Skip to content
This repository has been archived by the owner on Mar 25, 2024. It is now read-only.

"[".repeat(N) takes superlinear time to parse #26

Closed
dtolnay opened this issue Mar 17, 2024 · 0 comments · Fixed by #27
Closed

"[".repeat(N) takes superlinear time to parse #26

dtolnay opened this issue Mar 17, 2024 · 0 comments · Fixed by #27

Comments

@dtolnay
Copy link
Owner

dtolnay commented Mar 17, 2024

Reported by Christian Dürr by email:

Description

I just ran a fuzzer against one of my crates and have come to the realization that certain input causes huge amounts of processing time with serde_yaml::from_str.
In release mode just 100_000 repeated [ cause parsing times of over 15 seconds.

This also applies to the libyaml C library, but since unsafe-libyaml is technically a Rust rewrite I've decided to contact you directly.
It also seems like the C library is unmaintained.

Simple Repro

fn main() {
    let input = "[".repeat(1_000_000);
    let test: String = serde_yaml::from_str(&input).unwrap();
}
@dtolnay dtolnay mentioned this issue Mar 17, 2024
Merged
kodiakhq bot pushed a commit to pdylanross/fatigue that referenced this issue Mar 18, 2024
@dependabot
chore: Bump serde_yaml from 0.9.32 to 0.9.33 (#263)
154e78b 
Bumps serde_yaml from 0.9.32 to 0.9.33.

Release notes
Sourced from serde_yaml's releases.

0.9.33

Fix quadratic parse time for YAML containing deeply nested flow collections (dtolnay/unsafe-libyaml#26)




Commits

f4c9ed9 Release 0.9.33
b4edaee Pull in yaml_parser_fetch_more_tokens fix from libyaml
8a5542c Resolve non_local_definitions warning in test
See full diff in compare view




Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix quadratic behavior in yaml_parser_fetch_more_tokens dtolnay/unsafe-libyaml
1 participant
@dtolnay