/build/cargo-vendor-dir/regex-automata-0.4.9/src/util/wire.rs
Line | Count | Source |
1 | | /*! |
2 | | Types and routines that support the wire format of finite automata. |
3 | | |
4 | | Currently, this module just exports a few error types and some small helpers |
5 | | for deserializing [dense DFAs](crate::dfa::dense::DFA) using correct alignment. |
6 | | */ |
7 | | |
8 | | /* |
9 | | A collection of helper functions, types and traits for serializing automata. |
10 | | |
11 | | This crate defines its own bespoke serialization mechanism for some structures |
12 | | provided in the public API, namely, DFAs. A bespoke mechanism was developed |
13 | | primarily because structures like automata demand a specific binary format. |
14 | | Attempting to encode their rich structure in an existing serialization |
15 | | format is just not feasible. Moreover, the format for each structure is |
16 | | generally designed such that deserialization is cheap. More specifically, that |
17 | | deserialization can be done in constant time. (The idea being that you can |
18 | | embed it into your binary or mmap it, and then use it immediately.) |
19 | | |
20 | | In order to achieve this, the dense and sparse DFAs in this crate use an |
21 | | in-memory representation that very closely corresponds to its binary serialized |
22 | | form. This pervades and complicates everything, and in some cases, requires |
23 | | dealing with alignment and reasoning about safety. |
24 | | |
25 | | This technique does have major advantages. In particular, it permits doing |
26 | | the potentially costly work of compiling a finite state machine in an offline |
27 | | manner, and then loading it at runtime not only without having to re-compile |
28 | | the regex, but even without the code required to do the compilation. This, for |
29 | | example, permits one to use a pre-compiled DFA not only in environments without |
30 | | Rust's standard library, but also in environments without a heap. |
31 | | |
32 | | In the code below, whenever we insert some kind of padding, it's to enforce a |
33 | | 4-byte alignment, unless otherwise noted. Namely, u32 is the only state ID type |
34 | | supported. (In a previous version of this library, DFAs were generic over the |
35 | | state ID representation.) |
36 | | |
37 | | Also, serialization generally requires the caller to specify endianness, |
38 | | where as deserialization always assumes native endianness (otherwise cheap |
39 | | deserialization would be impossible). This implies that serializing a structure |
40 | | generally requires serializing both its big-endian and little-endian variants, |
41 | | and then loading the correct one based on the target's endianness. |
42 | | */ |
43 | | |
44 | | use core::{cmp, mem::size_of}; |
45 | | |
46 | | #[cfg(feature = "alloc")] |
47 | | use alloc::{vec, vec::Vec}; |
48 | | |
49 | | use crate::util::{ |
50 | | int::Pointer, |
51 | | primitives::{PatternID, PatternIDError, StateID, StateIDError}, |
52 | | }; |
53 | | |
54 | | /// A hack to align a smaller type `B` with a bigger type `T`. |
55 | | /// |
56 | | /// The usual use of this is with `B = [u8]` and `T = u32`. That is, |
57 | | /// it permits aligning a sequence of bytes on a 4-byte boundary. This |
58 | | /// is useful in contexts where one wants to embed a serialized [dense |
59 | | /// DFA](crate::dfa::dense::DFA) into a Rust a program while guaranteeing the |
60 | | /// alignment required for the DFA. |
61 | | /// |
62 | | /// See [`dense::DFA::from_bytes`](crate::dfa::dense::DFA::from_bytes) for an |
63 | | /// example of how to use this type. |
64 | | #[repr(C)] |
65 | | #[derive(Debug)] |
66 | | pub struct AlignAs<B: ?Sized, T> { |
67 | | /// A zero-sized field indicating the alignment we want. |
68 | | pub _align: [T; 0], |
69 | | /// A possibly non-sized field containing a sequence of bytes. |
70 | | pub bytes: B, |
71 | | } |
72 | | |
73 | | /// An error that occurs when serializing an object from this crate. |
74 | | /// |
75 | | /// Serialization, as used in this crate, universally refers to the process |
76 | | /// of transforming a structure (like a DFA) into a custom binary format |
77 | | /// represented by `&[u8]`. To this end, serialization is generally infallible. |
78 | | /// However, it can fail when caller provided buffer sizes are too small. When |
79 | | /// that occurs, a serialization error is reported. |
80 | | /// |
81 | | /// A `SerializeError` provides no introspection capabilities. Its only |
82 | | /// supported operation is conversion to a human readable error message. |
83 | | /// |
84 | | /// This error type implements the `std::error::Error` trait only when the |
85 | | /// `std` feature is enabled. Otherwise, this type is defined in all |
86 | | /// configurations. |
87 | | #[derive(Debug)] |
88 | | pub struct SerializeError { |
89 | | /// The name of the thing that a buffer is too small for. |
90 | | /// |
91 | | /// Currently, the only kind of serialization error is one that is |
92 | | /// committed by a caller: providing a destination buffer that is too |
93 | | /// small to fit the serialized object. This makes sense conceptually, |
94 | | /// since every valid inhabitant of a type should be serializable. |
95 | | /// |
96 | | /// This is somewhat exposed in the public API of this crate. For example, |
97 | | /// the `to_bytes_{big,little}_endian` APIs return a `Vec<u8>` and are |
