11

We can evaluate the two expression in two possible ways:

   set a 1
   set b 1
   puts [expr $a + $b ]
   puts [expr {$a + $b } ]

But why hate experienced Tclers the first one, and consider it as bad practice? Does the first usage of expr has some security concern?

Johannes Kuhn
  • 14,778
  • 4
  • 49
  • 73
made_in_india
  • 2,109
  • 5
  • 40
  • 63

3 Answers3

18

The "problem" with expr is that it implements its own "mini language", which includes, among other things, variable substitution (replacing those $a-s with their values) and command substitution (replacing those [command ...] things with the results of running commands), so basically the process of evaluating expr $a + $b goes like this:

  1. The Tcl interpreter parses out four words — expr, $a, + and $b out of the source string. Since two of these words begin with $, variable substitution takes place so really there will be expr, 1, +, and 2.
  2. As usually, the first word is taken to be the name of a command, and others are arguments to it, so the Tcl interpreter looks up a command named expr, and executes it passing it the three arguments: 1, +, and 2.
  3. The implementation if expr then concatenates all the arguments passed to it interpreting them as strings, obtaining a string 1 + 2.
  4. This string is then parsed again — this time by the expr machinery, according to its own rules which include variable- and command substitutions, as already mentioned.

What follows:

  • If you brace your expressions, like in expr {$a + $b}, grouping provided by those curly braces inhibits interpretation by the Tcl interpreter1 of the script intended to be parsed by expr itself. This means in our toy example the expr command would see exactly one argument, $a + $b, and will perform substitutions itself.

  • "Double parsing" explained above might lead to security problems.

    For example, in the following code

    set a {[exec echo rm -rf $::env(HOME)]}
set b 2
expr $a + $b

    The expr command will itself parse a string [exec echo rm -rf $::env(HOME)] + 2. Its evaluation will fail, but by that time, the contents of your home directory will be supposedly gone. (Note that a kind Tcler placed echo in front of rm in a later edit to my answer in an attempt to save the necks of random copypasters, so the command as written won't call rm but if you remove echo from it, it will.)

  • Double parsing inhibits certain optimisations the Tcl engine can do when dealing with calls to expr.

1 Well, almost — "backslash+newline" sequences are still processed even inside {...} blocks.

kostix
  • 51,517
  • 14
  • 93
  • 176
  • +1 really interesting read. I didn't know about this in such detail! – Jerry Jul 03 '13 at 17:47
  • 2
    'certain optimizations' like a massive speedup 80% of your code. (according to http://wiki.tcl.tk/10225 ) – schlenk Jul 03 '13 at 18:47
  • 2
    The longer the expression, the more the speedup. – Donal Fellows Jul 03 '13 at 19:32
  • Is there a solution for when the entire epxression including operator is in a variable e.g`set a 55 set b 66 set c "$a == $b" expr {$c}` – TrojanName Feb 03 '22 at 17:02
  • @TrojanName, I think you're confused a bit. The problem has nothing to do with "the entire expression being in a variable"—rather, it's with using double-quoted strings to create the string to be put into that variable: when you do `set c "$a == $b"`, you do not get the string `$a == $b` in the variable, instead, you get `55 == 66` because the interpreter had interpolated `$a` and `$b` in `"..."`. If you'd do `set c {$a == $b}` instead, there would be no problem with doing `expr $c` directly. – kostix Feb 03 '22 at 17:46
  • Hi @kostix, thanks but I'm still confused. The output of expr in this case should be a boolean. So, I know that expr returns 1 or 0 when evaluating boolean expressions, so I would expect `expr {$c}` to return either 1 or 0. It works fine if I don't use the curlies. – TrojanName Feb 03 '22 at 22:54
  • @TrojanName, no this is a rather basic misunderstanding ;-) When you do `expr {$c}`, Tcl first expands those curlies, and passes the string `$c`, verbatim, as the sole argument to the command `expr`. The latter then processes that string as a script in its own mini-language and does what it says, and it basically says "perform variable expansion and return the result". Notice that it's not "perform variable expansion and interpret its result as another `expr`-script to evaluate"! – kostix Feb 04 '22 at 11:20
12

It most certainly has security issues. In particular, it will treat the variables' contents as expression fragments rather than values, and this lets all sort of problems occur. If that's not enough, the same problems also totally slay performance because there is no way to generate reasonably optimal code for it: the bytecode generated will be far less efficient since all it can do is assemble the expression string and send it for a second round of parsing.

