Demystifying Regular Expression Bugs: A comprehensive study on regular expression bug causes, fixes, and testing
share
Regular expressions cause string-related bugs and open security vulnerabilities for DOS attacks. However, beyond ReDoS (Regular expression Denial of Service), little is known about the extent to which regular expression issues affect software development and how these issues are addressed in practice. We conduct an empirical study of 356 merged regex-related pull request bugs from Apache, Mozilla, Facebook, and Google GitHub repositories. We identify and classify the nature of the regular expression problems, the fixes, and the related changes in the test code. The most important findings in this paper are as follows: 1) incorrect regular expression behavior is the dominant root cause of regular expression bugs (165/356, 46.3 and other code issues that require regular expression changes in the fix (29.5 and more lines of code to fix them compared to the general pull requests, 3) most (51 Certain regex bug types (e.g., compile error, performance issues, regex representation) are less likely to include test code changes than others, and 4) the dominant type of test code changes in regex-related pull requests is test case addition (75 understanding of the practical problems faced by developers when using, fixing, and testing regular expressions.
READ FULL TEXT