| blob | dde8c183d1931e9512a573dfa6f356b1e967b85a |
1 /*
2 * Copyright © 2010 Codethink Limited
3 *
4 * This library is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU Lesser General Public
6 * License as published by the Free Software Foundation; either
7 * version 2 of the licence, or (at your option) any later version.
8 *
9 * This library is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * Lesser General Public License for more details.
13 *
14 * You should have received a copy of the GNU Lesser General Public
15 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
16 *
17 * Author: Ryan Lortie <desrt@desrt.ca>
18 */
22 #define _XOPEN_SOURCE 600
28 #include <string.h>
29 #include <stdlib.h>
30 #include <errno.h>
31 #include <stdio.h>
32 #include <unistd.h>
33 #include <fcntl.h>
34 #include <sys/mman.h>
38 /* The engine has zero or more sources.
39 *
40 * If it has zero sources then things are very uninteresting. Nothing
41 * is writable, nothing will ever be written and reads will always
42 * return NULL.
43 *
44 * There are two interesting cases when there is a non-zero number of
45 * sources. Writing only ever occurs to the first source, if at all.
46 * Non-first sources are never writable.
47 *
48 * The first source may or may not be writable. In the usual case the
49 * first source is the one in the user's home directory and is writable,
50 * but it may be that the profile was setup for read-only access to
51 * system sources only.
52 *
53 * In the case that the first source is not writable (and therefore
54 * there are no writable sources), is_writable() will always return
55 * FALSE and no writes will ever be performed.
56 *
57 * It's possible to request changes in three ways:
58 *
59 * - synchronous: the D-Bus message is immediately sent to the
60 * dconf service and we block until we receive the reply. The change
61 * signal will follow soon thereafter (when we receive the signal on
62 * D-Bus).
63 *
64 * - asynchronous: typical asynchronous operation: we send the request
65 * and return immediately, notifying using a callback when the
66 * request is completed (and the new value is in the database). The
67 * change signal follows in the same way as with synchronous.
68 *
69 * - fast: we record the value locally and signal the change, returning
70 * immediately, as if the value is already in the database (from the
71 * viewpoint of the local process). We keep note of the new value
72 * locally until the service has confirmed that the write was
73 * successful. If the write fails, we emit a change signal. From
74 * the view of the program it looks like the value was successfully
75 * changed but then quickly changed back again by some external
76 * agent.
77 *
78 * In fast mode we have to do some management of the queue. If we
79 * immediately put all requests "in flight" then we can end up in a
80 * situation where the application writes many values for the same key
81 * and the service is kept (needlessly) busy writing over and over to
82 * the same key for some time after the requests stop coming in.
83 *
84 * If we limit the number of in-flight requests and put the other ones
85 * into a pending queue then we can perform merging of similar changes.
86 * If we notice that an item in the pending queue writes to the same
87 * keys as the newly-added request then we can simply drop the existing
88 * request (since its effect will be nullified by the new request).
89 *
90 * We want to keep the number of in-flight requests low in order to
91 * maximise our chance of dropping pending items, but we probably want
92 * it higher than 1 so that we can pipeline to hide latency.
93 *
94 * In order to minimise complexity, all changes go first to the pending
95 * queue. Changes are dispatched from the pending queue (and moved to
96 * the in-flight queue) when the number of requests in-flight is lower
97 * than the maximum.
98 *
99 * For both 'in_flight' and 'pending' queues we push to the tail and pop
100 * from the head. This puts the first operation on the head and the
101 * most recent operation on the tail.
102 *
103 * Since new operation go first to the pending queue, we find the most
104 * recent operations at the tail of that queue. Since we want to return
105 * the most-recently written value, we therefore scan for values
106 * starting at the tail of the pending queue and ending at the head of
107 * the in-flight queue.
108 *
109 * NB: I tell a lie. Async is not supported yet.
110 *
111 * Notes about threading:
112 *
113 * The engine is oblivious to threads and main contexts.
114 *
115 * What this means is that the engine has no interaction with GMainLoop
116 * and will not schedule idles or anything of the sort. All calls made
117 * by the engine to the client library will be made in response to
118 * incoming method calls, from the same thread as the incoming call.
