Merge TASK-004: Add httpserver::iovec_entry POD with layout-pinning asserts

Author: etr

src/Makefile.am

@@ -24,7 +24,7 @@ libhttpserver_la_SOURCES = string_utilities.cpp webserver.cpp http_utils.cpp fil
 # Detail headers (httpserver/details/*.hpp) live here so they cannot leak to
 # downstream consumers — the public surface comes in through <httpserver.hpp>.
 noinst_HEADERS = httpserver/string_utilities.hpp httpserver/details/modded_request.hpp httpserver/details/http_endpoint.hpp gettext.h
-nobase_include_HEADERS = httpserver.hpp httpserver/create_webserver.hpp httpserver/webserver.hpp httpserver/http_utils.hpp httpserver/file_info.hpp httpserver/http_request.hpp httpserver/http_response.hpp httpserver/http_resource.hpp httpserver/string_response.hpp httpserver/digest_auth_fail_response.hpp httpserver/deferred_response.hpp httpserver/file_response.hpp httpserver/pipe_response.hpp httpserver/empty_response.hpp httpserver/feature_unavailable.hpp httpserver/iovec_response.hpp httpserver/http_arg_value.hpp
+nobase_include_HEADERS = httpserver.hpp httpserver/create_webserver.hpp httpserver/webserver.hpp httpserver/http_utils.hpp httpserver/file_info.hpp httpserver/http_request.hpp httpserver/http_response.hpp httpserver/http_resource.hpp httpserver/string_response.hpp httpserver/digest_auth_fail_response.hpp httpserver/deferred_response.hpp httpserver/file_response.hpp httpserver/pipe_response.hpp httpserver/empty_response.hpp httpserver/feature_unavailable.hpp httpserver/iovec_entry.hpp httpserver/iovec_response.hpp httpserver/http_arg_value.hpp
 
 if HAVE_BAUTH
 libhttpserver_la_SOURCES += basic_auth_fail_response.cpp

src/httpserver.hpp

@@ -42,6 +42,7 @@
 #include "httpserver/http_resource.hpp"
 #include "httpserver/http_response.hpp"
 #include "httpserver/http_utils.hpp"
+#include "httpserver/iovec_entry.hpp"
 #include "httpserver/iovec_response.hpp"
 #include "httpserver/file_info.hpp"
 #include "httpserver/pipe_response.hpp"

src/httpserver/iovec_entry.hpp

@@ -0,0 +1,50 @@
+/*
+     This file is part of libhttpserver
+     Copyright (C) 2011-2019 Sebastiano Merlino
+
+     This library is free software; you can redistribute it and/or
+     modify it under the terms of the GNU Lesser General Public
+     License as published by the Free Software Foundation; either
+     version 2.1 of the License, or (at your option) any later version.
+
+     This library is distributed in the hope that it will be useful,
+     but WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Lesser General Public License for more details.
+
+     You should have received a copy of the GNU Lesser General Public
+     License along with this library; if not, write to the Free Software
+     Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301
+     USA
+*/
+
+#if !defined (_HTTPSERVER_HPP_INSIDE_) && !defined (HTTPSERVER_COMPILATION)
+#error "Only <httpserver.hpp> or <httpserverpp> can be included directly."
+#endif
+
+#ifndef SRC_HTTPSERVER_IOVEC_ENTRY_HPP_
+#define SRC_HTTPSERVER_IOVEC_ENTRY_HPP_
+
+#include <cstddef>
+
+namespace httpserver {
+
+// Library-defined POD describing a single scatter/gather buffer at the
+// public API surface. Replaces `struct iovec` from <sys/uio.h>, keeping
+// the public-header surface free of POSIX-only system headers.
+//
+// Layout is pinned to match POSIX `struct iovec` and libmicrohttpd's
+// `MHD_IoVec` so the dispatch path can `reinterpret_cast` a contiguous
+// array of iovec_entry into either C type at zero copy. The pinning
+// asserts live next to the cast site (currently `iovec_response.cpp`,
+// moving to `details/body.hpp` once TASK-009 lands).
+//
+// `base` is `const void*` because libhttpserver never writes through
+// these buffers on the response path.
+struct iovec_entry {
+    const void* base;
+    std::size_t len;
+};
+
+}  // namespace httpserver
+#endif  // SRC_HTTPSERVER_IOVEC_ENTRY_HPP_

