// Protocol Buffers - Google's data interchange format
// Copyright 2023 Google LLC. All rights reserved.
//
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file or at
// https://developers.google.com/open-source/licenses/bsd
// upb_decode: parsing into a upb_Message using a upb_MiniTable.
#ifndef UPB_WIRE_DECODE_H_
#define UPB_WIRE_DECODE_H_
#include <stddef.h>
#include <stdint.h>
#include "upb/mem/arena.h"
#include "upb/message/message.h"
#include "upb/mini_table/extension_registry.h"
#include "upb/mini_table/message.h"
// Must be last.
#include "upb/port/def.inc"
#ifdef __cplusplus
extern "C" {
#endif
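/* Option bits for the `options` argument of upb_Decode() and
 * upb_DecodeLengthPrefixed(). Every flag below fits in the low 16 bits of the
 * options word; the upper 16 bits carry the maximum recursion depth (see
 * upb_DecodeOptions_MaxDepth()). */
enum {
  /* If set, strings will alias the input buffer instead of copying into the
   * arena.
   *
   * NOTE(review): aliasing means the decoded message refers to the caller's
   * input buffer, so that buffer presumably must remain valid and unmodified
   * for as long as those string fields are read -- confirm against the
   * decoder's ownership rules before enabling this on short-lived buffers. */
  kUpb_DecodeOption_AliasString = 1,

  /* If set, the parse will return failure if any message is missing any
   * required fields when the message data ends.  The parse will still continue,
   * and the failure will only be reported at the end.
   *
   * IMPORTANT CAVEATS:
   *
   * 1. This can throw a false positive failure if an incomplete message is seen
   *    on the wire but is later completed when the sub-message occurs again.
   *    For this reason, a second pass is required to verify a failure, to be
   *    truly robust.
   *
   * 2. This can return a false success if you are decoding into a message that
   *    already has some sub-message fields present.  If the sub-message does
   *    not occur in the binary payload, we will never visit it and discover the
   *    incomplete sub-message.  For this reason, this check is only useful for
   *    implementing ParseFromString() semantics.  For MergeFromString(), a
   *    post-parse validation step will always be necessary. */
  kUpb_DecodeOption_CheckRequired = 2,

  /* EXPERIMENTAL:
   *
   * If set, the parser will allow parsing of sub-message fields that were not
   * previously linked using upb_MiniTable_SetSubMessage().  The data will be
   * parsed into an internal "empty" message type that cannot be accessed
   * directly, but can be later promoted into the true message type if the
   * sub-message fields are linked at a later time.
   *
   * Users should set this option if they intend to perform dynamic tree shaking
   * and promoting using the interfaces in message/promote.h.  If this option is
   * enabled, it is important that the resulting messages are only accessed by
   * code that is aware of promotion rules:
   *
   * 1. Message pointers in upb_Message, upb_Array, and upb_Map are represented
   *    by a tagged pointer upb_TaggedMessagePointer.  The tag indicates whether
   *    the message uses the internal "empty" type.
   *
   * 2. Any code *reading* these message pointers must test whether the "empty"
   *    tag bit is set, using the interfaces in mini_table/types.h.  However
   *    writing of message pointers should always use plain upb_Message*, since
   *    users are not allowed to create "empty" messages.
   *
   * 3. It is always safe to test whether a field is present or test the array
   *    length; these interfaces will reflect that empty messages are present,
   *    even though their data cannot be accessed without promoting first.
   *
   * 4. If a message pointer is indeed tagged as empty, the message may not be
   *    accessed directly, only promoted through the interfaces in
   *    message/promote.h.
   *
   * 5. Tagged/empty messages may never be created by the user.  They may only
   *    be created by the parser or the message-copying logic in message/copy.h.
   *
   * Consequence of rules 1, 2 and 4: a reader that skips the tag test would
   * handle an internal "empty" message as if it had the field's declared type.
   * Enable this option only when every consumer of the decoded message
   * performs that test.
   */
  kUpb_DecodeOption_ExperimentalAllowUnlinked = 4,

  /* EXPERIMENTAL:
   *
   * If set, decoding will enforce UTF-8 validation for string fields, even for
   * proto2 or fields with `features.utf8_validation = NONE`.  Normally, only
   * proto3 string fields will be validated for UTF-8.  Decoding will return
   * kUpb_DecodeStatus_BadUtf8 for non-UTF-8 strings, which is the same behavior
   * as non-UTF-8 proto3 string fields.
   */
  kUpb_DecodeOption_AlwaysValidateUtf8 = 8,
};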
/* Encodes a maximum recursion depth for use in a decode options word.
 *
 * The depth is placed in bits 16..31 and the low 16 bits are left zero, so
 * the result can be OR-ed with the kUpb_DecodeOption_* flags. */
UPB_INLINE uint32_t upb_DecodeOptions_MaxDepth(uint16_t depth) {
  /* Widen before shifting so the shift is performed on a 32-bit unsigned. */
  const uint32_t widened = depth;
  return widened << 16;
}
/* Extracts the maximum recursion depth from a decode options word, i.e. the
 * value held in bits 16..31.  The flag bits in the low half are discarded. */
UPB_INLINE uint16_t upb_DecodeOptions_GetMaxDepth(uint32_t options) {
  const uint32_t depth_bits = options >> 16;
  return (uint16_t)depth_bits; /* always <= 0xffff after the shift */
}
// Enforce an upper bound on recursion depth.
//
// Returns `decode_options` with its depth field (bits 16..31) lowered to
// `limit` whenever the encoded depth is larger; the flag bits in the low 16
// bits pass through unchanged.
//
// NOTE(review): a depth field of 0 is returned as 0. How the decoder treats a
// zero depth is not visible in this header -- confirm that an unset depth
// cannot end up above `limit`.
UPB_INLINE int upb_Decode_LimitDepth(uint32_t decode_options, uint32_t limit) {
  const uint32_t flag_bits = decode_options & 0xffff;
  const uint32_t requested = upb_DecodeOptions_GetMaxDepth(decode_options);
  // `requested` comes from a uint16_t, so the smaller of the two always fits
  // the uint16_t parameter of upb_DecodeOptions_MaxDepth().
  const uint32_t capped = (requested > limit) ? limit : requested;
  return upb_DecodeOptions_MaxDepth(capped) | flag_bits;
}
// LINT.IfChange
typedef enum {
kUpb_DecodeStatus_Ok = 0,
kUpb_DecodeStatus_Malformed = 1, // Wire format was corrupt
kUpb_DecodeStatus_OutOfMemory = 2, // Arena alloc failed
kUpb_DecodeStatus_BadUtf8 = 3, // String field had bad UTF-8
kUpb_DecodeStatus_MaxDepthExceeded =
4, // Exceeded upb_DecodeOptions_MaxDepth
// kUpb_DecodeOption_CheckRequired failed (see above), but the parse otherwise
// succeeded.
kUpb_DecodeStatus_MissingRequired = 5,
Added a new dynamic tree shaking model to upb, with the intention of removing the old model once YouTube has migrated.
The `kUpb_DecodeOption_ExperimentalAllowUnlinked` flag to the decoder will enable the new behavior. When that flag is not passed, tree shaking with the old model will still be possible.
"Dynamic tree shaking" in upb is a feature that allows messages to be parsed even if the MiniTables have not been fully linked. Unlinked sub-message fields can be parsed by preserving their data in the unknown fields. If the application later discovers that the message field is actually needed, the MiniTable can be patched to properly link that field, and existing message instances can "promote" the data from the unknown fields to an actual message of the correct type.
Before this change, dynamic tree shaking stored unparsed message data in the unknown fields of the *parent*. In effect, we were treating the field as if it did not exist at all. This meant that parsing an unlinked field did not affect the hasbits or oneof cases of the parent, nor did it create a `upb_Array` or `upb_Map` for array/map fields. Only when a message was linked and promoted did any of these things occur.
While this model had some amount of conceptual simplicity, it caused significant problems with oneofs. When multiple fields inside a single oneof are parsed from the wire, order matters, because later oneof fields must overwrite earlier ones. Dynamic tree shaking can mean that some fields in a oneof are linked while others are not. It is essential that we preserve this ordering semantic even when dynamic tree shaking is being used, but it is difficult to do if the oneof's data can be split between linked fields (which have been reified into parsed field data) and unlinked fields (whose data lives in the unknown fields of the parent).
To solve this problem, this CL changes the representation for unlinked fields. Instead of being placed in the parent's unknown fields, we create an actual message instance for each unlinked message we parse, but we use a placeholder "empty message" MiniTable as the message's type. All of the message's data will therefore be placed into the "empty message's" unknown fields. But unlike before, this "empty message" is actually present according to the hasbits, oneof case, and `upb_Array`/`upb_Map` of the parent. This means that all of the oneof presence logic works as normal.
Since the MiniTable can be patched at any time, we need a bit in the message instance itself to signal whether a pointer to a sub-message is an "empty message" or not. When dynamic tree shaking is in use, all users must be capable of recognizing an empty message and acting accordingly (promoting, etc) even if the MiniTable itself says that the field is linked.
Because dynamic tree shaking imposes this extra requirement on users, we require that users pass an extra option to the decoder to allow parsing of unlinked sub-messages. Many existing users of upb (Ruby, PHP, Python, etc) will always have fully-linked MiniTables, so there is no reason for them to add extra logic to handle empty messages. By omitting the `kUpb_DecodeOption_ExperimentalAllowUnlinked` option, they will be relieved of the duty to check the tagged pointer that would indicate an empty, unlinked message.
For existing users of dynamic tree shaking, there are three main changes:
1. The APIs in message/promote.h have changed, and users will need to update to the new interfaces.
2. The model for maps has changed slightly. Before, we required that map entries always had their values linked; for dynamic tree shaking to apply to maps, we required that the *entry* was left unlinked, not the entry's value. In the new model, that is reversed: map entries must always be linked, but a map entry's value can be unlinked.
3. The presence model for unlinked fields has changed. Unlinked fields will now register as "present" from the perspective of hasbits, oneof cases, and array/map entries. Users must test the tagged pointer to know if a message is of the correct, linked type or whether it is a placeholder "empty" message. There is a new function `upb_Message_GetTaggedMessagePtr()`, as well as a new accessor `upb_MessageValue.tagged_msg_val` that can be used to read and test the tagged pointer directly.
PiperOrigin-RevId: 535288031
// Unlinked sub-message field was present, but
// kUpb_DecodeOption_ExperimentalAllowUnlinked was not specified in the list
// of options.
kUpb_DecodeStatus_UnlinkedSubMessage = 6,
} upb_DecodeStatus;
// LINT.ThenChange(//depot/google3/third_party/protobuf/rust/upb.rs:decode_status)
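// Parses `size` bytes of wire-format data at `buf` into `msg`, using the
// upb_MiniTable `mt` to describe the message.
//
// `options` combines kUpb_DecodeOption_* flags (low 16 bits) with an optional
// maximum recursion depth built by upb_DecodeOptions_MaxDepth(). `arena` is
// the arena the decoder allocates from (a failed allocation is reported as
// kUpb_DecodeStatus_OutOfMemory). `extreg` is presumably the registry used to
// resolve extension fields -- TODO confirm whether NULL is accepted.
//
// Returns kUpb_DecodeStatus_Ok on success and another upb_DecodeStatus value
// otherwise. Check the status before reading `msg`: this header does not say
// what `msg` holds after a failed parse.
UPB_API upb_DecodeStatus upb_Decode(const char* buf, size_t size,
                                    upb_Message* msg, const upb_MiniTable* mt,
                                    const upb_ExtensionRegistry* extreg,
                                    int options, upb_Arena* arena);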
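// Same as upb_Decode but with a varint-encoded length prepended.
// On success 'num_bytes_read' will be set to the number of bytes read;
// on failure the contents of num_bytes_read are undefined, so callers must
// check the returned status before using it (for example, before advancing
// past the message in `buf`).
UPB_API upb_DecodeStatus upb_DecodeLengthPrefixed(
    const char* buf, size_t size, upb_Message* msg, size_t* num_bytes_read,
    const upb_MiniTable* mt, const upb_ExtensionRegistry* extreg, int options,
    upb_Arena* arena);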
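// Utility function for wrapper languages to get an error string from a
// upb_DecodeStatus.
//
// NOTE(review): ownership and lifetime of the returned string, and the result
// for a value outside the upb_DecodeStatus enumerators, are not stated in this
// header -- confirm before passing a status taken from untrusted data.
UPB_API const char* upb_DecodeStatus_String(upb_DecodeStatus status);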
#ifdef __cplusplus
} /* extern "C" */
#endif
#include "upb/port/undef.inc"
#endif /* UPB_WIRE_DECODE_H_ */