Eval()?



  • Discuss

    Caution: Your response / reaction to this could reveal more about you than you realise.

    Note: Your initial response may be considered to be your actual response.

    Hint: I would love to help / guide you, but that would defeat the purpose of this topic. Sorry.


  • area_deu

    Does VB.NET even have that?



  • @loose said:

    Discuss

    No.



  • in databinding context at least



  • @aliceif said:

    Does VB.NET even have that?

    Kinda, sorta, maybe?



  • My first reaction:

    "WTF is this thread, I don't have time for this shit"

    My second reaction:

    "eval? Meh. It has its uses, but there are probably better alternatives around (especially in node.js)"



  • @cartman82 said:

    "WTF is this thread, I don't have time for this shit"

    lol :rofl:



    Don't have a clue (@Maciejasjmj's response notwithstanding) and I'm not even sure if I have a hankering to find out :smile:

    If it don't, is that a good thing or a bad thing?



  • eval() makes implementations of languages more complicated.

    For example, in C, the eval function would have to run a full C compiler.

    But you can use it to implement self-modifying code which is otherwise impossible in most languages.

    Not that that's a good idea for most applications.


  • Notification Spam Recipient

    I love eval()! It is the only way our public facing, no-authentication-required credit card app can evaluate any code the user tries to throw at it without validating it first. That's what I call flexible!


  • SockDev

    @loose said:

    Discuss

    Assuming you are talking about eval as it exists in many scripting languages, such as JavaScript and Python....

    Dangerous. Use with caution. Avoid if possible.

    For preference find another way to solve problem that does not require directly executing untrusted code.

    It is in theory occasionally necessary, but i have yet to find a situation where there is not a safer solution, often the safer solution has a positive performance gain, or at worst a negligible performance hit.
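
Added example, not part of any post in this thread: one way to follow the advice above when the untrusted input only needs to be arithmetic (an assumption; the thread does not say what the input is). The names `tokenize`, `safeEval` and `maxLen` are hypothetical; the parser accepts numbers, `+ - * /`, unary minus and parentheses, and throws on anything else instead of executing it.

```javascript
// Added example (not from the thread): arithmetic on untrusted text, no eval().
// Grammar: expr := term (('+'|'-') term)* ; term := unary (('*'|'/') unary)*
//          unary := '-' unary | number | '(' expr ')'
function tokenize(src) {
  const tokens = [];
  const re = /\s*(?:(\d+(?:\.\d+)?)|([-+*/()]))/y; // sticky: match only at pos
  let pos = 0;
  while (pos < src.length) {
    re.lastIndex = pos;
    const m = re.exec(src);
    if (!m) {
      if (src.slice(pos).trim() === '') break; // only trailing whitespace left
      throw new SyntaxError(`unexpected input at offset ${pos}`);
    }
    tokens.push(m[1] !== undefined ? { num: Number(m[1]) } : { op: m[2] });
    pos = re.lastIndex;
  }
  return tokens;
}

function safeEval(src, maxLen = 200) {
  // Bounding the length also bounds parenthesis nesting, so recursion stays shallow.
  if (typeof src !== 'string' || src.length > maxLen) throw new RangeError('bad input');
  const tokens = tokenize(src);
  let i = 0;
  const peek = () => (i < tokens.length ? tokens[i].op : undefined);
  function expr() {
    let v = term();
    while (peek() === '+' || peek() === '-') v = tokens[i++].op === '+' ? v + term() : v - term();
    return v;
  }
  function term() {
    let v = unary();
    while (peek() === '*' || peek() === '/') v = tokens[i++].op === '*' ? v * unary() : v / unary();
    return v;
  }
  function unary() {
    const t = tokens[i++];
    if (!t) throw new SyntaxError('unexpected end of expression');
    if (t.num !== undefined) return t.num;
    if (t.op === '-') return -unary();
    if (t.op !== '(') throw new SyntaxError(`unexpected '${t.op}'`);
    const v = expr();
    if (!tokens[i] || tokens[i++].op !== ')') throw new SyntaxError("expected ')'");
    return v;
  }
  const result = expr();
  if (i !== tokens.length) throw new SyntaxError('trailing tokens');
  return result;
}
```

Identifiers, property access and calls never reach the parser because the tokenizer has no rule for them, so input such as `process.exit(1)` fails with a `SyntaxError` rather than running.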



  • @loose said:

    Discuss

    (eval)


  • eval()?

    I think I'd complete this as follows:

    eval(user_expressions[1])? eval(user_expressions[2]) : eval(user_expressions[3]);
    

    Filed under: Oops, this isn't a job interview?


    Actually, I've made use of that in ECMAScript when I just wanted to test some expressions without having to save an editor document and reload a browser page each time. But are there any other legitimate usages? I very much doubt it. Especially not with hostile input.



  • Important but with a huge potential for misuse. A key part of any metacircular evaluator.



  • @anonymous234 said:

    But you can use it to implement self-modifying code which is otherwise impossible in most languages.

    Of course, you can always do that in C by modifying your own assembly. I think. :confused:

    Does Java even have an Eval() analogue? Maybe you could do something with running the compiler and using reflection or whatever to pull in the resulting class file? My "advanced" Java experience isn't exactly, well, advanced.



  • @aliceif said:

    Does VB.NET even have that?

    I'm afraid yes.

    The framework knows dynamic classes, and the MethodBuilder class (with e.g. the CreateMethodBody method) - this requires knowledge of the IL, though.

    And they even have a kind of tutorial to show the principles of how to build an expression interpreter. (Loading the symbols seems to be left as an exercise to the reader.)

    There must be more, but I didn't find it so far.


  • Discourse touched me in a no-no place

    eval()

    It's a power tool. We use power tools because they're useful, but we put guards on them because we also like to keep our fingers. Respect the tool, but don't be afraid of it. Be afraid of the tool using the tool unwisely…



  • Go kind of has it - a parser is part of the standard library, and there's an additional package golang.org/x/tools/go/ssa/interp that can run programs, including those that have imported that package.

    Bonus: The interpreter has a single global buffer for output, so good luck using it in a multithreaded program.



  • @PWolff said:

    There must be more, but I didn't find it so far.

    Well, there's Microsoft.CSharp.CSharpCodeProvider, Microsoft.VisualBasic.VBCodeProvider and CompileAssemblyFromSource(CompilerParameters options,params string[] sources).

    And yes, it's exactly as evil as it sounds.



  • @Maciejasjmj said:

    it's exactly as evial() as it sounds

    FTFM



  • @mrguyorama said:

    Does Java even have an Eval() analogue?

    For Java code no.


  • SockDev

    @Eldelshell said:

    For Java code no.

    just about the only thing Java did right, that.

    :tropical_drink:



  • :do_not_want.webm:

    I've got a C code generator lying around and even that makes me cringe



  • However, you can straight up evaluate JAVASCRIPT. WHY?

    Does Java really need the help of Javascript to do ANYTHING?

    :wtf:



  • From the Wikipedia:

    The Rhino project was started at Netscape in 1997. At the time, Netscape was planning to produce a version of Netscape Navigator written fully in Java

    There are efforts to port NodeJS to Java (ditching V8). But no, in 15 years I haven't seen any utility for this.


  • SockDev

    @Eldelshell said:

    There are efforts to port NodeJS to Java (ditching V8).

    :wtf: why?! V8 is miles ahead of Rhino!


  • Discourse touched me in a no-no place



  • @Eldelshell said:

    At the time, Netscape was planning to produce a version of Netscape Navigator written fully in Java

    In 1997, wow, that would have been incredibly stupid. Running the rendering engine entirely on top of already slow-at-the-time Java? On machines from 97? That would have been a legendarily slow and bad web browser.


  • Discourse touched me in a no-no place

    @mrguyorama said:

    That would have been a legendarily slow and bad web browser

    You'll note that such a beast never saw the light of day.


  • area_deu

    That site's got style.



  • <link rel="stylesheet" type="text/css" href="annoying.css" />

    EDIT: Oops, you were talking about the BeanShell site, that's not the site I was thinking it was about. That's actually not too bad, not great, but hardly as annoying as the one I had in mind.



  • But it should have been laughed out of the planning meeting.

    "I want to run slow ass javascript on top of a slow ass JVM"

    blank stares



  • There's a reason JavaScript was named JavaScript... politics.



  • "Java? Oh yeah I've used Javascript, totally the same right?"

    I hate you



  • I guess it's a good tool to have around, but I'm having trouble thinking of a good time to use it. If the source of the code being eval'ed is coming from another part of your program, then isn't there a better way to do that using actual design patterns? And if it's coming from an external source, then how can you ever validate it with enough confidence?



  • Notice "eval()" is almost never used in a smart way

    [citation needed]



  • @Eldelshell said:

    At the time, Netscape was planning to produce a version of Netscape Navigator written fully in Java

    And of course, the best way to do that is to put all the relevant code in the language's standard library.

    It's not like you can make your own libraries or anything.



  • @anonymous234 said:

    And of course, the best way to do that is to put all the relevant code in the language's standard library.

    Rhino wasn't a part of Java until Java8 when it was taken over by a JSR as Nashorn.



  • @mrguyorama said:

    Notice "eval()" is almost never used in a smart way

    Dynamic SQL is basically eval(), and sometimes it's the best / only way to accomplish what you're trying to do.

    It's still spiteful, but at least there's some rationale sometimes.


  • Discourse touched me in a no-no place

    @ufmace said:

    If the source of the code being eval'ed is coming from another part of your program, then isn't there a better way to do that using actual design patterns? And if it's coming from an external source, then how can you ever validate it with enough confidence?

    We've got a product that uses Beanshell to run user programs as part of a larger overall program. The ability to include snippets that run in a limited environment is extremely useful, and the ability to embed that within a wider environment that captures other information. In this case, the beanshells are adding custom processing that connects with other parts such as access to web services, talking to databases, file handling and so on. The extra info captured is a bit like a souped up set -x — if you know bash — and allows for tracking what was done much more precisely. You could write a completely custom program to do it in the language du jour, but that would be a shit-ton of work (because the stuff this sort of system is used for automating is really complicated, especially when it comes to working with crappy websites, of which there are far too many).

    Is the code trustable in this case? Well, the user probably wrote it, or got it from someone they trusted, so yes, it's trustable by them. If you're going to argue that that's not good enough, go right ahead, but I'll ignore you with good reason…



  • @accalia said:

    just about the only thing Java did right, that.

    And what about parentheses matching? Imagine a language where this would be syntactically correct:

    c <-< (a + * b]}; -

  • SockDev

    that is, unless i miss my guess legal intercal.

    then again most line noise is legal intercal.



  • How often does line noise produce the sequence for "Please Do"?


  • SockDev

    given a sufficiently long sequence of normally distributed line noise.... EVERY TIME!



  • @accalia said:

    normally distributed

    That's the kind of line noise I like to hear!

    Also, even that wouldn't produce "Do"'s and "Please Do"'s in the correct quantity and ratio. Not across the entire length of noise at least


  • SockDev

    obviously a significant portion of the line noise would need to be discarded but given the appropriate parse tokens this is possible.



  • And given

    @accalia said:

    normally distributed
    line noise, possible with any and every language. Also your program could include a massively accurate declaration of Pi


  • SockDev

    i imagine it would, yes.



  • Obviously this is a breakthrough unlike any other. I believe we should patent this "line noise" before somebody else comes up with this. Imagine: Any possible program, pre-written and perfect in every way! We will make trillions!


  • Discourse touched me in a no-no place

    @PWolff said:

    And what about parentheses matching? Imagine a language where this would be syntactically correct:

    c <-< (a + * b]}; -
    

    Long ago, I wrote a language that used different sorts of non-matching brackets to indicate kinds of stream operators. It was really succinct and powerful for the sorts of processing we were doing at the time. My boss looked at it for a bit, said “that's nice” and then ordered me to find another way to do it without unmatched brackets. :smile:

