|
cannam@135
|
1 // Copyright (c) 2013-2016 Sandstorm Development Group, Inc. and contributors
|
|
cannam@135
|
2 // Licensed under the MIT License:
|
|
cannam@135
|
3 //
|
|
cannam@135
|
4 // Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
cannam@135
|
5 // of this software and associated documentation files (the "Software"), to deal
|
|
cannam@135
|
6 // in the Software without restriction, including without limitation the rights
|
|
cannam@135
|
7 // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
cannam@135
|
8 // copies of the Software, and to permit persons to whom the Software is
|
|
cannam@135
|
9 // furnished to do so, subject to the following conditions:
|
|
cannam@135
|
10 //
|
|
cannam@135
|
11 // The above copyright notice and this permission notice shall be included in
|
|
cannam@135
|
12 // all copies or substantial portions of the Software.
|
|
cannam@135
|
13 //
|
|
cannam@135
|
14 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
cannam@135
|
15 // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
cannam@135
|
16 // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
cannam@135
|
17 // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
cannam@135
|
18 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
cannam@135
|
19 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
|
cannam@135
|
20 // THE SOFTWARE.
|
|
cannam@135
|
21
|
|
cannam@135
|
22 #include <kj/common.h>
|
|
cannam@135
|
23 #include <kj/memory.h>
|
|
cannam@135
|
24 #include <kj/mutex.h>
|
|
cannam@135
|
25 #include <kj/debug.h>
|
|
cannam@135
|
26 #include "common.h"
|
|
cannam@135
|
27 #include "layout.h"
|
|
cannam@135
|
28 #include "any.h"
|
|
cannam@135
|
29
|
|
cannam@135
|
30 #ifndef CAPNP_MESSAGE_H_
|
|
cannam@135
|
31 #define CAPNP_MESSAGE_H_
|
|
cannam@135
|
32
|
|
cannam@135
|
33 #if defined(__GNUC__) && !defined(CAPNP_HEADER_WARNINGS)
|
|
cannam@135
|
34 #pragma GCC system_header
|
|
cannam@135
|
35 #endif
|
|
cannam@135
|
36
|
|
cannam@135
|
37 namespace capnp {
|
|
cannam@135
|
38
|
|
cannam@135
|
39 namespace _ { // private
|
|
cannam@135
|
40 class ReaderArena;
|
|
cannam@135
|
41 class BuilderArena;
|
|
cannam@135
|
42 }
|
|
cannam@135
|
43
|
|
cannam@135
|
44 class StructSchema;
|
|
cannam@135
|
45 class Orphanage;
|
|
cannam@135
|
46 template <typename T>
|
|
cannam@135
|
47 class Orphan;
|
|
cannam@135
|
48
|
|
cannam@135
|
49 // =======================================================================================
|
|
cannam@135
|
50
|
|
cannam@135
|
51 struct ReaderOptions {
|
|
cannam@135
|
52 // Options controlling how data is read.
|
|
cannam@135
|
53
|
|
cannam@135
|
54 uint64_t traversalLimitInWords = 8 * 1024 * 1024;
|
|
cannam@135
|
55 // Limits how many total words of data are allowed to be traversed. Traversal is counted when
|
|
cannam@135
|
56 // a new struct or list builder is obtained, e.g. from a get() accessor. This means that calling
|
|
cannam@135
|
57 // the getter for the same sub-struct multiple times will cause it to be double-counted. Once
|
|
cannam@135
|
58 // the traversal limit is reached, an error will be reported.
|
|
cannam@135
|
59 //
|
|
cannam@135
|
60 // This limit exists for security reasons. It is possible for an attacker to construct a message
|
|
cannam@135
|
61 // in which multiple pointers point at the same location. This is technically invalid, but hard
|
|
cannam@135
|
62 // to detect. Using such a message, an attacker could cause a message which is small on the wire
|
|
cannam@135
|
63 // to appear much larger when actually traversed, possibly exhausting server resources leading to
|
|
cannam@135
|
64 // denial-of-service.
|
|
cannam@135
|
65 //
|
|
cannam@135
|
66 // It makes sense to set a traversal limit that is much larger than the underlying message.
|
|
cannam@135
|
67 // Together with sensible coding practices (e.g. trying to avoid calling sub-object getters
|
|
cannam@135
|
68 // multiple times, which is expensive anyway), this should provide adequate protection without
|
|
cannam@135
|
69 // inconvenience.
|
|
cannam@135
|
70 //
|
|
cannam@135
|
71 // The default limit is 64 MiB. This may or may not be a sensible number for any given use case,
|
|
cannam@135
|
72 // but probably at least prevents easy exploitation while also avoiding causing problems in most
|
|
cannam@135
|
73 // typical cases.
