Provided by: tcl8.5-doc_8.5.19-4_all 
NAME
interp - Create and manipulate Tcl interpreters
SYNOPSIS
interp subcommand ?arg arg ...?
_________________________________________________________________________________________________
DESCRIPTION
This command makes it possible to create one or more new Tcl interpreters that co-exist
with the creating interpreter in the same application. The creating interpreter is called
the master and the new interpreter is called a slave. A master can create any number of
slaves, and each slave can itself create additional slaves for which it is master,
resulting in a hierarchy of interpreters.
Each interpreter is independent from the others: it has its own name space for commands,
procedures, and global variables. A master interpreter may create connections between its
slaves and itself using a mechanism called an alias. An alias is a command in a slave
interpreter which, when invoked, causes a command to be invoked in its master interpreter
or in another slave interpreter. The only other connections between interpreters are
through environment variables (the env variable), which are normally shared among all
interpreters in the application, and by resource limit exceeded callbacks. Note that the │
name space for files (such as the names returned by the open command) is no longer shared
between interpreters. Explicit commands are provided to share files and to transfer
references to open files from one interpreter to another.
The interp command also provides support for safe interpreters. A safe interpreter is a
slave whose functions have been greatly restricted, so that it is safe to execute
untrusted scripts without fear of them damaging other interpreters or the application's
environment. For example, all IO channel creation commands and subprocess creation
commands are made inaccessible to safe interpreters. See SAFE INTERPRETERS below for more
information on what features are present in a safe interpreter. The dangerous
functionality is not removed from the safe interpreter; instead, it is hidden, so that
only trusted interpreters can obtain access to it. For a detailed explanation of hidden
commands, see HIDDEN COMMANDS, below. The alias mechanism can be used for protected
communication (analogous to a kernel call) between a slave interpreter and its master.
See ALIAS INVOCATION, below, for more details on how the alias mechanism works.
A qualified interpreter name is a proper Tcl lists containing a subset of its ancestors in
the interpreter hierarchy, terminated by the string naming the interpreter in its
immediate master. Interpreter names are relative to the interpreter in which they are
used. For example, if a is a slave of the current interpreter and it has a slave a1, which
in turn has a slave a11, the qualified name of a11 in a is the list a1 a11.
The interp command, described below, accepts qualified interpreter names as arguments; the
interpreter in which the command is being evaluated can always be referred to as {} (the
empty list or string). Note that it is impossible to refer to a master (ancestor)
interpreter by name in a slave interpreter except through aliases. Also, there is no
global name by which one can refer to the first interpreter created in an application.
Both restrictions are motivated by safety concerns.
THE INTERP COMMAND
The interp command is used to create, delete, and manipulate slave interpreters, and to
share or transfer channels between interpreters. It can have any of several forms,
depending on the subcommand argument:
interp alias srcPath srcToken
Returns a Tcl list whose elements are the targetCmd and args associated with the
alias represented by srcToken (this is the value returned when the alias was
created; it is possible that the name of the source command in the slave is
different from srcToken).
interp alias srcPath srcToken {}
Deletes the alias for srcToken in the slave interpreter identified by srcPath.
srcToken refers to the value returned when the alias was created; if the source
command has been renamed, the renamed command will be deleted.
interp alias srcPath srcCmd targetPath targetCmd ?arg arg ...?
This command creates an alias between one slave and another (see the alias slave
command below for creating aliases between a slave and its master). In this
command, either of the slave interpreters may be anywhere in the hierarchy of
interpreters under the interpreter invoking the command. SrcPath and srcCmd
identify the source of the alias. SrcPath is a Tcl list whose elements select a
particular interpreter. For example, “a b” identifies an interpreter b, which is a
slave of interpreter a, which is a slave of the invoking interpreter. An empty
list specifies the interpreter invoking the command. srcCmd gives the name of a
new command, which will be created in the source interpreter. TargetPath and
targetCmd specify a target interpreter and command, and the arg arguments, if any,
specify additional arguments to targetCmd which are prepended to any arguments
specified in the invocation of srcCmd. TargetCmd may be undefined at the time of
this call, or it may already exist; it is not created by this command. The alias
arranges for the given target command to be invoked in the target interpreter
whenever the given source command is invoked in the source interpreter. See ALIAS
INVOCATION below for more details. The command returns a token that uniquely
identifies the command created srcCmd, even if the command is renamed afterwards.
The token may but does not have to be equal to srcCmd.
interp aliases ?path?
This command returns a Tcl list of the tokens of all the source commands for
aliases defined in the interpreter identified by path. The tokens correspond to the
values returned when the aliases were created (which may not be the same as the
current names of the commands).
interp bgerror path ?cmdPrefix?
This command either gets or sets the current background error handler for the │
interpreter identified by path. If cmdPrefix is absent, the current background │
error handler is returned, and if it is present, it is a list of words (of minimum │
length one) that describes what to set the interpreter's background error to. See │
the BACKGROUND ERROR HANDLING section for more details.
interp create ?-safe? ?--? ?path?
Creates a slave interpreter identified by path and a new command, called a slave
command. The name of the slave command is the last component of path. The new slave
interpreter and the slave command are created in the interpreter identified by the
path obtained by removing the last component from path. For example, if path is a b
c then a new slave interpreter and slave command named c are created in the
interpreter identified by the path a b. The slave command may be used to
manipulate the new interpreter as described below. If path is omitted, Tcl creates
a unique name of the form interpx, where x is an integer, and uses it for the
interpreter and the slave command. If the -safe switch is specified (or if the
master interpreter is a safe interpreter), the new slave interpreter will be
created as a safe interpreter with limited functionality; otherwise the slave will
include the full set of Tcl built-in commands and variables. The -- switch can be
used to mark the end of switches; it may be needed if path is an unusual value
such as -safe. The result of the command is the name of the new interpreter. The
name of a slave interpreter must be unique among all the slaves for its master; an
error occurs if a slave interpreter by the given name already exists in this
master. The initial recursion limit of the slave interpreter is set to the current
recursion limit of its parent interpreter.
interp debug path ?-frame ?bool??
Controls whether frame-level stack information is captured in the slave interpreter
identified by path. If no arguments are given, option and current setting are
returned. If -frame is given, the debug setting is set to the given boolean if
provided and the current setting is returned. This only effects the output of info
frame, in that exact frame-level information for command invocation at the bytecode
level is only captured with this setting on.
For example, with code like
proc mycontrol {... script} {
...
uplevel 1 $script
...
}
proc dosomething {...} {
...
mycontrol {
somecode
}
}
the standard setting will provide a relative line number for the command somecode
and the relevant frame will be of type eval. With frame-debug active on the other
hand the tracking extends so far that the system will be able to determine the file
and absolute line number of this command, and return a frame of type source. This
more exact information is paid for with slower execution of all commands.
interp delete ?path ...?
Deletes zero or more interpreters given by the optional path arguments, and for
each interpreter, it also deletes its slaves. The command also deletes the slave
command for each interpreter deleted. For each path argument, if no interpreter by
that name exists, the command raises an error.
interp eval path arg ?arg ...?
This command concatenates all of the arg arguments in the same fashion as the
concat command, then evaluates the resulting string as a Tcl script in the slave
interpreter identified by path. The result of this evaluation (including all return
options, such as -errorinfo and -errorcode information, if an error occurs) is
returned to the invoking interpreter. Note that the script will be executed in the
current context stack frame of the path interpreter; this is so that the
implementations (in a master interpreter) of aliases in a slave interpreter can
execute scripts in the slave that find out information about the slave's current
state and stack frame.
interp exists path
Returns 1 if a slave interpreter by the specified path exists in this master, 0
otherwise. If path is omitted, the invoking interpreter is used.
interp expose path hiddenName ?exposedCmdName?
Makes the hidden command hiddenName exposed, eventually bringing it back under a
new exposedCmdName name (this name is currently accepted only if it is a valid
global name space name without any ::), in the interpreter denoted by path. If an
exposed command with the targeted name already exists, this command fails. Hidden
commands are explained in more detail in HIDDEN COMMANDS, below.
interp hide path exposedCmdName ?hiddenCmdName?
Makes the exposed command exposedCmdName hidden, renaming it to the hidden command
hiddenCmdName, or keeping the same name if hiddenCmdName is not given, in the
interpreter denoted by path. If a hidden command with the targeted name already
exists, this command fails. Currently both exposedCmdName and hiddenCmdName can
not contain namespace qualifiers, or an error is raised. Commands to be hidden by
interp hide are looked up in the global namespace even if the current namespace is
not the global one. This prevents slaves from fooling a master interpreter into
hiding the wrong command, by making the current namespace be different from the
global one. Hidden commands are explained in more detail in HIDDEN COMMANDS,
below.
interp hidden path
Returns a list of the names of all hidden commands in the interpreter identified by
path.
interp invokehidden path ?-option ...? hiddenCmdName ?arg ...?
