cannam@134: // Copyright (c) 2013-2014 Sandstorm Development Group, Inc. and contributors cannam@134: // Licensed under the MIT License: cannam@134: // cannam@134: // Permission is hereby granted, free of charge, to any person obtaining a copy cannam@134: // of this software and associated documentation files (the "Software"), to deal cannam@134: // in the Software without restriction, including without limitation the rights cannam@134: // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell cannam@134: // copies of the Software, and to permit persons to whom the Software is cannam@134: // furnished to do so, subject to the following conditions: cannam@134: // cannam@134: // The above copyright notice and this permission notice shall be included in cannam@134: // all copies or substantial portions of the Software. cannam@134: // cannam@134: // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR cannam@134: // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, cannam@134: // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE cannam@134: // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER cannam@134: // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, cannam@134: // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN cannam@134: // THE SOFTWARE. cannam@134: cannam@134: #ifndef CAPNP_ARENA_H_ cannam@134: #define CAPNP_ARENA_H_ cannam@134: cannam@134: #if defined(__GNUC__) && !defined(CAPNP_HEADER_WARNINGS) cannam@134: #pragma GCC system_header cannam@134: #endif cannam@134: cannam@134: #ifndef CAPNP_PRIVATE cannam@134: #error "This header is only meant to be included by Cap'n Proto's own source code." cannam@134: #endif cannam@134: cannam@134: #include cannam@134: #include cannam@134: #include cannam@134: #include cannam@134: #include "common.h" cannam@134: #include "message.h" cannam@134: #include "layout.h" cannam@134: #include cannam@134: cannam@134: #if !CAPNP_LITE cannam@134: #include "capability.h" cannam@134: #endif // !CAPNP_LITE cannam@134: cannam@134: namespace capnp { cannam@134: cannam@134: #if !CAPNP_LITE cannam@134: class ClientHook; cannam@134: #endif // !CAPNP_LITE cannam@134: cannam@134: namespace _ { // private cannam@134: cannam@134: class SegmentReader; cannam@134: class SegmentBuilder; cannam@134: class Arena; cannam@134: class BuilderArena; cannam@134: class ReadLimiter; cannam@134: cannam@134: class Segment; cannam@134: typedef kj::Id SegmentId; cannam@134: cannam@134: class ReadLimiter { cannam@134: // Used to keep track of how much data has been processed from a message, and cut off further cannam@134: // processing if and when a particular limit is reached. This is primarily intended to guard cannam@134: // against maliciously-crafted messages which contain cycles or overlapping structures. Cycles cannam@134: // and overlapping are not permitted by the Cap'n Proto format because in many cases they could cannam@134: // be used to craft a deceptively small message which could consume excessive server resources to cannam@134: // process, perhaps even sending it into an infinite loop. Actually detecting overlaps would be cannam@134: // time-consuming, so instead we just keep track of how many words worth of data structures the cannam@134: // receiver has actually dereferenced and error out if this gets too high. cannam@134: // cannam@134: // This counting takes place as you call getters (for non-primitive values) on the message cannam@134: // readers. If you call the same getter twice, the data it returns may be double-counted. This cannam@134: // should not be a big deal in most cases -- just set the read limit high enough that it will cannam@134: // only trigger in unreasonable cases. cannam@134: // cannam@134: // This class is "safe" to use from multiple threads for its intended use case. Threads may cannam@134: // overwrite each others' changes to the counter, but this is OK because it only means that the cannam@134: // limit is enforced a bit less strictly -- it will still kick in eventually. cannam@134: cannam@134: public: cannam@134: inline explicit ReadLimiter(); // No limit. cannam@134: inline explicit ReadLimiter(WordCount64 limit); // Limit to the given number of words. cannam@134: cannam@134: inline void reset(WordCount64 limit); cannam@134: cannam@134: KJ_ALWAYS_INLINE(bool canRead(WordCount