performance adjustment

Easton97-Jens · Easton97-Jens · commit ffdc0443aaf2 · 2026-04-12T19:30:34.000+02:00
diff --git a/src/request_body_processor/json_adapter.cc b/src/request_body_processor/json_adapter.cc
@@ -56,6 +56,28 @@ JsonParseResult normalizeResult(JsonParseResult result) {
 
 }  // namespace
 
+JsonParseResult JSONAdapter::parse(std::string &input,
+    JsonEventSink *sink, const JsonBackendParseOptions &options) const {
+    if (sink == nullptr) {
+        return makeResult(JsonParseStatus::InternalError,
+            JsonSinkStatus::InternalError, "JSON event sink is null.");
+    }
+
+    if (input.empty()) {
+        return makeResult(JsonParseStatus::Ok);
+    }
+
+#if defined(MSC_JSON_BACKEND_SIMDJSON)
+    return normalizeResult(parseDocumentWithSimdjson(input, sink, options));
+#elif defined(MSC_JSON_BACKEND_JSONCONS)
+    return normalizeResult(parseDocumentWithJsoncons(input, sink, options));
+#else
+    return makeResult(JsonParseStatus::InternalError,
+        JsonSinkStatus::InternalError,
+        "ModSecurity was built without a selected JSON backend.");
+#endif
+}
+
 JsonParseResult JSONAdapter::parse(const std::string &input,
     JsonEventSink *sink, const JsonBackendParseOptions &options) const {
     if (sink == nullptr) {
diff --git a/src/request_body_processor/json_adapter.h b/src/request_body_processor/json_adapter.h
@@ -25,6 +25,9 @@ namespace RequestBodyProcessor {
 
 class JSONAdapter {
  public:
+    JsonParseResult parse(std::string &input, JsonEventSink *sink,
+        const JsonBackendParseOptions &options = JsonBackendParseOptions()) const;
+
     JsonParseResult parse(const std::string &input, JsonEventSink *sink,
         const JsonBackendParseOptions &options = JsonBackendParseOptions()) const;
 };
diff --git a/src/request_body_processor/json_backend.h b/src/request_body_processor/json_backend.h
@@ -71,6 +71,9 @@ class JsonEventSink {
 JsonParseResult parseDocumentWithSimdjson(const std::string &input,
     JsonEventSink *sink, const JsonBackendParseOptions &options);
 
+JsonParseResult parseDocumentWithSimdjson(std::string &input,
+    JsonEventSink *sink, const JsonBackendParseOptions &options);
+
 JsonParseResult parseDocumentWithJsoncons(const std::string &input,
     JsonEventSink *sink, const JsonBackendParseOptions &options);
 
diff --git a/src/request_body_processor/json_backend_simdjson.cc b/src/request_body_processor/json_backend_simdjson.cc
@@ -20,7 +20,6 @@
 #include "src/request_body_processor/json_backend.h"
 
 #include <algorithm>
-#include <cassert>
 #include <chrono>
 #include <cstdint>
 #include <memory>
@@ -90,13 +89,33 @@ JsonParseResult fromSimdjsonError(simdjson::error_code error) {
     }
 }
 
+std::size_t effectiveTechnicalMaxDepth(
+    const JsonBackendParseOptions &options) {
+    return options.technical_max_depth > 0
+        ? static_cast<std::size_t>(options.technical_max_depth) : 1;
+}
+
+std::string_view trimTrailingJsonWhitespace(std::string_view token) {
+    while (!token.empty()) {
+        const char tail = token.back();
+        if (tail != ' ' && tail != '\t' && tail != '\n' && tail != '\r') {
+            break;
+        }
+        token.remove_suffix(1);
+    }
+    return token;
+}
+
 /*
  * The ondemand parser is reused per thread because simdjson benefits from
  * keeping its internal buffers warm across parses. thread_local storage keeps
  * the parser isolated to the calling thread, so no parser state is shared
  * across transactions running on different threads. The parse and full
  * document traversal both complete inside parseDocumentWithSimdjson(), so no
- * parser-backed state escapes this function.
+ * parser-backed state escapes this function. We intentionally do not add an
+ * automatic release/recreate heuristic here: the vendored simdjson API
+ * explicitly supports parser reuse, and retained capacity after unusually
+ * large inputs remains a conscious tradeoff rather than an accidental leak.
  */
 simdjson::ondemand::parser &getReusableSimdjsonParser() {
     thread_local std::unique_ptr<simdjson::ondemand::parser> parser;
@@ -116,8 +135,7 @@ simdjson::ondemand::parser &getReusableSimdjsonParser() {
 
