JavaScript ReDoS
-
JE-D-002
Core i7 8086k 4.9ghz
-
DESKTOP-B8VU58U
10 64-bit
Intel I7 4770 @3.4 Ghz
Time: 91134.100ms
Time: 59175.500ms (Strange time difference, and strangely a better performance than some better CPUs of you guys here)
-
Heh. Safari 12 apparently uses a better RE algorithm than any of the other browsers people are using here. I had to go and investigate carefully to make sure that it was actually executing the code, because it keeps on coming up with "0.000000000 seconds"/"0.000ms", but as far as I can tell by testing, it's actually doing it properly and coming up with the right answers. (2.2 GHz Core i7, OS X 10.13.6, Safari Version 12.0 (13606.2.11).)
-
I noticed that as well. Compliments to the Safari developers.
-
@Anonymous-Throwaway said in JavaScript ReDoS:
Heh. Safari 12 apparently uses a better RE algorithm than any of the other browsers people are using here. I had to go and investigate carefully to make sure that it was actually executing the code, because it keeps on coming up with "0.000000000 seconds"/"0.000ms", but as far as I can tell by testing, it's actually doing it properly and coming up with the right answers. (2.2 GHz Core i7, OS X 10.13.6, Safari Version 12.0 (13606.2.11).)
I assume it's just not returning precise enough values from performance.now() for it to give a nonzero result.
-
@ben_lubar : Well, yeah. The point isn't "this is running in an actual 0.0000... seconds to arbitrary precision" but rather "Safari's implementation isn't producing any noticeable delay". (performance.now() currently does not produce an actual full-accuracy high-resolution time value in any current browser, because that was how the browser-independent CPU timing attacks were implemented. According to MDN, as of version 60 Firefox rounds to the nearest millisecond like Safari. A little looking around suggests that Firefox first tried tenths of a millisecond but apparently found it wasn't enough to mitigate the threat.) Obviously the point is "Safari is doing this in less than half a millisecond, where all the other results from other browsers are taking at least half a minute regardless of CPU speed".
-
@Anonymous-Throwaway said in JavaScript ReDoS:
Safari is doing this in less than half a millisecond
That's the mark of using an RE engine that's not recursive. The tricky bit is that you pay for that elsewhere; the time to compile the RE itself can be horrid in other cases which the recursive engines don't have a problem with. (It's the translation into an expanded NFA that can blow up; the recursive engines simply don't do that step.) Also, comprehending how to construct an RE engine that does everything that modern RE dialects are supposed to support is hyper wizard guru level programming. I'm not joking. I guess Apple have hired one of the very few true world experts on this sort of thing.
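A worked illustration of the point above, added here and not taken from the thread or from any browser's engine: the thread's pattern ^(?:a?){n}a{n}$ is modelled two ways. backtrackSteps counts the calls a greedy recursive backtracking matcher makes (the count doubles with every extra a, so n=30 is about a billion), while nfaFullMatch runs the expanded-NFA state-set simulation, whose work is bounded by input length times the number of states. Both functions and the NFA layout are assumptions of this example.

```javascript
// Added example: two simplified models of matching ^(?:a?){n}a{n}$.
// Neither is a real browser regex engine.

// 1. Recursive backtracking. Returns the match result and the number of
//    matcher calls; for n 'a's this is 3*2^n - 1 because the only successful
//    path (every a? empty) is the last one the greedy search tries.
function backtrackSteps(n, input) {
  let steps = 0;
  function matchOptional(pos, left) {       // 'left' a? groups still to try
    steps++;
    if (left === 0) return matchMandatory(pos);
    // greedy: take an 'a' first; only on failure try the empty alternative
    if (pos < input.length && input[pos] === 'a' && matchOptional(pos + 1, left - 1)) return true;
    return matchOptional(pos, left - 1);
  }
  function matchMandatory(pos) {            // a{n}$ : exactly n 'a's remain
    steps++;
    return input.slice(pos) === 'a'.repeat(n);
  }
  return { matched: matchOptional(0, n), steps };
}

// 2. Expanded NFA (Thompson-style): states 0..n-1 are the optional a's
//    (consume 'a' or skip via epsilon), n..2n-1 the mandatory a's, 2n accepts.
function buildOptionalThenRequiredNfa(n) {
  const size = 2 * n + 1;
  const eps = Array.from({ length: size }, () => []);
  const onA = Array.from({ length: size }, () => []);
  for (let k = 0; k < n; k++) { onA[k].push(k + 1); eps[k].push(k + 1); }
  for (let k = n; k < 2 * n; k++) onA[k].push(k + 1);
  return { eps, onA, start: 0, accept: 2 * n };
}

function epsilonClosure(nfa, states) {
  const seen = new Set(states), stack = [...states];
  while (stack.length) {
    const s = stack.pop();
    for (const t of nfa.eps[s]) if (!seen.has(t)) { seen.add(t); stack.push(t); }
  }
  return seen;
}

// Anchored (^...$) match: the set of live states advances once per character,
// so the work is at most input.length * (2n+1) instead of 2^n.
function nfaFullMatch(nfa, input) {
  let current = epsilonClosure(nfa, [nfa.start]);
  let steps = 0;
  for (const ch of input) {
    const next = new Set();
    for (const s of current) {
      steps++;
      if (ch === 'a') for (const t of nfa.onA[s]) next.add(t);
    }
    current = epsilonClosure(nfa, next);
    if (current.size === 0) break;          // no state can continue: fail early
  }
  return { matched: current.has(nfa.accept), steps };
}
```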
-
@dkf said in JavaScript ReDoS:
I guess Apple have hired one of the very few true world experts on this sort of thing.
Probably the only expert they hired to work on Safari.
-
@loopback0 said in JavaScript ReDoS:
Probably the only expert they hired to work on Safari.
Yeah, it's such an awful browser… except that it's better than Firefox. And Edge. And Chrome started off as basically a steal of the open-source parts of Safari, so apparently Google likes Safari, too, but hey, what do they know? And this whole thread is about a huge and longstanding bug which seems to freeze up every browser in the market except Safari, which is apparently just further evidence that Safari and Apple are wrong, wrong, wrong.
-
-
@Anonymous-Throwaway Welcome to the forums!
-
@pie_flavor said in JavaScript ReDoS:
come on @ben_lubar put me in the table
The proper open source reaction is to fork the table, add yourself to your own fork and do a pull request
-
@Anonymous-Throwaway
:clippy: I see that you are blakeyrat’s alt. Would you like help calling yourself bad names?
-
Is there any reasonable way to verify that the jsfiddle does anything sensible, because:
The 0.0000000 are me mashing the button in rapid succession.
-
@bjolling said in JavaScript ReDoS:
to fork the table
She say, "You better no fork on the table, you son of a bitch."
-
@izzion said in JavaScript ReDoS:
:clippy:
I can't believe it took me this long to make the connection between Clippy the Microsoft assistant and clippy the Rust linter.
-
@pie_flavor said in JavaScript ReDoS:
clippy the Rust linter
It looks like you're trying to tidy up your Rust code. Would you like some help with that? [Yes] [No]
-
@dkf Oh, I'm sure it could do with some of that itself.
https://i.imgur.com/Te3JYbt.png
e: apparently it's my fault, you're supposed to add it as a compiler component instead of a package manager module. Still, it's funny.
-
@bjolling said in JavaScript ReDoS:
@pie_flavor said in JavaScript ReDoS:
come on @ben_lubar put me in the table
The proper open source reaction is to fork the table, add yourself to your own fork and do a pull request
Seconded.
Currently I'm in last place because apparently my macbook's i7 is tons slower than other macbooks, but my phone should be in first place, too.
-
@Parody said in JavaScript ReDoS:
@Atazhaia Me too, honestly. I was thinking about how my old netbook acted after I undervolted it and put in some aggressive power management. That was XP, though.
Maybe I'll dig out my tablet tonight and see what that says. It's all defaults.
I dug up my tablet finally. The CPU stuff is set to defaults in the UEFI and Balanced in Windows 10, and Base Speed matches the processor text. Shows what I know.
Computer Name: ZOT-FOT-PIK
OS: Windows 10 (32-bit)
CPU Model: Atom Z3775 (1.46 GHz Base, ~2.2 in Bursts)
Time: 271296.500ms
-
@ben_lubar get a data
Device Name: "Very Quick Brick"
OS: Android Pie
CPU Model: Qualcomm Snapdragon 845
Time: 151009.300ms
Just a generic 2018 flagship smartphone, I'm sure any other one would get a similar result.
-
@aliceif Have some more
Computer name: a-X550LD
Operating system: Ubuntu 18.04.1 LTS x86_64
CPU model: Intel Core i5-4200U @ 4x 2.6GHz
Time: 139399.600ms
-
@blakeyrat said in JavaScript ReDoS:
he's never seen a Godzilla film that should be illegal.
I've never seen a Godzilla film that should be illegal either.
-
@aliceif Welcome back!
-
ulvhamne@sneakybits ~ $ node -e 'console.time("ReDoS"); /^(?:a?){30}a{30}$/.test(new Array(31).join("a")); console.timeEnd("ReDoS");'
The program 'node' is currently not installed. You can install it by typing:
sudo apt install nodejs-legacy
ulvhamne@sneakybits ~ $ inxi
CPU~Dual core Intel Core i7-7500U (-HT-MCP-) speed/max~3499/3500 MHz Kernel~4.8.0-30-generic x86_64 Up~92 days Mem~5880.1/15928.6MB HDD~NA(-) Procs~251 Client~Shell inxi~2.2.35
Fuck node, that's why.
And then:
Computer name:
Operating system: Mint 64-bit
CPU model:
Time: 568598.000ms
Though, it sat there doing fuck all for about 20 minutes before finishing, which I know because it took half the commute to get there. So Idún knows how accurate the timing actually is.
-
@Carnage Whoa, you managed to get a worse time than my MacBook!
Still don't know why it was so slow, but oh well.
-
@barisu said in JavaScript ReDoS:
Where are the rich kids with their 8700k's?
Where are the rich kids with their 9900k's?
-
@ben_lubar how the hell was I "just mentioned" by this post?
-
@Tsaukpaetra I edited it and presumably it had fallen out of your notification list.
-
@ben_lubar said in JavaScript ReDoS:
@Tsaukpaetra I edited it and presumably it had fallen out of your notification list.
But I thought editing a post never sends notifications? Oh well.
-
@ben_lubar Do edited posts send @mention notifications today? flip coin
e:
-
@Tsaukpaetra said in JavaScript ReDoS:
@ben_lubar said in JavaScript ReDoS:
@Tsaukpaetra I edited it and presumably it had fallen out of your notification list.
But I thought editing a post never sends notifications? Oh well.
Or you could do like Discourse and send one notification per person per post, even on edits. I think we had a thread about that...
-
@HardwareGeek said in JavaScript ReDoS:
@pie_flavor said in JavaScript ReDoS:
I should rename my laptop Shatterbird.
There's one for the Off by One thread.
Chatterbird?
-
Computer name:
Operating system: Android 8.1.0
CPU model:
Time: 222370.400ms
That's my Nokia 7 plus
-
And I'm still not in the table. @ben_lubar
-
@pie_flavor said in JavaScript ReDoS:
And I'm still not in the table. @ben_lubar
Yeah, me neither, @ben_lubar
-
@pie_flavor said in JavaScript ReDoS:
And I'm still not in the table. @ben_lubar
Edit: ah sorry, ESL and all that. I didn't notice the subtlety between being on the table and being in the table.
-
Ran it on new computer
Computer name: ginger
Operating system: Windows 10 Home
CPU model: AMD Ryzen 2700x
Time: 83840.480ms
-
@barisu Me too!
Computer name: Layla
Operating system: Windows 10 64-bit
CPU model: Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz (8 CPUs)
Time: 103598.965ms
-
@aliceif Welcome back! Seems like today is the day of welcome-backing.
-
@pie_flavor Waiting for @accalia. (I know blakeyrat won't come back).
-
-
Random thought: some people who left haven't returned because they are waiting for others in a dependency cycle, causing a deadlock.
-
@Zecc maybe they're all waiting on @MasterPlanSoftware? I see he's been unbanned.
-
@pie_flavor said in JavaScript ReDoS:
@Zecc maybe they're all waiting on @MasterPlanSoftware? I see he's been unbanned.
Really? I thought Alex himself was pissed at him.
Can we keep some balance on the sanity scale? I want @dhromed back.
-
@Zecc said in JavaScript ReDoS:
(I know blakeyrat won't come back).
He's lurking; I'd bet he'll post sooner or later.
-
Oh, I might as well repost now that I also have a new(er) computer now.
Computer name: TkZbox ( ZBox 1080k )
Operating system: Windows 10 64-bit
CPU model: i7-7700 @ 3.6GHz
Time: 81216.805ms
-
@HardwareGeek said in JavaScript ReDoS:
@Zecc said in JavaScript ReDoS:
(I know blakeyrat won't come back).
He's lurking; I'd bet he'll post sooner or later.
I'm betting on he won't post until X days/weeks/something after the last time we make a comment about that. Just because.
-
@dcon said in JavaScript ReDoS:
@HardwareGeek said in JavaScript ReDoS:
@Zecc said in JavaScript ReDoS:
(I know blakeyrat won't come back).
He's lurking; I'd bet he'll post sooner or later.
I'm betting on he won't post until X days/weeks/something after the last time we make a comment about that. Just because.
He'll get drawn back into posting at some point.