
[FFmpeg-devel] avcodec/dovi_rpudec: replace brittle struct copying code

Message ID 20240605095959.17135-1-ffmpeg@haasn.xyz
State New

Checks

Context               Check    Description
andriy/make_fate_x86  success  Make fate finished
andriy/make_x86       warning  New warnings during build

Commit Message

Niklas Haas June 5, 2024, 9:59 a.m. UTC
From: Niklas Haas <git@haasn.dev>

This code was unnecessarily trying to be robust against downgrades of
libavutil (relative to the version libavcodec was compiled against), but
in the process, ended up with very brittle code that is easy to
accidentally forget to update when adding new fields.

Instead, do the obvious thing and just directly copy the parts of the
struct known at compile time. Since it is not generally supported to
link against a version of libavutil older than the version libavcodec
was compiled against, the struct shrinking externally is not a case we
need to be worrying about.
---
 libavcodec/dovi_rpudec.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

Comments

Andreas Rheinhardt June 5, 2024, 10:07 a.m. UTC | #1
Niklas Haas:
> From: Niklas Haas <git@haasn.dev>
> 
> This code was unnecessarily trying to be robust against downgrades of
> libavutil (relative to the version libavcodec was compiled against), but
> in the process, ended up with very brittle code that is easy to
> accidentally forget to update when adding new fields.
> 
> Instead, do the obvious thing and just directly copy the parts of the
> struct known at compile time. Since it is not generally supported to
> link against a version of libavutil older than the version libavcodec
> was compiled against, the struct shrinking externally is not a case we
> need to be worrying about.

The exact opposite is true: The code is trying to be robust against
upgrades of libavutil. The reason for this is potential trailing padding
in the structures that are copied here. It may be used for actual stuff
in a future libavutil and the approach you use here allows the compiler
to clobber it.

(How would this code be robust against downgrades of libavutil at all?
There is no check here that sizeof of the side data is big enough to
contain everything we expect it to contain.)

> ---
>  libavcodec/dovi_rpudec.c | 12 +++++-------
>  1 file changed, 5 insertions(+), 7 deletions(-)
> 
> diff --git a/libavcodec/dovi_rpudec.c b/libavcodec/dovi_rpudec.c
> index 7c7eda9d09..adf2c00cf5 100644
> --- a/libavcodec/dovi_rpudec.c
> +++ b/libavcodec/dovi_rpudec.c
> @@ -56,14 +56,12 @@ int ff_dovi_attach_side_data(DOVIContext *s, AVFrame *frame)
>          return AVERROR(ENOMEM);
>      }
>  
> -    /* Copy only the parts of these structs known to us at compiler-time. */
> -#define COPY(t, a, b, last) memcpy(a, b, offsetof(t, last) + sizeof((b)->last))
> -    COPY(AVDOVIRpuDataHeader, av_dovi_get_header(dovi), &s->header, disable_residual_flag);
> -    COPY(AVDOVIDataMapping, av_dovi_get_mapping(dovi), s->mapping, nlq_pivots);
> -    COPY(AVDOVIColorMetadata, av_dovi_get_color(dovi), s->color, source_diagonal);
> -    ext_sz = FFMIN(sizeof(AVDOVIDmData), dovi->ext_block_size);
> +    *av_dovi_get_header(dovi)  = s->header;
> +    *av_dovi_get_mapping(dovi) = *s->mapping;
> +    *av_dovi_get_color(dovi)   = *s->color;
> +    av_assert0(dovi->ext_block_size >= sizeof(AVDOVIDmData));
>      for (int i = 0; i < s->num_ext_blocks; i++)
> -        memcpy(av_dovi_get_ext(dovi, i), &s->ext_blocks[i], ext_sz);
> +        *av_dovi_get_ext(dovi, i) = s->ext_blocks[i];
>      dovi->num_ext_blocks = s->num_ext_blocks;
>      return 0;
>  }
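
Review bot: The three whole-struct assignments (`*av_dovi_get_header(dovi) = s->header;` and the mapping and color lines) let the compiler write all sizeof bytes of each struct, trailing padding included, whereas the removed COPY macro stopped at offsetof(t, last) + sizeof of the last field. The removed comment was the only place that documented this intent; if the assignments stay, add a comment stating what is assumed about the libavutil version at run time, and reword the commit message, whose rationale about downgrades does not describe what the old code guarded against.
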
Niklas Haas June 5, 2024, 12:23 p.m. UTC | #2
On Wed, 05 Jun 2024 12:07:08 +0200 Andreas Rheinhardt <andreas.rheinhardt@outlook.com> wrote:
> Niklas Haas:
> > From: Niklas Haas <git@haasn.dev>
> > 
> > This code was unnecessarily trying to be robust against downgrades of
> > libavutil (relative to the version libavcodec was compiled against), but
> > in the process, ended up with very brittle code that is easy to
> > accidentally forget to update when adding new fields.
> > 
> > Instead, do the obvious thing and just directly copy the parts of the
> > struct known at compile time. Since it is not generally supported to
> > link against a version of libavutil older than the version libavcodec
> > was compiled against, the struct shrinking externally is not a case we
> > need to be worrying about.
> 
> The exact opposite is true: The code is trying to be robust against
> upgrades of libavutil. The reason for this is potential trailing padding
> in the structures that are copied here. It may be used for actual stuff
> in a future libavutil and the approach you use here allows the compiler
> to clobber it.
> 
> (How would this code be robust against downgrades of libavutil at all?
> There is no check here that sizeof of the side data is big enough to
> contain everything we expect it to contain.)

I should clearly not write code immediately after waking up.

Yes, true, the only thing this logic is trying to accomplish is being
robust against the struct gaining extra padding in the future.

That said, I still think the code as written is brittle and I'm not sure
it's providing anything useful. What is the likelihood of this struct
being extended in a way that does not affect the encoder, vs. the
likelihood of this struct being extended but somebody forgetting to bump
the equivalent "last field" entry in this file?

Anecdotally, the latter has already happened once.
Cosmin Stejerean June 5, 2024, 9:24 p.m. UTC | #3
> On Jun 5, 2024, at 5:23 AM, Niklas Haas <ffmpeg@haasn.xyz> wrote:
> 
> On Wed, 05 Jun 2024 12:07:08 +0200 Andreas Rheinhardt <andreas.rheinhardt@outlook.com> wrote:
>> Niklas Haas:
>>> From: Niklas Haas <git@haasn.dev>
>>> 
>>> This code was unnecessarily trying to be robust against downgrades of
>>> libavutil (relative to the version libavcodec was compiled against), but
>>> in the process, ended up with very brittle code that is easy to
>>> accidentally forget to update when adding new fields.
>>> 
>>> Instead, do the obvious thing and just directly copy the parts of the
>>> struct known at compile time. Since it is not generally supported to
>>> link against a version of libavutil older than the version libavcodec
>>> was compiled against, the struct shrinking externally is not a case we
>>> need to be worrying about.
>> 
>> The exact opposite is true: The code is trying to be robust against
>> upgrades of libavutil. The reason for this is potential trailing padding
>> in the structures that are copied here. It may be used for actual stuff
>> in a future libavutil and the approach you use here allows the compiler
>> to clobber it.
>> 
>> (How would this code be robust against downgrades of libavutil at all?
>> There is no check here that sizeof of the side data is big enough to
>> contain everything we expect it to contain.)
> 
> I should clearly not write code immediately after waking up.
> 
> Yes, true, the only thing this logic is trying to accomplish is being
> robust against the struct gaining extra padding in the future.
> 
> That said, I still think the code as written is brittle and I'm not sure
> it's providing anything useful. What is the likelihood of this struct
> being extended in a way that does not affect the encoder, vs. the
> likelihood of this struct being extended but somebody forgetting to bump
> the equivalent "last field" entry in this file?
> 
> Anecdotally, the latter has already happened once.

+1, having already tripped on this on my patch to add ext_mapping_idc* fields I can confirm that it's easy to trip on this, easy to miss unless you carefully inspect the RPU afterwards, and then hard to spot where the problem is without having to trace through the code and catch this copy.

The new approach seems much better in practice.

- Cosmin
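
The trailing-padding concern raised in comment #1, as an added example that is not part of the thread or of FFmpeg: a caller built against an older layout copies into a buffer owned by a newer library that has placed a field in the old padding. `HdrV1`, `HdrV2`, `KNOWN_SIZE` and the helper functions are hypothetical names, and the `memcpy` of `sizeof(HdrV1)` stands in for what a compiler is permitted to emit for a struct assignment.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout the caller was compiled against (hypothetical, not an FFmpeg struct). */
typedef struct HdrV1 {
    uint64_t coef;
    uint8_t  last_flag;   /* last field the caller knows about */
} HdrV1;                  /* trailing padding follows last_flag */

/* Layout in an upgraded library: a new field lives in the old padding. */
typedef struct HdrV2 {
    uint64_t coef;
    uint8_t  last_flag;
    uint8_t  new_field;
} HdrV2;

_Static_assert(sizeof(HdrV1) == sizeof(HdrV2), "new field must fit in padding");

/* Bytes up to and including the last field known at compile time. */
#define KNOWN_SIZE(t, last) (offsetof(t, last) + sizeof(((t *)0)->last))

/* Library side: allocate with defaults, as the newer library would. */
static void lib_init(unsigned char *buf)
{
    memset(buf, 0, sizeof(HdrV2));
    buf[offsetof(HdrV2, new_field)] = 0x5A;   /* constructed default value */
}

/* Caller side: copy n bytes of its V1 data, then report what the
 * library would read back from new_field. */
static uint8_t new_field_after_copy(size_t n)
{
    unsigned char dst[sizeof(HdrV2)];
    unsigned char src[sizeof(HdrV1)] = {0};   /* padding bytes are zero */
    uint64_t coef = 42;

    memcpy(src + offsetof(HdrV1, coef), &coef, sizeof(coef));
    src[offsetof(HdrV1, last_flag)] = 1;
    lib_init(dst);
    memcpy(dst, src, n);
    return dst[offsetof(HdrV2, new_field)];
}

int main(void)
{
    printf("prefix copy: new_field = 0x%02X\n",
           (unsigned)new_field_after_copy(KNOWN_SIZE(HdrV1, last_flag)));
    printf("whole copy:  new_field = 0x%02X\n",
           (unsigned)new_field_after_copy(sizeof(HdrV1)));
    return 0;
}
```
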

Patch

diff --git a/libavcodec/dovi_rpudec.c b/libavcodec/dovi_rpudec.c
index 7c7eda9d09..adf2c00cf5 100644
--- a/libavcodec/dovi_rpudec.c
+++ b/libavcodec/dovi_rpudec.c
@@ -56,14 +56,12 @@  int ff_dovi_attach_side_data(DOVIContext *s, AVFrame *frame)
         return AVERROR(ENOMEM);
     }
 
-    /* Copy only the parts of these structs known to us at compiler-time. */
-#define COPY(t, a, b, last) memcpy(a, b, offsetof(t, last) + sizeof((b)->last))
-    COPY(AVDOVIRpuDataHeader, av_dovi_get_header(dovi), &s->header, disable_residual_flag);
-    COPY(AVDOVIDataMapping, av_dovi_get_mapping(dovi), s->mapping, nlq_pivots);
-    COPY(AVDOVIColorMetadata, av_dovi_get_color(dovi), s->color, source_diagonal);
-    ext_sz = FFMIN(sizeof(AVDOVIDmData), dovi->ext_block_size);
+    *av_dovi_get_header(dovi)  = s->header;
+    *av_dovi_get_mapping(dovi) = *s->mapping;
+    *av_dovi_get_color(dovi)   = *s->color;
+    av_assert0(dovi->ext_block_size >= sizeof(AVDOVIDmData));
     for (int i = 0; i < s->num_ext_blocks; i++)
-        memcpy(av_dovi_get_ext(dovi, i), &s->ext_blocks[i], ext_sz);
+        *av_dovi_get_ext(dovi, i) = s->ext_blocks[i];
     dovi->num_ext_blocks = s->num_ext_blocks;
     return 0;
 }
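
Review bot: `av_assert0(dovi->ext_block_size >= sizeof(AVDOVIDmData));` turns the size mismatch that the removed `FFMIN(sizeof(AVDOVIDmData), dovi->ext_block_size)` clamp tolerated into a process abort; consider returning an error the way the ENOMEM path just above does, so that a mismatched library fails the call rather than the whole application. The hunk also removes the only visible assignment and use of ext_sz without removing its declaration, which would leave an unused variable and may be the source of the new build warning reported by the make_x86 check.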