423 lines
24 KiB
Markdown
423 lines
24 KiB
Markdown
---
|
|
layout: page
|
|
title: Encoding Spec
|
|
---
|
|
|
|
# Encoding Spec
|
|
|
|
## Organization
|
|
|
|
### 64-bit Words
|
|
|
|
For the purpose of Cap'n Proto, a "word" is defined as 8 bytes, or 64 bits. Since alignment of
|
|
data is important, all objects (structs, lists, and blobs) are aligned to word boundaries, and
|
|
sizes are usually expressed in terms of words. (Primitive values are aligned to a multiple of
|
|
their size within a struct or list.)
|
|
|
|
### Messages
|
|
|
|
The unit of communication in Cap'n Proto is a "message". A message is a tree of objects, with
|
|
the root always being a struct.
|
|
|
|
Physically, messages may be split into several "segments", each of which is a flat blob of bytes.
|
|
Typically, a segment must be loaded into a contiguous block of memory before it can be accessed,
|
|
so that the relative pointers within the segment can be followed quickly. However, when a message
|
|
has multiple segments, it does not matter where those segments are located in memory relative to
|
|
each other; inter-segment pointers are encoded differently, as we'll see later.
|
|
|
|
Ideally, every message would have only one segment. However, there are a few reasons why splitting
|
|
a message into multiple segments may be convenient:
|
|
|
|
* It can be difficult to predict how large a message might be until you start writing it, and you
|
|
can't start writing it until you have a segment to write to. If it turns out the segment you
|
|
allocated isn't big enough, you can allocate additional segments without the need to relocate the
|
|
data you've already written.
|
|
* Allocating excessively large blocks of memory can make life difficult for memory allocators,
|
|
especially on 32-bit systems with limited address space.
|
|
|
|
The first word of the first segment of the message is always a pointer pointing to the message's
|
|
root struct.
|
|
|
|
### Objects
|
|
|
|
Each segment in a message contains a series of objects. For the purpose of Cap'n Proto, an "object"
|
|
is any value which may have a pointer pointing to it. Pointers can only point to the beginning of
|
|
objects, not into the middle, and no more than one pointer can point at each object. Thus, objects
|
|
and the pointers connecting them form a tree, not a graph. An object is itself composed of
|
|
primitive data values and pointers, in a layout that depends on the kind of object.
|
|
|
|
At the moment, there are three kinds of objects: structs, lists, and far-pointer landing pads.
|
|
Blobs might also be considered to be a kind of object, but are encoded identically to lists of
|
|
bytes.
|
|
|
|
## Value Encoding
|
|
|
|
### Primitive Values
|
|
|
|
The built-in primitive types are encoded as follows:
|
|
|
|
* `Void`: Not encoded at all. It has only one possible value thus carries no information.
|
|
* `Bool`: One bit. 1 = true, 0 = false.
|
|
* Integers: Encoded in little-endian format. Signed integers use two's complement.
|
|
* Floating-points: Encoded in little-endian IEEE-754 format.
|
|
|
|
Primitive types must always be aligned to a multiple of their size. Note that since the size of
|
|
a `Bool` is one bit, this means eight `Bool` values can be encoded in a single byte -- this differs
|
|
from C++, where the `bool` type takes a whole byte.
|
|
|
|
### Enums
|
|
|
|
Enums are encoded the same as `UInt16`.
|
|
|
|
## Object Encoding
|
|
|
|
### Blobs
|
|
|
|
The built-in blob types are encoded as follows:
|
|
|
|
* `Data`: Encoded as a pointer, identical to `List(UInt8)`.
|
|
* `Text`: Like `Data`, but the content must be valid UTF-8, and the last byte of the content must
|
|
be zero. The encoding allows bytes other than the last to be zero, but some applications
|
|
(especially ones written in languages that use NUL-terminated strings) may truncate at the first
|
|
zero. If a particular text field is explicitly intended to support zero bytes, it should
|
|
document this, but otherwise senders should assume that zero bytes are not allowed to be safe.