Invokes the hidden command hiddenCmdName with the arguments supplied in the
interpreter denoted by path. No substitutions or evaluation are applied to the
arguments. Three -options are supported, all of which start with -: -namespace
(which takes a single argument afterwards, nsName), -global, and --. If the
-namespace flag is present, the hidden command is invoked in the namespace called
nsName in the target interpreter. If the -global flag is present, the hidden
command is invoked at the global level in the target interpreter; otherwise it is
invoked at the current call frame and can access local variables in that and outer
call frames. The -- flag allows the hiddenCmdName argument to start with a “-”
character, and is otherwise unnecessary. If both the -namespace and -global flags
are present, the -namespace flag is ignored. Note that the hidden command will be
executed (by default) in the current context stack frame of the path interpreter.
Hidden commands are explained in more detail in HIDDEN COMMANDS, below.
interp limit path limitType ?-option? ?value ...?
Sets up, manipulates and queries the configuration of the resource limit limitType │
for the interpreter denoted by path. If no -option is specified, return the │
current configuration of the limit. If -option is the sole argument, return the │
value of that option. Otherwise, a list of -option/value argument pairs must │
supplied. See RESOURCE LIMITS below for a more detailed explanation of what limits │
and options are supported.
interp issafe ?path?
Returns 1 if the interpreter identified by the specified path is safe, 0 otherwise.
interp marktrusted path
Marks the interpreter identified by path as trusted. Does not expose the hidden
commands. This command can only be invoked from a trusted interpreter. The command
has no effect if the interpreter identified by path is already trusted.
interp recursionlimit path ?newlimit?
Returns the maximum allowable nesting depth for the interpreter specified by path.
If newlimit is specified, the interpreter recursion limit will be set so that
nesting of more than newlimit calls to Tcl_Eval() and related procedures in that
interpreter will return an error. The newlimit value is also returned. The
newlimit value must be a positive integer between 1 and the maximum value of a non-
long integer on the platform.
The command sets the maximum size of the Tcl call stack only. It cannot by itself
prevent stack overflows on the C stack being used by the application. If your
machine has a limit on the size of the C stack, you may get stack overflows before
reaching the limit set by the command. If this happens, see if there is a mechanism
in your system for increasing the maximum size of the C stack.
interp share srcPath channelId destPath
Causes the IO channel identified by channelId to become shared between the
interpreter identified by srcPath and the interpreter identified by destPath. Both
interpreters have the same permissions on the IO channel. Both interpreters must
close it to close the underlying IO channel; IO channels accessible in an
interpreter are automatically closed when an interpreter is destroyed.
interp slaves ?path?
Returns a Tcl list of the names of all the slave interpreters associated with the
interpreter identified by path. If path is omitted, the invoking interpreter is
used.
interp target path alias
Returns a Tcl list describing the target interpreter for an alias. The alias is
specified with an interpreter path and source command name, just as in interp alias
above. The name of the target interpreter is returned as an interpreter path,
relative to the invoking interpreter. If the target interpreter for the alias is
the invoking interpreter then an empty list is returned. If the target interpreter
for the alias is not the invoking interpreter or one of its descendants then an
error is generated. The target command does not have to be defined at the time of
this invocation.
interp transfer srcPath channelId destPath
Causes the IO channel identified by channelId to become available in the
interpreter identified by destPath and unavailable in the interpreter identified by
srcPath.
SLAVE COMMAND
For each slave interpreter created with the interp command, a new Tcl command is created
in the master interpreter with the same name as the new interpreter. This command may be
used to invoke various operations on the interpreter. It has the following general form:
slave command ?arg arg ...?
Slave is the name of the interpreter, and command and the args determine the exact
behavior of the command. The valid forms of this command are:
slave aliases
Returns a Tcl list whose elements are the tokens of all the aliases in slave. The
tokens correspond to the values returned when the aliases were created (which may
not be the same as the current names of the commands).
slave alias srcToken
Returns a Tcl list whose elements are the targetCmd and args associated with the
alias represented by srcToken (this is the value returned when the alias was
created; it is possible that the actual source command in the slave is different
from srcToken).
slave alias srcToken {}
Deletes the alias for srcToken in the slave interpreter. srcToken refers to the
value returned when the alias was created; if the source command has been renamed,
the renamed command will be deleted.
slave alias srcCmd targetCmd ?arg ..?
