Finding all regex matches has always been O(n²)
200 points by lalitmaganti 5 days ago | 49 comments
  • adzm 12 hours ago |
    Is there any reason that RE#'s two-pass approach couldn't be adopted by other regex engines?

    Ah, there is a post with more detail about RE# and discussion here recently that I must have missed: https://news.ycombinator.com/item?id=47206647

    • ieviev 12 hours ago |
      The part that makes it difficult is that it doesn't return the same matches, it returns almost the same matches but not exactly.

      But if PCRE semantics isn't set in stone then i hope leftmost longest could be the default some day. There's a lot of nice things you get for free with the two pass approach

  • zahlman 12 hours ago |
    > search a document for a pattern and it takes a second. search one a hundred times larger and it doesn't take a hundred seconds - it can take almost three hours.

    Most of this is about quadratic time find-all operations where a search operation is linear. But it's also still possible to get quadratic behaviour out of a single search without catastrophic backtracking, more easily than you might expect. In late January to early February, Tim Peters was talking about an example of this on the Python forums (see e.g. https://discuss.python.org/t/add-re-prefixmatch-deprecate-re...) and also related the experience of trying to diagnose the issue with AI (see https://discuss.python.org/t/claude-code-how-much-hype-how-m... and onward). Peters' example was:

      \d+\s+
    on a string containing only digits, a prefix match takes O(n) time as it considers every possible end position for the digit, and immediately sees no following whitespace. But the search is quadratic because it has to repeat that O(n) work at every position; the regex engine can't track the fact that it's already examined the string and found no whitespace, so it re-tries each digit match length.

    (This is arguably "backtracking" since it tries the longest match first, but clearly not in a catastrophic way; if you use `\d+?` instead then of course it only searches forward but is still O(n). It actually is slower in my testing in the Python implementation; I don't exactly know why. As noted in the discussion, the possessive quantifier `\d++` is considerably faster, and of course doesn't backtrack, but still causes O(n^2) searching. The repeated attempts to match `\s+` aren't the problem; the problem is repeatedly looking for digits in places where digits were already found and rejected.)

    The way to fix this proposed in the discussion is to use a negative lookbehind assertion before the digits: `(?<!\d)\d+\s+`. This way, the regex engine can bail out early when it's in the middle of a digit string; if the previous character was a digit, then either `\d+\s+` doesn't match here, or it would have matched there.

    A simpler idea is to just search for `\d\s+`, or even `\d\s` — since these will be present if and only if `\d+\s+` is. This way, though, you still need to do extra work with the partial match to identify the start and end of the full match. My first idea was to use positive lookbehind for the digits, since the lookbehind match doesn't need to backtrack. In fact lookbehinds require a fixed-length pattern, so this is really just a more complicated way to do the `\d\s+` simplification.

    ----

    > Hyperscan (and its fork Vectorscan) is a true linear-time all-matches regex engine. it achieves this by using "earliest match" semantics - reporting a match the moment the DFA enters a match state, instead of continuing to find the longest one.

    Is this not just equivalent to forcing "reluctant" quantifiers (`\d+?`) everywhere?

    • Izkata 12 hours ago |
      If there's supposed to be a literal asterisk in there somewhere, you can escape it with a backslash. Right now two paragraphs are italic because of mismatched asterisks.
      • zahlman 11 hours ago |
        Thanks. There are no asterisks in the regexes; I had simply missed the closing asterisk on some intentional emphasis. (And then I also had to fix some escaping inserted by the system to try to correct for the actual problem.)
    • MoonZ 12 hours ago |
      > In fact lookbehinds require a fixed-length pattern

      Just a small note: some regex engines support "variable length lookbehind", check the last column on this wikipedia article : https://en.wikipedia.org/wiki/Comparison_of_regular_expressi...

      • zahlman 11 hours ago |
        Good to know. Although a lookbehind for `\d+` doesn't really gain anything over a lookbehind for `\d` anyway; they match in the same circumstances, just with different results.
    • ieviev 11 hours ago |
      with all-matches semantics it returns a significantly higher number of matches than leftmost greedy.

      eg. /abc*/ and abccccc will return you matches at ab|c|c|c|c|c|

      I think it's very common and ok that people reason about other engines in terms of backtracking but it works very differently. And fixed length lookbehinds are more of a Java/Python thing, other engines support all lookbehinds.

