Performance: Pre-compile multiple regular expressions in ExecutionSafetyManager

haseeb-heaven · haseeb-heaven · commit fc58e3f5610a · 2026-06-01T11:49:11.000Z
diff --git a/.jules/bolt.md b/.jules/bolt.md
@@ -0,0 +1,3 @@
+## 2025-02-23 - [Pre-compile Regex in Tight Loops]
+**Learning:** In Python, directly executing pre-compiled `re.Pattern` objects (e.g., `p.search(text)`) within tight safety-critical loops avoids regex cache lookup overhead and speeds up the application. Furthermore, list comprehensions at the class-body level don't have access to the class scope, but converting a generator to a tuple (e.g., `tuple(re.compile(p) for p in _PATTERNS)`) safely works around this limitation.
+**Action:** Pre-compile repeated regex checks into `re.Pattern` objects directly as class attributes, and use a generator within a `tuple()` when initializing them from other class variables.
diff --git a/libs/safety_manager.py b/libs/safety_manager.py
@@ -180,6 +180,39 @@ class ExecutionSafetyManager:
 		r"\bbash\b",
 	]
 
+	# =========================
+	# PERFORMANCE OPTIMIZATION: Pre-compile regex lists to avoid re.compile cache lookup overhead
+	# inside tight analysis loops. Using tuple of pre-compiled Patterns allows executing p.search
+	# directly. Generator expressions are used to avoid NameError inside the class body.
+	# =========================
+	_COMPILED_WRITE_PATTERNS = tuple(re.compile(p, re.IGNORECASE) for p in _WRITE_PATTERNS)
+	_COMPILED_WRITE_ON_HANDLE_PATTERNS = tuple(re.compile(p, re.IGNORECASE) for p in _WRITE_ON_HANDLE_PATTERNS)
+	_COMPILED_SENSITIVE_POSIX_PREFIXES = tuple(re.compile(p, re.IGNORECASE) for p in _SENSITIVE_POSIX_PREFIXES)
+	_COMPILED_DESTRUCTIVE_PATTERNS = tuple(re.compile(p) for p in _DESTRUCTIVE_PATTERNS)
+	_COMPILED_SHELL_PATTERNS = tuple(re.compile(p) for p in _SHELL_PATTERNS)
+
+	_posix_system_prefixes = [
+		r"/etc/\w+",
+		r"/tmp/\w+",
+		r"/var/\w+",
+		r"/usr/\w+",
+		r"/root/\w+",
+		r"/home/\w+/",
+		r"/proc/\w+",
+		r"/sys/\w+",
+		r"/dev/\w+",
+		r"/boot/\w+",
+		r"/opt/\w+",
+		r"/mnt/\w+",
+		r"/media/\w+",
+	]
+	_COMPILED_POSIX_SYSTEM_PREFIXES = tuple(re.compile(p, re.IGNORECASE) for p in _posix_system_prefixes)
+	_COMPILED_WINDOWS_DRIVE_LETTER = re.compile(r"[a-z]:[\\/]")
+	_COMPILED_POSIX_ABSOLUTE_QUOTED = re.compile(r"""["']/[^"'\s]""")
+	_COMPILED_OPEN_ARGS = re.compile(r"open\s*\(\s*([\"'][^\"']+[\"'])", re.IGNORECASE)
+	_COMPILED_WINDOWS_MATCH_DRIVE = re.compile(r"[a-zA-Z]:[\\/]")
+	_COMPILED_RD_COMMAND = re.compile(r"\brd\s+/s\s+/q\b")
+
 	def __init__(self, unsafe_mode: bool = False):
 		self.unsafe_mode = unsafe_mode
 
@@ -228,7 +261,7 @@ def _has_write_operation(self, code: str) -> bool:
 		"""Return True if *code* contains any write operation that must be
 		blocked in SAFE mode.
 		"""
-		return any(re.search(p, code, re.IGNORECASE) for p in self._WRITE_PATTERNS)
+		return any(p.search(code) for p in self._COMPILED_WRITE_PATTERNS)
 
 	# =========================
 	# WRITE-ON-HANDLE DETECTION
@@ -240,52 +273,38 @@ def _has_write_on_handle(self, code: str) -> bool:
 		"""Return True if *code* calls .write() on any object (handle check).
 		This is intentionally only evaluated when an absolute path is present.
 		"""
-		return any(re.search(p, code, re.IGNORECASE) for p in self._WRITE_ON_HANDLE_PATTERNS)
+		return any(p.search(code) for p in self._COMPILED_WRITE_ON_HANDLE_PATTERNS)
 
 	# =========================
 	# HOST ABSOLUTE PATH CHECK
 	# =========================
 	def _is_host_absolute_path(self, code: str) -> bool:
 		"""Return True if *code* references a host absolute path."""
+		code_lower = code.lower()
 		# Windows drive-letter path
-		if re.search(r"[a-z]:[\\/]", code.lower()):
+		if self._COMPILED_WINDOWS_DRIVE_LETTER.search(code_lower):
 			return True
 