98 | | /// guaranteed to never panic or error. This is only possible because the |
99 | | /// implementation guarantees that it will allocate a `Vec<u8>` that is |
100 | | /// big enough. |
101 | | /// |
102 | | /// In summary, if a new serialization error kind needs to be added, then |
103 | | /// it will need careful consideration. |
104 | | what: &'static str, |
105 | | } |
106 | | |
107 | | impl SerializeError { |
108 | 0 | pub(crate) fn buffer_too_small(what: &'static str) -> SerializeError { |
109 | 0 | SerializeError { what } |
110 | 0 | } |
111 | | } |
112 | | |
113 | | impl core::fmt::Display for SerializeError { |
114 | 0 | fn fmt(&self, f: &mut core::fmt::Formatter) -> core::fmt::Result { |
115 | 0 | write!(f, "destination buffer is too small to write {}", self.what) |
116 | 0 | } |
117 | | } |
118 | | |
119 | | #[cfg(feature = "std")] |
120 | | impl std::error::Error for SerializeError {} |
121 | | |
122 | | /// An error that occurs when deserializing an object defined in this crate. |
123 | | /// |
124 | | /// Serialization, as used in this crate, universally refers to the process |
125 | | /// of transforming a structure (like a DFA) into a custom binary format |
126 | | /// represented by `&[u8]`. Deserialization, then, refers to the process of |
127 | | /// cheaply converting this binary format back to the object's in-memory |
128 | | /// representation as defined in this crate. To the extent possible, |
129 | | /// deserialization will report this error whenever this process fails. |
130 | | /// |
131 | | /// A `DeserializeError` provides no introspection capabilities. Its only |
132 | | /// supported operation is conversion to a human readable error message. |
133 | | /// |
134 | | /// This error type implements the `std::error::Error` trait only when the |
135 | | /// `std` feature is enabled. Otherwise, this type is defined in all |
136 | | /// configurations. |
137 | | #[derive(Debug)] |
138 | | pub struct DeserializeError(DeserializeErrorKind); |
139 | | |
140 | | #[derive(Debug)] |
141 | | enum DeserializeErrorKind { |
142 | | Generic { msg: &'static str }, |
143 | | BufferTooSmall { what: &'static str }, |
144 | | InvalidUsize { what: &'static str }, |
145 | | VersionMismatch { expected: u32, found: u32 }, |
146 | | EndianMismatch { expected: u32, found: u32 }, |
147 | | AlignmentMismatch { alignment: usize, address: usize }, |
148 | | LabelMismatch { expected: &'static str }, |
149 | | ArithmeticOverflow { what: &'static str }, |
150 | | PatternID { err: PatternIDError, what: &'static str }, |
151 | | StateID { err: StateIDError, what: &'static str }, |
152 | | } |
153 | | |
154 | | impl DeserializeError { |
155 | 0 | pub(crate) fn generic(msg: &'static str) -> DeserializeError { |
156 | 0 | DeserializeError(DeserializeErrorKind::Generic { msg }) |
157 | 0 | } |
158 | | |
159 | 0 | pub(crate) fn buffer_too_small(what: &'static str) -> DeserializeError { |
160 | 0 | DeserializeError(DeserializeErrorKind::BufferTooSmall { what }) |
161 | 0 | } |
162 | | |
163 | 0 | fn invalid_usize(what: &'static str) -> DeserializeError { |
164 | 0 | DeserializeError(DeserializeErrorKind::InvalidUsize { what }) |
165 | 0 | } |
166 | | |
167 | 0 | fn version_mismatch(expected: u32, found: u32) -> DeserializeError { |
168 | 0 | DeserializeError(DeserializeErrorKind::VersionMismatch { |
169 | 0 | expected, |
170 | 0 | found, |
171 | 0 | }) |
172 | 0 | } |
173 | | |
174 | 0 | fn endian_mismatch(expected: u32, found: u32) -> DeserializeError { |
175 | 0 | DeserializeError(DeserializeErrorKind::EndianMismatch { |
176 | 0 | expected, |
177 | 0 | found, |
178 | 0 | }) |
179 | 0 | } |
180 | | |
181 | 0 | fn alignment_mismatch( |
182 | 0 | alignment: usize, |
183 | 0 | address: usize, |
184 | 0 | ) -> DeserializeError { |
185 | 0 | DeserializeError(DeserializeErrorKind::AlignmentMismatch { |
186 | 0 | alignment, |
187 | 0 | address, |
188 | 0 | }) |
189 | 0 | } |
190 | | |
191 | 0 | fn label_mismatch(expected: &'static str) -> DeserializeError { |
192 | 0 | DeserializeError(DeserializeErrorKind::LabelMismatch { expected }) |
193 | 0 | } |
194 | | |
195 | 0 | fn arithmetic_overflow(what: &'static str) -> DeserializeError { |
196 | 0 | DeserializeError(DeserializeErrorKind::ArithmeticOverflow { what }) |
197 | 0 | } |
198 | | |
199 | 0 | fn pattern_id_error( |
200 | 0 | err: PatternIDError, |
201 | 0 | what: &'static str, |
202 | 0 | ) -> DeserializeError { |
203 | 0 | DeserializeError(DeserializeErrorKind::PatternID { err, what }) |
204 | 0 | } |
205 | | |
206 | 0 | pub(crate) fn state_id_error( |
207 | 0 | err: StateIDError, |
208 | 0 | what: &'static str, |
209 | 0 | ) -> DeserializeError { |
210 | 0 | DeserializeError(DeserializeErrorKind::StateID { err, what }) |
211 | 0 | } |
212 | | } |
213 | | |
214 | | #[cfg(feature = "std")] |
215 | | impl std::error::Error for DeserializeError {} |
216 | | |
217 | | impl core::fmt::Display for DeserializeError { |
218 | 0 | fn fmt(&self, f: &mut core::fmt::Formatter) -> core::fmt::Result { |
219 | | use self::DeserializeErrorKind::*; |
220 | | |
221 | 0 | match self.0 { |
222 | 0 | Generic { msg } => write!(f, "{}", msg), |
223 | 0 | BufferTooSmall { what } => { |
224 | 0 | write!(f, "buffer is too small to read {}", what) |
225 | | } |
226 | 0 | InvalidUsize { what } => { |
227 | 0 | write!(f, "{} is too big to fit in a usize", what) |
