contrib: add Hyperscan regex engine

[zhxie]

Signed-off-by: Xie Zhihao [email protected]

Commit Message: contrib: add Hyperscan regex engine
Additional Description: Hyperscan has been introduced as an input matcher earlier this year. Since the regex engine interface has been completed, the patch extent the usage of Hyperscan into a contrib regex engine.
Risk Level: Low
Testing: Unit
Docs Changes: API
Release Notes: N/A
Platform Specific Features: Requires processor with SSSE3 support (nearly any modern x86 processor)

[repokitteh-read-only]

CC @envoyproxy/dependency-shepherds: Your approval is needed for changes made to (bazel/.*repos.*\.bzl)|(bazel/dependency_imports\.bzl)|(api/bazel/.*\.bzl)|(.*/requirements\.txt)|(.*\.patch).
envoyproxy/dependency-shepherds assignee is @moderation

🐱

Caused by: #21973 was opened by zhxie.

see: more, trace.

[wrowe]

/assign-from envoyproxy/envoy-maintainers

[repokitteh-read-only]

envoyproxy/envoy-maintainers assignee is @jmarantz

🐱

Caused by: a #21973 (comment) was created by @wrowe.

see: more, trace.

[wrowe]

Ping @moderation for deps review?

[moderation]

Metadata only change for the dependency

/lgtm deps

[phlax]

one small nit but otherwise lgtm from docs pov

[jmarantz]

Flushing some comments. Lots to dig into here.

[zhxie]

Replied offline about end users consideration.

Scalable path evaluation is not conflict with regex engine update. In fact, a regex engine can be used everywhere in Envoy, especially in security region (including WAF-like extensions like RBAC).

[zhxie]

/retest flaky

[repokitteh-read-only]

Retrying Azure Pipelines:
Retried failed jobs in: envoy-presubmit

🐱

Caused by: a #21973 (comment) was created by @zhxie.

see: more, trace.

[jmarantz]

looks good -- just a few more small questions.

[jmarantz]

why did we drop this paragraph?

[zhxie]

The paragraph has been moved to api/contrib/envoy/extensions/regex_engines/hyperscan/v3alpha/hyperscan.proto since it is the introduction of the engine itself.

[jmarantz]

I'm not 100% sure I understand -- are you saying that you'll flip the defaults in the .proto file file to try to match re2 behavior?

[jmarantz]

Yeah I think what I really want to express here is that the line of code can't be hit.

There's certainly a concern with lines of code that can't be tested, and whether anyone would catch this assert successfully and what they would do about that if there was no memory left.

We used to have a macro to indicate specifically that a line of code can't be hit, and previously the toolchain running the coverage analysis would not count those lines, but that stopped working at some point when the toolchain evolved.

WDYT of just using RELEASE_ASSERT here rather than throwing an exception?

[jmarantz]

I think @zhxie did a great job with the code in this PR -- thanks for all the iteration.

I still have some higher level concerns

• what are the exact steps someone would take to rebuild Envoy with this feature
• what changes would a user need to existing re2 regexes?
• wouldn't the user (eg in High CPU usage for matching routes (re2::DFA::InlinedSearchLoop) #20147) be better off using https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/common/matcher/v3/matcher.proto ?

I am worried about propagating an alternate regex syntax (even as contrib/...) and bifurcating the community. I also wish Hyperscan didn't bring in Boost.

I thought also about whether some of the Hyperscan techniques should just be ported to re2 but that seems unlikely. There was some enlightening discussion on google/re2#383 . Notably -- there are microbenchmarks showing Hyperscan's raw speed but no obvious benchmarks exposed in the context of Envoy operations.

@mattklein123

In light of the above I'd like to get senior-maintainer opinion on this.

/assign-from @envoyproxy/senior-maintainers

[repokitteh-read-only]

@envoyproxy/senior-maintainers assignee is @alyssawilk

🐱

Caused by: a #21973 (comment) was created by @jmarantz.

see: more, trace.

[alyssawilk]

I had largely thought that with contrib we didn't have to monitor things like dependency bloat from boost or extra regex engines. I'm going to throw senior maintianer pass over to Matt as he's back tomorrow and he was driving the recent changes to contrib.

[mattklein123]

In light of the above I'd like to get senior-maintainer opinion on this.

I'm OK with this one coming into contrib as I've heard of multiple requests for using HyperScan to speed up matching (for example in WAF scenarios). IMO it's OK to let this into contrib and see how it gets used? Happy to defer to other opinions if they are strong however.

[alyssawilk]

SGTM. @moderation can we get one more deps LGTM so we can merge this in?

[jmarantz]

OK with me then. @zhxie were you going to change defaults in this PR to make it as easy as possible for a configuration that works with re2 to also work with hyperscan?

[zhxie]

@jmarantz of course. As I have mentioned, I have removed all options in Hyperscan regex engine proto to align the behavior with RE2.

envoy/api/contrib/envoy/extensions/regex_engines/hyperscan/v3alpha/hyperscan.proto

Lines 24 to 25 in e09647f

	message Hyperscan {
	}

[jmarantz]

Sorry still not totally getting it.

I was thinking when reviewing code earlier that some of the out-of-the-box options for Hyperscan around embedded newlines and unicode were different than what I think RE2 behavior is, and that we'd need explicit defaults to make them as compatible as practical.

[jmarantz]

Per slack discussion the defaults are set to maximize compatibility with RE2. Thanks for pushing this all the way through!

[moderation]

/lgtm deps

This is a metadata only dependency change. The initial Hyperscan contrib extension that brings in unwanted dependencies like Boost was added prior to the current contrib extension policy - https://github.com/envoyproxy/envoy/blob/main/EXTENSION_POLICY.md#contrib-extensions. The Hyperscan input matcher and regex engine would likely no longer be approved without an end user sponsor. These extensions appear to be R&D activities for a vendor without end users.

[sambercovici]

I see that hyperscan is compiled without "FAT_RUNTIME": "on"
Was there any reason fore this?