Issue 1800753005: C++ bindings: A struct's Deserialize() now does validation before deserializing.

Issue 1800753005: C++ bindings: A struct's Deserialize() now does validation before deserializing. (Closed)

Created:
4 years, 9 months ago by vardhan

Modified:
4 years, 8 months ago

Reviewers:
ukode, viettrungluu, qsr

CC:
mojo-reviews_chromium.org, gregsimon, qsr+mojo_chromium.org, viettrungluu+watch_chromium.org, abarth-chromium, Aaron Boodman, darin (slow to review), ben+mojo_chromium.org, yzshen+mojopublicwatch_chromium.org

Base URL:
https://github.com/domokit/mojo.git@master

Target Ref:
refs/heads/master

Project:
mojo

Visibility:
Public.

More Reviews

Description

C++ bindings: A struct's Deserialize() now does validation before deserializing. * Consequently, |Deserialize()| now has a |buf_size| argument. BUG=#419 R=qsr@chromium.org, ukode@google.com, viettrungluu@chromium.org Committed: https://chromium.googlesource.com/external/mojo/+/bbe5f8b0feb702d18fda31aa86c9da59a4485a36

Patch Set 1 #

Total comments: 6

Patch Set 2 : Add |bytes_written| field Serialize(), DeserializeWithoutValidation(). Update consumers & tests. #

Patch Set 3 : oops, typos #

Total comments: 18

Patch Set 4 : Address comments. DeserializeWithoutValidation returns void, doesn't take in buf_size. #

Total comments: 16

Patch Set 5 : fix char* - >char bug in unittest. FixedBuffer can accept sizes that aren't 8 byte multiples. #

Created: 4 years, 8 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+154 lines, -76 lines)			Patch
M	examples/serialization/main.cc	View		1 chunk	+1 line, -2 lines	0 comments	Download
M	mojo/public/cpp/bindings/lib/bindings_internal.h	View	1 2 3 4	1 chunk	+2 lines, -0 lines	0 comments	Download
M	mojo/public/cpp/bindings/lib/fixed_buffer.h	View	1	1 chunk	+8 lines, -0 lines	0 comments	Download
M	mojo/public/cpp/bindings/lib/fixed_buffer.cc	View	1 2 3 4	1 chunk	+2 lines, -2 lines	0 comments	Download
M	mojo/public/cpp/bindings/lib/validation_errors.h	View		1 chunk	+1 line, -0 lines	0 comments	Download
M	mojo/public/cpp/bindings/tests/buffer_unittest.cc	View	1 2 3 4	1 chunk	+8 lines, -0 lines	0 comments	Download
M	mojo/public/cpp/bindings/tests/serialization_api_unittest.cc	View	1 2 3 4	3 chunks	+64 lines, -3 lines	0 comments	Download
M	mojo/public/cpp/bindings/tests/union_unittest.cc	View	1 2 3 4	1 chunk	+1 line, -2 lines	0 comments	Download
M	mojo/public/tools/bindings/generators/cpp_templates/struct_serialization_definition.tmpl	View	1 2 3 4	1 chunk	+43 lines, -7 lines	0 comments	Download
M	mojo/public/tools/bindings/generators/cpp_templates/wrapper_class_declaration.tmpl	View	1 2 3	1 chunk	+16 lines, -17 lines	0 comments	Download
M	services/authentication/accounts_db_manager.cc	View	1 2	2 chunks	+4 lines, -18 lines	0 comments	Download
M	services/url_response_disk_cache/url_response_disk_cache_db.cc	View	1 2 3	2 chunks	+4 lines, -25 lines	0 comments	Download

Messages

Total messages: 21 (2 generated)

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages

viettrungluu

https://codereview.chromium.org/1800753005/diff/1/mojo/public/cpp/bindings/tests/union_unittest.cc File mojo/public/cpp/bindings/tests/union_unittest.cc (right): https://codereview.chromium.org/1800753005/diff/1/mojo/public/cpp/bindings/tests/union_unittest.cc#newcode660 mojo/public/cpp/bindings/tests/union_unittest.cc:660: small_struct->Serialize(buf, sizeof(buf)); Does Serialize() tell you how much space ...

