Regexes are Hard: Decision-making, Difficulties, and Risks in Programming Regular Expressions

TL;DR

This study explores the decision-making process, difficulties, and risks faced by developers when programming regexes, revealing widespread challenges and lack of awareness about security issues, with implications for future tools and practices.

Contribution

First comprehensive analysis of regex development cycle focusing on decision-making, difficulties, and risk awareness, based on surveys and interviews with professional developers.

Findings

Regexes are hard to read, search, validate, and document.

Most developers are unaware of critical security risks in regexes.

Developers who know about risks often do not handle them effectively.

Abstract

Regular expressions (regexes) are a powerful mechanism for solving string-matching problems. They are supported by all modern programming languages, and have been estimated to appear in more than a third of Python and JavaScript projects. Yet existing studies have focused mostly on one aspect of regex programming: readability. We know little about how developers perceive and program regexes, nor the difficulties that they face. In this paper, we provide the first study of the regex development cycle, with a focus on (1) how developers make decisions throughout the process, (2) what difficulties they face, and (3) how aware they are about serious risks involved in programming regexes. We took a mixed-methods approach, surveying 279 professional developers from a diversity of backgrounds (including top tech firms) for a high-level perspective, and interviewing 17 developers to learn the details about the difficulties that they face and the solutions that they prefer. In brief, regexes are hard. Not only are they hard to read, our participants said that they are hard to search for, hard to validate, and hard to document. They are also hard to master: the majority of our studied developers were unaware of critical security risks that can occur when using regexes, and those who knew of the risks did not deal with them in effective manners. Our findings provide multiple implications for future work, including semantic regex search engines for regex reuse and improved input generators for regex validation.