the two arrays. If either function is called with an fd that was not asked to be monitored in the ->pre_monitor() step, the checks notice that the index of this fd, 0xffffffff, is larger than the highest open fd and we return "not ready for I/O". Another issue is the case where the same file descriptor is submitted twice in ->pre_monitor() to check for readiness with respect to both reading and writing. The code in client_common.c currently does that. To keep it working, the scheduler needs to detect this case and re-use the existing slot in both arrays.
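The index-array scheme from the two commit messages above, as an added example that is not paraslash's sched.c: the memset() of 0xff replaces FD_ZERO(), a duplicate submission re-uses its slot, and get_revents() bounds-checks the index so unwatched fds report "not ready". The fixed capacity MAX_FDS and the UNWATCHED name are assumptions of this example (paraslash sizes the index array by the highest fd submitted).

```c
#include <poll.h>
#include <string.h>

/* Added example, not paraslash's code. Capacity and names are assumed. */
#define MAX_FDS 64
#define UNWATCHED 0xffffffffu
struct sched {
	struct pollfd pfd[MAX_FDS]; /* what gets passed to poll(2) */
	unsigned num_pfd;           /* used entries of pfd[] */
	unsigned pidx[MAX_FDS];     /* fd -> index into pfd[], or UNWATCHED */
};

/* Start of each scheduler iteration: the memset() replaces FD_ZERO(). */
void sched_reset(struct sched *s)
{
	s->num_pfd = 0;
	memset(s->pidx, 0xff, sizeof(s->pidx));
}

/* Submit fd with events; a second submission of the same fd (e.g. once for
 * reading and once for writing) re-uses the slot allocated by the first. */
static void sched_monitor(struct sched *s, int fd, short events)
{
	unsigned i;
	if (fd < 0 || fd >= MAX_FDS)
		return;
	i = s->pidx[fd];
	if (i == UNWATCHED) {
		i = s->num_pfd++;
		s->pfd[i].fd = fd;
		s->pfd[i].events = s->pfd[i].revents = 0;
		s->pidx[fd] = i;
	}
	s->pfd[i].events |= events;
}
void sched_monitor_readfd(struct sched *s, int fd) { sched_monitor(s, fd, POLLIN); }
void sched_monitor_writefd(struct sched *s, int fd) { sched_monitor(s, fd, POLLOUT); }

/* O(1) lookup. An fd that was never submitted maps to UNWATCHED, which is
 * never a valid index, so it reports "not ready" just as FD_ZERO() did. */
static short get_revents(const struct sched *s, int fd)
{
	if (fd < 0 || fd >= MAX_FDS || s->pidx[fd] >= s->num_pfd)
		return 0;
	return s->pfd[s->pidx[fd]].revents;
}
int sched_read_ok(const struct sched *s, int fd) { return (get_revents(s, fd) & POLLIN) != 0; }
int sched_write_ok(const struct sched *s, int fd) { return (get_revents(s, fd) & POLLOUT) != 0; }
```

Between sched_reset() and the lookups a real scheduler would call poll(s->pfd, s->num_pfd, timeout), which fills in the revents fields the lookups read.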
Rename ->{pre,post}_select methods to ->{pre,post}_monitor. The word "monitor" is neutral and continues to be correct after the switch from select(2) to poll(2). Pure rename, nothing to see here.
Hide implementation of para_fd_set(). This preparatory patch for replacing select() renames para_fd_set() to sched_fd_set(), moves it to sched.c and makes it static. All users are modified to call either of the two new public functions sched_monitor_{read,write}fd() which take a pointer to struct sched rather than an fd set pointer.
send: Avoid select-specific arguments in {pre,post}_select(). Just pass a pointer to struct sched instead of the fd sets. Since two of the prototypes declared in send.h now refer to this structure, sched.h must be included before send.h. The udp sender implements neither ->pre_select() nor ->post_select(), so we only need to fix the order in which send.h and sched.h are included.
net: Drop fd_set parameter from para_accept(). As for read_nonblock(), the parameter is dispensable because it is only used for an optimization to avoid a system call. Get rid of it because it hinders the conversion from select(2) to poll(2).
fd: Drop fd_set parameter from read_nonblock() and friends. This parameter is not necessary because its only purpose is to avoid the readv(2) system call in case it would likely return EAGAIN because we just called select(2) which reported that there is no data to read. Since the parameter is an obstacle for the conversion of the code base from select(2) to poll(2), get rid of it for the time being. If needed we can add back an equivalent optimization which checks for POLLIN after the conversion.
sched: Use integer value for select timeout. This modifies the public struct sched so that users pass in the default timeout as an integer value in milliseconds rather than a struct timeval. This simplifies the code a little and eases the transition from select(2) to poll(2) because poll(2) also takes a plain integer for the timeout. Since para_select() of fd.c now calls ms2tv() to convert the timeout back to a struct timeval, all executables which link with fd.o must also link with time.o. This was not the case for para_mixer and para_audioc, so configure.ac needs to be adjusted accordingly.
string: Rename para_malloc() -> alloc(). Just because it's shorter and matches the naming of the new allocators we are about to introduce. The bulk of this patch was created with sed -i 's/para_malloc/alloc/g' *.c *.h yy/mp.y
New server command: ll to change the log level at runtime. This makes use of the infrastructure introduced in the previous patch. However, the implementation of the ll command for para_server is more involved than its audiod counterpart because in the server case we have to tell two different processes (server and afs) to change their log level while the calling process, the command handler, does not need to set the loglevel because it is about to exit anyway. For the inter-process communication we introduce a new field in the mmd shared memory area so that command handlers can read the current value or set a new value. The log level propagates from there via daemon_set_loglevel() to the server and afs processes during each iteration of the scheduler loop where para_log() will pick it up to set the log level threshold for subsequent log events. The si command handler currently refers to the argument of the --loglevel server option to include the log level in its output. With dynamic log levels this no longer works because it always prints the value from the command line or the config file rather than the run time log level. Since the new ll command also prints the loglevel when it is executed with no arguments, we simply remove this line from the si output and hope that nobody cares. The si command handler was the last user of the ENUM_STRING_VAL macro in command.c. Removing the macro also allows us to make CMD_PTR local to server.c and to remove the lopsub definitions of the server suite from command.c. However, we still include the lopsub definitions of the server *command* suite (server_cmd.lsg.h) of course. We let any authenticated user run the command with no arguments to report the current loglevel but require full privileges to change the loglevel. Thus, the check for sufficient privileges needs to be performed in the command handler.
server/audiod: Don't parse loglevel argument unnecessarily. Currently the severity string (debug, info, etc.) given to --loglevel is parsed twice: Once by lopsub, which returns the loglevel as the index into the array of severity strings. We turn this index into a string and pass the string to daemon_set_loglevel() which parses the string again to turn it back into a log level value (which happens to coincide with the index value). Clean this up by letting daemon_set_loglevel() receive a log level value rather than a severity string. This also allows us to remove the now unused ENUM_STRING_VAL() macro from audiod.c.
server: Early vss shutdown for command handlers. Command handlers must communicate with the vss through the shared memory area (mmd). Deallocating all resources early in the command handler makes the code more robust and saves some memory.
Merge branch 'maint' To get the single fix that was just merged to maint. * maint: server: Fix memory leak at exit.
server: Fix memory leak at exit. If command_post_select() returns failure because of a notification we leak the array of listening fds. No big deal, but worth fixing anyway.
web: Remove selected APIs page. This list was outdated and not well maintained. Change the link on the documentation page to point to the list of files instead.
server: Wait for command handler exit also when afs dies. When para_server is running in foreground mode in a terminal session, and gets signalled by hitting CTRL+C, it is unspecified whether the server or the afs process receives the resulting SIGINT first. It may even happen that the afs process dies first, and that the server sees the resulting SIGCHLD *before* the SIGINT. In this case we currently don't wait for the command handlers to exit but proceed right away with the shutdown, closing the signal pipe and destroying the shared memory area which contains the mmd structure. This leads to error messages on shutdown such as
Sep 21 12:38:18 (5) (29166) para_semop: semaphore set 12648470 was removed
Sep 21 12:38:18 (6) (29166) para_semop: fatal semop error Invalid argument: pid 29166
Sep 21 12:38:18 (6) (29161) generic_signal_handler: Bad file descriptor
Sep 21 12:38:18 (6) (29164) para_semop: fatal semop error Invalid argument: pid 29164
Sep 21 12:38:18 (6) (29165) command_handler_sighandler: terminating on signal 15
Sep 21 12:38:18 (6) (29165) para_semop: fatal semop error Invalid argument: pid 29165
This commit avoids the issue by letting the server wait for all its children also in the SIGCHLD case when we exit because the afs process has terminated.
server.c: Fix double "the" in comment. Found by the vim spell checker.
afh: Constify definition of audio format handlers. The audio_format_handler structure contains only pointers, and the ->init method of each instance initializes these pointers to constant values. The ->init() method is thus useless at best, and it prevents the structures from being declared constant. This patch removes ->init() of struct audio_format_handler and the public afh_init() which iterates over all audio formats to call each ->init() method. The audio format handlers are modified to define an instance of the structure rather than an init function which fills the fields of the given structure. The structure can be declared constant, but not static because afh_common.c needs a way to refer to it. We rely on weak symbols to deal with audio format handlers which are not compiled in. The codec-independent code in afh_common.c defines a weak instance of the audio_format_handler structure for each audio format. The command handlers which are compiled in override the weak symbol with their own definition. The afh receiver used to define afh_init() as its (receiver!) init function, which no longer exists. Since receiver init functions are optional, we don't need to supply a replacement. However, play.c calls ->init() of the afh_receiver unconditionally. This call needs to be removed to avoid a null pointer dereference.
Check for abstract sockets only once. In net.c there is a static variable which is supposed to cache whether the abstract local socket namespace is supported. This variable is pointless because it is only ever set by command handlers, which exit after the command completed. Hence the command handler process of each subsequent afs command checks again. To make the caching work as intended we must initialize the variable in the *parent* process. The parent process, however, does not create any local sockets. This patch changes init_unix_addr() to initialize the variable without creating a socket when NULL is passed as the name parameter. The server process passes NULL to initialize the static variable while command handlers pass non-NULL.