fix(go): utf8-utf16 encoding (#792)

*Issue #, if available:*

*Description of changes:*

aws/private-aws-encryption-sdk-javascript-staging#764

By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice.

---------

Co-authored-by: Shubham Chaturvedi <scchatur@amazon.com>

Author: ShubhamChaturvedi7

.gitmodules

@@ -4,4 +4,4 @@
 [submodule "TestModels/dafny-dependencies/dafny"]
 	path = TestModels/dafny-dependencies/dafny
 	url = https://github.com/dafny-lang/dafny.git
-	branch = actions-and-streaming-stdlibs
+	branch = actions-and-streaming-stdlibs

TestModels/SimpleTypes/SimpleString/runtimes/go/TestsFromDafny-go/WrappedSimpleTypesStringService/shim.go

@@ -10,4 +10,5 @@ require (
 )
 
 replace github.com/smithy-lang/smithy-dafny/TestModels/SimpleTypes/SimpleString v0.0.0 => ../ImplementationFromDafny-go
+
 replace github.com/aws/aws-cryptographic-material-providers-library/releases/go/smithy-dafny-standard-library => ../../../../../dafny-dependencies/StandardLibrary/runtimes/go/ImplementationFromDafny-go/

TestModels/SimpleTypes/SimpleString/runtimes/go/TestsFromDafny-go/go.mod

@@ -9,9 +9,20 @@ module  SimpleStringImplTest {
     import UTF8
     method{:test} GetString(){
         var client :- expect SimpleString.SimpleString();
-        TestGetString(client);
+        TestAllCases(client);
+    }
+
+    method TestAllCases(client: ISimpleTypesStringClient)
+      requires client.ValidState()
+      modifies client.Modifies
+      ensures client.ValidState()
+    {
+      TestGetString(client);
         TestGetStringKnownValue(client);
         TestGetStringNonAscii(client);
+        TestGetStringSurrogatePair(client);
+        TestGetStringMultipleSurrogatePair(client);
+        TestGetStringMultipleSurrogatePairAsString(client);
         TestGetStringUTF8(client);
         TestGetStringUTF8KnownValue(client);
     }
@@ -45,6 +56,48 @@ module  SimpleStringImplTest {
         expect ret.value.UnwrapOr("") == utf16EncodedString;
         print ret;
     }
+    method TestGetStringSurrogatePair(client: ISimpleTypesStringClient)
+      requires client.ValidState()
+      modifies client.Modifies
+      ensures client.ValidState()
+    {
+        // Formula to combine high and low surrogate to get the unicode codepoint:
+        //     codepoint = (highSurrogate - 0xD800) * 0x400 + (lowSurrogate - 0xDC00) + 0x10000
+        // The unicode codepoint of 𐀂 is 65538.
+        // 𐀂 has high surrogate 55296 (0xD800) and low surrogate 56322 (0xDC02)
+        // So,
+        // 1. (55296 - 0xD800) * 0x400 = 0 * 1024 = 0
+        // 2. (56322 - 0xDC00) = 2
+        // 3. 0 + 2 + 0x10000 = 65538
+        var surrogatePair: seq<char> := [0xD800 as char, 0xDC02 as char];
+        var ret :- expect client.GetString(SimpleString.Types.GetStringInput(value:= Some(surrogatePair)));
+        expect ret.value.UnwrapOr("") == surrogatePair;
+        print ret;
+    }
+    method TestGetStringMultipleSurrogatePair(client: ISimpleTypesStringClient)
+      requires client.ValidState()
+      modifies client.Modifies
+      ensures client.ValidState()
+    {
+        // 𐀂 := [0xD800 as char, 0xDC02 as char], 𐐷 := [0xD801 as char, 0xDC37 as char]
+        // => 𐀂𐐷 := [0xD800 as char, 0xDC02 as char, 0xD801 as char, 0xDC37 as char]
+        var surrogatePair: seq<char> := [0xD800 as char, 0xDC02 as char, 0xD801 as char, 0xDC37 as char];
+        var ret :- expect client.GetString(SimpleString.Types.GetStringInput(value:= Some(surrogatePair)));
+        expect ret.value.UnwrapOr("") == surrogatePair;
+        print ret;
+    }
+    method TestGetStringMultipleSurrogatePairAsString(client: ISimpleTypesStringClient)
+      requires client.ValidState()
+      modifies client.Modifies
+      ensures client.ValidState()
+    {
+        // 𐀂 := [0xD800 as char, 0xDC02 as char], 𐐷 := [0xD801 as char, 0xDC37 as char]
+        // => 𐀂𐐷 := [0xD800 as char, 0xDC02 as char, 0xD801 as char, 0xDC37 as char]
+        var surrogatePair := "\uD800\uDC02\uD801\uDC37";
+        var ret :- expect client.GetString(SimpleString.Types.GetStringInput(value:= Some(surrogatePair)));
+        expect ret.value.UnwrapOr("") == surrogatePair;
+        print ret;
+    }
     method TestGetStringUTF8(client: ISimpleTypesStringClient)
       requires client.ValidState()
       modifies client.Modifies