119 *
120 * If dconf_engine_call_handle_reply() or
121 * dconf_engine_handle_dbus_signal() are called from 'exotic' threads
122 * (as will often be the case) then the resulting calls to
123 * dconf_engine_change_notify() will come from the same thread. That's
124 * left for the client library to deal with.
125 *
126 * All that said, the engine is completely threadsafe. The client
127 * library can call any method from any thread at any time -- as long as
128 * it is willing to deal with receiving the change notifies in those
129 * threads.
130 *
131 * Thread-safety is implemented using three locks.
132 *
133 * The first lock (sources_lock) protects the sources. Although the
134 * sources are only ever read from, it is necessary to lock them because
135 * it is not safe to read during a refresh (when the source is being
136 * closed and reopened). Accordingly, sources_lock need only be
137 * acquired when accessing the parts of the sources that are subject to
138 * change as a result of refreshes; the static parts (like bus type,
139 * object path, etc) can be accessed without holding the lock. The
140 * 'sources' array itself (and 'n_sources') are set at construction and
141 * never change after that.
142 *
143 * The second lock (queue_lock) protects the various queues that are
144 * used to implement the "fast" writes described above.
145 *
146 * The third lock (subscription_count_lock) protects the two hash tables
147 * that are used to keep track of the number of subscriptions held by
148 * the client library to each path.
149 *
150 * If sources_lock and queue_lock are held at the same time then then
151 * sources_lock must have been acquired first.
152 *
153 * subscription_count_lock is never held at the same time as
154 * sources_lock or queue_lock
155 */
157 #define MAX_IN_FLIGHT 2
162 struct _DConfEngine
163 {
165 GDestroyNotify free_func;
166 gint ref_count;
171 gint n_sources;
180 /**
181 * establishing and active, are hash tables storing the number
182 * of subscriptions to each path in the two possible states
183 */
184 /* This lock ensures that transactions involving subscription counts are atomic */
185 GMutex subscription_count_lock;
186 /* active on the client side, but awaiting confirmation from the writer */
188 /* active on the client side, and with a D-Bus match rule established */
190 };
192 /* When taking the sources lock we check if any of the databases have
193 * had updates.
194 *
195 * Anything that is accessing the database (even only reading) needs to
196 * be holding the lock (since refreshes could be happening in another
197 * thread), so this makes sense.
198 *
199 * We could probably optimise this to avoid checking some databases in
200 * certain cases (ie: we do not need to check the user's database when
201 * we are only interested in checking writability) but this works well
202 * enough for now and is less prone to errors.
203 *
204 * We could probably change to a reader/writer situation that is only
205 * holding the write lock when actually making changes during a refresh
206 * but the engine is probably only ever really in use by two threads at
207 * a given time (main thread doing reads, DBus worker thread clearing
208 * the queue) so it seems unlikely that lock contention will become an
209 * issue.
210 *
211 * If it does, we can revisit this...
212 */
213 static void
215 {
216 gint i;
223 }
225 static void
227 {
229 }
231 static void
233 {
235 }
237 static void
239 {
241 }
243 /**
244 * Adds the count of subscriptions to @path in @from_table to the
245 * corresponding count in @to_table, creating it if it did not exist.
246 * Removes the count from @from_table.
247 */
248 static void
252 {
255 // Detect overflows
259 {
264 }
265 }
267 /**
268 * Increments the reference count for the subscription to @path, or sets
269 * it to 1 if it didn’t previously exist.
270 * Returns the new reference count.
271 */
272 static guint
275 {
277 // Detect overflows
282 }
284 /**
285 * Decrements the reference count for the subscription to @path, or
286 * removes it if the new value is 0. The count must exist and be greater
287 * than 0.
288 * Returns the new reference count, or 0 if it does not exist.
289 */
290 static guint
293 {
299 else
302 }
304 /**
305 * Returns the reference count for the subscription to @path, or 0 if it
306 * does not exist.
