| blob | 7fef48ee24b69534cff7498e7294de7db2340571 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
2 * vim: set ts=8 sts=2 et sw=2 tw=80:
3 * This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 #ifndef js_StructuredClone_h
8 #define js_StructuredClone_h
14 #include <stdint.h>
15 #include <utility>
24 /*
25 * API for safe passing of structured data, HTML 2018 Feb 21 section 2.7.
26 * <https://html.spec.whatwg.org/multipage/structured-data.html>
27 *
28 * This is a serialization scheme for JS values, somewhat like JSON. It
29 * preserves some aspects of JS objects (strings, numbers, own data properties
30 * with string keys, array elements) but not others (methods, getters and
31 * setters, prototype chains). Unlike JSON, structured data:
32 *
33 * - can contain cyclic references.
34 *
35 * - handles Maps, Sets, and some other object types.
36 *
37 * - supports *transferring* objects of certain types from one realm to
38 * another, rather than cloning them.
39 *
40 * - is specified by a living standard, and continues to evolve.
41 *
42 * - is encoded in a nonstandard binary format, and is never exposed to Web
43 * content in its serialized form. It's used internally by the browser to
44 * send data from one thread/realm/domain to another, not across the
45 * network.
46 */
51 /**
52 * The structured-clone serialization format version number.
53 *
54 * When serialized data is stored as bytes, e.g. in your Firefox profile, later
55 * versions of the engine may have to read it. When you upgrade Firefox, we
56 * don't crawl through your whole profile converting all saved data from the
57 * previous version of the serialization format to the latest version. So it is
58 * normal to have data in old formats stored in your profile.
59 *
60 * The JS engine can *write* data only in the current format version.
61 *
62 * It can *read* any data written in the current version, and data written for
63 * DifferentProcess scope in earlier versions.
64 *
65 *
66 * ## When to bump this version number
67 *
68 * When making a change so drastic that the JS engine needs to know whether
69 * it's reading old or new serialized data in order to handle both correctly,
70 * increment this version number. Make sure the engine can still read all
71 * old data written with previous versions.
72 *
73 * If StructuredClone.cpp doesn't contain code that distinguishes between
74 * version 8 and version 9, there should not be a version 9.
75 *
76 * Do not increment for changes that only affect SameProcess encoding.
77 *
78 * Increment only for changes that would otherwise break old serialized data.
79 * Do not increment for new data types. (Rationale: Modulo bugs, older versions
80 * of the JS engine can already correctly throw errors when they encounter new,
81 * unrecognized features. A version number bump does not actually help them.)
82 */
83 #define JS_STRUCTURED_CLONE_VERSION 8
87 /**
88 * Indicates the "scope of validity" of serialized data.
89 *
90 * Writing plain JS data produces an array of bytes that can be copied and
91 * read in another process or whatever. The serialized data is Plain Old Data.
92 * However, HTML also supports `Transferable` objects, which, when cloned, can
93 * be moved from the source object into the clone, like when you take a
94 * photograph of someone and it steals their soul.
95 * See <https://developer.mozilla.org/en-US/docs/Web/API/Transferable>.
96 * We support cloning and transferring objects of many types.
97 *
98 * For example, when we transfer an ArrayBuffer (within a process), we "detach"
99 * the ArrayBuffer, embed the raw buffer pointer in the serialized data, and
100 * later install it in a new ArrayBuffer in the destination realm. Ownership
101 * of that buffer memory is transferred from the original ArrayBuffer to the
102 * serialized data and then to the clone.
103 *
104 * This only makes sense within a single address space. When we transfer an
105 * ArrayBuffer to another process, the contents of the buffer must be copied
106 * into the serialized data. (The original ArrayBuffer is still detached,
107 * though, for consistency; in some cases the caller shouldn't know or care if
108 * the recipient is in the same process.)
109 *
110 * ArrayBuffers are actually a lucky case; some objects (like MessagePorts)
111 * can't reasonably be stored by value in serialized data -- it's pointers or
112 * nothing.
113 *
114 * So there is a tradeoff between scope of validity -- how far away the
115 * serialized data may be sent and still make sense -- and efficiency or
116 * features. The read and write algorithms therefore take an argument of this
117 * type, allowing the user to control those trade-offs.
118 */
120 /**
121 * The most restrictive scope, with greatest efficiency and features.