228 | | } |
229 | 0 | VersionMismatch { expected, found } => write!( |
230 | 0 | f, |
231 | 0 | "unsupported version: \ |
232 | 0 | expected version {} but found version {}", |
233 | 0 | expected, found, |
234 | 0 | ), |
235 | 0 | EndianMismatch { expected, found } => write!( |
236 | 0 | f, |
237 | 0 | "endianness mismatch: expected 0x{:X} but got 0x{:X}. \ |
238 | 0 | (Are you trying to load an object serialized with a \ |
239 | 0 | different endianness?)", |
240 | 0 | expected, found, |
241 | 0 | ), |
242 | 0 | AlignmentMismatch { alignment, address } => write!( |
243 | 0 | f, |
244 | 0 | "alignment mismatch: slice starts at address \ |
245 | 0 | 0x{:X}, which is not aligned to a {} byte boundary", |
246 | 0 | address, alignment, |
247 | 0 | ), |
248 | 0 | LabelMismatch { expected } => write!( |
249 | 0 | f, |
250 | 0 | "label mismatch: start of serialized object should \ |
251 | 0 | contain a NUL terminated {:?} label, but a different \ |
252 | 0 | label was found", |
253 | 0 | expected, |
254 | 0 | ), |
255 | 0 | ArithmeticOverflow { what } => { |
256 | 0 | write!(f, "arithmetic overflow for {}", what) |
257 | | } |
258 | 0 | PatternID { ref err, what } => { |
259 | 0 | write!(f, "failed to read pattern ID for {}: {}", what, err) |
260 | | } |
261 | 0 | StateID { ref err, what } => { |
262 | 0 | write!(f, "failed to read state ID for {}: {}", what, err) |
263 | | } |
264 | | } |
265 | 0 | } |
266 | | } |
267 | | |
268 | | /// Safely converts a `&[u32]` to `&[StateID]` with zero cost. |
269 | | #[cfg_attr(feature = "perf-inline", inline(always))] |
270 | 0 | pub(crate) fn u32s_to_state_ids(slice: &[u32]) -> &[StateID] { |
271 | 0 | // SAFETY: This is safe because StateID is defined to have the same memory |
272 | 0 | // representation as a u32 (it is repr(transparent)). While not every u32 |
273 | 0 | // is a "valid" StateID, callers are not permitted to rely on the validity |
274 | 0 | // of StateIDs for memory safety. It can only lead to logical errors. (This |
275 | 0 | // is why StateID::new_unchecked is safe.) |
276 | 0 | unsafe { |
277 | 0 | core::slice::from_raw_parts( |
278 | 0 | slice.as_ptr().cast::<StateID>(), |
279 | 0 | slice.len(), |
280 | 0 | ) |
281 | 0 | } |
282 | 0 | } |
283 | | |
284 | | /// Safely converts a `&mut [u32]` to `&mut [StateID]` with zero cost. |
285 | 0 | pub(crate) fn u32s_to_state_ids_mut(slice: &mut [u32]) -> &mut [StateID] { |
286 | 0 | // SAFETY: This is safe because StateID is defined to have the same memory |
287 | 0 | // representation as a u32 (it is repr(transparent)). While not every u32 |
288 | 0 | // is a "valid" StateID, callers are not permitted to rely on the validity |
289 | 0 | // of StateIDs for memory safety. It can only lead to logical errors. (This |
290 | 0 | // is why StateID::new_unchecked is safe.) |
291 | 0 | unsafe { |
292 | 0 | core::slice::from_raw_parts_mut( |
293 | 0 | slice.as_mut_ptr().cast::<StateID>(), |
294 | 0 | slice.len(), |
295 | 0 | ) |
296 | 0 | } |
297 | 0 | } |
298 | | |
299 | | /// Safely converts a `&[u32]` to `&[PatternID]` with zero cost. |
300 | | #[cfg_attr(feature = "perf-inline", inline(always))] |
301 | 0 | pub(crate) fn u32s_to_pattern_ids(slice: &[u32]) -> &[PatternID] { |
302 | 0 | // SAFETY: This is safe because PatternID is defined to have the same |
303 | 0 | // memory representation as a u32 (it is repr(transparent)). While not |
304 | 0 | // every u32 is a "valid" PatternID, callers are not permitted to rely |
305 | 0 | // on the validity of PatternIDs for memory safety. It can only lead to |
306 | 0 | // logical errors. (This is why PatternID::new_unchecked is safe.) |
307 | 0 | unsafe { |
308 | 0 | core::slice::from_raw_parts( |
309 | 0 | slice.as_ptr().cast::<PatternID>(), |
310 | 0 | slice.len(), |
311 | 0 | ) |
312 | 0 | } |
313 | 0 | } |
314 | | |
315 | | /// Checks that the given slice has an alignment that matches `T`. |
316 | | /// |
317 | | /// This is useful for checking that a slice has an appropriate alignment |
318 | | /// before casting it to a &[T]. Note though that alignment is not itself |
319 | | /// sufficient to perform the cast for any `T`. |
320 | 0 | pub(crate) fn check_alignment<T>( |
321 | 0 | slice: &[u8], |
322 | 0 | ) -> Result<(), DeserializeError> { |
323 | 0 | let alignment = core::mem::align_of::<T>(); |
324 | 0 | let address = slice.as_ptr().as_usize(); |
325 | 0 | if address % alignment == 0 { |
326 | 0 | return Ok(()); |
327 | 0 | } |
328 | 0 | Err(DeserializeError::alignment_mismatch(alignment, address)) |
329 | 0 | } |
330 | | |
331 | | /// Reads a possibly empty amount of padding, up to 7 bytes, from the beginning |
332 | | /// of the given slice. All padding bytes must be NUL bytes. |
333 | | /// |
334 | | /// This is useful because it can be theoretically necessary to pad the |
335 | | /// beginning of a serialized object with NUL bytes to ensure that it starts |
336 | | /// at a correctly aligned address. These padding bytes should come immediately |
337 | | /// before the label. |
338 | | /// |
339 | | /// This returns the number of bytes read from the given slice. |
340 | 0 | pub(crate) fn skip_initial_padding(slice: &[u8]) -> usize { |
341 | 0 | let mut nread = 0; |
342 | 0 | while nread < 7 && nread < slice.len() && slice[nread] == 0 { |
343 | 0 | nread += 1; |
344 | 0 | } |
345 | 0 | nread |
346 | 0 | } |
347 | | |
348 | | /// Allocate a byte buffer of the given size, along with some initial padding |