307 */
308 static guint
311 {
313 }
315 /**
316 * Acquires the subscription counts lock, which must be held when
317 * reading or writing to the subscription counts.
318 */
319 static void
321 {
323 }
325 /**
326 * Releases the subscription counts lock
327 */
328 static void
330 {
332 }
334 DConfEngine *
336 gpointer user_data,
337 GDestroyNotify free_func)
338 {
358 g_str_equal,
359 g_free,
360 NULL);
362 g_str_equal,
363 g_free,
364 NULL);
367 }
369 void
371 {
372 gint ref_count;
374 again:
378 {
379 gint i;
381 /* We are about to drop the last reference, but there is a chance
382 * that a signal may be happening at this very moment, causing the
383 * engine to gain another reference (due to its position in the
384 * global engine list).
385 *
386 * Acquiring the lock here means that either we will remove this
387 * engine from the list first or we will notice the reference
388 * count has increased (and skip the free).
389 */
392 {
395 }
425 }
429 }
433 {
437 }
439 guint64
441 {
442 guint64 state;
449 }
451 static gboolean
454 {
455 gint i;
457 /* We must check several things:
458 *
459 * - we have at least one source
460 *
461 * - the first source is writable
462 *
463 * - the key is not locked in a non-writable (ie: non-first) source
464 */
471 /* Ignore locks in the first source.
472 *
473 * Either it is writable and therefore ignoring locks is the right
474 * thing to do, or it's non-writable and we caught that case above.
475 */
481 }
483 gboolean
486 {
487 gboolean writable;
494 }
496 gchar **
500 {
504 {
512 {
516 {
518 {
522 {
523 /* It is not currently possible to lock dirs, so we
524 * don't (yet) have to check the other direction.
525 */
528 else
530 }
533 }
534 }
535 }
536 else
544 }
545 else
546 {
548 {
550 }
551 else
552 {
555 }
556 }
559 }
561 static gboolean
565 {
568 /* Tail to head... */
574 }
576 GVariant *
578 DConfReadFlags flags,
581 {
584 gint i;
588 /* There are a number of situations that this function has to deal
589 * with and they interact in unusual ways. We attempt to write the
590 * rules for all cases here:
591 *
592 * With respect to the steady-state condition with no locks:
593 *
594 * This is the case where there are no changes queued, no
595 * read_through and no locks.
596 *
597 * The value returned is the one from the lowest-index source that
598 * contains that value.
599 *
600 * With respect to locks:
601 *
602 * If a lock is present (except in source #0 where it is ignored)
603 * then we will only return a value found in the source where the
604 * lock was present, or a higher-index source (following the normal
605 * rule that sources with lower indexes take priority).
606 *
607 * This statement includes read_through and queued changes. If a
608 * lock is found, we will ignore those.
609 *
610 * With respect to flags:
611 *
612 * If DCONF_READ_USER_VALUE is given then we completely ignore all
613 * locks, returning the user value all the time, even if it is not
614 * visible (because of a lock). This includes any pending value
615 * that is in the read_through or pending queues.
616 *
617 * If DCONF_READ_DEFAULT_VALUE is given then we skip the writable
618 * database and the queues (including read_through, which is
619 * meaningless in this case) and skip directly to the non-writable
620 * databases. This is defined as the value that the user would see
621 * if they were to have just done a reset for that key.
622 *
623 * With respect to read_through and queued changed:
624 *
625 * We only consider read_through and queued changes in the event
626 * that we have a writable source. This will possibly cause us to
627 * ignore read_through and will have no real effect on the queues
628 * (since they will be empty anyway if we have no writable source).
629 *
630 * We only consider read_through and queued changes in the event
631 * that we have not found any locks.
632 *
633 * If there is a non-NULL value found in read_through or the queued
634 * changes then we will return that value.
635 *
636 * If there is a NULL value (ie: a reset) found in read_through or
637 * the queued changes then we will only ignore any value found in
638 * the first source (which must be writable, or else we would not
639 * have been considering read_through and the queues). This is
640 * consistent with the fact that a reset will unset any value found
641 * in this source but will not affect values found in lower sources.