Creates an alias such that whenever srcCmd is invoked in slave, targetCmd is
invoked in the master. The arg arguments will be passed to targetCmd as additional
arguments, prepended before any arguments passed in the invocation of srcCmd. See
ALIAS INVOCATION below for details. The command returns a token that uniquely
identifies the command created srcCmd, even if the command is renamed afterwards.
The token may but does not have to be equal to srcCmd.
slave bgerror ?cmdPrefix?
This command either gets or sets the current background error handler for the slave │
interpreter. If cmdPrefix is absent, the current background error handler is │
returned, and if it is present, it is a list of words (of minimum length one) that │
describes what to set the interpreter's background error to. See the BACKGROUND │
ERROR HANDLING section for more details.
slave eval arg ?arg ..?
This command concatenates all of the arg arguments in the same fashion as the
concat command, then evaluates the resulting string as a Tcl script in slave. The
result of this evaluation (including all return options, such as -errorinfo and
-errorcode information, if an error occurs) is returned to the invoking
interpreter. Note that the script will be executed in the current context stack
frame of slave; this is so that the implementations (in a master interpreter) of
aliases in a slave interpreter can execute scripts in the slave that find out
information about the slave's current state and stack frame.
slave expose hiddenName ?exposedCmdName?
This command exposes the hidden command hiddenName, eventually bringing it back
under a new exposedCmdName name (this name is currently accepted only if it is a
valid global name space name without any ::), in slave. If an exposed command with
the targeted name already exists, this command fails. For more details on hidden
commands, see HIDDEN COMMANDS, below.
slave hide exposedCmdName ?hiddenCmdName?
This command hides the exposed command exposedCmdName, renaming it to the hidden
command hiddenCmdName, or keeping the same name if the argument is not given, in
the slave interpreter. If a hidden command with the targeted name already exists,
this command fails. Currently both exposedCmdName and hiddenCmdName can not
contain namespace qualifiers, or an error is raised. Commands to be hidden are
looked up in the global namespace even if the current namespace is not the global
one. This prevents slaves from fooling a master interpreter into hiding the wrong
command, by making the current namespace be different from the global one. For
more details on hidden commands, see HIDDEN COMMANDS, below.
slave hidden
Returns a list of the names of all hidden commands in slave.
slave invokehidden ?-option ...? hiddenName ?arg ..?
This command invokes the hidden command hiddenName with the supplied arguments, in
slave. No substitutions or evaluations are applied to the arguments. Three -options
are supported, all of which start with -: -namespace (which takes a single argument
afterwards, nsName), -global, and --. If the -namespace flag is given, the hidden
command is invoked in the specified namespace in the slave. If the -global flag is
given, the command is invoked at the global level in the slave; otherwise it is
invoked at the current call frame and can access local variables in that or outer
call frames. The -- flag allows the hiddenCmdName argument to start with a “-”
character, and is otherwise unnecessary. If both the -namespace and -global flags
are given, the -namespace flag is ignored. Note that the hidden command will be
executed (by default) in the current context stack frame of slave. For more
details on hidden commands, see HIDDEN COMMANDS, below.
slave issafe
Returns 1 if the slave interpreter is safe, 0 otherwise.
slave limit limitType ?-option? ?value ...?
Sets up, manipulates and queries the configuration of the resource limit limitType │
for the slave interpreter. If no -option is specified, return the current │
configuration of the limit. If -option is the sole argument, return the value of │
that option. Otherwise, a list of -option/value argument pairs must supplied. See │
RESOURCE LIMITS below for a more detailed explanation of what limits and options │
are supported.
slave marktrusted
Marks the slave interpreter as trusted. Can only be invoked by a trusted
interpreter. This command does not expose any hidden commands in the slave
interpreter. The command has no effect if the slave is already trusted.
slave recursionlimit ?newlimit?
Returns the maximum allowable nesting depth for the slave interpreter. If newlimit
is specified, the recursion limit in slave will be set so that nesting of more than
newlimit calls to Tcl_Eval() and related procedures in slave will return an error.