src/httpserver/iovec_response.hpp

@@ -30,6 +30,7 @@
 #include <vector>
 #include "httpserver/http_utils.hpp"
 #include "httpserver/http_response.hpp"
+#include "httpserver/iovec_entry.hpp"
 
 struct MHD_Response;
 
@@ -39,25 +40,66 @@ class iovec_response : public http_response {
  public:
      iovec_response() = default;
 
+     // Owning constructor: the response takes ownership of the string buffers.
+     // The iovec_entry array is built eagerly at construction so get_raw_response()
+     // allocates nothing on the hot dispatch path.
      explicit iovec_response(
-             std::vector<std::string> buffers,
+             std::vector<std::string> owned_buffers,
              int response_code = http::http_utils::http_ok,
-             const std::string& content_type = http::http_utils::text_plain):
-         http_response(response_code, content_type),
-         buffers(std::move(buffers)) { }
+             const std::string& content_type = http::http_utils::text_plain);
+
+     /**
+      * Non-owning constructor: the caller supplies pre-built iovec_entry pairs.
+      * This is TASK-004's genuine zero-copy path: no heap allocation or data
+      * copy is performed.
+      *
+      * @attention The caller is responsible for keeping the pointed-to buffers
+      * alive at least until MHD_destroy_response() returns for the response
+      * produced by get_raw_response(). libmicrohttpd holds a reference to the
+      * buffer pointers until MHD_destroy_response() is called in the dispatch
+      * path (webserver.cpp). Freeing any backing buffer before that point
+      * causes a use-after-free inside libmicrohttpd (CWE-416). In practice
+      * this means the buffers must outlive the iovec_response object AND the
+      * MHD response lifecycle, which ends at MHD_destroy_response().
+      *
+      * @note This API surface is transitional (see PRD-RSP-REQ-006 /
+      * TASK-010); it will be removed or replaced in a future v2.0 revision.
+      */
+     explicit iovec_response(
+             std::vector<iovec_entry> caller_entries,
+             int response_code = http::http_utils::http_ok,
+             const std::string& content_type = http::http_utils::text_plain);
+
+     // Copy construction and copy assignment are deleted: the owning constructor
+     // stores void* pointers (entries_) into owned_buffers_ string storage.
+     // A defaulted copy would shallow-copy entries_ while deep-copying
+     // owned_buffers_ to new addresses, making entries_ dangle as soon as the
+     // source is destroyed (CWE-416). Deletion forces callers onto move
+     // semantics, which are safe because std::vector move transfers the heap
+     // block and keeps string addresses stable.
+     iovec_response(const iovec_response&) = delete;
+     iovec_response& operator=(const iovec_response&) = delete;
 
-     iovec_response(const iovec_response& other) = default;
      iovec_response(iovec_response&& other) noexcept = default;
-
-     iovec_response& operator=(const iovec_response& b) = default;
-     iovec_response& operator=(iovec_response&& b) = default;
+     iovec_response& operator=(iovec_response&& b) noexcept = default;
 
      ~iovec_response() = default;
 
+     // Returns a new MHD_Response* or nullptr on error (e.g. buffer count
+     // exceeds MHD's unsigned-int limit). The caller does not own the returned
+     // pointer; MHD manages its lifetime. May return nullptr; all callers on
+     // the dispatch path must check before use.
      MHD_Response* get_raw_response();
 
  private:
-     std::vector<std::string> buffers;
+     // Owned string buffers (populated by the owning constructor).
+     std::vector<std::string> owned_buffers_;
+
+     // Flattened iovec_entry array ready for the MHD cast. For the owning
+     // constructor this is populated at construction time (zero allocation on
+     // dispatch). For the non-owning constructor the caller-supplied entries
+     // are stored directly.
+     std::vector<iovec_entry> entries_;
 };
 
