fix: strengthen Map/Set key hashing against collision DoS#1556
Open
mvanhorn wants to merge 2 commits into
Open
fix: strengthen Map/Set key hashing against collision DoS#1556mvanhorn wants to merge 2 commits into
mvanhorn wants to merge 2 commits into
Conversation
saghul
reviewed
Jul 2, 2026
| @@ -52665,6 +52665,16 @@ static JSValueConst map_normalize_key_const(JSContext *ctx, JSValueConst key) | |||
| } | |||
|
|
|||
| /* XXX: better hash ? */ | |||
Contributor
There was a problem hiding this comment.
time to drop the comment now?
| } | ||
|
|
||
| /* XXX: better hash ? */ | ||
| static uint32_t map_hash_u64(uint64_t h) |
Contributor
There was a problem hiding this comment.
Is this some well-known formula? maybe add a comment with a reference pl
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Strengthens the hashing of
Map/Setkeys against collision-based denial of service. String keys with embedded NUL bytes and float64 keys with adversarial bit patterns previously funneled into a single bucket, making insertion quadratic. Keys now hash with an avalanche mix so bucket distribution stays even under attacker-chosen inputs.Why this matters
Issue #205 reports that
Map/Setinsertion can be driven quadratic with crafted keys. Two families were exploitable: strings sharing a prefix up to a NUL byte, and float64 values whose 32-bit halves are equal and share low bits (easy to generate via aDataView). Both collapsed to the same low hash bits, so once the table grew to 4096 buckets they all landed in one bucket and each insert walked the whole chain.The string path is hardened, and the float64 key hash now runs the 64-bit pattern through a multiply/xorshift avalanche folded to 32 bits before the bucket mask, so equal-word / shared-low-bit families no longer collide.
NaNnormalization and+0/-0unification are preserved.Testing
make,make test(Result: 0/64 errors), andbuild/run-test262 -c tests.conf -f tests/test_builtin.jsall pass.tests/test_builtin.jsgains regression coverage for NUL-prefixed string keys, the equal-word float collision family at 4096 entries (bothMapandSet),NaN, and+0/-0.Fixes #205