Skip to content

src: fix Boyer-Moore array bounds safety #7

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jasnell merged 1 commit into from
Jul 10, 2025
Merged

src: fix Boyer-Moore array bounds safety #7

jasnell merged 1 commit into from
Jul 10, 2025

Conversation

@codebytere
Copy link
Member

@codebytere codebytere commented Jul 10, 2025
edited
Loading

Refs https://chromium-review.googlesource.com/c/chromium/src/+/6703757

The above CL enabled array bounds sanitization for Electron and therefore Node.js, which triggered a crash in parallel/test-buffer-indexof.js. Upon a bit more investigation, some Boyer-Moore related functions function were using biased pointer arithmetic to create array pointers that point outside the actual array bounds.

When start_ is large this creates pointers far outside the valid memory range. The sanitizer detects that we're creating and dereferencing pointers outside array boundaries, even though the final memory access happens to land in valid memory.

This changes the functions to use bounds-safe array indexing.

@codebytere codebytere requested review from anonrig and jasnell July 10, 2025 14:57
@codebytere codebytere mentioned this pull request Jul 10, 2025
Closed
@codebytere
src: fix Boyer-Moore array bounds safety
81f10d6 
Refs https://chromium-review.googlesource.com/c/chromium/src/+/6703757

The above CL enabled array bounds sanitization for Electron and therefore Node.js, which triggered
a crash in parallel/test-buffer-indexof.js. Upon a bit more investigation, some Boyer-Moore related functions
function were using biased pointer arithmetic to create array pointers that point outside the actual array bounds.

When start_ is large this creates pointers far outside the valid memory range. The sanitizer detects that we're creating and dereferencing pointers outside array boundaries, even though the final memory access happens to land in valid memory.

This changes the functions to use bounds-safe array indexing.
@codebytere codebytere requested a review from lemire July 10, 2025 15:23
@jasnell jasnell merged commit 67e56fd into nodejs:main Jul 10, 2025
6 checks passed
@lemire
Copy link
Member

lemire commented Jul 10, 2025

Is this code ever used outside of v8?

@lemire
Copy link
Member

lemire commented Jul 10, 2025

Or at all?

@anonrig
Copy link
Member

anonrig commented Jul 10, 2025

It's used by nodejs and Cloudflare workers.

@lemire
Copy link
Member

lemire commented Jul 10, 2025

@anonrig Thanks. I'll follow up with my questions elsewhere. :-)

@codebytere codebytere mentioned this pull request Jul 12, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jasnell jasnell jasnell approved these changes

@anonrig anonrig Awaiting requested review from anonrig

@lemire lemire Awaiting requested review from lemire

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@codebytere @lemire @anonrig @jasnell