Chris@64: // Copyright (c) 2013-2014 Sandstorm Development Group, Inc. and contributors Chris@64: // Licensed under the MIT License: Chris@64: // Chris@64: // Permission is hereby granted, free of charge, to any person obtaining a copy Chris@64: // of this software and associated documentation files (the "Software"), to deal Chris@64: // in the Software without restriction, including without limitation the rights Chris@64: // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell Chris@64: // copies of the Software, and to permit persons to whom the Software is Chris@64: // furnished to do so, subject to the following conditions: Chris@64: // Chris@64: // The above copyright notice and this permission notice shall be included in Chris@64: // all copies or substantial portions of the Software. Chris@64: // Chris@64: // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR Chris@64: // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, Chris@64: // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE Chris@64: // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER Chris@64: // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, Chris@64: // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN Chris@64: // THE SOFTWARE. Chris@64: Chris@64: #ifndef CAPNP_ARENA_H_ Chris@64: #define CAPNP_ARENA_H_ Chris@64: Chris@64: #if defined(__GNUC__) && !defined(CAPNP_HEADER_WARNINGS) Chris@64: #pragma GCC system_header Chris@64: #endif Chris@64: Chris@64: #ifndef CAPNP_PRIVATE Chris@64: #error "This header is only meant to be included by Cap'n Proto's own source code." Chris@64: #endif Chris@64: Chris@64: #include Chris@64: #include Chris@64: #include Chris@64: #include Chris@64: #include Chris@64: #include "common.h" Chris@64: #include "message.h" Chris@64: #include "layout.h" Chris@64: #include Chris@64: Chris@64: #if !CAPNP_LITE Chris@64: #include "capability.h" Chris@64: #endif // !CAPNP_LITE Chris@64: Chris@64: namespace capnp { Chris@64: Chris@64: #if !CAPNP_LITE Chris@64: class ClientHook; Chris@64: #endif // !CAPNP_LITE Chris@64: Chris@64: namespace _ { // private Chris@64: Chris@64: class SegmentReader; Chris@64: class SegmentBuilder; Chris@64: class Arena; Chris@64: class BuilderArena; Chris@64: class ReadLimiter; Chris@64: Chris@64: class Segment; Chris@64: typedef kj::Id SegmentId; Chris@64: Chris@64: class ReadLimiter { Chris@64: // Used to keep track of how much data has been processed from a message, and cut off further Chris@64: // processing if and when a particular limit is reached. This is primarily intended to guard Chris@64: // against maliciously-crafted messages which contain cycles or overlapping structures. Cycles Chris@64: // and overlapping are not permitted by the Cap'n Proto format because in many cases they could Chris@64: // be used to craft a deceptively small message which could consume excessive server resources to Chris@64: // process, perhaps even sending it into an infinite loop. Actually detecting overlaps would be Chris@64: // time-consuming, so instead we just keep track of how many words worth of data structures the Chris@64: // receiver has actually dereferenced and error out if this gets too high. Chris@64: // Chris@64: // This counting takes place as you call getters (for non-primitive values) on the message Chris@64: // readers. If you call the same getter twice, the data it returns may be double-counted. This Chris@64: // should not be a big deal in most cases -- just set the read limit high enough that it will Chris@64: // only trigger in unreasonable cases. Chris@64: // Chris@64: // This class is "safe" to use from multiple threads for its intended use case. Threads may Chris@64: // overwrite each others' changes to the counter, but this is OK because it only means that the Chris@64: // limit is enforced a bit less strictly -- it will still kick in