|
|
Note that the NUL terminator is included in the size sent on the wire, but the runtime library
|
|
should not count it in any size reported to the application.
|
|
|
|
### Structs
|
|
|
|
A struct value is encoded as a pointer to its content. The content is split into two sections:
|
|
data and pointers, with the pointer section appearing immediately after the data section. This
|
|
split allows structs to be traversed (e.g., copied) without knowing their type.
|
|
|
|
A struct pointer looks like this:
|
|
|
|
lsb struct pointer msb
|
|
+-+-----------------------------+---------------+---------------+
|
|
|A| B | C | D |
|
|
+-+-----------------------------+---------------+---------------+
|
|
|
|
A (2 bits) = 0, to indicate that this is a struct pointer.
|
|
B (30 bits) = Offset, in words, from the end of the pointer to the
|
|
start of the struct's data section. Signed.
|
|
C (16 bits) = Size of the struct's data section, in words.
|
|
D (16 bits) = Size of the struct's pointer section, in words.
|
|
|
|
Fields are positioned within the struct according to an algorithm with the following principles:
|
|
|
|
* The position of each field depends only on its definition and the definitions of lower-numbered
|
|
fields, never on the definitions of higher-numbered fields. This ensures backwards-compatibility
|
|
when new fields are added.
|
|
* Due to alignment requirements, fields in the data section may be separated by padding. However,
|
|
later-numbered fields may be positioned into the padding left between earlier-numbered fields.
|
|
Because of this, a struct will never contain more than 63 bits of padding. Since objects are
|
|
rounded up to a whole number of words anyway, padding never ends up wasting space.
|
|
* Unions and groups need not occupy contiguous memory. Indeed, they may have to be split into
|
|
multiple slots if new fields are added later on.
|
|
|
|
Field offsets are computed by the Cap'n Proto compiler. The precise algorithm is too complicated
|
|
to describe here, but you need not implement it yourself, as the compiler can produce a compiled
|
|
schema format which includes offset information.
|
|
|
|
#### Default Values
|
|
|
|
A default struct is always all-zeros. To achieve this, fields in the data section are stored xor'd
|
|
with their defined default values. An all-zero pointer is considered "null"; accessor methods
|
|
for pointer fields check for null and return a pointer to their default value in this case.
|
|
|
|
There are several reasons why this is desirable:
|
|
|
|
* Cap'n Proto messages are often "packed" with a simple compression algorithm that deflates
|
|
zero-value bytes.
|
|
* Newly-allocated structs only need to be zero-initialized, which is fast and requires no knowledge
|
|
of the struct type except its size.
|
|
* If a newly-added field is placed in space that was previously padding, messages written by old
|
|
binaries that do not know about this field will still have its default value set correctly --
|
|
because it is always zero.
|
|
|
|
#### Zero-sized structs.
|
|
|
|
As stated above, a pointer whose bits are all zero is considered a null pointer, *not* a struct of
|
|
zero size. To encode a struct of zero size, set A, C, and D to zero, and set B (the offset) to -1.
|
|
|
|
**Historical explanation:** A null pointer is intended to be treated as equivalent to the field's
|
|
default value. Early on, it was thought that a zero-sized struct was a suitable synonym for
|
|
null, since interpreting an empty struct as any struct type results in a struct whose fields are
|
|
all default-valued. So, the pointer encoding was designed such that a zero-sized struct's pointer
|
|
would be all-zero, so that it could conveniently be overloaded to mean "null".
|
|
|
|
However, it turns out there are two important differences between a zero-sized struct and a null
|
|
pointer. First, applications often check for null explicitly when implementing optional fields.
|
|
Second, an empty struct is technically equivalent to the default value for the struct *type*,
|
|
whereas a null pointer is equivalent to the default value for the particular *field*. These are
|
|
not necessarily the same.