|
|
cannam@135
|
74
|
|
cannam@135
|
75 int nestingLimit = 64;
|
|
cannam@135
|
76 // Limits how deeply-nested a message structure can be, e.g. structs containing other structs or
|
|
cannam@135
|
77 // lists of structs.
|
|
cannam@135
|
78 //
|
|
cannam@135
|
79 // Like the traversal limit, this limit exists for security reasons. Since it is common to use
|
|
cannam@135
|
80 // recursive code to traverse recursive data structures, an attacker could easily cause a stack
|
|
cannam@135
|
81 // overflow by sending a very-deeply-nested (or even cyclic) message, without the message even
|
|
cannam@135
|
82 // being very large. The default limit of 64 is probably low enough to prevent any chance of
|
|
cannam@135
|
83 // stack overflow, yet high enough that it is never a problem in practice.
|
|
cannam@135
|
84 };
|
|
cannam@135
|
85
|
|
cannam@135
|
86 class MessageReader {
|
|
cannam@135
|
87 // Abstract interface for an object used to read a Cap'n Proto message. Subclasses of
|
|
cannam@135
|
88 // MessageReader are responsible for reading the raw, flat message content. Callers should
|
|
cannam@135
|
89 // usually call `messageReader.getRoot<MyStructType>()` to get a `MyStructType::Reader`
|
|
cannam@135
|
90 // representing the root of the message, then use that to traverse the message content.
|
|
cannam@135
|
91 //
|
|
cannam@135
|
92 // Some common subclasses of `MessageReader` include `SegmentArrayMessageReader`, whose
|
|
cannam@135
|
93 // constructor accepts pointers to the raw data, and `StreamFdMessageReader` (from
|
|
cannam@135
|
94 // `serialize.h`), which reads the message from a file descriptor. One might implement other
|
|
cannam@135
|
95 // subclasses to handle things like reading from shared memory segments, mmap()ed files, etc.
|
|
cannam@135
|
96
|
|
cannam@135
|
97 public:
|
|
cannam@135
|
98 MessageReader(ReaderOptions options);
|
|
cannam@135
|
99 // It is suggested that subclasses take ReaderOptions as a constructor parameter, but give it a
|
|
cannam@135
|
100 // default value of "ReaderOptions()". The base class constructor doesn't have a default value
|
|
cannam@135
|
101 // in order to remind subclasses that they really need to give the user a way to provide this.
|
|
cannam@135
|
102
|
|
cannam@135
|
103 virtual ~MessageReader() noexcept(false);
|
|
cannam@135
|
104
|
|
cannam@135
|
105 virtual kj::ArrayPtr<const word> getSegment(uint id) = 0;
|
|
cannam@135
|
106 // Gets the segment with the given ID, or returns null if no such segment exists. This method
|
|
cannam@135
|
107 // will be called at most once for each segment ID.
|
|
cannam@135
|
108
|
|
cannam@135
|
109 inline const ReaderOptions& getOptions();
|
|
cannam@135
|
110 // Get the options passed to the constructor.
|
|
cannam@135
|
111
|
|
cannam@135
|
112 template <typename RootType>
|
|
cannam@135
|
113 typename RootType::Reader getRoot();
|
|
cannam@135
|
114 // Get the root struct of the message, interpreting it as the given struct type.
|
|
cannam@135
|
115
|
|
cannam@135
|
116 template <typename RootType, typename SchemaType>
|
|
cannam@135
|
117 typename RootType::Reader getRoot(SchemaType schema);
|
|
cannam@135
|
118 // Dynamically interpret the root struct of the message using the given schema (a StructSchema).
|
|
cannam@135
|
119 // RootType in this case must be DynamicStruct, and you must #include <capnp/dynamic.h> to
|
|
cannam@135
|
120 // use this.
|
|
cannam@135
|
121
|
|
cannam@135
|
122 bool isCanonical();
|
|
cannam@135
|
123 // Returns whether the message encoded in the reader is in canonical form.
|
|
cannam@135
|
124
|
|
cannam@135
|
125 private:
|
|
cannam@135
|
126 ReaderOptions options;
|
|
cannam@135
|
127
|
|
cannam@135
|
128 // Space in which we can construct a ReaderArena. We don't use ReaderArena directly here
|
|
cannam@135
|
129 // because we don't want clients to have to #include arena.h, which itself includes a bunch of
|
|
cannam@135
|
130 // big STL headers. We don't use a pointer to a ReaderArena because that would require an
|
|
cannam@135
|
131 // extra malloc on every message which could be expensive when processing small messages.