349 | | /// such that `buf[padding..]` has the same alignment as `T`, where the |
350 | | /// alignment of `T` must be at most `8`. In particular, callers should treat |
351 | | /// the first N bytes (second return value) as padding bytes that must not be |
352 | | /// overwritten. In all cases, the following identity holds: |
353 | | /// |
354 | | /// ```ignore |
355 | | /// let (buf, padding) = alloc_aligned_buffer::<StateID>(SIZE); |
356 | | /// assert_eq!(SIZE, buf[padding..].len()); |
357 | | /// ``` |
358 | | /// |
359 | | /// In practice, padding is often zero. |
360 | | /// |
361 | | /// The requirement for `8` as a maximum here is somewhat arbitrary. In |
362 | | /// practice, we never need anything bigger in this crate, and so this function |
363 | | /// does some sanity asserts under the assumption of a max alignment of `8`. |
364 | | #[cfg(feature = "alloc")] |
365 | 0 | pub(crate) fn alloc_aligned_buffer<T>(size: usize) -> (Vec<u8>, usize) { |
366 | 0 | // NOTE: This is a kludge because there's no easy way to allocate a Vec<u8> |
367 | 0 | // with an alignment guaranteed to be greater than 1. We could create a |
368 | 0 | // Vec<u32>, but this cannot be safely transmuted to a Vec<u8> without |
369 | 0 | // concern, since reallocing or dropping the Vec<u8> is UB (different |
370 | 0 | // alignment than the initial allocation). We could define a wrapper type |
371 | 0 | // to manage this for us, but it seems like more machinery than it's worth. |
372 | 0 | let buf = vec![0; size]; |
373 | 0 | let align = core::mem::align_of::<T>(); |
374 | 0 | let address = buf.as_ptr().as_usize(); |
375 | 0 | if address % align == 0 { |
376 | 0 | return (buf, 0); |
377 | 0 | } |
378 | 0 | // Let's try this again. We have to create a totally new alloc with |
379 | 0 | // the maximum amount of bytes we might need. We can't just extend our |
380 | 0 | // pre-existing 'buf' because that might create a new alloc with a |
381 | 0 | // different alignment. |
382 | 0 | let extra = align - 1; |
383 | 0 | let mut buf = vec![0; size + extra]; |
384 | 0 | let address = buf.as_ptr().as_usize(); |
385 | 0 | // The code below handles the case where 'address' is aligned to T, so if |
386 | 0 | // we got lucky and 'address' is now aligned to T (when it previously |
387 | 0 | // wasn't), then we're done. |
388 | 0 | if address % align == 0 { |
389 | 0 | buf.truncate(size); |
390 | 0 | return (buf, 0); |
391 | 0 | } |
392 | 0 | let padding = ((address & !(align - 1)).checked_add(align).unwrap()) |
393 | 0 | .checked_sub(address) |
394 | 0 | .unwrap(); |
395 | 0 | assert!(padding <= 7, "padding of {} is bigger than 7", padding); |
396 | 0 | assert!( |
397 | 0 | padding <= extra, |
398 | 0 | "padding of {} is bigger than extra {} bytes", |
399 | | padding, |
400 | | extra |
401 | | ); |
402 | 0 | buf.truncate(size + padding); |
403 | 0 | assert_eq!(size + padding, buf.len()); |
404 | 0 | assert_eq!( |
405 | 0 | 0, |
406 | 0 | buf[padding..].as_ptr().as_usize() % align, |
407 | 0 | "expected end of initial padding to be aligned to {}", |
408 | | align, |
409 | | ); |
410 | 0 | (buf, padding) |
411 | 0 | } |
412 | | |
413 | | /// Reads a NUL terminated label starting at the beginning of the given slice. |
414 | | /// |
415 | | /// If a NUL terminated label could not be found, then an error is returned. |
416 | | /// Similarly, if a label is found but doesn't match the expected label, then |
417 | | /// an error is returned. |
418 | | /// |
419 | | /// Upon success, the total number of bytes read (including padding bytes) is |
420 | | /// returned. |
421 | 0 | pub(crate) fn read_label( |
422 | 0 | slice: &[u8], |
423 | 0 | expected_label: &'static str, |
424 | 0 | ) -> Result<usize, DeserializeError> { |
425 | 0 | // Set an upper bound on how many bytes we scan for a NUL. Since no label |
426 | 0 | // in this crate is longer than 256 bytes, if we can't find one within that |
427 | 0 | // range, then we have corrupted data. |
428 | 0 | let first_nul = |
429 | 0 | slice[..cmp::min(slice.len(), 256)].iter().position(|&b| b == 0); |
430 | 0 | let first_nul = match first_nul { |
431 | 0 | Some(first_nul) => first_nul, |
432 | | None => { |
433 | 0 | return Err(DeserializeError::generic( |
434 | 0 | "could not find NUL terminated label \ |
435 | 0 | at start of serialized object", |
436 | 0 | )); |
437 | | } |
438 | | }; |
439 | 0 | let len = first_nul + padding_len(first_nul); |
440 | 0 | if slice.len() < len { |
441 | 0 | return Err(DeserializeError::generic( |
442 | 0 | "could not find properly sized label at start of serialized object" |
443 | 0 | )); |
444 | 0 | } |
445 | 0 | if expected_label.as_bytes() != &slice[..first_nul] { |
446 | 0 | return Err(DeserializeError::label_mismatch(expected_label)); |
447 | 0 | } |
448 | 0 | Ok(len) |
449 | 0 | } |
450 | | |
451 | | /// Writes the given label to the buffer as a NUL terminated string. The label |
452 | | /// given must not contain NUL, otherwise this will panic. Similarly, the label |
453 | | /// must not be longer than 255 bytes, otherwise this will panic. |
454 | | /// |
455 | | /// Additional NUL bytes are written as necessary to ensure that the number of |
456 | | /// bytes written is always a multiple of 4. |
457 | | /// |
458 | | /// Upon success, the total number of bytes written (including padding) is |
459 | | /// returned. |
