"""
# Serialise package
This package provides support for serialising and deserialising arbitrary data
structures.
The API is designed to require capability tokens, as otherwise serialising
would leak the bit patterns of all private information in a type if the
resulting Array[U8] could be examined.
Deserialisation is fundamentally unsafe currently: there isn't yet a
verification pass to check that the resulting object graph maintains a
well-formed heap or that individual objects maintain any expected local
invariants. However, if only "trusted" data (i.e. data produced by Pony
serialisation from the same binary) is deserialised, it will always maintain a
well-formed heap and all object invariants.
Note that serialised data is not usable between different Pony binaries. This is
due to the use of type identifiers rather than a heavy-weight self-describing
serialisation schema. This also means it isn't safe to deserialise something
serialised by the same program compiled for a different platform.
The [Serialise.signature](serialise-Serialise.md#signature) method is provided
for the purposes of comparing communicating Pony binaries to determine if they
are the same. Confirming this before deserialising data can help mitigate the
risk of accidental serialisation across different Pony binaries, but does not on
its own address the security issues of accepting data from untrusted sources.
"""
use @"internal.signature"[Array[U8] val]()
use @pony_ctx[Pointer[None]]()
use @pony_alloc[Pointer[U8]](ctx: Pointer[None], size: USize)
use @pony_alloc_final[Pointer[U8]](ctx: Pointer[None], size: USize)
use @pony_serialise[None](ctx: Pointer[None], data: Any box, typ: Pointer[None],
arr_out: Array[U8] tag, alloc_fn: @{(Pointer[None], USize): Pointer[U8]},
throw_fn: @{(): None ?}) ?
use @pony_deserialise[Any iso^](ctx: Pointer[None], typ: Pointer[None],
arr_in: Array[U8] val, alloc_fn: @{(Pointer[None], USize): Pointer[U8]},
alloc_final_fn: @{(Pointer[None], USize): Pointer[U8]}, throw_fn: @{(): None ?}) ?
primitive Serialise
fun signature(): Array[U8] val =>
"""
Returns a byte array that is unique to this compiled Pony binary, for the
purposes of comparing before deserialising any data from that source.
It is statistically impossible for two serialisation-incompatible Pony
binaries to have the same serialise signature.
"""
@"internal.signature"()
primitive SerialiseAuth
"""
This is a capability that allows the holder to serialise objects. It does not
allow the holder to examine serialised data or to deserialise objects.
"""
new create(auth: AmbientAuth) =>
None
primitive DeserialiseAuth
"""
This is a capability token that allows the holder to deserialise objects. It
does not allow the holder to serialise objects or examine serialised data.
"""
new create(auth: AmbientAuth) =>
None
primitive OutputSerialisedAuth
"""
This is a capability token that allows the holder to examine serialised data.
This should only be provided to types that need to write serialised data to
some output stream, such as a file or socket. A type with the [SerialiseAuth](serialise-SerialiseAuth.md)
capability should usually not also have OutputSerialisedAuth, as the
combination gives the holder the ability to examine the bitwise contents of
any object it has a reference to.
"""
new create(auth: AmbientAuth) =>
None
primitive InputSerialisedAuth
"""
This is a capability token that allows the holder to treat arbitrary
bytes as serialised data. This is the most dangerous capability, as currently
it is possible for a malformed chunk of data to crash your program if it is
deserialised.
"""
new create(auth: AmbientAuth) =>
None
class val Serialised
"""
This represents serialised data. How it can be used depends on the other
capabilities a caller holds.
"""
let _data: Array[U8] val
new create(auth: SerialiseAuth, data: Any box) ? =>
"""
A caller with SerialiseAuth can create serialised data from any object.
"""
let r = recover Array[U8] end
let alloc_fn =
@{(ctx: Pointer[None], size: USize): Pointer[U8] =>
@pony_alloc(ctx, size)
}
let throw_fn = @{() ? => error }
@pony_serialise(@pony_ctx(), data, Pointer[None], r, alloc_fn, throw_fn) ?
_data = consume r
new input(auth: InputSerialisedAuth, data: Array[U8] val) =>
"""
A caller with InputSerialisedAuth can create serialised data from any
arbitrary set of bytes. It is the caller's responsibility to ensure that
the data is in fact well-formed serialised data. This is currently the most
dangerous method, as there is currently no way to check validity at
runtime.
"""
_data = data
fun apply(auth: DeserialiseAuth): Any iso^ ? =>
"""
A caller with DeserialiseAuth can create an object graph from serialised
data.
"""
let alloc_fn =
@{(ctx: Pointer[None], size: USize): Pointer[U8] =>
@pony_alloc(ctx, size)
}
let alloc_final_fn =
@{(ctx: Pointer[None], size: USize): Pointer[U8] =>
@pony_alloc_final(ctx, size)
}
let throw_fn = @{() ? => error }
@pony_deserialise(@pony_ctx(), Pointer[None], _data, alloc_fn,
alloc_final_fn, throw_fn) ?
fun output(auth: OutputSerialisedAuth): Array[U8] val =>
"""
A caller with OutputSerialisedAuth can gain access to the underlying bytes
that contain the serialised data. This can be used to write those bytes to,
for example, a file or socket.
"""
_data