122 *
123 * When writing, this means: The caller promises that the serialized data
124 * will **not** be shipped off to a different process or stored in a
125 * database. However, it may be shipped to another thread. It's OK to
126 * produce serialized data that contains pointers to data that is safe to
127 * send across threads, such as array buffers. In Rust terms, the
128 * serialized data will be treated as `Send` but not `Copy`.
129 *
130 * When reading, this means: Accept transferred objects and buffers
131 * (pointers). The caller promises that the serialized data was written
132 * using this API (otherwise, the serialized data may contain bogus
133 * pointers, leading to undefined behavior).
134 *
135 * Starts from 1 because there used to be a SameProcessSameThread enum value
136 * of 0 and these values are encoded into the structured serialization format
137 * as part of the SCTAG_HEADER, and IndexedDB persists the representation to
138 * disk.
139 */
142 /**
143 * When writing, this means we're writing for an audience in a different
144 * process. Produce serialized data that can be sent to other processes,
145 * bitwise copied, or even stored as bytes in a database and read by later
146 * versions of Firefox years from now. The HTML5 spec refers to this as
147 * "ForStorage" as in StructuredSerializeForStorage, though we use
148 * DifferentProcess for IPC as well as storage.
149 *
150 * Transferable objects are limited to ArrayBuffers, whose contents are
151 * copied into the serialized data (rather than just writing a pointer).
152 *
153 * When reading, this means: Do not accept pointers.
154 */
155 DifferentProcess,
157 /**
158 * Handle a backwards-compatibility case with IndexedDB (bug 1434308): when
159 * reading, this means to treat legacy SameProcess data as if it were
160 * DifferentProcess.
161 *
162 * Do not use this for writing; use DifferentProcess instead.
163 */
164 DifferentProcessForIndexedDB,
166 /**
167 * Existing code wants to be able to create an uninitialized
168 * JSStructuredCloneData without knowing the scope, then populate it with
169 * data (at which point the scope *is* known.)
170 */
171 Unassigned,
173 /**
174 * This scope is used when the deserialization context is unknown. When
175 * writing, DifferentProcess or SameProcess scope is chosen based on the
176 * nature of the object.
177 */
178 UnknownDestination,
179 };
181 /** Values used to describe the ownership individual Transferables.
182 *
183 * Note that these *can* show up in DifferentProcess clones, since
184 * DifferentProcess ArrayBuffers can be Transferred. In that case, this will
185 * distinguish the specific ownership mechanism: is it a malloc pointer or a
186 * memory mapping? */
188 /** Transferable data has not been filled in yet. */
191 /** Structured clone buffer does not yet own the data. */
194 /** All enum values at least this large are owned by the clone buffer. */
197 /** Data is a pointer that can be freed. */
200 /** Data is a memory mapped pointer. */
203 /**
204 * Data is embedding-specific. The engine can free it by calling the
205 * freeTransfer op. */
208 /**
209 * Same as SCTAG_TMO_CUSTOM, but the embedding can also use
210 * SCTAG_TMO_USER_MIN and greater, up to 2^32-1, to distinguish specific
211 * ownership variants.
212 */
213 SCTAG_TMO_USER_MIN
214 };
221 // The default is to deny all policy-controlled aspects.
227 // SharedArrayBuffers and WASM modules can only be cloned intra-process
228 // because the shared memory areas are allocated in process-private memory or
229 // because there are security issues of sharing them cross agent clusters.
230 // y default, we don't allow shared-memory and intra-cluster objects. Clients
231 // should therefore enable these 2 clone features when needed.
235 }
238 }
243 }
244 };
248 /**
249 * Read structured data from the reader r. This hook is used to read a value
250 * previously serialized by a call to the WriteStructuredCloneOp hook.
251 *
252 * tag and data are the pair of uint32_t values from the header. The callback
253 * may use the JS_Read* APIs to read any other relevant parts of the object
254 * from the reader r. closure is any value passed to the JS_ReadStructuredClone
255 * function.
256 *
257 * Return the new object on success, or raise an exception and return nullptr on
258 * error.
259 */
265 /**
266 * Structured data serialization hook. The engine can write primitive values,
267 * Objects, Arrays, Dates, RegExps, TypedArrays, ArrayBuffers, Sets, Maps,
268 * and SharedTypedArrays. Any other type of object requires application support.
269 * This callback must first use the JS_WriteUint32Pair API to write an object
270 * header, passing a value greater than JS_SCTAG_USER to the tag parameter.
271 * Then it can use the JS_Write* APIs to write any other relevant parts of
272 * the value v to the writer w. closure is any value passed to the
273 * JS_WriteStructuredClone function.
