feat(java): support limit deserialization depth (#2578)

## Why?

<!-- Describe the purpose of this PR. -->

## What does this PR do?

<!-- Describe the details of this PR. -->

## Related issues

<!--
Is there any related issue? If this PR closes them you say say
fix/closes:

- #xxxx0
- #xxxx1
- Fixes #xxxx2
-->

## Does this PR introduce any user-facing change?

<!--
If any user-facing interface changes, please [open an
issue](https://github.com/apache/fory/issues/new/choose) describing the
need to do so and update the document if necessary.

Delete section if not applicable.
-->

- [ ] Does this PR introduce any public API change?
- [ ] Does this PR introduce any binary protocol compatibility change?

## Benchmark

<!--
When the PR has an impact on performance (if you don't know whether the
PR will have an impact on performance, you can submit the PR first, and
if it will have impact on performance, the code reviewer will explain
it), be sure to attach a benchmark data here.

Delete section if not applicable.
-->

Author: chaokunyang

docs/guide/java_serialization_guide.md

@@ -40,6 +40,7 @@
 import org.apache.fory.exception.CopyException;
 import org.apache.fory.exception.DeserializationException;
 import org.apache.fory.exception.ForyException;
+import org.apache.fory.exception.InsecureException;
 import org.apache.fory.exception.SerializationException;
 import org.apache.fory.io.ForyInputStream;
 import org.apache.fory.io.ForyReadableChannel;
@@ -126,6 +127,7 @@ public final class Fory implements BaseFory {
   private Iterator<MemoryBuffer> outOfBandBuffers;
   private boolean peerOutOfBandEnabled;
   private int depth;
+  private final int maxDepth;
   private int copyDepth;
   private final boolean copyRefTracking;
   private final IdentityMap<Object, Object> originToCopyMap;
@@ -141,6 +143,7 @@ public Fory(ForyBuilder builder, ClassLoader classLoader) {
     this.shareMeta = config.isMetaShareEnabled();
     compressInt = config.compressInt();
     longEncoding = config.longEncoding();
+    maxDepth = config.maxDepth();
     if (refTracking) {
       this.refResolver = new MapRefResolver();
     } else {
@@ -653,17 +656,6 @@ private void writeData(MemoryBuffer buffer, ClassInfo classInfo, Object obj) {
       case ClassResolver.STRING_CLASS_ID:
         stringSerializer.writeJavaString(buffer, (String) obj);
         break;
-      case ClassResolver.ARRAYLIST_CLASS_ID:
-        depth++;
-        arrayListSerializer.write(buffer, (ArrayList) obj);
-        depth--;
-        break;
-      case ClassResolver.HASHMAP_CLASS_ID:
-        depth++;
-        hashMapSerializer.write(buffer, (HashMap) obj);
-        depth--;
-        break;
-        // TODO(add fastpath for other types)
       default:
         depth++;
         classInfo.getSerializer().write(buffer, obj);
@@ -1024,7 +1016,7 @@ public Object readNullable(MemoryBuffer buffer, ClassInfoHolder classInfoHolder)
 
   /** Class should be read already. */
   public Object readData(MemoryBuffer buffer, ClassInfo classInfo) {
-    depth++;
+    incReadDepth();
     Serializer<?> serializer = classInfo.getSerializer();
     Object read = serializer.read(buffer);
     depth--;
@@ -1055,19 +1047,8 @@ private Object readDataInternal(MemoryBuffer buffer, ClassInfo classInfo) {
         return buffer.readFloat64();
       case ClassResolver.STRING_CLASS_ID:
         return stringSerializer.readJavaString(buffer);
-      case ClassResolver.ARRAYLIST_CLASS_ID:
-        depth++;
-        Object list = arrayListSerializer.read(buffer);
-        depth--;
-        return list;
-      case ClassResolver.HASHMAP_CLASS_ID:
-        depth++;
-        Object map = hashMapSerializer.read(buffer);
-        depth--;
-        return map;
-        // TODO(add fastpath for other types)
       default:
-        depth++;
+        incReadDepth();
         Object read = classInfo.getSerializer().read(buffer);
         depth--;
         return read;
@@ -1112,7 +1093,7 @@ public Object xreadNonRef(MemoryBuffer buffer) {
   }
 
   public Object xreadNonRef(MemoryBuffer buffer, Serializer<?> serializer) {
-    depth++;
+    incReadDepth();
     Object o = serializer.xread(buffer);
     depth--;
     return o;
@@ -1142,7 +1123,7 @@ public Object xreadNonRef(MemoryBuffer buffer, ClassInfo classInfo) {
         return buffer.readFloat64();
         // TODO(add fastpath for other types)
       default:
-        depth++;
+        incReadDepth();
         Object o = classInfo.getSerializer().xread(buffer);
         depth--;
         return o;
@@ -1682,6 +1663,29 @@ public void incDepth(int diff) {
     this.depth += diff;
   }
 