The newlimit value is also returned. The newlimit value must be a positive integer
between 1 and the maximum value of a non-long integer on the platform.
The command sets the maximum size of the Tcl call stack only. It cannot by itself
prevent stack overflows on the C stack being used by the application. If your
machine has a limit on the size of the C stack, you may get stack overflows before
reaching the limit set by the command. If this happens, see if there is a mechanism
in your system for increasing the maximum size of the C stack.
SAFE INTERPRETERS
A safe interpreter is one with restricted functionality, so that is safe to execute an
arbitrary script from your worst enemy without fear of that script damaging the enclosing
application or the rest of your computing environment. In order to make an interpreter
safe, certain commands and variables are removed from the interpreter. For example,
commands to create files on disk are removed, and the exec command is removed, since it
could be used to cause damage through subprocesses. Limited access to these facilities
can be provided, by creating aliases to the master interpreter which check their arguments
carefully and provide restricted access to a safe subset of facilities. For example, file
creation might be allowed in a particular subdirectory and subprocess invocation might be
allowed for a carefully selected and fixed set of programs.
A safe interpreter is created by specifying the -safe switch to the interp create command.
Furthermore, any slave created by a safe interpreter will also be safe.
A safe interpreter is created with exactly the following set of built-in commands:
after append apply array
binary break catch chan
clock close concat continue
dict eof error eval
expr fblocked fcopy fileevent
flush for foreach format
gets global if incr
info interp join lappend
lassign lindex linsert list
llength lrange lrepeat lreplace
lsearch lset lsort namespace
package pid proc puts
read regexp regsub rename
return scan seek set
split string subst switch
tell time trace unset
update uplevel upvar variable
vwait while
The following commands are hidden by interp create when it creates a safe interpreter:
cd encoding exec exit
fconfigure file glob load
open pwd socket source
unload
These commands can be recreated later as Tcl procedures or aliases, or re-exposed by
interp expose.
The following commands from Tcl's library of support procedures are not present in a safe
interpreter:
auto_exec_ok auto_import auto_load
auto_load_index auto_qualify unknown
Note in particular that safe interpreters have no default unknown command, so Tcl's
default autoloading facilities are not available. Autoload access to Tcl's commands that
are normally autoloaded:
auto_mkindex auto_mkindex_old
auto_reset history
parray pkg_mkIndex
::pkg::create ::safe::interpAddToAccessPath
::safe::interpCreate ::safe::interpConfigure
::safe::interpDelete ::safe::interpFindInAccessPath
::safe::interpInit ::safe::setLogCmd
tcl_endOfWord tcl_findLibrary
tcl_startOfNextWord tcl_startOfPreviousWord
tcl_wordBreakAfter tcl_wordBreakBefore
can only be provided by explicit definition of an unknown command in the safe interpreter.
This will involve exposing the source command. This is most easily accomplished by
creating the safe interpreter with Tcl's Safe-Tcl mechanism. Safe-Tcl provides safe
versions of source, load, and other Tcl commands needed to support autoloading of commands
and the loading of packages.
In addition, the env variable is not present in a safe interpreter, so it cannot share
environment variables with other interpreters. The env variable poses a security risk,
because users can store sensitive information in an environment variable. For example, the
PGP manual recommends storing the PGP private key protection password in the environment
variable PGPPASS. Making this variable available to untrusted code executing in a safe
interpreter would incur a security risk.
If extensions are loaded into a safe interpreter, they may also restrict their own
functionality to eliminate unsafe commands. For a discussion of management of extensions
for safety see the manual entries for Safe-Tcl and the load Tcl command.
A safe interpreter may not alter the recursion limit of any interpreter, including itself.
ALIAS INVOCATION
The alias mechanism has been carefully designed so that it can be used safely when an
untrusted script is executing in a safe slave and the target of the alias is a trusted
master. The most important thing in guaranteeing safety is to ensure that information
passed from the slave to the master is never evaluated or substituted in the master; if
this were to occur, it would enable an evil script in the slave to invoke arbitrary
functions in the master, which would compromise security.