274 *
275 * Return true on success, false on error. On error, an exception should
276 * normally be set.
277 */
284 /**
285 * This is called when serialization or deserialization encounters an error.
286 * To follow HTML5, the application must throw a DATA_CLONE_ERR DOMException
287 * with error set to one of the JS_SCERR_* values.
288 *
289 * Note that if the .reportError field of the JSStructuredCloneCallbacks is
290 * set (to a function with this signature), then an exception will *not* be
291 * set on the JSContext when an error is encountered. The clone operation
292 * will still be aborted and will return false, however, so it is up to the
293 * embedding to do what it needs to for the error.
294 *
295 * Example: for the DOM, mozilla::dom::StructuredCloneHolder will save away
296 * the error message during its reportError callback. Then when the overall
297 * operation fails, it will clear any exception that might have been set
298 * from other ways to fail and pass the saved error message to
299 * ErrorResult::ThrowDataCloneError().
300 */
304 /**
305 * This is called when JS_ReadStructuredClone receives a transferable object
306 * not known to the engine. If this hook does not exist or returns false, the
307 * JS engine calls the reportError op if set, otherwise it throws a
308 * DATA_CLONE_ERR DOM Exception. This method is called before any other
309 * callback and must return a non-null object in returnObject on success.
310 *
311 * If this readTransfer() hook is called and produces an object, then the
312 * read() hook will *not* be called for the same object, since the main data
313 * will only contain a backreference to the already-read object.
314 */
320 /**
321 * Called when JS_WriteStructuredClone receives a transferable object not
322 * handled by the engine. If this hook does not exist or returns false, the JS
323 * engine will call the reportError hook or fall back to throwing a
324 * DATA_CLONE_ERR DOM Exception. This method is called before any other
325 * callback.
326 *
327 * tag: indicates what type of transferable this is. Must be greater than
328 * 0xFFFF0201 (value of the internal SCTAG_TRANSFER_MAP_PENDING_ENTRY)
329 *
330 * ownership: see TransferableOwnership, above. Used to communicate any needed
331 * ownership info to the FreeTransferStructuredCloneOp.
332 *
333 * content, extraData: what the ReadTransferStructuredCloneOp will receive
334 */
338 // Output:
343 /**
344 * Called when freeing a transferable handled by the embedding. Note that it
345 * should never trigger a garbage collection (and will assert in a
346 * debug build if it does.)
347 *
348 * This callback will be used to release ownership in three situations:
349 *
350 * 1. During serialization: an object is Transferred from, then an error is
351 * encountered later and the incomplete serialization is discarded.
352 *
353 * 2. During deserialization: before an object is Transferred to, an error
354 * is encountered and the incompletely deserialized clone is discarded.
355 *
356 * 3. Serialized data that includes Transferring is never deserialized (eg when
357 * the receiver disappears before reading in the message), and the clone data
358 * is destroyed.
359 *
360 */
365 /**
366 * Called when the transferring objects are checked. If this function returns
367 * false, the serialization ends throwing a DataCloneError exception.
368 */
374 /**
375 * Called when a SharedArrayBuffer (including one owned by a Wasm memory object)
376 * has been processed in context `cx` by structured cloning. If `receiving` is
377 * true then the SAB has been received from a channel and a new SAB object has
378 * been created; if false then an existing SAB has been serialized onto a
379 * channel.
380 *
381 * If the callback returns false then the clone operation (read or write) will
382 * signal a failure.
383 */
388 ReadStructuredCloneOp read;
389 WriteStructuredCloneOp write;
390 StructuredCloneErrorOp reportError;
391 ReadTransferStructuredCloneOp readTransfer;
392 TransferStructuredCloneOp writeTransfer;
393 FreeTransferStructuredCloneOp freeTransfer;
394 CanTransferStructuredCloneOp canTransfer;
395 SharedArrayBufferClonedOp sabCloned;
396 };
399 /**
400 * The buffer owns any Transferables that it might contain, and should
401 * properly release them upon destruction.
402 */
403 OwnsTransferablesIfAny,
405 /**
406 * Do not free any Transferables within this buffer when deleting it. This
407 * is used to mark a clone buffer as containing data from another process,
408 * and so it can't legitimately contain pointers. If the buffer claims to
409 * have transferables, it's a bug or an attack. This is also used for
410 * abandon(), where a buffer still contains raw data but the ownership has
411 * been given over to some other entity.
