wcsmbs: Ensure wcstr worst-case linear execution time (BZ 23865)

It uses the same two-way algorithm used on strstr, strcasestr, and
memmem.  Different than strstr, neither the "shift table" optimization
nor the self-adapting filtering check is used because it would result in
a too-large shift table (and it also simplifies the implementation bit).

Checked on x86_64-linux-gnu and aarch64-linux-gnu.
Reviewed-by: DJ Delorie <dj@redhat.com>

3 files changed, 507 insertions, 72 deletions

diff --git a/string/test-strstr.c b/string/test-strstr.c
index 86237555c0..1eebdbcb51 100644
--- a/string/test-strstr.c
+++ b/string/test-strstr.c
@@ -59,6 +59,9 @@
 # undef weak_alias
 # define weak_alias(a, b)
 # define WCSSTR c_wcsstr
+# define __wmemcmp wmemcmp
+# define __wcsnlen wcsnlen
+# define __wcslen wcslen
 # include "wcsstr.c"
 # define C_IMPL WCSSTR
 #endif
@@ -217,6 +220,31 @@ check2 (void)
     }
 }
 
+static void
+check3 (void)
+{
+  /* Check that a long periodic needle does not cause false positives.  */
+  {
+    const CHAR input[] = L("F_BD_CE_BD_EF_BF_BD_EF_BF_BD_EF_BF_BD_EF_BF_BD"
+                            "_C3_88_20_EF_BF_BD_EF_BF_BD_EF_BF_BD"
+                            "_C3_A7_20_EF_BF_BD");
+    const CHAR need[] = L("_EF_BF_BD_EF_BF_BD_EF_BF_BD_EF_BF_BD_EF_BF_BD");
+    FOR_EACH_IMPL (impl, 0)
+      check_result (impl, input, need, NULL);
+  }
+
+  {
+    const CHAR input[] = L("F_BD_CE_BD_EF_BF_BD_EF_BF_BD_EF_BF_BD_EF_BF_BD"
+			   "_C3_88_20_EF_BF_BD_EF_BF_BD_EF_BF_BD"
+			   "_C3_A7_20_EF_BF_BD_DA_B5_C2_A6_20"
+			   "_EF_BF_BD_EF_BF_BD_EF_BF_BD_EF_BF_BD_EF_BF_BD");
+    const CHAR need[] = L("_EF_BF_BD_EF_BF_BD_EF_BF_BD_EF_BF_BD_EF_BF_BD");
+    FOR_EACH_IMPL (impl, 0)
+      check_result (impl, input, need, (CHAR *) input + 115);
+  }
+}
+
+
 #define N 1024
 
 static void
@@ -243,6 +271,148 @@ pr23637 (void)
     check_result (impl, h, n, exp_result);
 }
 
