xref: /illumos-gate/usr/src/uts/common/fs/zfs/zcp.c (revision f22cbd2db87ae3945ed6a9166f8b9d61b65c6ab9)
1 /*
2  * CDDL HEADER START
3  *
4  * This file and its contents are supplied under the terms of the
5  * Common Development and Distribution License ("CDDL"), version 1.0.
6  * You may only use this file in accordance with the terms of version
7  * 1.0 of the CDDL.
8  *
9  * A full copy of the text of the CDDL should have accompanied this
10  * source.  A copy of the CDDL is also available via the Internet at
11  * http://www.illumos.org/license/CDDL.
12  *
13  * CDDL HEADER END
14  */
15 
16 /*
17  * Copyright (c) 2016, 2017 by Delphix. All rights reserved.
18  */
19 
20 /*
21  * ZFS Channel Programs (ZCP)
22  *
23  * The ZCP interface allows various ZFS commands and operations ZFS
24  * administrative operations (e.g. creating and destroying snapshots, typically
25  * performed via an ioctl to /dev/zfs by the zfs(1M) command and
26  * libzfs/libzfs_core) to be run * programmatically as a Lua script.  A ZCP
27  * script is run as a dsl_sync_task and fully executed during one transaction
28  * group sync.  This ensures that no other changes can be written concurrently
29  * with a running Lua script.  Combining multiple calls to the exposed ZFS
30  * functions into one script gives a number of benefits:
31  *
32  * 1. Atomicity.  For some compound or iterative operations, it's useful to be
33  * able to guarantee that the state of a pool has not changed between calls to
34  * ZFS.
35  *
36  * 2. Performance.  If a large number of changes need to be made (e.g. deleting
37  * many filesystems), there can be a significant performance penalty as a
38  * result of the need to wait for a transaction group sync to pass for every
39  * single operation.  When expressed as a single ZCP script, all these changes
40  * can be performed at once in one txg sync.
41  *
42  * A modified version of the Lua 5.2 interpreter is used to run channel program
43  * scripts. The Lua 5.2 manual can be found at:
44  *
45  *      http://www.lua.org/manual/5.2/
46  *
47  * If being run by a user (via an ioctl syscall), executing a ZCP script
48  * requires root privileges in the global zone.
49  *
50  * Scripts are passed to zcp_eval() as a string, then run in a synctask by
51  * zcp_eval_sync().  Arguments can be passed into the Lua script as an nvlist,
52  * which will be converted to a Lua table.  Similarly, values returned from
53  * a ZCP script will be converted to an nvlist.  See zcp_lua_to_nvlist_impl()
54  * for details on exact allowed types and conversion.
55  *
56  * ZFS functionality is exposed to a ZCP script as a library of function calls.
57  * These calls are sorted into submodules, such as zfs.list and zfs.sync, for
58  * iterators and synctasks, respectively.  Each of these submodules resides in
59  * its own source file, with a zcp_*_info structure describing each library
60  * call in the submodule.
61  *
62  * Error handling in ZCP scripts is handled by a number of different methods
63  * based on severity:
64  *
65  * 1. Memory and time limits are in place to prevent a channel program from
66  * consuming excessive system or running forever.  If one of these limits is
67  * hit, the channel program will be stopped immediately and return from
68  * zcp_eval() with an error code. No attempt will be made to roll back or undo
69  * any changes made by the channel program before the error occured.
70  * Consumers invoking zcp_eval() from elsewhere in the kernel may pass a time
71  * limit of 0, disabling the time limit.
72  *
73  * 2. Internal Lua errors can occur as a result of a syntax error, calling a
74  * library function with incorrect arguments, invoking the error() function,
75  * failing an assert(), or other runtime errors.  In these cases the channel
76  * program will stop executing and return from zcp_eval() with an error code.
77  * In place of a return value, an error message will also be returned in the
78  * 'result' nvlist containing information about the error. No attempt will be
79  * made to roll back or undo any changes made by the channel program before the
80  * error occured.
81  *
82  * 3. If an error occurs inside a ZFS library call which returns an error code,
83  * the error is returned to the Lua script to be handled as desired.
84  *
85  * In the first two cases, Lua's error-throwing mechanism is used, which
86  * longjumps out of the script execution with luaL_error() and returns with the
87  * error.
88  *
89  * See zfs-program(1M) for more information on high level usage.
90  */
91 
92 #include "lua.h"
93 #include "lualib.h"
94 #include "lauxlib.h"
95 
96 #include <sys/dsl_prop.h>
97 #include <sys/dsl_synctask.h>
98 #include <sys/dsl_dataset.h>
99 #include <sys/zcp.h>
100 #include <sys/zcp_iter.h>
101 #include <sys/zcp_prop.h>
102 #include <sys/zcp_global.h>
103 #include <util/sscanf.h>
104 
105 #define	ZCP_NVLIST_MAX_DEPTH 20
106 
107 uint64_t zfs_lua_check_instrlimit_interval = 100;
108 uint64_t zfs_lua_max_instrlimit = ZCP_MAX_INSTRLIMIT;
109 uint64_t zfs_lua_max_memlimit = ZCP_MAX_MEMLIMIT;
110 
111 /*
112  * Forward declarations for mutually recursive functions
113  */
114 static int zcp_nvpair_value_to_lua(lua_State *, nvpair_t *, char *, int);
115 static int zcp_lua_to_nvlist_impl(lua_State *, int, nvlist_t *, const char *,
116     int);
117 
118 typedef struct zcp_alloc_arg {
119 	boolean_t	aa_must_succeed;
120 	int64_t		aa_alloc_remaining;
121 	int64_t		aa_alloc_limit;
122 } zcp_alloc_arg_t;
123 
124 typedef struct zcp_eval_arg {
125 	lua_State	*ea_state;
126 	zcp_alloc_arg_t	*ea_allocargs;
127 	cred_t		*ea_cred;
128 	nvlist_t	*ea_outnvl;
129 	int		ea_result;
130 	uint64_t	ea_instrlimit;
131 } zcp_eval_arg_t;
132 
133 /*
134  * The outer-most error callback handler for use with lua_pcall(). On
135  * error Lua will call this callback with a single argument that
136  * represents the error value. In most cases this will be a string
137  * containing an error message, but channel programs can use Lua's
138  * error() function to return arbitrary objects as errors. This callback
139  * returns (on the Lua stack) the original error object along with a traceback.
140  *
141  * Fatal Lua errors can occur while resources are held, so we also call any
142  * registered cleanup function here.
143  */
144 static int
145 zcp_error_handler(lua_State *state)
146 {
147 	const char *msg;
148 
149 	zcp_cleanup(state);
150 
151 	VERIFY3U(1, ==, lua_gettop(state));
152 	msg = lua_tostring(state, 1);
153 	luaL_traceback(state, state, msg, 1);
154 	return (1);
155 }
156 
157 int
158 zcp_argerror(lua_State *state, int narg, const char *msg, ...)
159 {
160 	va_list alist;
161 
162 	va_start(alist, msg);
163 	const char *buf = lua_pushvfstring(state, msg, alist);
164 	va_end(alist);
165 
166 	return (luaL_argerror(state, narg, buf));
167 }
168 
169 /*
170  * Install a new cleanup function, which will be invoked with the given
171  * opaque argument if a fatal error causes the Lua interpreter to longjump out
172  * of a function call.
