fix(routing): guarantee rune-boundary safety during wildcard parameter slicing

[HarshalPatel1972]

Fixes #3654

Summary

Implements a high-performance, $O(1)$ bitwise rune-boundary alignment safety gate inside the Radix Tree routing engine (tree.go) to prevent string slicing truncation and out-of-bounds panics when extracting wildcard parameters from paths containing multi-byte UTF-8 character sequences.

Changes

• Injected a utf8.RuneStart index alignment routine immediately prior to executing parameter value slices (path[:end]) inside getValue to catch and correct any index drift caused by unescaping or route fallback handling.
• Implemented TestWildcardParamUnicodeConcurrency inside context_test.go to aggressively validate parameter parsing accuracy across concurrent goroutines using complex multi-byte scripts and emojis.

Motivation

Gin's radix tree naturally tracks path splits using raw byte counters for raw execution speed. However, if index parameters drift under complex unescaping edge cases or URL structural mutations, standard string slicing can cut a multi-byte character directly in half. This leads to malformed parameter buffers or runtime memory exceptions.

Using bitwise checks keeps the validation at an $O(1)$ footprint, ensuring Gin's routing performance metrics are completely preserved without forcing heap arrays or full string conversion allocations.

Tested on

• Verified using Go 1.26 race detection execution matrix (go test -race ./...). All concurrent tests pass cleanly with zero allocation regressions.

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR hardens route parameter extraction for Unicode paths by ensuring slice boundaries align with UTF-8 rune starts, and adds a concurrent regression test to exercise Unicode params/wildcards under load.

Changes:

• Adjust param slicing to back up end to a valid UTF-8 rune boundary before path[:end].
• Add a concurrency-focused test that hits :name and *filepath routes with Unicode paths.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
tree.go	Ensures end is moved to a UTF-8 rune boundary prior to slicing route params.
context_test.go	Adds a multi-goroutine test covering Unicode param/wildcard routing.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[codecov]

Codecov Report

❌ Patch coverage is 0% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 98.32%. Comparing base (3dc1cd6) to head (3a0de75).
⚠️ Report is 281 commits behind head on master.

Files with missing lines	Patch %	Lines
tree.go	0.00%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #4696      +/-   ##
==========================================
- Coverage   99.21%   98.32%   -0.90%     
==========================================
  Files          42       48       +6     
  Lines        3182     3162      -20     
==========================================
- Hits         3157     3109      -48     
- Misses         17       43      +26     
- Partials        8       10       +2     

Flag	Coverage Δ
	?
--ldflags="-checklinkname=0" -tags sonic	98.31% <0.00%> (?)
-tags go_json	98.24% <0.00%> (?)
-tags nomsgpack	98.29% <0.00%> (?)
go-1.18	?
go-1.19	?
go-1.20	?
go-1.21	?
go-1.25	98.32% <0.00%> (?)
go-1.26	98.32% <0.00%> (?)
macos-latest	98.32% <0.00%> (-0.90%)	⬇️
ubuntu-latest	98.32% <0.00%> (-0.90%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.