460 | 0 | pub(crate) fn write_label( |
461 | 0 | label: &str, |
462 | 0 | dst: &mut [u8], |
463 | 0 | ) -> Result<usize, SerializeError> { |
464 | 0 | let nwrite = write_label_len(label); |
465 | 0 | if dst.len() < nwrite { |
466 | 0 | return Err(SerializeError::buffer_too_small("label")); |
467 | 0 | } |
468 | 0 | dst[..label.len()].copy_from_slice(label.as_bytes()); |
469 | 0 | for i in 0..(nwrite - label.len()) { |
470 | 0 | dst[label.len() + i] = 0; |
471 | 0 | } |
472 | 0 | assert_eq!(nwrite % 4, 0); |
473 | 0 | Ok(nwrite) |
474 | 0 | } |
475 | | |
476 | | /// Returns the total number of bytes (including padding) that would be written |
477 | | /// for the given label. This panics if the given label contains a NUL byte or |
478 | | /// is longer than 255 bytes. (The size restriction exists so that searching |
479 | | /// for a label during deserialization can be done in small bounded space.) |
480 | 0 | pub(crate) fn write_label_len(label: &str) -> usize { |
481 | 0 | if label.len() > 255 { |
482 | 0 | panic!("label must not be longer than 255 bytes"); |
483 | 0 | } |
484 | 0 | if label.as_bytes().iter().position(|&b| b == 0).is_some() { |
485 | 0 | panic!("label must not contain NUL bytes"); |
486 | 0 | } |
487 | 0 | let label_len = label.len() + 1; // +1 for the NUL terminator |
488 | 0 | label_len + padding_len(label_len) |
489 | 0 | } |
490 | | |
491 | | /// Reads the endianness check from the beginning of the given slice and |
492 | | /// confirms that the endianness of the serialized object matches the expected |
493 | | /// endianness. If the slice is too small or if the endianness check fails, |
494 | | /// this returns an error. |
495 | | /// |
496 | | /// Upon success, the total number of bytes read is returned. |
497 | 0 | pub(crate) fn read_endianness_check( |
498 | 0 | slice: &[u8], |
499 | 0 | ) -> Result<usize, DeserializeError> { |
500 | 0 | let (n, nr) = try_read_u32(slice, "endianness check")?; |
501 | 0 | assert_eq!(nr, write_endianness_check_len()); |
502 | 0 | if n != 0xFEFF { |
503 | 0 | return Err(DeserializeError::endian_mismatch(0xFEFF, n)); |
504 | 0 | } |
505 | 0 | Ok(nr) |
506 | 0 | } |
507 | | |
508 | | /// Writes 0xFEFF as an integer using the given endianness. |
509 | | /// |
510 | | /// This is useful for writing into the header of a serialized object. It can |
511 | | /// be read during deserialization as a sanity check to ensure the proper |
512 | | /// endianness is used. |
513 | | /// |
514 | | /// Upon success, the total number of bytes written is returned. |
515 | 0 | pub(crate) fn write_endianness_check<E: Endian>( |
516 | 0 | dst: &mut [u8], |
517 | 0 | ) -> Result<usize, SerializeError> { |
518 | 0 | let nwrite = write_endianness_check_len(); |
519 | 0 | if dst.len() < nwrite { |
520 | 0 | return Err(SerializeError::buffer_too_small("endianness check")); |
521 | 0 | } |
522 | 0 | E::write_u32(0xFEFF, dst); |
523 | 0 | Ok(nwrite) |
524 | 0 | } |
525 | | |
526 | | /// Returns the number of bytes written by the endianness check. |
527 | 0 | pub(crate) fn write_endianness_check_len() -> usize { |
528 | 0 | size_of::<u32>() |
529 | 0 | } |
530 | | |
531 | | /// Reads a version number from the beginning of the given slice and confirms |
532 | | /// that is matches the expected version number given. If the slice is too |
533 | | /// small or if the version numbers aren't equivalent, this returns an error. |
534 | | /// |
535 | | /// Upon success, the total number of bytes read is returned. |
536 | | /// |
537 | | /// N.B. Currently, we require that the version number is exactly equivalent. |
538 | | /// In the future, if we bump the version number without a semver bump, then |
539 | | /// we'll need to relax this a bit and support older versions. |
540 | 0 | pub(crate) fn read_version( |
541 | 0 | slice: &[u8], |
542 | 0 | expected_version: u32, |
543 | 0 | ) -> Result<usize, DeserializeError> { |
544 | 0 | let (n, nr) = try_read_u32(slice, "version")?; |
545 | 0 | assert_eq!(nr, write_version_len()); |
546 | 0 | if n != expected_version { |
547 | 0 | return Err(DeserializeError::version_mismatch(expected_version, n)); |
548 | 0 | } |
549 | 0 | Ok(nr) |
550 | 0 | } |
551 | | |
552 | | /// Writes the given version number to the beginning of the given slice. |
553 | | /// |
554 | | /// This is useful for writing into the header of a serialized object. It can |
555 | | /// be read during deserialization as a sanity check to ensure that the library |
556 | | /// code supports the format of the serialized object. |
557 | | /// |
558 | | /// Upon success, the total number of bytes written is returned. |
559 | 0 | pub(crate) fn write_version<E: Endian>( |
560 | 0 | version: u32, |
561 | 0 | dst: &mut [u8], |
562 | 0 | ) -> Result<usize, SerializeError> { |
563 | 0 | let nwrite = write_version_len(); |
564 | 0 | if dst.len() < nwrite { |
565 | 0 | return Err(SerializeError::buffer_too_small("version number")); |
566 | 0 | } |
567 | 0 | E::write_u32(version, dst); |
568 | 0 | Ok(nwrite) |
569 | 0 | } |
570 | | |
571 | | /// Returns the number of bytes written by writing the version number. |
572 | 0 | pub(crate) fn write_version_len() -> usize { |
573 | 0 | size_of::<u32>() |
574 | 0 | } |
575 | | |
576 | | /// Reads a pattern ID from the given slice. If the slice has insufficient |
577 | | /// length, then this panics. If the deserialized integer exceeds the pattern |