|
|
cannam@135
|
132 void* arenaSpace[15 + sizeof(kj::MutexGuarded<void*>) / sizeof(void*)];
|
|
cannam@135
|
133 bool allocatedArena;
|
|
cannam@135
|
134
|
|
cannam@135
|
135 _::ReaderArena* arena() { return reinterpret_cast<_::ReaderArena*>(arenaSpace); }
|
|
cannam@135
|
136 AnyPointer::Reader getRootInternal();
|
|
cannam@135
|
137 };
|
|
cannam@135
|
138
|
|
cannam@135
|
139 class MessageBuilder {
|
|
cannam@135
|
140 // Abstract interface for an object used to allocate and build a message. Subclasses of
|
|
cannam@135
|
141 // MessageBuilder are responsible for allocating the space in which the message will be written.
|
|
cannam@135
|
142 // The most common subclass is `MallocMessageBuilder`, but other subclasses may be used to do
|
|
cannam@135
|
143 // tricky things like allocate messages in shared memory or mmap()ed files.
|
|
cannam@135
|
144 //
|
|
cannam@135
|
145 // Creating a new message ususually means allocating a new MessageBuilder (ideally on the stack)
|
|
cannam@135
|
146 // and then calling `messageBuilder.initRoot<MyStructType>()` to get a `MyStructType::Builder`.
|
|
cannam@135
|
147 // That, in turn, can be used to fill in the message content. When done, you can call
|
|
cannam@135
|
148 // `messageBuilder.getSegmentsForOutput()` to get a list of flat data arrays containing the
|
|
cannam@135
|
149 // message.
|
|
cannam@135
|
150
|
|
cannam@135
|
151 public:
|
|
cannam@135
|
152 MessageBuilder();
|
|
cannam@135
|
153 virtual ~MessageBuilder() noexcept(false);
|
|
cannam@135
|
154 KJ_DISALLOW_COPY(MessageBuilder);
|
|
cannam@135
|
155
|
|
cannam@135
|
156 struct SegmentInit {
|
|
cannam@135
|
157 kj::ArrayPtr<word> space;
|
|
cannam@135
|
158
|
|
cannam@135
|
159 size_t wordsUsed;
|
|
cannam@135
|
160 // Number of words in `space` which are used; the rest are free space in which additional
|
|
cannam@135
|
161 // objects may be allocated.
|
|
cannam@135
|
162 };
|
|
cannam@135
|
163
|
|
cannam@135
|
164 explicit MessageBuilder(kj::ArrayPtr<SegmentInit> segments);
|
|
cannam@135
|
165 // Create a MessageBuilder backed by existing memory. This is an advanced interface that most
|
|
cannam@135
|
166 // people should not use. THIS METHOD IS INSECURE; see below.
|
|
cannam@135
|
167 //
|
|
cannam@135
|
168 // This allows a MessageBuilder to be constructed to modify an in-memory message without first
|
|
cannam@135
|
169 // making a copy of the content. This is especially useful in conjunction with mmap().
|
|
cannam@135
|
170 //
|
|
cannam@135
|
171 // The contents of each segment must outlive the MessageBuilder, but the SegmentInit array itself
|
|
cannam@135
|
172 // only need outlive the constructor.
|
|
cannam@135
|
173 //
|
|
cannam@135
|
174 // SECURITY: Do not use this in conjunction with untrusted data. This constructor assumes that
|
|
cannam@135
|
175 // the input message is valid. This constructor is designed to be used with data you control,
|
|
cannam@135
|
176 // e.g. an mmap'd file which is owned and accessed by only one program. When reading data you
|
|
cannam@135
|
177 // do not trust, you *must* load it into a Reader and then copy into a Builder as a means of
|
|
cannam@135
|
178 // validating the content.
|
|
cannam@135
|
179 //
|
|
cannam@135
|
180 // WARNING: It is NOT safe to initialize a MessageBuilder in this way from memory that is
|
|
cannam@135
|
181 // currently in use by another MessageBuilder or MessageReader. Other readers/builders will
|
|
cannam@135
|
182 // not observe changes to the segment sizes nor newly-allocated segments caused by allocating
|
|
cannam@135
|
183 // new objects in this message.
|
|
cannam@135
|
184
|
|
cannam@135
|
185 virtual kj::ArrayPtr<word> allocateSegment(uint minimumSize) = 0;
|
|
cannam@135
|
186 // Allocates an array of at least the given number of words, throwing an exception or crashing if
|
|
cannam@135
|
187 // this is not possible. It is expected that this method will usually return more space than
|
|
cannam@135
|
188 // requested, and the caller should use that extra space as much as possible before allocating
|
|
cannam@135
|
189 // more. The returned space remains valid at least until the MessageBuilder is destroyed.
|
|
cannam@135
|
190 //
|
|
cannam@135
|
191 // Cap'n Proto will only call this once at a time, so the subclass need not worry about
|
|
cannam@135
|
192 // thread-safety.
|
|
cannam@135
|
193
|
|
cannam@135
|
194 template <typename RootType>
|
|
cannam@135
|
195 typename RootType::Builder initRoot();
|
|
cannam@135
|
196 // Initialize the root struct of the message as the given struct type.