|
|
|
|
It therefore became necessary to find a different encoding for zero-sized structs. Since the
|
|
struct has zero size, the pointer's offset can validly point to any location so long as it is
|
|
in-bounds. Since an offset of -1 points to the beginning of the pointer itself, it is known to
|
|
be in-bounds. So, we use an offset of -1 when the struct has zero size.
|
|
|
|
### Lists
|
|
|
|
A list value is encoded as a pointer to a flat array of values.
|
|
|
|
lsb list pointer msb
|
|
+-+-----------------------------+--+----------------------------+
|
|
|A| B |C | D |
|
|
+-+-----------------------------+--+----------------------------+
|
|
|
|
A (2 bits) = 1, to indicate that this is a list pointer.
|
|
B (30 bits) = Offset, in words, from the end of the pointer to the
|
|
start of the first element of the list. Signed.
|
|
C (3 bits) = Size of each element:
|
|
0 = 0 (e.g. List(Void))
|
|
1 = 1 bit
|
|
2 = 1 byte
|
|
3 = 2 bytes
|
|
4 = 4 bytes
|
|
5 = 8 bytes (non-pointer)
|
|
6 = 8 bytes (pointer)
|
|
7 = composite (see below)
|
|
D (29 bits) = Number of elements in the list, except when C is 7
|
|
(see below).
|
|
|
|
The pointed-to values are tightly-packed. In particular, `Bool`s are packed bit-by-bit in
|
|
little-endian order (the first bit is the least-significant bit of the first byte).
|
|
|
|
When C = 7, the elements of the list are fixed-width composite values -- usually, structs. In
|
|
this case, the list content is prefixed by a "tag" word that describes each individual element.
|
|
The tag has the same layout as a struct pointer, except that the pointer offset (B) instead
|
|
indicates the number of elements in the list. Meanwhile, section (D) of the list pointer -- which
|
|
normally would store this element count -- instead stores the total number of _words_ in the list
|
|
(not counting the tag word). The reason we store a word count in the pointer rather than an element
|
|
count is to ensure that the extents of the list's location can always be determined by inspecting
|
|
the pointer alone, without having to look at the tag; this may allow more-efficient prefetching in
|
|
some use cases. The reason we don't store struct lists as a list of pointers is because doing so
|
|
would take significantly more space (an extra pointer per element) and may be less cache-friendly.
|
|
|
|
In the future, we could consider implementing matrixes using the "composite" element type, with the
|
|
elements being fixed-size lists rather than structs. In this case, the tag would look like a list
|
|
pointer rather than a struct pointer. As of this writing, no such feature has been implemented.
|
|
|
|
A struct list must always be written using C = 7. However, a list of any element size (except
|
|
C = 1, i.e. 1-bit) may be *decoded* as a struct list, with each element being interpreted as being
|
|
a prefix of the struct data. For instance, a list of 2-byte values (C = 3) can be decoded as a
|
|
struct list where each struct has 2 bytes in their "data" section (and an empty pointer section). A
|
|
list of pointer values (C = 6) can be decoded as a struct list where each struct has a pointer
|
|
section with one pointer (and an empty data section). The purpose of this rule is to make it
|
|
possible to upgrade a list of primitives to a list of structs, as described under the
|
|
[protocol evolution rules](language.html#evolving-your-protocol).
|
|
(We make a special exception that boolean lists cannot be upgraded in this way due to the
|
|
unreasonable implementation burden.) Note that even though struct lists can be decoded from any
|
|
element size (except C = 1), it is NOT permitted to encode a struct list using any type other than
|
|
C = 7 because doing so would interfere with the [canonicalization algorithm](#canonicalization).
|
|
|
|
### Inter-Segment Pointers
|
|
|
|
When a pointer needs to point to a different segment, offsets no longer work. We instead encode
|
|
the pointer as a "far pointer", which looks like this:
|
|
|
|
lsb far pointer msb
|
|
+-+-+---------------------------+-------------------------------+
|
|
|A|B| C | D |
|
|
+-+-+---------------------------+-------------------------------+
|
|
|
|
A (2 bits) = 2, to indicate that this is a far pointer.