4 years, 9 months ago (2016-03-14 22:56:24 UTC) #2

vardhan

4 years, 9 months ago (2016-03-14 23:11:34 UTC) #3

https://codereview.chromium.org/1800753005/diff/1/mojo/public/cpp/bindings/te...
File mojo/public/cpp/bindings/tests/union_unittest.cc (right):

https://codereview.chromium.org/1800753005/diff/1/mojo/public/cpp/bindings/te...
mojo/public/cpp/bindings/tests/union_unittest.cc:660:
small_struct->Serialize(buf, sizeof(buf));
On 2016/03/14 22:56:23, viettrungluu wrote:
> Does Serialize() tell you how much space it actually used (instead of forcing
> you to deal with the separately via GetSerializedSize())? Should it?

There's an implied contract that Serialize() will take exactly as much as
GetSerializeSize() if successful.

I think this should be easy enough to figure out how much was consumed on
failure (by exposing the underlying FixedBuffer's counter). Not sure how the API
should change to accodomate though.. should Serialize() return it, vs. a
true/false instead? in which case, the user will be forced to do a
GetSerializedSize() just to check a success condition.

https://codereview.chromium.org/1800753005/diff/1/mojo/public/cpp/bindings/te...
mojo/public/cpp/bindings/tests/union_unittest.cc:664:
EXPECT_TRUE(deserialized_struct->Deserialize(buf, sizeof(buf)));
On 2016/03/14 22:56:23, viettrungluu wrote:
> ... because presumably the actual serialized size should be what's passed in
> here, no?

(see comment above -- GetSerializedSize() indicates how much would be written).

https://codereview.chromium.org/1800753005/diff/1/mojo/public/tools/bindings/...
File
mojo/public/tools/bindings/generators/cpp_templates/struct_serialization_definition.tmpl
(right):

https://codereview.chromium.org/1800753005/diff/1/mojo/public/tools/bindings/...
mojo/public/tools/bindings/generators/cpp_templates/struct_serialization_definition.tmpl:32:
bool {{struct.name}}::Deserialize(void* buf, size_t buf_size) {
On 2016/03/14 22:56:23, viettrungluu wrote:
> I do wonder whether you shouldn't expose three things:
> * Validate
> * Deserialize
> * ValidateAndDeserialize

Initially, I was thinking about passing in a DeserializationOptions struct to
Deserialize() (which has a default, so you don't need to supply it most of the
time probably), which has a validation flag..

.. But I guess I can't think of a scenario where you /wouldn't/ want to validate
before deserializing? I'm not sure, but I'm okay with adding the non-validating
version.  In which case, what do you think about passing in  a  
DeserializationOptions struct?

viettrungluu

On 2016/03/14 23:11:34, vardhan wrote: > https://codereview.chromium.org/1800753005/diff/1/mojo/public/cpp/bindings/tests/union_unittest.cc > File mojo/public/cpp/bindings/tests/union_unittest.cc (right): > > https://codereview.chromium.org/1800753005/diff/1/mojo/public/cpp/bindings/tests/union_unittest.cc#newcode660 > ...

4 years, 9 months ago (2016-03-14 23:37:31 UTC) #4

On 2016/03/14 23:11:34, vardhan wrote:
>
https://codereview.chromium.org/1800753005/diff/1/mojo/public/cpp/bindings/te...
> File mojo/public/cpp/bindings/tests/union_unittest.cc (right):
> 
>
https://codereview.chromium.org/1800753005/diff/1/mojo/public/cpp/bindings/te...
> mojo/public/cpp/bindings/tests/union_unittest.cc:660:
> small_struct->Serialize(buf, sizeof(buf));
> On 2016/03/14 22:56:23, viettrungluu wrote:
> > Does Serialize() tell you how much space it actually used (instead of
forcing
> > you to deal with the separately via GetSerializedSize())? Should it?
> 
> There's an implied contract that Serialize() will take exactly as much as
> GetSerializeSize() if successful.
> 
> I think this should be easy enough to figure out how much was consumed on
> failure (by exposing the underlying FixedBuffer's counter). Not sure how the
API
> should change to accodomate though.. should Serialize() return it, vs. a
> true/false instead? in which case, the user will be forced to do a
> GetSerializedSize() just to check a success condition.

