On Fri, 03 Jul 2009 17:13:45 +1000, Tim Starling wrote:
Steve Sanbeg wrote:
I'd assume we want locked down. Loops would
be hard in any locked-down
environment; I don't recall seeing any recommendation in this thread on
how that wold be done. Recursion is much simpler, just track the depth,
and throw an exception if it goes to deep; emacs lisp already uses this
mechanism.
Loops are essential for readable code. There is no problem with
allowing loops in conjunction with time limits, that we don't have
already with complex templates. In fact, time limits for complex
templates would be an improvement over the system of expansion limits
we have at the moment.
In some cases they would be helpful; i.e. to loop over all of the template
arguments instead of those horrible #switch things they use now. But
letting people run out the clock with arbitrarily complex loops seems
messy.
On the one hand, anyone can easily write code to take up the
maximum alloted time, and stuff as many into a page as they could, to
either prevent the page from rendering at all, or cause the system to stop
executing code before it gets to the parts that are supposed to be there.
On the other hand, it could make templates fail unpredictably; with a
seemingly small change having just enough affect on execution time for the
template to fail, at least some of the time.
Recursion can give a long running time even if the
depth is limited.
By calling the function multiple times from its own body, you can have
exponential time order in the recursion depth.
All those calls still end up on the same stack; even if it could be a tree
in theory, the stack only grows one way, and execution time would only be
linear.
I found some documentation on the example I'd thought of emulating, which
may clarify a little:
http://www.delorie.com/gnu/docs/elisp-manual-21/elisp_123.html
This variable defines the maximum depth allowed in calls to eval, apply,
and funcall before an error is signaled (with error message "Lisp nesting
exceeds max-lisp-eval-depth"). This limit, with the associated error when
it is exceeded, is one way that Lisp avoids infinite recursion on an
ill-defined function.
The depth limit counts internal uses of eval, apply, and funcall, such as
for calling the functions mentioned in Lisp expressions, and recursive
evaluation of function call arguments and function body forms, as well as
explicit calls in Lisp code.