amount, Arena* arena)); cannam@134: cannam@134: void unread(WordCount64 amount); cannam@134: // Adds back some words to the limit. Useful when the caller knows they are double-reading cannam@134: // some data. cannam@134: cannam@134: private: cannam@134: volatile uint64_t limit; cannam@134: // Current limit, decremented each time catRead() is called. Volatile because multiple threads cannam@134: // could be trying to modify it at once. (This is not real thread-safety, but good enough for cannam@134: // the purpose of this class. See class comment.) cannam@134: cannam@134: KJ_DISALLOW_COPY(ReadLimiter); cannam@134: }; cannam@134: cannam@134: #if !CAPNP_LITE cannam@134: class BrokenCapFactory { cannam@134: // Callback for constructing broken caps. We use this so that we can avoid arena.c++ having a cannam@134: // link-time dependency on capability code that lives in libcapnp-rpc. cannam@134: cannam@134: public: cannam@134: virtual kj::Own newBrokenCap(kj::StringPtr description) = 0; cannam@134: virtual kj::Own newNullCap() = 0; cannam@134: }; cannam@134: #endif // !CAPNP_LITE cannam@134: cannam@134: class SegmentReader { cannam@134: public: cannam@134: inline SegmentReader(Arena* arena, SegmentId id, kj::ArrayPtr ptr, cannam@134: ReadLimiter* readLimiter); cannam@134: cannam@134: KJ_ALWAYS_INLINE(bool containsInterval(const void* from, const void* to)); cannam@134: cannam@134: KJ_ALWAYS_INLINE(bool amplifiedRead(WordCount virtualAmount)); cannam@134: // Indicates that the reader should pretend that `virtualAmount` additional data was read even cannam@134: // though no actual pointer was traversed. This is used e.g. when reading a struct list pointer cannam@134: // where the element sizes are zero -- the sender could set the list size arbitrarily high and cannam@134: // cause the receiver to iterate over this list even though the message itself is small, so we cannam@134: // need to defend against DoS attacks based on this. cannam@134: cannam@134: inline Arena* getArena(); cannam@134: inline SegmentId getSegmentId(); cannam@134: cannam@134: inline const word* getStartPtr(); cannam@134: inline WordCount getOffsetTo(const word* ptr); cannam@134: inline WordCount getSize(); cannam@134: cannam@134: inline kj::ArrayPtr getArray(); cannam@134: cannam@134: inline void unread(WordCount64 amount); cannam@134: // Add back some words to the ReadLimiter. cannam@134: cannam@134: private: cannam@134: Arena* arena; cannam@134: SegmentId id; cannam@134: kj::ArrayPtr ptr; cannam@134: ReadLimiter* readLimiter; cannam@134: cannam@134: KJ_DISALLOW_COPY(SegmentReader); cannam@134: cannam@134: friend class SegmentBuilder; cannam@134: }; cannam@134: cannam@134: class SegmentBuilder: public SegmentReader { cannam@134: public: cannam@134: inline SegmentBuilder(BuilderArena* arena, SegmentId id, kj::ArrayPtr ptr, cannam@134: ReadLimiter* readLimiter, size_t wordsUsed = 0); cannam@134: inline SegmentBuilder(BuilderArena* arena, SegmentId id, kj::ArrayPtr ptr, cannam@134: ReadLimiter* readLimiter); cannam@134: inline SegmentBuilder(BuilderArena* arena, SegmentId id, decltype(nullptr), cannam@134: ReadLimiter* readLimiter); cannam@134: cannam@134: KJ_ALWAYS_INLINE(word* allocate(WordCount amount)); cannam@134: cannam@134: KJ_ALWAYS_INLINE(void checkWritable()); cannam@134: // Throw an exception if the segment is read-only (meaning it is a reference to external data). cannam@134: cannam@134: KJ_ALWAYS_INLINE(word* getPtrUnchecked(WordCount offset)); cannam@134: // Get a writable pointer into the segment. Throws an exception if the segment is read-only (i.e. cannam@134: // a reference to external immutable data). cannam@134: cannam@134: inline BuilderArena* getArena(); cannam@134: cannam@134: inline kj::ArrayPtr currentlyAllocated(); cannam@134: cannam@134: inline void reset(); cannam@134: cannam@134: inline bool isWritable() { return !readOnly; } cannam@134: cannam@134: inline void tryTruncate(word* from, word* to); cannam@134: // If `from` points just past the current end of the segment, then move the end back to `to`. cannam@134: // Otherwise, do nothing. cannam@134: cannam@134: inline bool tryExtend(word* from, word* to); cannam@134: // If `from` points just past the current end of the segment, and `to` is within the segment cannam@134: // boundaries, then move the end up to `to` and