TestModels/SimpleTypes/SimpleString/test/SimpleStringImplTest.dfy

@@ -9,8 +9,6 @@ module WrappedSimpleTypesStringTest {
     import opened Wrappers
     method{:test} GetString() {
         var client :- expect WrappedSimpleTypesStringService.WrappedSimpleString();
-        SimpleStringImplTest.TestGetString(client);
-        SimpleStringImplTest.TestGetStringKnownValue(client);
-        SimpleStringImplTest. TestGetStringUTF8(client);
+        SimpleStringImplTest.TestAllCases(client);
     }
 }

TestModels/SimpleTypes/SimpleString/test/WrappedSimpleStringTest.dfy

@@ -2,14 +2,24 @@ package UTF8
 
 import (
 	"fmt"
-	"unicode"
+	"math"
 	"unicode/utf16"
 	"unicode/utf8"
 
 	"github.com/aws/aws-cryptographic-material-providers-library/releases/go/smithy-dafny-standard-library/Wrappers"
 	"github.com/dafny-lang/DafnyRuntimeGo/v4/dafny"
 )
 
+// The following constants are copied from the Go utf16 lib and are used
+// to check the validity of the utf16 surrogate pairs.
+const (
+	// 0xd800-0xdc00 encodes the high 10 bits of a pair.
+	// 0xdc00-0xe000 encodes the low 10 bits of a pair.
+	surr1 = 0xd800
+	surr2 = 0xdc00
+	surr3 = 0xe000
+)
+
 //IMP: The below extern implementations are only compatible
 //with unicode-char:false transpiled code.
 
@@ -19,46 +29,94 @@ import (
 // we need to encode the result in compatible dafny utf16 string before returning
 // the result.
 func Decode(utf8EncodedDafnySeq dafny.Sequence) Wrappers.Result {
-	utf8EncodedByteArray := dafny.ToByteArray(utf8EncodedDafnySeq)
-
-	utf16Encoded := utf16.Encode([]rune(string(utf8EncodedByteArray)))
-	var dafnyCharArray []dafny.Char
-	for _, c := range utf16Encoded {
-		if c == unicode.ReplacementChar {
-			err := fmt.Errorf("Encountered Not Allowed Replacement Character: %s ", unicode.ReplacementChar)
-			return Wrappers.Companion_Result_.Create_Failure_(dafny.SeqOfString(err.Error()))
-		}
-		dafnyCharArray = append(dafnyCharArray, dafny.Char(c))
+	res, err := DecodeFromNativeGoByteArray(dafny.ToByteArray(utf8EncodedDafnySeq))
+	if err != nil {
+		return Wrappers.Companion_Result_.Create_Failure_(dafny.SeqOfString(err.Error()))
 	}
-	return Wrappers.Companion_Result_.Default(dafny.SeqOfChars(dafnyCharArray...))
+
+	return Wrappers.Companion_Result_.Create_Success_(res)
 }
 
