src: use JSON configuration and blob content for SEA

Author: joyeecheung

doc/api/single-executable-applications.md

@@ -54,28 +54,28 @@ tool, [postject][]:
    the following options:
 
    * `hello` - The name of the copy of the `node` executable created in step 2.
-   * `NODE_JS_CODE` - The name of the resource / note / section in the binary
+   * `NODE_SEA_BLOB` - The name of the resource / note / section in the binary
      where the contents of the JavaScript file will be stored.
    * `hello.js` - The name of the JavaScript file created in step 1.
-   * `--sentinel-fuse NODE_JS_FUSE_fce680ab2cc467b6e072b8b5df1996b2` - The
+   * `--sentinel-fuse NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2` - The
      [fuse][] used by the Node.js project to detect if a file has been injected.
-   * `--macho-segment-name NODE_JS` (only needed on macOS) - The name of the
+   * `--macho-segment-name NODE_SEA` (only needed on macOS) - The name of the
      segment in the binary where the contents of the JavaScript file will be
      stored.
 
    To summarize, here is the required command for each platform:
 
    * On systems other than macOS:
      ```console
-     $ npx postject hello NODE_JS_CODE hello.js \
-         --sentinel-fuse NODE_JS_FUSE_fce680ab2cc467b6e072b8b5df1996b2
+     $ npx postject hello NODE_SEA_BLOB hello.js \
+         --sentinel-fuse NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2
      ```
 
    * On macOS:
      ```console
-     $ npx postject hello NODE_JS_CODE hello.js \
-         --sentinel-fuse NODE_JS_FUSE_fce680ab2cc467b6e072b8b5df1996b2 \
-         --macho-segment-name NODE_JS
+     $ npx postject hello NODE_SEA_BLOB hello.js \
+         --sentinel-fuse NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2 \
+         --macho-segment-name NODE_SEA
      ```
 
 5. Sign the binary:
@@ -137,13 +137,13 @@ of [`process.execPath`][].
 A tool aiming to create a single executable Node.js application must
 inject the contents of a JavaScript file into:
 
-* a resource named `NODE_JS_CODE` if the `node` binary is a [PE][] file
-* a section named `NODE_JS_CODE` in the `NODE_JS` segment if the `node` binary
+* a resource named `NODE_SEA_BLOB` if the `node` binary is a [PE][] file
+* a section named `NODE_SEA_BLOB` in the `NODE_SEA` segment if the `node` binary
   is a [Mach-O][] file
-* a note named `NODE_JS_CODE` if the `node` binary is an [ELF][] file
+* a note named `NODE_SEA_BLOB` if the `node` binary is an [ELF][] file
 
 Search the binary for the
-`NODE_JS_FUSE_fce680ab2cc467b6e072b8b5df1996b2:0` [fuse][] string and flip the
+`NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2:0` [fuse][] string and flip the
 last character to `1` to indicate that a resource has been injected.
 
 ### Platform support

doc/contributing/maintaining-single-executable-application-support.md

@@ -66,7 +66,7 @@ To disable single executable application support, build Node.js with the
 ## Implementation
 
 When built with single executable application support, the Node.js process uses
-[`postject-api.h`][] to check if the `NODE_JS_CODE` section exists in the
+[`postject-api.h`][] to check if the `NODE_SEA_BLOB` section exists in the
 binary. If it is found, it passes the buffer to
 [`single_executable_application.js`][], which executes the contents of the
 embedded script.