|
|
B (1 bit) = 0 if the landing pad is one word, 1 if it is two words.
|
|
See explanation below.
|
|
C (29 bits) = Offset, in words, from the start of the target segment
|
|
to the location of the far-pointer landing-pad within that
|
|
segment. Unsigned.
|
|
D (32 bits) = ID of the target segment. (Segments are numbered
|
|
sequentially starting from zero.)
|
|
|
|
If B == 0, then the "landing pad" of a far pointer is normally just another pointer, which in turn
|
|
points to the actual object.
|
|
|
|
If B == 1, then the "landing pad" is itself another far pointer that is interpreted differently:
|
|
This far pointer (which always has B = 0) points to the start of the object's _content_, located in
|
|
some other segment. The landing pad is itself immediately followed by a tag word. The tag word
|
|
looks exactly like an intra-segment pointer to the target object would look, except that the offset
|
|
is always zero.
|
|
|
|
The reason for the convoluted double-far convention is to make it possible to form a new pointer
|
|
to an object in a segment that is full. If you can't allocate even one word in the segment where
|
|
the target resides, then you will need to allocate a landing pad in some other segment, and use
|
|
this double-far approach. This should be exceedingly rare in practice since pointers are normally
|
|
set to point to new objects, not existing ones.
|
|
|
|
### Capabilities (Interfaces)
|
|
|
|
When using Cap'n Proto for [RPC](rpc.html), every message has an associated "capability table"
|
|
which is a flat list of all capabilities present in the message body. The details of what this
|
|
table contains and where it is stored are the responsibility of the RPC system; in some cases, the
|
|
table may not even be part of the message content.
|
|
|
|
A capability pointer, then, simply contains an index into the separate capability table.
|
|
|
|
lsb capability pointer msb
|
|
+-+-----------------------------+-------------------------------+
|
|
|A| B | C |
|
|
+-+-----------------------------+-------------------------------+
|
|
|
|
A (2 bits) = 3, to indicate that this is an "other" pointer.
|
|
B (30 bits) = 0, to indicate that this is a capability pointer.
|
|
(All other values are reserved for future use.)
|
|
C (32 bits) = Index of the capability in the message's capability
|
|
table.
|
|
|
|
In [rpc.capnp](https://github.com/sandstorm-io/capnproto/blob/master/c++/src/capnp/rpc.capnp), the
|
|
capability table is encoded as a list of `CapDescriptors`, appearing along-side the message content
|
|
in the `Payload` struct. However, some use cases may call for different approaches. A message
|
|
that is built and consumed within the same process need not encode the capability table at all
|
|
(it can just keep the table as a separate array). A message that is going to be stored to disk
|
|
would need to store a table of `SturdyRef`s instead of `CapDescriptor`s.
|
|
|
|
## Serialization Over a Stream
|
|
|
|
When transmitting a message, the segments must be framed in some way, i.e. to communicate the
|
|
number of segments and their sizes before communicating the actual data. The best framing approach
|
|
may differ depending on the medium -- for example, messages read via `mmap` or shared memory may
|
|
call for a different approach than messages sent over a socket or a pipe. Cap'n Proto does not
|
|
attempt to specify a framing format for every situation. However, since byte streams are by far
|
|
the most common transmission medium, Cap'n Proto does define and implement a recommended framing
|
|
format for them.
|
|
|
|
When transmitting over a stream, the following should be sent. All integers are unsigned and
|
|
little-endian.
|
|
|
|
* (4 bytes) The number of segments, minus one (since there is always at least one segment).
|
|
* (N * 4 bytes) The size of each segment, in words.
|
|
* (0 or 4 bytes) Padding up to the next word boundary.
|
|
* The content of each segment, in order.
