
austinderek

Dragonbox is a faster ftoa algorithm that provides the same guarantees
as Ryu: round-trip conversion, shortest length, and correct rounding.
The author of the reference implementation has agreed to distribute
this file under Go's BSD-style license.

The new implementation has been fuzz-tested against the current
Ryu implementation in addition to the existing test suite.
Benchmarks show at least ~15-20% performance improvement.
Benchmarks and fuzz-testing code are available at:
https://github.com/taichimaeda/dragonbox-bench/

Dragonbox only supports shortest-precision conversion, so we continue to
use Ryu-printf for fixed precision.

Fixes golang#74886


🔄 This is a mirror of upstream PR golang#75195
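
An added example, not part of the PR or of the Go source tree: a property check for the round-trip and shortest-length guarantees the description names, written against the public `strconv` API only. The function names `checkShortest` and `countViolations` are hypothetical, and the random inputs are constructed with a fixed seed.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
	"strconv"
	"strings"
)

// checkShortest tests the shortest formatting of f: it must parse back to the
// same bits, and the correctly rounded form with one digit fewer must not.
func checkShortest(f float64) error {
	bits := math.Float64bits(f)
	s := strconv.FormatFloat(f, 'e', -1, 64)
	back, err := strconv.ParseFloat(s, 64)
	if err != nil || math.Float64bits(back) != bits {
		return fmt.Errorf("%#016x: %q does not round-trip", bits, s)
	}
	mant := strings.TrimPrefix(s[:strings.IndexByte(s, 'e')], "-")
	n := len(strings.Replace(mant, ".", "", 1)) // significant digits emitted
	if n > 1 {
		// 'e' with precision n-2 yields n-1 significant digits, correctly rounded.
		short := strconv.FormatFloat(f, 'e', n-2, 64)
		if b, _ := strconv.ParseFloat(short, 64); math.Float64bits(b) == bits {
			return fmt.Errorf("%#016x: %q is not shortest, %q round-trips", bits, s, short)
		}
	}
	return nil
}

// countViolations checks n pseudo-random bit patterns; NaN and Inf are skipped.
func countViolations(seed int64, n int) int {
	r := rand.New(rand.NewSource(seed))
	bad := 0
	for i := 0; i < n; i++ {
		f := math.Float64frombits(r.Uint64())
		if !math.IsNaN(f) && !math.IsInf(f, 0) && checkShortest(f) != nil {
			bad++
		}
	}
	return bad
}

func main() {
	fmt.Println("violations:", countViolations(1, 100000))
}
```

The one-digit-fewer comparison goes through fixed-precision formatting, which the description says stays on Ryu-printf, so it serves as an oracle independent of the shortest-path code.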

@austinderek austinderek force-pushed the master branch 2 times, most recently from d50240b to 8bcda6c Compare August 30, 2025 09:01
@austinderek austinderek force-pushed the master branch 22 times, most recently from d50240b to 8bcda6c Compare August 30, 2025 20:01
@austinderek austinderek force-pushed the master branch 4 times, most recently from 6a08e80 to 70b640f Compare August 31, 2025 14:02
@austinderek austinderek force-pushed the master branch 2 times, most recently from 29d43df to 08ee556 Compare October 22, 2025 14:04

staging bot commented Oct 22, 2025

PullRequest network review has been cancelled

You can reactivate the code review job from the PullRequest dashboard - or - by adding [pr] to the title of this code review.


staging bot commented Oct 22, 2025

HackerOne Code Security Review

🟢 Scan Complete: 3 Issue(s)

Here's how the code changes were interpreted and info about the tools used for scanning.

📖 Summary of Changes

The changes involve updating the floating-point to string conversion algorithm in the strconv package. The Ryu algorithm has been replaced with the Dragonbox algorithm for generating the shortest floating-point representation. A new `denorm` flag was added to the `genericFtoa` function to handle denormalized numbers. The `ftoaryu.go` file remains unchanged.

| File | Summary |
| --- | --- |
| src/strconv/ftoa.go | The primary change is replacing the Ryu algorithm with the Dragonbox algorithm for the shortest floating-point representation, and adding a new denorm flag to handle denormalized numbers in the genericFtoa function. |
| src/strconv/ftoaryu.go | No changes were made to the file. The content of the old and new versions are identical. |

ℹ️ Issues Detected

NOTE: These may not require action!

Below are unvalidated results from the Analysis Tools that ran during the latest scan for transparency. We investigate each of these for accuracy and relevance before surfacing them as a potential problem.

How will I know if something is a problem?
When validation completes, any concerns that warrant attention prior to merge will be posted as inline comments. These will show up in 2 ways:

  • Expert review (most cases): Issues will be posted by experts who manually reviewed and validated them. These are real HackerOne engineers (not bots) reviewing through an integrated IDE-like tool. You can communicate with them like any other reviewer. They'll stay assigned and get notified with commit & comment updates.
  • Automatically: In cases where our validation checks have highest confidence the problem is legitimate and urgent. These will include a description of contextual reasoning why & actionable next steps.

| File & Line | Issue |
| --- | --- |
| src/strconv/ftoaryu.go Line 226 | No security vulnerabilities were introduced by the changes. The changes involve removing the ryuFtoaShortest function and related code, which is a refactoring or feature change rather than a security issue. The remaining code handles floating-point to string conversion using the Ryū algorithm and doesn't introduce any new security concerns. |
| src/strconv/dragonbox.go Line 29 | This file implements the Dragonbox algorithm for floating-point to string conversion. After reviewing the code, I don't see any security vulnerabilities introduced by the changes. The code performs mathematical operations for precise floating-point conversion without any input validation issues, memory safety concerns, or other security problems. The implementation appears to be a pure computational algorithm with no external inputs or security-sensitive operations. |
| src/strconv/ftoa.go Line 123 | The code changes from using the Ryu algorithm to the Dragonbox algorithm for floating point to string conversion. While this is likely a performance or accuracy improvement, the change itself doesn't introduce security vulnerabilities. The code properly handles the new 'denorm' flag that was added to track denormalized floating point values. |

🧰 Analysis tools

⏱️ Latest scan covered changes up to commit 3e0e6c9 (latest)

@austinderek austinderek force-pushed the master branch 26 times, most recently from d94a8c5 to 5bf50a0 Compare October 23, 2025 03:17