Decoder metadata interface

[197g]

See #2245, the intended ImageDecoder changes.

This changes the ImageDecoder trait to fix some underlying issues. The main change is a clarification to the responsibilities; the trait is an interface from an implementor towards the image library. That is, the protocol established from its interface should allow us to drive the decoder into our buffers and our metadata. It is not optimized to be used by an external caller which should prefer the use of ImageReader and other inherent methods instead.

This is a work-in-progress, below motivates the changes and discusses open points.

• ImageDecoder::peek_layout encourages decoders to read headers after the constructor. This fixes the inherent problem we had with communicating limits. The sequences for internal use is roughly:

  let mut decoder = …;
  decoder.set_limits(…); // Other global configuration we have?
  
  { // Potentially multiple times:
    let layout_info = decoder.peek_layout()?;
    let mut buffer = allocate_for(&layout_info);
    decoder.read_image(&mut buffer)?;
    decoder.xmp_metadata()?; // and other meta
  }
  
  // … for sequences, start again from `peek_layout()`

• ImageDecoder::read_image(&mut self) no longer consumes self. We no longer need the additional boxed method and its trait work around, the trait is now dyn-compatible.

Discussion

• Implement next_layout more consistently
  • avif
  • tga
  • pnm
  • tiff
  • dxt
  • qoi
  • dds
  • gif
• Maybe init peek_layout should return the full layout information in a single struct. We have a similar open issue for png in its own crate, and the related work for tiff is in the pipeline where its BufferLayoutPreference already exists to be extended with said information.
  • Review limits and remove its size bounds insofar as they can be checked against the communicated bounds in the metadata step by the image side.
  • Idea: If a decoder supports builtin transforms (e.g. YCbCr -> Rgb conversion, grayscale, thumbnailing) that are more efficient than post-processing then there could be a negotiation phase here where information is polled twice / multiple times by different methods. The design should leave this negative space to be added in 1.1, but it's not highly critical.
• Fix the sequence decoder to use the new API
• Make sure that read_image is 'destructive' in all decoders, i.e. re-reading an image and reading an image before init should never access an incorrect part of the underlying stream but instead return an error. Affects pnm and qoi for instance where the read will interpret bytes based on the dimensions and color, which would be invalid before reading the header and only valid for one read.
• Tests for reading an image with read_image then switching to a sequence reader. But that is supposed to become mainly an adapter that implements the iterator protocol.
• Remove remnants of the dyn-compatibility issue.
• Adapt to the possibility of fetching metadata after the image. This includes changing ImageReader with a new interface to return some of it. That may be better suited for a separate PR though.
  • Extract the CICP part of the metadata as CicpRgb and apply it to a decoded DynamicImage.
  • Ensure that this is supported by all the bindings.
• Deal with limits: Decoder metadata interface #2672 (comment)

[mstoeckl]

The main change is a clarification to the responsibilities; the trait is an interface from an implementor towards the image library. That is, the protocol established from its interface should allow us to drive the decoder into our buffers and our metadata. It is not optimized to be used by an external caller which should prefer the use of ImageReader and other inherent methods instead.

With this framing, I think Limits::max_image_width and Limits::max_image_height no longer need to be communicated to or handled by the ImageDecoder trait, because the external code can check ImageDecoder::dimensions() before invoking ImageDecoder::read_image(); only the memory limit (Limits::max_alloc) is essential. That being said, the current way Limits are handled by ImageDecoder isn't that awkward to implement, so to reduce migration costs keeping the current ImageDecoder::set_limits() API may be OK.

[fintelia]

A couple thoughts...

I do like the idea of handling animation decoding with this same trait. To understand, are you thinking of "sequences" as being animations or also stuff like the multiple images stored in a TIFF file? Even just handling animation has some tricky cases though. For instance in PNG, the default image that you get if you treat the image as non-animated may be different from the first frame of the animation. We might need both a read_image and a read_frame method.

The addition of an init method doesn't seem like it gains us much. The tricky part of our current new+set_limits API is that you get to look at the image dimensions and total output size in bytes when deciding what decoding limits to set. Requiring init (and by extension set_limits) to be called before reading the dimensions makes it basically the same as just having a with_limits constructor.

[197g]

Requiring init (and by extension set_limits) to be called before reading the dimensions makes it basically the same as just having a with_limits constructor.