You could, e.g., have an in-out buf_size (size_t*) parameter.

Whether it tells you the amount of space required on failure isn't
super-interesting, but for consistency it probably should do it.

The use-case would be something like:

char stack_buf[1000];
std::unique_ptr<char[]> heap_buf;
char* buf = nullptr;
size_t num_bytes = sizeof(stack_buf);
if (foo.Serialize(stack_buf, &num_bytes)) {
  // Fast path.
  buf = stack_buf;
} else {
  // Slow path.
  CHECK(num_bytes > sizeof(stack_buf)) << "D'oh";
  heap_buf.reset(new char[num_bytes]));
  // Or maybe Serialize() should accept a null buf_size param, if you don't
care?
  CHECK(foo.Serialize(heap_buf.get(), &num_bytes));
  buf = heap_buf.get();
}
// Write/send/whatever num_bytes from buf.

> 
>
https://codereview.chromium.org/1800753005/diff/1/mojo/public/cpp/bindings/te...
> mojo/public/cpp/bindings/tests/union_unittest.cc:664:
> EXPECT_TRUE(deserialized_struct->Deserialize(buf, sizeof(buf)));
> On 2016/03/14 22:56:23, viettrungluu wrote:
> > ... because presumably the actual serialized size should be what's passed in
> > here, no?
> 
> (see comment above -- GetSerializedSize() indicates how much would be
written).
> 
>
https://codereview.chromium.org/1800753005/diff/1/mojo/public/tools/bindings/...
> File
>
mojo/public/tools/bindings/generators/cpp_templates/struct_serialization_definition.tmpl
> (right):
> 
>
https://codereview.chromium.org/1800753005/diff/1/mojo/public/tools/bindings/...
>
mojo/public/tools/bindings/generators/cpp_templates/struct_serialization_definition.tmpl:32:
> bool {{struct.name}}::Deserialize(void* buf, size_t buf_size) {
> On 2016/03/14 22:56:23, viettrungluu wrote:
> > I do wonder whether you shouldn't expose three things:
> > * Validate
> > * Deserialize
> > * ValidateAndDeserialize
> 
> Initially, I was thinking about passing in a DeserializationOptions struct to
> Deserialize() (which has a default, so you don't need to supply it most of the
> time probably), which has a validation flag..
> 
> .. But I guess I can't think of a scenario where you /wouldn't/ want to
validate
> before deserializing? I'm not sure, but I'm okay with adding the
non-validating
> version.

If you trust the data source, why would you want the overhead of validating?

> In which case, what do you think about passing in  a  
> DeserializationOptions struct?

In general, I think it'd be preferable to have orthogonal functions, because it
helps with being able to layer.

E.g., layer X may take buffers assuming that they're valid (validated or
otherwise known to be valid), and deserialize from that.

Layer Y1, which gets data from an untrusted source, may wish to validate data,
before handing it to layer X. Layer Y2, which gets data from a trusted source,
may wish to just immediately hand buffers to layer X.

qsr

Could you update services/url_response_disk_cache/url_response_disk_cache_db.cc to use this?

4 years, 9 months ago (2016-03-16 08:36:53 UTC) #5

vardhan

(Oops, i replied to the email instead of on the codereview tool, so duplicating it ...

4 years, 9 months ago (2016-03-16 19:42:15 UTC) #6

(Oops, i replied to the email instead of on the codereview tool, so duplicating
it here.)

> You could, e.g., have an in-out buf_size (size_t*) parameter.
> 
> Whether it tells you the amount of space required on failure isn't
> super-interesting, but for consistency it probably should do it.
> 
> The use-case would be something like:
> 
> char stack_buf[1000];
> std::unique_ptr<char[]> heap_buf;
> char* buf = nullptr;
> size_t num_bytes = sizeof(stack_buf);
> if (foo.Serialize(stack_buf, &num_bytes)) {
>   // Fast path.
>   buf = stack_buf;
> } else {
>   // Slow path.
>   CHECK(num_bytes > sizeof(stack_buf)) << "D'oh";
>   heap_buf.reset(new char[num_bytes]));
>   // Or maybe Serialize() should accept a null buf_size param, if you don't
> care?
It can't be null if |buf_size| is also used to represent the size of the buffer.

