1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
|
/*
* Copyright (C) 2018 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef INCLUDE_PERFETTO_PROTOZERO_PROTO_DECODER_H_
#define INCLUDE_PERFETTO_PROTOZERO_PROTO_DECODER_H_
#include <stdint.h>
#include <array>
#include <memory>
#include <vector>
#include "perfetto/base/compiler.h"
#include "perfetto/base/logging.h"
#include "perfetto/protozero/field.h"
#include "perfetto/protozero/proto_utils.h"
namespace protozero {
// A generic protobuf decoder. Doesn't require any knowledge about the proto
// schema. It tokenizes fields, retrieves their ID and type and exposes
// accessors to retrieve its values.
// It does NOT recurse in nested submessages, instead it just computes their
// boundaries, recursion is left to the caller.
// This class is designed to be used in perf-sensitive contexts. It does not
// allocate and does not perform any proto semantic checks (e.g. repeated /
// required / optional). It's supposedly safe wrt out-of-bounds memory accesses
// (see proto_decoder_fuzzer.cc).
// This class serves also as a building block for TypedProtoDecoder, used when
// the schema is known at compile time.
class PERFETTO_EXPORT_COMPONENT ProtoDecoder {
public:
// Creates a ProtoDecoder using the given |buffer| with size |length| bytes.
ProtoDecoder(const void* buffer, size_t length)
: begin_(reinterpret_cast<const uint8_t*>(buffer)),
end_(begin_ + length),
read_ptr_(begin_) {}
ProtoDecoder(const std::string& str) : ProtoDecoder(str.data(), str.size()) {}
ProtoDecoder(const ConstBytes& cb) : ProtoDecoder(cb.data, cb.size) {}
// Reads the next field from the buffer and advances the read cursor. If a
// full field cannot be read, the returned Field will be invalid (i.e.
// field.valid() == false).
Field ReadField();
// Finds the first field with the given id. Doesn't affect the read cursor.
Field FindField(uint32_t field_id);
// Resets the read cursor to the start of the buffer.
void Reset() { read_ptr_ = begin_; }
// Resets the read cursor to the given position (must be within the buffer).
void Reset(const uint8_t* pos) {
PERFETTO_DCHECK(pos >= begin_ && pos < end_);
read_ptr_ = pos;
}
// Returns the position of read cursor, relative to the start of the buffer.
size_t read_offset() const { return static_cast<size_t>(read_ptr_ - begin_); }
size_t bytes_left() const {
PERFETTO_DCHECK(read_ptr_ <= end_);
return static_cast<size_t>(end_ - read_ptr_);
}
const uint8_t* begin() const { return begin_; }
const uint8_t* end() const { return end_; }
protected:
const uint8_t* const begin_;
const uint8_t* const end_;
const uint8_t* read_ptr_ = nullptr;
};
// An iterator-like class used to iterate through repeated fields. Used by
// TypedProtoDecoder. The iteration sequence is a bit counter-intuitive due to
// the fact that fields_[field_id] holds the *last* value of the field, not the
// first, but the remaining storage holds repeated fields in FIFO order.
// Assume that we push the 10,11,12 into a repeated field with ID=1.
//
// Decoder memory layout: [ fields storage ] [ repeated fields storage ]
// 1st iteration: 10
// 2nd iteration: 11 10
// 3rd iteration: 12 10 11
//
// We start the iteration @ fields_[num_fields], which is the start of the
// repeated fields storage, proceed until the end and lastly jump @ fields_[id].
template <typename T>
class RepeatedFieldIterator {
public:
RepeatedFieldIterator(uint32_t field_id,
const Field* begin,
const Field* end,
const Field* last)
: field_id_(field_id), iter_(begin), end_(end), last_(last) {
FindNextMatchingId();
}
// Constructs an invalid iterator.