When the source for an alias is invoked in the slave interpreter, the usual Tcl
substitutions are performed when parsing that command. These substitutions are carried
out in the source interpreter just as they would be for any other command invoked in that
interpreter. The command procedure for the source command takes its arguments and merges
them with the targetCmd and args for the alias to create a new array of arguments. If the
words of srcCmd were “srcCmd arg1 arg2 ... argN”, the new set of words will be “targetCmd
arg arg ... arg arg1 arg2 ... argN”, where targetCmd and args are the values supplied when
the alias was created. TargetCmd is then used to locate a command procedure in the target
interpreter, and that command procedure is invoked with the new set of arguments. An
error occurs if there is no command named targetCmd in the target interpreter. No
additional substitutions are performed on the words: the target command procedure is
invoked directly, without going through the normal Tcl evaluation mechanism.
Substitutions are thus performed on each word exactly once: targetCmd and args were
substituted when parsing the command that created the alias, and arg1 - argN are
substituted when the alias's source command is parsed in the source interpreter.
When writing the targetCmds for aliases in safe interpreters, it is very important that
the arguments to that command never be evaluated or substituted, since this would provide
an escape mechanism whereby the slave interpreter could execute arbitrary code in the
master. This in turn would compromise the security of the system.
HIDDEN COMMANDS
Safe interpreters greatly restrict the functionality available to Tcl programs executing
within them. Allowing the untrusted Tcl program to have direct access to this
functionality is unsafe, because it can be used for a variety of attacks on the
environment. However, there are times when there is a legitimate need to use the
dangerous functionality in the context of the safe interpreter. For example, sometimes a
program must be sourced into the interpreter. Another example is Tk, where windows are
bound to the hierarchy of windows for a specific interpreter; some potentially dangerous
functions, e.g. window management, must be performed on these windows within the
interpreter context.
The interp command provides a solution to this problem in the form of hidden commands.
Instead of removing the dangerous commands entirely from a safe interpreter, these
commands are hidden so they become unavailable to Tcl scripts executing in the
interpreter. However, such hidden commands can be invoked by any trusted ancestor of the
safe interpreter, in the context of the safe interpreter, using interp invoke. Hidden
commands and exposed commands reside in separate name spaces. It is possible to define a
hidden command and an exposed command by the same name within one interpreter.
Hidden commands in a slave interpreter can be invoked in the body of procedures called in
the master during alias invocation. For example, an alias for source could be created in a
slave interpreter. When it is invoked in the slave interpreter, a procedure is called in
the master interpreter to check that the operation is allowable (e.g. it asks to source a
file that the slave interpreter is allowed to access). The procedure then it invokes the
hidden source command in the slave interpreter to actually source in the contents of the
file. Note that two commands named source exist in the slave interpreter: the alias, and
the hidden command.
Because a master interpreter may invoke a hidden command as part of handling an alias
invocation, great care must be taken to avoid evaluating any arguments passed in through
the alias invocation. Otherwise, malicious slave interpreters could cause a trusted
master interpreter to execute dangerous commands on their behalf. See the section on ALIAS
INVOCATION for a more complete discussion of this topic. To help avoid this problem, no
substitutions or evaluations are applied to arguments of interp invokehidden.
Safe interpreters are not allowed to invoke hidden commands in themselves or in their
descendants. This prevents safe slaves from gaining access to hidden functionality in
themselves or their descendants.
The set of hidden commands in an interpreter can be manipulated by a trusted interpreter
using interp expose and interp hide. The interp expose command moves a hidden command to
the set of exposed commands in the interpreter identified by path, potentially renaming
the command in the process. If an exposed command by the targeted name already exists, the
operation fails. Similarly, interp hide moves an exposed command to the set of hidden
commands in that interpreter. Safe interpreters are not allowed to move commands between
the set of hidden and exposed commands, in either themselves or their descendants.
Currently, the names of hidden commands cannot contain namespace qualifiers, and you must
first rename a command in a namespace to the global namespace before you can hide it.
Commands to be hidden by interp hide are looked up in the global namespace even if the
current namespace is not the global one. This prevents slaves from fooling a master
interpreter into hiding the wrong command, by making the current namespace be different
from the global one.
