bytecode-filter 0.1.1

Fast bytecode-compiled filter engine for delimiter-separated records
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375

//! # bytecode-filter
//!
//! A fast bytecode-compiled filter engine for delimiter-separated records.
//!
//! Filters are expressed in a small DSL, compiled to bytecode at startup, and
//! evaluated with **zero allocations** in the hot path.
//!
//! ## Features
//!
//! - **Zero-copy evaluation**: Records are split into fields without copying
//! - **SIMD-accelerated string matching**: Uses `memchr` for fast substring search
//! - **Precompiled regex**: Regex patterns are compiled once at startup
//! - **Key-value extraction**: Extract and match key-value pairs from record fields
//! - **Random sampling**: Built-in `rand(N)` for probabilistic filtering
//!
//! ## Example
//!
//! ```rust
//! use bytecode_filter::{compile, ParserConfig};
//! use bytes::Bytes;
//!
//! // Define your record schema
//! let mut config = ParserConfig::default();
//! config.set_delimiter(",");
//! config.add_field("LEVEL", 0);
//! config.add_field("CODE", 1);
//! config.add_field("BODY", 2);
//!
//! // Compile a filter expression
//! let filter = compile(r#"LEVEL == "error" AND CODE == "500""#, &config).unwrap();
//!
//! // Evaluate against records
//! let record = Bytes::from("error,500,internal failure");
//! assert!(filter.evaluate(record));
//!
//! let record = Bytes::from("info,200,ok");
//! assert!(!filter.evaluate(record));
//! ```
//!
//! ## Filter Syntax
//!
//! ### Basic Operations
//!
//! ```text
//! # Boolean literals
//! true
//! false
//!
//! # Random sampling (returns true 1/N of the time)
//! rand(100)    # 1% sample
//! rand(2)      # 50% sample
//!
//! # Payload-wide operations (match against the entire record)
//! payload contains "error"
//! payload starts_with "ERROR:"
//! payload ends_with ".json"
//! payload == "exact match"
//! payload matches "error_[0-9]+"
//! ```
//!
//! ### Field Operations
//!
//! ```text
//! # Equality
//! STATUS == "active"
//! STATUS != "deleted"
//!
//! # Set membership
//! LEVEL in {"error", "warn", "fatal"}
//!
//! # String matching
//! PATH contains "/api/"
//! PATH starts_with "GET"
//! PATH matches "/api/v[0-9]+/.*"
//!
//! # Case-insensitive
//! METHOD icontains "post"
//! LEVEL iequals "Error"
//!
//! # Empty checks
//! NOTES is_empty
//! NOTES not_empty
//! ```
//!
//! ### Key-Value Extraction
//!
//! For fields that contain key-value data (e.g., HTTP headers, metadata),
//! you can extract individual values:
//!
//! ```text
//! HEADERS.header("Content-Type") == "application/json"
//! HEADERS.header("Authorization") contains "Bearer"
//! HEADERS.header("X-Request-Id") exists
//! ```
//!
//! ### Boolean Logic
//!
//! ```text
//! # AND, OR, NOT
//! LEVEL == "error" AND CODE == "500"
//! LEVEL == "warn" OR LEVEL == "error"
//! NOT LEVEL == "debug"
//!
//! # Parentheses for grouping
//! (LEVEL == "error" OR LEVEL == "warn") AND BODY not_empty
//! ```
//!
//! ## Custom Schemas
//!
//! Fields and delimiters are fully configurable via [`ParserConfig`]:
//!
//! ```rust
//! use bytecode_filter::ParserConfig;
//!
//! let mut config = ParserConfig::default();
//! config.set_delimiter("\t");       // tab-separated
//! config.add_field("HOST", 0);
//! config.add_field("LEVEL", 1);
//! config.add_field("MESSAGE", 2);
//! ```
//!
//! Alternatively, use filter files with inline directives:
//!
//! ```text
//! @delimiter = "\t"
//! @field HOST = 0
//! @field LEVEL = 1
//! @field MESSAGE = 2
//!
//! LEVEL == "error" AND MESSAGE contains "timeout"
//! ```

#![warn(missing_docs)]
#![warn(clippy::all)]

mod compiler;
mod lexer;
mod loader;
mod opcode;
mod parser;
mod split;
mod vm;

pub use compiler::{compile, compile_expr, CompileError};
pub use lexer::{LexError, Lexer, Token};
pub use loader::{load_filter_file, load_filter_string, LoadError};
pub use opcode::Opcode;
pub use parser::{parse, Expr, ParseError, Parser, ParserConfig};
pub use split::{extract_header_value, PayloadParts, MAX_PARTS};
pub use vm::{reset_rand_counter, CompiledFilter};

#[cfg(test)]
mod integration_tests {
    use bytes::Bytes;

    use super::*;

    /// Helper: build a ParserConfig for a simple log-like schema.
    fn log_config() -> ParserConfig {
        let mut config = ParserConfig::default();
        config.add_field("LEVEL", 0);
        config.add_field("CODE", 1);
        config.add_field("METHOD", 2);
        config.add_field("PATH", 3);
        config.add_field("HEADERS", 4);
        config.add_field("BODY", 5);
        config
    }

    /// Build a test record with the given field values.
    fn make_record(fields: &[&str]) -> Bytes {
        Bytes::from(fields.join(";;;"))
    }

    /// Build a 6-field record with specific overrides.
    fn make_full_record(overrides: &[(usize, &str)]) -> Bytes {
        let mut fields = vec![""; 6];
        for (idx, value) in overrides {
            fields[*idx] = value;
        }
        make_record(&fields)
    }

    #[test]
    fn test_field_equality_and_headers() {
        let config = log_config();
        let filter = compile(
            r#"
            CODE == "500"
            AND METHOD == "POST"
            AND HEADERS.header("Content-Type") iequals "application/json"
            "#,
            &config,
        )
        .unwrap();

