Browser only uses LaunchServer for one thing: to open the user's
downloads directory after a download is finished.
Eventually I'd like to move this functionality to a separate download
manager service, but for now, let's at least lock down what Browser is
able to ask LaunchServer to do. :^)
Clients of LaunchServer can now provide a list of allowed handlers,
optionally with a specific set of URLs. The list can be sealed to
prevent future additions to it.
If LaunchServer receives a request to open something not on the allowed
handlers list, it will disconnect the client immediately.
The main idea here is to allow otherwise restricted programs to launch
specific things, e.g "Help" to open their manual, or "Browser" to load
the SerenityOS home page. :^)
- Now sorted
- Add a "layout" property to GUI::Widget and GUI::Frame
- Only complete Layouts for the values of "layout"
- Don't suggest anything if the only suggestion is what the user has
already typed
This gets a lot of unecessary includes out of Widget.cpp. Doing this
didn't work before, but improvements in the C library and using dynamic
libraries have likely un-broken it :^).
Also, move the registration global object to an anonymous namespace. No
reason it has to be an extern symbol.
...as well as the few remaining references to set_foreground_color().
These properties are not being used for rendering anymore, presumably
because they completely mess up theming - assigning random white and
gray backgrounds just doesn't work with dark themes.
I've chosen to not replace most of the few remaining uses of this
broken functionality with custom palette colors (the closest
replacement is background_role) for now (except for Minesweeper where
squares with mines are painted red again now), as no one has actually
complained about them being broken, so it must look somewhat decent
(some just look right anyway). :^)
Examples of this are the taskbar buttons, which apparently had a
DarkGray foreground color for minimized windows once - this has since
been replaced with bold/regular font. Another one is the Profiler's
ProfileTimelineWidget, which is supposed to have a white background -
which it didn't have for quite some time, it's grey now (with the
default theme, that is). Doesn't look bad either.
Previously notifications were (partially) drawn outside the screen rect if
they were created before changing the screen resolution to smaller
dimensions. This prevented the user from dismissing the notification as the
close button was no longer clickable.
If a TLB flush request is broadcast to other processors and the addresses
to flush are user mode addresses, we can ignore such a request on the
target processor if the page directory currently in use doesn't match
the addresses to be flushed. We still need to broadcast to all processors
in that case because the other processors may switch to that same page
directory at any time.
If we remap pages (e.g. lazy allocation) inside a VMObject that is
shared among more than one region, broadcast it to any other region
that may be mapping the same page.
Lazily committed shared memory was not working in situations where one
process would write to the memory and another would only read from it.
Since the reading process would never cause a write fault in the shared
region, we'd never notice that the writing process had added real
physical pages to the VMObject. This happened because the lazily
committed pages were marked "present" in the page table.
This patch solves the issue by always allocating shared memory up front
and not trying to be clever about it.
Before this change, we would sometimes map a region into the address
space with !is_shared(), and then moments later call set_shared(true).
I found this very confusing while debugging, so this patch makes us pass
the initial shared flag to the Region constructor, ensuring that it's in
the correct state by the time we first map the region.
We were jumping through some pretty wasteful hoops in the resize event
handler of OOPWV by first creating a bitmap and then immediately
creating a new (shareable) clone of that bitmap. Now we go straight
to the shareable bitmap instead.
Previously we had a static stack check cookie value for LibC.
Now we randomize the cookie value on LibC initialization, this should
help make the stack check more difficult to attack (still possible just
a bigger pain). This should also help to catch more bugs.
Insert stack canaries to find stack corruptions in the kernel.
It looks like this was enabled in the past (842716a) but appears to have been
lost during the CMake conversion.
The `-fstack-protector-strong` variant was chosen because it catches more issues
than `-fstack-protector`, but doesn't have substantial performance impact like
`-fstack-protector-all`.
This fixes a kernel crash that occured when calling ptrace with PT_PEEK
on non paged-in memory.
The crash occurred because we were holding the scheduler lock while
trying to read from the disk's block device, which we do not allow.
Fixes#4740
This makes it a bit more useful, as the user doesn't have to explicitly
ask for completion, it just provides completions, and tries really hard
to avoid suggesting things where they're not expected, for instance:
(cursor positions denoted as pipes)
```
@G | {|
foo: bar |
foo |
}
```
The user does not expect any suggestions in any of those cursor positions,
so provide no suggestions for such cases. This prevents the automatic autocomplete
getting in the way of the user, esp. when they try to press return fully
expecting to go to a new line.
This aims to be a "smart" autocomplete that tries to present the user
with useful suggestions without being in the way (too much).
Here is its current configuration:
- Show suggestions 800ms after something is inserted in the editor
- if something else is inserted in that period, reset it back to 800ms
to allow the user to type uninterrupted
- cancel any shown autocomplete (and the timer) on external changes
(paste, cut, etc)
We need to allocate all pages for the profiler right away so that
we don't trigger page faults in the timer interrupt handler to
allocate them.
Fixes#4734
Modify the user mode runtime to insert stack canaries to find stack corruptions.
The `-fstack-protector-strong` variant was chosen because it catches more
issues than vanilla `-fstack-protector`, but doesn't have substantial
performance impact like `-fstack-protector-all`.
Details:
-fstack-protector enables stack protection for vulnerable functions that contain:
* A character array larger than 8 bytes.
* An 8-bit integer array larger than 8 bytes.
* A call to alloca() with either a variable size or a constant size bigger than 8 bytes.
-fstack-protector-strong enables stack protection for vulnerable functions that contain:
* An array of any size and type.
* A call to alloca().
* A local variable that has its address taken.
Example of it catching corrupting in the `stack-smash` test:
```
courage ~ $ ./user/Tests/LibC/stack-smash
[+] Starting the stack smash ...
Error: Stack protector failure, stack smashing detected!
Shell: Job 1 (/usr/Tests/LibC/stack-smash) Aborted
```
Empty boxes should be fully collapsed, but a box with border and/or
padding is not empty.
This fixes an issue where <hr> elements were getting weirdly collapsed
since they have zero content height (but some border height.)
