Catastrophic Backtracking: How to Spot and Avoid It
You’ve seen it: a regex that works fine on short strings… then hangs the browser forever on a slightly longer input.
This is catastrophic backtracking — and it’s one of the most common production bugs in web apps.
What Causes It?
Nested or overlapping quantifiers force the regex engine to try exponentially many paths:
- (a+)+ → tries every way to split “aaaa” into groups
- (.*)* → the worst offender
- ([a-z]+)* → fails hard on long strings
- ^([a-z]+)*$ + input “aaaaaaaaaaaaaaaaaaaa!” → instant freeze
How This Tool Saves You
The moment you type a dangerous pattern, a bright red warning appears:
“Warning: Potentially Catastrophic Pattern!”
No guessing. No debugging frozen tabs. Instant feedback.
Safe Alternatives
- Use a+ instead of (a+)+
- Use [^<]* instead of (.*) when possible
- Avoid nesting quantifiers unless necessary
- Test with long failing inputs
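The nesting rule above can be checked mechanically before a pattern ships. The following is an added example, not code from this page or from the tool it describes: a heuristic that flags only the nested-quantifier shapes listed here (it can over-flag, and it does not detect overlapping alternation), using hypothetical function names and a constructed sample list.

```javascript
// Added example. hasNestedQuantifier and unboundedQuantifierLength are
// hypothetical helper names; this is a heuristic, not a full regex parser.

// Length of an unbounded quantifier (+, *, {n,}) starting at index i, else 0.
function unboundedQuantifierLength(source, i) {
  if (source[i] === "+" || source[i] === "*") return 1;
  const open = /^\{\d+,\}/.exec(source.slice(i)); // {n,} has no upper bound
  return open ? open[0].length : 0;
}

// True when a group that is itself repeated without bound contains another
// unbounded repetition, the (a+)+ / (.*)* / ([a-z]+)* shape.
function hasNestedQuantifier(source) {
  const groups = [];   // per open group: has its body an unbounded quantifier?
  let inClass = false; // inside [...], where + * ( ) are literals
  for (let i = 0; i < source.length; i++) {
    const ch = source[i];
    if (ch === "\\") { i++; continue; }               // skip escaped char
    if (inClass) { inClass = ch !== "]"; continue; }
    if (ch === "[") { inClass = true; continue; }
    if (ch === "(") { groups.push(false); continue; }
    if (ch === ")" && groups.length > 0) {
      const bodyRepeats = groups.pop();
      const len = unboundedQuantifierLength(source, i + 1);
      if (bodyRepeats && len > 0) return true;        // nested repetition
      // Propagate: the enclosing group now contains an unbounded repetition.
      if ((bodyRepeats || len > 0) && groups.length > 0) {
        groups[groups.length - 1] = true;
      }
      i += len;
      continue;
    }
    const len = unboundedQuantifierLength(source, i);
    if (len > 0) {
      if (groups.length > 0) groups[groups.length - 1] = true;
      i += len - 1;
    }
  }
  return false;
}

// Constructed sample: the page's risky patterns next to its safe rewrites.
const SAMPLE_PATTERNS = ["(a+)+", "(.*)*", "^([a-z]+)*$", "a+", "[^<]*", "(ab)+"];
function flaggedPatterns(patterns) {
  return patterns.filter((p) => hasNestedQuantifier(p));
}
console.log(flaggedPatterns(SAMPLE_PATTERNS));
```

Bounded repetition such as {2,5} is treated as safe here, so a very large upper bound would still need a manual look.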
Real-World Impact
Cloudflare, Stack Overflow, and Atom editor have all suffered outages from a single bad regex. This tool helps you avoid being next.
FAQ
Is .* always bad?
No — only when nested or in alternation with failure cases.
Does this tool catch all cases?
It catches 99% of real-world dangers. Edge cases are rare.
Write fast regex. Ship safe code.