


Maybe there should be yet another kind of hook, which string and gsub libraries etc. would trigger from their internal loops.

Or maybe the execution time limit should be completely detached from the debug API.

It's fairly easy to make a portable "this function gives the execution time" setting for Lua compilation. But what and when should be done about that is another issue. The same mechanism could actually be used as a "performance counter" of sorts in Lua.

-asko


David Given wrote on 25.2.2009 at 2:25:


Alexander Gladysh wrote:
[...]
("xyzzy"):rep(1e7):gsub("(z+)", "Z")

This one takes 4 seconds on my box, and has just 9 instructions.

While one can take away IO from untrusted code, string library is
usually a requirement...

Of course, this *does* use an unreasonable amount of memory, which in
such an environment is probably going to be managed (apart from anything
else, Lua makes this very easy).

It's an important point, though. I wonder what the *most* malicious code
it's possible to write in an instruction-and-memory-limited Lua VM,
assuming no IO, of course? Could you, for example, persuade gsub to
continuously insert an empty string, or something similar?

--
┌─── dg@cowlark.com ───── http://www.cowlark.com ─────
│ "People who think they know everything really annoy those of us who
│ know we don't." --- Bjarne Stroustrup
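
An added example, not code from any poster in this thread: it runs the quoted one-liner under a per-instruction count hook to show how few VM instructions the hook sees against the CPU time spent, then reruns it with length-capped string functions installed in the string metatable. `MAX_LEN`, `BUDGET`, `run_limited` and `safe` are names and limits assumed for illustration.

```lua
-- Added example, not from the thread. MAX_LEN and BUDGET are assumed limits.
local MAX_LEN, BUDGET = 100000, 1000000

-- Run f under a count hook; return ok, err, VM instructions seen, CPU seconds.
local function run_limited(f)
  local seen = 0
  debug.sethook(function()
    seen = seen + 1
    if seen > BUDGET then error("instruction budget exceeded", 2) end
  end, "", 1)
  local t0 = os.clock()
  local ok, err = pcall(f)
  debug.sethook()
  return ok, err, seen, os.clock() - t0
end

-- Copy of the string library whose costly entry points refuse oversized work.
local safe = {}
for k, v in pairs(string) do safe[k] = v end
safe.rep = function(s, n, ...)
  if #tostring(s) * (tonumber(n) or 0) > MAX_LEN then
    error("rep: result would exceed " .. MAX_LEN .. " bytes", 2)
  end
  return string.rep(s, n, ...)
end
for _, name in ipairs({ "gsub", "find", "match", "gmatch" }) do
  local fn = string[name]
  safe[name] = function(s, ...)
    if #tostring(s) > MAX_LEN then
      error(name .. ": subject exceeds " .. MAX_LEN .. " bytes", 2)
    end
    return fn(s, ...)
  end
end

-- The snippet quoted in the thread; the result is discarded, not returned.
local function workload()
  local _ = ("xyzzy"):rep(1e7):gsub("(z+)", "Z")
end

print("hook only:", run_limited(workload))

-- Method calls on strings resolve through the shared string metatable, so the
-- capped table has to be installed there (this affects the whole Lua state).
local mt = getmetatable("")
local saved = mt.__index
mt.__index = safe
print("hook + caps:", run_limited(workload))
mt.__index = saved
```

The caps bound only the size of the subject string; they do not bound the cost of a backtracking pattern on a string that fits under the cap.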