>   CHECK(foo.Serialize(heap_buf.get(), &num_bytes));
>   buf = heap_buf.get();
> }
> // Write/send/whatever num_bytes from buf.

I guess having |buf_size| represent both "incoming buf size" and "size written"
would work..
It doesn't feel as eloquent though, although it uses a fewer # of arguments.. I
don't have a good argument against this though.

what about just separating |num_bytes|'s responsibility:
bool Serialize(void* buf, size_t buf_size, size_t* written_bytes = nullptr);

This way, you don't have to provide a |written_bytes|, and |buf_size| could be a
constant?

> If you trust the data source, why would you want the overhead of validating?
> 
> > In which case, what do you think about passing in  a  
> > DeserializationOptions struct?
> 
> In general, I think it'd be preferable to have orthogonal functions, because
it
> helps with being able to layer.
> 
> E.g., layer X may take buffers assuming that they're valid (validated or
> otherwise known to be valid), and deserialize from that.
> 
> Layer Y1, which gets data from an untrusted source, may wish to validate data,
> before handing it to layer X. Layer Y2, which gets data from a trusted source,
> may wish to just immediately hand buffers to layer X.

Sure, I'm okay with Validate(), Deserialize(), ValidateAndDeserialize().

should Deserialize() validate by default instead, and we instead introduce
DeserializeWithoutValidating()?
I'm still assuming you'll want to validate majority of the time, so i'm
proposing the "Deserialize()" name serve the majority use case

vardhan

On 2016/03/16 08:36:53, qsr wrote: > Could you update services/url_response_disk_cache/url_response_disk_cache_db.cc > to use this? That's ...

4 years, 9 months ago (2016-03-16 19:43:04 UTC) #7

viettrungluu

On 2016/03/16 19:42:15, vardhan wrote: > (Oops, i replied to the email instead of on ...

4 years, 9 months ago (2016-03-16 23:08:23 UTC) #8

On 2016/03/16 19:42:15, vardhan wrote:
> (Oops, i replied to the email instead of on the codereview tool, so
duplicating
> it here.)
> 
> > You could, e.g., have an in-out buf_size (size_t*) parameter.
> > 
> > Whether it tells you the amount of space required on failure isn't
> > super-interesting, but for consistency it probably should do it.
> > 
> > The use-case would be something like:
> > 
> > char stack_buf[1000];
> > std::unique_ptr<char[]> heap_buf;
> > char* buf = nullptr;
> > size_t num_bytes = sizeof(stack_buf);
> > if (foo.Serialize(stack_buf, &num_bytes)) {
> >   // Fast path.
> >   buf = stack_buf;
> > } else {
> >   // Slow path.
> >   CHECK(num_bytes > sizeof(stack_buf)) << "D'oh";
> >   heap_buf.reset(new char[num_bytes]));
> >   // Or maybe Serialize() should accept a null buf_size param, if you don't
> > care?
> It can't be null if |buf_size| is also used to represent the size of the
buffer.
> 
> >   CHECK(foo.Serialize(heap_buf.get(), &num_bytes));
> >   buf = heap_buf.get();
> > }
> > // Write/send/whatever num_bytes from buf.
> 
> I guess having |buf_size| represent both "incoming buf size" and "size
written"
> would work..
> It doesn't feel as eloquent though, although it uses a fewer # of arguments..
I
> don't have a good argument against this though.
> 
> what about just separating |num_bytes|'s responsibility:
> bool Serialize(void* buf, size_t buf_size, size_t* written_bytes = nullptr);
> 
> This way, you don't have to provide a |written_bytes|, and |buf_size| could be
a
> constant?

That's fine too.