It's a dyn-compatible way that achieves the goal of the constructor so it is actually an abstraction.

The tricky part of our current new+set_limits API is that you get to look at the image dimensions and total output size in bytes when deciding what decoding limits to set.

What do you by this? The main problem in png that I'm aware of is the lack of configured limits for reading the header in the ImageReader path, that motivated the extra constructor in the first place. With png we can not modify the limits after the fact but also we don't really perform any large size-dependent allocation within the decoder.

I'm also not suggesting that calling set_limits after the layout inspection would be disallowed but obviously is decoder dependent on whether that 'frees' additional capacity. I guess if that is sufficient remains to be seen? When we allocate a buffer (with applied allocator limits)´ that allows forwarding the remaining buffer size to the decoder. Or, set aside a different buffer allowance for metadata vs. image data. Whatever change is necessary in png just comes on top anyways, the init flow just allows us to abstract this and thus apply it with an existing Box<dyn ImageDecoder> so we don't have to do it all before. Indeed, as the comment on size eludes to we may want to different limit structs: one user facing that we use in ImageReader and one binding-facing that is passed to ImageDecoder::set_limits. Then settings just need to be

[197g]

@fintelia This now includes the other changes including to ImageReader as a draft of what I meant in #2679 (comment). In short:

• The file guessing routines and the construction of the boxed decoder are split into a separate type, ImageFile, which provides the previous methods of ImageReader but also an into_reader for the mutable, stateful interface.
• ImageReader:
  • features all accessors for metadata considering that some formats fill said metadata (or a pointer to it) after an image is decoded.
  • has viewbox as a re-imagining of the previous ImageDecoderRect trait but split into two responsibilites: the trait does the efficiency decision on an image-by-image basis with an interface that allows a partial application of the viewbox (in jpeg and tiff we would decode whole tiles); then the reader takes care of translating that into an exact layout. Note that another type of image buffer with offset+rowpitch information could do that adjustment zerocopy—I still want to get those benefits of the type erased buffer/image-canvas someday and this fits in.
• The code also retrieves the CICP from the color profile and annotates the DynamicImage with it where available. For sanity's sake the moxcms integration was rewritten to allow a smaller dependency to be used here, I'll split these off the PR if we decide to go that route.
• Conceivably there's a gain_map (or similar) that may be queried similar to the metadata methods. For that to be more ergonomic I'd like to seriously consider read_plane for, in tiff lingo, planar images as well as associated and non-associated mask data; and more speculatively other extra samples that are bump maps? uv? true cmyk?. While that does not necessarily all go into 1.* for any output that is not quite neatly statically sorted and sized as an Rgba 4-channel-homogeneous-host-order, I imagine it will be much simpler for a decoder to provides its data successively in multiple calls instead of a contiguous large byte slice. Similar to viewbox we'd allow this where ImageReader provides the compatibility to re-layout the image for the actual user—except where explicitly instructed. Adjusting ImageReader::decode to that effect should be no problem in principle.

[RunDevelopment]

I can't speak about image metadata, but I really don't like the new ImageDecoder interface as both an implementor of the interface and a potential user of it. Right now, it's just not clear to me at all how decoders should behave. My problems are:

1. init. This is just two-phase initialization and opens so many questions.
   • Do users have to call it? The docs say "should" not "must" be called before read_image.
   • Are users allowed to call it multiple times? If so, the decoder has to keep track of whether the header has already been read.
   • Since init returns a layout, what's the point of dimensions() and color_type()? And what if they disagree?
   • What should dimensions and co do before init is called?
   • If init fails, what should happen to methods like dimensions and read_image? When called, should they panic, return an error, return default values?
   • After calling read_image, do you have to re-init before calling read_image again?
2. viewbox makes it more difficult to implement decoders.
   • Now they always have to internally keep track of the viewbox rect if rect decoding is supported.
   • After calling viewbox, what should dimensions be? If they should be the viewbox size, should they reflect the new viewbox even before calling init?
   • It's not clear what should happen if viewbox returns ok, but init errors.
   • What should happen if users supply a viewbox outside the bounds of the image?
3. When calling viewbox, is the offset of the rect relative to the (0,0) of the full image or the last set viewbox?
4. What should happen if read_image is called twice? Should it read the same image again, error, read the next image in the sequence? The docs don't say.
   • If the intended behavior is "read the same image again", then those semantics would force all decoders to require Seek for the reader (or keep an in memory copy of the image for subsequent reads). Not an unreasonable requirement, but it should be explicitly documented.