|
|
cannam@135
|
197
|
|
cannam@135
|
198 template <typename Reader>
|
|
cannam@135
|
199 void setRoot(Reader&& value);
|
|
cannam@135
|
200 // Set the root struct to a deep copy of the given struct.
|
|
cannam@135
|
201
|
|
cannam@135
|
202 template <typename RootType>
|
|
cannam@135
|
203 typename RootType::Builder getRoot();
|
|
cannam@135
|
204 // Get the root struct of the message, interpreting it as the given struct type.
|
|
cannam@135
|
205
|
|
cannam@135
|
206 template <typename RootType, typename SchemaType>
|
|
cannam@135
|
207 typename RootType::Builder getRoot(SchemaType schema);
|
|
cannam@135
|
208 // Dynamically interpret the root struct of the message using the given schema (a StructSchema).
|
|
cannam@135
|
209 // RootType in this case must be DynamicStruct, and you must #include <capnp/dynamic.h> to
|
|
cannam@135
|
210 // use this.
|
|
cannam@135
|
211
|
|
cannam@135
|
212 template <typename RootType, typename SchemaType>
|
|
cannam@135
|
213 typename RootType::Builder initRoot(SchemaType schema);
|
|
cannam@135
|
214 // Dynamically init the root struct of the message using the given schema (a StructSchema).
|
|
cannam@135
|
215 // RootType in this case must be DynamicStruct, and you must #include <capnp/dynamic.h> to
|
|
cannam@135
|
216 // use this.
|
|
cannam@135
|
217
|
|
cannam@135
|
218 template <typename T>
|
|
cannam@135
|
219 void adoptRoot(Orphan<T>&& orphan);
|
|
cannam@135
|
220 // Like setRoot() but adopts the orphan without copying.
|
|
cannam@135
|
221
|
|
cannam@135
|
222 kj::ArrayPtr<const kj::ArrayPtr<const word>> getSegmentsForOutput();
|
|
cannam@135
|
223 // Get the raw data that makes up the message.
|
|
cannam@135
|
224
|
|
cannam@135
|
225 Orphanage getOrphanage();
|
|
cannam@135
|
226
|
|
cannam@135
|
227 bool isCanonical();
|
|
cannam@135
|
228 // Check whether the message builder is in canonical form
|
|
cannam@135
|
229
|
|
cannam@135
|
230 private:
|
|
cannam@135
|
231 void* arenaSpace[22];
|
|
cannam@135
|
232 // Space in which we can construct a BuilderArena. We don't use BuilderArena directly here
|
|
cannam@135
|
233 // because we don't want clients to have to #include arena.h, which itself includes a bunch of
|
|
cannam@135
|
234 // big STL headers. We don't use a pointer to a BuilderArena because that would require an
|
|
cannam@135
|
235 // extra malloc on every message which could be expensive when processing small messages.
|
|
cannam@135
|
236
|
|
cannam@135
|
237 bool allocatedArena = false;
|
|
cannam@135
|
238 // We have to initialize the arena lazily because when we do so we want to allocate the root
|
|
cannam@135
|
239 // pointer immediately, and this will allocate a segment, which requires a virtual function
|
|
cannam@135
|
240 // call on the MessageBuilder. We can't do such a call in the constructor since the subclass
|
|
cannam@135
|
241 // isn't constructed yet. This is kind of annoying because it means that getOrphanage() is
|
|
cannam@135
|
242 // not thread-safe, but that shouldn't be a huge deal...
|
|
cannam@135
|
243
|
|
cannam@135
|
244 _::BuilderArena* arena() { return reinterpret_cast<_::BuilderArena*>(arenaSpace); }
|
|
cannam@135
|
245 _::SegmentBuilder* getRootSegment();
|
|
cannam@135
|
246 AnyPointer::Builder getRootInternal();
|
|
cannam@135
|
247 };
|
|
cannam@135
|
248
|
|
cannam@135
|
249 template <typename RootType>
|
|
cannam@135
|
250 typename RootType::Reader readMessageUnchecked(const word* data);
|
|
cannam@135
|
251 // IF THE INPUT IS INVALID, THIS MAY CRASH, CORRUPT MEMORY, CREATE A SECURITY HOLE IN YOUR APP,
|
|
cannam@135
|
252 // MURDER YOUR FIRST-BORN CHILD, AND/OR BRING ABOUT ETERNAL DAMNATION ON ALL OF HUMANITY. DO NOT
|
|
cannam@135
|
253 // USE UNLESS YOU UNDERSTAND THE CONSEQUENCES.
|
|
cannam@135
|
254 //
|
|
cannam@135
|
255 // Given a pointer to a known-valid message located in a single contiguous memory segment,
|
|
cannam@135
|
256 // returns a reader for that message. No bounds-checking will be done while traversing this
|
|
cannam@135
|
257 // message. Use this only if you have already verified that all pointers are valid and in-bounds,
|
|
cannam@135
|
258 // and there are no far pointers in the message.
