On Jul 2, 2015 9:34 AM, "Roberto Ierusalimschy" <roberto@inf.puc-rio.br> wrote:
>
> > I'd be surprised if "while true do end" can break debug hooks, since
> > it's not making any C calls. Any time you make a C function available
> > though (such as string.rep) you have to watch out that the user can't
> > abuse it to overwhelm your app, e.g. with string.rep("a", 99999999) or
> > ("a"):rep(9999):rep(9999):rep(9999):rep(9999)...
>
> You do not even need the string library for that. You can write
> something like this:
>
> s = "01234567890123456789012345678901234567890123456789"
> s = s .. s .. s .. s .. s .. s .. s .. s .. s .. s
> s = s .. s .. s .. s .. s .. s .. s .. s .. s .. s
> s = s .. s .. s .. s .. s .. s .. s .. s .. s .. s
> s = s .. s .. s .. s .. s .. s .. s .. s .. s .. s
> s = s .. s .. s .. s .. s .. s .. s .. s .. s .. s
> s = s .. s .. s .. s .. s .. s .. s .. s .. s .. s
> s = s .. s .. s .. s .. s .. s .. s .. s .. s .. s
> s = s .. s .. s .. s .. s .. s .. s .. s .. s .. s
> s = s .. s .. s .. s .. s .. s .. s .. s .. s .. s
> s = s .. s .. s .. s .. s .. s .. s .. s .. s .. s
>
> No loops, no libraries, no large constants, few instructions...
> (It is even portable; it should break many languages :-)

It doesn't break MOO, since the interpreter sets an alarm(3) at the start/resume of each task. Running out of seconds is an uncatchable exception thrown at the beginning of the next bytecode. MOO runs in environments where swapping will begin before malloc returns NULL.

Because the scheduler is vindictive, tasks which eat a whole second will not run again until everybody else gets a full second, or until the queue is idle.

What protection from long bytecodes creates instead is a lack of atomicity. Because out-of-seconds is uncatchable, there is no way to unwind critical sections. What was proposed was an enhanced try-finally which reserves a specified number of bytecode ticks and seconds for the "finally" arm.

Note that exponential behavior in something like a regexp builtin function needs to be dealt with separately, potentially by mimicking the VM.

Jay
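
Added example, not part of the original messages and not code from Lua or MOO: one host-side mitigation for the quoted concatenation script is a per-sandbox memory budget enforced in the allocator, so growth is refused long before the machine starts swapping. The function below follows the signature and contract of Lua's lua_Alloc (the function type passed to lua_newstate); the names mem_budget, capped_alloc and lines_until_refused and the 1 MiB limit are assumptions, and the growth loop is a constructed stand-in for the script so the block runs without linking Lua.

```c
#include <stdio.h>
#include <stdlib.h>

/* Per-sandbox memory budget, handed to the allocator as its `ud` pointer. */
typedef struct { size_t used, limit; } mem_budget;

/* Same contract as lua_Alloc: nsize == 0 frees the block, otherwise act
   like realloc; returning NULL reports out-of-memory to the interpreter. */
static void *capped_alloc(void *ud, void *ptr, size_t osize, size_t nsize) {
    mem_budget *b = ud;
    if (ptr == NULL) osize = 0;     /* for new blocks osize is not a size */
    if (nsize == 0) {
        free(ptr);
        b->used -= osize;
        return NULL;
    }
    if (nsize > osize && nsize - osize > b->limit - b->used)
        return NULL;                /* over budget: refuse before realloc */
    void *p = realloc(ptr, nsize);
    if (p != NULL) b->used = b->used - osize + nsize;
    return p;
}

/* Constructed stand-in for the quoted script: a 50-byte string, then each
   "s = s .. s .. (ten times)" line builds a string 10x longer while the
   old one is still live. Returns how many lines succeed before refusal,
   or -1 if even the initial string does not fit. */
static int lines_until_refused(size_t limit, int max_lines) {
    mem_budget b = { 0, limit };
    size_t len = 50;
    char *s = capped_alloc(&b, NULL, 0, len);
    if (s == NULL) return -1;
    int done = 0;
    while (done < max_lines && len <= (size_t)-1 / 10) {
        char *t = capped_alloc(&b, NULL, 0, len * 10);
        if (t == NULL) break;       /* the budget stopped the growth */
        capped_alloc(&b, s, len, 0);  /* old string is released */
        s = t; len *= 10; done++;
    }
    capped_alloc(&b, s, len, 0);
    return done;
}

int main(void) {
    printf("1 MiB budget: refused after %d of 10 lines\n",
           lines_until_refused((size_t)1 << 20, 10));
    return 0;
}
```

In a real embedding the NULL return surfaces as a Lua memory error (LUA_ERRMEM) that the host can catch with lua_pcall; the CPU side of the problem still needs a separate limit such as a count hook or the alarm-based scheme described above.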