eventually. Chris@64: Chris@64: public: Chris@64: inline explicit ReadLimiter(); // No limit. Chris@64: inline explicit ReadLimiter(WordCount64 limit); // Limit to the given number of words. Chris@64: Chris@64: inline void reset(WordCount64 limit); Chris@64: Chris@64: KJ_ALWAYS_INLINE(bool canRead(WordCount64 amount, Arena* arena)); Chris@64: Chris@64: void unread(WordCount64 amount); Chris@64: // Adds back some words to the limit. Useful when the caller knows they are double-reading Chris@64: // some data. Chris@64: Chris@64: private: Chris@64: volatile uint64_t limit; Chris@64: // Current limit, decremented each time catRead() is called. Volatile because multiple threads Chris@64: // could be trying to modify it at once. (This is not real thread-safety, but good enough for Chris@64: // the purpose of this class. See class comment.) Chris@64: Chris@64: KJ_DISALLOW_COPY(ReadLimiter); Chris@64: }; Chris@64: Chris@64: #if !CAPNP_LITE Chris@64: class BrokenCapFactory { Chris@64: // Callback for constructing broken caps. We use this so that we can avoid arena.c++ having a Chris@64: // link-time dependency on capability code that lives in libcapnp-rpc. Chris@64: Chris@64: public: Chris@64: virtual kj::Own newBrokenCap(kj::StringPtr description) = 0; Chris@64: virtual kj::Own newNullCap() = 0; Chris@64: }; Chris@64: #endif // !CAPNP_LITE Chris@64: Chris@64: class SegmentReader { Chris@64: public: Chris@64: inline SegmentReader(Arena* arena, SegmentId id, const word* ptr, SegmentWordCount size, Chris@64: ReadLimiter* readLimiter); Chris@64: Chris@64: KJ_ALWAYS_INLINE(const word* checkOffset(const word* from, ptrdiff_t offset)); Chris@64: // Adds the given offset to the given pointer, checks that it is still within the bounds of the Chris@64: // segment, then returns it. Note that the "end" pointer of the segment (which technically points Chris@64: // to the word after the last in the segment) is considered in-bounds for this purpose, so you Chris@64: // can't necessarily dereference it. You must call checkObject() next to check that the object Chris@64: // you want to read is entirely in-bounds. Chris@64: // Chris@64: // If `from + offset` is out-of-range, this returns a pointer to the end of the segment. Thus, Chris@64: // any non-zero-sized object will fail `checkObject()`. We do this instead of throwing to save Chris@64: // some code footprint. Chris@64: Chris@64: KJ_ALWAYS_INLINE(bool checkObject(const word* start, WordCountN<31> size)); Chris@64: // Assuming that `start` is in-bounds for this segment (probably checked using `checkOffset()`), Chris@64: // check that `start + size` is also in-bounds, and hence the whole area in-between is valid. Chris@64: Chris@64: KJ_ALWAYS_INLINE(bool amplifiedRead(WordCount virtualAmount)); Chris@64: // Indicates that the reader should pretend that `virtualAmount` additional data was read even Chris@64: // though no actual pointer was traversed. This is used e.g. when reading a struct list pointer Chris@64: // where the element sizes are zero -- the sender could set the list size arbitrarily high and Chris@64: // cause the receiver to iterate over this list even though the message itself is small, so we Chris@64: // need to defend against DoS attacks based on this. Chris@64: Chris@64: inline Arena* getArena(); Chris@64: inline SegmentId getSegmentId(); Chris@64: Chris@64: inline const word* getStartPtr(); Chris@64: inline SegmentWordCount getOffsetTo(const word* ptr); Chris@64: inline SegmentWordCount getSize(); Chris@64: Chris@64: inline kj::ArrayPtr getArray(); Chris@64: Chris@64: inline void unread(WordCount64 amount); Chris@64: // Add back some words to the ReadLimiter. Chris@64: Chris@64: private: Chris@64: Arena* arena; Chris@64: SegmentId id; Chris@64: kj::ArrayPtr ptr; // size guaranteed to fit in SEGMENT_WORD_COUNT_BITS bits Chris@64: ReadLimiter* readLimiter; Chris@64: Chris@64: KJ_DISALLOW_COPY(SegmentReader); Chris@64: Chris@64: friend class SegmentBuilder; Chris@64: Chris@64: static void abortCheckObjectFault(); Chris@64: // Called in debug mode in cases that would segfault in opt mode. (Should be impossible!) Chris@64: }; Chris@64: Chris@64: class SegmentBuilder: public SegmentReader { Chris@64: public: Chris@64: inline SegmentBuilder(BuilderArena* arena, SegmentId id, word* ptr, SegmentWordCount size, Chris@64: ReadLimiter* readLimiter, SegmentWordCount wordsUsed = ZERO * WORDS); Chris@64: inline SegmentBuilder(BuilderArena* arena, SegmentId id, const word* ptr, SegmentWordCount size, Chris@64: ReadLimiter* readLimiter); Chris@64: inline SegmentBuilder(BuilderArena* arena, SegmentId id, decltype(nullptr), Chris@64: ReadLimiter* readLimiter); Chris@64: Chris@64: KJ_ALWAYS_INLINE(word* allocate(SegmentWordCount amount)); Chris@64: Chris@64: KJ_ALWAYS_INLINE(void checkWritable()); Chris@64: // Throw an exception if the segment is read-only (meaning it is a reference to external data). Chris@64: Chris@64: KJ_ALWAYS_INLINE(word* getPtrUnchecked(SegmentWordCount offset)); Chris@64: // Get a writable pointer into the segment. Throws an exception if the segment is read-only (i.e. Chris@64: // a reference to external immutable data). Chris@64: Chris@64: inline BuilderArena* getArena(); Chris@64: Chris@64: inline kj::ArrayPtr currentlyAllocated(); Chris@64: Chris@64: inline void reset(); Chris@64: Chris@64: inline bool isWritable() { return !readOnly; } Chris@64: Chris@64: inline void tryTruncate(word* from, word* to); Chris@64: // If `from` points just past the current end of the segment, then move the end back to `to`. Chris@64: // Otherwise, do nothing. Chris@64: Chris@64: inline bool tryExtend(word* from, word* to); Chris@64: // If `from` points just past the current end of the segment, and `to` is within the segment Chris@64: // boundaries, then move the end up to `to` and return true. Otherwise, do nothing and return Chris@64: // false. Chris@64: Chris@64: private: Chris@64: word* pos; Chris@64: // Pointer to a pointer to the current end point of the segment, i.e. the location where the Chris@64: // next object should be allocated. Chris@64: Chris@64: bool readOnly; Chris@64: Chris@64: void throwNotWritable(); Chris@64: Chris@64: KJ_DISALLOW_COPY(SegmentBuilder); Chris@64: }; Chris@64: Chris@64: class Arena { Chris@64: public: Chris@64: virtual ~Arena() noexcept(false); Chris@64: Chris@64: virtual SegmentReader* tryGetSegment(SegmentId id) = 0; Chris@64: // Gets the segment with the given ID, or return nullptr if no such segment exists. Chris@64: Chris@64: virtual void reportReadLimitReached() = 0; Chris@64: // Called to report that the read limit has been reached. See ReadLimiter, below. This invokes Chris@64: // the VALIDATE_INPUT() macro which may throw an exception; if it returns normally, the caller Chris@64: // will need to continue with default values. Chris@64: }; Chris@64: Chris@64: class ReaderArena final: public Arena { Chris@64: public: Chris@64: explicit ReaderArena(MessageReader* message); Chris@64: ~ReaderArena() noexcept(false); Chris@64: KJ_DISALLOW_COPY(ReaderArena); Chris@64: Chris@64: // implements Arena ------------------------------------------------ Chris@64: SegmentReader* tryGetSegment(SegmentId id) override; Chris@64: void reportReadLimitReached() override; Chris@64: Chris@64: private: Chris@64: MessageReader* message; Chris@64: ReadLimiter readLimiter; Chris@64: Chris@64: // Optimize for single-segment messages so that small messages are handled quickly. Chris@64: SegmentReader segment0; Chris@64: Chris@64: typedef std::unordered_map> SegmentMap; Chris@64: kj::MutexGuarded>> moreSegments; Chris@64: // We need to mutex-guard the segment map because we lazily initialize segments when they are Chris@64: // first requested, but a Reader is allowed to be used concurrently in multiple threads. Luckily Chris@64: // this only applies to large messages. Chris@64: // Chris@64: // TODO(perf): Thread-local thing instead? Some kind of lockless map? Or do sharing of data Chris@64: // in a different way, where you have to construct a new MessageReader in each thread (but Chris@64: // possibly backed by the same data)? Chris@64: Chris@64: ReaderArena(MessageReader* message, kj::ArrayPtr firstSegment); Chris@64: ReaderArena(MessageReader* message, const word* firstSegment, SegmentWordCount firstSegmentSize); Chris@64: }; Chris@64: Chris@64: class BuilderArena final: public Arena { Chris@64: // A BuilderArena that does not allow the injection of capabilities. Chris@64: Chris@64: public: Chris@64: explicit BuilderArena(MessageBuilder* message); Chris@64: BuilderArena(MessageBuilder* message, kj::ArrayPtr segments); Chris@64: ~BuilderArena() noexcept(false); Chris@64: KJ_DISALLOW_COPY(BuilderArena); Chris@64: Chris@64: inline SegmentBuilder* getRootSegment() { return &segment0; } Chris@64: Chris@64: kj::ArrayPtr> getSegmentsForOutput(); Chris@64: // Get an array of all the segments, suitable for writing out. This only returns the allocated Chris@64: // portion of each segment, whereas tryGetSegment() returns something that includes Chris@64: // not-yet-allocated space. Chris@64: Chris@64: inline CapTableBuilder* getLocalCapTable() { Chris@64: // Return a CapTableBuilder that merely implements local loopback. That is, you can set Chris@64: // capabilities, then read the same capabilities back, but there is no intent ever to transmit Chris@64: // these capabilities. A MessageBuilder that isn't imbued with some other CapTable uses this Chris@64: // by default. Chris@64: // Chris@64: // TODO(cleanup): It's sort of a hack that this exists. In theory, perhaps, unimbued Chris@64: // MessageBuilders should throw exceptions on any attempt to access capability fields, like Chris@64: // unimbued MessageReaders do. However, lots of code exists which uses MallocMessageBuilder Chris@64: // as a temporary holder for data to be copied in and out (without being serialized), and it Chris@64: // is expected that such data can include capabilities, which is admittedly reasonable. Chris@64: // Therefore, all MessageBuilders must have a cap table by default. Arguably we should Chris@64: // deprecate this usage and instead define a new helper type for this exact purpose. Chris@64: Chris@64: return &localCapTable; Chris@64: } Chris@64: Chris@64: SegmentBuilder* getSegment(SegmentId id); Chris@64: // Get the segment with the given id. Crashes or throws an exception if no such segment exists. Chris@64: Chris@64: struct AllocateResult { Chris@64: SegmentBuilder* segment; Chris@64: word* words; Chris@64: }; Chris@64: Chris@64: AllocateResult allocate(SegmentWordCount amount); Chris@64: // Find a segment with at least the given amount of space available and allocate the space. Chris@64: // Note that allocating directly from a particular segment is much faster, but allocating from Chris@64: // the arena is guaranteed to succeed. Therefore callers should try to allocate from a specific Chris@64: // segment first if there is one, then fall back to the arena. Chris@64: Chris@64: SegmentBuilder* addExternalSegment(kj::ArrayPtr content); Chris@64: // Add a new segment to the arena which points to some existing memory region. The segment is Chris@64: // assumed to be completley full; the arena will never allocate from it. In fact, the segment Chris@64: // is considered read-only. Any attempt to get a Builder pointing into this segment will throw Chris@64: // an exception. Readers are allowed, however. Chris@64: // Chris@64: // This can be used to inject some external data into a message without a copy, e.g. embedding a Chris@64: // large mmap'd