 std::size_t clampRequestedMaxDepth(std::size_t input_size,
     const JsonBackendParseOptions &options) {
-    const std::size_t requested_depth = options.technical_max_depth > 0
-        ? static_cast<std::size_t>(options.technical_max_depth) : 1;
+    const std::size_t requested_depth = effectiveTechnicalMaxDepth(options);
     const std::size_t max_possible_depth = (input_size / 2) + 1;
     return std::min(requested_depth, std::max<std::size_t>(1,
         max_possible_depth));
@@ -140,6 +158,13 @@ simdjson::error_code prepareParser(simdjson::ondemand::parser *parser,
         return simdjson::SUCCESS;
     }
 
+    // simdjson reuses parser buffers across parses. allocate() can grow the
+    // per-thread parser to satisfy a larger document or different max-depth,
+    // but it does not proactively shrink retained capacity for later, smaller
+    // inputs. In simdjson 4.6.1 the max-depth parameter is only enforced by
+    // simdjson's development checks, so we keep passing it here for that
+    // internal guardrail while our own walker enforces technical_max_depth at
+    // runtime using current_depth().
     return parser->allocate(input_size, required_max_depth);
 }
 
@@ -154,7 +179,10 @@ JsonParseResult getResult(ResultType &&result, TargetType *target) {
 
 class JsonBackendWalker {
  public:
-    explicit JsonBackendWalker(JsonEventSink *sink) : m_sink(sink) { }
+    JsonBackendWalker(JsonEventSink *sink,
+        const JsonBackendParseOptions &options)
+        : m_sink(sink),
+          m_technical_max_depth(effectiveTechnicalMaxDepth(options)) { }
 
     JsonParseResult walk(simdjson::ondemand::document *document) {
         bool is_scalar = false;
@@ -205,7 +233,8 @@ class JsonBackendWalker {
                     return result;
                 }
 
-                JsonSinkStatus sink_status = m_sink->on_number(raw_number);
+                JsonSinkStatus sink_status = m_sink->on_number(
+                    trimTrailingJsonWhitespace(raw_number));
                 if (sink_status != JsonSinkStatus::Continue) {
                     return stopTraversal(sink_status, "handling a root number");
                 }
@@ -241,11 +270,13 @@ class JsonBackendWalker {
                 }
                 return makeResult(JsonParseStatus::Ok);
             }
+            case simdjson::ondemand::json_type::unknown:
+                return makeResult(JsonParseStatus::ParseError,
+                    "Invalid JSON token encountered in simdjson backend.");
             case simdjson::ondemand::json_type::object:
             case simdjson::ondemand::json_type::array:
-            case simdjson::ondemand::json_type::unknown:
                 return makeResult(JsonParseStatus::InternalError,
-                    "Unexpected root scalar type encountered in simdjson backend.");
+                    "Unexpected root scalar container encountered in simdjson backend.");
         }
 
         return makeResult(JsonParseStatus::InternalError,
@@ -262,8 +293,14 @@ class JsonBackendWalker {
 
         switch (type) {
             case simdjson::ondemand::json_type::object:
+                if (auto result = enforceTechnicalDepth(value); !result.ok()) {
+                    return result;
+                }
                 return walkObject(value);
             case simdjson::ondemand::json_type::array:
+                if (auto result = enforceTechnicalDepth(value); !result.ok()) {
+                    return result;
+                }
                 return walkArray(value);
             case simdjson::ondemand::json_type::string:
                 return walkString(value);
@@ -279,8 +316,8 @@ class JsonBackendWalker {
                 return makeResult(JsonParseStatus::Ok);
             }
             case simdjson::ondemand::json_type::unknown:
-                return makeResult(JsonParseStatus::InternalError,
-                    "Unknown JSON token type encountered.");
+                return makeResult(JsonParseStatus::ParseError,
+                    "Invalid JSON token encountered in simdjson backend.");
         }
 
         return makeResult(JsonParseStatus::InternalError,
@@ -385,7 +422,8 @@ class JsonBackendWalker {
     }
 
     JsonParseResult walkNumber(simdjson::ondemand::value value) {
-        std::string_view raw_number = value.raw_json_token();
+        std::string_view raw_number = trimTrailingJsonWhitespace(
+            value.raw_json_token());
         JsonSinkStatus sink_status = m_sink->on_number(raw_number);
 
         if (sink_status != JsonSinkStatus::Continue) {
@@ -410,52 +448,79 @@ class JsonBackendWalker {
         return makeResult(JsonParseStatus::Ok);
     }
 
+    JsonParseResult enforceTechnicalDepth(simdjson::ondemand::value value) {
+        const int32_t current_depth = value.current_depth();
+        if (current_depth <= 0) {
+            return makeResult(JsonParseStatus::InternalError,
+                "Invalid current depth reported by simdjson backend.");
+        }
+
+        if (static_cast<std::size_t>(current_depth) > m_technical_max_depth) {
+            return makeResult(JsonParseStatus::ParseError,
+                "JSON nesting depth exceeds backend technical max depth.");
+        }
+
+        return makeResult(JsonParseStatus::Ok);
+    }
+
     JsonEventSink *m_sink;
+    std::size_t m_technical_max_depth;
 };
 
-}  // namespace
+struct PreparedSimdjsonInput {
+    simdjson::padded_string_view view{};
+    simdjson::padded_string owned_copy{};
+};
 
-JsonParseResult parseDocumentWithSimdjson(const std::string &input,
-    JsonEventSink *sink, const JsonBackendParseOptions &options) {
-    if (sink == nullptr) {
-        return makeResult(JsonParseStatus::InternalError,
-            JsonSinkStatus::InternalError, "JSON event sink is null.");
-    }
+PreparedSimdjsonInput prepareMutableSimdjsonInput(std::string *input) {
+    PreparedSimdjsonInput prepared;
 
-    const char *const input_data = input.data();
-    const std::size_t input_size = input.size();
+    // The production request-body path owns a mutable std::string, so we can
+    // pad that buffer in place and keep the logical JSON length in the
+    // returned padded_string_view. This removes the extra padded_string copy
+    // while still satisfying simdjson's padding requirement explicitly.
+    prepared.view = simdjson::pad(*input);
+    return prepared;
+}
 
-    simdjson::ondemand::parser &parser = getReusableSimdjsonParser();
-    // This only prepares parser capacity and max-depth bookkeeping. It does
-    // not make the caller-provided string safe for zero-copy parsing.
-    if (auto error = prepareParser(&parser, input_size, options); error) {
-        return fromSimdjsonError(error);
+PreparedSimdjsonInput prepareConstSimdjsonInput(const std::string &input) {
+    PreparedSimdjsonInput prepared;
+    prepared.view = simdjson::padded_string_view(input);
+
+    // The const path must not guess about std::string capacity. We only parse
+    // directly when simdjson itself confirms that the existing allocation
+    // and/or trailing whitespace provide sufficient padding.
+    if (prepared.view.has_sufficient_padding()) {
+        return prepared;
     }
 
