|
| 1 | ++++ |
| 2 | +title = "Proto Serialization Is Not Canonical" |
| 3 | +weight = 88 |
| 4 | +description = "Explains how serialization works and why it is not canonical." |
| 5 | +type = "docs" |
| 6 | ++++ |
| 7 | + |
| 8 | +<!--* |
| 9 | +# Document freshness: For more information, see go/fresh-source. |
| 10 | +freshness: { owner: 'haberman' reviewed: '2024-02-05' } |
| 11 | +*--> |
| 12 | + |
| 13 | +Many people want a serialized proto to canonically represent the contents of |
| 14 | +that proto. Use cases include: |
| 15 | + |
| 16 | +* using a serialized proto as a key in a hash table |
| 17 | +* taking a fingerprint or checksum of a serialized proto |
| 18 | +* comparing serialized payloads as a way of checking message equality |
| 19 | + |
| 20 | +Unfortunately, *protobuf serialization is not (and cannot be) canonical*. There |
| 21 | +are a few notable exceptions, such as MapReduce, but in general you should |
| 22 | +generally think of proto serialization as unstable. This page explains why. |
| 23 | + |
| 24 | +## Deterministic is not Canonical |
| 25 | + |
| 26 | +Deterministic serialization is not canonical. The serializer can generate |
| 27 | +different output for many reasons, including but not limited to the following |
| 28 | +variations: |
| 29 | + |
| 30 | +1. The protobuf schema changes in any way. |
| 31 | +1. The application being built changes in any way. |
| 32 | +1. The binary is built with different flags (eg. opt vs. debug). |
| 33 | +1. The protobuf library is updated. |
| 34 | + |
| 35 | +This means that hashes of serialized protos are fragile and not stable across |
| 36 | +time or space. |
| 37 | + |
| 38 | +There are many reasons why the serialized output can change. The above list is |
| 39 | +not exhaustive. Some of them are inherent difficulties in the problem space that |
| 40 | +would make it inefficient or impossible to guarantee canonical serialization |
| 41 | +even if we wanted to. Others are things we intentionally leave undefined to |
| 42 | +allow for optimization opportunities. |
| 43 | + |
| 44 | +## Inherent Barriers to Stable Serialization |
| 45 | + |
| 46 | +Protobuf objects preserve unknown fields to provide forward and backward |
| 47 | +compatibility. Unknown fields cannot be canonically serialized: |
| 48 | + |
| 49 | +1. Unknown fields can't distinguish between bytes and sub-messages, as both |
| 50 | + have the same wire type. This makes it impossible to canonicalize messages |
| 51 | + stored in the unknown field set. If we were going to canonicalize, we would |
| 52 | + need to recurse into unknown submessages to sort their fields by field |
| 53 | + number, but we don't have enough information to do this. |
| 54 | +1. Unknown fields are always serialized after known fields, for efficiency. But |
| 55 | + canonical serialization would require interleaving unknown fields with known |
| 56 | + fields by field number. This would cause efficiency and code size overheads |
| 57 | + for everybody, even people who do not use the feature. |
| 58 | + |
| 59 | +## Things Intentionally Left Undefined |
| 60 | + |
| 61 | +Even if canonical serialization was feasible (that is, if we could solve the |
| 62 | +unknown field problem), we intentionally leave serialization order undefined to |
| 63 | +allow for more optimization opportunities: |
| 64 | + |
| 65 | +1. If we can prove a field is never used in a binary, we can remove it from the |
| 66 | + schema completely and process it as an unknown field. This saves substantial |
| 67 | + code size and CPU cycles. |
| 68 | +2. There may be opportunities to optimize by serializing vectors of the same |
| 69 | + field together, even though this would break field number order. |
| 70 | + |
| 71 | +To leave room for optimizations like this, we want to intentionally scramble |
| 72 | +field order in some configurations, so that applications do not inappropriately |
| 73 | +depend on field order. |
0 commit comments