+  public void incDepth() {
+    this.depth += 1;
+  }
+
+  public void decDepth() {
+    this.depth -= 1;
+  }
+
+  public void incReadDepth() {
+    if ((this.depth += 1) > maxDepth) {
+      throwReadDepthExceedException();
+    }
+  }
+
+  private void throwReadDepthExceedException() {
+    throw new InsecureException(
+        String.format(
+            "Read depth exceed max depth %s, "
+                + "the deserialization data may be malicious. If it's not malicious, "
+                + "please increase max read depth by ForyBuilder#withMaxDepth(largerDepth)",
+            maxDepth));
+  }
+
   public void incCopyDepth(int diff) {
     this.copyDepth += diff;
   }

java/fory-core/src/main/java/org/apache/fory/Fory.java

@@ -1636,13 +1636,13 @@ protected Expression deserializeForNotNull(
         obj = deserializeForMap(buffer, typeRef, serializer, invokeHint);
       } else {
         if (serializer != null) {
-          return new Invoke(serializer, "read", OBJECT_TYPE, buffer);
+          return read(serializer, buffer, OBJECT_TYPE);
         }
         if (isMonomorphic(cls)) {
           serializer = getOrCreateSerializer(cls);
           Class<?> returnType =
               ReflectionUtils.getReturnType(getRawType(serializer.type()), "read");
-          obj = new Invoke(serializer, "read", TypeRef.of(returnType), buffer);
+          obj = read(serializer, buffer, TypeRef.of(returnType));
         } else {
           obj = readForNotNullNonFinal(buffer, typeRef, serializer);
         }
@@ -1651,13 +1651,24 @@ protected Expression deserializeForNotNull(
     }
   }
 
+  protected Expression read(Expression serializer, Expression buffer, TypeRef<?> returnType) {
+    Class<?> type = returnType.getRawType();
+    Expression read = new Invoke(serializer, "read", returnType, buffer);
+    if (ReflectionUtils.isMonomorphic(type) && !TypeUtils.hasExpandableLeafs(type)) {
+      return read;
+    }
+    read = uninline(read);
+    return new ListExpression(
+        new Invoke(foryRef, "incReadDepth"), read, new Invoke(foryRef, "decDepth"), read);
+  }
+
   protected Expression readForNotNullNonFinal(
       Expression buffer, TypeRef<?> typeRef, Expression serializer) {
     if (serializer == null) {
       Expression classInfo = readClassInfo(getRawType(typeRef), buffer);
       serializer = inlineInvoke(classInfo, "getSerializer", SERIALIZER_TYPE);
     }
-    return new Invoke(serializer, "read", OBJECT_TYPE, buffer);
+    return read(serializer, buffer, OBJECT_TYPE);
   }
 
   /**
@@ -1693,7 +1704,7 @@ protected Expression deserializeForCollection(
         new If(
             supportHook,
             new ListExpression(collection, hookRead),
-            new Invoke(serializer, "read", OBJECT_TYPE, buffer),
+            read(serializer, buffer, OBJECT_TYPE),
             false);
     if (invokeHint != null && invokeHint.genNewMethod) {
       invokeHint.add(buffer);
@@ -1969,8 +1980,7 @@ chunkHeader, cast(bitand(sizeAndHeader2, ofInt(0xff)), PRIMITIVE_INT_TYPE)),
     expressions.add(chunksLoop, newMap);
     // first newMap to create map, last newMap as expr value
     Expression map = inlineInvoke(serializer, "onMapRead", OBJECT_TYPE, expressions);
-    Expression action =
-        new If(supportHook, map, new Invoke(serializer, "read", OBJECT_TYPE, buffer), false);
+    Expression action = new If(supportHook, map, read(serializer, buffer, OBJECT_TYPE), false);
     if (invokeHint != null && invokeHint.genNewMethod) {
       invokeHint.add(buffer);
       invokeHint.add(serializer);

java/fory-core/src/main/java/org/apache/fory/builder/BaseObjectCodecBuilder.java

@@ -95,7 +95,7 @@ public abstract class CodecBuilder {
   protected final boolean isRecord;
   protected final boolean isInterface;
   private final Set<String> duplicatedFields;
-  protected Reference foryRef = new Reference(FORY_NAME, TypeRef.of(Fory.class));
+  protected Reference foryRef = Reference.fieldRef(FORY_NAME, TypeRef.of(Fory.class));
   public static final Reference recordComponentDefaultValues =
       new Reference("recordComponentDefaultValues", OBJECT_ARRAY_TYPE);
   protected final Map<String, Reference> fieldMap = new HashMap<>();

java/fory-core/src/main/java/org/apache/fory/builder/CodecBuilder.java

@@ -121,7 +121,7 @@ private void buildGroups() {
             MutableTuple3.of(
                 new ArrayList<>(descriptorGrouper.getFinalDescriptors()), 5, finalReadGroups),
             MutableTuple3.of(
-                new ArrayList<>(descriptorGrouper.getOtherDescriptors()), 5, otherReadGroups),
+                new ArrayList<>(descriptorGrouper.getOtherDescriptors()), 4, otherReadGroups),
             MutableTuple3.of(
                 new ArrayList<>(descriptorGrouper.getOtherDescriptors()), 9, otherWriteGroups));
     for (MutableTuple3<List<Descriptor>, Integer, List<List<Descriptor>>> decs : groups) {