return true. Otherwise, do nothing and return cannam@134: // false. cannam@134: cannam@134: private: cannam@134: word* pos; cannam@134: // Pointer to a pointer to the current end point of the segment, i.e. the location where the cannam@134: // next object should be allocated. cannam@134: cannam@134: bool readOnly; cannam@134: cannam@134: void throwNotWritable(); cannam@134: cannam@134: KJ_DISALLOW_COPY(SegmentBuilder); cannam@134: }; cannam@134: cannam@134: class Arena { cannam@134: public: cannam@134: virtual ~Arena() noexcept(false); cannam@134: cannam@134: virtual SegmentReader* tryGetSegment(SegmentId id) = 0; cannam@134: // Gets the segment with the given ID, or return nullptr if no such segment exists. cannam@134: cannam@134: virtual void reportReadLimitReached() = 0; cannam@134: // Called to report that the read limit has been reached. See ReadLimiter, below. This invokes cannam@134: // the VALIDATE_INPUT() macro which may throw an exception; if it returns normally, the caller cannam@134: // will need to continue with default values. cannam@134: }; cannam@134: cannam@134: class ReaderArena final: public Arena { cannam@134: public: cannam@134: ReaderArena(MessageReader* message); cannam@134: ~ReaderArena() noexcept(false); cannam@134: KJ_DISALLOW_COPY(ReaderArena); cannam@134: cannam@134: // implements Arena ------------------------------------------------ cannam@134: SegmentReader* tryGetSegment(SegmentId id) override; cannam@134: void reportReadLimitReached() override; cannam@134: cannam@134: private: cannam@134: MessageReader* message; cannam@134: ReadLimiter readLimiter; cannam@134: cannam@134: // Optimize for single-segment messages so that small messages are handled quickly. cannam@134: SegmentReader segment0; cannam@134: cannam@134: typedef std::unordered_map> SegmentMap; cannam@134: kj::MutexGuarded>> moreSegments; cannam@134: // We need to mutex-guard the segment map because we lazily initialize segments when they are cannam@134: // first requested, but a Reader is allowed to be used concurrently in multiple threads. Luckily cannam@134: // this only applies to large messages. cannam@134: // cannam@134: // TODO(perf): Thread-local thing instead? Some kind of lockless map? Or do sharing of data cannam@134: // in a different way, where you have to construct a new MessageReader in each thread (but cannam@134: // possibly backed by the same data)? cannam@134: }; cannam@134: cannam@134: class BuilderArena final: public Arena { cannam@134: // A BuilderArena that does not allow the injection of capabilities. cannam@134: cannam@134: public: cannam@134: explicit BuilderArena(MessageBuilder* message); cannam@134: BuilderArena(MessageBuilder* message, kj::ArrayPtr segments); cannam@134: ~BuilderArena() noexcept(false); cannam@134: KJ_DISALLOW_COPY(BuilderArena); cannam@134: cannam@134: inline SegmentBuilder* getRootSegment() { return &segment0; } cannam@134: cannam@134: kj::ArrayPtr> getSegmentsForOutput(); cannam@134: // Get an array of all the segments, suitable for writing out. This only returns the allocated cannam@134: // portion of each segment, whereas tryGetSegment() returns something that includes cannam@134: // not-yet-allocated space. cannam@134: cannam@134: inline CapTableBuilder* getLocalCapTable() { cannam@134: // Return a CapTableBuilder that merely implements local loopback. That is, you can set cannam@134: // capabilities, then read the same capabilities back, but there is no intent ever to transmit cannam@134: // these capabilities. A MessageBuilder that isn't imbued with some other CapTable uses this cannam@134: // by default. cannam@134: // cannam@134: // TODO(cleanup): It's sort of a hack that this exists. In theory, perhaps, unimbued cannam@134: // MessageBuilders should throw exceptions on any attempt to access capability fields, like cannam@134: // unimbued MessageReaders do. However, lots of code exists which uses MallocMessageBuilder cannam@134: // as a temporary holder for data to be copied in and out (without being serialized), and it cannam@134: // is expected that such data can include capabilities, which is admittedly reasonable. cannam@134: // Therefore, all MessageBuilders must have a cap table by default. Arguably we should cannam@134: // deprecate this usage and instead define a new helper type for this exact