|
|
cannam@135
|
259 //
|
|
cannam@135
|
260 // To create a message that can be passed to this function, build a message using a MallocAllocator
|
|
cannam@135
|
261 // whose preferred segment size is larger than the message size. This guarantees that the message
|
|
cannam@135
|
262 // will be allocated as a single segment, meaning getSegmentsForOutput() returns a single word
|
|
cannam@135
|
263 // array. That word array is your message; you may pass a pointer to its first word into
|
|
cannam@135
|
264 // readMessageUnchecked() to read the message.
|
|
cannam@135
|
265 //
|
|
cannam@135
|
266 // This can be particularly handy for embedding messages in generated code: you can
|
|
cannam@135
|
267 // embed the raw bytes (using AlignedData) then make a Reader for it using this. This is the way
|
|
cannam@135
|
268 // default values are embedded in code generated by the Cap'n Proto compiler. E.g., if you have
|
|
cannam@135
|
269 // a message MyMessage, you can read its default value like so:
|
|
cannam@135
|
270 // MyMessage::Reader reader = Message<MyMessage>::readMessageUnchecked(MyMessage::DEFAULT.words);
|
|
cannam@135
|
271 //
|
|
cannam@135
|
272 // To sanitize a message from an untrusted source such that it can be safely passed to
|
|
cannam@135
|
273 // readMessageUnchecked(), use copyToUnchecked().
|
|
cannam@135
|
274
|
|
cannam@135
|
275 template <typename Reader>
|
|
cannam@135
|
276 void copyToUnchecked(Reader&& reader, kj::ArrayPtr<word> uncheckedBuffer);
|
|
cannam@135
|
277 // Copy the content of the given reader into the given buffer, such that it can safely be passed to
|
|
cannam@135
|
278 // readMessageUnchecked(). The buffer's size must be exactly reader.totalSizeInWords() + 1,
|
|
cannam@135
|
279 // otherwise an exception will be thrown. The buffer must be zero'd before calling.
|
|
cannam@135
|
280
|
|
cannam@135
|
281 template <typename RootType>
|
|
cannam@135
|
282 typename RootType::Reader readDataStruct(kj::ArrayPtr<const word> data);
|
|
cannam@135
|
283 // Interprets the given data as a single, data-only struct. Only primitive fields (booleans,
|
|
cannam@135
|
284 // numbers, and enums) will be readable; all pointers will be null. This is useful if you want
|
|
cannam@135
|
285 // to use Cap'n Proto as a language/platform-neutral way to pack some bits.
|
|
cannam@135
|
286 //
|
|
cannam@135
|
287 // The input is a word array rather than a byte array to enforce alignment. If you have a byte
|
|
cannam@135
|
288 // array which you know is word-aligned (or if your platform supports unaligned reads and you don't
|
|
cannam@135
|
289 // mind the performance penalty), then you can use `reinterpret_cast` to convert a byte array into
|
|
cannam@135
|
290 // a word array:
|
|
cannam@135
|
291 //
|
|
cannam@135
|
292 // kj::arrayPtr(reinterpret_cast<const word*>(bytes.begin()),
|
|
cannam@135
|
293 // reinterpret_cast<const word*>(bytes.end()))
|
|
cannam@135
|
294
|
|
cannam@135
|
295 template <typename BuilderType>
|
|
cannam@135
|
296 typename kj::ArrayPtr<const word> writeDataStruct(BuilderType builder);
|
|
cannam@135
|
297 // Given a struct builder, get the underlying data section as a word array, suitable for passing
|
|
cannam@135
|
298 // to `readDataStruct()`.
|
|
cannam@135
|
299 //
|
|
cannam@135
|
300 // Note that you may call `.toBytes()` on the returned value to convert to `ArrayPtr<const byte>`.
|
|
cannam@135
|
301
|
|
cannam@135
|
302 template <typename Type>
|
|
cannam@135
|
303 static typename Type::Reader defaultValue();
|
|
cannam@135
|
304 // Get a default instance of the given struct or list type.
|
|
cannam@135
|
305 //
|
|
cannam@135
|
306 // TODO(cleanup): Find a better home for this function?
|
|
cannam@135
|
307
|
|
cannam@135
|
308 // =======================================================================================
|
|
cannam@135
|
309
|
|
cannam@135
|
310 class SegmentArrayMessageReader: public MessageReader {
|
|
cannam@135
|
311 // A simple MessageReader that reads from an array of word arrays representing all segments.
|
|
cannam@135
|
312 // In particular you can read directly from the output of MessageBuilder::getSegmentsForOutput()
|
|
cannam@135
|
313 // (although it would probably make more sense to call builder.getRoot().asReader() in that case).