---

Regarding rectangle decoding, I think it would be better if we force decoders to support arbitrary rects. That's because the current interface is actually less efficient by allowing decoder to support only certain rects. To read a specific rect that is not supported as is, ImageReader has to read a too-large rect and then crop the read image, allocating the memory for the too-large image only to throw it away. It is forced to do this, because of the API.

However, most image formats are based on lines of block (macro pixels). So we can do a trick. Decode a line according to the too-large rect, and then only copy the pixels in the real rect to the output buffer. This reduces the memory overhead for unsupported rects from O(width*height) to O(width*block_height). Supported rects don't need this dance and can decode into the output buffer directly. I.e. that's kinda what DDS does.

And if a format can't do the line-based trick for unsupported rects, then decoders should just allocate a temp buffer for the too-large rect and then crop (=copy what is needed). This is still just as efficient as the best ImageReader can do.

For use cases where users can use rowpitch to ignore the exccess parts of the too-large rect, we could just have a method that gives back a preferred rect, which can be decoded very efficiently.

So the API could look like this:

trait ImageDecoder {
    // ...
    /// Returns a viewbox that contains all pixels of the given rect but can potentially be decoded more efficiently.
    /// If rect decoding is not supported or no more-efficient rect exists, the given rect is returned as is.
    fn preferred_viewbox(&self, viewbox: Rect) -> Rect {
        viewbox // default impl
    }
    fn read_image_rect(&mut self, buf, viewbox) -> ImageResult {
        Err(ImageError::Decoding(Decoding::RectDecodingNotSupported)) // or similar
    }

This API should make rect decoding easier to use, easier to implement, and allow for more efficient implementations.

[197g]

1. init. This is just two-phase initialization and opens so many questions.

That was one of the open questions, the argument you're presenting makes it clear it should return the layout and that's it. Renamed to next_layout accordingly. I'd like to remove the existing dimensions()/color_type methods from the trait as well. There's no point using separate method calls for communicating them.

---

• For use cases where users can use rowpitch, […]

  That is ultimately the crux of the problem. I'd say it's pretty much the only problem even though that does not appreciate the complexity. A lot of what you put forth is overly specific to solving one instance of it, obviously focusing on DDS. That's not bad but take a step back to the larger picture. There's no good way to communicate all kinds of layouts that the caller could handle: tiled, planar, depths, sample types …. With the information being exchanged right now, no-one can find a best-match between the requirements of image's data types (and Limits) and what the decoder can provide. This won't be solved by moving complexity into the decoders, we need to get structured information out of them primarily, then make that decision / handling the resulting byte data in image's code.

• 2. viewbox makes it more difficult to implement decoders.

  The point of the default implementation in this PR is that it is purely opt-in. Don't implement the method for decoders that can not provide viewbox decoding and everything works correctly. The documentation seems to be confusing, point taken. We're always going to have inefficiencies, I'm for working through the distinct alternative layouts that allow an optimization one-by-one. More importantly for this PR immediately is what outcome a caller may want and what interface would give it to them—in this case I've worked on the use-case of extracting part of an atlas.

• However, most image formats are based on lines of block (macro pixels). So we can do a trick.

  I'm not designing anything in this interface around a singular "trick", that's the wrong way around. That is how we got here. That's precisely what created ImageDecoderRect, almost to the dot. Falsehoods programmer's assume about image decoding will lead that to this breaking down and to be horrible to maintain. The trick you mention should live in the decoder's trait impl and nowhere else and we can bring it back where appropriate and possible. (Note that if you do it for a specific format, some formats will be even more efficient and not require you decode anything line-by-line but skip ahead, do tiles, … That's just to drive home the point that you do not want to do this above the decoder abstraction but below it in the ImageDecoder impl).

• It is forced to do this, because of the API.

  The decoder impls is only forced to do anything if we force it via an interface—this PR does not; read_image_rect(&mut self, buf, viewbox) does force a decoder to be able to handle all possible viewboxes—this PR does not. I'm definitely taking worse short-term efficiency over code maintenance problems—the latter won't get us efficiency in the long run either.

---

When calling viewbox, is the offset of the rect relative to the (0,0) of the full image or the last set viewbox?