173  *
174  * If an error occurs, the cleanup function will be invoked exactly once and
175  * then unreigstered.
176  *
177  * Returns the registered cleanup handler so the caller can deregister it
178  * if no error occurs.
179  */
180 zcp_cleanup_handler_t *
181 zcp_register_cleanup(lua_State *state, zcp_cleanup_t cleanfunc, void *cleanarg)
182 {
183 	zcp_run_info_t *ri = zcp_run_info(state);
184 
185 	zcp_cleanup_handler_t *zch = kmem_alloc(sizeof (*zch), KM_SLEEP);
186 	zch->zch_cleanup_func = cleanfunc;
187 	zch->zch_cleanup_arg = cleanarg;
188 	list_insert_head(&ri->zri_cleanup_handlers, zch);
189 
190 	return (zch);
191 }
192 
193 void
194 zcp_deregister_cleanup(lua_State *state, zcp_cleanup_handler_t *zch)
195 {
196 	zcp_run_info_t *ri = zcp_run_info(state);
197 	list_remove(&ri->zri_cleanup_handlers, zch);
198 	kmem_free(zch, sizeof (*zch));
199 }
200 
201 /*
202  * Execute the currently registered cleanup handlers then free them and
203  * destroy the handler list.
204  */
205 void
206 zcp_cleanup(lua_State *state)
207 {
208 	zcp_run_info_t *ri = zcp_run_info(state);
209 
210 	for (zcp_cleanup_handler_t *zch =
211 	    list_remove_head(&ri->zri_cleanup_handlers); zch != NULL;
212 	    zch = list_remove_head(&ri->zri_cleanup_handlers)) {
213 		zch->zch_cleanup_func(zch->zch_cleanup_arg);
214 		kmem_free(zch, sizeof (*zch));
215 	}
216 }
217 
218 /*
219  * Convert the lua table at the given index on the Lua stack to an nvlist
220  * and return it.
221  *
222  * If the table can not be converted for any reason, NULL is returned and
223  * an error message is pushed onto the Lua stack.
224  */
225 static nvlist_t *
226 zcp_table_to_nvlist(lua_State *state, int index, int depth)
227 {
228 	nvlist_t *nvl;
229 	/*
230 	 * Converting a Lua table to an nvlist with key uniqueness checking is
231 	 * O(n^2) in the number of keys in the nvlist, which can take a long
232 	 * time when we return a large table from a channel program.
233 	 * Furthermore, Lua's table interface *almost* guarantees unique keys
234 	 * on its own (details below). Therefore, we don't use fnvlist_alloc()
235 	 * here to avoid the built-in uniqueness checking.
236 	 *
237 	 * The *almost* is because it's possible to have key collisions between
238 	 * e.g. the string "1" and the number 1, or the string "true" and the
239 	 * boolean true, so we explicitly check that when we're looking at a
240 	 * key which is an integer / boolean or a string that can be parsed as
241 	 * one of those types. In the worst case this could still devolve into
242 	 * O(n^2), so we only start doing these checks on boolean/integer keys
243 	 * once we've seen a string key which fits this weird usage pattern.
244 	 *
245 	 * Ultimately, we still want callers to know that the keys in this
246 	 * nvlist are unique, so before we return this we set the nvlist's
247 	 * flags to reflect that.
248 	 */
249 	VERIFY0(nvlist_alloc(&nvl, 0, KM_SLEEP));
250 
251 	/*
252 	 * Push an empty stack slot where lua_next() will store each
253 	 * table key.
254 	 */
255 	lua_pushnil(state);
256 	boolean_t saw_str_could_collide = B_FALSE;
257 	while (lua_next(state, index) != 0) {
258 		/*
259 		 * The next key-value pair from the table at index is
260 		 * now on the stack, with the key at stack slot -2 and
261 		 * the value at slot -1.
262 		 */
263 		int err = 0;
264 		char buf[32];
265 		const char *key = NULL;
266 		boolean_t key_could_collide = B_FALSE;
267 
268 		switch (lua_type(state, -2)) {
269 		case LUA_TSTRING:
270 			key = lua_tostring(state, -2);
271 
272 			/* check if this could collide with a number or bool */
273 			long long tmp;
274 			int parselen;
275 			if ((sscanf(key, "%lld%n", &tmp, &parselen) > 0 &&
276 			    parselen == strlen(key)) ||
277 			    strcmp(key, "true") == 0 ||
278 			    strcmp(key, "false") == 0) {
279 				key_could_collide = B_TRUE;
280 				saw_str_could_collide = B_TRUE;
281 			}
282 			break;
283 		case LUA_TBOOLEAN:
284 			key = (lua_toboolean(state, -2) == B_TRUE ?
285 			    "true" : "false");
286 			if (saw_str_could_collide) {
287 				key_could_collide = B_TRUE;
288 			}
289 			break;
290 		case LUA_TNUMBER:
291 			VERIFY3U(sizeof (buf), >,
292 			    snprintf(buf, sizeof (buf), "%lld",
293 			    (longlong_t)lua_tonumber(state, -2)));
294 			key = buf;
295 			if (saw_str_could_collide) {
296 				key_could_collide = B_TRUE;
297 			}
298 			break;
299 		default:
300 			fnvlist_free(nvl);
301 			(void) lua_pushfstring(state, "Invalid key "
302 			    "type '%s' in table",
303 			    lua_typename(state, lua_type(state, -2)));
304 			return (NULL);
305 		}
306 		/*
307 		 * Check for type-mismatched key collisions, and throw an error.
308 		 */
309 		if (key_could_collide && nvlist_exists(nvl, key)) {
310 			fnvlist_free(nvl);
311 			(void) lua_pushfstring(state, "Collision of "
312 			    "key '%s' in table", key);
313 			return (NULL);
314 		}
315 		/*
316 		 * Recursively convert the table value and insert into
317 		 * the new nvlist with the parsed key.  To prevent
318 		 * stack overflow on circular or heavily nested tables,
319 		 * we track the current nvlist depth.
320 		 */
321 		if (depth >= ZCP_NVLIST_MAX_DEPTH) {
322 			fnvlist_free(nvl);
323 			(void) lua_pushfstring(state, "Maximum table "
324 			    "depth (%d) exceeded for table",
325 			    ZCP_NVLIST_MAX_DEPTH);
326 			return (NULL);
327 		}
328 		err = zcp_lua_to_nvlist_impl(state, -1, nvl, key,
329 		    depth + 1);
330 		if (err != 0) {
331 			fnvlist_free(nvl);
332 			/*
333 			 * Error message has been pushed to the lua
334 			 * stack by the recursive call.
335 			 */
336 			return (NULL);
337 		}
338 		/*
339 		 * Pop the value pushed by lua_next().
340 		 */
341 		lua_pop(state, 1);
342 	}
343 
344 	/*
345 	 * Mark the nvlist as having unique keys. This is a little ugly, but we
346 	 * ensured above that there are no duplicate keys in the nvlist.
347 	 */
348 	nvl->nvl_nvflag |= NV_UNIQUE_NAME;
349 
350 	return (nvl);
351 }
352 
353 /*
354  * Convert a value from the given index into the lua stack to an nvpair, adding
355  * it to an nvlist with the given key.