|
|
cannam@135
|
314
|
|
cannam@135
|
315 public:
|
|
cannam@135
|
316 SegmentArrayMessageReader(kj::ArrayPtr<const kj::ArrayPtr<const word>> segments,
|
|
cannam@135
|
317 ReaderOptions options = ReaderOptions());
|
|
cannam@135
|
318 // Creates a message pointing at the given segment array, without taking ownership of the
|
|
cannam@135
|
319 // segments. All arrays passed in must remain valid until the MessageReader is destroyed.
|
|
cannam@135
|
320
|
|
cannam@135
|
321 KJ_DISALLOW_COPY(SegmentArrayMessageReader);
|
|
cannam@135
|
322 ~SegmentArrayMessageReader() noexcept(false);
|
|
cannam@135
|
323
|
|
cannam@135
|
324 virtual kj::ArrayPtr<const word> getSegment(uint id) override;
|
|
cannam@135
|
325
|
|
cannam@135
|
326 private:
|
|
cannam@135
|
327 kj::ArrayPtr<const kj::ArrayPtr<const word>> segments;
|
|
cannam@135
|
328 };
|
|
cannam@135
|
329
|
|
cannam@135
|
330 enum class AllocationStrategy: uint8_t {
|
|
cannam@135
|
331 FIXED_SIZE,
|
|
cannam@135
|
332 // The builder will prefer to allocate the same amount of space for each segment with no
|
|
cannam@135
|
333 // heuristic growth. It will still allocate larger segments when the preferred size is too small
|
|
cannam@135
|
334 // for some single object. This mode is generally not recommended, but can be particularly useful
|
|
cannam@135
|
335 // for testing in order to force a message to allocate a predictable number of segments. Note
|
|
cannam@135
|
336 // that you can force every single object in the message to be located in a separate segment by
|
|
cannam@135
|
337 // using this mode with firstSegmentWords = 0.
|
|
cannam@135
|
338
|
|
cannam@135
|
339 GROW_HEURISTICALLY
|
|
cannam@135
|
340 // The builder will heuristically decide how much space to allocate for each segment. Each
|
|
cannam@135
|
341 // allocated segment will be progressively larger than the previous segments on the assumption
|
|
cannam@135
|
342 // that message sizes are exponentially distributed. The total number of segments that will be
|
|
cannam@135
|
343 // allocated for a message of size n is O(log n).
|
|
cannam@135
|
344 };
|
|
cannam@135
|
345
|
|
cannam@135
|
346 constexpr uint SUGGESTED_FIRST_SEGMENT_WORDS = 1024;
|
|
cannam@135
|
347 constexpr AllocationStrategy SUGGESTED_ALLOCATION_STRATEGY = AllocationStrategy::GROW_HEURISTICALLY;
|
|
cannam@135
|
348
|
|
cannam@135
|
349 class MallocMessageBuilder: public MessageBuilder {
|
|
cannam@135
|
350 // A simple MessageBuilder that uses malloc() (actually, calloc()) to allocate segments. This
|
|
cannam@135
|
351 // implementation should be reasonable for any case that doesn't require writing the message to
|
|
cannam@135
|
352 // a specific location in memory.
|
|
cannam@135
|
353
|
|
cannam@135
|
354 public:
|
|
cannam@135
|
355 explicit MallocMessageBuilder(uint firstSegmentWords = SUGGESTED_FIRST_SEGMENT_WORDS,
|
|
cannam@135
|
356 AllocationStrategy allocationStrategy = SUGGESTED_ALLOCATION_STRATEGY);
|
|
cannam@135
|
357 // Creates a BuilderContext which allocates at least the given number of words for the first
|
|
cannam@135
|
358 // segment, and then uses the given strategy to decide how much to allocate for subsequent
|
|
cannam@135
|
359 // segments. When choosing a value for firstSegmentWords, consider that:
|
|
cannam@135
|
360 // 1) Reading and writing messages gets slower when multiple segments are involved, so it's good
|
|
cannam@135
|
361 // if most messages fit in a single segment.
|
|
cannam@135
|
362 // 2) Unused bytes will not be written to the wire, so generally it is not a big deal to allocate
|
|
cannam@135
|
363 // more space than you need. It only becomes problematic if you are allocating many messages
|
|
cannam@135
|
364 // in parallel and thus use lots of memory, or if you allocate so much extra space that just
|
|
cannam@135
|
365 // zeroing it out becomes a bottleneck.
|
|
cannam@135
|
366 // The defaults have been chosen to be reasonable for most people, so don't change them unless you
|
|
cannam@135
|
367 // have reason to believe you need to.
