Skip to content

buffer: optimize buffer.concat performance #61721

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
mertcanaltin wants to merge 7 commits into
base: main
Choose a base branch
from
+50 −9
Open

buffer: optimize buffer.concat performance #61721

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
7ded458
buffer: optimize buffer.concat performance
mertcanaltin Feb 7, 2026
a7fd75d
revert comment lines
mertcanaltin Feb 7, 2026
885c7a3
revert comment lines
mertcanaltin Feb 7, 2026
ba806ae
revert listLen caching
mertcanaltin Feb 7, 2026
559f5e9
move type validation before allocation
mertcanaltin Feb 7, 2026
1898304
use TypedArrayPrototypeGetByteLength
mertcanaltin Feb 8, 2026
4848305
add test for spoofed length getter in concat
mertcanaltin Feb 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 40 additions & 9 deletions lib/buffer.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,7 @@ const {
TypedArrayPrototypeGetLength,
TypedArrayPrototypeSet,
TypedArrayPrototypeSlice,
TypedArrayPrototypeSubarray,
Uint8Array,
} = primordials;

Expand Down Expand Up @@ -614,25 +615,55 @@ Buffer.concat = function concat(list, length) {
if (length === undefined) {
length = 0;
for (let i = 0; i < list.length; i++) {
if (list[i].length) {
length += list[i].length;
const buf = list[i];
if (!isUint8Array(buf)) {
// TODO(BridgeAR): This should not be of type ERR_INVALID_ARG_TYPE.
// Instead, find the proper error code for this.
throw new ERR_INVALID_ARG_TYPE(
`list[${i}]`, ['Buffer', 'Uint8Array'], buf);
}
length += TypedArrayPrototypeGetByteLength(buf);
}
} else {
validateOffset(length, 'length');

const buffer = allocate(length);
let pos = 0;
for (let i = 0; i < list.length; i++) {
const buf = list[i];
const bufLength = TypedArrayPrototypeGetByteLength(buf);
TypedArrayPrototypeSet(buffer, buf, pos);
pos += bufLength;
}

if (pos < length) {
TypedArrayPrototypeFill(buffer, 0, pos, length);
}
Comment on lines +637 to +639
Copy link
Member

@gurgunday gurgunday Feb 7, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we even hit this part? I think this is unreachable because you moved type validation to the beginning and it will always fill after going through all of them?

Copy link
Member Author

@mertcanaltin mertcanaltin Feb 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's still reachable if a buffer gets detached between the validation and copy loops buf.length becomes 0, pos won't advance, leaving uninitialized bytes without the zero-fill.

Copy link
Member

@gurgunday gurgunday Feb 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not really sure how it can be detached unless a length getter is compromised. It's all synchronous code here?

In any case, it would be nice to have coverage for it

Other than coverage, the PR LGTM

Copy link
Member

@Renegade334 Renegade334 Feb 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about an assert here?

(Attempting to read from a detached buffer should throw an error from the engine in any case.)

Copy link
Member

@jasnell jasnell Feb 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the buffer gets detached between these points should actually cause the Uint8Array.prototype.set operation to fail.

Consider the example:

const u8_1 = new Uint8Array([1,2,3,4]);
const u8_2 = new Uint8Array([5,6,7,8]);

let called = false;

Object.defineProperty(u8_1, 'length', {
  get() {
    // The first time this is called, return the actual length of the array
    // The second time this is called, we'll also transfer the ArrayBuffer of the second

    if (!called) {
      called = true;
    } else {
      u8_2.buffer.transfer();
    }
    return 4;
  },
});

const buf = Buffer.concat([u8_1, u8_2]);
console.log(buf);
node:buffer:631
      TypedArrayPrototypeSet(buffer, buf, pos);
      ^

TypeError: Cannot perform %TypedArray%.prototype.set on a detached ArrayBuffer
    at Buffer.set (<anonymous>)
    at Buffer.concat (node:buffer:631:7)
    at Object.<anonymous> (/home/jsnell/tmp/fubar.js:20:20)
    at Module._compile (node:internal/modules/cjs/loader:1811:14)
    at Object..js (node:internal/modules/cjs/loader:1942:10)
    at Module.load (node:internal/modules/cjs/loader:1532:32)
    at Module._load (node:internal/modules/cjs/loader:1334:12)
    at wrapModuleLoad (node:internal/modules/cjs/loader:255:19)
    at Module.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:154:5)
    at node:internal/main/run_main_module:33:47

Node.js v26.0.0-pre

I'm all for being defensive here tho.

Copy link
Member

@Renegade334 Renegade334 Feb 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TypedArrayPrototypeGetLength would be the tonic there, presumably.

Copy link
Member

@jasnell jasnell Feb 8, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably. Also just make sure that Uint8Array.prototype.set itself does not call the user overide getter (it shouldn't.. but let's confirm)

Copy link
Member Author

@mertcanaltin mertcanaltin Feb 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, switched to TypedArrayPrototypeGetByteLength to avoid the spoofed length getter. Zero-fill kept as defensive measure.

Copy link
Member

@jasnell jasnell Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would be sure to also add a test that covers the spoofed length test.

Copy link
Member Author

@mertcanaltin mertcanaltin Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added now, thanks

Comment on lines +637 to +639
Copy link
Member

@Renegade334 Renegade334 Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: my preference would still be for an assert here, since pos !== length is de facto an invalid state.

Copy link
Member Author

@mertcanaltin mertcanaltin Feb 10, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd prefer keeping the zero-fill here if we're ever wrong about it being unreachable, zero-filling is safer than crashing the process with uninitialized memory in the buffer.

return buffer;
}

const buffer = Buffer.allocUnsafe(length);
let pos = 0;
validateOffset(length, 'length');
for (let i = 0; i < list.length; i++) {
const buf = list[i];
if (!isUint8Array(buf)) {
if (!isUint8Array(list[i])) {
// TODO(BridgeAR): This should not be of type ERR_INVALID_ARG_TYPE.
// Instead, find the proper error code for this.
throw new ERR_INVALID_ARG_TYPE(
`list[${i}]`, ['Buffer', 'Uint8Array'], list[i]);
}
pos += _copyActual(buf, buffer, pos, 0, buf.length, true);
}

const buffer = allocate(length);
let pos = 0;
for (let i = 0; i < list.length; i++) {
const buf = list[i];
const bufLength = TypedArrayPrototypeGetByteLength(buf);
if (pos + bufLength > length) {
TypedArrayPrototypeSet(buffer,
TypedArrayPrototypeSubarray(buf, 0, length - pos),
pos);
pos = length;
break;
}
TypedArrayPrototypeSet(buffer, buf, pos);
pos += bufLength;
}

// Note: `length` is always equal to `buffer.length` at this point
Expand Down
10 changes: 10 additions & 0 deletions test/parallel/test-buffer-concat.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -122,3 +122,13 @@ assert.deepStrictEqual(
assert.deepStrictEqual(Buffer.concat([new Uint8Array([0x41, 0x42]),
new Uint8Array([0x43, 0x44])]),
Buffer.from('ABCD'));

// Spoofed length getter should not cause uninitialized memory exposure
{
const u8_1 = new Uint8Array([1, 2, 3, 4]);
const u8_2 = new Uint8Array([5, 6, 7, 8]);
Object.defineProperty(u8_1, 'length', { get() { return 100; } });
const buf = Buffer.concat([u8_1, u8_2]);
assert.strictEqual(buf.length, 8);
assert.deepStrictEqual(buf, Buffer.from([1, 2, 3, 4, 5, 6, 7, 8]));
}
Loading