+static void
+pr23865 (void)
+{
+  /* Check that a very long haystack is handled quickly if the needle is
+     short and occurs near the beginning.  */
+  {
+    size_t m = 1000000;
+    const CHAR *needle =
+      L("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
+    CHAR *haystack = xmalloc ((m + 1) * sizeof (CHAR));
+    MEMSET (haystack, L('A'), m);
+    haystack[0] = L('B');
+    haystack[m] = L('\0');
+
+    FOR_EACH_IMPL (impl, 0)
+      check_result (impl, haystack, needle, haystack + 1);
+
+    free (haystack);
+  }
+
+  /* Check that a very long needle is discarded quickly if the haystack is
+     short.  */
+  {
+    size_t m = 1000000;
+    const CHAR *haystack =
+      L("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+	"ABABABABABABABABABABABABABABABABABABABABABABABABABABABABABABABABABAB");
+    CHAR *needle = xmalloc ((m + 1) * sizeof (CHAR));
+    MEMSET (needle, L'A', m);
+    needle[m] = L('\0');
+
+    FOR_EACH_IMPL (impl, 0)
+      check_result (impl, haystack, needle, NULL);
+
+    free (needle);
+  }
+
+  /* Check that the asymptotic worst-case complexity is not quadratic.  */
+  {
+    size_t m = 1000000;
+    CHAR *haystack = xmalloc ((2 * m + 2) * sizeof (CHAR));
+    CHAR *needle = xmalloc ((m + 2) * sizeof (CHAR));
+
+    MEMSET (haystack, L('A'), 2 * m);
+    haystack[2 * m] = L('B');
+    haystack[2 * m + 1] = L('\0');
+
+    MEMSET (needle, L('A'), m);
+    needle[m] = L('B');
+    needle[m + 1] = L('\0');
+
+    FOR_EACH_IMPL (impl, 0)
+      check_result (impl, haystack, needle, haystack + m);
+
+    free (needle);
+    free (haystack);
+  }
+
+  {
+    /* Ensure that with a barely periodic "short" needle, STRSTR's
+       search does not mistakenly skip just past the match point.  */
+    const CHAR *haystack =
+      L("\n"
+       "with_build_libsubdir\n"
+       "with_local_prefix\n"
+       "with_gxx_include_dir\n"
+       "with_cpp_install_dir\n"
+       "enable_generated_files_in_srcdir\n"
+       "with_gnu_ld\n"
+       "with_ld\n"
+       "with_demangler_in_ld\n"
+       "with_gnu_as\n"
+       "with_as\n"
+       "enable_largefile\n"
+       "enable_werror_always\n"
+       "enable_checking\n"
+       "enable_coverage\n"
+       "enable_gather_detailed_mem_stats\n"
+       "enable_build_with_cxx\n"
+       "with_stabs\n"
+       "enable_multilib\n"
+       "enable___cxa_atexit\n"
+       "enable_decimal_float\n"
+       "enable_fixed_point\n"
+       "enable_threads\n"
+       "enable_tls\n"
+       "enable_objc_gc\n"
+       "with_dwarf2\n"
+       "enable_shared\n"
+       "with_build_sysroot\n"
+       "with_sysroot\n"
+       "with_specs\n"
+       "with_pkgversion\n"
+       "with_bugurl\n"
+       "enable_languages\n"
+       "with_multilib_list\n");
+    const CHAR *needle =
+      L("\n"
+       "with_gnu_ld\n");
+
+    FOR_EACH_IMPL (impl, 0)
+      check_result (impl, haystack, needle, (CHAR*) haystack + 114);
+  }
+
+  {
+    /* Same bug, shorter trigger.  */
+    const CHAR *haystack = L("..wi.d.");
+    const CHAR *needle = L(".d.");
+    FOR_EACH_IMPL (impl, 0)
+      check_result (impl, haystack, needle, (CHAR*) haystack + 4);
+  }
+
+  /* Test case from Yves Bastide.
+     <https://www.openwall.com/lists/musl/2014/04/18/2>  */
+  {
+    const CHAR *input = L("playing play play play always");
+    const CHAR *needle = L("play play play");
+    FOR_EACH_IMPL (impl, 0)
+      check_result (impl, input, needle, (CHAR*) input + 8);
+  }
+
+  /* Test long needles.  */
+  {
+    size_t m = 1024;
+    CHAR *haystack = xmalloc ((2 * m + 1) * sizeof (CHAR));
+    CHAR *needle = xmalloc ((m + 1) * sizeof (CHAR));
+    haystack[0] = L('x');
+    MEMSET (haystack + 1, L(' '), m - 1);
+    MEMSET (haystack + m, L('x'), m);
+    haystack[2 * m] = L('\0');
+    MEMSET (needle, L('x'), m);
+    needle[m] = L('\0');
+
+    FOR_EACH_IMPL (impl, 0)
+      check_result (impl, haystack, needle, haystack + m);
+
+    free (needle);
+    free (haystack);
+  }
+}
+
 static int
 test_main (void)
 {
@@ -250,7 +420,9 @@ test_main (void)
 
   check1 ();
   check2 ();
+  check3 ();
   pr23637 ();
+  pr23865 ();
 
