Error Pattern Safety Guidelines for Agentic Engines
This document outlines the safety guidelines for error pattern regex in agentic engines to prevent infinite loops in JavaScript.
When using regex patterns with the JavaScript global flag (/pattern/g), patterns that can match zero-width (empty strings) can cause infinite loops. This happens because:
regex.exec() with the g flag uses lastIndex to track positionlastIndex doesn't advance❌ NEVER USE THESE PATTERNS:
// Pure .* - matches everything including empty string at end
/.*/g
// Single character with * - matches zero or more (including zero)
/a*/g
// Patterns that can match empty string
/(x|y)*/g
✅ ALWAYS USE PATTERNS LIKE THESE:
// Required prefix before .*
/error.*/gi
/error.*permission.*denied/gi
// Specific structure with required content
/\[(\d{4}-\d{2}-\d{2})\]\s+(ERROR):\s+(.+)/g
// Required characters throughout
/access denied.*user.*not authorized/gi
Always require at least one character match
.+ instead of .* when you need "something"Never use bare .* as the entire pattern
error.*.* or .*?Test patterns against empty string
const regex = /your-pattern/g;
if (regex.test("")) {
throw new Error("Pattern matches empty string - DANGEROUS!");
}
Use specific anchors when possible
^error.*.*error$\berror\bAll error patterns must pass these tests:
// Test that pattern doesn't match empty string
func TestPatternSafety(t *testing.T) {
pattern := "your-pattern"
regex := regexp.MustCompile(pattern)
if regex.MatchString("") {
t.Error("Pattern matches empty string!")
}
}
test("should not match empty string", () => {
const regex = new RegExp("your-pattern", "g");
expect(regex.test("")).toBe(false);
});
The validate_errors.cjs script has built-in protections:
regex.lastIndex stops advancing// Safety check in validate_errors.cjs
if (regex.lastIndex === lastIndex) {
core.error(`Infinite loop detected! Pattern: ${pattern.pattern}`);
break;
}
When adding new error patterns to engines:
Write the pattern with required content
{
Pattern: `(?i)error.*permission.*denied`,
LevelGroup: 0,
MessageGroup: 0,
Description: "Permission denied error",
}
Test against empty string
make test-unitTestAllEnginePatternsSafeTest with actual log samples
Document the pattern
Patterns are converted from Go to JavaScript:
// Go pattern (case-insensitive flag)
Pattern: `(?i)error.*permission.*denied`
// Converted to JavaScript
new RegExp("error.*permission.*denied", "gi")
The (?i) prefix is removed because JavaScript uses the i flag instead.
// Requires "error" prefix
Pattern: `(?i)error.*permission.*denied`
// Requires specific timestamp format
Pattern: `(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z)\s+\[(ERROR)\]\s+(.+)`
// Requires "access denied" prefix
Pattern: `(?i)access denied.*user.*not authorized`
If you find a pattern that matches empty string:
Before (unsafe):
Pattern: `.*error.*` // Can match empty at start/end
After (safe):
Pattern: `error.*` // Requires "error" at start
// OR
Pattern: `.*error.+` // Requires "error" and at least one char after
// OR
Pattern: `\berror\b.*` // Requires word "error"
Before committing pattern changes:
make test-unitTestAllEnginePatternsSafe passesTestErrorPatternsNoInfiniteLoopPotential passescd pkg/workflow/js && npm testpkg/workflow/engine_error_patterns_infinite_loop_test.gopkg/workflow/js/validate_errors.test.cjspkg/workflow/error_pattern_tuning_test.go