-    // TODO: Revisit zero-copy only when the caller can guarantee a stable
-    // buffer whose allocation is at least len + SIMDJSON_PADDING bytes.
-    //
-    // We intentionally keep the padded_string copy here. The current input is
-    // a const std::string built from the request-body snapshot/append path, so
-    // it does not provide guaranteed padding for simdjson's direct iterate()
-    // overloads. In practice large request bodies often end up with
-    // size() == capacity(), making any direct path allocator- and stdlib-
-    // dependent. padded_string keeps this backend deterministic until the
-    // caller can provide guaranteed lifetime and padding.
 #ifdef MSC_JSON_AUDIT_INSTRUMENTATION
     const auto padded_start = std::chrono::steady_clock::now();
-    simdjson::padded_string padded(input);
-    recordSimdjsonPaddedCopy(input_size, static_cast<std::uint64_t>(
+    prepared.owned_copy = simdjson::padded_string(input);
+    recordSimdjsonPaddedCopy(input.size(), static_cast<std::uint64_t>(
         std::chrono::duration_cast<std::chrono::nanoseconds>(
             std::chrono::steady_clock::now() - padded_start).count()));
 #else
-    simdjson::padded_string padded(input);
+    prepared.owned_copy = simdjson::padded_string(input);
 #endif
-    simdjson::ondemand::document document;
+    prepared.view = prepared.owned_copy;
+    return prepared;
+}
+
+JsonParseResult parsePreparedDocumentWithSimdjson(
+    simdjson::padded_string_view input, JsonEventSink *sink,
+    const JsonBackendParseOptions &options) {
+    simdjson::ondemand::parser &parser = getReusableSimdjsonParser();
+    // This only prepares parser capacity and max-depth bookkeeping. Buffer
+    // lifetime and padding must already have been handled by the caller.
+    if (auto error = prepareParser(&parser, input.length(), options); error) {
+        return fromSimdjsonError(error);
+    }
 
+    simdjson::ondemand::document document;
 #ifdef MSC_JSON_AUDIT_INSTRUMENTATION
     const auto iterate_start = std::chrono::steady_clock::now();
-    if (auto error = parser.iterate(padded).get(document); error) {
+    if (auto error = parser.iterate(input).get(document); error) {
         recordSimdjsonIterate(static_cast<std::uint64_t>(
             std::chrono::duration_cast<std::chrono::nanoseconds>(
                 std::chrono::steady_clock::now() - iterate_start).count()));
@@ -465,18 +530,37 @@ JsonParseResult parseDocumentWithSimdjson(const std::string &input,
         std::chrono::duration_cast<std::chrono::nanoseconds>(
             std::chrono::steady_clock::now() - iterate_start).count()));
 #else
-    if (auto error = parser.iterate(padded).get(document); error) {
+    if (auto error = parser.iterate(input).get(document); error) {
         return fromSimdjsonError(error);
     }
 #endif
 
-    JsonBackendWalker walker(sink);
-    assert(input.data() == input_data);
-    assert(input.size() == input_size);
-    JsonParseResult walk_result = walker.walk(&document);
-    assert(input.data() == input_data);
-    assert(input.size() == input_size);
-    return walk_result;
+    JsonBackendWalker walker(sink, options);
+    return walker.walk(&document);
+}
+
+}  // namespace
+
+JsonParseResult parseDocumentWithSimdjson(std::string &input,
+    JsonEventSink *sink, const JsonBackendParseOptions &options) {
+    if (sink == nullptr) {
+        return makeResult(JsonParseStatus::InternalError,
+            JsonSinkStatus::InternalError, "JSON event sink is null.");
+    }
+
+    PreparedSimdjsonInput prepared = prepareMutableSimdjsonInput(&input);
+    return parsePreparedDocumentWithSimdjson(prepared.view, sink, options);
+}
+
+JsonParseResult parseDocumentWithSimdjson(const std::string &input,
+    JsonEventSink *sink, const JsonBackendParseOptions &options) {
+    if (sink == nullptr) {
+        return makeResult(JsonParseStatus::InternalError,
+            JsonSinkStatus::InternalError, "JSON event sink is null.");
+    }
+
+    PreparedSimdjsonInput prepared = prepareConstSimdjsonInput(input);
+    return parsePreparedDocumentWithSimdjson(prepared.view, sink, options);
 }
 
 }  // namespace RequestBodyProcessor
diff --git a/test/unit/json_backend_depth_tests.cc b/test/unit/json_backend_depth_tests.cc