356  *
357  * Values are converted as follows:
358  *
359  *   string -> string
360  *   number -> int64
361  *   boolean -> boolean
362  *   nil -> boolean (no value)
363  *
364  * Lua tables are converted to nvlists and then inserted. The table's keys
365  * are converted to strings then used as keys in the nvlist to store each table
366  * element.  Keys are converted as follows:
367  *
368  *   string -> no change
369  *   number -> "%lld"
370  *   boolean -> "true" | "false"
371  *   nil -> error
372  *
373  * In the case of a key collision, an error is thrown.
374  *
375  * If an error is encountered, a nonzero error code is returned, and an error
376  * string will be pushed onto the Lua stack.
377  */
378 static int
379 zcp_lua_to_nvlist_impl(lua_State *state, int index, nvlist_t *nvl,
380     const char *key, int depth)
381 {
382 	/*
383 	 * Verify that we have enough remaining space in the lua stack to parse
384 	 * a key-value pair and push an error.
385 	 */
386 	if (!lua_checkstack(state, 3)) {
387 		(void) lua_pushstring(state, "Lua stack overflow");
388 		return (1);
389 	}
390 
391 	index = lua_absindex(state, index);
392 
393 	switch (lua_type(state, index)) {
394 	case LUA_TNIL:
395 		fnvlist_add_boolean(nvl, key);
396 		break;
397 	case LUA_TBOOLEAN:
398 		fnvlist_add_boolean_value(nvl, key,
399 		    lua_toboolean(state, index));
400 		break;
401 	case LUA_TNUMBER:
402 		fnvlist_add_int64(nvl, key, lua_tonumber(state, index));
403 		break;
404 	case LUA_TSTRING:
405 		fnvlist_add_string(nvl, key, lua_tostring(state, index));
406 		break;
407 	case LUA_TTABLE: {
408 		nvlist_t *value_nvl = zcp_table_to_nvlist(state, index, depth);
409 		if (value_nvl == NULL)
410 			return (EINVAL);
411 
412 		fnvlist_add_nvlist(nvl, key, value_nvl);
413 		fnvlist_free(value_nvl);
414 		break;
415 	}
416 	default:
417 		(void) lua_pushfstring(state,
418 		    "Invalid value type '%s' for key '%s'",
419 		    lua_typename(state, lua_type(state, index)), key);
420 		return (EINVAL);
421 	}
422 
423 	return (0);
424 }
425 
426 /*
427  * Convert a lua value to an nvpair, adding it to an nvlist with the given key.
428  */
429 void
430 zcp_lua_to_nvlist(lua_State *state, int index, nvlist_t *nvl, const char *key)
431 {
432 	/*
433 	 * On error, zcp_lua_to_nvlist_impl pushes an error string onto the Lua
434 	 * stack before returning with a nonzero error code. If an error is
435 	 * returned, throw a fatal lua error with the given string.
436 	 */
437 	if (zcp_lua_to_nvlist_impl(state, index, nvl, key, 0) != 0)
438 		(void) lua_error(state);
439 }
440 
441 int
442 zcp_lua_to_nvlist_helper(lua_State *state)
443 {
444 	nvlist_t *nv = (nvlist_t *)lua_touserdata(state, 2);
445 	const char *key = (const char *)lua_touserdata(state, 1);
446 	zcp_lua_to_nvlist(state, 3, nv, key);
447 	return (0);
448 }
449 
450 void
451 zcp_convert_return_values(lua_State *state, nvlist_t *nvl,
452     const char *key, zcp_eval_arg_t *evalargs)
453 {
454 	int err;
455 	lua_pushcfunction(state, zcp_lua_to_nvlist_helper);
456 	lua_pushlightuserdata(state, (char *)key);
457 	lua_pushlightuserdata(state, nvl);
458 	lua_pushvalue(state, 1);
459 	lua_remove(state, 1);
460 	err = lua_pcall(state, 3, 0, 0); /* zcp_lua_to_nvlist_helper */
461 	if (err != 0) {
462 		zcp_lua_to_nvlist(state, 1, nvl, ZCP_RET_ERROR);
463 		evalargs->ea_result = SET_ERROR(ECHRNG);
464 	}
465 }
466 
467 /*
468  * Push a Lua table representing nvl onto the stack.  If it can't be
469  * converted, return EINVAL, fill in errbuf, and push nothing. errbuf may
470  * be specified as NULL, in which case no error string will be output.
471  *
472  * Most nvlists are converted as simple key->value Lua tables, but we make
473  * an exception for the case where all nvlist entries are BOOLEANs (a string
474  * key without a value). In Lua, a table key pointing to a value of Nil
475  * (no value) is equivalent to the key not existing, so a BOOLEAN nvlist
476  * entry can't be directly converted to a Lua table entry. Nvlists of entirely
477  * BOOLEAN entries are frequently used to pass around lists of datasets, so for
478  * convenience we check for this case, and convert it to a simple Lua array of
479  * strings.
480  */
481 int
482 zcp_nvlist_to_lua(lua_State *state, nvlist_t *nvl,
483     char *errbuf, int errbuf_len)
484 {
485 	nvpair_t *pair;
486 	lua_newtable(state);
487 	boolean_t has_values = B_FALSE;
488 	/*
489 	 * If the list doesn't have any values, just convert it to a string
490 	 * array.
491 	 */
492 	for (pair = nvlist_next_nvpair(nvl, NULL);
493 	    pair != NULL; pair = nvlist_next_nvpair(nvl, pair)) {
494 		if (nvpair_type(pair) != DATA_TYPE_BOOLEAN) {
495 			has_values = B_TRUE;
496 			break;
497 		}
498 	}
499 	if (!has_values) {
500 		int i = 1;
501 		for (pair = nvlist_next_nvpair(nvl, NULL);
502 		    pair != NULL; pair = nvlist_next_nvpair(nvl, pair)) {
503 			(void) lua_pushinteger(state, i);
504 			(void) lua_pushstring(state, nvpair_name(pair));
505 			(void) lua_settable(state, -3);
506 			i++;
507 		}
508 	} else {
509 		for (pair = nvlist_next_nvpair(nvl, NULL);
510 		    pair != NULL; pair = nvlist_next_nvpair(nvl, pair)) {
511 			int err = zcp_nvpair_value_to_lua(state, pair,
512 			    errbuf, errbuf_len);
513 			if (err != 0) {
514 				lua_pop(state, 1);
515 				return (err);
516 			}
517 			(void) lua_setfield(state, -2, nvpair_name(pair));
518 		}
519 	}
520 	return (0);
521 }
522 
523 /*
524  * Push a Lua object representing the value of "pair" onto the stack.
525  *
526  * Only understands boolean_value, string, int64, nvlist,
527  * string_array, and int64_array type values.  For other
528  * types, returns EINVAL, fills in errbuf, and pushes nothing.