purpose. cannam@134: cannam@134: return &localCapTable; cannam@134: } cannam@134: cannam@134: SegmentBuilder* getSegment(SegmentId id); cannam@134: // Get the segment with the given id. Crashes or throws an exception if no such segment exists. cannam@134: cannam@134: struct AllocateResult { cannam@134: SegmentBuilder* segment; cannam@134: word* words; cannam@134: }; cannam@134: cannam@134: AllocateResult allocate(WordCount amount); cannam@134: // Find a segment with at least the given amount of space available and allocate the space. cannam@134: // Note that allocating directly from a particular segment is much faster, but allocating from cannam@134: // the arena is guaranteed to succeed. Therefore callers should try to allocate from a specific cannam@134: // segment first if there is one, then fall back to the arena. cannam@134: cannam@134: SegmentBuilder* addExternalSegment(kj::ArrayPtr content); cannam@134: // Add a new segment to the arena which points to some existing memory region. The segment is cannam@134: // assumed to be completley full; the arena will never allocate from it. In fact, the segment cannam@134: // is considered read-only. Any attempt to get a Builder pointing into this segment will throw cannam@134: // an exception. Readers are allowed, however. cannam@134: // cannam@134: // This can be used to inject some external data into a message without a copy, e.g. embedding a cannam@134: // large mmap'd file into a message as `Data` without forcing that data to actually be read in cannam@134: // from disk (until the message itself is written out). `Orphanage` provides the public API for cannam@134: // this feature. cannam@134: cannam@134: // implements Arena ------------------------------------------------ cannam@134: SegmentReader* tryGetSegment(SegmentId id) override; cannam@134: void reportReadLimitReached() override; cannam@134: cannam@134: private: cannam@134: MessageBuilder* message; cannam@134: ReadLimiter dummyLimiter; cannam@134: cannam@134: class LocalCapTable: public CapTableBuilder { cannam@134: #if !CAPNP_LITE cannam@134: public: cannam@134: kj::Maybe> extractCap(uint index) override; cannam@134: uint injectCap(kj::Own&& cap) override; cannam@134: void dropCap(uint index) override; cannam@134: cannam@134: private: cannam@134: kj::Vector>> capTable; cannam@134: #endif // ! CAPNP_LITE cannam@134: }; cannam@134: cannam@134: LocalCapTable localCapTable; cannam@134: cannam@134: SegmentBuilder segment0; cannam@134: kj::ArrayPtr segment0ForOutput; cannam@134: cannam@134: struct MultiSegmentState { cannam@134: kj::Vector> builders; cannam@134: kj::Vector> forOutput; cannam@134: }; cannam@134: kj::Maybe> moreSegments; cannam@134: cannam@134: SegmentBuilder* segmentWithSpace = nullptr; cannam@134: // When allocating, look for space in this segment first before resorting to allocating a new cannam@134: // segment. This is not necessarily the last segment because addExternalSegment() may add a cannam@134: // segment that is already-full, in which case we don't update this pointer. cannam@134: cannam@134: template // Can be `word` or `const word`. cannam@134: SegmentBuilder* addSegmentInternal(kj::ArrayPtr content); cannam@134: }; cannam@134: cannam@134: // ======================================================================================= cannam@134: cannam@134: inline ReadLimiter::ReadLimiter() cannam@134: : limit(kj::maxValue) {} cannam@134: cannam@134: inline ReadLimiter::ReadLimiter(WordCount64 limit): limit(limit / WORDS) {} cannam@134: cannam@134: inline void ReadLimiter::reset(WordCount64 limit) { this->limit = limit / WORDS; } cannam@134: cannam@134: inline bool ReadLimiter::canRead(WordCount amount, Arena* arena) { cannam@134: // Be careful not to store an underflowed value into `limit`, even if multiple threads are cannam@134: // decrementing it. cannam@134: uint64_t current = limit; cannam@134: if (KJ_UNLIKELY(amount / WORDS > current)) { cannam@134: arena->reportReadLimitReached(); cannam@134: return false; cannam@134: } else { cannam@134: limit = current - amount / WORDS; cannam@134: return true; cannam@134: } cannam@134: } cannam@134: cannam@134: // ------------------------------------------------------------------- cannam@134: cannam@134: inline SegmentReader::SegmentReader(Arena* arena, SegmentId id, kj::ArrayPtr