> 
> > If you trust the data source, why would you want the overhead of validating?
> > 
> > > In which case, what do you think about passing in  a  
> > > DeserializationOptions struct?
> > 
> > In general, I think it'd be preferable to have orthogonal functions, because
> it
> > helps with being able to layer.
> > 
> > E.g., layer X may take buffers assuming that they're valid (validated or
> > otherwise known to be valid), and deserialize from that.
> > 
> > Layer Y1, which gets data from an untrusted source, may wish to validate
data,
> > before handing it to layer X. Layer Y2, which gets data from a trusted
source,
> > may wish to just immediately hand buffers to layer X.
> 
> Sure, I'm okay with Validate(), Deserialize(), ValidateAndDeserialize().
> 
> should Deserialize() validate by default instead, and we instead introduce
> DeserializeWithoutValidating()?
> I'm still assuming you'll want to validate majority of the time, so i'm
> proposing the "Deserialize()" name serve the majority use case

OK.

qsr

https://codereview.chromium.org/1800753005/diff/40001/services/url_response_disk_cache/url_response_disk_cache_db.cc File services/url_response_disk_cache/url_response_disk_cache_db.cc (right): https://codereview.chromium.org/1800753005/diff/40001/services/url_response_disk_cache/url_response_disk_cache_db.cc#newcode31 services/url_response_disk_cache/url_response_disk_cache_db.cc:31: size_t size = GetSerializedSize_(*input); Is it expected that I ...

4 years, 9 months ago (2016-03-23 08:14:37 UTC) #11

viettrungluu

https://codereview.chromium.org/1800753005/diff/40001/mojo/public/cpp/bindings/tests/serialization_api_unittest.cc File mojo/public/cpp/bindings/tests/serialization_api_unittest.cc (right): https://codereview.chromium.org/1800753005/diff/40001/mojo/public/cpp/bindings/tests/serialization_api_unittest.cc#newcode43 mojo/public/cpp/bindings/tests/serialization_api_unittest.cc:43: auto deserialize_ret = out_val.Deserialize(bytes.data(), bytes.size()); You may as well ...

4 years, 9 months ago (2016-03-23 17:43:53 UTC) #12

vardhan

ptal https://codereview.chromium.org/1800753005/diff/40001/mojo/public/cpp/bindings/tests/serialization_api_unittest.cc File mojo/public/cpp/bindings/tests/serialization_api_unittest.cc (right): https://codereview.chromium.org/1800753005/diff/40001/mojo/public/cpp/bindings/tests/serialization_api_unittest.cc#newcode43 mojo/public/cpp/bindings/tests/serialization_api_unittest.cc:43: auto deserialize_ret = out_val.Deserialize(bytes.data(), bytes.size()); On 2016/03/23 17:43:53, ...

4 years, 9 months ago (2016-03-23 23:28:43 UTC) #13

ptal

https://codereview.chromium.org/1800753005/diff/40001/mojo/public/cpp/binding...
File mojo/public/cpp/bindings/tests/serialization_api_unittest.cc (right):

https://codereview.chromium.org/1800753005/diff/40001/mojo/public/cpp/binding...
mojo/public/cpp/bindings/tests/serialization_api_unittest.cc:43: auto
deserialize_ret = out_val.Deserialize(bytes.data(), bytes.size());
On 2016/03/23 17:43:53, viettrungluu wrote:
> You may as well say "bool" instead of "auto", especially since you rely on
this
> below.

Done.

https://codereview.chromium.org/1800753005/diff/40001/mojo/public/cpp/binding...
mojo/public/cpp/bindings/tests/serialization_api_unittest.cc:185: // Test
DeserializeWithoutValidation
On 2016/03/23 17:43:53, viettrungluu wrote:
> nit: This comment would need some punctuation, but it's basically a useless
> comment so you may as well just delete it.

Done.

https://codereview.chromium.org/1800753005/diff/40001/mojo/public/cpp/binding...
mojo/public/cpp/bindings/tests/serialization_api_unittest.cc:187: void*
buf[100];
On 2016/03/23 17:43:53, viettrungluu wrote:
> void*?

Done.

https://codereview.chromium.org/1800753005/diff/40001/mojo/public/cpp/binding...
mojo/public/cpp/bindings/tests/serialization_api_unittest.cc:190: // Since there
is no bounds checker, this will pass even though it's bad.
On 2016/03/23 17:43:53, viettrungluu wrote:
> Since you didn't initialize the contents of buf, you don't even know that it's
> bad.

oops!

https://codereview.chromium.org/1800753005/diff/40001/mojo/public/tools/bindi...
File
mojo/public/tools/bindings/generators/cpp_templates/struct_serialization_definition.tmpl
(right):

https://codereview.chromium.org/1800753005/diff/40001/mojo/public/tools/bindi...
mojo/public/tools/bindings/generators/cpp_templates/struct_serialization_definition.tmpl:1:
{%- import "struct_macros.tmpl" as struct_macros %}
On 2016/03/23 17:43:53, viettrungluu wrote:
> (Please make sure the .tmpl files end with a newline.)