578 | | /// ID limit for the current target, then this returns an error. |
579 | | /// |
580 | | /// Upon success, this also returns the number of bytes read. |
581 | 0 | pub(crate) fn read_pattern_id( |
582 | 0 | slice: &[u8], |
583 | 0 | what: &'static str, |
584 | 0 | ) -> Result<(PatternID, usize), DeserializeError> { |
585 | 0 | let bytes: [u8; PatternID::SIZE] = |
586 | 0 | slice[..PatternID::SIZE].try_into().unwrap(); |
587 | 0 | let pid = PatternID::from_ne_bytes(bytes) |
588 | 0 | .map_err(|err| DeserializeError::pattern_id_error(err, what))?; |
589 | 0 | Ok((pid, PatternID::SIZE)) |
590 | 0 | } |
591 | | |
592 | | /// Reads a pattern ID from the given slice. If the slice has insufficient |
593 | | /// length, then this panics. Otherwise, the deserialized integer is assumed |
594 | | /// to be a valid pattern ID. |
595 | | /// |
596 | | /// This also returns the number of bytes read. |
597 | 0 | pub(crate) fn read_pattern_id_unchecked(slice: &[u8]) -> (PatternID, usize) { |
598 | 0 | let pid = PatternID::from_ne_bytes_unchecked( |
599 | 0 | slice[..PatternID::SIZE].try_into().unwrap(), |
600 | 0 | ); |
601 | 0 | (pid, PatternID::SIZE) |
602 | 0 | } |
603 | | |
604 | | /// Write the given pattern ID to the beginning of the given slice of bytes |
605 | | /// using the specified endianness. The given slice must have length at least |
606 | | /// `PatternID::SIZE`, or else this panics. Upon success, the total number of |
607 | | /// bytes written is returned. |
608 | 0 | pub(crate) fn write_pattern_id<E: Endian>( |
609 | 0 | pid: PatternID, |
610 | 0 | dst: &mut [u8], |
611 | 0 | ) -> usize { |
612 | 0 | E::write_u32(pid.as_u32(), dst); |
613 | 0 | PatternID::SIZE |
614 | 0 | } |
615 | | |
616 | | /// Attempts to read a state ID from the given slice. If the slice has an |
617 | | /// insufficient number of bytes or if the state ID exceeds the limit for |
618 | | /// the current target, then this returns an error. |
619 | | /// |
620 | | /// Upon success, this also returns the number of bytes read. |
621 | 0 | pub(crate) fn try_read_state_id( |
622 | 0 | slice: &[u8], |
623 | 0 | what: &'static str, |
624 | 0 | ) -> Result<(StateID, usize), DeserializeError> { |
625 | 0 | if slice.len() < StateID::SIZE { |
626 | 0 | return Err(DeserializeError::buffer_too_small(what)); |
627 | 0 | } |
628 | 0 | read_state_id(slice, what) |
629 | 0 | } |
630 | | |
631 | | /// Reads a state ID from the given slice. If the slice has insufficient |
632 | | /// length, then this panics. If the deserialized integer exceeds the state ID |
633 | | /// limit for the current target, then this returns an error. |
634 | | /// |
635 | | /// Upon success, this also returns the number of bytes read. |
636 | 0 | pub(crate) fn read_state_id( |
637 | 0 | slice: &[u8], |
638 | 0 | what: &'static str, |
639 | 0 | ) -> Result<(StateID, usize), DeserializeError> { |
640 | 0 | let bytes: [u8; StateID::SIZE] = |
641 | 0 | slice[..StateID::SIZE].try_into().unwrap(); |
642 | 0 | let sid = StateID::from_ne_bytes(bytes) |
643 | 0 | .map_err(|err| DeserializeError::state_id_error(err, what))?; |
644 | 0 | Ok((sid, StateID::SIZE)) |
645 | 0 | } |
646 | | |
647 | | /// Reads a state ID from the given slice. If the slice has insufficient |
648 | | /// length, then this panics. Otherwise, the deserialized integer is assumed |
649 | | /// to be a valid state ID. |
650 | | /// |
651 | | /// This also returns the number of bytes read. |
652 | 0 | pub(crate) fn read_state_id_unchecked(slice: &[u8]) -> (StateID, usize) { |
653 | 0 | let sid = StateID::from_ne_bytes_unchecked( |
654 | 0 | slice[..StateID::SIZE].try_into().unwrap(), |
655 | 0 | ); |
656 | 0 | (sid, StateID::SIZE) |
657 | 0 | } |
658 | | |
659 | | /// Write the given state ID to the beginning of the given slice of bytes |
660 | | /// using the specified endianness. The given slice must have length at least |
661 | | /// `StateID::SIZE`, or else this panics. Upon success, the total number of |
662 | | /// bytes written is returned. |
663 | 0 | pub(crate) fn write_state_id<E: Endian>( |
664 | 0 | sid: StateID, |
665 | 0 | dst: &mut [u8], |
666 | 0 | ) -> usize { |
667 | 0 | E::write_u32(sid.as_u32(), dst); |
668 | 0 | StateID::SIZE |
669 | 0 | } |
670 | | |
671 | | /// Try to read a u16 as a usize from the beginning of the given slice in |
672 | | /// native endian format. If the slice has fewer than 2 bytes or if the |
673 | | /// deserialized number cannot be represented by usize, then this returns an |
674 | | /// error. The error message will include the `what` description of what is |
675 | | /// being deserialized, for better error messages. `what` should be a noun in |
676 | | /// singular form. |
677 | | /// |
678 | | /// Upon success, this also returns the number of bytes read. |
679 | 0 | pub(crate) fn try_read_u16_as_usize( |
680 | 0 | slice: &[u8], |
681 | 0 | what: &'static str, |
682 | 0 | ) -> Result<(usize, usize), DeserializeError> { |
683 | 0 | try_read_u16(slice, what).and_then(|(n, nr)| { |
684 | 0 | usize::try_from(n) |
685 | 0 | .map(|n| (n, nr)) |
686 | 0 | .map_err(|_| DeserializeError::invalid_usize(what)) |
687 | 0 | }) |
688 | 0 | } |
689 | | |
690 | | /// Try to read a u32 as a usize from the beginning of the given slice in |
691 | | /// native endian format. If the slice has fewer than 4 bytes or if the |
692 | | /// deserialized number cannot be represented by usize, then this returns an |