|
|
cannam@135
|
368
|
|
cannam@135
|
369 explicit MallocMessageBuilder(kj::ArrayPtr<word> firstSegment,
|
|
cannam@135
|
370 AllocationStrategy allocationStrategy = SUGGESTED_ALLOCATION_STRATEGY);
|
|
cannam@135
|
371 // This version always returns the given array for the first segment, and then proceeds with the
|
|
cannam@135
|
372 // allocation strategy. This is useful for optimization when building lots of small messages in
|
|
cannam@135
|
373 // a tight loop: you can reuse the space for the first segment.
|
|
cannam@135
|
374 //
|
|
cannam@135
|
375 // firstSegment MUST be zero-initialized. MallocMessageBuilder's destructor will write new zeros
|
|
cannam@135
|
376 // over any space that was used so that it can be reused.
|
|
cannam@135
|
377
|
|
cannam@135
|
378 KJ_DISALLOW_COPY(MallocMessageBuilder);
|
|
cannam@135
|
379 virtual ~MallocMessageBuilder() noexcept(false);
|
|
cannam@135
|
380
|
|
cannam@135
|
381 virtual kj::ArrayPtr<word> allocateSegment(uint minimumSize) override;
|
|
cannam@135
|
382
|
|
cannam@135
|
383 private:
|
|
cannam@135
|
384 uint nextSize;
|
|
cannam@135
|
385 AllocationStrategy allocationStrategy;
|
|
cannam@135
|
386
|
|
cannam@135
|
387 bool ownFirstSegment;
|
|
cannam@135
|
388 bool returnedFirstSegment;
|
|
cannam@135
|
389
|
|
cannam@135
|
390 void* firstSegment;
|
|
cannam@135
|
391
|
|
cannam@135
|
392 struct MoreSegments;
|
|
cannam@135
|
393 kj::Maybe<kj::Own<MoreSegments>> moreSegments;
|
|
cannam@135
|
394 };
|
|
cannam@135
|
395
|
|
cannam@135
|
396 class FlatMessageBuilder: public MessageBuilder {
|
|
cannam@135
|
397 // THIS IS NOT THE CLASS YOU'RE LOOKING FOR.
|
|
cannam@135
|
398 //
|
|
cannam@135
|
399 // If you want to write a message into already-existing scratch space, use `MallocMessageBuilder`
|
|
cannam@135
|
400 // and pass the scratch space to its constructor. It will then only fall back to malloc() if
|
|
cannam@135
|
401 // the scratch space is not large enough.
|
|
cannam@135
|
402 //
|
|
cannam@135
|
403 // Do NOT use this class unless you really know what you're doing. This class is problematic
|
|
cannam@135
|
404 // because it requires advance knowledge of the size of your message, which is usually impossible
|
|
cannam@135
|
405 // to determine without actually building the message. The class was created primarily to
|
|
cannam@135
|
406 // implement `copyToUnchecked()`, which itself exists only to support other internal parts of
|
|
cannam@135
|
407 // the Cap'n Proto implementation.
|
|
cannam@135
|
408
|
|
cannam@135
|
409 public:
|
|
cannam@135
|
410 explicit FlatMessageBuilder(kj::ArrayPtr<word> array);
|
|
cannam@135
|
411 KJ_DISALLOW_COPY(FlatMessageBuilder);
|
|
cannam@135
|
412 virtual ~FlatMessageBuilder() noexcept(false);
|
|
cannam@135
|
413
|
|
cannam@135
|
414 void requireFilled();
|
|
cannam@135
|
415 // Throws an exception if the flat array is not exactly full.