ptr, cannam@134: ReadLimiter* readLimiter) cannam@134: : arena(arena), id(id), ptr(ptr), readLimiter(readLimiter) {} cannam@134: cannam@134: inline bool SegmentReader::containsInterval(const void* from, const void* to) { cannam@134: return from >= this->ptr.begin() && to <= this->ptr.end() && from <= to && cannam@134: readLimiter->canRead( cannam@134: intervalLength(reinterpret_cast(from), cannam@134: reinterpret_cast(to)) / BYTES_PER_WORD, cannam@134: arena); cannam@134: } cannam@134: cannam@134: inline bool SegmentReader::amplifiedRead(WordCount virtualAmount) { cannam@134: return readLimiter->canRead(virtualAmount, arena); cannam@134: } cannam@134: cannam@134: inline Arena* SegmentReader::getArena() { return arena; } cannam@134: inline SegmentId SegmentReader::getSegmentId() { return id; } cannam@134: inline const word* SegmentReader::getStartPtr() { return ptr.begin(); } cannam@134: inline WordCount SegmentReader::getOffsetTo(const word* ptr) { cannam@134: return intervalLength(this->ptr.begin(), ptr); cannam@134: } cannam@134: inline WordCount SegmentReader::getSize() { return ptr.size() * WORDS; } cannam@134: inline kj::ArrayPtr SegmentReader::getArray() { return ptr; } cannam@134: inline void SegmentReader::unread(WordCount64 amount) { readLimiter->unread(amount); } cannam@134: cannam@134: // ------------------------------------------------------------------- cannam@134: cannam@134: inline SegmentBuilder::SegmentBuilder( cannam@134: BuilderArena* arena, SegmentId id, kj::ArrayPtr ptr, ReadLimiter* readLimiter, cannam@134: size_t wordsUsed) cannam@134: : SegmentReader(arena, id, ptr, readLimiter), pos(ptr.begin() + wordsUsed), readOnly(false) {} cannam@134: inline SegmentBuilder::SegmentBuilder( cannam@134: BuilderArena* arena, SegmentId id, kj::ArrayPtr ptr, ReadLimiter* readLimiter) cannam@134: : SegmentReader(arena, id, ptr, readLimiter), cannam@134: // const_cast is safe here because the member won't ever be dereferenced because it appears cannam@134: // to point to the end of the segment anyway. cannam@134: pos(const_cast(ptr.end())), cannam@134: readOnly(true) {} cannam@134: inline SegmentBuilder::SegmentBuilder(BuilderArena* arena, SegmentId id, decltype(nullptr), cannam@134: ReadLimiter* readLimiter) cannam@134: : SegmentReader(arena, id, nullptr, readLimiter), pos(nullptr), readOnly(false) {} cannam@134: cannam@134: inline word* SegmentBuilder::allocate(WordCount amount) { cannam@134: if (intervalLength(pos, ptr.end()) < amount) { cannam@134: // Not enough space in the segment for this allocation. cannam@134: return nullptr; cannam@134: } else { cannam@134: // Success. cannam@134: word* result = pos; cannam@134: pos = pos + amount; cannam@134: return result; cannam@134: } cannam@134: } cannam@134: cannam@134: inline void SegmentBuilder::checkWritable() { cannam@134: if (KJ_UNLIKELY(readOnly)) throwNotWritable(); cannam@134: } cannam@134: cannam@134: inline word* SegmentBuilder::getPtrUnchecked(WordCount offset) { cannam@134: return const_cast(ptr.begin() + offset); cannam@134: } cannam@134: cannam@134: inline BuilderArena* SegmentBuilder::getArena() { cannam@134: // Down-cast safe because SegmentBuilder's constructor always initializes its SegmentReader base cannam@134: // class with an Arena pointer that actually points to a BuilderArena. cannam@134: return static_cast(arena); cannam@134: } cannam@134: cannam@134: inline kj::ArrayPtr SegmentBuilder::currentlyAllocated() { cannam@134: return kj::arrayPtr(ptr.begin(), pos - ptr.begin()); cannam@134: } cannam@134: cannam@134: inline void SegmentBuilder::reset() { cannam@134: word* start = getPtrUnchecked(0 * WORDS); cannam@134: memset(start, 0, (pos - start) * sizeof(word)); cannam@134: pos = start; cannam@134: } cannam@134: cannam@134: inline void SegmentBuilder::tryTruncate(word* from, word* to) { cannam@134: if (pos == from) pos = to; cannam@134: } cannam@134: cannam@134: inline bool SegmentBuilder::tryExtend(word* from, word* to) { cannam@134: // Careful about overflow. cannam@134: if (pos == from && to <= ptr.end() && to >= from) { cannam@134: pos = to; cannam@134: return true; cannam@134: } else { cannam@134: return false; cannam@134: } cannam@134: } cannam@134: cannam@134: } // namespace _ (private) cannam@134: } // namespace capnp cannam@134: cannam@134: #endif // CAPNP_ARENA_H_