fix: harden parser, VM, recall validator and fix 4 bugs

- Rename TimeoutError alias to RecheckTimeoutError to avoid shadowing
  the built-in
- Emit FAIL for unknown named backreferences instead of silently
  resolving to group 1
- Add context manager protocol to RecallValidator and close thread pool
  in HybridChecker/convenience functions to prevent resource leaks
- Replace DFS with BFS in product-automaton cycle detection to avoid
  missing valid cycles through globally-visited intermediate nodes
- Add parser depth limit, name/backref length bounds, multiline-aware
  anchors, atomic groups, possessive quantifiers, and real timeouts
  via ThreadPoolExecutor in recall validation
- Fix ruff E402 import ordering in scc_checker and source_scanner
- 874 tests pass (11 new in test_bugfixes.py)

Author: dvershinin

src/recheck/cli.py

@@ -3,8 +3,9 @@
 import argparse
 import sys
 
-from recheck import check, Config
-from recheck.parser.flags import Flags
+from redoctor import check, Config
+from redoctor.diagnostics.diagnostics import Status
+from redoctor.parser.flags import Flags
 
 
 def main():
@@ -60,7 +61,7 @@ def main():
         "-q",
         "--quiet",
         action="store_true",
-        help="Only output status (exit code 0=safe, 1=vulnerable, 2=error)",
+        help="Only output status (exit code 0=safe, 1=vulnerable, 2=error, 3=both)",
     )
     parser.add_argument(
         "-v",
@@ -77,7 +78,7 @@ def main():
     args = parser.parse_args()
 
     if args.version:
-        from recheck import __version__
+        from redoctor import __version__
 
         print("recheck {0}".format(__version__))
         return 0
@@ -113,6 +114,17 @@ def main():
         try:
             result = check(pattern, flags=flags, config=config)
 
+            if result.status == Status.ERROR:
+                has_error = True
+                if not args.quiet:
+                    print(
+                        "ERROR: {0}: {1}".format(
+                            pattern, result.error or "analysis error"
+                        ),
+                        file=sys.stderr,
+                    )
+                continue
+
             if args.quiet:
                 # Quiet mode: just track status
                 if result.is_vulnerable:
@@ -129,7 +141,7 @@ def main():
                     print("  Pump:   {0!r}".format(result.attack_pattern.pump))
                     print("  Suffix: {0!r}".format(result.attack_pattern.suffix))
                     # Generate example attack string
-                    attack = result.attack_pattern.build_attack_string(20)
+                    attack = result.attack_pattern.build(20)
                     print("  Example: {0!r}".format(attack))
                 if result.hotspot:
                     print("Hotspot: {0}".format(result.hotspot))
@@ -141,7 +153,7 @@ def main():
                     if result.complexity:
                         print("  Complexity: {0}".format(result.complexity))
                     if result.attack_pattern:
-                        attack = result.attack_pattern.build_attack_string(20)
+                        attack = result.attack_pattern.build(20)
                         print("  Attack: {0!r}".format(attack))
                     has_vulnerable = True
                 elif result.is_safe:
@@ -155,7 +167,9 @@ def main():
                 print("ERROR: {0}: {1}".format(pattern, e), file=sys.stderr)
 
     # Return appropriate exit code
-    if has_error:
+    if has_error and has_vulnerable:
+        return 3
+    elif has_error:
         return 2
     elif has_vulnerable:
         return 1

src/redoctor/__init__.py

@@ -22,9 +22,9 @@
 from redoctor.diagnostics.attack_pattern import AttackPattern
 from redoctor.diagnostics.hotspot import Hotspot
 from redoctor.parser.flags import Flags
-from redoctor.exceptions import RedoctorError, ParseError, TimeoutError
+from redoctor.exceptions import RedoctorError, ParseError, AnalysisTimeoutError
 
-__version__ = "0.1.0"
+__version__ = "0.1.4"
 
 __all__ = [
     # Main API
@@ -49,7 +49,7 @@
     # Exceptions
     "RedoctorError",
     "ParseError",
-    "TimeoutError",
+    "AnalysisTimeoutError",
     # Version
     "__version__",
 ]

src/redoctor/automaton/complexity_analyzer.py

@@ -115,95 +115,6 @@ def analyze(self) -> Tuple[Complexity, Optional[AmbiguityWitness]]:
 