Done. (it wasn't -- thanks!)

https://codereview.chromium.org/1800753005/diff/40001/mojo/public/tools/bindi...
mojo/public/tools/bindings/generators/cpp_templates/struct_serialization_definition.tmpl:38:
bool {{struct.name}}::Deserialize(void* buf, size_t buf_size) {
On 2016/03/23 17:43:53, viettrungluu wrote:
> const void*?
> 
> Also, can't/shouldn't Deserialize() (and DeserializeWithoutValidation()) tell
> you how many bytes it actually "consumed"?

discussed offline -- "bytes consumed" is hard to compute with pointers.

i think its possible if we enforce depth-first order when serializing a struct's
fields into a buffer: this way when deserializing, we could maintain the most
recent pointer (+ size of the object) we jump to since that would be the last
thing in the buffer.

either way, it would still require changes to the internal Deserialize_() which
involves changing some consumers.  so if this proves necessary, we could do it
in a later change.

https://codereview.chromium.org/1800753005/diff/40001/mojo/public/tools/bindi...
mojo/public/tools/bindings/generators/cpp_templates/struct_serialization_definition.tmpl:56:
bool {{struct.name}}::DeserializeWithoutValidation(void* buf,
On 2016/03/23 17:43:53, viettrungluu wrote:
> const void*?

Can't right now because Deserialization is currently mutable -- we rewrite
offsets to pointers, and resetting the encoded handle offsets.

I'll add a TODO here, but making it const involves getting rid of
DecodePointersAndHandles, which is on my list of things to do for the new C++
bindings generator.

https://codereview.chromium.org/1800753005/diff/40001/mojo/public/tools/bindi...
mojo/public/tools/bindings/generators/cpp_templates/struct_serialization_definition.tmpl:67:
return true;
On 2016/03/23 17:43:53, viettrungluu wrote:
> Then why does it return anything at all?

Done.

https://codereview.chromium.org/1800753005/diff/40001/services/url_response_d...
File services/url_response_disk_cache/url_response_disk_cache_db.cc (right):

https://codereview.chromium.org/1800753005/diff/40001/services/url_response_d...
services/url_response_disk_cache/url_response_disk_cache_db.cc:31: size_t size =
GetSerializedSize_(*input);
On 2016/03/23 08:14:37, qsr wrote:
> Is it expected that I still need a private method here?

No -- I forgot to update GetSerializedSize. Thanks!

viettrungluu

https://codereview.chromium.org/1800753005/diff/60001/mojo/public/cpp/bindings/lib/bindings_internal.h File mojo/public/cpp/bindings/lib/bindings_internal.h (right): https://codereview.chromium.org/1800753005/diff/60001/mojo/public/cpp/bindings/lib/bindings_internal.h#newcode101 mojo/public/cpp/bindings/lib/bindings_internal.h:101: // TODO(vardhan): Should RemoveStructPtr<> be internal-only? Should be /the/ ...

4 years, 8 months ago (2016-03-30 17:49:02 UTC) #17

vardhan

ptal https://codereview.chromium.org/1800753005/diff/60001/mojo/public/cpp/bindings/lib/bindings_internal.h File mojo/public/cpp/bindings/lib/bindings_internal.h (right): https://codereview.chromium.org/1800753005/diff/60001/mojo/public/cpp/bindings/lib/bindings_internal.h#newcode101 mojo/public/cpp/bindings/lib/bindings_internal.h:101: // TODO(vardhan): Should RemoveStructPtr<> be internal-only? Should be ...

4 years, 8 months ago (2016-03-30 22:49:07 UTC) #18

vardhan

4 years, 8 months ago (2016-03-31 20:03:43 UTC) #21

Message was sent while issue was closed.

Committed patchset #5 (id:80001) manually as
bbe5f8b0feb702d18fda31aa86c9da59a4485a36 (presubmit successful).

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages