How to Kill Java with a Regular Expression

We recently stumbled upon a phenomen we absolutely weren't aware of: You can kill any Java IDE and also any Java process with a simple regular expression ...

Back in university, I was taught that regular expressions, which are called regular grammars or type 3 grammars, always end up in a finite state automaton and can therefore be processed in linear time (input length doubles, processing time doubles). However, that's only true for "sane" expressions. A regular expression can also result in an non-deterministic finite state automaton and things can get messed up quite badly.

Consider the expression (0*)*A. This is any number of zeros, followed by an upper case A. Now, if you use Matcher.find() for this expression, everything is fine as long as there is a match in the input. However, if you call this with "00000000000000000000" as input, your program will hang (and so will the regex console in Eclipse or IntelliJ and every Java-based online regex service).

What at first glance looks like an infinite loop turns out to be catastrophic backtracking. What this basically means is that the matcher detects that no A was found at the end of the input. Now the outer quantifier goes one step back, the inner one forward, and again, no result. Therefore, the matcher goes back step by step and tries all combinations to find a match. It will eventually return (without a match), but the complexity (and therefore the runtime) of this is exponential (adding one character to the input doubles the runtime). A detailed description can be found in this article on catastrophic backtracking.

Here are some runtimes I measured (which almost exactly double for each character added):

0000000000: 0.1ms
00000000000: 0.2ms
000000000000: 0.7ms
0000000000000: 1.3ms
00000000000000: 1.7ms
000000000000000: 3.5ms
0000000000000000: 7.2ms
00000000000000000: 13.9ms
000000000000000000: 27.5ms
0000000000000000000: 55.5ms
00000000000000000000: 113.0ms
000000000000000000000: 226.4ms
0000000000000000000000: 439.1ms
00000000000000000000000: 886.0ms

As a little side-note: For micro benchmarks like this, you always need to "warm" up the JVM, as the HotSpot JIT will jump in at some point and optimize the code. Therefore, the first run looks like this:

0000000000: 6.8ms
00000000000: 11.8ms
000000000000: 25.5ms
0000000000000: 39.5ms
00000000000000: 6.3ms  <- JIT jumped in and started to translate
000000000000000: 5.4ms  to native code.
0000000000000000: 7.1ms
00000000000000000: 14.2ms
000000000000000000: 26.8ms
0000000000000000000: 54.4ms
00000000000000000000: 109.6ms
000000000000000000000: 222.1ms
0000000000000000000000: 439.2ms
00000000000000000000000: 885.6ms

So, what's the take-away here? If you're running a server application or anything critical used by many users, don't let them enter regular expressions unless you really trust them. There are regex implementations that detect this problem and abort, but Java (up to JDK 8) doesn't.

Note: You can test this with your local IDE or a small Java program to your heart's content, but please don't start to knock out all the regex tester websites out there. Those guys provide a nice tool free of charge, so it would be quite unfair.

Here is the tiny benchmark I used:

public class Test {
  public static void main(String[] args) {
    for (int runs = 0; runs < 2; runs++) {
      Pattern pattern = Pattern.compile("(0*)*A");
      // Run from 5 to 25 characters
      for (int length = 5; length < 25; length++) {
        // Build input of specified length
  	String input = "";
  	for (int i = 0; i < length; i++) { input += "0"; }
          // Measure the average duration of two calls... 
  	  long start = System.nanoTime();
 	  for (int i = 0; i < 2; i++) {
	    pattern.matcher(input).find();
          }
          System.out.println(input + ": " 
            + ((System.nanoTime() - start) / 2000000d) 
            + "ms");
        }
      }
    }
  }
}