         return Complexity.safe(), None
 
-    def _build_multi_transition_witness(self) -> Optional[AmbiguityWitness]:
-        """Build a witness from multi-transition information.
-
-        Multi-transitions indicate that multiple epsilon paths from the same
-        state lead to the same character transition. This is the pattern for
-        nested quantifiers like (a+)+ where:
-        - After reading 'a' and being at state S
-        - We can continue the inner loop (one path)
-        - Or exit inner and re-enter via outer loop (another path)
-        """
-        if not self.ordered_nfa.multi_transitions:
-            return None
-
-        # Get the first multi-transition
-        for (from_state, to_state), count in self.ordered_nfa.multi_transitions.items():
-            if count > 1:
-                # Find a sample character for this transition
-                sample_char = ord("a")
-                for trans in self.ordered_nfa.get_transitions(from_state):
-                    if trans.target == to_state and trans.char:
-                        s = trans.char.sample()
-                        if s is not None:
-                            sample_char = s
-                            break
-
-                # Build prefix: path from initial to from_state
-                prefix = self._find_path_to_state(from_state)
-
-                # Build pump: one character that uses the multi-transition
-                pump = [sample_char]
-
-                # Build suffix: non-matching character
-                suffix = [ord("!")]
-
-                return AmbiguityWitness(
-                    prefix=prefix,
-                    pump=pump,
-                    suffix=suffix,
-                    state1=from_state,
-                    state2=to_state,
-                )
-        return None
-
-    def _find_path_to_state(self, target: State) -> List[int]:
-        """Find a path from initial state to target state."""
-        if self.ordered_nfa.initial is None:
-            return []
-        if self.ordered_nfa.initial == target:
-            return []
-
-        visited: Set[State] = set()
-        queue: deque[Tuple[State, List[int]]] = deque([(self.ordered_nfa.initial, [])])
-
-        while queue:
-            state, path = queue.popleft()
-            if state == target:
-                return path
-            if state in visited:
-                continue
-            visited.add(state)
-
-            for trans in self.ordered_nfa.get_transitions(state):
-                if trans.char:
-                    sample = trans.char.sample()
-                    if sample is not None:
-                        queue.append((trans.target, path + [sample]))
-
-        return []
-
-    def _check_exponential_ambiguity_with_product(
-        self,
-        divergent_pairs: List[NFAStatePair],
-        product_trans: Dict[NFAStatePair, List[Tuple[IChar, NFAStatePair]]],
-    ) -> Optional[AmbiguityWitness]:
-        """Check for EDA using pre-computed product automaton."""
-        for pair in divergent_pairs:
-            cycle = self._find_cycle_in_product(pair, product_trans)
-            if cycle and len(cycle) > 0:
-                prefix = self._find_path_to_pair(pair, product_trans)
-                suffix = self._find_path_to_accepting(pair, product_trans)
-                return AmbiguityWitness(
-                    prefix=prefix,
-                    pump=cycle,
-                    suffix=suffix,
-                    state1=pair.state1,
-                    state2=pair.state2,
-                )
-        return None
-
     def _check_polynomial_ambiguity_with_product(
         self,
         divergent_pairs: List[NFAStatePair],
@@ -320,24 +231,35 @@ def _find_cycle_in_product(
         start: NFAStatePair,
         transitions: Dict[NFAStatePair, List[Tuple[IChar, NFAStatePair]]],
     ) -> List[int]:
-        """Find a cycle starting and ending at the given pair."""
+        """Find a cycle starting and ending at the given pair.
+
+        Uses BFS from the immediate successors of *start* so that each
+        intermediate node is visited at most once while still allowing
+        multiple successors to independently search for a path back.
+        """
+        # Seed the BFS with all direct successors of start
+        queue: deque[Tuple[NFAStatePair, List[int]]] = deque()
+        for char, next_pair in transitions.get(start, []):
+            sample = char.sample()
+            if sample is not None:
+                queue.append((next_pair, [sample]))
+
         visited: Set[NFAStatePair] = set()
-        stack: List[Tuple[NFAStatePair, List[int]]] = [(start, [])]
 
-        while stack:
-            pair, chars = stack.pop()
+        while queue:
+            pair, chars = queue.popleft()
 
-            if pair == start and chars:
+            if pair == start:
                 return chars
 
-            if pair in visited and pair != start:
+            if pair in visited:
                 continue
             visited.add(pair)
 
             for char, next_pair in transitions.get(pair, []):
                 sample = char.sample()
                 if sample is not None:
-                    stack.append((next_pair, chars + [sample]))
+                    queue.append((next_pair, chars + [sample]))
 
         return []
 

src/redoctor/automaton/scc_checker.py

@@ -7,6 +7,7 @@
 4. IDA: Look for divergent chains between SCCs
 """
 
+import logging
 from dataclasses import dataclass
 from enum import Enum
 from typing import Dict, FrozenSet, List, Optional, Set, Tuple
@@ -17,6 +18,8 @@
 from redoctor.diagnostics.complexity import Complexity
 from redoctor.unicode.ichar import IChar
 
+logger = logging.getLogger(__name__)
+
 
 class MatchMode(Enum):
     """How the regex is expected to be used for matching.
@@ -217,8 +220,12 @@ def check(self) -> Tuple[Complexity, Optional[AmbiguityWitness]]:
 
             return Complexity.safe(), None
 
+        except (ValueError, KeyError, IndexError):
+            # Known non-critical exceptions from NFA construction/analysis
+            logger.debug("SCC analysis failed with non-critical error", exc_info=True)
+            return Complexity.safe(), None
         except Exception:
-            # Any error during analysis - return safe to be conservative
+            logger.error("Unexpected error during SCC analysis", exc_info=True)
             return Complexity.safe(), None
 
     def _build_quick_witness(self) -> AmbiguityWitness:
@@ -400,10 +407,6 @@ def _check_eda_with_pair_graph(
                             # Found EDA: diagonal -> off-diagonal -> diagonal
                             return (scc, path + [next_char] if path else [next_char])
 