|
|
|
|
### Packing
|
|
|
|
For cases where bandwidth usage matters, Cap'n Proto defines a simple compression scheme called
|
|
"packing". This scheme is based on the observation that Cap'n Proto messages contain lots of
|
|
zero bytes: padding bytes, unset fields, and high-order bytes of small-valued integers.
|
|
|
|
In packed format, each word of the message is reduced to a tag byte followed by zero to eight
|
|
content bytes. The bits of the tag byte correspond to the bytes of the unpacked word, with the
|
|
least-significant bit corresponding to the first byte. Each zero bit indicates that the
|
|
corresponding byte is zero. The non-zero bytes are packed following the tag.
|
|
|
|
For example, here is some typical Cap'n Proto data (a struct pointer (offset = 2, data size = 3,
|
|
pointer count = 2) followed by a text pointer (offset = 6, length = 53)) and its packed form:
|
|
|
|
unpacked (hex): 08 00 00 00 03 00 02 00 19 00 00 00 aa 01 00 00
|
|
packed (hex): 51 08 03 02 31 19 aa 01
|
|
|
|
In addition to the above, there are two tag values which are treated specially: 0x00 and 0xff.
|
|
|
|
* 0x00: The tag is followed by a single byte which indicates a count of consecutive zero-valued
|
|
words, minus 1. E.g. if the tag 0x00 is followed by 0x05, the sequence unpacks to 6 words of
|
|
zero.
|
|
|
|
Or, put another way: the tag is first decoded as if it were not special. Since none of the bits
|
|
are set, it is followed by no bytes and expands to a word full of zeros. After that, the next
|
|
byte is interpreted as a count of _additional_ words that are also all-zero.
|
|
|
|
* 0xff: The tag is followed by the bytes of the word (as if it weren't special), but after those
|
|
bytes is another byte with value N. Following that byte is N unpacked words that should be copied
|
|
directly. These unpacked words may or may not contain zeros -- it is up to the compressor to
|
|
decide when to end the unpacked span and return to packing each word. The purpose of this rule
|
|
is to minimize the impact of packing on data that doesn't contain any zeros -- in particular,
|
|
long text blobs. Because of this rule, the worst-case space overhead of packing is 2 bytes per
|
|
2 KiB of input (256 words = 2KiB).
|
|
|
|
Examples:
|
|
|
|
unpacked (hex): 00 (x 32 bytes)
|
|
packed (hex): 00 03
|
|
|
|
unpacked (hex): 8a (x 32 bytes)
|
|
packed (hex): ff 8a (x 8 bytes) 03 8a (x 24 bytes)
|
|
|
|
Notice that both of the special cases begin by treating the tag as if it weren't special. This
|
|
is intentionally designed to make encoding faster: you can compute the tag value and encode the
|
|
bytes in a single pass through the input word. Only after you've finished with that word do you
|
|
need to check whether the tag ended up being 0x00 or 0xff.
|
|
|
|
It is possible to write both an encoder and a decoder which only branch at the end of each word,
|
|
and only to handle the two special tags. It is not necessary to branch on every byte. See the
|
|
C++ reference implementation for an example.
|
|
|
|
Packing is normally applied on top of the standard stream framing described in the previous
|
|
section.
|
|
|
|
### Compression
|
|
|
|
When Cap'n Proto messages may contain repetitive data (especially, large text blobs), it makes sense
|
|
to apply a standard compression algorithm in addition to packing. When CPU time is scarce, we
|
|
recommend [LZ4 compression](https://code.google.com/p/lz4/). Otherwise, [zlib](http://www.zlib.net)
|
|
is slower but will compress more.
|
|
|
|
## Canonicalization
|
|
|
|
Cap'n Proto messages have a well-defined canonical form. Cap'n Proto encoders are NOT required to
|
|
output messages in canonical form, and in fact they will almost never do so by default. However,
|
|
it is possible to write code which canonicalizes a Cap'n Proto message without knowing its schema.
|
|
|
|
A canonical Cap'n Proto message must adhere to the following rules:
|
|
|
|
* The object tree must be encoded in preorder (with respect to the order of the pointers within
|
|
each object).
