contract: checked_add overflow guard in verify_layout + MD040 fix

claude · claude · commit 4e537c7436f8 · 2026-06-07T13:16:09.000Z
Two CodeRabbit fixes for PR #477: 1. soa_envelope.rs — checked_add overflow guard (Major finding) verify_layout() now computes every column's byte-range end via checked_add rather than raw usize addition. On 32-bit targets (wasm32), row_offset (u32 ≤ 4.29e9) + col_bytes can exceed usize::MAX and wrap to a small value that would silently pass the `a_end > stride` check. The new closure returns ColumnOutOfBounds on overflow, covering both positional overflow and wasm32-wrap in one code path. 2. soa-three-tier-model.md — add `text` language tag (MD040) The layout table code fence was untagged. Added `text` to satisfy the no-language-specified lint. The CodeRabbit "critical" finding about MailboxSoaSnapshot violating zero-dep is NOT fixed here — that finding is architecturally incorrect. ndarray IS a declared dependency per workspace policy; the plan is correct as-is. https://claude.ai/code/session_0147hSzjmWZDuy2MSQNrhEK5
diff --git a/crates/lance-graph-contract/src/soa_envelope.rs b/crates/lance-graph-contract/src/soa_envelope.rs
@@ -194,8 +194,23 @@ pub trait SoaEnvelope {
         let cols = self.columns();
         let mut summed = 0usize;
         let stride = self.row_stride();
+        // `row_offset as usize + col_bytes` can wrap on 32-bit targets (wasm32):
+        // row_offset is u32 (≤ 4.29e9) and col_bytes can reach 8 × 65535, so the
+        // sum can exceed usize::MAX on a 32-bit usize and wrap to a small value
+        // that would slip past the `a_end > stride` check. Compute every end with
+        // checked_add and reject overflow as ColumnOutOfBounds.
+        let checked_end = |c: &ColumnDescriptor| -> Result<usize, EnvelopeError> {
+            (c.row_offset as usize)
+                .checked_add(c.col_bytes_per_row())
+                .ok_or(EnvelopeError::ColumnOutOfBounds {
+                    col: c.name_id,
+                    col_end: usize::MAX,
+                    stride,
+                })
+        };
         for (i, a) in cols.iter().enumerate() {
-            let (a_start, a_end) = a.row_byte_range();
+            let a_start = a.row_offset as usize;
+            let a_end = checked_end(a)?;
             summed += a.col_bytes_per_row();
             if a_end > stride {
                 return Err(EnvelopeError::ColumnOutOfBounds {
@@ -205,7 +220,8 @@ pub trait SoaEnvelope {
                 });
             }
             for b in &cols[i + 1..] {
-                let (b_start, b_end) = b.row_byte_range();
+                let b_start = b.row_offset as usize;
+                let b_end = checked_end(b)?;
                 let overlap = a_start < b_end && b_start < a_end;
                 if overlap {
                     return Err(EnvelopeError::ColumnOverlap {
diff --git a/docs/architecture/soa-three-tier-model.md b/docs/architecture/soa-three-tier-model.md
@@ -187,7 +187,7 @@ The row is a register bank.
 
 **Current / transitional layout** (target state removes `entity_type[N]` — see §3.2):
 
-```
+```text
   Byte offset   Width    Column               LE kind
   ──────────    ─────    ──────               ───────
   0             4·N      energy[N]            f32 × N