RESOURCE LIMITS
Every interpreter has two kinds of resource limits that may be imposed by any master │
interpreter upon its slaves. Command limits (of type command) restrict the total number of │
Tcl commands that may be executed by an interpreter (as can be inspected via the info │
cmdcount command), and time limits (of type time) place a limit by which execution within │
the interpreter must complete. Note that time limits are expressed as absolute times (as │
in clock seconds) and not relative times (as in after) because they may be modified after │
creation. │
When a limit is exceeded for an interpreter, first any handler callbacks defined by master │
interpreters are called. If those callbacks increase or remove the limit, execution within │
the (previously) limited interpreter continues. If the limit is still in force, an error │
is generated at that point and normal processing of errors within the interpreter (by the │
catch command) is disabled, so the error propagates outwards (building a stack-trace as it │
goes) to the point where the limited interpreter was invoked (e.g. by interp eval) where │
it becomes the responsibility of the calling code to catch and handle. │
LIMIT OPTIONS │
Every limit has a number of options associated with it, some of which are common across │
all kinds of limits, and others of which are particular to the kind of limit.
-command
This option (common for all limit types) specifies (if non-empty) a Tcl script to │
be executed in the global namespace of the interpreter reading and writing the │
option when the particular limit in the limited interpreter is exceeded. The │
callback may modify the limit on the interpreter if it wishes the limited │
interpreter to continue executing. If the callback generates an error, it is │
reported through the background error mechanism (see BACKGROUND ERROR HANDLING). │
Note that the callbacks defined by one interpreter are completely isolated from the │
callbacks defined by another, and that the order in which those callbacks are │
called is undefined.
-granularity
This option (common for all limit types) specifies how frequently (out of the │
points when the Tcl interpreter is in a consistent state where limit checking is │
possible) that the limit is actually checked. This allows the tuning of how │
frequently a limit is checked, and hence how often the limit-checking overhead │
(which may be substantial in the case of time limits) is incurred.
-milliseconds
This option specifies the number of milliseconds after the moment defined in the │
-seconds option that the time limit will fire. It should only ever be specified in │
conjunction with the -seconds option (whether it was set previously or is being set │
this invocation.)
-seconds
This option specifies the number of seconds after the epoch (see clock seconds) │
that the time limit for the interpreter will be triggered. The limit will be │
triggered at the start of the second unless specified at a sub-second level using │
the -milliseconds option. This option may be the empty string, which indicates that │
a time limit is not set for the interpreter.
-value This option specifies the number of commands that the interpreter may execute │
before triggering the command limit. This option may be the empty string, which │
indicates that a command limit is not set for the interpreter. │
Where an interpreter with a resource limit set on it creates a slave interpreter, that │
slave interpreter will have resource limits imposed on it that are at least as restrictive │
as the limits on the creating master interpreter. If the master interpreter of the limited │
master wishes to relax these conditions, it should hide the interp command in the child │
and then use aliases and the interp invokehidden subcommand to provide such access as it │
chooses to the interp command to the limited master as necessary. │
BACKGROUND ERROR HANDLING │
When an error happens in a situation where it cannot be reported directly up the stack │
(e.g. when processing events in an update or vwait call) the error is instead reported │
through the background error handling mechanism. Every interpreter has a background error │
handler registered; the default error handler arranges for the bgerror command in the │
interpreter's global namespace to be called, but other error handlers may be installed and │
process background errors in substantially different ways. │
A background error handler consists of a non-empty list of words to which will be appended │
two further words at invocation time. The first word will be the error message string, and │
the second will a dictionary of return options (this is also the sort of information that │
can be obtained by trapping a normal error using catch of course.) The resulting list will │
then be executed in the interpreter's global namespace without further substitutions being │
performed.
CREDITS
The safe interpreter mechanism is based on the Safe-Tcl prototype implemented by Nathaniel
Borenstein and Marshall Rose.
EXAMPLES
Creating and using an alias for a command in the current interpreter:
interp alias {} getIndex {} lsearch {alpha beta gamma delta}
set idx [getIndex delta]
Executing an arbitrary command in a safe interpreter where every invocation of lappend is
logged:
set i [interp create -safe]
interp hide $i lappend
interp alias $i lappend {} loggedLappend $i
proc loggedLappend {i args} {
puts "logged invocation of lappend $args"
interp invokehidden $i lappend {*}$args
}
interp eval $i $someUntrustedScript
Setting a resource limit on an interpreter so that an infinite loop terminates. │
set i [interp create] │
interp limit $i command -value 1000 │
interp eval $i { │
set x 0 │
while {1} { │
puts "Counting up... [incr x]" │
} │
} │
SEE ALSO
bgerror(3tcl), load(3tcl), safe(3tcl), Tcl_CreateSlave(3tcl)
KEYWORDS
alias, master interpreter, safe interpreter, slave interpreter