
The root of all eval - jsnell
http://strangelyconsistent.org/blog/the-root-of-all-eval
======
malft
"It's just a normal function." No, it has magical access to the lexical scope.

~~~
adrianm
Isn't eval required to run in the null lexical environment? Or is that only
true in Lisp?

~~~
hdhzy
In JavaScript it depends on how it is invoked: eval(a) has access to scope
variables but x=eval;x(a) does not.
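As an added illustration of the direct/indirect distinction described in this comment (example code written for this page, not something from the thread or the linked article; the function names are my own): a direct call spelled exactly `eval(...)` runs the string in the caller's lexical scope, while reaching eval through an alias or the `(0, eval)` idiom makes it an indirect call that only sees the global scope (ECMAScript 5.1 §10.4.2 and §15.1.2.1).

```javascript
// Added example, not from the thread: direct vs indirect eval and what each can see.
// A direct call spelled exactly `eval(...)` evaluates the string in the caller's
// lexical scope. Any other way of reaching eval (an alias, `(0, eval)`,
// `globalThis.eval`) is an indirect call and runs in the global scope only.

function directEval(src) {
  const secret = 'local value'; // visible to a direct eval from this function
  return eval(src);             // direct call: `src` can read `secret`
}

function indirectEval(src) {
  const secret = 'local value'; // NOT visible to the call below
  const run = eval;             // aliasing eval makes the call indirect
  return run(src);              // global scope only: `secret` does not exist there
}

function commaIdiom(src) {
  const secret = 'local value'; // NOT visible to the call below either
  return (0, eval)(src);        // `(0, eval)` is the usual way to force an indirect eval
}

// In non-strict code a direct eval can also declare variables into the caller's
// scope (`eval('var injected = 1')` would leave `injected` defined here).
// Strict mode gives eval code its own variable environment, so nothing leaks out.
function strictDirectEvalIsContained() {
  'use strict';
  eval('var injected = 1');     // stays inside the eval's own environment
  return typeof injected;       // 'undefined': the caller never sees `injected`
}
```

The practical consequence for reviewers: `x = eval; x(a)` is not a cosmetic rename. It changes which bindings the evaluated string can reach, and code that relies on an indirect eval to keep local state out of reach will silently start leaking it if someone "simplifies" it back to a direct call.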

~~~
Gaelan
I am surprised that JavaScript can still surprise me.

~~~
hdhzy
I suggest reading the spec. 5.1 [0], although dated, is written in very easy to
understand language (well, most parts).

After that, fragments like this suddenly make sense:

    n = 1
    /1*"\/\//.test(n + '"//')

[0]: [https://www.ecma-international.org/ecma-262/5.1/](https://www.ecma-international.org/ecma-262/5.1/)

~~~
Gaelan
My favorite bit of wat.js is this:

    [1,2,3] + [4,5,6] // => "1,2,34,5,6"

I mean, it makes some degree of logical sense (toString -> concat) but there
is no reason that would ever be the intended behavior.

As for that expression, meh. You can write intentionally obtuse code in any
language. The problem with JS is the behavior that is different from what
you'd expect.

------
mijoharas
My biggest question about this is did the guy not understand why the flag was
called `MONKEY-SEE-NO-EVAL`? Because that name was my favourite part of the
article...

~~~
kmill
The article is called "The root of all eval." I think the author gets it.

~~~
jwilk
To me it looks like the author is oblivious of the pun in MONKEY-SEE-NO-EVAL,
even though he made the same pun in the title.

~~~
tragic
His point is merely that either this is a seriously bad idea that you should
never do, in which case you should not attempt to communicate it through a
silly pun, or it is acceptable, in which case it shouldn't be hidden behind a
compiler pragma.

------
keeperofdakeys
It's worth noting that eval in perl5 can be used with a codeblock to give
basic exception handling, in perl6 this functionality has been moved to try.
So while it's quite common to use eval in perl5, I'd expect much less usage in
perl6. The name change is probably a good reminder of this.

------
shakna
Perl6 has blocks, so eval already implicitly receives an environment from
within which to evaluate.

Why jump up and down screaming eval is super bad, when instead you could have
allowed users to specify the context of eval, _and made it safe to use_?

~~~
hyperpape
Is it really going to be safe to use? I don't know Perl that well, but it
feels like there's enough language features to make a safe eval harder than
writing your own parser for a DSL. That's certainly the case for Python:
[https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html](https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html)

~~~
shakna
Python's eval is crippled; it can't take a full environment.

Suppose for a moment that the scope of eval was truly an environment:

And you don't supply the resulting environment with anything but the functions
you want.

Not even the dot operator, let alone magic builtins.

Python's eval suddenly becomes much safer. Unfortunately such an eval is
harder to implement in Python, because every object carries its magic methods
with it, rather than looking them up elsewhere.
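To make the idea in this comment concrete, and to show the "write your own parser for a DSL" route from the comment above it, here is an added example in JavaScript; it is my own code, not anything from the thread or from Perl 6, and the grammar, the `safeEval`/`makeEnv` names and the sample environment are my choices. Rather than calling the language's eval at all, the input string is parsed into a tiny expression grammar (numbers, names, calls, `+ - * /`, parentheses) and interpreted against an environment that contains only what the caller put in it. There is no dot operator, and the environment has a null prototype, so names like `constructor` or `__proto__` resolve to nothing unless you bind them yourself.

```javascript
// Added example, not from the thread: an "eval" whose only authority is the
// environment you hand it. No property access, no builtins, no prototype chain.

function tokenize(src) {
  const tokens = [];
  const re = /\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_]\w*)|([-+*/(),]))/y; // sticky: no skipping
  src = src.trim();
  while (re.lastIndex < src.length) {
    const pos = re.lastIndex;
    const m = re.exec(src);
    if (!m) throw new SyntaxError(`unexpected input at position ${pos}`); // e.g. '.', '[', '='
    if (m[1] !== undefined) tokens.push({ type: 'num', value: Number(m[1]) });
    else if (m[2] !== undefined) tokens.push({ type: 'name', value: m[2] });
    else tokens.push({ type: 'op', value: m[3] });
  }
  return tokens;
}

// Recursive-descent parser for:  expr := term (('+'|'-') term)*
//                                 term := atom (('*'|'/') atom)*
//                                 atom := num | name | name '(' [expr {',' expr}] ')' | '(' expr ')' | '-' atom
function parse(tokens) {
  let i = 0;
  const peek = () => tokens[i];
  const next = () => tokens[i++];
  const expect = (value) => {
    const t = next();
    if (!t || t.value !== value) throw new SyntaxError(`expected '${value}'`);
  };
  function expr() {
    let node = term();
    while (peek() && (peek().value === '+' || peek().value === '-')) {
      node = { type: 'bin', op: next().value, left: node, right: term() };
    }
    return node;
  }
  function term() {
    let node = atom();
    while (peek() && (peek().value === '*' || peek().value === '/')) {
      node = { type: 'bin', op: next().value, left: node, right: atom() };
    }
    return node;
  }
  function atom() {
    const t = next();
    if (!t) throw new SyntaxError('unexpected end of input');
    if (t.type === 'num') return { type: 'num', value: t.value };
    if (t.type === 'name') {
      if (!(peek() && peek().value === '(')) return { type: 'name', value: t.value };
      next();
      const args = [];
      if (!(peek() && peek().value === ')')) {
        for (;;) {
          args.push(expr());
          if (peek() && peek().value === ',') { next(); continue; }
          break;
        }
      }
      expect(')');
      return { type: 'call', name: t.value, args };
    }
    if (t.value === '(') { const node = expr(); expect(')'); return node; }
    if (t.value === '-') return { type: 'bin', op: '-', left: { type: 'num', value: 0 }, right: atom() };
    throw new SyntaxError(`unexpected token '${t.value}'`);
  }
  const tree = expr();
  if (i !== tokens.length) throw new SyntaxError('trailing input');
  return tree;
}

// The environment is the whole universe the expression can see. Own properties
// only: a null-prototype object has no `constructor`, `__proto__`, `toString`...
function makeEnv(bindings) {
  const env = Object.create(null);
  for (const [k, v] of Object.entries(bindings)) env[k] = v;
  return env;
}
function lookup(env, name) {
  if (!Object.prototype.hasOwnProperty.call(env, name)) throw new ReferenceError(`${name} is not defined`);
  return env[name];
}
function evaluate(node, env) {
  switch (node.type) {
    case 'num': return node.value;
    case 'name': return lookup(env, node.value);
    case 'call': {
      const fn = lookup(env, node.name);
      if (typeof fn !== 'function') throw new TypeError(`${node.name} is not callable`);
      return fn(...node.args.map((a) => evaluate(a, env)));
    }
    case 'bin': {
      const l = evaluate(node.left, env), r = evaluate(node.right, env);
      return node.op === '+' ? l + r : node.op === '-' ? l - r : node.op === '*' ? l * r : l / r;
    }
  }
  throw new Error('unknown node');
}
function safeEval(src, env) { return evaluate(parse(tokenize(src)), env); }

// Constructed usage: only `max` and `x` exist inside the expression.
const demoEnv = makeEnv({ max: Math.max, x: 4 });
console.log(safeEval('max(1, 2) * 3 + x', demoEnv)); // 10
```

The point of the design is that the functions you place in the environment are the entire surface the expression can reach, so reviewing them is the whole audit; `x.y`, `a[0]` and `constructor` are syntax or reference errors rather than doorways. What this does not give you is a bound on resources: a bound function can still loop or allocate, which matches the E/Monte observation further down the thread that a capability-safe eval still leaves you with the infinite-loop problem.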

~~~
hyperpape
Interesting. Is there any language you or the sibling have used that does this
with eval, and does it find much use?

~~~
BuuQu9hu
E and Monte have safe eval() as a consequence of being object-based
capability-safe languages; there's no way to cause any effect outside eval()
worse than an infinite loop.

To the second part of your question: as you have undoubtedly noticed, you've
never heard of E nor Monte.

~~~
hyperpape
Funny that you say that. When I sat down at my machine at work, one of the 100
or so chrome tabs I had open was a page about The Vat:
[http://www.erights.org/elib/concurrency/vat.html](http://www.erights.org/elib/concurrency/vat.html).

~~~
BuuQu9hu
We have vat documentation too:
[http://monte.readthedocs.io/en/latest/vats.html](http://monte.readthedocs.io/en/latest/vats.html)

------
tshadwell
So in order to use a function that exposes the software to serious undue
security risk unless used correctly, the engineer is pushed to do research?
That really doesn't seem like a bad thing...

------
jes5199
expecting perl not to use silly names for things is like expecting clowns not
to wear big shoes

~~~
ch_sm
I lol'd.