 // Encode encodes utf16 encoded dafny char (rune) to utf-8 Go rune sequence.
 // Anything we receive here is supposed to be utf16 encoded Go rune
 // since this extern is for unicode-char:false.
 func Encode(utf16EncodedDafnySeq dafny.Sequence) Wrappers.Result {
-	encodedUtf16 := utf16EncodedDafnySeqToUint16(utf16EncodedDafnySeq)
-	decodedUtf16 := utf16.Decode(encodedUtf16)
-	var utf8EncodedBytes []byte
-	for _, r := range decodedUtf16 {
-		if !utf8.ValidRune(r) || r == unicode.ReplacementChar {
-			return Wrappers.Companion_Result_.Create_Failure_(dafny.SeqOfString("Failed to utf8 encode rune"))
-		}
-		buf := make([]byte, utf8.RuneLen(r))
-		n := utf8.EncodeRune(buf, r)
-		utf8EncodedBytes = append(utf8EncodedBytes, buf[:n]...)
+	utf8EncodedBytes, err := decodeUtf16(utf16EncodedDafnySeq)
+	if err != nil {
+		return Wrappers.Companion_Result_.Create_Failure_(dafny.SeqOfString(err.Error()))
 	}
 	return Wrappers.Companion_Result_.Create_Success_(dafny.SeqOfBytes(utf8EncodedBytes))
 }
 
-func utf16EncodedDafnySeqToUint16(seq dafny.Sequence) []uint16 {
-	var r []uint16
+// This method is to be called from the Type Conversion layer.
+// We reuse the same method so that all conversions are consistent.
+func DecodeFromNativeGoByteArray(utf8EncodedByteArray []byte) (dafny.Sequence, error) {
+	if !utf8.Valid(utf8EncodedByteArray) {
+		return nil, fmt.Errorf("invalid utf8 encoded sequence: %v", utf8EncodedByteArray)
+	}
+	utf16Encoded := utf16.Encode([]rune(string(utf8EncodedByteArray)))
+	var dafnyCharArray []dafny.Char
+	for _, c := range utf16Encoded {
+		dafnyCharArray = append(dafnyCharArray, dafny.Char(c))
+	}
+	return dafny.SeqOfChars(dafnyCharArray...), nil
+}
+
+// decode appends to buf the Unicode code point sequence represented
+// by the UTF-16 encoding seq, then encode the code point as utf8 and return the utf8 buffer
+func decodeUtf16(seq dafny.Sequence) ([]byte, error) {
+	utf8EncodedBytes := []byte{}
+
 	for i := dafny.Iterate(seq); ; {
-		val, ok := i()
-		if !ok {
-			return r
+		firstVal, firstValExists := i()
+		if !firstValExists {
+			// Iterator has finished, return the buffer
+			return utf8EncodedBytes, nil
 		} else {
-			r = append(r, uint16(val.(dafny.Char)))
+			var ar rune
+
+			// We should be able to rely on dafny that anything inside the seq is utf16 encoded
+			// with unicode-char: false. But given the Long Psi issue, it's better to be safe.
+			// First check if it's a dafny.Char type, then check if it's within the limits of uint16.
+			firstChar, firstValIsAChar := firstVal.(dafny.Char)
+			if !firstValIsAChar || firstChar > math.MaxUint16 || firstChar < 0 {
+				return nil, fmt.Errorf("invalid utf16 encoded sequence: %v", seq)
+			}
+
+			// Downcast to uint16
+			switch r1 := uint16(firstChar); {
+
+			case r1 < surr1, surr3 <= r1:
+				// normal rune
+				ar = rune(r1)
+
+			case utf16.IsSurrogate(rune(r1)):
+				// If firstVal is surrogate, then we need the secondVal to construct the pair
+				secondVal, ok := i()
+
+				// Same sanity check as line 84
+				secondChar, secondValIsAChar := secondVal.(dafny.Char)
+				if !ok || !secondValIsAChar || secondChar > math.MaxUint16 || secondChar < 0 {
+					return nil, fmt.Errorf("invalid utf16 encoded sequence: %v", seq)
+				}
+
+				// Check if the secondVal is within the valid low surrogate range
+				if surr2 <= uint16(secondChar) && uint16(secondChar) < surr3 {
+					// valid surrogate sequence
+					ar = utf16.DecodeRune(rune(r1), rune(uint16(secondChar)))
+				} else {
+					return nil, fmt.Errorf("invalid utf16 encoded sequence: %v", seq)
+				}
+			default:
+				return nil, fmt.Errorf("invalid utf16 encoded sequence: %v", seq)
+			}
+
+			// Create the buffer (upto 4 bytes) to hold the utf8 rune
+			buf := make([]byte, utf8.RuneLen(ar))
+			n := utf8.EncodeRune(buf, ar)
+
+			// Append to the result
+			utf8EncodedBytes = append(utf8EncodedBytes, buf[:n]...)
 		}
 	}
 }

