The GitHub Actions job "Fory CI" on fory.git/fix-fory-inputstream-quadratic-growth has failed.
Run started by GitHub user temni (triggered by temni).

Head commit for run:
8004948f363dad206fde8f7de5da414bfda4adce / Evgeniy Kirichenko <[email protected]>
perf(java): avoid quadratic buffer growth in stream deserialization

ForyInputStream.fillBuffer and ForyReadableChannel.fillBuffer grew the
internal buffer to the exact target size: the available()-verified fast
path allocated exactly targetSize, and the fallback nextBufferSize was
capped with Math.min(grown, targetSize). Since the stream buffer
accumulates the whole payload during one deserialize() call, the buffer
was always exactly full after a fill, so every small read (for example
readByte -> fillBuffer(1)) reallocated and copied the entire buffer.
Stream deserialization was O(n^2) overall and multi-MB payloads
appeared to hang at 100% CPU inside growBuffer.

Grow by at least a doubling step instead: the verified fast path grows
to max(targetSize, 2 * capacity), and the fallback doubles without the
targetSize cap. Allocation on the unverified path stays bounded by
roughly twice the bytes actually received, so truncated or hostile
streams still fail before large buffers are reserved.

Also align ForyReadableChannel.nextBufferSize's clamp with
ForyInputStream (Integer.MAX_VALUE - 8) and update the stream-fill
growth guidance in docs/security/deserialization.md to match.

Co-Authored-By: Claude Fable 5 <[email protected]>
Claude-Session: https://claude.ai/code/session_01EnqiU1ARyovGifhbfLkCfz

Report URL: https://github.com/apache/fory/actions/runs/28584189452

With regards,
GitHub Actions via GitBox
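
The growth behaviour the commit message describes, as an added example that is not Fory's code and not part of the original notification: a model of a stream buffer that keeps every byte read so far, comparing exact-fit growth with growth by at least a doubling step. The class, the `Policy` names, the 16-byte starting capacity and the payload sizes are assumptions made for this illustration; only the `Integer.MAX_VALUE - 8` clamp is taken from the message.

```java
import java.util.Arrays;

/** Added illustration, not Fory code: a buffer that accumulates the whole payload. */
public class BufferGrowthDemo {
    // Hypothetical policy names for this example.
    enum Policy { EXACT_FIT, AT_LEAST_DOUBLE }

    static final int MAX_ARRAY = Integer.MAX_VALUE - 8; // clamp value named in the commit message

    /** Capacity to allocate when the buffer must hold targetSize bytes. */
    static int nextCapacity(Policy p, int capacity, int targetSize) {
        if (p == Policy.EXACT_FIT) {
            return targetSize; // buffer is exactly full again after the fill
        }
        long doubled = Math.max(2L * capacity, 16L); // 16 is an assumed minimum size
        return (int) Math.min(Math.max(doubled, (long) targetSize), MAX_ARRAY);
    }

    /** Returns {reallocations, liveBytesCopied, finalCapacity} for payloadSize bytes read in readSize steps. */
    static long[] simulate(Policy p, int payloadSize, int readSize) {
        byte[] buf = new byte[0];
        int filled = 0;
        long reallocs = 0, copied = 0;
        while (filled < payloadSize) {
            int target = filled + Math.min(readSize, payloadSize - filled);
            if (target > buf.length) {
                buf = Arrays.copyOf(buf, nextCapacity(p, buf.length, target));
                reallocs++;
                copied += filled; // every byte received so far is moved to the new array
            }
            Arrays.fill(buf, filled, target, (byte) 1); // stands in for bytes arriving from the stream
            filled = target;
        }
        return new long[] {reallocs, copied, buf.length};
    }

    public static void main(String[] args) {
        int readSize = 1; // the readByte -> fillBuffer(1) case
        for (int n : new int[] {16 << 10, 32 << 10, 64 << 10}) { // constructed payload sizes
            long[] e = simulate(Policy.EXACT_FIT, n, readSize);
            long[] d = simulate(Policy.AT_LEAST_DOUBLE, n, readSize);
            System.out.printf("n=%d exact: reallocs=%d copied=%d cap=%d | doubling: reallocs=%d copied=%d cap=%d%n",
                n, e[0], e[1], e[2], d[0], d[1], d[2]);
        }
    }
}
```

Doubling the payload size roughly quadruples the bytes copied under `EXACT_FIT`, while under `AT_LEAST_DOUBLE` the copied bytes and the final capacity stay within about twice the bytes received.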