 		# Quoted POSIX absolute path: '/...' or "/..."
-		if re.search(r"""["']/[^"'\s]""", code):
+		if self._COMPILED_POSIX_ABSOLUTE_QUOTED.search(code):
 			return True
 
 		# Unquoted well-known POSIX system directory prefixes
-		_posix_system_prefixes = [
-			r"/etc/\w+",
-			r"/tmp/\w+",
-			r"/var/\w+",
-			r"/usr/\w+",
-			r"/root/\w+",
-			r"/home/\w+/",
-			r"/proc/\w+",
-			r"/sys/\w+",
-			r"/dev/\w+",
-			r"/boot/\w+",
-			r"/opt/\w+",
-			r"/mnt/\w+",
-			r"/media/\w+",
-		]
-		if any(re.search(p, code, re.IGNORECASE) for p in _posix_system_prefixes):
+		if any(p.search(code) for p in self._COMPILED_POSIX_SYSTEM_PREFIXES):
 			return True
 
 		# open() call whose first positional argument is an absolute path string
-		open_args = re.findall(r"open\s*\(\s*([\"'][^\"']+[\"'])", code, re.IGNORECASE)
+		open_args = self._COMPILED_OPEN_ARGS.findall(code)
 		for arg in open_args:
 			path = arg.strip("'\"")
-			if path.startswith("/") or re.match(r"[a-zA-Z]:[\\/]", path):
+			if path.startswith("/") or self._COMPILED_WINDOWS_MATCH_DRIVE.match(path):
 				return True
 
 		return False
 
 	def _is_sensitive_posix_path(self, code: str) -> bool:
 		"""Return True if *code* references a sensitive POSIX system path."""
-		return any(re.search(p, code, re.IGNORECASE) for p in self._SENSITIVE_POSIX_PREFIXES)
+		return any(p.search(code) for p in self._COMPILED_SENSITIVE_POSIX_PREFIXES)
 
 	# =========================
 	# MAIN CHECK
@@ -297,7 +316,7 @@ def assess_execution(self, code: str, mode: str) -> Decision:
 		code_lower = code.lower()
 
 		#  HARD BLOCK WINDOWS RECURSIVE DELETE (CRITICAL FIX)
-		if re.search(r"\brd\s+/s\s+/q\b", code_lower):
+		if self._COMPILED_RD_COMMAND.search(code_lower):
 			return Decision(False, ["Recursive deletion is blocked."])
 
 		#  UNSAFE MODE - still detect dangerous operations but allow with warnings
@@ -326,15 +345,15 @@ def assess_execution(self, code: str, mode: str) -> Decision:
 		# (shutdown, reboot, mkfs, dd, format, diskpart) in addition to
 		# filesystem deletes.
 		# =========================
-		if any(re.search(p, code_lower) for p in self._DESTRUCTIVE_PATTERNS):
+		if any(p.search(code_lower) for p in self._COMPILED_DESTRUCTIVE_PATTERNS):
 			return Decision(False, ["Destructive operation blocked."])
 
 		# =========================
 		# SHELL BLOCK
 		# BUG FIX #2: Uses _SHELL_PATTERNS with \b word-boundary regex instead
 		# of plain substring `in` check to avoid false positives.
 		# =========================
-		if any(re.search(p, code_lower) for p in self._SHELL_PATTERNS):
+		if any(p.search(code_lower) for p in self._COMPILED_SHELL_PATTERNS):
 			return Decision(False, ["Shell execution is blocked."])
 
 		# =========================
@@ -370,7 +389,7 @@ def is_dangerous_operation(self, code: str) -> bool:
 		if not code or not code.strip():
 			return False
 		code_lower = code.lower()
-		return any(re.search(p, code_lower) for p in self._DESTRUCTIVE_PATTERNS)
+		return any(p.search(code_lower) for p in self._COMPILED_DESTRUCTIVE_PATTERNS)
 
 	# =========================
 	# ARTIFACT EXPORT

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+## 2025-02-23 - [Pre-compile Regex in Tight Loops]`
	`2`	+Learning: In Python, directly executing pre-compiled `re.Pattern` objects (e.g., `p.search(text)`) within tight safety-critical loops avoids regex cache lookup overhead and speeds up the application. Furthermore, list comprehensions at the class-body level don't have access to the class scope, but converting a generator to a tuple (e.g., `tuple(re.compile(p) for p in _PATTERNS)`) safely works around this limitation.
	`3`	+Action: Pre-compile repeated regex checks into `re.Pattern` objects directly as class attributes, and use a generator within a `tuple()` when initializing them from other class variables.