RepeatedFieldIterator()
: field_id_(0u), iter_(nullptr), end_(nullptr), last_(nullptr) {}
explicit operator bool() const { return iter_ != end_; }
const Field& field() const { return *iter_; }
T operator*() const {
T val{};
iter_->get(&val);
return val;
}
const Field* operator->() const { return iter_; }
RepeatedFieldIterator& operator++() {
PERFETTO_DCHECK(iter_ != end_);
if (iter_ == last_) {
iter_ = end_;
return *this;
}
++iter_;
FindNextMatchingId();
return *this;
}
RepeatedFieldIterator operator++(int) {
PERFETTO_DCHECK(iter_ != end_);
RepeatedFieldIterator it(*this);
++(*this);
return it;
}
private:
void FindNextMatchingId() {
PERFETTO_DCHECK(iter_ != last_);
for (; iter_ != end_; ++iter_) {
if (iter_->id() == field_id_)
return;
}
iter_ = last_->valid() ? last_ : end_;
}
uint32_t field_id_;
// Initially points to the beginning of the repeated field storage, then is
// incremented as we call operator++().
const Field* iter_;
// Always points to fields_[size_], i.e. past the end of the storage.
const Field* end_;
// Always points to fields_[field_id].
const Field* last_;
};
// As RepeatedFieldIterator, but allows iterating over a packed repeated field
// (which will be initially stored as a single length-delimited field).
// See |GetPackedRepeatedField| for details.
//
// Assumes little endianness, and that the input buffers are well formed -
// containing an exact multiple of encoded elements.
template <proto_utils::ProtoWireType wire_type, typename CppType>
class PackedRepeatedFieldIterator {
public:
PackedRepeatedFieldIterator(const uint8_t* data_begin,
size_t size,
bool* parse_error_ptr)
: data_end_(data_begin ? data_begin + size : nullptr),
read_ptr_(data_begin),
parse_error_(parse_error_ptr) {
using proto_utils::ProtoWireType;
static_assert(wire_type == ProtoWireType::kVarInt ||
wire_type == ProtoWireType::kFixed32 ||
wire_type == ProtoWireType::kFixed64,
"invalid type");
PERFETTO_DCHECK(parse_error_ptr);
// Either the field is unset (and there are no data pointer), or the field
// is set with a zero length payload. Mark the iterator as invalid in both
// cases.
if (size == 0) {
curr_value_valid_ = false;
return;
}
if ((wire_type == ProtoWireType::kFixed32 && (size % 4) != 0) ||
(wire_type == ProtoWireType::kFixed64 && (size % 8) != 0)) {
*parse_error_ = true;
curr_value_valid_ = false;
return;
}
++(*this);
}
const CppType operator*() const { return curr_value_; }
explicit operator bool() const { return curr_value_valid_; }
PackedRepeatedFieldIterator& operator++() {
using proto_utils::ProtoWireType;
if (PERFETTO_UNLIKELY(!curr_value_valid_))
return *this;
if (PERFETTO_UNLIKELY(read_ptr_ == data_end_)) {
curr_value_valid_ = false;
return *this;
}
if (wire_type == ProtoWireType::kVarInt) {
uint64_t new_value = 0;
const uint8_t* new_pos =
proto_utils::ParseVarInt(read_ptr_, data_end_, &new_value);
if (PERFETTO_UNLIKELY(new_pos == read_ptr_)) {
// Failed to decode the varint (probably incomplete buffer).
*parse_error_ = true;
curr_value_valid_ = false;
} else {
read_ptr_ = new_pos;
curr_value_ = static_cast<CppType>(new_value);
}
} else { // kFixed32 or kFixed64
constexpr size_t kStep = wire_type == ProtoWireType::kFixed32 ? 4 : 8;
// NB: the raw buffer is not guaranteed to be aligned, so neither are
// these copies.
memcpy(&curr_value_, read_ptr_, sizeof(CppType));
read_ptr_ += kStep;
}
return *this;
}
PackedRepeatedFieldIterator operator++(int) {
PackedRepeatedFieldIterator it(*this);
++(*this);
return it;
}
private:
// Might be null if the backing proto field isn't set.
const uint8_t* const data_end_;
// The iterator looks ahead by an element, so |curr_value| holds the value
// to be returned when the caller dereferences the iterator, and |read_ptr_|
// points at the start of the next element to be decoded.
// |read_ptr_| might be null if the backing proto field isn't set.
const uint8_t* read_ptr_;
CppType curr_value_ = {};
// Set to false once we've exhausted the iterator, or encountered an error.
bool curr_value_valid_ = true;
// Where to set parsing errors, supplied by the caller.
bool* const parse_error_;
};
// This decoder loads all fields upfront, without recursing in nested messages.
// It is used as a base class for typed decoders generated by the pbzero plugin.