java/fory-core/src/main/java/org/apache/fory/builder/ObjectCodecOptimizer.java

@@ -63,6 +63,7 @@ public class Config implements Serializable {
   private final boolean deserializeNonexistentEnumValueAsNull;
   private final boolean serializeEnumByName;
   private final int bufferSizeLimitBytes;
+  private final int maxDepth;
 
   public Config(ForyBuilder builder) {
     name = builder.name;
@@ -101,6 +102,7 @@ public Config(ForyBuilder builder) {
     deserializeNonexistentEnumValueAsNull = builder.deserializeNonexistentEnumValueAsNull;
     serializeEnumByName = builder.serializeEnumByName;
     bufferSizeLimitBytes = builder.bufferSizeLimitBytes;
+    maxDepth = builder.maxDepth;
   }
 
   /** Returns the name for Fory serialization. */
@@ -357,4 +359,9 @@ public int getConfigHash() {
     }
     return configHash;
   }
+
+  /** Returns max depth for deserialization, when depth exceeds, an exception will be thrown. */
+  public int maxDepth() {
+    return maxDepth;
+  }
 }

java/fory-core/src/main/java/org/apache/fory/config/Config.java

@@ -38,6 +38,7 @@
 import org.apache.fory.serializer.TimeSerializers;
 import org.apache.fory.serializer.collection.GuavaCollectionSerializers;
 import org.apache.fory.util.GraalvmSupport;
+import org.apache.fory.util.Preconditions;
 
 /** Builder class to config and create {@link Fory}. */
 // Method naming style for this builder:
@@ -86,6 +87,7 @@ public final class ForyBuilder {
   boolean serializeEnumByName = false;
   int bufferSizeLimitBytes = 128 * 1024;
   MetaCompressor metaCompressor = new DeflaterMetaCompressor();
+  int maxDepth = 50;
 
   public ForyBuilder() {}
 
@@ -348,6 +350,16 @@ public ForyBuilder withAsyncCompilation(boolean asyncCompilation) {
     return this;
   }
 
+  /**
+   * Set max depth for deserialization, when depth exceeds, an exception will be thrown. Default max
+   * depth is 50.
+   */
+  public ForyBuilder withMaxDepth(int maxDepth) {
+    Preconditions.checkArgument(maxDepth >= 2, "maxDepth must >= 2 but got %s", maxDepth);
+    this.maxDepth = maxDepth;
+    return this;
+  }
+
   /** Whether enable scala-specific serialization optimization. */
   public ForyBuilder withScalaOptimizationEnabled(boolean enableScalaOptimization) {
     this.scalaOptimizationEnabled = enableScalaOptimization;

java/fory-core/src/main/java/org/apache/fory/config/ForyBuilder.java

@@ -647,19 +647,19 @@ private void throwUnexpectTypeIdException(long xtypeId) {
   }
 
   private ClassInfo getListClassInfo() {
-    fory.incDepth(1);
+    fory.incReadDepth();
     GenericType genericType = generics.nextGenericType();
-    fory.incDepth(-1);
+    fory.decDepth();
     if (genericType != null) {
       return getOrBuildClassInfo(genericType.getCls());
     }
     return xtypeIdToClassMap.get(Types.LIST);
   }
 
   private ClassInfo getGenericClassInfo() {
-    fory.incDepth(1);
+    fory.incReadDepth();
     GenericType genericType = generics.nextGenericType();
-    fory.incDepth(-1);
+    fory.decDepth();
     if (genericType != null) {
       return getOrBuildClassInfo(genericType.getCls());
     }

java/fory-core/src/main/java/org/apache/fory/resolver/XtypeResolver.java

@@ -89,15 +89,17 @@ static Object readFinalObjectFieldValue(
       boolean isFinal,
       MemoryBuffer buffer) {
     Serializer<Object> serializer = fieldInfo.classInfo.getSerializer();
+    binding.incReadDepth();
     Object fieldValue;
     boolean nullable = fieldInfo.nullable;
     if (isFinal) {
       if (!fieldInfo.trackingRef) {
-        return binding.readNullable(buffer, serializer, nullable);
+        fieldValue = binding.readNullable(buffer, serializer, nullable);
+      } else {
+        // whether tracking ref is recorded in `fieldInfo.serializer`, so it's still
+        // consistent with jit serializer.
+        fieldValue = binding.readRef(buffer, serializer);
       }
-      // whether tracking ref is recorded in `fieldInfo.serializer`, so it's still
-      // consistent with jit serializer.
-      fieldValue = binding.readRef(buffer, serializer);
     } else {
       if (serializer.needToWriteRef()) {
         int nextReadRefId = refResolver.tryPreserveRefId(buffer);
@@ -112,13 +114,15 @@ static Object readFinalObjectFieldValue(
         if (nullable) {
           byte headFlag = buffer.readByte();
           if (headFlag == Fory.NULL_FLAG) {
+            binding.decDepth();
             return null;
           }
         }
         typeResolver.readClassInfo(buffer, fieldInfo.classInfo);
         fieldValue = serializer.read(buffer);
       }
     }
+    binding.decDepth();
     return fieldValue;
   }