529  */
530 static int
531 zcp_nvpair_value_to_lua(lua_State *state, nvpair_t *pair,
532     char *errbuf, int errbuf_len)
533 {
534 	int err = 0;
535 
536 	if (pair == NULL) {
537 		lua_pushnil(state);
538 		return (0);
539 	}
540 
541 	switch (nvpair_type(pair)) {
542 	case DATA_TYPE_BOOLEAN_VALUE:
543 		(void) lua_pushboolean(state,
544 		    fnvpair_value_boolean_value(pair));
545 		break;
546 	case DATA_TYPE_STRING:
547 		(void) lua_pushstring(state, fnvpair_value_string(pair));
548 		break;
549 	case DATA_TYPE_INT64:
550 		(void) lua_pushinteger(state, fnvpair_value_int64(pair));
551 		break;
552 	case DATA_TYPE_NVLIST:
553 		err = zcp_nvlist_to_lua(state,
554 		    fnvpair_value_nvlist(pair), errbuf, errbuf_len);
555 		break;
556 	case DATA_TYPE_STRING_ARRAY: {
557 		char **strarr;
558 		uint_t nelem;
559 		(void) nvpair_value_string_array(pair, &strarr, &nelem);
560 		lua_newtable(state);
561 		for (int i = 0; i < nelem; i++) {
562 			(void) lua_pushinteger(state, i + 1);
563 			(void) lua_pushstring(state, strarr[i]);
564 			(void) lua_settable(state, -3);
565 		}
566 		break;
567 	}
568 	case DATA_TYPE_UINT64_ARRAY: {
569 		uint64_t *intarr;
570 		uint_t nelem;
571 		(void) nvpair_value_uint64_array(pair, &intarr, &nelem);
572 		lua_newtable(state);
573 		for (int i = 0; i < nelem; i++) {
574 			(void) lua_pushinteger(state, i + 1);
575 			(void) lua_pushinteger(state, intarr[i]);
576 			(void) lua_settable(state, -3);
577 		}
578 		break;
579 	}
580 	case DATA_TYPE_INT64_ARRAY: {
581 		int64_t *intarr;
582 		uint_t nelem;
583 		(void) nvpair_value_int64_array(pair, &intarr, &nelem);
584 		lua_newtable(state);
585 		for (int i = 0; i < nelem; i++) {
586 			(void) lua_pushinteger(state, i + 1);
587 			(void) lua_pushinteger(state, intarr[i]);
588 			(void) lua_settable(state, -3);
589 		}
590 		break;
591 	}
592 	default: {
593 		if (errbuf != NULL) {
594 			(void) snprintf(errbuf, errbuf_len,
595 			    "Unhandled nvpair type %d for key '%s'",
596 			    nvpair_type(pair), nvpair_name(pair));
597 		}
598 		return (EINVAL);
599 	}
600 	}
601 	return (err);
602 }
603 
604 int
605 zcp_dataset_hold_error(lua_State *state, dsl_pool_t *dp, const char *dsname,
606     int error)
607 {
608 	if (error == ENOENT) {
609 		(void) zcp_argerror(state, 1, "no such dataset '%s'", dsname);
610 		return (NULL); /* not reached; zcp_argerror will longjmp */
611 	} else if (error == EXDEV) {
612 		(void) zcp_argerror(state, 1,
613 		    "dataset '%s' is not in the target pool '%s'",
614 		    dsname, spa_name(dp->dp_spa));
615 		return (NULL); /* not reached; zcp_argerror will longjmp */
616 	} else if (error == EIO) {
617 		(void) luaL_error(state,
618 		    "I/O error while accessing dataset '%s'", dsname);
619 		return (NULL); /* not reached; luaL_error will longjmp */
620 	} else if (error != 0) {
621 		(void) luaL_error(state,
622 		    "unexpected error %d while accessing dataset '%s'",
623 		    error, dsname);
624 		return (NULL); /* not reached; luaL_error will longjmp */
625 	}
626 	return (NULL);
627 }
628 
629 /*
630  * Note: will longjmp (via lua_error()) on error.
631  * Assumes that the dsname is argument #1 (for error reporting purposes).
632  */
633 dsl_dataset_t *
634 zcp_dataset_hold(lua_State *state, dsl_pool_t *dp, const char *dsname,
635     void *tag)
636 {
637 	dsl_dataset_t *ds;
638 	int error = dsl_dataset_hold(dp, dsname, tag, &ds);
639 	(void) zcp_dataset_hold_error(state, dp, dsname, error);
640 	return (ds);
641 }
642 
643 static int zcp_debug(lua_State *);
644 static zcp_lib_info_t zcp_debug_info = {
645 	.name = "debug",
646 	.func = zcp_debug,
647 	.pargs = {
648 	    { .za_name = "debug string", .za_lua_type = LUA_TSTRING},
649 	    {NULL, NULL}
650 	},
651 	.kwargs = {
652 	    {NULL, NULL}
653 	}
654 };
655 
656 static int
657 zcp_debug(lua_State *state)
658 {
659 	const char *dbgstring;
660 	zcp_run_info_t *ri = zcp_run_info(state);
661 	zcp_lib_info_t *libinfo = &zcp_debug_info;
662 
663 	zcp_parse_args(state, libinfo->name, libinfo->pargs, libinfo->kwargs);
664 
665 	dbgstring = lua_tostring(state, 1);
666 
667 	zfs_dbgmsg("txg %lld ZCP: %s", ri->zri_tx->tx_txg, dbgstring);
668 
669 	return (0);
670 }
671 
672 static int zcp_exists(lua_State *);
673 static zcp_lib_info_t zcp_exists_info = {
674 	.name = "exists",
675 	.func = zcp_exists,
676 	.pargs = {
677 	    { .za_name = "dataset", .za_lua_type = LUA_TSTRING},
678 	    {NULL, NULL}
679 	},
680 	.kwargs = {
681 	    {NULL, NULL}
682 	}
683 };
684 
685 static int
686 zcp_exists(lua_State *state)
687 {
688 	zcp_run_info_t *ri = zcp_run_info(state);
689 	dsl_pool_t *dp = ri->zri_pool;
690 	zcp_lib_info_t *libinfo = &zcp_exists_info;
691 
692 	zcp_parse_args(state, libinfo->name, libinfo->pargs, libinfo->kwargs);
693 
694 	const char *dsname = lua_tostring(state, 1);
695 
696 	dsl_dataset_t *ds;
697 	int error = dsl_dataset_hold(dp, dsname, FTAG, &ds);
698 	if (error == 0) {
699 		dsl_dataset_rele(ds, FTAG);
700 		lua_pushboolean(state, B_TRUE);
701 	} else if (error == ENOENT) {
702 		lua_pushboolean(state, B_FALSE);
703 	} else if (error == EXDEV) {
704 		return (luaL_error(state, "dataset '%s' is not in the "
705 		    "target pool", dsname));
706 	} else if (error == EIO) {
707 		return (luaL_error(state, "I/O error opening dataset '%s'",
708 		    dsname));
709 	} else if (error != 0) {
710 		return (luaL_error(state, "unexpected error %d", error));
711 	}
712 
713 	return (1);
714 }
715 
716 /*
717  * Allocate/realloc/free a buffer for the lua interpreter.
718  *
719  * When nsize is 0, behaves as free() and returns NULL.
720  *
721  * If ptr is NULL, behaves as malloc() and returns an allocated buffer of size
722  * at least nsize.
723  *
724  * Otherwise, behaves as realloc(), changing the allocation from osize to nsize.
725  * Shrinking the buffer size never fails.
726  *
727  * The original allocated buffer size is stored as a uint64 at the beginning of
728  * the buffer to avoid actually reallocating when shrinking a buffer, since lua
729  * requires that this operation never fail.