// The split between TypedProtoDecoderBase and TypedProtoDecoder<> is to have
// unique definition of functions like ParseAllFields() and ExpandHeapStorage().
// The storage (either on-stack or on-heap) for this class is organized as
// follows:
// |-------------------------- fields_ ----------------------|
// [ field 0 (invalid) ] [ fields 1 .. N ] [ repeated fields ]
// ^ ^
// num_fields_ size_
// Note that if a message has high field numbers, upon creation |size_| can be
// < |num_fields_| (until a heap expansion is hit while inserting).
class PERFETTO_EXPORT_COMPONENT TypedProtoDecoderBase : public ProtoDecoder {
public:
// If the field |id| is known at compile time, prefer the templated
// specialization at<kFieldNumber>().
const Field& Get(uint32_t id) const {
if (PERFETTO_LIKELY(id < num_fields_ && id < size_))
return fields_[id];
// If id >= num_fields_, the field id is invalid (was not known in the
// .proto) and we return the 0th field, which is always !valid().
// If id >= size_ and <= num_fields, the id is valid but the field has not
// been seen while decoding (hence the stack storage has not been expanded)
// so we return the 0th invalid field.
return fields_[0];
}
// Returns an object that allows to iterate over all instances of a repeated
// field given its id. Example usage:
// for (auto it = decoder.GetRepeated<int32_t>(N); it; ++it) { ... }
template <typename T>
RepeatedFieldIterator<T> GetRepeated(uint32_t field_id) const {
const Field* repeated_begin;
// The storage for repeated fields starts after the slot for the highest
// field id (refer to the diagram in the class-level comment). However, if
// a message has more than INITIAL_STACK_CAPACITY field there will be no
// slots available for the repeated fields (if ExpandHeapStorage() was not
// called). Imagine a message that has highest field id = 102 and that is
// still using the stack:
// [ F0 ] [ F1 ] ... [ F100 ] [ F101 ] [ F1012] [ repeated fields ]
// ^ num_fields_
// ^ size (== capacity)
if (PERFETTO_LIKELY(num_fields_ < size_)) {
repeated_begin = &fields_[num_fields_];
} else {
// This is the case of not having any storage space for repeated fields.
// This makes it so begin == end, so the iterator will just skip @ last.
repeated_begin = &fields_[size_];
}
const Field* repeated_end = &fields_[size_];
const Field* last = &Get(field_id);
return RepeatedFieldIterator<T>(field_id, repeated_begin, repeated_end,
last);
}
// Returns an objects that allows to iterate over all entries of a packed
// repeated field given its id and type. The |wire_type| is necessary for
// decoding the packed field, the |cpp_type| is for convenience & stronger
// typing.
//
// The caller must also supply a pointer to a bool that is set to true if the
// packed buffer is found to be malformed while iterating (so you need to
// exhaust the iterator if you want to check the full extent of the buffer).
//
// Note that unlike standard protobuf parsers, protozero does not allow
// treating of packed repeated fields as non-packed and vice-versa (therefore
// not making the packed option forwards and backwards compatible). So
// the caller needs to use the right accessor for correct results.
template <proto_utils::ProtoWireType wire_type, typename cpp_type>
PackedRepeatedFieldIterator<wire_type, cpp_type> GetPackedRepeated(
uint32_t field_id,
bool* parse_error_location) const {
const Field& field = Get(field_id);
if (field.valid()) {
return PackedRepeatedFieldIterator<wire_type, cpp_type>(
field.data(), field.size(), parse_error_location);
}
return PackedRepeatedFieldIterator<wire_type, cpp_type>(
nullptr, 0, parse_error_location);
}
protected:
TypedProtoDecoderBase(Field* storage,
uint32_t num_fields,
uint32_t capacity,
const uint8_t* buffer,
size_t length)
: ProtoDecoder(buffer, length),
fields_(storage),
num_fields_(num_fields),
// The reason for "capacity -1" is to avoid hitting the expansion path
// in TypedProtoDecoderBase::ParseAllFields() when we are just setting
// fields < INITIAL_STACK_CAPACITY (which is the most common case).
size_(std::min(num_fields, capacity - 1)),
capacity_(capacity) {
// The reason why Field needs to be trivially de/constructible is to avoid
// implicit initializers on all the ~1000 entries. We need it to initialize
// only on the first |max_field_id| fields, the remaining capacity doesn't
// require initialization.
static_assert(std::is_trivially_constructible<Field>::value &&
std::is_trivially_destructible<Field>::value &&
std::is_trivial<Field>::value,
"Field must be a trivial aggregate type");
memset(fields_, 0, sizeof(Field) * capacity_);
PERFETTO_DCHECK(capacity > 0);
}
void ParseAllFields();
// Called when the default on-stack storage is exhausted and new repeated
// fields need to be pushed.
void ExpandHeapStorage();
// Used only in presence of a large number of repeated fields, when the
// default on-stack storage is exhausted.
std::unique_ptr<Field[]> heap_storage_;
// Points to the storage, either on-stack (default, provided by the template
// specialization) or |heap_storage_| after ExpandHeapStorage() is called, in
// case of a large number of repeated fields.
Field* fields_;
// Number of known fields, without accounting repeated storage. This is equal
// to MAX_FIELD_ID + 1 (to account for the invalid 0th field). It never
// changes after construction.
// This is unrelated with |size_| and |capacity_|. If the highest field id of
// a proto message is 131, |num_fields_| will be = 132 but, on initialization,
// |size_| = |capacity_| = 100 (INITIAL_STACK_CAPACITY).
// One cannot generally assume that |fields_| has enough storage to
// dereference every field. That is only true:
// - For field ids < INITIAL_STACK_CAPACITY.
// - After the first call to ExpandHeapStorage().
uint32_t num_fields_;
// Number of active |fields_| entries. This is initially equal to
// min(num_fields_, INITIAL_STACK_CAPACITY - 1) and after ExpandHeapStorage()
// becomes == |num_fields_|. If the message has non-packed repeated fields, it
// can grow further, up to |capacity_|.
// |size_| is always <= |capacity_|. But |num_fields_| can be > |size_|.
uint32_t size_;
// Initially equal to kFieldsCapacity of the TypedProtoDecoder
// specialization. Can grow when falling back on heap-based storage, in which
// case it represents the size (#fields with each entry of a repeated field
// counted individually) of the |heap_storage_| array.
uint32_t capacity_;
};
// This constant is a tradeoff between having a larger stack frame and being
// able to decode field IDs up to N (or N - num_fields repeated fields) without
// falling back on the heap.
#define PROTOZERO_DECODER_INITIAL_STACK_CAPACITY 100
// Template class instantiated by the auto-generated decoder classes declared in
// xxx.pbzero.h files.
template <int MAX_FIELD_ID, bool HAS_NONPACKED_REPEATED_FIELDS>
class TypedProtoDecoder : public TypedProtoDecoderBase {
public:
TypedProtoDecoder(const uint8_t* buffer, size_t length)
: TypedProtoDecoderBase(on_stack_storage_,
/*num_fields=*/MAX_FIELD_ID + 1,
PROTOZERO_DECODER_INITIAL_STACK_CAPACITY,
buffer,
length) {
TypedProtoDecoderBase::ParseAllFields();
}
template <uint32_t FIELD_ID>
const Field& at() const {
static_assert(FIELD_ID <= MAX_FIELD_ID, "FIELD_ID > MAX_FIELD_ID");
// If the field id is < the on-stack capacity, it's safe to always
// dereference |fields_|, whether it's still using the stack or it fell
// back on the heap. Because both terms of the if () are known at compile
// time, the compiler elides the branch for ids < INITIAL_STACK_CAPACITY.
if (FIELD_ID < PROTOZERO_DECODER_INITIAL_STACK_CAPACITY) {
return fields_[FIELD_ID];
} else {
// Otherwise use the slowpath Get() which will do a runtime check.
return Get(FIELD_ID);
}
}
TypedProtoDecoder(TypedProtoDecoder&& other) noexcept
: TypedProtoDecoderBase(std::move(other)) {
// If the moved-from decoder was using on-stack storage, we need to update
// our pointer to point to this decoder's on-stack storage.
if (fields_ == other.on_stack_storage_) {
fields_ = on_stack_storage_;
memcpy(on_stack_storage_, other.on_stack_storage_,
sizeof(on_stack_storage_));
}
}
private:
Field on_stack_storage_[PROTOZERO_DECODER_INITIAL_STACK_CAPACITY];
};
} // namespace protozero
#endif // INCLUDE_PERFETTO_PROTOZERO_PROTO_DECODER_H_
|