642 *
643 * Put another way: if a non-writable source contains a value for a
644 * particular key then it is impossible for this function to return
645 * NULL.
646 *
647 * We implement the above rules as follows. We have three state
648 * tracking variables:
649 *
650 * - lock_level: records if and where we found a lock
651 *
652 * - found_key: records if we found the key in any queue
653 *
654 * - value: records the value of the found key (NULL for resets)
655 *
656 * We take these steps:
657 *
658 * 1. check for lockdown. If we find a lock then we prevent any
659 * other sources (including read_through and pending/in-flight)
660 * from affecting the value of the key.
661 *
662 * We record the result of this in the lock_level variable. Zero
663 * means that no locks were found. Non-zero means that a lock was
664 * found in the source with the index given by the variable.
665 *
666 * 2. check the uncommitted changes in the read_through list as the
667 * highest priority. This is only done if we have a writable
668 * source and no locks were found.
669 *
670 * If we found an entry in the read_through then we set
671 * 'found_key' to TRUE and set 'value' to the value that we found
672 * (which will be NULL in the case of finding a reset request).
673 *
674 * 3. check our pending and in-flight "fast" changes (in that order).
675 * This is only done if we have a writable source and no locks
676 * were found. It is also only done if we did not find the key in
677 * the read_through.
678 *
679 * 4. check the first source, if there is one.
680 *
681 * This is only done if 'found_key' is FALSE. If 'found_key' is
682 * TRUE then it means that the first database was writable and we
683 * either found a value that will replace it (value != NULL) or
684 * found a pending reset (value == NULL) that will unset it.
685 *
686 * We only actually do this step if we have a writable first
687 * source and no locks found, otherwise we just let step 5 do all
688 * the checking.
689 *
690 * 5. check the remaining sources.
691 *
692 * We do this until we have value != NULL. Even if found_key was
693 * TRUE, the reset that was requested will not have affected the
694 * lower-level databases.
695 */
697 /* Step 1. Check for locks.
698 *
699 * Note: i > 0 (strictly). Ignore locks for source #0.
700 */
704 {
707 }
709 /* Only do steps 2 to 4 if we have no locks and we have a writable source. */
711 {
714 /* If the user has requested the default value only, then ensure
715 * that we "find" a NULL value here. This is equivalent to the
716 * user having reset the key, which is the definition of this
717 * flag.
718 */
722 /* Step 2. Check read_through. */
726 /* Step 3. Check queued changes if we didn't find it in read_through.
727 *
728 * NB: We may want to optimise this to avoid taking the lock in
729 * the case that we know both queues are empty.
730 */
732 {
735 /* Check the pending queue first because those were submitted
736 * more recently.
737 */
742 }
744 /* Step 4. Check the first source. */
748 /* We already checked source #0 (or ignored it, as appropriate).
749 *
750 * Abuse the lock_level variable to get step 5 to skip this one.
751 */
753 }
755 /* Step 5. Check the remaining sources, until value != NULL. */
758 {
764 }
769 }
771 gchar **
775 {
777 GHashTableIter iter;
779 gint n_items;
780 gpointer key;
781 gint i;
783 /* This function is unreliable in the presence of pending changes.
784 * Here's why:
785 *
786 * Consider the case that we list("/a/") and a pending request has a
787 * reset request recorded for "/a/b/c". The question of if "b/"
788 * should appear in the output rests on if "/a/b/d" also exists.
789 *
790 * Put another way: If "/a/b/c" is the only key in "/a/b/" then
791 * resetting it would mean that "/a/b/" stops existing (and we should
792 * not include it in the output). If there are others keys then it
793 * will continue to exist and we should include it.
794 *
795 * Instead of trying to sort this out, we just ignore the pending
796 * requests and report what the on-disk file says.