730  */
731 static void *
732 zcp_lua_alloc(void *ud, void *ptr, size_t osize, size_t nsize)
733 {
734 	zcp_alloc_arg_t *allocargs = ud;
735 	int flags = (allocargs->aa_must_succeed) ?
736 	    KM_SLEEP : (KM_NOSLEEP | KM_NORMALPRI);
737 
738 	if (nsize == 0) {
739 		if (ptr != NULL) {
740 			int64_t *allocbuf = (int64_t *)ptr - 1;
741 			int64_t allocsize = *allocbuf;
742 			ASSERT3S(allocsize, >, 0);
743 			ASSERT3S(allocargs->aa_alloc_remaining + allocsize, <=,
744 			    allocargs->aa_alloc_limit);
745 			allocargs->aa_alloc_remaining += allocsize;
746 			kmem_free(allocbuf, allocsize);
747 		}
748 		return (NULL);
749 	} else if (ptr == NULL) {
750 		int64_t *allocbuf;
751 		int64_t allocsize = nsize + sizeof (int64_t);
752 
753 		if (!allocargs->aa_must_succeed &&
754 		    (allocsize <= 0 ||
755 		    allocsize > allocargs->aa_alloc_remaining)) {
756 			return (NULL);
757 		}
758 
759 		allocbuf = kmem_alloc(allocsize, flags);
760 		if (allocbuf == NULL) {
761 			return (NULL);
762 		}
763 		allocargs->aa_alloc_remaining -= allocsize;
764 
765 		*allocbuf = allocsize;
766 		return (allocbuf + 1);
767 	} else if (nsize <= osize) {
768 		/*
769 		 * If shrinking the buffer, lua requires that the reallocation
770 		 * never fail.
771 		 */
772 		return (ptr);
773 	} else {
774 		ASSERT3U(nsize, >, osize);
775 
776 		uint64_t *luabuf = zcp_lua_alloc(ud, NULL, 0, nsize);
777 		if (luabuf == NULL) {
778 			return (NULL);
779 		}
780 		(void) memcpy(luabuf, ptr, osize);
781 		VERIFY3P(zcp_lua_alloc(ud, ptr, osize, 0), ==, NULL);
782 		return (luabuf);
783 	}
784 }
785 
786 /* ARGSUSED */
787 static void
788 zcp_lua_counthook(lua_State *state, lua_Debug *ar)
789 {
790 	/*
791 	 * If we're called, check how many instructions the channel program has
792 	 * executed so far, and compare against the limit.
793 	 */
794 	lua_getfield(state, LUA_REGISTRYINDEX, ZCP_RUN_INFO_KEY);
795 	zcp_run_info_t *ri = lua_touserdata(state, -1);
796 
797 	ri->zri_curinstrs += zfs_lua_check_instrlimit_interval;
798 	if (ri->zri_maxinstrs != 0 && ri->zri_curinstrs > ri->zri_maxinstrs) {
799 		ri->zri_timed_out = B_TRUE;
800 		(void) lua_pushstring(state,
801 		    "Channel program timed out.");
802 		(void) lua_error(state);
803 	}
804 }
805 
806 static int
807 zcp_panic_cb(lua_State *state)
808 {
809 	panic("unprotected error in call to Lua API (%s)\n",
810 	    lua_tostring(state, -1));
811 	return (0);
812 }
813 
814 static void
815 zcp_eval_impl(dmu_tx_t *tx, boolean_t sync, zcp_eval_arg_t *evalargs)
816 {
817 	int err;
818 	zcp_run_info_t ri;
819 	lua_State *state = evalargs->ea_state;
820 
821 	VERIFY3U(3, ==, lua_gettop(state));
822 
823 	/*
824 	 * Store the zcp_run_info_t struct for this run in the Lua registry.
825 	 * Registry entries are not directly accessible by the Lua scripts but
826 	 * can be accessed by our callbacks.
827 	 */
828 	ri.zri_space_used = 0;
829 	ri.zri_pool = dmu_tx_pool(tx);
830 	ri.zri_cred = evalargs->ea_cred;
831 	ri.zri_tx = tx;
832 	ri.zri_timed_out = B_FALSE;
833 	ri.zri_sync = sync;
834 	list_create(&ri.zri_cleanup_handlers, sizeof (zcp_cleanup_handler_t),
835 	    offsetof(zcp_cleanup_handler_t, zch_node));
836 	ri.zri_curinstrs = 0;
837 	ri.zri_maxinstrs = evalargs->ea_instrlimit;
838 
839 	lua_pushlightuserdata(state, &ri);
840 	lua_setfield(state, LUA_REGISTRYINDEX, ZCP_RUN_INFO_KEY);
841 	VERIFY3U(3, ==, lua_gettop(state));
842 
843 	/*
844 	 * Tell the Lua interpreter to call our handler every count
845 	 * instructions. Channel programs that execute too many instructions
846 	 * should die with ETIME.
847 	 */
848 	(void) lua_sethook(state, zcp_lua_counthook, LUA_MASKCOUNT,
849 	    zfs_lua_check_instrlimit_interval);
850 
851 	/*
852 	 * Tell the Lua memory allocator to stop using KM_SLEEP before handing
853 	 * off control to the channel program. Channel programs that use too
854 	 * much memory should die with ENOSPC.
855 	 */
856 	evalargs->ea_allocargs->aa_must_succeed = B_FALSE;
857 
858 	/*
859 	 * Call the Lua function that open-context passed us. This pops the
860 	 * function and its input from the stack and pushes any return
861 	 * or error values.
862 	 */
863 	err = lua_pcall(state, 1, LUA_MULTRET, 1);
864 
865 	/*
866 	 * Let Lua use KM_SLEEP while we interpret the return values.
867 	 */
868 	evalargs->ea_allocargs->aa_must_succeed = B_TRUE;
869 
870 	/*
871 	 * Remove the error handler callback from the stack. At this point,
872 	 * there shouldn't be any cleanup handler registered in the handler
873 	 * list (zri_cleanup_handlers), regardless of whether it ran or not.
874 	 */
875 	list_destroy(&ri.zri_cleanup_handlers);
876 	lua_remove(state, 1);
877 
878 	switch (err) {
879 	case LUA_OK: {
880 		/*
881 		 * Lua supports returning multiple values in a single return
882 		 * statement.  Return values will have been pushed onto the
883 		 * stack:
884 		 * 1: Return value 1
885 		 * 2: Return value 2
886 		 * 3: etc...
887 		 * To simplify the process of retrieving a return value from a
888 		 * channel program, we disallow returning more than one value
889 		 * to ZFS from the Lua script, yielding a singleton return
890 		 * nvlist of the form { "return": Return value 1 }.
891 		 */
892 		int return_count = lua_gettop(state);
893 
894 		if (return_count == 1) {
895 			evalargs->ea_result = 0;
896 			zcp_convert_return_values(state, evalargs->ea_outnvl,
897 			    ZCP_RET_RETURN, evalargs);
898 		} else if (return_count > 1) {
899 			evalargs->ea_result = SET_ERROR(ECHRNG);
900 			(void) lua_pushfstring(state, "Multiple return "
901 			    "values not supported");
902 			zcp_convert_return_values(state, evalargs->ea_outnvl,
903 			    ZCP_RET_ERROR, evalargs);
904 		}
905 		break;
906 	}
907 	case LUA_ERRRUN:
908 	case LUA_ERRGCMM: {
909 		/*
910 		 * The channel program encountered a fatal error within the
911 		 * script, such as failing an assertion, or calling a function
912 		 * with incompatible arguments. The error value and the
913 		 * traceback generated by zcp_error_handler() should be on the
914 		 * stack.
915 		 */
916 		VERIFY3U(1, ==, lua_gettop(state));
917 		if (ri.zri_timed_out) {
918 			evalargs->ea_result = SET_ERROR(ETIME);
919 		} else {
920 			evalargs->ea_result = SET_ERROR(ECHRNG);
921 		}
922 
923 		zcp_convert_return_values(state, evalargs->ea_outnvl,
924 		    ZCP_RET_ERROR, evalargs);
925 		break;
926 	}
927 	case LUA_ERRERR: {
928 		/*
929 		 * The channel program encountered a fatal error within the
930 		 * script, and we encountered another error while trying to
931 		 * compute the traceback in zcp_error_handler(). We can only
932 		 * return the error message.
933 		 */
934 		VERIFY3U(1, ==, lua_gettop(state));
935 		if (ri.zri_timed_out) {
936 			evalargs->ea_result = SET_ERROR(ETIME);
937 		} else {
938 			evalargs->ea_result = SET_ERROR(ECHRNG);
939 		}
940 
941 		zcp_convert_return_values(state, evalargs->ea_outnvl,
942 		    ZCP_RET_ERROR, evalargs);
943 		break;
944 	}
945 	case LUA_ERRMEM:
946 		/*
947 		 * Lua ran out of memory while running the channel program.
948 		 * There's not much we can do.
949 		 */
950 		evalargs->ea_result = SET_ERROR(ENOSPC);
951 		break;
952 	default:
953 		VERIFY0(err);
954 	}
955 }
956 
957 static void
958 zcp_pool_error(zcp_eval_arg_t *evalargs, const char *poolname)
959 {
960 	evalargs->ea_result = SET_ERROR(ECHRNG);
961 	(void) lua_pushfstring(evalargs->ea_state, "Could not open pool: %s",
962 	    poolname);
963 	zcp_convert_return_values(evalargs->ea_state, evalargs->ea_outnvl,
964 	    ZCP_RET_ERROR, evalargs);
965 
966 }
967 
968 static void
969 zcp_eval_sync(void *arg, dmu_tx_t *tx)
970 {
971 	zcp_eval_arg_t *evalargs = arg;
972 
973 	/*
974 	 * Open context should have setup the stack to contain:
975 	 * 1: Error handler callback
976 	 * 2: Script to run (converted to a Lua function)
977 	 * 3: nvlist input to function (converted to Lua table or nil)
978 	 */
979 	VERIFY3U(3, ==, lua_gettop(evalargs->ea_state));
980 
981 	zcp_eval_impl(tx, B_TRUE, evalargs);
982 }
983 
984 static void
985 zcp_eval_open(zcp_eval_arg_t *evalargs, const char *poolname)
986 {
987 
988 	int error;
989 	dsl_pool_t *dp;
990 	dmu_tx_t *tx;
991 
992 	/*
993 	 * See comment from the same assertion in zcp_eval_sync().
994 	 */
995 	VERIFY3U(3, ==, lua_gettop(evalargs->ea_state));
996 
997 	error = dsl_pool_hold(poolname, FTAG, &dp);
998 	if (error != 0) {
999 		zcp_pool_error(evalargs, poolname);
1000 		return;
1001 	}
1002 
1003 	/*
1004 	 * As we are running in open-context, we have no transaction associated
1005 	 * with the channel program. At the same time, functions from the
1006 	 * zfs.check submodule need to be associated with a transaction as
1007 	 * they are basically dry-runs of their counterparts in the zfs.sync
1008 	 * submodule. These functions should be able to run in open-context.
1009 	 * Therefore we create a new transaction that we later abort once
1010 	 * the channel program has been evaluated.
1011 	 */
1012 	tx = dmu_tx_create_dd(dp->dp_mos_dir);
1013 
1014 	zcp_eval_impl(tx, B_FALSE, evalargs);
1015 
1016 	dmu_tx_abort(tx);
1017 
1018 	dsl_pool_rele(dp, FTAG);
1019 }
1020 
1021 int
1022 zcp_eval(const char *poolname, const char *program, boolean_t sync,
1023     uint64_t instrlimit, uint64_t memlimit, nvpair_t *nvarg, nvlist_t *outnvl)
1024 {
1025 	int err;
1026 	lua_State *state;
1027 	zcp_eval_arg_t evalargs;
1028 
1029 	if (instrlimit > zfs_lua_max_instrlimit)
1030 		return (SET_ERROR(EINVAL));
1031 	if (memlimit == 0 || memlimit > zfs_lua_max_memlimit)
1032 		return (SET_ERROR(EINVAL));
1033 
1034 	zcp_alloc_arg_t allocargs = {
1035 		.aa_must_succeed = B_TRUE,
1036 		.aa_alloc_remaining = (int64_t)memlimit,
1037 		.aa_alloc_limit = (int64_t)memlimit,
1038 	};
1039 
1040 	/*
1041 	 * Creates a Lua state with a memory allocator that uses KM_SLEEP.
1042 	 * This should never fail.
1043 	 */
1044 	state = lua_newstate(zcp_lua_alloc, &allocargs);
1045 	VERIFY(state != NULL);
1046 	(void) lua_atpanic(state, zcp_panic_cb);
1047 
1048 	/*
1049 	 * Load core Lua libraries we want access to.
1050 	 */
1051 	VERIFY3U(1, ==, luaopen_base(state));
1052 	lua_pop(state, 1);
1053 	VERIFY3U(1, ==, luaopen_coroutine(state));
1054 	lua_setglobal(state, LUA_COLIBNAME);
1055 	VERIFY0(lua_gettop(state));
1056 	VERIFY3U(1, ==, luaopen_string(state));
1057 	lua_setglobal(state, LUA_STRLIBNAME);
1058 	VERIFY0(lua_gettop(state));
1059 	VERIFY3U(1, ==, luaopen_table(state));
1060 	lua_setglobal(state, LUA_TABLIBNAME);
1061 	VERIFY0(lua_gettop(state));
1062 
1063 	/*
1064 	 * Load globally visible variables such as errno aliases.
1065 	 */
1066 	zcp_load_globals(state);
1067 	VERIFY0(lua_gettop(state));
1068 
1069 	/*
1070 	 * Load ZFS-specific modules.
1071 	 */
1072 	lua_newtable(state);
1073 	VERIFY3U(1, ==, zcp_load_list_lib(state));
1074 	lua_setfield(state, -2, "list");
1075 	VERIFY3U(1, ==, zcp_load_synctask_lib(state, B_FALSE));
1076 	lua_setfield(state, -2, "check");
1077 	VERIFY3U(1, ==, zcp_load_synctask_lib(state, B_TRUE));
1078 	lua_setfield(state, -2, "sync");
1079 	VERIFY3U(1, ==, zcp_load_get_lib(state));
1080 	lua_pushcclosure(state, zcp_debug_info.func, 0);
1081 	lua_setfield(state, -2, zcp_debug_info.name);
1082 	lua_pushcclosure(state, zcp_exists_info.func, 0);
1083 	lua_setfield(state, -2, zcp_exists_info.name);
1084 	lua_setglobal(state, "zfs");
1085 	VERIFY0(lua_gettop(state));
1086 
1087 	/*
1088 	 * Push the error-callback that calculates Lua stack traces on
1089 	 * unexpected failures.