TestModels/dafny-dependencies/StandardLibrary/runtimes/go/ImplementationFromDafny-go/UTF8/externs.go

@@ -7,4 +7,3 @@ require github.com/aws/aws-cryptographic-material-providers-library/releases/go/
 replace github.com/aws/aws-cryptographic-material-providers-library/releases/go/smithy-dafny-standard-library v0.0.0 => ../ImplementationFromDafny-go
 
 require github.com/dafny-lang/DafnyRuntimeGo/v4 v4.9.1
-

TestModels/dafny-dependencies/StandardLibrary/runtimes/go/TestsFromDafny-go/go.mod

@@ -434,28 +434,20 @@ var enum interface{}
       }
 
       if (shape.hasTrait(DafnyUtf8BytesTrait.class)) {
-        writer.addUseImports(SmithyGoDependency.stdlib("unicode/utf8"));
+        throw new UnsupportedOperationException(
+          "Dafny utf8bytes trait is not supported in aws sdk models: " +
+          shape.toShapeId().getName()
+        );
       }
-      final var underlyingType = shape.hasTrait(DafnyUtf8BytesTrait.class)
-        ? """
-            dafny.SeqOf(func () []interface{} {
-            utf8.ValidString(%s%s)
-            b := []byte(%s%s)
-            f := make([]interface{}, len(b))
-            for i, v := range b {
-                f[i] = v
+      final var underlyingType =
+        """
+            func () dafny.Sequence {
+            res, err := UTF8.DecodeFromNativeGoByteArray([]byte(%s%s))
+            if err != nil {
+              panic("invalid utf8 input provided")
             }
-            return f
-        }()...)""".formatted(
-            dereferenceIfRequired,
-            dataSource,
-            dereferenceIfRequired,
-            dataSource
-          )
-        : "dafny.SeqOfChars([]dafny.Char(%s%s)...)".formatted(
-            dereferenceIfRequired,
-            dataSource
-          );
+            return res
+        }()""".formatted(dereferenceIfRequired, dataSource);
 
       return """
       func () %s {

codegen/smithy-dafny-codegen/src/main/java/software/amazon/polymorph/smithygo/awssdk/shapevisitor/AwsSdkToDafnyShapeVisitor.java

@@ -466,10 +466,12 @@ public String stringShape(final StringShape shape) {
         );
     }
 
-    //Handle the @utf8Bytes Trait
-    final var underlyingType = shape.hasTrait(DafnyUtf8BytesTrait.class)
-      ? "uint8"
-      : "dafny.Char";
+    if (shape.hasTrait(DafnyUtf8BytesTrait.class)) {
+      throw new UnsupportedOperationException(
+        "Dafny utf8bytes trait is not supported in aws sdk models: " +
+        shape.toShapeId().getName()
+      );
+    }
 
     var nilCheck = "";
     final String unAssertedDataSource = dataSource.startsWith("input.(")
@@ -481,28 +483,22 @@ public String stringShape(final StringShape shape) {
         nilCheck =
           "if %s == nil { return nil }".formatted(unAssertedDataSource);
       } else {
-        nilCheck = "if %s == nil { return s }".formatted(unAssertedDataSource);
+        nilCheck =
+          "if %s == nil { return \"\" }".formatted(unAssertedDataSource);
       }
     }
 
     return """
-     func() (%sstring) {
-         var s string
-     %s
-         for i := dafny.Iterate(%s) ; ; {
-             val, ok := i()
-             if !ok {
-                 return %s[]string{s}[0]
-             } else {
-                 s = s + string(val.(%s))
-             }
-        }
+    func() (%sstring) {
+      %s
+      a := UTF8.Encode(%s.(dafny.Sequence)).Dtor_value()
+      s := string(dafny.ToByteArray(a.(dafny.Sequence)))
+      return %ss
     }()""".formatted(
         this.isPointable ? "*" : "",
         nilCheck,
         dataSource,
-        this.isPointable ? "&" : "",
-        underlyingType
+        this.isPointable ? "&" : ""
       );
   }