 }  // namespace httpserver

src/iovec_response.cpp

@@ -19,26 +19,113 @@
 */
 
 #include "httpserver/iovec_response.hpp"
+#include "httpserver/iovec_entry.hpp"
+
+#include <cstddef>
+#include <limits>
 #include <microhttpd.h>
+#include <sys/uio.h>
+#include <type_traits>
 #include <vector>
 
 struct MHD_Response;
 
 namespace httpserver {
 
+// ---------------------------------------------------------------------------
+// TASK-004: layout-pinning static_asserts.
+//
+// httpserver::iovec_entry is the public scatter/gather POD; libmicrohttpd's
+// MHD_IoVec is the actual cast target on the dispatch path. POSIX struct
+// iovec is asserted in parallel because the spec mandates it and because
+// every platform we ship to defines all three with identical layout
+// (glibc, musl, macOS, FreeBSD, NetBSD, OpenBSD, illumos).
+//
+// LIBHTTPSERVER_TODO_TASK004_MEMCPY_FALLBACK: if any of the asserts below
+// ever fires on a divergent-layout platform, the fix is to replace the
+// reinterpret_cast in the dispatch path with an element-by-element copy
+// into a stack/heap MHD_IoVec[]. Until such a platform appears the
+// asserts are the gate — a build failure on the divergent platform is
+// the desired outcome (loud, immediate, with the assert string naming
+// what diverged).
+// ---------------------------------------------------------------------------
+static_assert(sizeof(::httpserver::iovec_entry) == sizeof(struct iovec),
+    "iovec_entry size must match POSIX struct iovec — divergent platform; "
+    "implement memcpy fallback (see TASK-004)");
+static_assert(offsetof(::httpserver::iovec_entry, base) ==
+                  offsetof(struct iovec, iov_base),
+    "iovec_entry::base offset must match struct iovec::iov_base");
+static_assert(offsetof(::httpserver::iovec_entry, len) ==
+                  offsetof(struct iovec, iov_len),
+    "iovec_entry::len offset must match struct iovec::iov_len");
+
+static_assert(sizeof(::httpserver::iovec_entry) == sizeof(MHD_IoVec),
+    "iovec_entry size must match libmicrohttpd MHD_IoVec — MHD layout drift");
+static_assert(offsetof(::httpserver::iovec_entry, base) ==
+                  offsetof(MHD_IoVec, iov_base),
+    "iovec_entry::base offset must match MHD_IoVec::iov_base");
+static_assert(offsetof(::httpserver::iovec_entry, len) ==
+                  offsetof(MHD_IoVec, iov_len),
+    "iovec_entry::len offset must match MHD_IoVec::iov_len");
+
+// Alignment pinning: ensures the reinterpret_cast array stride is safe on
+// architectures that trap on misaligned loads (SPARC, some ARM configs).
+// CWE-704: without alignof equality the cast is UB even when size/offset match.
+static_assert(alignof(::httpserver::iovec_entry) == alignof(struct iovec),
+    "iovec_entry alignment must match POSIX struct iovec — divergent platform; "
+    "implement memcpy fallback (see TASK-004)");
+static_assert(alignof(::httpserver::iovec_entry) == alignof(MHD_IoVec),