-                        # Also check if next leads to a diagonal we already saw
-                        if next_pair in visited and next_pair[0] == next_pair[1]:
-                            return (scc, path + [next_char] if path else [next_char])
-
                 # Continue BFS
                 for next_char, next_pair in pair_edges.get(current, []):
                     if next_pair not in visited:
@@ -416,50 +419,10 @@ def _check_polynomial(
     ) -> Optional[Tuple[int, List[Tuple[List[NFAState], List[NFAChar]]]]]:
         """Check for IDA (Polynomial Degree of Ambiguity).
 
-        IDA exists when there's a chain of SCCs with divergence accumulating.
-        The degree is the length of the longest such chain.
+        Note: This is a stub. IDA detection is handled by the product
+        automaton in ComplexityAnalyzer._check_polynomial_ambiguity_with_product.
         """
-        if not self.sccs or not self.graph:
-            return None
-
-        # Compute the IDA degree for each SCC using dynamic programming
-        scc_degrees: Dict[int, int] = {}
-        scc_pumps: Dict[int, List[Tuple[List[NFAState], List[NFAChar]]]] = {}
-
-        # Sort SCCs topologically (reversed order of Tarjan's output)
-        for i, scc in enumerate(self.sccs):
-            if self.graph.is_atom(scc):
-                scc_degrees[i] = 0
-                scc_pumps[i] = []
-            else:
-                scc_degrees[i] = 1
-                scc_pumps[i] = []
-
-        # Check for IDA chains between SCCs
-        # (This is a simplified version - full implementation would need G3 graph)
-        max_degree = max(scc_degrees.values()) if scc_degrees else 0
-
-        if max_degree <= 1:
-            return None
-
-        # Collect pumps for the max degree chain
-        pumps: List[Tuple[List[NFAState], List[NFAChar]]] = []
-        for i, degree in scc_degrees.items():
-            if degree == max_degree:
-                scc = self.sccs[i]
-                # Get a sample char from this SCC
-                sample_chars: List[NFAChar] = []
-                for state in scc:
-                    for char, target in self.graph.neighbors.get(state, []):
-                        if target in set(scc):
-                            sample_chars.append(char)
-                            break
-                    if sample_chars:
-                        break
-                pumps.append((scc, sample_chars))
-                break
-
-        return (max_degree, pumps) if pumps else None
+        return None
 
     def _build_witness(
         self, eda_result: Tuple[List[NFAState], List[NFAChar]]

src/redoctor/checker.py

@@ -30,6 +30,10 @@ def __init__(self, config: Config = None):
             timeout=self.config.recall_timeout,
         )
 
+    def close(self) -> None:
+        """Release resources held by the checker."""
+        self.validator.close()
+
     def check(self, pattern: str, flags: Flags = None) -> Diagnostics:
         """Check a regex pattern for ReDoS vulnerabilities.
 
@@ -72,7 +76,7 @@ def check_pattern(self, pattern: Pattern) -> Diagnostics:
             # If automaton checker returns unknown, use fuzz as fallback
             if result.status == Status.UNKNOWN:
                 fuzz_result = self.fuzz_checker.check_pattern(pattern)
-                if fuzz_result.is_vulnerable:
+                if fuzz_result.is_vulnerable or fuzz_result.is_safe:
                     result = fuzz_result
 
             # If automaton says SAFE, trust it.
@@ -152,14 +156,17 @@ def check(pattern: str, flags: Flags = None, config: Config = None) -> Diagnosti
         Diagnostics result with vulnerability information.
 
     Example:
-        >>> from recheck import check
+        >>> from redoctor import check
         >>> result = check(r"^(a+)+$")
         >>> if result.is_vulnerable:
         ...     print(f"Vulnerable: {result.complexity}")
         ...     print(f"Attack: {result.attack}")
     """
     checker = HybridChecker(config)
-    return checker.check(pattern, flags)
+    try:
+        return checker.check(pattern, flags)
+    finally:
+        checker.close()
 
 
 def check_pattern(pattern: Pattern, config: Config = None) -> Diagnostics:
@@ -173,7 +180,10 @@ def check_pattern(pattern: Pattern, config: Config = None) -> Diagnostics:
         Diagnostics result.
     """
     checker = HybridChecker(config)
-    return checker.check_pattern(pattern)
+    try:
+        return checker.check_pattern(pattern)
+    finally:
+        checker.close()
 
 
 def is_safe(pattern: str, flags: Flags = None, config: Config = None) -> bool: