fix: pad encode_hash_with_base output to fixed length to prevent slice panics#8320
Merged
graphite-app[bot] merged 1 commit intomainfrom Feb 13, 2026
Conversation
Member
Author
How to use the Graphite Merge QueueAdd the label graphite: merge-when-ready to this PR to add it to the merge queue. You must have a Graphite account in order to use the merge queue. Sign up using this link. An organization admin has enabled the Graphite Merge Queue in this repository. Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue. This stack of pull requests is managed by Graphite. Learn more about stacking. |
encode_hash_with_base output to fixed length to prevent slice panics
Member
Author
|
I’ll submit a PR to Rollup later. |
Contributor
Benchmarks Rust
|
a5f6a49 to
683a780
Compare
hyf0
approved these changes
Feb 13, 2026
Member
Author
Merge activity
|
…ice panics (#8320) closes #8270, related to rollup/rollup#5720 ### Summary `base_encode::to_string` performs a true mathematical base conversion (repeated division), which produces **variable-length output** depending on the numeric magnitude of the input. For a 128-bit xxhash encoded in base 64, the output is typically 21 or 22 characters (~75% chance of 22, ~25% chance of 21), and can be shorter (~0.4% chance) if the least-significant bytes of the hash happen to be zero. This caused two issues: 1. **Potential panic**: Callers slice the hash at fixed offsets (e.g. `hash[..placeholder.len()]`), which panics if the hash string is shorter than expected. 2. **Incorrect `MAX_HASH_SIZE`**: It was set to 21, but the actual maximum for base 64 is `ceil(128/6) = 22`, preventing users from using `[hash:22]`. ### Additional For the xxhash use case, the 128-bit hash output is approximately uniformly random. Having 13+ leading zero bytes would require a probability of `1/256¹³ ≈ 10⁻³¹`, which is practically impossible. In practice, the output is almost always 21 characters (~75%) or 22 characters (~25%), with an occasional 20 characters (~0.4%).
1060b4f to
c353b67
Compare
683a780 to
fa8851a
Compare
Base automatically changed from
02-13-fix_xxhash_with_base_skips_hashing_when_input_is_exactly_16_bytes
to
main
February 13, 2026 12:46
This was referenced Feb 18, 2026
Closed
Closed
Merged
shulaoda
pushed a commit
that referenced
this pull request
Feb 18, 2026
## [1.0.0-rc.5] - 2026-02-18
💡 Smarter `entriesAware` Manual Code Splitting
New `entriesAware` and `entriesAwareMergeThreshold` options for `manualCodeSplitting.groups[]` enable
entry-reachability-based chunk splitting with automatic small chunk merging.
- `entriesAware: true` splits matched modules by entry reachability — modules reached by the same set of entries are grouped together, providing the most precise loading behavior with less over-fetching
- Chunks now get more readable names reflecting their entry associations (e.g. `vendor-entry-a-entry-b.js`) instead of opaque hashes
- `entriesAwareMergeThreshold` sets a byte-size threshold to merge tiny subgroups into the closest sibling with the fewest extra entries, reducing micro-chunk fragmentation while preserving precision
- Recommended to use together with `maxSize`: merge tiny chunks first to reduce request overhead, then cap large chunks to control payload size
```js
manualCodeSplitting: {
groups: [{
name: 'vendor',
test: /node_modules/,
entriesAware: true,
entriesAwareMergeThreshold: 28000, // bytes
}]
}
```
### 🚀 Features
- add `Visitor` to `rolldown/utils` (#8373) by @sapphi-red
- module-info: add `inputFormat` property to `ModuleInfo` (#8329) by @shulaoda
- default `treeshake.invalid_import_side_effects` to `false` (#8357) by @sapphi-red
- rolldown_utils: add `IndexBitSet` (#8343) by @sapphi-red
- rolldown_utils: add more methods and trait impls to BitSet (#8342) by @sapphi-red
- rolldown_plugin_vite_build_import_analysis: add support for `await import().then((m) => m.prop)` (#8328) by @sapphi-red
- rolldown_plugin_vite_reporter: support custom logger for build infos (#7652) by @shulaoda
- rust/mcs: support `entriesAwareMergeThreshold` (#8312) by @hyf0
- mcs: `maxSize` will split the oversized chunk with taking file relevance into account (#8277) by @hyf0
- rolldown_plugin_vite_import_glob: support template literal in glob import patterns (#8298) by @shulaoda
- rolldown_plugin_chunk_import_map: output importmap without spaces (#8297) by @sapphi-red
- add INEFFECTIVE_DYNAMIC_IMPORT warning in core (#8284) by @shulaoda
- mcs: generate more readable name for `entriesAware` chunks (#8275) by @hyf0
- mcs: support `entriesAware` (#8274) by @hyf0
### 🐛 Bug Fixes
- improve circular dependency detection in chunk optimizer (#8371) by @IWANABETHATGUY
- align `minify.compress: true` and `minify.mangle: true` with `minify: true` (#8367) by @sapphi-red
- rolldown_plugin_esm_external_require: apply conversion to UMD and IIFE outputs (#8359) by @sapphi-red
- cjs: bailout treeshaking on cjs modules that have multiple re-exports (#8348) by @hyf0
- handle member expression and this expression in JSX element name rewriting (#8323) by @IWANABETHATGUY
- pad `encode_hash_with_base` output to fixed length to prevent slice panics (#8320) by @shulaoda