      The main idea of linear regex and intuitive semantics is that it should be declarative and the engine does whatever is the fastest without you having to worry about it. Instead of describing character by character how to perform the search and where it can blow up, think of it as just a specification. Then you can truly express whatever is the shortest/most convenient to explain.

      Something i'm still trying to figure out and perhaps failing to understand is what are the killer features of backtracking regex that you would really miss if you were to use linear regex? It would help me a lot to know, i'm trying to convince others to make the switch

    • mjmas 3 hours ago |
      > the search is quadratic because it has to repeat that O(n) work at every position

      The problem is that this is one of the regexes that backtracking engines have a bad time with.

      With a NFA implementation it can be done in O(regexlen * haystacklen) time, though that only holds for true regular expressions (no backreferences).

      https://swtch.com/~rsc/regexp/regexp1.html

      And then for re.search, since the NFA wants to just do it once, it should run it with the pattern as

        ^.*?(\d+\s+).*$
      (where *? is a non-greedy repeat)
  • nine_k 11 hours ago |
    > nearly everything that matters in practice: where the matches are, how long they are, and how many there are

    I would say that regexes that matter in practice, e.g. when digging through logs, have clear boundaries that curb the pathological backtracking behavior. In particular, I find it difficult to imagine a practical need to find all matches of an expression like /.*a|b/, as shown in the article. Realistically you'd have to handle /\b.*a|b\b/, or similar, because realistically when you need all matches, you don't want intersecting matches. This means you want to proceed past the end of the n-th match to look for n+1-th match, and never want to use indeterminate prefixes like /.*a/.

    This OTOH gives a reasonably useful heuristic if your regexp comes from an untrusted source and could be adversarial. Check that it does not start with a prefix with a Kleene star, like /a*/. Require at least one positive match (in each alternate branch). Of course, /a+b|c/ would still be quadratic if your text is long sequences of "a" interspersed with characters other than "b". But this, again, is more of a theoretical case, to my mind.

    • ieviev 11 hours ago |
      > I would say that regexes that matter in practice, e.g. when digging through logs, have clear boundaries that curb the pathological backtracking behavior

      I agree with you in the sense that most practical regexes do not expose this quadratic blowup (from all matches) but i do not think the same about backtracking. The effect of backtracking is immediately clear when you're searching inside text without a clear anchor like \A or ^ or a very rare string prefix. It is much more visible with either larger patterns or larger character classes like unicode

    • hrmtst93837 27 minutes ago |
      That only works when you control both the pattern and the shape of the input. Once you accept user regexes or start scanning big log dumps without tight boundaries the weird cases stop being weird.

      Greedy globs plus unanchored branches can turn a boring batch job into a CPU bonfire, and defensive limits seems a lot less optional when one dumb pattern can pin a core for minutes. A timeout or a restricted regex subset is usually cheaper than pretending everybody writes sane patterns.

  • 10000truths 11 hours ago |
    Restricting regex features to guarantee time complexity works, but it requires sacrificing potentially useful features like backtracking (or in the article's case, constraining oneself to fixed-upper-bound-length needles).

    In a real-world deployment where you want to run any arbitrary regex in an idiot/malice-proof manner, the best solution is the same solution you'd use for running any other kind of untrusted code - sandbox it! A good regex API should limit its execution time and memory consumption and return a timeout error in case those limits are exceeded. Ideally, those parameters would be configurable at the API level. Unfortunately, the only regex libraries I know of that get this right are .NET's standard library Regex API and the third-party regex package in Python.

    • ieviev 9 hours ago |
      > constraining oneself to fixed-upper-bound-length needles

      wait! you haven't reached the important part of the post yet

  • thaumasiotes 11 hours ago |
    > the problem we're talking about in this post (finding all longest matches without quadratic blowup)

    Wait, what? I thought this was about finding all matches. With a minor tweak to the opening example:

    We want to match `(.*a | b)` against `bbbbbabbbbb`.

    I want to detect each `b` individually, and I also want to detect `bbbbba`, `bbbba`, `bbba`, `bba`, `ba`, and `a`. That's what it means to find all matches.

    • ieviev 10 hours ago |
      Good catch! I changed this to leftmost-longest nonoverlapping matches so it's not misleading
  • gpvos 10 hours ago |
    I find it weird to have the Perl innovation (?:...) be called "traditional regex". Perl was rather innovative back then, even if it's more than 30 years ago now. Traditional regex is what came before it (grep -E being the most advanced form). I wonder what counts as nontraditional in the author's eyes.
    • leoc 10 hours ago |
      In my head a regex-like thing of Perl origin is known as a 'perlex'.
      • MathMonkeyMan 6 hours ago |
        can call it PCRE now
    • ieviev 10 hours ago |
      Haha, you're right about that. I was looking for another word for "default"
    • coldtea 32 minutes ago |
      >even if it's more than 30 years ago now.