node.gyp

@@ -82,6 +82,8 @@
       'src/js_stream.cc',
       'src/json_utils.cc',
       'src/js_udp_wrap.cc',
+      'src/json_parser.h',
+      'src/json_parser.cc',
       'src/module_wrap.cc',
       'src/node.cc',
       'src/node_api.cc',

src/json_parser.cc

@@ -0,0 +1,76 @@
+#include "json_parser.h"
+#include "node_errors.h"
+#include "node_v8_platform-inl.h"
+#include "util-inl.h"
+
+namespace node {
+using v8::ArrayBuffer;
+using v8::Context;
+using v8::Isolate;
+using v8::Local;
+using v8::Object;
+using v8::String;
+using v8::Value;
+
+static Isolate* NewIsolate(v8::ArrayBuffer::Allocator* allocator) {
+  Isolate* isolate = Isolate::Allocate();
+  CHECK_NOT_NULL(isolate);
+  per_process::v8_platform.Platform()->RegisterIsolate(isolate,
+                                                       uv_default_loop());
+  Isolate::CreateParams params;
+  params.array_buffer_allocator = allocator;
+  Isolate::Initialize(isolate, params);
+  return isolate;
+}
+
+void JSONParser::FreeIsolate(Isolate* isolate) {
+  per_process::v8_platform.Platform()->UnregisterIsolate(isolate);
+  isolate->Dispose();
+}
+
+JSONParser::JSONParser()
+    : allocator_(ArrayBuffer::Allocator::NewDefaultAllocator()),
+      isolate_(NewIsolate(allocator_.get())),
+      handle_scope_(isolate_.get()),
+      context_(isolate_.get(), Context::New(isolate_.get())),
+      context_scope_(context_.Get(isolate_.get())) {}
+
+bool JSONParser::Parse(const std::string& content) {
+  DCHECK(!parsed_);
+
+  Isolate* isolate = isolate_.get();
+  Local<Context> context = context_.Get(isolate);
+
+  errors::PrinterTryCatch bootstrapCatch(isolate);
+  Local<Value> json_string_value;
+  Local<Value> result_value;
+  if (!ToV8Value(context, content).ToLocal(&json_string_value) ||
+      !json_string_value->IsString() ||
+      !v8::JSON::Parse(context, json_string_value.As<String>())
+           .ToLocal(&result_value) ||
+      !result_value->IsObject()) {
+    return false;
+  }
+  content_.Reset(isolate, result_value.As<Object>());
+  parsed_ = true;
+  return true;
+}
+
+std::optional<std::string> JSONParser::GetTopLevelField(
+    const std::string& field) {
+  Isolate* isolate = isolate_.get();
+  Local<Context> context = context_.Get(isolate);
+  Local<Object> content_object = content_.Get(isolate);
+  Local<Value> value;
+  errors::PrinterTryCatch bootstrapCatch(isolate);
+  if (!content_object
+           ->Get(context, OneByteString(isolate, field.c_str(), field.length()))
+           .ToLocal(&value) ||
+      !value->IsString()) {
+    return {};
+  }
+  Utf8Value utf8_value(isolate, value);
+  return utf8_value.ToString();
+}
+
+}  // namespace node

src/json_parser.h

@@ -0,0 +1,39 @@
+#ifndef SRC_JSON_PARSER_H_
+#define SRC_JSON_PARSER_H_
+
+#if defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS
+
+#include <memory>
+#include <optional>
+#include <string>
+#include "util.h"
+#include "v8.h"
+
+namespace node {
+// This is intended to be used to get some top-level fields out of a JSON
+// without having to spin up a full Node.js environment that unnecessarily
+// complicates things.
+class JSONParser {
+ public:
+  JSONParser();
+  ~JSONParser() {}
+  bool Parse(const std::string& content);
+  std::optional<std::string> GetTopLevelField(const std::string& field);
+
+ private:
+  // We might want a lighter-weight JSON parser for this use case. But for now
+  // using V8 is good enough.
+  static void FreeIsolate(v8::Isolate* isolate);
+  std::unique_ptr<v8::ArrayBuffer::Allocator> allocator_;
+  DeleteFnPtr<v8::Isolate, FreeIsolate> isolate_;
+  v8::HandleScope handle_scope_;
+  v8::Global<v8::Context> context_;
+  v8::Context::Scope context_scope_;
+  v8::Global<v8::Object> content_;
+  bool parsed_ = false;
+};
+}  // namespace node
+
+#endif  // defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS
+
+#endif  // SRC_JSON_PARSER_H_

src/node.cc

@@ -1228,6 +1228,11 @@ static ExitCode StartInternal(int argc, char** argv) {
 
   uv_loop_configure(uv_default_loop(), UV_METRICS_IDLE_TIME);
 
