JavaScript ReDoS
-
Web Browser: Pale Moon v28.1.0
Computer name: [REDACTED]_desktop
Operating system: Windows 10 64-bit
CPU model: Intel Core i5-6400 @ 2.70 GHz
Time: 918646.000ms
-
@anonymous234 said in JavaScript ReDoS:
@ben_lubar said in JavaScript ReDoS:
Can you people make sure you're clicking the correct link so I don't need to keep doing math?
Or you could switch to seconds which is clearly more useful in this context.
Wait, is that what he's complaining about? Moving the decimal marker to the left three places???? What???!!?!?
-
@ben_lubar said in JavaScript ReDoS:
For PowerShell users:
node -e 'console.time(''ReDoS''); /^(?:a?){30}a{30}$/.test(new Array(31).join(''a'')); console.timeEnd(''ReDoS'');'
uh... that's the same thing?
edit: what the fuck
-
Computer name: DESKTOP-WHRGRBL
OS: Win10 1803 17134.285
CPU: Core i7 7700-HQ
Node version: 8.0.0
Time: 121738.768ms
Notes: The laptop was not plugged in so the CPU was in low-power mode.
-
@Placeholder said in JavaScript ReDoS:
@Placeholder And since this is an e-peen measuring contest...
Computer name:
Operating system: Windows 10 64-bit
CPU model: i7-8086k @ 5.2GHz
Time: 38196.000ms
It's great to finally have a use for all that CPU power!
Dammit you beat me to it!
-
Well played Ben. Tricked us all into running Node and/or JS.
-
For reference, .NET does it in 3.4979ms.
-
@pie_flavor how much does it slow per added character?
-
@swayde Looping tests actually end up with a number of milliseconds too small to print but only after the first one, making me think it does some seriously interesting caching.
-
Thorin Oakenshield
Pentium 4 570J ES @ 4.6 GHz
Time: 87680.540ms
Ikaruga
Athlon X4 880K @ 4.2GHz
Time: 145471.877ms
-
@pie_flavor Unless you turn it off, it precompiles regexes into an optimized state machine and reuses them as long as the string version of the regex compares equal.
-
@ben_lubar said in JavaScript ReDoS:
@boomzilla said in JavaScript ReDoS:
Desktop
You have really boring computer names.
Liar. My machine is actually named for this:
-
@pie_flavor said in JavaScript ReDoS:
Computer name: DESKTOP-WHRGRBL
OS: Win10 1803 17134.285
CPU: Core i7 7700-HQ
Node version: 8.0.0
Time: 121738.768ms
Notes: The laptop was not plugged in so the CPU was in low-power mode.
-
@HardwareGeek said in JavaScript ReDoS:
@pie_flavor said in JavaScript ReDoS:
Computer name: DESKTOP-WHRGRBL
OS: Win10 1803 17134.285
CPU: Core i7 7700-HQ
Node version: 8.0.0
Time: 121738.768ms
Notes: The laptop was not plugged in so the CPU was in low-power mode.
Windows' auto-naming FTW!
-
@boomzilla I always name my desktop Godzilla and my laptop Rodan and it bugs me to no end that Ben's desktop is also named Godzilla even though he's never seen a Godzilla film that should be illegal.
-
come on @ben_lubar put me in the table
-
@pie_flavor said in JavaScript ReDoS:
come on @ben_lubar put me in the table
I read that as "put me on the table" and assumed you were referring to a wooden one, and I was confused as to why Ben would do that and why you'd want him to.
-
@HardwareGeek Boy, I'd love to have a wooden table. All the surfaces around me are cheapshit plastic, including my desk and the dining table.
-
I should rename my laptop Shatterbird. Because it's controlling silicon.
-
@pie_flavor said in JavaScript ReDoS:
I should rename my laptop Shatterbird.
There's one for the Off by One thread.
-
@HardwareGeek said in JavaScript ReDoS:
@pie_flavor said in JavaScript ReDoS:
I should rename my laptop Shatterbird.
There's one for the Off by One thread.
Ah yes, the new world boss:
-
@barisu said in JavaScript ReDoS:
Where are the rich kids with their 8700k's?
A better question is: Where are all the even richer kids with HEDT computers showing off their i9s and Threadrippers?
-
Work laptop: [REDACTED]-aza19 | i5-6200U | 122670.226ms
-
@HardwareGeek said in JavaScript ReDoS:
@pie_flavor said in JavaScript ReDoS:
come on @ben_lubar put me in the table
I read that as "put me on the table" and assumed you were referring to a wooden one, and I was confused as to why Ben would do that and why you'd want him to.
'Dear Penthouse, I never thought this would happen to me but..'
-
i7-4500U @ 1.80GHz 2.39GHz ( I never understood that), Chrome Version 68.0.3440.106 (Official Build) (64-bit). Named L5.
Should really figure out how to get it to not "This page is not responding". It seems to halt execution until the "Wait" button is clicked...
-
@Tsaukpaetra said in JavaScript ReDoS:
i7-4500U @ 1.80GHz 2.39GHz ( I never understood that)
Base speed and current speed. This little benchmark only puts strain on one core so the CPU can go into full turbo mode on that core, which for the 4500U goes up to 3 GHz.
Edit: Iirc, the base speed is part of the CPU name string taken from the CPU and the second number is the speed Windows is reporting it running at right now.
Edit2: Yes, it is. (Taken from Linux.)
-
Windows VM hosted by VirtualBox on FreeBSD, named VM10-1, Xeon E3-1230 V2 @ 3.3 GHz on Chrome Version 69.0.3497.100 (Official Build) (64-bit):
-
@Atazhaia said in JavaScript ReDoS:
This little benchmark only puts strain on one core
What's funny is that it doesn't take a core and stick to it. And, according to Task Manager, it doesn't even peg a full core's worth of time either.
Wonder what's going on...
-
@Atazhaia said in JavaScript ReDoS:
Base speed and current speed.
Didn't help my confusion... There's three different speeds there! :O
-
Computer name: [work laptop]-292
Operating system: Windows 10 64-bit
CPU model: i7-4712MQ
Time: 132865.800ms
Time: 120659.600ms
Time: 1161997.000ms
-
@Tsaukpaetra Yeah, it's confusing. At the top of the window is the CPU name string. Base speed as listed in the task manager would be the current speed as reported by the CPU I guess. Speed is, um, I dunno! Speed as measured by Windows?
And yeah, in Windows it looks like an even load spread across all cores while in Linux I see it pegging one core at 100%, occasionally changing core. (In this test it stayed on the same physical core, just changing the logical core).
-
@topspin said in JavaScript ReDoS:
Why the hell is my MacBook like 5 times slower than yours?
Either Firefox generally does not do well on this thing or I have some rogue script running in one of the dozen other tabs. Maybe I should restart it or something.
Also, I'm not sure if Safari has the only decent implementation or just bails. Like the phone, desktop Safari is too fast to measure.
Some more tests.
Computer: e180workbox
OS: RHEL 7.5
CPU: i7-4790 @ 3.60GHz
Time: 86658.271ms
Computer: node167
OS: CentOS 7
CPU: Xeon Gold 6132 @ 2.60GHz
Time: 88572.227ms
The compute node is seriously underutilized, idling on 27 cores while not being particularly fast on the other, and would prefer to get fed some AVX-512 instructions instead. Fuck you, give me FLOPS!
-
@topspin said in JavaScript ReDoS:
@ben_lubar said in JavaScript ReDoS:
language implementations where it isn't either of those things?
One common regular expression extension that does provide additional power is called backreferences. ... The power that backreferences add comes at great cost: in the worst case, the best known implementations require exponential search algorithms, like the one Perl uses. Perl (and the other languages) could
PCREs are not actually REs, and maintaining two execution paths is
Although not benchmarked here, Java uses a backtracking implementation too. In fact, the java.util.regex interface requires a backtracking implementation, because arbitrary Java code can be substituted into the matching path
Regular expression matching systems are a massive hairball. The only way they could be more terrifying is if some mad bastard made a multi-threaded matcher.
-
```
pjh@hpdesktop:~$ node -e 'console.time("ReDoS"); /^(?:a?){30}a{30}$/.test(new Array(31).join("a")); console.timeEnd("ReDoS");'
ReDoS: 155322.037ms
pjh@hpdesktop:~$ inxi
CPU~Quad core Intel Xeon E5-1620 v2 (-MT-MCP-) speed/max~3691/3900 MHz Kernel~4.15.0-32-generic x86_64 Up~41 days Mem~14169.1/24032.8MB HDD~2000.4GB(33.6% used) Procs~617 Client~Shell inxi~2.3.56
```
```
pjh@acer-linux:~$ node -e 'console.time("ReDoS"); /^(?:a?){30}a{30}$/.test(new Array(31).join("a")); console.timeEnd("ReDoS");'
ReDoS: 245161.111ms
pjh@acer-linux:~$ inxi
CPU~Quad core Intel Pentium N4200 (-MCP-) speed/max~1073/2500 MHz Kernel~4.15.0-33-generic x86_64 Up~17 days Mem~6209.5/7801.2MB HDD~2000.4GB(1.3% used) Procs~346 Client~Shell inxi~2.3.56
```
-
@blakeyrat all of the computers here are Stargate themed.
-
@dkf said in JavaScript ReDoS:
The only way they could be more terrifying is if some mad bastard made a multi-threaded matcher.
At least my Xeon would have something to do, even though it prefers to have its SIMD units filled instead.
-
From my boomzilla VM that I use for NodeBB stuff (so I have node installed there):
```
boomzilla@boomzilla:~$ node -e 'console.time("ReDoS"); /^(?:a?){30}a{30}$/.test(new Array(31).join("a")); console.timeEnd("ReDoS");'
ReDoS: 90162.598ms
boomzilla@boomzilla:~$ inxi
CPU(s)~2 Single core Intel Core i7-4770s (-HT-SMP-) speed~3392 MHz (max) Kernel~4.4.0-116-generic x86_64 Up~2 min Mem~885.8/3933.7MB HDD~42.9GB(60.4% used) Procs~267 Client~Shell inxi~2.2.35
```
-
Name: devincej2
8.1 (64-bit) 69.0.3497.100 (Official Build) (64-bit)
Xeon E3-1245 v3 @ 3.40 GHz
Using the link from the top of the thread:
Number of seconds:
94.053900000
(after twice telling Chrome to wait until the script finished what it was doing)
-
I think we need to give @ben_lubar little blue pills, his e-peen measurer is broken
-
Just for the heck of it, I adapted this back for older browsers:
Name: Parody's DSi
Browser: Nintendo DSi Browser (Opera 9.50)
CPU: Custom ARM9 133 MHz
I let it run overnight but in the morning it was still sitting there. Hacking it a bit more to dump out every length from 1-30 shows that the trend is about time(n) = time(n-1)*2.08. I measured up through n=25, time=1505437, so my estimate for n=30 is 58,694,818 ms or about 16.3 hours.
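
Added example, not code from the thread or from any poster: a toy JavaScript model of the thread's pattern `/^(?:a?){n}a{n}$/` run against n copies of `a`, counting the work done by a backtracking search (the approach the article quoted earlier describes) and by a state-set simulation. The function names and the step counter are assumptions of this sketch, and it does not reproduce any real engine's internals.

```javascript
// Toy model of /^(?:a?){n}a{n}$/ run against 'a'.repeat(n).
// Items 0..n-1 are the optional "a?", items n..2n-1 are the mandatory "a".

// Backtracking search: try "consume" first (greedy), then "skip".
function backtrackSteps(n) {
  const input = 'a'.repeat(n);
  let steps = 0;
  function match(item, pos) {
    steps++;
    if (item === 2 * n) return pos === input.length;
    const hasA = pos < input.length && input[pos] === 'a';
    if (item < n) {
      return (hasA && match(item + 1, pos + 1)) || match(item + 1, pos);
    }
    return hasA && match(item + 1, pos + 1);
  }
  const matched = match(0, 0);
  return { matched, steps };
}

// State-set simulation: track every item the matcher could be at, once each.
function stateSetSteps(n) {
  const input = 'a'.repeat(n);
  let steps = 0;
  const skipOptionals = (set) => {
    for (let i = 0; i < n; i++) if (set[i]) { set[i + 1] = true; steps++; }
    return set;
  };
  const start = new Array(2 * n + 1).fill(false);
  start[0] = true;
  let cur = skipOptionals(start);
  for (const ch of input) {
    const next = new Array(2 * n + 1).fill(false);
    for (let i = 0; i < 2 * n; i++) {
      if (cur[i] && ch === 'a') { next[i + 1] = true; steps++; }
    }
    cur = skipOptionals(next);
  }
  return { matched: cur[2 * n], steps };
}

// Constructed sample sizes, kept small so the exponential side finishes quickly.
for (const n of [8, 12, 16, 20]) {
  const b = backtrackSteps(n), s = stateSetSteps(n);
  console.log(`n=${n} backtracking=${b.steps} state-set=${s.steps} match=${b.matched && s.matched}`);
}
```

In this model each extra character multiplies the backtracking step count by a little over 2, while the state-set count grows quadratically; both reach the same match result.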
-
@Atazhaia said in JavaScript ReDoS:
Yeah, it's confusing. At the top of the window is the CPU name string. Base speed as listed in the task manager would be the current speed as reported by the CPU I guess. Speed is, um, I dunno! Speed as measured by Windows?
Checking with the PCs at home. The top of the task manager shows the CPU model string. Why Intel includes the base speed I do not know. The base speed should show the default speed for the CPU and for an Intel CPU that should be the same as what's listed in the model string. While speed shows the current speed of the CPU. So I dunno what wtf-ery is going on with @Tsaukpaetra's base speed.
-
@Atazhaia
Maybe the Rainbow Dash mod he installed is auto-overclocking his CPU for him to make it more sparkley
-
@izzion said in JavaScript ReDoS:
@Atazhaia
Maybe the Rainbow Dash mod he installed is auto-overclocking his CPU for him to make it more sparkley
It's definitely not 20 percent cooler if that's the case....
-
@Atazhaia According to Intel's CPU info pages, the speed in the model text (upper-right in the Windows Task Manager) is the speed at which they determined the processor's power usage (TDP). Base Speed and current Speed are going to be determined by your power management settings; @Tsaukpaetra has a mobile processor, so by default they're going to bounce all over the place. I have most of power management disabled on my desktop PC and so the three speeds match most of the time. (It boosts above the Base once in a while.)
-
@pie_flavor said in JavaScript ReDoS:
DESKTOP-WHRGRBL
-
@Parody Hm. It was a while since I booted into Windows on a laptop so I can't check. But on my desktops the base speed is always the rated speed and never changes while (current) speed is constantly changing. From about 1.6 to 3.73 on my 3.47 base speed desktop.
-
I've got one more.
Computer name: Alex' MacBook Air
Operating system: 69, OS X 10.14.0 64-bit
CPU model: Intel(R) Core(TM) i5-3317U CPU @ 1.70GHz (MacBook Air (11-inch, Mid 2012))
Time: 178463.600ms
-
May as well poke the final machine I use too:
azabox | Ryzen 5 1400 | 113453.290ms
-
@Atazhaia Me too, honestly. I was thinking about how my old netbook acted after I undervolted it and put in some aggressive power management. That was XP, though.
Maybe I'll dig out my tablet tonight and see what that says. It's all defaults.