      Here's your answer.

      >Traditional regex is what came before it

      No, that's "ancient regex".

  • conartist6 9 hours ago |
    @ievev Have you ever seen an implementation like @bablr/regex? https://github.com/bablr-lang/regex-vm It's an NFA system so it isn't going to be winning any awards for throughput, but in this particular case it does seem to completely avoid the complexity blowup. It will run your heap out of memory though on really big inputs.

    The strategy this engine uses is just to evolve the state as a function of time. A match can be successfully completed, yet not be emitted because some other longer match could still supercede it by being longer or more leftmost.

    I tried the pattern /d+s+/g on 10,000,000 digits followed by no space. It took 4 seconds to return no results. I tried it on 20,000,000 digits followed by no space. It took 8 seconds to return no results. I tried on 100,000,000 and I ran out of heap space.

    Test setup: https://gist.github.com/conartist6/051838025af1e04d966e03aa9...

    • ieviev 9 hours ago |
      I have not heard of this before, i will have a look!
    • tzs 7 hours ago |
      Do any RE implementations do anything like the query planning that databases do or the rewrites that compilers do that can replace the RE with a different sequence of REs or string searches that might execute faster?

      For example in the expression in your example (I'm assuming based on your description of the test data that /d+s+/ means the same as /\d+\s+/ in the RE engines I've used) any match must contain a digit followed by a space.

      A scan for all places where a digit is followed by whitespace with each such place then being checked to find the length of the string of whitespace starting there and the length of the string of digits ending there should be linear time and constant heap space.

      • conartist6 6 hours ago |
        You're correct, I accidentally omitted backslashes on \d and \s. I checked and the pattern was correct during the test.
    • hyperpape 6 hours ago |
      Returning no results is going to be linear in any DFA or NFA based implementation, though. You go character by character, and confirm that there are no matches.

      It's only when you return multiple matches that the engines have a problem and become superlinear.

  • nitely 9 hours ago |
    FWIW, nim-regex does achieve linear time in the rebar test[0], even if the regex includes capture groups. It's NFA based.

    [0]: https://github.com/BurntSushi/rebar/pull/20#issuecomment-256...

    • ieviev 8 hours ago |
      Oh that is interesting! I haven't even looked Nim regex until now, is it similar to the approach in Go?
      • nitely 7 hours ago |
        It's similar to RE2, but it lacks the on the fly DFA, ie: it's just the classic Thompson's NFA with some tweaks. It does not implement find all the same way, though.
  • babelfish 8 hours ago |
    Cursor just wrote a great blog post on this - "Fast regex search: indexing text for agent tools" https://cursor.com/blog/fast-regex-search
  • ummonk 7 hours ago |
    Great stuff.

    I would argue that hardened mode should be default though, similar to how siphash is the default hashing function in Rust hash maps. Faster mode should be opt in if the user is confident that the supplied data is nonmalicious and they need the speed up.

    • ieviev 7 hours ago |
      I’m still open to it and thinking about it actually. I will explore if it’s possible to eliminate the large losses on common patterns and if it turns out it is then it’s a no brainer.

      Going forward this and the extended operators + large pattern perf will hopefully be a strong selling point to gain more traction

  • mjmas 3 hours ago |
    > no capture groups > [...] > no lazy quantifiers - .*?

    Here's the caveats.

    And so running a regex engine on the matches seems like it would get you back to O(regexlen * haystacklen * matchcount) or roughly O(mn²) again.

  • hawtads 30 minutes ago |
    The original Kleene Star Regex was invented to model neural networks. Have you tried throwing a transformer at the problem /s? Also O(n²) but at least you get hardware acceleration ¯\(ツ)/¯

    Here's Kleene's Representation of Events in Nerve Nets and Finite Automata:

    https://www.rand.org/content/dam/rand/pubs/research_memorand...

  • p0w3n3d 20 minutes ago |
    I always thought that finite automata can go with O(n) through the string, with some perks like multistate (i.e. when finding [ab](b)+a in abba you get first state at character 1 and second first state at the 2nd character. Although I understand that regex syntax can be complicated and you can do really O(n^2) in it, but maybe the easier regex could be compiled the easier way...