   printf ("%23s", "");
   FOR_EACH_IMPL (impl, 0)
diff --git a/wcsmbs/wcs-two-way.h b/wcsmbs/wcs-two-way.h
new file mode 100644
index 0000000000..fae4750aeb
--- /dev/null
+++ b/wcsmbs/wcs-two-way.h
@@ -0,0 +1,312 @@
+/* Wide character substring search, using the Two-Way algorithm.
+   Copyright (C) 2008-2024 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+/* Before including this file, you need to include <string.h> (and
+   <config.h> before that, if not part of libc), and define:
+     AVAILABLE(h, h_l, j, n_l)
+			     A macro that returns nonzero if there are
+			     at least N_L characters left starting at H[J].
+			     H is 'wchar_t *', H_L, J, and N_L are 'size_t';
+			     H_L is an lvalue.  For NUL-terminated searches,
+			     H_L can be modified each iteration to avoid
+			     having to compute the end of H up front.
+
+  For case-insensitivity, you may optionally define:
+     CMP_FUNC(p1, p2, l)     A macro that returns 0 iff the first L
+			     characters of P1 and P2 are equal.
+     CANON_ELEMENT(c)        A macro that canonicalizes an element right after
+			     it has been fetched from one of the two strings.
+			     The argument is an 'wchar_t'; the result must
+			     be an 'wchar_t' as well.
+*/
+
+#include <limits.h>
+#include <stdint.h>
+#include <sys/param.h>                  /* Defines MAX.  */
+
+/* We use the Two-Way string matching algorithm, which guarantees
+   linear complexity with constant space.
+
+   See http://www-igm.univ-mlv.fr/~lecroq/string/node26.html#SECTION00260
+   and http://en.wikipedia.org/wiki/Boyer-Moore_string_search_algorithm
+*/
+
+#ifndef CANON_ELEMENT
+# define CANON_ELEMENT(c) c
+#endif
+#ifndef CMP_FUNC
+# define CMP_FUNC __wmemcmp
+#endif
+
+/* Perform a critical factorization of NEEDLE, of length NEEDLE_LEN.
+   Return the index of the first character in the right half, and set
+   *PERIOD to the global period of the right half.
+
+   The global period of a string is the smallest index (possibly its
+   length) at which all remaining bytes in the string are repetitions
+   of the prefix (the last repetition may be a subset of the prefix).
+
+   When NEEDLE is factored into two halves, a local period is the
+   length of the smallest word that shares a suffix with the left half
+   and shares a prefix with the right half.  All factorizations of a
+   non-empty NEEDLE have a local period of at least 1 and no greater
+   than NEEDLE_LEN.
+
+   A critical factorization has the property that the local period
+   equals the global period.  All strings have at least one critical
+   factorization with the left half smaller than the global period.
+
+   Given an ordered alphabet, a critical factorization can be computed
+   in linear time, with 2 * NEEDLE_LEN comparisons, by computing the
+   larger of two ordered maximal suffixes.  The ordered maximal
+   suffixes are determined by lexicographic comparison of
+   periodicity.  */
+static size_t
+critical_factorization (const wchar_t *needle, size_t needle_len,
+			size_t *period)
+{
+  /* Index of last character of left half, or SIZE_MAX.  */
+  size_t max_suffix, max_suffix_rev;
+  size_t j; /* Index into NEEDLE for current candidate suffix.  */
+  size_t k; /* Offset into current period.  */
+  size_t p; /* Intermediate period.  */
+  wchar_t a, b; /* Current comparison bytes.  */
+
+  /* Special case NEEDLE_LEN of 1 or 2 (all callers already filtered
+     out 0-length needles.  */
+  if (needle_len < 3)
+    {
+      *period = 1;
+      return needle_len - 1;
+    }
+
+  /* Invariants:
+     0 <= j < NEEDLE_LEN - 1
+     -1 <= max_suffix{,_rev} < j (treating SIZE_MAX as if it were signed)
+     min(max_suffix, max_suffix_rev) < global period of NEEDLE
+     1 <= p <= global period of NEEDLE
+     p == global period of the substring NEEDLE[max_suffix{,_rev}+1...j]
+     1 <= k <= p
+  */
+
+  /* Perform lexicographic search.  */
+  max_suffix = SIZE_MAX;
+  j = 0;
+  k = p = 1;
+  while (j + k < needle_len)
+    {
+      a = CANON_ELEMENT (needle[j + k]);
+      b = CANON_ELEMENT (needle[max_suffix + k]);
+      if (a < b)
+	{
+	  /* Suffix is smaller, period is entire prefix so far.  */
+	  j += k;
+	  k = 1;
+	  p = j - max_suffix;
+	}
+      else if (a == b)
+	{
+	  /* Advance through repetition of the current period.  */
+	  if (k != p)
+	    ++k;
+	  else
+	    {
+	      j += p;
+	      k = 1;
+	    }
+	}
+      else /* b < a */
+	{
+	  /* Suffix is larger, start over from current location.  */
+	  max_suffix = j++;
+	  k = p = 1;
+	}
+    }
+  *period = p;
+
+  /* Perform reverse lexicographic search.  */
+  max_suffix_rev = SIZE_MAX;
+  j = 0;
+  k = p = 1;
+  while (j + k < needle_len)
+    {
+      a = CANON_ELEMENT (needle[j + k]);
+      b = CANON_ELEMENT (needle[max_suffix_rev + k]);
+      if (b < a)
+	{
+	  /* Suffix is smaller, period is entire prefix so far.  */
+	  j += k;
+	  k = 1;
+	  p = j - max_suffix_rev;
+	}
+      else if (a == b)
+	{
+	  /* Advance through repetition of the current period.  */