It's suppose to be to the full image. Yeah, that needs more documentation and pointers to the proper implementation.

[fintelia]

This has a subtle behavior change. Previously we reserved the space for the output buffer and then passed the reduced memory limit onto the decoder to limit its metadata/scratch buffer allocations. But at this point in the code we've already told the decoder that it is free to use the entire memory limit amount for those purposes. So we effectively only limiting memory to 2x the requested amount.

[197g]

That's true. The quicker fix here is to pass limits only once we have gotten the layout which would be closest to what we're doing right now on the main branch but obviously not really address if decoders are able to handle it. In gif we .. duplicate the allocation arbitrarily, right now, too:

image/src/codecs/gif.rs

Lines 172 to 174 in 7f44147

	self.limits.reserve_usize(buffer_size)?;
	let mut frame_buffer = vec![0; buffer_size];
	self.limits.free_usize(buffer_size);

We must rework the limits system regardless if it is to work with animations, too. That is to say at some point the struct will have been moved into the decoder but some higher level part of IO is still going to do allocations; but also de-allocations (!). Should those count? How do we access the limits if so?

For consuming animations you'd typically have a swapchain-like fixed capacity queue setup. The decoder would consume some of the limits while allocating for each new frame, then those limits should get refreshed over time when the frames have been fully consumed and dropped.. We can't fully handle this either right now (as seen in gif).

[197g]

I've ported this to taking half the allocation for ImageReader instead. That works reasonably well and we can consistently do it (maybe even more explainable now). One problem with the interface that remains from the previous iteration is that there is no guidance for dealing with multiple calls to it, when some allocations are already consumed.

[fintelia]

nit: it is easier for scrolling through the file if the impl blocks for each struct immediately follow the definitions

[fintelia]

Which formats do we expect to be able to implement viewboxes?

TIFF should be able to do it by only reading the necessarily strips/tiles. And DDS can because GPU compressed formats are designed for random access. But for other compressed formats, I think it might be rather annoying?

[197g]

Even jpeg could profit. We'll need to be more precise in the description but I had intended that, in either return case, the values outside the initially indicated viewbox will be allowed to be treated as 'dont-care' by the decoder in their original (or only partially cropped) layout. For these pixels the decoder not need present the actual underlying image data.

With some integration that would allow wins beyond just a binary decoding decision. Some form of integration would be possible for:

• all the PAM varieties, bmp, tga save on IO with full support; for small viewboxes if we Seek/read_at
• in jpeg we need not process the data from any of the MCU's that do not intersect the data even if the bitstream must be decoded to align with the file
• avif and webp seem similar to that where they might avoid processing values (obviously needing integration of it).

For anything non-RGB we get to save on conversion, too. I expect we uncover different forms of gains once we have a better understanding of a declarative form.

[fintelia]

The "previously decoded" part here makes me a bit nervous. I think we'll want to be clearer about what the user has to do to make sure they don't get None for images that actually do have EXIF data

[197g]

This is a bit odd and will depend on the format and metadatum. For instance, XMP is encoded per-image in tiff but only once in gif (despite us representing this as an image sequence) and also only once in png (no word about APNG). Problematically, in gif and png the standard requires absolutely no ordering with any of the other chunks. So it might be encountered before all of the header information is done; or after all the images have been consumed.

The problem with back references is of course the unclear association. And when multiple are included we always have a problem with consuming them 'after the end' since it should need to be buffered or the decoder able to store seek-back points (like png). Encoding all that in the interface is a challenge, i will incur some unavoidable complexity.

[197g]

Resolving the naming question as peek_layout, hopefully satisfactory for now.

[197g]

@fintelia I understand this is too big for a code-depth review but I'd be interested in the directional input. Is the merging of 'animations' and simple images as well as the optimization hint methods convincing enough? Is the idea of returning data from read_image something that works for you? The struct is meant to be Default-able and fills in the information for into_frames() but I'll sketch out some way of putting the metadata indicators in there (i.e. should you poll xmp for this frame, or wait until the end, or is it constant of the file).

As an aside, in wondermagick we basically find that sequence encoding is a missing API to match imagemagick. We can currently only do this with gif, despite tiff and webp having absolutely no conceptual problems with it (avif too, but imagemagick behaves odd, does not match libavifs decoding and the rust libraries don't provide it). It would be nice to make those traits symmetric so the direction here influences the encoding, too.