+    "iovec_entry alignment must match MHD_IoVec — MHD layout drift");
+
+// Standard-layout guarantee: required so that reinterpret_cast between
+// pointer-interconvertible types is well-defined under -fstrict-aliasing.
+static_assert(std::is_standard_layout_v<::httpserver::iovec_entry>,
+    "iovec_entry must be standard layout for reinterpret_cast to MHD_IoVec");
+
+iovec_response::iovec_response(
+        std::vector<std::string> owned_buffers,
+        int response_code,
+        const std::string& content_type)
+    : http_response(response_code, content_type),
+      owned_buffers_(std::move(owned_buffers)) {
+    // Build the iovec_entry array eagerly so get_raw_response() is
+    // allocation-free on the hot dispatch path.
+    entries_.reserve(owned_buffers_.size());
+    for (const auto& b : owned_buffers_) {
+        entries_.push_back({b.data(), b.size()});
+    }
+}
+
+iovec_response::iovec_response(
+        std::vector<iovec_entry> caller_entries,
+        int response_code,
+        const std::string& content_type)
+    : http_response(response_code, content_type),
+      entries_(std::move(caller_entries)) {
+    // owned_buffers_ is empty — buffer ownership stays with the caller.
+}
+
 MHD_Response* iovec_response::get_raw_response() {
-    // MHD_create_response_from_iovec makes an internal copy of the iov array,
-    // so the local vector is safe. The buffer data pointed to by iov_base must
-    // remain valid until the response is destroyed — this is guaranteed because
-    // the buffers are owned by this iovec_response object.
-    std::vector<MHD_IoVec> iov(buffers.size());
-    for (size_t i = 0; i < buffers.size(); ++i) {
-        iov[i].iov_base = buffers[i].data();
-        iov[i].iov_len = buffers[i].size();
+    // Guard against integer narrowing: MHD_create_response_from_iovec takes
+    // an unsigned int count. A vector with more than UINT_MAX entries would
+    // silently truncate, causing MHD to read only part of the array while the
+    // reported body length diverges from the actual allocation (CWE-190,
+    // CWE-125). Return nullptr (the documented MHD "error" sentinel) instead.
+    if (entries_.size() >
+            static_cast<std::size_t>(
+                std::numeric_limits<unsigned int>::max())) {
+        return nullptr;
     }
+
+    // The reinterpret_cast is well-defined because the layout-pinning
+    // static_asserts above guarantee identical size, field offsets, and
+    // alignment between iovec_entry and MHD_IoVec (C++ [basic.align],
+    // CWE-704). entries_ was populated at construction time: no heap
+    // allocation occurs on this path. The cast bridge will move into
+    // details/body.hpp when TASK-009 lands.
     return MHD_create_response_from_iovec(
-        iov.data(),
-        static_cast<unsigned int>(iov.size()),
+        reinterpret_cast<const MHD_IoVec*>(entries_.data()),
+        static_cast<unsigned int>(entries_.size()),
         nullptr,
         nullptr);
 }