693 | | /// error. The error message will include the `what` description of what is |
694 | | /// being deserialized, for better error messages. `what` should be a noun in |
695 | | /// singular form. |
696 | | /// |
697 | | /// Upon success, this also returns the number of bytes read. |
698 | 0 | pub(crate) fn try_read_u32_as_usize( |
699 | 0 | slice: &[u8], |
700 | 0 | what: &'static str, |
701 | 0 | ) -> Result<(usize, usize), DeserializeError> { |
702 | 0 | try_read_u32(slice, what).and_then(|(n, nr)| { |
703 | 0 | usize::try_from(n) |
704 | 0 | .map(|n| (n, nr)) |
705 | 0 | .map_err(|_| DeserializeError::invalid_usize(what)) |
706 | 0 | }) |
707 | 0 | } |
708 | | |
709 | | /// Try to read a u16 from the beginning of the given slice in native endian |
710 | | /// format. If the slice has fewer than 2 bytes, then this returns an error. |
711 | | /// The error message will include the `what` description of what is being |
712 | | /// deserialized, for better error messages. `what` should be a noun in |
713 | | /// singular form. |
714 | | /// |
715 | | /// Upon success, this also returns the number of bytes read. |
716 | 0 | pub(crate) fn try_read_u16( |
717 | 0 | slice: &[u8], |
718 | 0 | what: &'static str, |
719 | 0 | ) -> Result<(u16, usize), DeserializeError> { |
720 | 0 | check_slice_len(slice, size_of::<u16>(), what)?; |
721 | 0 | Ok((read_u16(slice), size_of::<u16>())) |
722 | 0 | } |
723 | | |
724 | | /// Try to read a u32 from the beginning of the given slice in native endian |
725 | | /// format. If the slice has fewer than 4 bytes, then this returns an error. |
726 | | /// The error message will include the `what` description of what is being |
727 | | /// deserialized, for better error messages. `what` should be a noun in |
728 | | /// singular form. |
729 | | /// |
730 | | /// Upon success, this also returns the number of bytes read. |
731 | 0 | pub(crate) fn try_read_u32( |
732 | 0 | slice: &[u8], |
733 | 0 | what: &'static str, |
734 | 0 | ) -> Result<(u32, usize), DeserializeError> { |
735 | 0 | check_slice_len(slice, size_of::<u32>(), what)?; |
736 | 0 | Ok((read_u32(slice), size_of::<u32>())) |
737 | 0 | } |
738 | | |
739 | | /// Try to read a u128 from the beginning of the given slice in native endian |
740 | | /// format. If the slice has fewer than 16 bytes, then this returns an error. |
741 | | /// The error message will include the `what` description of what is being |
742 | | /// deserialized, for better error messages. `what` should be a noun in |
743 | | /// singular form. |
744 | | /// |
745 | | /// Upon success, this also returns the number of bytes read. |
746 | 0 | pub(crate) fn try_read_u128( |
747 | 0 | slice: &[u8], |
748 | 0 | what: &'static str, |
749 | 0 | ) -> Result<(u128, usize), DeserializeError> { |
750 | 0 | check_slice_len(slice, size_of::<u128>(), what)?; |
751 | 0 | Ok((read_u128(slice), size_of::<u128>())) |
752 | 0 | } |
753 | | |
754 | | /// Read a u16 from the beginning of the given slice in native endian format. |
755 | | /// If the slice has fewer than 2 bytes, then this panics. |
756 | | /// |
757 | | /// Marked as inline to speed up sparse searching which decodes integers from |
758 | | /// its automaton at search time. |
759 | | #[cfg_attr(feature = "perf-inline", inline(always))] |
760 | 0 | pub(crate) fn read_u16(slice: &[u8]) -> u16 { |
761 | 0 | let bytes: [u8; 2] = slice[..size_of::<u16>()].try_into().unwrap(); |
762 | 0 | u16::from_ne_bytes(bytes) |
763 | 0 | } |
764 | | |
765 | | /// Read a u32 from the beginning of the given slice in native endian format. |
766 | | /// If the slice has fewer than 4 bytes, then this panics. |
767 | | /// |
768 | | /// Marked as inline to speed up sparse searching which decodes integers from |
769 | | /// its automaton at search time. |
770 | | #[cfg_attr(feature = "perf-inline", inline(always))] |
771 | 0 | pub(crate) fn read_u32(slice: &[u8]) -> u32 { |
772 | 0 | let bytes: [u8; 4] = slice[..size_of::<u32>()].try_into().unwrap(); |
773 | 0 | u32::from_ne_bytes(bytes) |
774 | 0 | } |
775 | | |
776 | | /// Read a u128 from the beginning of the given slice in native endian format. |
777 | | /// If the slice has fewer than 16 bytes, then this panics. |
778 | 0 | pub(crate) fn read_u128(slice: &[u8]) -> u128 { |
779 | 0 | let bytes: [u8; 16] = slice[..size_of::<u128>()].try_into().unwrap(); |
780 | 0 | u128::from_ne_bytes(bytes) |
781 | 0 | } |
782 | | |
783 | | /// Checks that the given slice has some minimal length. If it's smaller than |
784 | | /// the bound given, then a "buffer too small" error is returned with `what` |
785 | | /// describing what the buffer represents. |
786 | 0 | pub(crate) fn check_slice_len<T>( |
787 | 0 | slice: &[T], |
788 | 0 | at_least_len: usize, |
789 | 0 | what: &'static str, |
790 | 0 | ) -> Result<(), DeserializeError> { |
791 | 0 | if slice.len() < at_least_len { |
792 | 0 | return Err(DeserializeError::buffer_too_small(what)); |
793 | 0 | } |
794 | 0 | Ok(()) |
795 | 0 | } |
796 | | |
797 | | /// Multiply the given numbers, and on overflow, return an error that includes |
798 | | /// 'what' in the error message. |
799 | | /// |
800 | | /// This is useful when doing arithmetic with untrusted data. |
801 | 0 | pub(crate) fn mul( |
802 | 0 | a: usize, |
803 | 0 | b: usize, |
804 | 0 | what: &'static str, |
805 | 0 | ) -> Result<usize, DeserializeError> { |