|
|
* The message must be encoded as a single segment. (When signing or hashing a canonical Cap'n Proto
|
|
message, the segment table shall not be included, because it would be redundant.)
|
|
* Trailing zero-valued words in a struct's data or pointer segments must be truncated. Since zero
|
|
represents a default value, this does not change the struct's meaning. This rule is important
|
|
to ensure that adding a new field to a struct does not affect the canonical encoding of messages
|
|
that do not set that field.
|
|
* Similarly, for a struct list, if a trailing word in a section of all structs in the list is zero,
|
|
then it must be truncated from all structs in the list. (All structs in a struct list must have
|
|
equal sizes, hence a trailing zero can only be removed if it is zero in all elements.)
|
|
* Any struct pointer pointing to a zero-sized struct should have an offset of -1.
|
|
* Canonical messages are not packed. However, packing can still be applied for transmission
|
|
purposes; the message must simply be unpacked before checking signatures.
|
|
|
|
Note that Cap'n Proto 0.5 introduced the rule that struct lists must always be encoded using
|
|
C = 7 in the [list pointer](#lists). Prior versions of Cap'n Proto allowed struct lists to be
|
|
encoded using any element size, so that small structs could be compacted to take less than a word
|
|
per element, and many encoders in fact implemented this. Unfortunately, this "optimization" made
|
|
canonicalization impossible without knowing the schema, which is a significant obstacle. Therefore,
|
|
the rules have been changed in 0.5, but data written by previous versions may not be possible to
|
|
canonicalize.
|
|
|
|
## Security Considerations
|
|
|
|
A naive implementation of a Cap'n Proto reader may be vulnerable to attacks based on various kinds
|
|
of malicious input. Implementations MUST guard against these.
|
|
|
|
### Pointer Validation
|
|
|
|
Cap'n Proto readers must validate pointers, e.g. to check that the target object is within the
|
|
bounds of its segment. To avoid an upfront scan of the message (which would defeat Cap'n Proto's
|
|
O(1) parsing performance), validation should occur lazily when the getter method for a pointer is
|
|
called, throwing an exception or returning a default value if the pointer is invalid.
|
|
|
|
### Amplification attack
|
|
|
|
A message containing cyclic (or even just overlapping) pointers can cause the reader to go into
|
|
an infinite loop while traversing the content.
|
|
|
|
To defend against this, as the application traverses the message, each time a pointer is
|
|
dereferenced, a counter should be incremented by the size of the data to which it points. If this
|
|
counter goes over some limit, an error should be raised, and/or default values should be returned. We call this limit the "traversal limit" (or, sometimes, the "read limit").
|
|
|
|
The C++ implementation currently defaults to a limit of 64MiB, but allows the caller to set a
|
|
different limit if desired. Another reasonable strategy is to set the limit to some multiple of
|
|
the original message size; however, most applications should place limits on overall message sizes
|
|
anyway, so it makes sense to have one check cover both.
|
|
|
|
**List amplification:** A list of `Void` values or zero-size structs can have a very large element count while taking constant space on the wire. If the receiving application expects a list of structs, it will see these zero-sized elements as valid structs set to their default values. If it iterates through the list processing each element, it could spend a large amount of CPU time or other resources despite the message being small. To defend against this, the "traversal limit" should count a list of zero-sized elements as if each element were one word instead. This rule was introduced in the C++ implementation in [commit 1048706](https://github.com/sandstorm-io/capnproto/commit/104870608fde3c698483fdef6b97f093fc15685d).
|
|
|
|
### Stack overflow DoS attack
|
|
|
|
A message with deeply-nested objects can cause a stack overflow in typical code which processes
|
|
messages recursively.
|
|
|
|
To defend against this, as the application traverses the message, the pointer depth should be
|
|
tracked. If it goes over some limit, an error should be raised. The C++ implementation currently
|
|
defaults to a limit of 64 pointers, but allows the caller to set a different limit.
|