412 */
413 IgnoreTransferablesIfAny,
415 /**
416 * A buffer that cannot contain Transferables at all. This usually means
417 * the buffer is empty (not yet filled in, or having been cleared).
418 */
419 NoTransferables
420 };
440 };
446 /**
447 * JSStructuredCloneData represents structured clone data together with the
448 * information needed to read/write/transfer/free the records within it, in the
449 * form of a set of callbacks.
450 */
459 BufferList bufList_;
461 // The (address space, thread) scope within which this clone is valid. Note
462 // that this must be either set during construction, or start out as
463 // Unassigned and transition once to something else.
468 OwnTransferablePolicy ownTransferables_ =
478 // The constructor must be infallible but SystemAllocPolicy is not, so both
479 // the initial size and initial capacity of the BufferList must be zero.
484 // Steal the raw data from a BufferList. In this case, we don't know the
485 // scope and none of the callback info is assigned yet.
487 OwnTransferablePolicy ownership)
496 OwnTransferablePolicy policy) {
500 }
504 }
509 }
511 }
516 }
517 }
524 }
526 }
534 }
539 }
541 // Append new data to the end of the buffer.
545 }
547 // Update data stored within the existing buffer. There must be at least
548 // 'size' bytes between the position of 'iter' and the end of the buffer.
559 }
561 }
565 }
570 }
572 // Return a new read-only JSStructuredCloneData that "borrows" the contents
573 // of |this|. Its lifetime should not exceed the donor's. This is only
574 // allowed for DifferentProcess clones, so finalization of the borrowing
575 // clone will do nothing.
581 IgnoreTransferablesIfAny);
582 }
584 // Iterate over all contained data, one BufferList segment's worth at a
585 // time, and invoke the given FunctionToApply with the data pointer and
586 // size. The function should return a bool value, and this loop will exit
587 // with false if the function ever returns false.
594 }
596 }
598 }
600 // Append the entire contents of other's bufList_ to our own.
605 }
609 }
614 // This internal method exposes the real value of scope_. It's meant to be
615 // used only when starting the writing.
617 };
619 /**
620 * Implements StructuredDeserialize and StructuredDeserializeWithTransfer.
621 *
622 * Note: If `data` contains transferable objects, it can be read only once.
623 */
630 /**
631 * Implements StructuredSerialize, StructuredSerializeForStorage, and
632 * StructuredSerializeWithTransfer.
633 *
634 * Note: If the scope is DifferentProcess then the cloneDataPolicy must deny
635 * shared-memory objects, or an error will be signaled if a shared memory object
636 * is seen.
637 */
651 /**
652 * The C-style API calls to read and write structured clones are fragile --
653 * they rely on the caller to properly handle ownership of the clone data, and
654 * the handling of the input data as well as the interpretation of the contents
655 * of the clone buffer are dependent on the callbacks passed in. If you
656 * serialize and deserialize with different callbacks, the results are
657 * questionable.
658 *
659 * JSAutoStructuredCloneBuffer wraps things up in an RAII class for data
660 * management, and uses the same callbacks for both writing and reading
661 * (serializing and deserializing).
662 */
664 JSStructuredCloneData data_;
674 }
688 /**
689 * Adopt some memory. It will be automatically freed by the destructor.
690 * data must have been allocated by the JS engine (e.g., extracted via
691 * JSAutoStructuredCloneBuffer::steal).
692 */
698 /**
699 * Release ownership of the buffer and assign it and ownership of it to
700 * `data`.
701 */
720 }
724 }
727 // Copy and assignment are not supported.
732 };
734 // The range of tag values the application may use for its own custom object
735 // types.
736 #define JS_SCTAG_USER_MIN ((uint32_t)0xFFFF8000)
737 #define JS_SCTAG_USER_MAX ((uint32_t)0xFFFFFFFF)
739 #define JS_SCERR_RECURSION 0
740 #define JS_SCERR_TRANSFERABLE 1
741 #define JS_SCERR_DUP_TRANSFERABLE 2
742 #define JS_SCERR_UNSUPPORTED_TYPE 3
743 #define JS_SCERR_SHMEM_TRANSFERABLE 4
744 #define JS_SCERR_TYPED_ARRAY_DETACHED 5
745 #define JS_SCERR_WASM_NO_TRANSFER 6
746 #define JS_SCERR_NOT_CLONABLE 7
747 #define JS_SCERR_NOT_CLONABLE_WITH_COOP_COEP 8