+	  if (k != p)
+	    ++k;
+	  else
+	    {
+	      j += p;
+	      k = 1;
+	    }
+	}
+      else /* a < b */
+	{
+	  /* Suffix is larger, start over from current location.  */
+	  max_suffix_rev = j++;
+	  k = p = 1;
+	}
+    }
+
+  /* Choose the shorter suffix.  Return the first character of the right
+     half, rather than the last character of the left half.  */
+  if (max_suffix_rev + 1 < max_suffix + 1)
+    return max_suffix + 1;
+  *period = p;
+  return max_suffix_rev + 1;
+}
+
+/* Return the first location of non-empty NEEDLE within HAYSTACK, or
+   NULL.  HAYSTACK_LEN is the minimum known length of HAYSTACK.
+
+   If AVAILABLE does not modify HAYSTACK_LEN (as in memmem), then at
+   most 2 * HAYSTACK_LEN - NEEDLE_LEN comparisons occur in searching.
+   If AVAILABLE modifies HAYSTACK_LEN (as in strstr), then at most 3 *
+   HAYSTACK_LEN - NEEDLE_LEN comparisons occur in searching.  */
+static inline wchar_t *
+two_way_short_needle (const wchar_t *haystack, size_t haystack_len,
+		      const wchar_t *needle, size_t needle_len)
+{
+  size_t i; /* Index into current character of NEEDLE.  */
+  size_t j; /* Index into current window of HAYSTACK.  */
+  size_t period; /* The period of the right half of needle.  */
+  size_t suffix; /* The index of the right half of needle.  */
+
+  /* Factor the needle into two halves, such that the left half is
+     smaller than the global period, and the right half is
+     periodic (with a period as large as NEEDLE_LEN - suffix).  */
+  suffix = critical_factorization (needle, needle_len, &period);
+
+  /* Perform the search.  Each iteration compares the right half
+     first.  */
+  if (CMP_FUNC (needle, needle + period, suffix) == 0)
+    {
+      /* Entire needle is periodic; a mismatch can only advance by the
+	 period, so use memory to avoid rescanning known occurrences
+	 of the period.  */
+      size_t memory = 0;
+      j = 0;
+      while (AVAILABLE (haystack, haystack_len, j, needle_len))
+	{
+	  const wchar_t *pneedle;
+	  const wchar_t *phaystack;
+
+	  /* Scan for matches in right half.  */
+	  i = MAX (suffix, memory);
+	  pneedle = &needle[i];
+	  phaystack = &haystack[i + j];
+	  while (i < needle_len && (CANON_ELEMENT (*pneedle++)
+				    == CANON_ELEMENT (*phaystack++)))
+	    ++i;
+	  if (needle_len <= i)
+	    {
+	      /* Scan for matches in left half.  */
+	      i = suffix - 1;
+	      pneedle = &needle[i];
+	      phaystack = &haystack[i + j];
+	      while (memory < i + 1 && (CANON_ELEMENT (*pneedle--)
+					== CANON_ELEMENT (*phaystack--)))
+		--i;
+	      if (i + 1 < memory + 1)
+		return (wchar_t *) (haystack + j);
+	      /* No match, so remember how many repetitions of period
+		 on the right half were scanned.  */
+	      j += period;
+	      memory = needle_len - period;
+	    }
+	  else
+	    {
+	      j += i - suffix + 1;
+	      memory = 0;
+	    }
+	}
+    }
+  else
+    {
+      const wchar_t *phaystack;
+      /* The comparison always starts from needle[suffix], so cache it
+	 and use an optimized first-character loop.  */
+      wchar_t needle_suffix = CANON_ELEMENT (needle[suffix]);
+
+      /* The two halves of needle are distinct; no extra memory is
+	 required, and any mismatch results in a maximal shift.  */
+      period = MAX (suffix, needle_len - suffix) + 1;
+      j = 0;
+      while (AVAILABLE (haystack, haystack_len, j, needle_len))
+	{
+	  wchar_t haystack_char;
+	  const wchar_t *pneedle;
+
+	  phaystack = &haystack[suffix + j];
+
+	  while (needle_suffix
+	      != (haystack_char = CANON_ELEMENT (*phaystack++)))
+	    {
+	      ++j;
+	      if (!AVAILABLE (haystack, haystack_len, j, needle_len))
+		goto ret0;
+	    }
+
+	  /* Scan for matches in right half.  */
+	  i = suffix + 1;
+	  pneedle = &needle[i];
+	  while (i < needle_len)
+	    {
+	      if (CANON_ELEMENT (*pneedle++)
+		  != (haystack_char = CANON_ELEMENT (*phaystack++)))
+		break;
+	      ++i;
+	    }
+	  if (needle_len <= i)
+	    {
+	      /* Scan for matches in left half.  */
+	      i = suffix - 1;
+	      pneedle = &needle[i];
+	      phaystack = &haystack[i + j];
+	      while (i != SIZE_MAX)
+		{
+		  if (CANON_ELEMENT (*pneedle--)
+		      != (haystack_char = CANON_ELEMENT (*phaystack--)))
+		    break;
+		  --i;
+		}
+	      if (i == SIZE_MAX)
+		return (wchar_t *) (haystack + j);
+	      j += period;
+	    }
+	  else
+	    j += i - suffix + 1;
+	}
+    }
+ret0: __attribute__ ((unused))
+  return NULL;
+}
+
+#undef AVAILABLE
+#undef CANON_ELEMENT
+#undef CMP_FUNC
diff --git a/wcsmbs/wcsstr.c b/wcsmbs/wcsstr.c
index b49630c1cf..b8485725c4 100644
--- a/wcsmbs/wcsstr.c
+++ b/wcsmbs/wcsstr.c
@@ -1,4 +1,5 @@
-/* Copyright (C) 1995-2024 Free Software Foundation, Inc.
+/* Locate a substring in a wide-character string.
+   Copyright (C) 1995-2024 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
    The GNU C Library is free software; you can redistribute it and/or
@@ -15,18 +16,14 @@
    License along with the GNU C Library; if not, see
    <https://www.gnu.org/licenses/>.  */
 