+  std::string sea_config = per_process::cli_options->experimental_sea_config;
+  if (!sea_config.empty()) {
+    return sea::BuildSingleExecutableBlob(sea_config);
+  }
+
   // --build-snapshot indicates that we are in snapshot building mode.
   if (per_process::cli_options->per_isolate->build_snapshot) {
     if (result->args().size() < 2) {

src/node_errors.cc

@@ -1209,6 +1209,13 @@ void TriggerUncaughtException(Isolate* isolate, const v8::TryCatch& try_catch) {
                            false /* from_promise */);
 }
 
+PrinterTryCatch::~PrinterTryCatch() {
+  if (!HasCaught()) {
+    return;
+  }
+  PrintCaughtException(isolate_, isolate_->GetCurrentContext(), *this);
+}
+
 }  // namespace errors
 
 }  // namespace node

src/node_errors.h

@@ -275,6 +275,17 @@ void PerIsolateMessageListener(v8::Local<v8::Message> message,
 
 void DecorateErrorStack(Environment* env,
                         const errors::TryCatchScope& try_catch);
+
+class PrinterTryCatch : public v8::TryCatch {
+ public:
+  explicit PrinterTryCatch(v8::Isolate* isolate)
+      : v8::TryCatch(isolate), isolate_(isolate) {}
+  ~PrinterTryCatch();
+
+ private:
+  v8::Isolate* isolate_;
+};
+
 }  // namespace errors
 
 v8::ModifyCodeGenerationFromStringsResult ModifyCodeGenerationFromStrings(

src/node_options.cc

@@ -990,6 +990,11 @@ PerProcessOptionsParser::PerProcessOptionsParser(
             kAllowedInEnvvar);
   Implies("--node-memory-debug", "--debug-arraybuffer-allocations");
   Implies("--node-memory-debug", "--verify-base-objects");
+
+  AddOption("--experimental-sea-config",
+            "Generate a blob that can be embedded into the single executable "
+            "application",
+            &PerProcessOptions::experimental_sea_config);
 }
 
 inline std::string RemoveBrackets(const std::string& host) {

src/node_options.h

@@ -265,6 +265,7 @@ class PerProcessOptions : public Options {
   bool print_help = false;
   bool print_v8_help = false;
   bool print_version = false;
+  std::string experimental_sea_config;
 
 #ifdef NODE_HAVE_I18N_SUPPORT
   std::string icu_data_dir;

src/node_sea.cc

@@ -1,6 +1,7 @@
 #include "node_sea.h"
 
 #include "env-inl.h"
+#include "json_parser.h"
 #include "node_external_reference.h"
 #include "node_internals.h"
 #include "node_union_bytes.h"
@@ -10,7 +11,7 @@
 // used by the postject_has_resource() function to efficiently detect if a
 // resource has been injected. See
 // https://github.com/nodejs/postject/blob/35343439cac8c488f2596d7c4c1dddfec1fddcae/postject-api.h#L42-L45.
-#define POSTJECT_SENTINEL_FUSE "NODE_JS_FUSE_fce680ab2cc467b6e072b8b5df1996b2"
+#define POSTJECT_SENTINEL_FUSE "NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2"
 #include "postject-api.h"
 #undef POSTJECT_SENTINEL_FUSE
 
@@ -20,30 +21,46 @@
 
 #if !defined(DISABLE_SINGLE_EXECUTABLE_APPLICATION)
 
