This is the regular expression that caused all Cloudflare servers to use 100% CPU and thereby cause a 27-minute outage:
The last part of the regex is odd:(?:(?:\"|'|\]|\}|\\|\d|(?:nan|infinity|true|false|null|undefined|symbo +l|math)|\`|\-|\+)+[)]*;?((?:\s|-|~|!|{}|\|\||\+)*.*(?:.*=.*)))
The last grouping does not do anything useful: it is not followed by a quantifier, nor does it capture. It can be simplified to.*(?:.*=.*)
or to some variation thereof. But this is not how the regex discussion ends in the blog post:.*=.*
But laziness isn’t the total solution to this backtracking behaviour. Changing the catastrophic example .*.*=.*; to .*?.*?=.*?; doesn’t change its run time at all. x=x still takes 555 steps and x= followed by 20 x’s still takes 5,353 steps.I am guessing this is politically driven: Some people at Cloudflare want to use Rust and this snafu is a convenient excuse.The only real solution, short of fully re-writing the pattern to be more specific, is to move away from a regular expression engine with this backtracking mechanism. Which we are doing within the next few weeks.
Another angle to consider is that of personnel. The postmortem does not dwell on the fact that this regular expression made it through review. Meaning that not only the person who wrote the regular expression was unaware of the backtracking potential of the above, but neither did the reviewer.
|
---|
Replies are listed 'Best First'. | |
---|---|
Re: Cloudflare blames PCRE for outage
by Tanktalus (Canon) on Jul 16, 2019 at 01:07 UTC | |
by LanX (Saint) on Dec 03, 2019 at 16:34 UTC | |
Re: Cloudflare blames PCRE for outage
by trippledubs (Deacon) on Jul 16, 2019 at 02:23 UTC | |
Re: Cloudflare blames PCRE for outage
by Anonymous Monk on Jul 16, 2019 at 07:06 UTC |
Back to
Perl News