1090 	 */
1091 	lua_pushcfunction(state, zcp_error_handler);
1092 	VERIFY3U(1, ==, lua_gettop(state));
1093 
1094 	/*
1095 	 * Load the actual script as a function onto the stack as text ("t").
1096 	 * The only valid error condition is a syntax error in the script.
1097 	 * ERRMEM should not be possible because our allocator is using
1098 	 * KM_SLEEP.  ERRGCMM should not be possible because we have not added
1099 	 * any objects with __gc metamethods to the interpreter that could
1100 	 * fail.
1101 	 */
1102 	err = luaL_loadbufferx(state, program, strlen(program),
1103 	    "channel program", "t");
1104 	if (err == LUA_ERRSYNTAX) {
1105 		fnvlist_add_string(outnvl, ZCP_RET_ERROR,
1106 		    lua_tostring(state, -1));
1107 		lua_close(state);
1108 		return (SET_ERROR(EINVAL));
1109 	}
1110 	VERIFY0(err);
1111 	VERIFY3U(2, ==, lua_gettop(state));
1112 
1113 	/*
1114 	 * Convert the input nvlist to a Lua object and put it on top of the
1115 	 * stack.
1116 	 */
1117 	char errmsg[128];
1118 	err = zcp_nvpair_value_to_lua(state, nvarg,
1119 	    errmsg, sizeof (errmsg));
1120 	if (err != 0) {
1121 		fnvlist_add_string(outnvl, ZCP_RET_ERROR, errmsg);
1122 		lua_close(state);
1123 		return (SET_ERROR(EINVAL));
1124 	}
1125 	VERIFY3U(3, ==, lua_gettop(state));
1126 
1127 	evalargs.ea_state = state;
1128 	evalargs.ea_allocargs = &allocargs;
1129 	evalargs.ea_instrlimit = instrlimit;
1130 	evalargs.ea_cred = CRED();
1131 	evalargs.ea_outnvl = outnvl;
1132 	evalargs.ea_result = 0;
1133 
1134 	if (sync) {
1135 		err = dsl_sync_task(poolname, NULL,
1136 		    zcp_eval_sync, &evalargs, 0, ZFS_SPACE_CHECK_ZCP_EVAL);
1137 		if (err != 0)
1138 			zcp_pool_error(&evalargs, poolname);
1139 	} else {
1140 		zcp_eval_open(&evalargs, poolname);
1141 	}
1142 	lua_close(state);
1143 
1144 	return (evalargs.ea_result);
1145 }
1146 
1147 /*
1148  * Retrieve metadata about the currently running channel program.
1149  */
1150 zcp_run_info_t *
1151 zcp_run_info(lua_State *state)
1152 {
1153 	zcp_run_info_t *ri;
1154 
1155 	lua_getfield(state, LUA_REGISTRYINDEX, ZCP_RUN_INFO_KEY);
1156 	ri = lua_touserdata(state, -1);
1157 	lua_pop(state, 1);
1158 	return (ri);
1159 }
1160 
1161 /*
1162  * Argument Parsing
1163  * ================
1164  *
1165  * The Lua language allows methods to be called with any number
1166  * of arguments of any type. When calling back into ZFS we need to sanitize
1167  * arguments from channel programs to make sure unexpected arguments or
1168  * arguments of the wrong type result in clear error messages. To do this
1169  * in a uniform way all callbacks from channel programs should use the
1170  * zcp_parse_args() function to interpret inputs.
1171  *
1172  * Positional vs Keyword Arguments
1173  * ===============================
1174  *
1175  * Every callback function takes a fixed set of required positional arguments
1176  * and optional keyword arguments. For example, the destroy function takes
1177  * a single positional string argument (the name of the dataset to destroy)
1178  * and an optional "defer" keyword boolean argument. When calling lua functions
1179  * with parentheses, only positional arguments can be used:
1180  *
1181  *     zfs.sync.snapshot("rpool@snap")
1182  *
1183  * To use keyword arguments functions should be called with a single argument
1184  * that is a lua table containing mappings of integer -> positional arguments
1185  * and string -> keyword arguments:
1186  *
1187  *     zfs.sync.snapshot({1="rpool@snap", defer=true})
1188  *
1189  * The lua language allows curly braces to be used in place of parenthesis as
1190  * syntactic sugar for this calling convention:
1191  *
1192  *     zfs.sync.snapshot{"rpool@snap", defer=true}
1193  */
1194 
1195 /*
1196  * Throw an error and print the given arguments.  If there are too many
1197  * arguments to fit in the output buffer, only the error format string is
1198  * output.
1199  */
1200 static void
1201 zcp_args_error(lua_State *state, const char *fname, const zcp_arg_t *pargs,
1202     const zcp_arg_t *kwargs, const char *fmt, ...)
1203 {
1204 	int i;
1205 	char errmsg[512];
1206 	size_t len = sizeof (errmsg);
1207 	size_t msglen = 0;
1208 	va_list argp;
1209 
1210 	va_start(argp, fmt);
1211 	VERIFY3U(len, >, vsnprintf(errmsg, len, fmt, argp));
1212 	va_end(argp);
1213 
1214 	/*
1215 	 * Calculate the total length of the final string, including extra
1216 	 * formatting characters. If the argument dump would be too large,
1217 	 * only print the error string.
1218 	 */
1219 	msglen = strlen(errmsg);
1220 	msglen += strlen(fname) + 4; /* : + {} + null terminator */
1221 	for (i = 0; pargs[i].za_name != NULL; i++) {
1222 		msglen += strlen(pargs[i].za_name);
1223 		msglen += strlen(lua_typename(state, pargs[i].za_lua_type));
1224 		if (pargs[i + 1].za_name != NULL || kwargs[0].za_name != NULL)
1225 			msglen += 5; /* < + ( + )> + , */
1226 		else
1227 			msglen += 4; /* < + ( + )> */
1228 	}
1229 	for (i = 0; kwargs[i].za_name != NULL; i++) {
1230 		msglen += strlen(kwargs[i].za_name);
1231 		msglen += strlen(lua_typename(state, kwargs[i].za_lua_type));
1232 		if (kwargs[i + 1].za_name != NULL)
1233 			msglen += 4; /* =( + ) + , */
1234 		else
1235 			msglen += 3; /* =( + ) */
1236 	}
1237 
1238 	if (msglen >= len)
1239 		(void) luaL_error(state, errmsg);
1240 
1241 	VERIFY3U(len, >, strlcat(errmsg, ": ", len));
1242 	VERIFY3U(len, >, strlcat(errmsg, fname, len));
1243 	VERIFY3U(len, >, strlcat(errmsg, "{", len));
1244 	for (i = 0; pargs[i].za_name != NULL; i++) {
1245 		VERIFY3U(len, >, strlcat(errmsg, "<", len));
1246 		VERIFY3U(len, >, strlcat(errmsg, pargs[i].za_name, len));
1247 		VERIFY3U(len, >, strlcat(errmsg, "(", len));
1248 		VERIFY3U(len, >, strlcat(errmsg,
1249 		    lua_typename(state, pargs[i].za_lua_type), len));
1250 		VERIFY3U(len, >, strlcat(errmsg, ")>", len));
1251 		if (pargs[i + 1].za_name != NULL || kwargs[0].za_name != NULL) {
1252 			VERIFY3U(len, >, strlcat(errmsg, ", ", len));
1253 		}
1254 	}
1255 	for (i = 0; kwargs[i].za_name != NULL; i++) {
1256 		VERIFY3U(len, >, strlcat(errmsg, kwargs[i].za_name, len));
1257 		VERIFY3U(len, >, strlcat(errmsg, "=(", len));
1258 		VERIFY3U(len, >, strlcat(errmsg,
1259 		    lua_typename(state, kwargs[i].za_lua_type), len));
1260 		VERIFY3U(len, >, strlcat(errmsg, ")", len));
1261 		if (kwargs[i + 1].za_name != NULL) {
1262 			VERIFY3U(len, >, strlcat(errmsg, ", ", len));
1263 		}
1264 	}
1265 	VERIFY3U(len, >, strlcat(errmsg, "}", len));
1266 
1267 	(void) luaL_error(state, errmsg);
1268 	panic("unreachable code");
1269 }
1270 
1271 static void
1272 zcp_parse_table_args(lua_State *state, const char *fname,
1273     const zcp_arg_t *pargs, const zcp_arg_t *kwargs)
1274 {
1275 	int i;
1276 	int type;
1277 
1278 	for (i = 0; pargs[i].za_name != NULL; i++) {
1279 		/*
1280 		 * Check the table for this positional argument, leaving it
1281 		 * on the top of the stack once we finish validating it.
1282 		 */
1283 		lua_pushinteger(state, i + 1);
1284 		lua_gettable(state, 1);
1285 
1286 		type = lua_type(state, -1);
1287 		if (type == LUA_TNIL) {
1288 			zcp_args_error(state, fname, pargs, kwargs,
1289 			    "too few arguments");
1290 			panic("unreachable code");
1291 		} else if (type != pargs[i].za_lua_type) {
1292 			zcp_args_error(state, fname, pargs, kwargs,
1293 			    "arg %d wrong type (is '%s', expected '%s')",
1294 			    i + 1, lua_typename(state, type),
1295 			    lua_typename(state, pargs[i].za_lua_type));
1296 			panic("unreachable code");
1297 		}
1298 
1299 		/*
1300 		 * Remove the positional argument from the table.
1301 		 */
1302 		lua_pushinteger(state, i + 1);
1303 		lua_pushnil(state);
1304 		lua_settable(state, 1);
1305 	}
1306 
1307 	for (i = 0; kwargs[i].za_name != NULL; i++) {
1308 		/*
1309 		 * Check the table for this keyword argument, which may be
1310 		 * nil if it was omitted. Leave the value on the top of
1311 		 * the stack after validating it.
1312 		 */
1313 		lua_getfield(state, 1, kwargs[i].za_name);
1314 
1315 		type = lua_type(state, -1);
1316 		if (type != LUA_TNIL && type != kwargs[i].za_lua_type) {
1317 			zcp_args_error(state, fname, pargs, kwargs,
1318 			    "kwarg '%s' wrong type (is '%s', expected '%s')",
1319 			    kwargs[i].za_name, lua_typename(state, type),
1320 			    lua_typename(state, kwargs[i].za_lua_type));
1321 			panic("unreachable code");
1322 		}
1323 
1324 		/*
1325 		 * Remove the keyword argument from the table.
1326 		 */
1327 		lua_pushnil(state);
1328 		lua_setfield(state, 1, kwargs[i].za_name);
1329 	}
1330 
1331 	/*
1332 	 * Any entries remaining in the table are invalid inputs, print
1333 	 * an error message based on what the entry is.
1334 	 */
1335 	lua_pushnil(state);
1336 	if (lua_next(state, 1)) {
1337 		if (lua_isnumber(state, -2) && lua_tointeger(state, -2) > 0) {
1338 			zcp_args_error(state, fname, pargs, kwargs,
1339 			    "too many positional arguments");
1340 		} else if (lua_isstring(state, -2)) {
1341 			zcp_args_error(state, fname, pargs, kwargs,
1342 			    "invalid kwarg '%s'", lua_tostring(state, -2));
1343 		} else {
1344 			zcp_args_error(state, fname, pargs, kwargs,
1345 			    "kwarg keys must be strings");
1346 		}
1347 		panic("unreachable code");
1348 	}
1349 
1350 	lua_remove(state, 1);
1351 }
1352 
1353 static void
1354 zcp_parse_pos_args(lua_State *state, const char *fname, const zcp_arg_t *pargs,
1355     const zcp_arg_t *kwargs)
1356 {
1357 	int i;
1358 	int type;
1359 
1360 	for (i = 0; pargs[i].za_name != NULL; i++) {
1361 		type = lua_type(state, i + 1);
1362 		if (type == LUA_TNONE) {
1363 			zcp_args_error(state, fname, pargs, kwargs,
1364 			    "too few arguments");
1365 			panic("unreachable code");
1366 		} else if (type != pargs[i].za_lua_type) {
1367 			zcp_args_error(state, fname, pargs, kwargs,
1368 			    "arg %d wrong type (is '%s', expected '%s')",
1369 			    i + 1, lua_typename(state, type),
1370 			    lua_typename(state, pargs[i].za_lua_type));
1371 			panic("unreachable code");
1372 		}
1373 	}
1374 	if (lua_gettop(state) != i) {
1375 		zcp_args_error(state, fname, pargs, kwargs,
1376 		    "too many positional arguments");
1377 		panic("unreachable code");
1378 	}
1379 
1380 	for (i = 0; kwargs[i].za_name != NULL; i++) {
1381 		lua_pushnil(state);
1382 	}
1383 }
1384 
1385 /*
1386  * Checks the current Lua stack against an expected set of positional and
1387  * keyword arguments. If the stack does not match the expected arguments
1388  * aborts the current channel program with a useful error message, otherwise
1389  * it re-arranges the stack so that it contains the positional arguments
1390  * followed by the keyword argument values in declaration order. Any missing
1391  * keyword argument will be represented by a nil value on the stack.
1392  *
1393  * If the stack contains exactly one argument of type LUA_TTABLE the curly
1394  * braces calling convention is assumed, otherwise the stack is parsed for
1395  * positional arguments only.
1396  *
1397  * This function should be used by every function callback. It should be called
1398  * before the callback manipulates the Lua stack as it assumes the stack
1399  * represents the function arguments.
1400  */
1401 void
1402 zcp_parse_args(lua_State *state, const char *fname, const zcp_arg_t *pargs,
1403     const zcp_arg_t *kwargs)
1404 {
1405 	if (lua_gettop(state) == 1 && lua_istable(state, 1)) {
1406 		zcp_parse_table_args(state, fname, pargs, kwargs);
1407 	} else {
1408 		zcp_parse_pos_args(state, fname, pargs, kwargs);
1409 	}
1410 }
1411