file into a message as `Data` without forcing that data to actually be read in Chris@64: // from disk (until the message itself is written out). `Orphanage` provides the public API for Chris@64: // this feature. Chris@64: Chris@64: // implements Arena ------------------------------------------------ Chris@64: SegmentReader* tryGetSegment(SegmentId id) override; Chris@64: void reportReadLimitReached() override; Chris@64: Chris@64: private: Chris@64: MessageBuilder* message; Chris@64: ReadLimiter dummyLimiter; Chris@64: Chris@64: class LocalCapTable: public CapTableBuilder { Chris@64: #if !CAPNP_LITE Chris@64: public: Chris@64: kj::Maybe> extractCap(uint index) override; Chris@64: uint injectCap(kj::Own&& cap) override; Chris@64: void dropCap(uint index) override; Chris@64: Chris@64: private: Chris@64: kj::Vector>> capTable; Chris@64: #endif // ! CAPNP_LITE Chris@64: }; Chris@64: Chris@64: LocalCapTable localCapTable; Chris@64: Chris@64: SegmentBuilder segment0; Chris@64: kj::ArrayPtr segment0ForOutput; Chris@64: Chris@64: struct MultiSegmentState { Chris@64: kj::Vector> builders; Chris@64: kj::Vector> forOutput; Chris@64: }; Chris@64: kj::Maybe> moreSegments; Chris@64: Chris@64: SegmentBuilder* segmentWithSpace = nullptr; Chris@64: // When allocating, look for space in this segment first before resorting to allocating a new Chris@64: // segment. This is not necessarily the last segment because addExternalSegment() may add a Chris@64: // segment that is already-full, in which case we don't update this pointer. Chris@64: Chris@64: template // Can be `word` or `const word`. Chris@64: SegmentBuilder* addSegmentInternal(kj::ArrayPtr content); Chris@64: }; Chris@64: Chris@64: // ======================================================================================= Chris@64: Chris@64: inline ReadLimiter::ReadLimiter() Chris@64: : limit(kj::maxValue) {} Chris@64: Chris@64: inline ReadLimiter::ReadLimiter(WordCount64 limit): limit(unbound(limit / WORDS)) {} Chris@64: Chris@64: inline void ReadLimiter::reset(WordCount64 limit) { this->limit = unbound(limit / WORDS); } Chris@64: Chris@64: inline bool ReadLimiter::canRead(WordCount64 amount, Arena* arena) { Chris@64: // Be careful not to store an underflowed value into `limit`, even if multiple threads are Chris@64: // decrementing it. Chris@64: uint64_t current = limit; Chris@64: if (KJ_UNLIKELY(unbound(amount / WORDS) > current)) { Chris@64: arena->reportReadLimitReached(); Chris@64: return false; Chris@64: } else { Chris@64: limit = current - unbound(amount / WORDS); Chris@64: return true; Chris@64: } Chris@64: } Chris@64: Chris@64: // ------------------------------------------------------------------- Chris@64: Chris@64: inline SegmentReader::SegmentReader(Arena* arena, SegmentId id, const word* ptr, Chris@64: SegmentWordCount size, ReadLimiter* readLimiter) Chris@64: : arena(arena), id(id), ptr(kj::arrayPtr(ptr, unbound(size / WORDS))), Chris@64: readLimiter(readLimiter) {} Chris@64: Chris@64: inline const word* SegmentReader::checkOffset(const word* from, ptrdiff_t offset) { Chris@64: ptrdiff_t min = ptr.begin() - from; Chris@64: ptrdiff_t max = ptr.end() - from; Chris@64: if (offset >= min && offset <= max) { Chris@64: return from + offset; Chris@64: } else { Chris@64: return ptr.end(); Chris@64: } Chris@64: } Chris@64: Chris@64: inline bool SegmentReader::checkObject(const word* start, WordCountN<31> size) { Chris@64: auto startOffset = intervalLength(ptr.begin(), start, MAX_SEGMENT_WORDS); Chris@64: #ifdef KJ_DEBUG Chris@64: if (startOffset > bounded(ptr.size()) * WORDS) { Chris@64: abortCheckObjectFault(); Chris@64: } Chris@64: #endif Chris@64: return startOffset + size <= bounded(ptr.size()) * WORDS && Chris@64: readLimiter->canRead(size, arena); Chris@64: } Chris@64: Chris@64: inline bool SegmentReader::amplifiedRead(WordCount virtualAmount) { Chris@64: return readLimiter->canRead(virtualAmount, arena); Chris@64: } Chris@64: Chris@64: inline Arena* SegmentReader::getArena() { return arena; } Chris@64: inline SegmentId SegmentReader::getSegmentId() { return id; } Chris@64: inline const word* SegmentReader::getStartPtr() { return ptr.begin(); } Chris@64: inline SegmentWordCount SegmentReader::getOffsetTo(const word* ptr) { Chris@64: KJ_IREQUIRE(this->ptr.begin() <= ptr && ptr <= this->ptr.end()); Chris@64: return intervalLength(this->ptr.begin(), ptr, MAX_SEGMENT_WORDS); Chris@64: } Chris@64: inline SegmentWordCount SegmentReader::getSize() { Chris@64: return assumeBits(ptr.size()) * WORDS; Chris@64: } Chris@64: inline kj::ArrayPtr SegmentReader::getArray() { return ptr; } Chris@64: inline void SegmentReader::unread(WordCount64 amount) { readLimiter->unread(amount); } Chris@64: Chris@64: // ------------------------------------------------------------------- Chris@64: Chris@64: inline SegmentBuilder::SegmentBuilder( Chris@64: BuilderArena* arena, SegmentId id, word* ptr, SegmentWordCount size, Chris@64: ReadLimiter* readLimiter, SegmentWordCount wordsUsed) Chris@64: : SegmentReader(arena, id, ptr, size, readLimiter), Chris@64: pos(ptr + wordsUsed), readOnly(false) {} Chris@64: inline SegmentBuilder::SegmentBuilder( Chris@64: BuilderArena* arena, SegmentId id, const word* ptr, SegmentWordCount size, Chris@64: ReadLimiter* readLimiter) Chris@64: : SegmentReader(arena, id, ptr, size, readLimiter), Chris@64: // const_cast is safe here because the member won't ever be dereferenced because it appears Chris@64: // to point to the end of the segment anyway. Chris@64: pos(const_cast(ptr + size)), readOnly(true) {} Chris@64: inline SegmentBuilder::SegmentBuilder(BuilderArena* arena, SegmentId id, decltype(nullptr), Chris@64: ReadLimiter* readLimiter) Chris@64: : SegmentReader(arena, id, nullptr, ZERO * WORDS, readLimiter), Chris@64: pos(nullptr), readOnly(false) {} Chris@64: Chris@64: inline word* SegmentBuilder::allocate(SegmentWordCount amount) { Chris@64: if (intervalLength(pos, ptr.end(), MAX_SEGMENT_WORDS) < amount) { Chris@64: // Not enough space in the segment for this allocation. Chris@64: return nullptr; Chris@64: } else { Chris@64: // Success. Chris@64: word* result = pos; Chris@64: pos = pos + amount; Chris@64: return result; Chris@64: } Chris@64: } Chris@64: Chris@64: inline void SegmentBuilder::checkWritable() { Chris@64: if (KJ_UNLIKELY(readOnly)) throwNotWritable(); Chris@64: } Chris@64: Chris@64: inline word* SegmentBuilder::getPtrUnchecked(SegmentWordCount offset) { Chris@64: return const_cast(ptr.begin() + offset); Chris@64: } Chris@64: Chris@64: inline BuilderArena* SegmentBuilder::getArena() { Chris@64: // Down-cast safe because SegmentBuilder's constructor always initializes its SegmentReader base Chris@64: // class with an Arena pointer that actually points to a BuilderArena. Chris@64: return static_cast(arena); Chris@64: } Chris@64: Chris@64: inline kj::ArrayPtr SegmentBuilder::currentlyAllocated() { Chris@64: return kj::arrayPtr(ptr.begin(), pos - ptr.begin()); Chris@64: } Chris@64: Chris@64: inline void SegmentBuilder::reset() { Chris@64: word* start = getPtrUnchecked(ZERO * WORDS); Chris@64: memset(start, 0, (pos - start) * sizeof(word)); Chris@64: pos = start; Chris@64: } Chris@64: Chris@64: inline void SegmentBuilder::tryTruncate(word* from, word* to) { Chris@64: if (pos == from) pos = to; Chris@64: } Chris@64: Chris@64: inline bool SegmentBuilder::tryExtend(word* from, word* to) { Chris@64: // Careful about overflow. Chris@64: if (pos == from && to <= ptr.end() && to >= from) { Chris@64: pos = to; Chris@64: return true; Chris@64: } else { Chris@64: return false; Chris@64: } Chris@64: } Chris@64: Chris@64: } // namespace _ (private) Chris@64: } // namespace capnp Chris@64: Chris@64: #endif // CAPNP_ARENA_H_