-/*
- * The original strstr() file contains the following comment:
- *
- * My personal strstr() implementation that beats most other algorithms.
- * Until someone tells me otherwise, I assume that this is the
- * fastest implementation of strstr() in C.
- * I deliberately chose not to comment it.  You should have at least
- * as much fun trying to understand it, as I had to write it :-).
- *
- * Stephen R. van den Berg, berg@pool.informatik.rwth-aachen.de */
-
 #include <wchar.h>
+#include <string.h>
+
+#define AVAILABLE(h, h_l, j, n_l)					\
+  (((j) + (n_l) <= (h_l))						\
+   || ((h_l) += __wcsnlen ((void*)((h) + (h_l)), (n_l) + 128),		\
+       (j) + (n_l) <= (h_l)))
+#include "wcs-two-way.h"
 
 #ifndef WCSSTR
 # define WCSSTR wcsstr
@@ -35,66 +32,20 @@
 wchar_t *
 WCSSTR (const wchar_t *haystack, const wchar_t *needle)
 {
-  wchar_t b, c;
-
-  if ((b = *needle) != L'\0')
-    {
-      haystack--;				/* possible ANSI violation */
-      do
-	if ((c = *++haystack) == L'\0')
-	  goto ret0;
-      while (c != b);
-
-      if (!(c = *++needle))
-	goto foundneedle;
-      ++needle;
-      goto jin;
-
-      for (;;)
-	{
-	  wchar_t a;
-	  const wchar_t *rhaystack, *rneedle;
-
-	  do
-	    {
-	      if (!(a = *++haystack))
-		goto ret0;
-	      if (a == b)
-		break;
-	      if ((a = *++haystack) == L'\0')
-		goto ret0;
-shloop:	      ;
-	    }
-	  while (a != b);
-
-jin:	  if (!(a = *++haystack))
-	    goto ret0;
-
-	  if (a != c)
-	    goto shloop;
-
-	  if (*(rhaystack = haystack-- + 1) == (a = *(rneedle = needle)))
-	    do
-	      {
-		if (a == L'\0')
-		  goto foundneedle;
-		if (*++rhaystack != (a = *++needle))
-		  break;
-		if (a == L'\0')
-		  goto foundneedle;
-	      }
-	    while (*++rhaystack == (a = *++needle));
-
-	  needle = rneedle;		  /* took the register-poor approach */
-
-	  if (a == L'\0')
-	    break;
-	}
-    }
-foundneedle:
-  return (wchar_t*) haystack;
-ret0:
-  return NULL;
+  /* Ensure haystack length is at least as long as needle length.
+     Since a match may occur early on in a huge haystack, use strnlen
+     and read ahead a few cachelines for improved performance.  */
+  size_t ne_len = __wcslen (needle);
+  size_t hs_len = __wcsnlen (haystack, ne_len | 128);
+  if (hs_len < ne_len)
+    return NULL;
+
+  /* Check whether we have a match.  This improves performance since we
+     avoid initialization overheads.  */
+  if (__wmemcmp (haystack, needle, ne_len) == 0)
+    return (wchar_t *) haystack;
+
+  return two_way_short_needle (haystack, hs_len, needle, ne_len);
 }
 /* This alias is for backward compatibility with drafts of the ISO C
    standard.  Unfortunately the Unix(TM) standard requires this name.  */