- `xxhash_with_base` skips hashing when input is exactly 16 bytes (#8319) by @shulaoda
- complete `ImportKind::try_from` with missing variants and correct `url-import` to `url-token` (#8310) by @shulaoda
- mark Node.js builtin modules as side-effect-free when resolved via `external` config (#8304) by @IWANABETHATGUY
- mcs: `maxSize` should split chunks correctly based on sizes (#8289) by @hyf0
### 🚜 Refactor
- introduce `RawMangleOptions` and `RawCompressOptions` (#8366) by @sapphi-red
- mcs: refactor `apply_manual_code_splitting` into `ManualSplitter` (#8346) by @hyf0
- rolldown_plugin_vite_reporter: simplify hook registration and remove redundant state (#8322) by @shulaoda
- use set to store user defined entry modules (#8315) by @IWANABETHATGUY
- rust/mcs: collect groups into map at first for having clean and performant operations (#8313) by @hyf0
- mcs: introduce newtype `ModuleGroupOrigin` and `ModuleGroupId` (#8311) by @hyf0
- remove unnecessary `FinalizerMutableState` struct (#8303) by @shulaoda
- move module finalization into `finalize_modules` (#8302) by @shulaoda
- extract `apply_transfer_parts_mutation` into its own module (#8301) by @shulaoda
- move ESM format check into `determine_export_mode` (#8294) by @shulaoda
- remove `warnings` field from `GenerateContext` (#8293) by @shulaoda
- extract util function remove clippy supression (#8290) by @IWANABETHATGUY
- move `is_in_node_modules` to `PathExt` trait in `rolldown_std_utils` (#8286) by @shulaoda
- rolldown_plugin_vite_reporter: remove unnecessary ineffective dynamic import detection logic (#8285) by @shulaoda
- dev: inject hmr runtime to `\0rolldown/runtime.js` (#8234) by @hyf0
- improve naming in chunk_optimizer (#8287) by @IWANABETHATGUY
- simplify PostChunkOptimizationOperation from bitflags to enum (#8283) by @IWANABETHATGUY
- optimize BitSet.index_of_one to return iterator instead of Vec (#8282) by @IWANABETHATGUY
### 📚 Documentation
- change default value in `format` JSDoc from `'esm'` to `'es'` (#8372) by @shulaoda
- in-depth: remove `invalidImportSideEffects` option mention from lazy barrel optimization doc (#8355) by @sapphi-red
- mcs: clarify `minSize` constraints (#8279) by @ShroXd
### ⚡ Performance
- use IndexVec for chunk TLA detection (#8341) by @sapphi-red
- only invoke single resolve call for the same specifier and import kind (#8332) by @sapphi-red
- rolldown_plugin_vite_reporter: skip gzip computation when `report_compressed_size` is disabled (#8321) by @shulaoda
### 🧪 Testing
- use `vi.waitFor` and `expect.poll` instead of custom `waitUtil` function (#8369) by @sapphi-red
- rolldown_plugin_esm_external_require_plugin: add tests (#8358) by @sapphi-red
- add watch file tests (#8330) by @sapphi-red
- rolldown_plugin_vite_build_import_analysis: add test for dynamic import treeshaking (#8327) by @sapphi-red
### ⚙️ Miscellaneous Tasks
- prepare-release: skip workflow on forked repositories (#8368) by @shulaoda
- format more files (#8360) by @sapphi-red
- deps: update oxc to v0.114.0 (#8347) by @camc314
- deps: update test262 submodule for tests (#8354) by @sapphi-red
- deps: update crate-ci/typos action to v1.43.5 (#8350) by @renovate[bot]
- deps: update oxc apps (#8351) by @renovate[bot]
- rolldown_plugin_vite_reporter: remove unnecessary README.md (#8334) by @shulaoda
- deps: update npm packages (#8338) by @renovate[bot]
- deps: update rust crates (#8339) by @renovate[bot]
- deps: update dependency oxlint-tsgolint to v0.13.0 (#8337) by @renovate[bot]
- deps: update github-actions (#8336) by @renovate[bot]
- deps: update napi to v3.8.3 (#8331) by @renovate[bot]
- deps: update dependency oxlint-tsgolint to v0.12.2 (#8325) by @renovate[bot]
- remove unnecessary transform.decorator (#8314) by @IWANABETHATGUY
- deps: update dependency rust to v1.93.1 (#8305) by @renovate[bot]
- deps: update dependency oxlint-tsgolint to v0.12.1 (#8300) by @renovate[bot]
- deps: update oxc apps (#8296) by @renovate[bot]
- docs: don't skip for build runs without cache (#8281) by @sapphi-red
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
closes #8270, related to rollup/rollup#5720
Summary
base_encode::to_stringperforms a true mathematical base conversion (repeated division), which produces variable-length output depending on the numeric magnitude of the input. For a 128-bit xxhash encoded in base 64, the output is typically 21 or 22 characters (~75% chance of 22, ~25% chance of 21), and can be shorter (~0.4% chance) if the least-significant bytes of the hash happen to be zero.This caused two issues:
hash[..placeholder.len()]), which panics if the hash string is shorter than expected.MAX_HASH_SIZE: It was set to 21, but the actual maximum for base 64 isceil(128/6) = 22, preventing users from using[hash:22].Additional
For the xxhash use case, the 128-bit hash output is approximately uniformly random. Having 13+ leading zero bytes would require a probability of
1/256¹³ ≈ 10⁻³¹, which is practically impossible. In practice, the output is almost always 21 characters (~75%) or 22 characters (~25%), with an occasional 20 characters (~0.4%).