|
|
cannam@135
|
416
|
|
cannam@135
|
417 virtual kj::ArrayPtr<word> allocateSegment(uint minimumSize) override;
|
|
cannam@135
|
418
|
|
cannam@135
|
419 private:
|
|
cannam@135
|
420 kj::ArrayPtr<word> array;
|
|
cannam@135
|
421 bool allocated;
|
|
cannam@135
|
422 };
|
|
cannam@135
|
423
|
|
cannam@135
|
424 // =======================================================================================
|
|
cannam@135
|
425 // implementation details
|
|
cannam@135
|
426
|
|
cannam@135
|
427 inline const ReaderOptions& MessageReader::getOptions() {
|
|
cannam@135
|
428 return options;
|
|
cannam@135
|
429 }
|
|
cannam@135
|
430
|
|
cannam@135
|
431 template <typename RootType>
|
|
cannam@135
|
432 inline typename RootType::Reader MessageReader::getRoot() {
|
|
cannam@135
|
433 return getRootInternal().getAs<RootType>();
|
|
cannam@135
|
434 }
|
|
cannam@135
|
435
|
|
cannam@135
|
436 template <typename RootType>
|
|
cannam@135
|
437 inline typename RootType::Builder MessageBuilder::initRoot() {
|
|
cannam@135
|
438 return getRootInternal().initAs<RootType>();
|
|
cannam@135
|
439 }
|
|
cannam@135
|
440
|
|
cannam@135
|
441 template <typename Reader>
|
|
cannam@135
|
442 inline void MessageBuilder::setRoot(Reader&& value) {
|
|
cannam@135
|
443 getRootInternal().setAs<FromReader<Reader>>(value);
|
|
cannam@135
|
444 }
|
|
cannam@135
|
445
|
|
cannam@135
|
446 template <typename RootType>
|
|
cannam@135
|
447 inline typename RootType::Builder MessageBuilder::getRoot() {
|
|
cannam@135
|
448 return getRootInternal().getAs<RootType>();
|
|
cannam@135
|
449 }
|
|
cannam@135
|
450
|
|
cannam@135
|
451 template <typename T>
|
|
cannam@135
|
452 void MessageBuilder::adoptRoot(Orphan<T>&& orphan) {
|
|
cannam@135
|
453 return getRootInternal().adopt(kj::mv(orphan));
|
|
cannam@135
|
454 }
|
|
cannam@135
|
455
|
|
cannam@135
|
456 template <typename RootType, typename SchemaType>
|
|
cannam@135
|
457 typename RootType::Reader MessageReader::getRoot(SchemaType schema) {
|
|
cannam@135
|
458 return getRootInternal().getAs<RootType>(schema);
|
|
cannam@135
|
459 }
|
|
cannam@135
|
460
|
|
cannam@135
|
461 template <typename RootType, typename SchemaType>
|
|
cannam@135
|
462 typename RootType::Builder MessageBuilder::getRoot(SchemaType schema) {
|
|
cannam@135
|
463 return getRootInternal().getAs<RootType>(schema);
|
|
cannam@135
|
464 }
|
|
cannam@135
|
465
|
|
cannam@135
|
466 template <typename RootType, typename SchemaType>
|
|
cannam@135
|
467 typename RootType::Builder MessageBuilder::initRoot(SchemaType schema) {
|
|
cannam@135
|
468 return getRootInternal().initAs<RootType>(schema);
|
|
cannam@135
|
469 }
|
|
cannam@135
|
470
|
|
cannam@135
|
471 template <typename RootType>
|
|
cannam@135
|
472 typename RootType::Reader readMessageUnchecked(const word* data) {
|
|
cannam@135
|
473 return AnyPointer::Reader(_::PointerReader::getRootUnchecked(data)).getAs<RootType>();
|
|
cannam@135
|
474 }
|
|
cannam@135
|
475
|
|
cannam@135
|
476 template <typename Reader>
|
|
cannam@135
|
477 void copyToUnchecked(Reader&& reader, kj::ArrayPtr<word> uncheckedBuffer) {
|
|
cannam@135
|
478 FlatMessageBuilder builder(uncheckedBuffer);
|
|
cannam@135
|
479 builder.setRoot(kj::fwd<Reader>(reader));
|
|
cannam@135
|
480 builder.requireFilled();
|
|
cannam@135
|
481 }
|
|
cannam@135
|
482
|
|
cannam@135
|
483 template <typename RootType>
|
|
cannam@135
|
484 typename RootType::Reader readDataStruct(kj::ArrayPtr<const word> data) {
|
|
cannam@135
|
485 return typename RootType::Reader(_::StructReader(data));
|
|
cannam@135
|
486 }
|
|
cannam@135
|
487
|
|
cannam@135
|
488 template <typename BuilderType>
|
|
cannam@135
|
489 typename kj::ArrayPtr<const word> writeDataStruct(BuilderType builder) {
|
|
cannam@135
|
490 auto bytes = _::PointerHelpers<FromBuilder<BuilderType>>::getInternalBuilder(kj::mv(builder))
|
|
cannam@135
|
491 .getDataSectionAsBlob();
|
|
cannam@135
|
492 return kj::arrayPtr(reinterpret_cast<word*>(bytes.begin()),
|
|
cannam@135
|
493 reinterpret_cast<word*>(bytes.end()));
|
|
cannam@135
|
494 }
|
|
cannam@135
|
495
|
|
cannam@135
|
496 template <typename Type>
|
|
cannam@135
|
497 static typename Type::Reader defaultValue() {
|
|
cannam@135
|
498 return typename Type::Reader(_::StructReader());
|
|
cannam@135
|
499 }
|
|
cannam@135
|
500
|
|
cannam@135
|
501 template <typename T>
|
|
cannam@135
|
502 kj::Array<word> canonicalize(T&& reader) {
|
|
cannam@135
|
503 return _::PointerHelpers<FromReader<T>>::getInternalReader(reader).canonicalize();
|
|
cannam@135
|
504 }
|
|
cannam@135
|
505
|
|
cannam@135
|
506 } // namespace capnp
|
|
cannam@135
|
507
|
|
cannam@135
|
508 #endif // CAPNP_MESSAGE_H_
|
