diff --git a/docs/modernization/build-inventory.md b/docs/modernization/build-inventory.md index b25f2c8..4cbf4a5 100644 --- a/docs/modernization/build-inventory.md +++ b/docs/modernization/build-inventory.md @@ -93,9 +93,10 @@ Known local toolchain state: `pp_ui_core`, `pano_cli`, and their current headless test binaries, including foundation event/logging/task queue coverage, PNG metadata and decode, PPI header/layout, settings document, document - snapshot/per-layer-frame/move/duration/face-pixel/PPI export coverage, paint - brush/stroke/stroke-script coverage, renderer shader descriptor and OpenGL - capability coverage, UI color parsing, and layout XML parse coverage. + snapshot/per-layer-frame/move/duration/face-pixel/PPI export coverage, + snapshot-embedded face-payload rejection, paint brush/stroke/stroke-script + coverage, renderer shader descriptor and OpenGL capability coverage, UI + color parsing, and layout XML parse coverage. - `pano_cli inspect-image` reports PNG IHDR metadata as JSON and is covered by `pano_cli_inspect_png_metadata_smoke` with a tiny IHDR fixture. - `pp_assets_image_pixels_tests` decodes PNG payloads, encodes RGBA8 pixels to diff --git a/docs/modernization/debt.md b/docs/modernization/debt.md index e659279..dd07086 100644 --- a/docs/modernization/debt.md +++ b/docs/modernization/debt.md 
@@ -28,7 +28,7 @@ agent or engineer to remove them without reconstructing context from chat. | DEBT-0007 | Open | Modernization | `vcpkg.json` and `windows-msvc-vcpkg-headless` are validated for the headless Windows component matrix, but app targets still use vendored libraries and Android/Apple triplets are not proven | Dependency migration must stay incremental while SDK/patched/vendor dependencies remain in use | `$env:VCPKG_ROOT="C:\Program Files\Microsoft Visual Studio\2022\Community\VC\vcpkg"; cmake --preset windows-msvc-vcpkg-headless`; `ctest --preset desktop-fast-vcpkg --build-config Debug` | Component targets consume vcpkg packages where reliable and desktop app, Android, and Apple triplets are validated or explicitly documented as permanent vendor exceptions | | DEBT-0008 | Open | Modernization | `windows-msvc-default` preset is used for local validation because the VS 2026 generator is not installed here | The target VS 2026 preset must remain, but this machine configures with Visual Studio 17 2022 | `cmake --preset windows-msvc-default`; `ctest --preset desktop-fast --build-config Debug` | Validate `windows-vs2026-x64` on a machine with Visual Studio 2026 installed and make it the default Windows validation preset | | DEBT-0009 | Open | Modernization | Android root CMake validation currently builds headless targets only, not APK/package variants | Platform app entrypoints still live in legacy Gradle/CMake projects and need Phase 6 alignment | `powershell -ExecutionPolicy Bypass -File scripts\automation\platform-build.ps1 -Presets android-arm64` | Android standard, Quest, and Focus/Wave package targets consume shared component targets and have package smoke commands | -| DEBT-0010 | Open | Modernization | `pp_document` is a pure layer/frame/document/undo-history model with alpha-lock metadata, snapshot construction, per-layer frame metadata, renderer-free RGBA8 face payload storage, renderer-free alpha8 selection-mask storage, and PPI import/export 
helpers, but it is not yet wired to legacy `Canvas`, legacy save, or legacy action commands | Keep extraction incremental while preserving app behavior | `ctest --preset desktop-fast --build-config Debug`; `pano_cli create-document --width 64 --height 32 --layers 2`; `pano_cli load-project --path tests\data\projects\minimal-project.ppi`; `pp_document_ppi_import_tests`; `pp_document_ppi_export_tests`; `pano_cli_simulate_document_edits_smoke` | Legacy document behavior is represented by `pp_document` tests and the app consumes it through a boundary/facade | +| DEBT-0010 | Open | Modernization | `pp_document` is a pure layer/frame/document/undo-history model with alpha-lock metadata, snapshot construction, per-layer frame metadata, renderer-free RGBA8 face payload storage, snapshot-embedded face-payload validation, renderer-free alpha8 selection-mask storage, and PPI import/export helpers, but it is not yet wired to legacy `Canvas`, legacy save, or legacy action commands | Keep extraction incremental while preserving app behavior | `ctest --preset desktop-fast --build-config Debug`; `pano_cli create-document --width 64 --height 32 --layers 2`; `pano_cli load-project --path tests\data\projects\minimal-project.ppi`; `pp_document_tests`; `pp_document_ppi_import_tests`; `pp_document_ppi_export_tests`; `pano_cli_simulate_document_edits_smoke` | Legacy document behavior is represented by `pp_document` tests and the app consumes it through a boundary/facade | | DEBT-0011 | Open | Modernization | `package-smoke` validates the Windows CMake app artifact only, not AppX/APK/Apple/WebGL package outputs | Platform package targets are not migrated to root CMake yet | `powershell -ExecutionPolicy Bypass -File scripts\automation\package-smoke.ps1 -Preset windows-msvc-default -Configuration Debug` | Package-smoke covers Windows AppX, Android APK variants, Apple bundles, and WebGL output where local toolchains are present | | DEBT-0012 | Open | Modernization | `pp_ui_core` uses vcpkg 
tinyxml2 on `windows-msvc-vcpkg-headless`, but retains `pp_vendor_tinyxml2` for default and unproven platform presets | Mobile/AppX/Apple triplets and app packaging still need validation before removing the vendored fallback | `ctest --preset desktop-fast-vcpkg --build-config Debug`; `ctest --preset desktop-fast --build-config Debug`; `powershell -ExecutionPolicy Bypass -File scripts\automation\platform-build.ps1 -Presets android-arm64` | All supported presets consume vcpkg tinyxml2 or document a permanent vendored exception | | DEBT-0013 | Open | Modernization | `pp_assets`, `pp_document`, `pano_cli inspect-project`, `pano_cli load-project`, and `pano_cli save-project` validate the fixed PPI header, thumbnail/body byte layout, generated multi-layer/multi-frame PPI writing with explicit layer opacity/blend/alpha-lock/visibility metadata, per-layer frame durations, metadata-only and targeted dirty-face-payload save/load round-trips, layer/frame index, dirty-face descriptors, dirty-face PNG payload metadata, asset-level RGBA PNG payload decoding, pure document-to-PPI export, and decoded pixel attachment to `pp_document`, but full legacy PPI round-trip parity is not yet extracted | Full PPI save parity requires staged extraction of legacy `Canvas` serialization and image/layer payload handling | `ctest --preset desktop-fast --build-config Debug`; `pp_assets_image_pixels_tests`; `pp_assets_ppi_header_tests`; `pp_document_ppi_import_tests`; `pp_document_ppi_export_tests`; `pano_cli_inspect_project_layout_smoke`; `pano_cli_load_project_metadata_smoke`; `pano_cli_save_project_roundtrip_smoke`; `pano_cli_save_project_payload_roundtrip_smoke` | Full PPI load/save fixtures cover thumbnails, decoded layer face payloads attached to documents, frames, corrupt payloads, dirty-face payload saving, arbitrary legacy canvas payload/layout combinations, and legacy app round-trip compatibility | 
diff --git a/docs/modernization/roadmap.md b/docs/modernization/roadmap.md index 31280f6..cf156ec 100644 --- a/docs/modernization/roadmap.md +++ b/docs/modernization/roadmap.md @@ -325,7 +325,8 @@ started with a pure canvas/layer/frame model, alpha-lock metadata, snapshot construction, per-layer frame metadata, layer metadata operations, frame move/duration queries, renderer-free RGBA8 cube-face payload storage, renderer-free alpha8 selection-mask storage, PPI image import/export, and -layer/frame/undo-redo history invariant tests. +layer/frame/undo-redo history invariant tests. Snapshot construction validates +embedded face-pixel payload bounds and byte counts. `pp_renderer_api` has started with renderer-neutral texture/readback descriptors and validation tests. `pp_paint_renderer` has started with deterministic CPU layer compositing over renderer extents using @@ -693,7 +694,8 @@ Results: - `pp_paint_stroke_script_tests` passed. - `pp_document_tests` passed, including snapshot construction, alpha-lock metadata, per-layer frame metadata, frame move, duration, face-pixel payload - storage/replacement/rejection, and history invariants. + storage/replacement/rejection, snapshot-embedded face-payload rejection, and + history invariants. - `pp_document_ppi_import_tests` passed, including decoded PPI dirty-face payload attachment to `pp_document` layer/frame storage and out-of-range payload rejection. @@ -812,6 +814,8 @@ Results: - `pp_document::export_ppi_project_document` exposes pure document-to-PPI byte export through CTest coverage; legacy Canvas save integration remains tracked by DEBT-0010/DEBT-0013. +- Snapshot creation now rejects invalid embedded RGBA8 face payloads before + document export or history can persist malformed state. - PowerShell package-smoke wrapper validates the Windows CMake app executable and runtime `data/` copy. - Android arm64 configured with NDK 29.0.14206865 through the platform-build 
diff --git a/src/document/document.cpp b/src/document/document.cpp index f24989c..802ddc9 100644 --- a/src/document/document.cpp +++ b/src/document/document.cpp @@ -232,6 +232,23 @@ namespace { return pp::foundation::Status::success(); } +[[nodiscard]] pp::foundation::Status validate_frame_face_pixels( + std::span frames, + std::uint32_t document_width, + std::uint32_t document_height) noexcept +{ + for (const auto& frame : frames) { + for (const auto& pixels : frame.face_pixels) { + const auto pixels_status = validate_face_pixels(pixels, document_width, document_height); + if (!pixels_status.ok()) { + return pixels_status; + } + } + } + + return pp::foundation::Status::success(); +} + } pp::foundation::Result CanvasDocument::create(DocumentConfig config) @@ -308,6 +325,11 @@ pp::foundation::Result CanvasDocument::create_from_snapshot(Docu pp::foundation::Status::out_of_range("document layer frame count exceeds the configured limit")); } + const auto face_pixels_status = validate_frame_face_pixels(layer_frames, config.width, config.height); + if (!face_pixels_status.ok()) { + return pp::foundation::Result::failure(face_pixels_status); + } + for (const auto& frame_config : layer_frames) { const auto duration_status = validate_frame_duration(frame_config.duration_ms); if (!duration_status.ok()) { @@ -333,6 +355,14 @@ pp::foundation::Result CanvasDocument::create_from_snapshot(Docu return pp::foundation::Result::failure(duration_status); } + const auto face_pixels_status = validate_frame_face_pixels( + std::span(&frame_config, 1), + config.width, + config.height); + if (!face_pixels_status.ok()) { + return pp::foundation::Result::failure(face_pixels_status); + } + document.frames_.push_back(frame_config); } diff --git a/tests/document/document_tests.cpp b/tests/document/document_tests.cpp index a596213..1837ba2 100644 --- a/tests/document/document_tests.cpp +++ b/tests/document/document_tests.cpp 
@@ -311,6 +311,88 @@ void rejects_invalid_snapshot_metadata(pp::tests::Harness& h) PP_EXPECT(h, bad_layer_frame.status().code == StatusCode::invalid_argument); } +void rejects_invalid_snapshot_face_pixels(pp::tests::Harness& h) +{ + const AnimationFrame frames[] { { .duration_ms = 100, .face_pixels = {} } }; + const AnimationFrame bad_byte_count_frames[] { + { + .duration_ms = 100, + .face_pixels = { + LayerFacePixels { + .face_index = 0, + .x = 0, + .y = 0, + .width = 1, + .height = 1, + .rgba8 = {}, + }, + }, + }, + }; + const AnimationFrame outside_frames[] { + { + .duration_ms = 100, + .face_pixels = { + LayerFacePixels { + .face_index = 0, + .x = 63, + .y = 0, + .width = 2, + .height = 1, + .rgba8 = { 1, 2, 3, 4, 5, 6, 7, 8 }, + }, + }, + }, + }; + const DocumentLayerConfig bad_byte_count_layers[] { + { + .name = "Ink", + .frames = bad_byte_count_frames, + }, + }; + const DocumentLayerConfig outside_layers[] { + { + .name = "Ink", + .frames = outside_frames, + }, + }; + const DocumentLayerConfig layers[] { + { + .name = "Ink", + .frames = {}, + }, + }; + + const auto bad_layer_payload = CanvasDocument::create_from_snapshot(DocumentSnapshotConfig { + .width = 64, + .height = 64, + .layers = bad_byte_count_layers, + .frames = frames, + .selection_masks = {}, + }); + const auto outside_layer_payload = CanvasDocument::create_from_snapshot(DocumentSnapshotConfig { + .width = 64, + .height = 64, + .layers = outside_layers, + .frames = frames, + .selection_masks = {}, + }); + const auto bad_root_payload = CanvasDocument::create_from_snapshot(DocumentSnapshotConfig { + .width = 64, + .height = 64, + .layers = layers, + .frames = bad_byte_count_frames, + .selection_masks = {}, + }); + + PP_EXPECT(h, !bad_layer_payload.ok()); + PP_EXPECT(h, bad_layer_payload.status().code == StatusCode::invalid_argument); + PP_EXPECT(h, !outside_layer_payload.ok()); + PP_EXPECT(h, outside_layer_payload.status().code == StatusCode::out_of_range); + PP_EXPECT(h, !bad_root_payload.ok()); + 
PP_EXPECT(h, bad_root_payload.status().code == StatusCode::invalid_argument); +} + void manages_animation_frames_and_duration(pp::tests::Harness& h) { auto document_result = CanvasDocument::create( @@ -744,6 +826,7 @@ int main() harness.run("creates_document_from_snapshot_metadata", creates_document_from_snapshot_metadata); harness.run("preserves_per_layer_snapshot_timelines", preserves_per_layer_snapshot_timelines); harness.run("rejects_invalid_snapshot_metadata", rejects_invalid_snapshot_metadata); + harness.run("rejects_invalid_snapshot_face_pixels", rejects_invalid_snapshot_face_pixels); harness.run("manages_animation_frames_and_duration", manages_animation_frames_and_duration); harness.run("moves_frames_and_preserves_active_frame_identity", moves_frames_and_preserves_active_frame_identity); harness.run("rejects_invalid_animation_frame_operations", rejects_invalid_animation_frame_operations); diff --git a/tests/document/ppi_export_tests.cpp b/tests/document/ppi_export_tests.cpp index 32eb877..a84af20 100644 --- a/tests/document/ppi_export_tests.cpp +++ b/tests/document/ppi_export_tests.cpp @@ -122,7 +122,7 @@ void exports_document_metadata_and_face_payloads(pp::tests::Harness& h) PP_EXPECT(h, imported.value().face_pixel_payload_count() == 2U); } -void rejects_export_when_document_payload_cannot_encode(pp::tests::Harness& h) +void rejects_snapshot_payload_that_cannot_export(pp::tests::Harness& h) { const AnimationFrame root_frames[] { { .duration_ms = 100, .face_pixels = {} }, @@ -161,12 +161,8 @@ void rejects_export_when_document_payload_cannot_encode(pp::tests::Harness& h) .selection_masks = {}, }); - PP_EXPECT(h, document.ok()); - - const auto exported = export_ppi_project_document(document.value()); - - PP_EXPECT(h, !exported.ok()); - PP_EXPECT(h, exported.status().code == StatusCode::invalid_argument); + PP_EXPECT(h, !document.ok()); + PP_EXPECT(h, document.status().code == StatusCode::invalid_argument); } } 
@@ -175,6 +171,6 @@ int main() { pp::tests::Harness harness; harness.run("exports_document_metadata_and_face_payloads", exports_document_metadata_and_face_payloads); - harness.run("rejects_export_when_document_payload_cannot_encode", rejects_export_when_document_payload_cannot_encode); + harness.run("rejects_snapshot_payload_that_cannot_export", rejects_snapshot_payload_that_cannot_export); return harness.finish(); }
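Review bot: In `src/document/document.cpp`, the new `validate_frame_face_pixels` helper returns the inner `pixels_status` unchanged, so a rejected snapshot does not say which frame or which face payload failed. A snapshot can carry many layers and frames, and the caller only sees `invalid_argument` or `out_of_range`. Consider adding the frame index and `face_index` to the status message before returning it. Separately, the helper is declared `noexcept` but calls `validate_face_pixels`, whose declaration is not visible in this patch; please confirm that function is also `noexcept`, or drop the specifier here.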
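Review bot: The two call sites in `CanvasDocument::create_from_snapshot` validate in a different order. The layer path (hunk at -308) checks the whole `layer_frames` span before the duration loop. The root path (hunk at -333) checks one frame at a time through `std::span(&frame_config, 1)`, after that frame's duration check and with earlier frames already pushed to `document.frames_`. For the same kind of malformed snapshot, which error is reported therefore depends on whether the bad frame sits in a layer or at the root. Validating the root frame span once before its loop, as the layer path does, would remove the single-element span and make the error precedence the same on both paths.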
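Review bot: `rejects_invalid_snapshot_face_pixels` in `tests/document/document_tests.cpp` exercises the out-of-bounds case only for layer frames (`outside_layers`) and only on the x axis (`.x = 63, .width = 2`). The root-frame path is covered for byte count (`bad_root_payload`) but not for bounds. Please add a root-frame out-of-bounds case, a y-axis case, and a case where `x + width` would wrap a `std::uint32_t` (for example `x` near the maximum value with a small `width`), so the bounds check is pinned against integer wraparound. The patch describes the check as validating "bounds and byte counts" but no test uses an out-of-range `face_index`; if that field is validated as well, it deserves a case here.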
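Review bot: In `tests/document/ppi_export_tests.cpp`, the renamed `rejects_snapshot_payload_that_cannot_export` no longer calls `export_ppi_project_document` at all, so the exporter's own rejection of an unencodable payload (the removed `!exported.ok()` and `invalid_argument` assertions) has lost its only visible coverage. Snapshot validation is now the first gate, but the export check is still the last line of defence for documents that reach an invalid state some other way, such as payload replacement after construction. If such a document can still be built through the public API, keep an export-level negative test that builds it that way. If it cannot, note in the test or the roadmap that the export-side check is now unreachable by construction, so a later cleanup does not silently remove it.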