        // Matching case
        let record = make_full_record(&[
            (1, "500"),
            (2, "POST"),
            (4, "Content-Type: application/json\r\nHost: example.com\r\n"),
        ]);
        assert!(filter.evaluate(record), "Should match all three clauses");

        // Case-insensitive header value
        let record = make_full_record(&[
            (1, "500"),
            (2, "POST"),
            (4, "Content-Type: APPLICATION/JSON\r\n"),
        ]);
        assert!(filter.evaluate(record), "Should match case-insensitive");

        // Wrong CODE
        let record = make_full_record(&[
            (1, "200"),
            (2, "POST"),
            (4, "Content-Type: application/json\r\n"),
        ]);
        assert!(!filter.evaluate(record), "Should not match wrong code");

        // Wrong METHOD
        let record = make_full_record(&[
            (1, "500"),
            (2, "GET"),
            (4, "Content-Type: application/json\r\n"),
        ]);
        assert!(!filter.evaluate(record), "Should not match wrong method");

        // Missing header
        let record = make_full_record(&[(1, "500"), (2, "POST"), (4, "Host: example.com\r\n")]);
        assert!(!filter.evaluate(record), "Should not match missing header");
    }

    #[test]
    fn test_url_pattern_matching() {
        let config = log_config();
        let filter = compile(
            r#"
            LEVEL in {"error", "warn", "fatal"}
            AND PATH matches "(?i).*/(?:admin|internal)/.*"
            "#,
            &config,
        )
        .unwrap();

        for level in ["error", "warn", "fatal"] {
            let record = make_full_record(&[(0, level), (3, "GET /api/admin/users HTTP/1.1")]);
            assert!(
                filter.evaluate(record),
                "Should match level {} with admin URL",
                level
            );
        }

        let record = make_full_record(&[(0, "warn"), (3, "GET /internal/status HTTP/1.1")]);
        assert!(filter.evaluate(record), "Should match internal URL");

        // Non-matching: wrong level
        let record = make_full_record(&[(0, "debug"), (3, "GET /admin/users HTTP/1.1")]);
        assert!(!filter.evaluate(record), "Should not match debug level");

        // Non-matching: no sensitive URL
        let record = make_full_record(&[(0, "error"), (3, "GET /api/users HTTP/1.1")]);
        assert!(!filter.evaluate(record), "Should not match public URL");
    }

    #[test]
    fn test_combined_or() {
        let config = log_config();
        let filter = compile(
            r#"
            (
                CODE == "500"
                AND METHOD == "POST"
                AND HEADERS.header("Content-Type") iequals "application/json"
            )
            OR
            (
                LEVEL in {"error", "warn", "fatal"}
                AND PATH matches "(?i).*/admin/.*"
            )
            "#,
            &config,
        )
        .unwrap();

        // First branch match
        let record = make_full_record(&[
            (1, "500"),
            (2, "POST"),
            (4, "Content-Type: application/json\r\n"),
        ]);
        assert!(filter.evaluate(record), "Should match first branch");

        // Second branch match
        let record = make_full_record(&[(0, "error"), (3, "POST /api/admin/submit HTTP/1.1")]);
        assert!(filter.evaluate(record), "Should match second branch");

        // Neither branch
        let record = make_full_record(&[(0, "info"), (3, "GET /api/users HTTP/1.1")]);
        assert!(!filter.evaluate(record), "Should match neither branch");
    }

    #[test]
    fn test_rand_sampling() {
        vm::reset_rand_counter();

        let config = log_config();
        let filter = compile(r#"LEVEL == "error" AND rand(10)"#, &config).unwrap();

        let record = make_record(&["error", "500", "GET"]);
        let matches: usize = (0..100)
            .filter(|_| filter.evaluate(record.clone()))
            .count();

        assert!(
            matches == 10,
            "Expected exactly 10 matches with deterministic counter, got {}",
            matches
        );
    }

    #[test]
    fn test_empty_checks() {
        let config = log_config();

        let filter = compile("BODY is_empty", &config).unwrap();
        assert!(filter.evaluate(make_record(&["error", "500", "GET", "/", "", ""])));
        assert!(!filter.evaluate(make_record(&[
            "error",
            "500",
            "GET",
            "/",
            "",
            "some body"
        ])));

        let filter = compile("BODY not_empty", &config).unwrap();
        assert!(!filter.evaluate(make_record(&["error", "500", "GET", "/", "", ""])));
        assert!(filter.evaluate(make_record(&[
            "error",
            "500",
            "GET",
            "/",
            "",
            "some body"
        ])));
    }

    #[test]
    fn test_case_insensitive_contains() {
        let config = log_config();
        let filter = compile(r#"PATH icontains "ADMIN""#, &config).unwrap();

        assert!(filter.evaluate(make_full_record(&[(3, "GET /admin/users HTTP/1.1")])));
        assert!(filter.evaluate(make_full_record(&[(3, "GET /ADMIN/users HTTP/1.1")])));
        assert!(filter.evaluate(make_full_record(&[(3, "GET /Admin/users HTTP/1.1")])));
        assert!(!filter.evaluate(make_full_record(&[(3, "GET /api/users HTTP/1.1")])));
    }

    #[test]
    fn test_filter_stats() {
        let config = log_config();
        let filter = compile(
            r#"LEVEL in {"error", "warn"} AND payload matches "timeout""#,
            &config,
        )
        .unwrap();

        assert_eq!(filter.string_count(), 2); // "error" and "warn"
        assert_eq!(filter.regex_count(), 1); // "timeout"
        assert!(filter.bytecode_len() > 0);
        assert_eq!(filter.delimiter(), b";;;");
    }
}