+using node::ExitCode;
+using node::Utf8Value;
+using v8::ArrayBuffer;
 using v8::Context;
 using v8::FunctionCallbackInfo;
+using v8::Global;
+using v8::HandleScope;
+using v8::Isolate;
+using v8::Just;
 using v8::Local;
+using v8::Maybe;
+using v8::Nothing;
 using v8::Object;
+using v8::String;
+using v8::TryCatch;
 using v8::Value;
 
 namespace node {
 namespace sea {
 
+static const uint32_t kMagic = 0x143da20;
+
 std::string_view FindSingleExecutableCode() {
   CHECK(IsSingleExecutable());
   static const std::string_view sea_code = []() -> std::string_view {
     size_t size;
 #ifdef __APPLE__
     postject_options options;
     postject_options_init(&options);
-    options.macho_segment_name = "NODE_JS";
+    options.macho_segment_name = "NODE_SEA";
     const char* code = static_cast<const char*>(
-        postject_find_resource("NODE_JS_CODE", &size, &options));
+        postject_find_resource("NODE_SEA_BLOB", &size, &options));
 #else
     const char* code = static_cast<const char*>(
-        postject_find_resource("NODE_JS_CODE", &size, nullptr));
+        postject_find_resource("NODE_SEA_BLOB", &size, nullptr));
 #endif
-    return {code, size};
+    uint32_t first_word = reinterpret_cast<const uint32_t*>(code)[0];
+    CHECK_EQ(first_word, kMagic);
+    // TODO(joyeecheung): do more checks here e.g. matching the versions.
+    return {code + sizeof(first_word), size - sizeof(first_word)};
   }();
   return sea_code;
 }
@@ -78,6 +95,71 @@ std::tuple<int, char**> FixupArgsForSEA(int argc, char** argv) {
   return {argc, argv};
 }
 
+ExitCode BuildSingleExecutableBlob(const std::string& config_path) {
+  std::string config;
+  int r = ReadFileSync(&config, config_path.c_str());
+  if (r != 0) {
+    fprintf(stderr,
+            "Cannot read single executable configuration from \"%s\n",
+            config_path.c_str());
+    return ExitCode::kGenericUserError;
+  }
+
+  std::string main_path;
+  std::string output_path;
+  {
+    JSONParser parser;
+    if (!parser.Parse(config)) {
+      fprintf(stderr, "Cannot parse JSON from \"%s\n", config_path.c_str());
+      return ExitCode::kGenericUserError;
+    }
+
+    main_path = parser.GetTopLevelField("main").value_or(std::string());
+    if (main_path.empty()) {
+      fprintf(stderr,
+              "\"main\" field of %s is not a string\n",
+              config_path.c_str());
+      return ExitCode::kGenericUserError;
+    }
+
+    output_path = parser.GetTopLevelField("output").value_or(std::string());
+    if (output_path.empty()) {
+      fprintf(stderr,
+              "\"output\" field of %s is not a string\n",
+              config_path.c_str());
+      return ExitCode::kGenericUserError;
+    }
+  }
+
+  std::string main_script;
+  // TODO(joyeecheung): unify the file utils.
+  r = ReadFileSync(&main_script, main_path.c_str());
+  if (r != 0) {
+    fprintf(stderr, "Cannot read main script %s\n", main_path.c_str());
+    return ExitCode::kGenericUserError;
+  }
+
+  std::vector<char> sink;
+  // TODO(joyeecheung): reuse the SnapshotSerializerDeserializer for this.
+  sink.reserve(sizeof(kMagic) + main_script.size());
+  const char* pos = reinterpret_cast<const char*>(&kMagic);
+  sink.insert(sink.end(), pos, pos + sizeof(kMagic));
+  sink.insert(
+      sink.end(), main_script.data(), main_script.data() + main_script.size());
+
+  uv_buf_t buf = uv_buf_init(sink.data(), sink.size());
+  r = WriteFileSync(output_path.c_str(), buf);
+  if (r != 0) {
+    fprintf(stderr, "Cannot write output to %s\n", output_path.c_str());
+    return ExitCode::kGenericUserError;
+  }
+
+  fprintf(stderr,
+          "Wrote single executable preparation blob to %s\n",
+          output_path.c_str());
+  return ExitCode::kNoFailure;
+}
+
 void Initialize(Local<Object> target,
                 Local<Value> unused,
                 Local<Context> context,