AST in JSON format

Breton Slivka zen at zenpsycho.com
Tue Dec 8 19:30:25 PST 2009


On Wed, Dec 9, 2009 at 6:28 AM, Oliver Hunt <oliver at apple.com> wrote:
>
> On Dec 8, 2009, at 2:18 AM, David-Sarah Hopwood wrote:
>
>> Oliver Hunt wrote:

> I have also yet to see an actual developer centric use case -- the most frequently repeated use cases seem to be analysis tools used to ensure code can be run on a standard ES implementation while essentially being a stricter subset of ES.  The developer scenario for that is "developer wishes to use 'safe' subset of ES", not "developer wants to perform their own analysis"
>
> --Oliver

Run time mashups? As a developer, I now have access in some browsers
to a cross domain enabled getJSON method. Suppose I wanted to use that
to retrieve a JavaScript program from another server (perhaps some
kind of module repository), but since I don't trust external code, I
want to validate it before I compile it to a JS function, or run it.
This is, as you say, a code analysis task. However, in this case, the
developer wants to ensure that someone else is using a safe subset of
JS, rather than, as you put it, the developer simply wanting to ensure
their own code is in the safe subset.

Right now there are projects to do this (Caja, ADsafe), but to do a
runtime check requires that the user download a full JS parser and
validator. If part of the parsing task was built into the browser,
there would be less code to download, and the verification would run
much faster. This has real implications for users and developers, and
would enable new and novel uses for JS in a browser, and distributed
code modules.

Perhaps most of this is possible with just a hermetic eval, or some
kind of worker-inspired API as Crockford suggested once, however
consider this:

There is a nice function in JS called map which takes a function. If
that function could be guaranteed to have certain properties (such as
being referentially transparent), then map could be safely broken up
into parts and run in parallel, with perhaps a worker API
implementation.  You could do that now, but it requires some degree of
faith that the provided function doesn't do anything naughty. You
would not be able to accept such a function from a user, or from an
external server.

Anyway, I'm sure there are other uses. Just a thought.
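
The validation step described in the message above, as an added example that is not part of the original post and is not code from Caja or ADsafe: an allowlist check over a function's AST after it has been fetched as JSON and parsed. It assumes ESTree-style node objects, which the thread does not specify; `validateFunctionAst`, `checkNode` and the chosen subset are hypothetical, and passing the check is a structural guarantee only, not a proof of referential transparency (operators applied to object arguments can still invoke `valueOf`).

```javascript
// Added example. Assumption: ESTree-style nodes ({ type, ... }); the thread names no format.
// Allowlisted node types, each with the child fields the validator walks.
const CHILDREN = {
  BlockStatement: ["body"], ReturnStatement: ["argument"], UnaryExpression: ["argument"],
  BinaryExpression: ["left", "right"], LogicalExpression: ["left", "right"],
  ConditionalExpression: ["test", "consequent", "alternate"], Identifier: [], Literal: [],
};
const OPERATORS = new Set("+ - * / % < > <= >= === !== && || ! ~".split(" "));
const IDENT = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function checkNode(node, params, path, errors) {
  // Fail closed: reject anything that is not a known node with a string type.
  if (node === null || typeof node !== "object" || typeof node.type !== "string" ||
      !Object.prototype.hasOwnProperty.call(CHILDREN, node.type)) {
    errors.push(`${path}: node type not allowed: ${JSON.stringify(node && node.type)}`);
    return;
  }
  for (const [key, value] of Object.entries(node)) {
    if (CHILDREN[node.type].includes(key)) {
      const kids = Array.isArray(value) ? value : [value];
      kids.forEach((kid, i) => checkNode(kid, params, `${path}.${key}[${i}]`, errors));
    } else if (value !== null && typeof value === "object") {
      errors.push(`${path}.${key}: unexpected subtree`); // would escape validation
    }
  }
  if ("operator" in node && !OPERATORS.has(node.operator))
    errors.push(`${path}: operator not allowed: ${JSON.stringify(node.operator)}`);
  if (node.type === "Identifier" && !params.has(node.name))
    errors.push(`${path}: free identifier: ${JSON.stringify(node.name)}`);
}

// Returns a list of violations; an empty list means the AST is inside the subset.
function validateFunctionAst(ast) {
  if (!ast || ast.type !== "FunctionExpression" || !Array.isArray(ast.params))
    return ["root: expected a FunctionExpression"];
  const errors = [], params = new Set();
  for (const p of ast.params) {
    if (p && p.type === "Identifier" && typeof p.name === "string" && IDENT.test(p.name))
      params.add(p.name);
    else errors.push("params: only plain identifiers are allowed");
  }
  checkNode(ast.body, params, "body", errors);
  return errors;
}

// Constructed sample input, shaped as JSON.parse would return it for untrusted text.
const id = (name) => ({ type: "Identifier", name });
const fn = (expr) => ({ type: "FunctionExpression", params: [id("x")],
  body: { type: "BlockStatement", body: [{ type: "ReturnStatement", argument: expr }] } });
console.log(validateFunctionAst(fn({ type: "UnaryExpression", operator: "-", argument: id("x") })));
```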