test/Makefile.am

@@ -26,7 +26,7 @@ LDADD += -lcurl
 
 AM_CPPFLAGS = -I$(top_srcdir)/src -I$(top_srcdir)/src/httpserver/ -DHTTPSERVER_COMPILATION
 METASOURCES = AUTO
-check_PROGRAMS = basic file_upload http_utils threaded nodelay string_utilities http_endpoint ban_system ws_start_stop authentication deferred http_resource http_response create_webserver new_response_types daemon_info uri_log feature_unavailable
+check_PROGRAMS = basic file_upload http_utils threaded nodelay string_utilities http_endpoint ban_system ws_start_stop authentication deferred http_resource http_response create_webserver new_response_types daemon_info uri_log feature_unavailable header_hygiene_iovec iovec_entry iovec_response
 
 MOSTLYCLEANFILES = *.gcda *.gcno *.gcov
 
@@ -52,6 +52,9 @@ uri_log_SOURCES = unit/uri_log_test.cpp
 # LDADD (modern ld enforces --no-copy-dt-needed-entries).
 uri_log_LDADD = $(LDADD) -lmicrohttpd
 feature_unavailable_SOURCES = unit/feature_unavailable_test.cpp
+header_hygiene_iovec_SOURCES = unit/header_hygiene_iovec_test.cpp
+iovec_entry_SOURCES = unit/iovec_entry_test.cpp
+iovec_response_SOURCES = unit/iovec_response_test.cpp
 
 noinst_HEADERS = littletest.hpp
 AM_CXXFLAGS += -Wall -fPIC -Wno-overloaded-virtual

test/unit/header_hygiene_iovec_test.cpp

@@ -0,0 +1,80 @@
+/*
+     This file is part of libhttpserver
+     Copyright (C) 2011-2019 Sebastiano Merlino
+
+     This library is free software; you can redistribute it and/or
+     modify it under the terms of the GNU Lesser General Public
+     License as published by the Free Software Foundation; either
+     version 2.1 of the License, or (at your option) any later version.
+
+     This library is distributed in the hope that it will be useful,
+     but WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     Lesser General Public License for more details.
+
+     You should have received a copy of the GNU Lesser General Public
+     License along with this library; if not, write to the Free Software
+     Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301
+     USA
+*/
+
+// Header-hygiene sentinel for TASK-004:
+//
+// AC #4 of TASK-004 ("public header must not include <sys/uio.h>") is
+// enforced by including iovec_entry.hpp in isolation, then checking the
+// well-known include-guard macros that <sys/uio.h> defines on every
+// supported platform:
+//
+//   Linux/glibc:  _SYS_UIO_H   (set by <sys/uio.h>)
+//   macOS/BSD:    _SYS_UIO_H_  (set by <sys/uio.h>)
+//   musl:         _SYS_UIO_H   (same as glibc)
+//
+// If any of those macros is defined after including iovec_entry.hpp, the
+// header has leaked <sys/uio.h> and the build fails with a descriptive
+// #error message. The TU compiling at all (and none of those macros being
+// defined) is the assertion — no runtime test is needed for this guarantee.
+//
+// HTTPSERVER_COMPILATION is defined by AM_CPPFLAGS in test/Makefile.am
+// so the inclusion guard in iovec_entry.hpp is satisfied.
+
+#include "httpserver/iovec_entry.hpp"
+
+// --- preprocessor-based leak detection ------------------------------------
+
+#ifdef _SYS_UIO_H
+#  error "<sys/uio.h> was pulled in transitively by httpserver/iovec_entry.hpp (glibc/musl guard _SYS_UIO_H)"
+#endif
+
+#ifdef _SYS_UIO_H_
+#  error "<sys/uio.h> was pulled in transitively by httpserver/iovec_entry.hpp (macOS/BSD guard _SYS_UIO_H_)"
+#endif
+
+// --------------------------------------------------------------------------
+
+#include "./littletest.hpp"
+
+LT_BEGIN_SUITE(header_hygiene_iovec_suite)
+    void set_up() {
+    }
+
+    void tear_down() {
+    }
+LT_END_SUITE(header_hygiene_iovec_suite)
+
+// Verify that iovec_entry is accessible and sizeof/alignof are non-zero
+// without any POSIX headers in scope. This confirms that no system types
+// leaked in through iovec_entry.hpp and that the type is self-contained.
+LT_BEGIN_AUTO_TEST(header_hygiene_iovec_suite, iovec_entry_visible_without_sys_uio)
+    // If any system header leaked in, alignof/sizeof would still be correct,
+    // but the #error directives above ensure this test is only reached on a
+    // clean TU. These checks confirm the type is truly self-contained.
+    static_assert(sizeof(httpserver::iovec_entry) > 0,
+                  "iovec_entry must have non-zero size without sys/uio.h");
+    static_assert(alignof(httpserver::iovec_entry) > 0,
+                  "iovec_entry must have non-zero alignment without sys/uio.h");
+    LT_CHECK_EQ(true, true);  // TU compiled clean: no sys/uio.h leak detected
+LT_END_AUTO_TEST(iovec_entry_visible_without_sys_uio)
+
+LT_BEGIN_AUTO_TEST_ENV()
+    AUTORUN_TESTS()
+LT_END_AUTO_TEST_ENV()