JavaScript – Is eval the defmacro of JavaScript?

javascriptlisp

In Common Lisp, defmacro basically allows us to build our own DSL.

I read this page today and it explains something cleverly done:

But I wasn't about to write out all these boring predicates myself, so I defined a function that, given a list of words, builds up the text for such a predicate automatically, and then evals it to produce a function.

Which just looks like defmacro to me.

Is eval the defmacro of javascript? Could it be used as such?

Best Answer

It can, but it's more dangerous.

defmacro has three main features:

It runs at compile time;
It is a genuine in-place substitution; and
Because of the whole nature of Lisp syntax, it works at an AST level, not a source-code level.

By contrast, eval:

Executes at runtime;
Is not an in-place substitution; and
Works with strings.

Why does this matter?

First, eval has a speed penalty: because it has to evaluate its arguments every single time it's called, instead of just once at compile time, you'll have a speed hit on each run of the program.

Second, there is no compile-time validation that the eval is actually getting passed something sane. You can have a horrible syntax error in your eval argument (or, worse, a horrible syntax error only when called in certain ways), but it won't be caught until runtime far down the road. Because Lisp macros are compile-time, you can't have that. Your macro might not work, mind you, but it'll compile by definition to something valid.

Third, eval has serious safety issues compared to defmacro. Because Lisp macros work with the AST, there's a high degree of safety. No matter what argument you supply the macro at runtime, those arguments can't allow a malicious caller to "escape" the macro, or call malicious code. That's not true of eval: if you don't think through your string escapes very, very carefully, and you allow any form of user-generated input into the eval string, you're risking allowing malicious code to run.

Okay, but, whatever, I can hear you say. The user would have to do that to himself, and it's already his browser, so why care?

Because there are lots of ways to inject scripts in that situation. Cross-site script requests, for example, or forgetting to escape a string properly that you store in a database. There are lots of ways of getting malicious values into those macros--and the moment that happens, your users' data is toast.

Finally, even if all of that doesn't dissuade you, JavaScript's eval in particular is simply less powerful. There are odd ways that it interacts with the enclosing variable scope and the global variable scope, for example, and there's no sane way to do the equivalent of Common Lisp's gensym for variable hygiene.

Can you use eval in some of the places you might use defmacro? Sure. But they are hardly interchangeable, and I hope that the above explanation makes it clear why absolutely zero good JavaScript frameworks I know use eval.

Instead, if you really find yourself wanting macros, go find a compiles-to-JavaScript language that has them, such as ClojureScript. That way, you'll get the benefits of Lisp macros without the drawbacks of eval.

Related Solutions

Avoiding the New Operator in JavaScript – Better Alternatives

Firstly arguments.callee is deprecated in ES5 strict so we don't use it. The real solution is rather simple.

You don't use new at all.

var Make = function () {
  if (Object.getPrototypeOf(this) !== Make.prototype) {
    var o = Object.create(Make.prototype);
    o.constructor.apply(o, arguments);
    return o;
  }
  ...
}

That's a right pain in the ass right?

Try enhance

var Make = enhance(function () {
  ...
});

var enhance = function (constr) {
  return function () {
    if (Object.getPrototypeOf(this) !== constr.prototype) {
      var o = Object.create(constr.prototype);
      constr.apply(o, arguments);
      return o;
    }
    return constr.apply(this, arguments);
  }
}

Now of course this requires ES5, but everyone uses the ES5-shim right?

You may also be interested in alternative js OO patterns

As an aside you can replace option two with

var Make = function () {
  var that = Object.create(Make.prototype);
  // use that 

  return that;
}

In case you want your own ES5 Object.create shim then it's really easy

Object.create = function (proto) {
  var dummy = function () {};
  dummy.prototype = proto;
  return new dummy;
};

Javascript – Alternative for eval() in javascript for expression evaluation

What you are looking for is a simple expression language that can be evaluated from within ECMAScript (which is just another way of saying there exists an interpreter written in ECMAScript). Thankfully, such a language and interpreter already exists: Jexl.

Jexl is a simple ECMAScript expression language that features pretty much everything you listed:

unary and binary operators, mathematical, logical and string operations,
comparison operators,
a conditional operator, and
you can pass a context object whose properties can be accessed like global variables in the expression.

This last one is not exactly what you are asking about, because you were asking about accessing arbitrary ECMAScript identifiers, but it is arguably more safe: you can only access what is explicitly passed in. And if you really wanted to, you could pass in the context object { window: window } and then your expression has access to the global window object and can do every evil thing you never imagined.

It also has some features you didn't list:

collections with filter operations: listOfPeople[.name == "John"] will return a sub-array of listOfPeople with only those people whose name property is "John" and
transformation pipelines: "A;B;C"|lower|split(";") // => ["a", "b", "c"].

It sounds like this is exactly what you are looking for.

Best Answer

Related Solutions

Avoiding the New Operator in JavaScript – Better Alternatives

Javascript – Alternative for eval() in javascript for expression evaluation

Related Topic