Let's drill down to the details

% tcl::unsupported::disassemble lambda {{} {
    set a 1; set b 2
    puts [expr {$a + $b}]
    puts [expr $a + $b]
}}
ByteCode 0x0x50910, refCt 1, epoch 3, interp 0x0x31c10 (epoch 3)
  Source "\n    set a 1; set b 2\n    puts [expr {$a + $b}]\n    put"
  Cmds 6, src 72, inst 65, litObjs 5, aux 0, stkDepth 6, code/src 0.00
  Proc 0x0x6d750, refCt 1, args 0, compiled locals 2
      slot 0, scalar, "a"
      slot 1, scalar, "b"
  Commands 6:
      1: pc 0-4, src 5-11          2: pc 5-18, src 14-20
      3: pc 19-37, src 26-46       4: pc 21-34, src 32-45
      5: pc 38-63, src 52-70       6: pc 40-61, src 58-69
  Command 1: "set a 1"
    (0) push1 0     # "1"
    (2) storeScalar1 %v0    # var "a"
    (4) pop 
  Command 2: "set b 2"
    (5) startCommand +13 1  # next cmd at pc 18
    (14) push1 1    # "2"
    (16) storeScalar1 %v1   # var "b"
    (18) pop 
  Command 3: "puts [expr {$a + $b}]"
    (19) push1 2    # "puts"
  Command 4: "expr {$a + $b}"
    (21) startCommand +14 1     # next cmd at pc 35
    (30) loadScalar1 %v0    # var "a"
    (32) loadScalar1 %v1    # var "b"
    (34) add 
    (35) invokeStk1 2 
    (37) pop 
  Command 5: "puts [expr $a + $b]"
    (38) push1 2    # "puts"
  Command 6: "expr $a + $b"
    (40) startCommand +22 1     # next cmd at pc 62
    (49) loadScalar1 %v0    # var "a"
    (51) push1 3    # " "
    (53) push1 4    # "+"
    (55) push1 3    # " "
    (57) loadScalar1 %v1    # var "b"
    (59) concat1 5 
    (61) exprStk 
    (62) invokeStk1 2 
    (64) done

In particular, look at the addresses 30–34 (the compilation of expr {$a + $b}) and compare with addresses 49–61 (the compilation of expr $a + $b). The optimal code reads the values out of the two variables and just adds them; the unbraced code has to read the variables and concatenate with the literal parts of the expression, and then fires the result into exprStk which is the “evaluate an expression string” operation. (The relative number of bytecodes isn't the problem; the problem is the runtime evaluation.)

For how fundamental these differences could be, consider setting a to 1 || 0 and b to [exit 1]. In the case of the precompiled version, Tcl will just try to treat both sides as numbers to add (neither of which is actually numeric; you'll get an error). In the case of the dynamic version… well, can you predict it by inspection?

So what do you do?

Optimal Tcl code should always limit the amount of runtime evaluation of expressions it performs; you can usually get it down to nothing at all unless you're doing something that takes an expression defined by the user or something like that. Where you have to have it, try to generate a single expression string in a variable and then just use expr $thatVar rather than anything more complex. If you're wanting to do adding a list of numbers (or generally applying any operator to combine them), consider using this:

set sum [tcl::mathop::+ {*}$theList]

instead of:

set sum [expr [join $theList "+"]]

(Also, never use a dynamic expression with if, for or while as that will suppress a lot of compilation.)

Remember, with Tcl it's (usually) the case that safe code is fast code. You want fast and safe code, right?

Donal Fellows
  • 133,037
  • 18
  • 149
  • 215
4
  • Without the braces, the parameters of expr are converted first to string, and then back again to numbers.
  • Without braces, they are prone to injection attacks very similar to SQL injection attacks.
  • You can get rounding errors you wouldn't want if you don't use braces.
  • With the braces, the expressions can be compiled.

I based this on Johannes Kuhn's answer which was posted a while back, and you can find out in numbers, how the braced functions are more efficient on the wiki, along with other interesting stuff about the differences and where you can omit the braces to actually get the results you want.

Community
  • 1
  • 1
Jerry
  • 70,495
  • 13
  • 100
  • 144