797 */
804 {
806 gint j;
814 {
816 /* Steal the keys from the list. */
819 /* Free only the list. */
821 }
822 }
832 {
835 }
845 }
848 gpointer handle,
852 struct _DConfEngineCallHandle
853 {
855 DConfEngineCallHandleCallback callback;
857 };
859 static gpointer
861 DConfEngineCallHandleCallback callback,
863 gsize size)
864 {
877 }
881 {
884 else
886 }
888 void
892 {
897 }
899 static void
901 {
904 }
906 /* returns floating */
910 {
915 "interface='ca.desrt.dconf.Writer',"
916 "path='%s',"
919 path);
926 }
929 {
930 DConfEngineCallHandle handle;
932 guint64 state;
933 gint pending;
937 static void
939 gpointer handle,
942 {
945 /* ignore errors */
948 /* more on the way... */
952 {
955 /* Our recorded state does not match the current state. Something
956 * must have changed while our watch requests were on the wire.
957 *
958 * We don't know what changed, so we can just say that potentially
959 * everything under the path being watched changed. This case is
960 * very rare, anyway...
961 */
962 g_debug ("SHM invalidated while establishing subscription to %s - signalling change", ow->path);
964 }
971 // Subscription(s): establishing -> active
978 }
980 void
983 {
987 g_debug ("watch_fast: \"%s\" (establishing: %d, active: %d)", path, num_establishing, num_active);
989 // Subscription: inactive -> active
991 else
992 // Subscription: inactive -> establishing
994 path);
1000 gint i;
1005 /* It's possible (although rare) that the dconf database could change
1006 * while our match rule is on the wire.
1007 *
1008 * Since we returned immediately (suggesting to the user that the
1009 * watch was already established) we could have a race.
1010 *
1011 * To deal with this, we use the current state counter to ensure that nothing
1012 * changes while the watch requests are on the wire.
1013 */
1019 /* We start getting async calls returned as soon as we start dispatching them,
1020 * so we must not touch the 'ow' struct after we send the first one.
1021 */
1032 }
1034 void
1037 {
1041 gint i;
1042 g_debug ("unwatch_fast: \"%s\" (active: %d, establishing: %d)", path, num_active, num_establishing);
1044 // Client code cannot unsubscribe if it is not subscribed
1047 // Subscription: establishing -> inactive
1049 else
1050 // Subscription: active -> inactive
1062 }
1064 static void
1068 {
1069 gint i;
1071 /* We need not hold any locks here because we are only touching static
1072 * things: the number of sources, and static properties of each source
1073 * itself.
1074 *
1075 * This function silently ignores all errors.
1076 */
1079 {
1085 result = dconf_engine_dbus_call_sync_func (engine->sources[i]->bus_type, "org.freedesktop.DBus",
1092 }
1093 }
1095 void
1098 {
1105 }
1107 void
1110 {
1117 }
1120 {
1121 DConfEngineCallHandle handle;
1129 {
1137 }
1139 /* This function promotes changes from the pending queue to the
1140 * in-flight queue by sending the appropriate D-Bus message.
1141 *
1142 * Of course, this is only possible when there are pending items and
1143 * room in the in-flight queue. For this reason, this function gets
1144 * called in two situations:
1145 *
1146 * - an item has been added to the pending queue (due to an API call)
1147 *
1148 * - an item has been removed from the inflight queue (due to a D-Bus
1149 * reply having been received)
1150 *
1151 * It will move a maximum of one item.
1152 */
1155 static void
1158 gpointer origin_tag)
1159 {
1164 dconf_engine_change_notify (engine, prefix, changes, NULL, FALSE, origin_tag, engine->user_data);
1165 }
1167 static void
1169 gpointer handle,
1172 {
1177 /* D-Bus guarantees ordered delivery of messages.
1178 *
1179 * The dconf-service handles requests in-order.
1180 *
1181 * The reply we just received should therefore be at the head of
1182 * our 'in flight' queue.
1183 *
1184 * Due to https://bugs.freedesktop.org/show_bug.cgi?id=59780 it is
1185 * possible that we receive an out-of-sequence error message, however,
1186 * so only assume that messages are in-order for positive replies.
1187 */
1189 {
1194 }
1195 else
1196 {
1197 gboolean found;
1203 }
1205 /* We just popped a change from the in-flight queue, possibly
1206 * making room for another to be added. Check that.
1207 */
1211 /* Deal with the reply we got. */
1213 {
1214 /* The write worked.
1215 *
1216 * We already sent a change notification for this item when we
1217 * added it to the pending queue and we don't want to send another
1218 * one again. At the same time, it's very likely that we're just
1219 * about to receive a change signal from the service.
1220 *
1221 * The tag sent as part of the reply to the Change call will be
1222 * the same tag as on the change notification signal. Record that
1223 * tag so that we can ignore the signal when it comes.
1224 *
1225 * last_handled is only ever touched from the worker thread
1226 */
1229 }
1232 {
1233 /* Some kind of unexpected failure occurred while attempting to
1234 * commit the change.
1235 *
1236 * There's not much we can do here except to drop our local copy
1237 * of the change (and notify that it is gone) and print the error
1238 * message as a warning.
1239 */
1242 }
1246 }
1248 static void
1250 {
1251 if (!g_queue_is_empty (&engine->pending) && g_queue_get_length (&engine->in_flight) < MAX_IN_FLIGHT)
1252 {
1270 }
1273 {
1274 /* The in-flight queue should not be empty if we have changes
1275 * pending...
1276 */
1280 }
1281 }
1283 static gboolean
1286 gpointer user_data)
1287 {
1290 /* Resets absolutely always succeed -- even in the case that there is
1291 * not even a writable database.
1292 */
1294 }
1296 static gboolean
1300 {
1306 {
1310 }
1315 }
1317 gboolean
1320 gpointer origin_tag,
1322 {
1333 /* Check for duplicates in the pending queue.
1334 *
1335 * Note: order doesn't really matter here since "similarity" is an
1336 * equivalence class and we've ensured that there are no pairwise
1337 * similar changes in the queue already (ie: at most we will have only
1338 * one similar item to the one we are adding).
1339 */
1343 {
1347 {
1348 /* We found a similar item in the queue.
1349 *
1350 * We want to drop the one that's in the queue already since
1351 * we want our new (more recent) change to take precedence.
1352 *
1353 * The pending queue owned the changeset, so free it.
1354 */
1358 /* There will only have been one, so stop looking. */
1360 }
1361 }
1363 /* No matter what we're going to queue up this change, so put it in
1364 * the pending queue now.
1365 *
1366 * There may be room in the in_flight queue, so we try to manage the
1367 * queue right away in order to try to promote it there (which causes
1368 * the D-Bus message to actually be sent).
1369 *
1370 * The change might get tossed before being sent if the loop above
1371 * finds it on a future call.
1372 */
1378 /* Emit the signal after dropping the lock to avoid deadlock on re-entry. */
1382 }
1384 gboolean
1389 {
1394 {
1399 }
1406 /* we know that we have at least one source because we checked writability */
1417 /* g_variant_get() is okay with NULL tag */
1422 }
1424 static gboolean
1426 GBusType bus_type,
1429 {
1430 gint i;
1433 {
1438 }
1441 }
1443 void
1449 {
1451 {
1462 /* Reject junk */
1464 /* No changes? Do nothing. */
1468 {
1469 /* If the prefix is a key then the changes must be ['']. */
1472 }
1474 {
1475 /* If the prefix is a dir then we can have changes within that
1476 * dir, but they must be rel paths.
1477 *
1478 * ie:
1479 *
1480 * ('/a/', ['b', 'c/']) == ['/a/b', '/a/c/']
1481 */
1482 gint i;
1487 }
1488 else
1489 /* Not a key or a dir? */
1497 {
1500 /* It's possible that this incoming change notify is for a
1501 * change that we already announced to the client when we
1502 * placed it in the pending queue.
1503 *
1504 * Check last_handled to determine if we should ignore it.
1505 */
1513 }
1515 junk:
1517 }
1520 {
1530 /* Rejecting junk here is relatively straightforward */
1539 {
1548 }
1549 }
1550 }
1552 gboolean
1554 {
1555 gboolean has;
1557 /* The in-flight queue will never be empty unless the pending queue is
1558 * also empty, so we only really need to check one of them...
1559 */
1565 }
1567 void
1569 {
1575 }