806 | 0 | match a.checked_mul(b) { |
807 | 0 | Some(c) => Ok(c), |
808 | 0 | None => Err(DeserializeError::arithmetic_overflow(what)), |
809 | | } |
810 | 0 | } |
811 | | |
812 | | /// Add the given numbers, and on overflow, return an error that includes |
813 | | /// 'what' in the error message. |
814 | | /// |
815 | | /// This is useful when doing arithmetic with untrusted data. |
816 | 0 | pub(crate) fn add( |
817 | 0 | a: usize, |
818 | 0 | b: usize, |
819 | 0 | what: &'static str, |
820 | 0 | ) -> Result<usize, DeserializeError> { |
821 | 0 | match a.checked_add(b) { |
822 | 0 | Some(c) => Ok(c), |
823 | 0 | None => Err(DeserializeError::arithmetic_overflow(what)), |
824 | | } |
825 | 0 | } |
826 | | |
827 | | /// Shift `a` left by `b`, and on overflow, return an error that includes |
828 | | /// 'what' in the error message. |
829 | | /// |
830 | | /// This is useful when doing arithmetic with untrusted data. |
831 | 0 | pub(crate) fn shl( |
832 | 0 | a: usize, |
833 | 0 | b: usize, |
834 | 0 | what: &'static str, |
835 | 0 | ) -> Result<usize, DeserializeError> { |
836 | 0 | let amount = u32::try_from(b) |
837 | 0 | .map_err(|_| DeserializeError::arithmetic_overflow(what))?; |
838 | 0 | match a.checked_shl(amount) { |
839 | 0 | Some(c) => Ok(c), |
840 | 0 | None => Err(DeserializeError::arithmetic_overflow(what)), |
841 | | } |
842 | 0 | } |
843 | | |
844 | | /// Returns the number of additional bytes required to add to the given length |
845 | | /// in order to make the total length a multiple of 4. The return value is |
846 | | /// always less than 4. |
847 | 0 | pub(crate) fn padding_len(non_padding_len: usize) -> usize { |
848 | 0 | (4 - (non_padding_len & 0b11)) & 0b11 |
849 | 0 | } |
850 | | |
851 | | /// A simple trait for writing code generic over endianness. |
852 | | /// |
853 | | /// This is similar to what byteorder provides, but we only need a very small |
854 | | /// subset. |
855 | | pub(crate) trait Endian { |
856 | | /// Writes a u16 to the given destination buffer in a particular |
857 | | /// endianness. If the destination buffer has a length smaller than 2, then |
858 | | /// this panics. |
859 | | fn write_u16(n: u16, dst: &mut [u8]); |
860 | | |
861 | | /// Writes a u32 to the given destination buffer in a particular |
862 | | /// endianness. If the destination buffer has a length smaller than 4, then |
863 | | /// this panics. |
864 | | fn write_u32(n: u32, dst: &mut [u8]); |
865 | | |
866 | | /// Writes a u128 to the given destination buffer in a particular |
867 | | /// endianness. If the destination buffer has a length smaller than 16, |
868 | | /// then this panics. |
869 | | fn write_u128(n: u128, dst: &mut [u8]); |
870 | | } |
871 | | |
872 | | /// Little endian writing. |
873 | | pub(crate) enum LE {} |
874 | | /// Big endian writing. |
875 | | pub(crate) enum BE {} |
876 | | |
877 | | #[cfg(target_endian = "little")] |
878 | | pub(crate) type NE = LE; |
879 | | #[cfg(target_endian = "big")] |
880 | | pub(crate) type NE = BE; |
881 | | |
882 | | impl Endian for LE { |
883 | 0 | fn write_u16(n: u16, dst: &mut [u8]) { |
884 | 0 | dst[..2].copy_from_slice(&n.to_le_bytes()); |
885 | 0 | } |
886 | | |
887 | 0 | fn write_u32(n: u32, dst: &mut [u8]) { |
888 | 0 | dst[..4].copy_from_slice(&n.to_le_bytes()); |
889 | 0 | } |
890 | | |
891 | 0 | fn write_u128(n: u128, dst: &mut [u8]) { |
892 | 0 | dst[..16].copy_from_slice(&n.to_le_bytes()); |
893 | 0 | } |
894 | | } |
895 | | |
896 | | impl Endian for BE { |
897 | 0 | fn write_u16(n: u16, dst: &mut [u8]) { |
898 | 0 | dst[..2].copy_from_slice(&n.to_be_bytes()); |
899 | 0 | } |
900 | | |
901 | 0 | fn write_u32(n: u32, dst: &mut [u8]) { |
902 | 0 | dst[..4].copy_from_slice(&n.to_be_bytes()); |
903 | 0 | } |
904 | | |
905 | 0 | fn write_u128(n: u128, dst: &mut [u8]) { |
906 | 0 | dst[..16].copy_from_slice(&n.to_be_bytes()); |
907 | 0 | } |
908 | | } |
909 | | |
910 | | #[cfg(all(test, feature = "alloc"))] |
911 | | mod tests { |
912 | | use super::*; |
913 | | |
914 | | #[test] |
915 | | fn labels() { |
916 | | let mut buf = [0; 1024]; |
917 | | |
918 | | let nwrite = write_label("fooba", &mut buf).unwrap(); |
919 | | assert_eq!(nwrite, 8); |
920 | | assert_eq!(&buf[..nwrite], b"fooba\x00\x00\x00"); |
921 | | |
922 | | let nread = read_label(&buf, "fooba").unwrap(); |
923 | | assert_eq!(nread, 8); |
924 | | } |
925 | | |
926 | | #[test] |
927 | | #[should_panic] |
928 | | fn bad_label_interior_nul() { |
929 | | // interior NULs are not allowed |
930 | | write_label("foo\x00bar", &mut [0; 1024]).unwrap(); |
931 | | } |
932 | | |
933 | | #[test] |
934 | | fn bad_label_almost_too_long() { |
935 | | // ok |
936 | | write_label(&"z".repeat(255), &mut [0; 1024]).unwrap(); |
937 | | } |
938 | | |
939 | | #[test] |
940 | | #[should_panic] |
941 | | fn bad_label_too_long() { |
942 | | // labels longer than 255 bytes are banned |
943 | | write_label(&"z".repeat(256), &mut [0; 1024]).unwrap(); |
944 | | } |
945 | | |
946 | | #[test] |
947 | | fn padding() { |
948 | | assert_eq!(0, padding_len(8)); |
949 | | assert_eq!(3, padding_len(9)); |
950 | | assert_eq!(2, padding_len(10)); |
951 | | assert_eq!(1, padding_len(11)); |
952 | | assert_eq!(0, padding_len(12)); |
953 | | assert_eq!(3, padding_len(13)); |
954 | | assert_eq!(2, padding_len(14)); |
955 | | assert_eq!(1, padding_len(15)); |
956 | | assert_eq!(0, padding_len(16)); |
957 | | } |
958 | | } |