| uip | title | description | author | status | type | category | created |
|---|---|---|---|---|---|---|---|
| 0124 | Computation Timeout Hint | Introduce a `%jinx` hint to permit timeout of a computation which may not terminate. | ~lagrev-nocfep | Draft | Standards Track | Kernel | 2024-05-09 |
We propose adding a `%jinx` hint that lets the runtime terminate a computation automatically once a caller-specified timeout has elapsed.
```
> ~> %jinx.[~s5] (add 1 3)
4
> ~> %jinx.[~s5] (infinite-loop)
recover: dig: alrm
crud: %belt event failed
call: failed
> ~> %jinx.[~s4] =|(i=@ |-(?:(=(10.000.000 i) i $(i +(i)))))
10.000.000
> ~> %jinx.[~s3] =|(i=@ |-(?:(=(10.000.000 i) i $(i +(i)))))
recover: dig: alrm
crud: %belt event failed
call: failed
```
As a personal server, an Urbit instance may be called upon to evaluate arbitrary code. Per the halting problem, aside from trivial cases we cannot determine in advance how long an arbitrary expression will take to evaluate, or whether it will complete at all. In certain environments it is impossible or inconvenient to interrupt the runtime process. (In particular, interfaces using `%eyre`/HTTP or `%lick` may not be able to send a `SIGINT` to break execution.)
While the subject-oriented programming model provides some security, and userspace permissions will provide more, arbitrary code may still result in the intentional or inadvertent evaluation of long-running or non-terminating code.
The `%jinx` hint is a dynamic hint whose clue is a timeout value and whose body is the expression to evaluate. If the expression does not complete within the timeout, the runtime should interrupt the computation with a bail and slog the elapsed time to the console. The timeout is specified as an Urbit relative time (`@dr`, e.g. `~s5`, which is 64 bits of seconds over 64 bits of fractional seconds) and is converted in the runtime to milliseconds for the Unix timer. As the session above shows, the bail fails the enclosing event (`crud: %belt event failed`) rather than returning a value to the caller, so the hint is a guard against runaway evaluation, not a way to recover a partial result.
No changes need to be made to `/sys/hoon` or Arvo. Vere needs to be modified in `nock.c` to handle the hint: the currently unused timeout mechanism in `u3m_soft` will be reactivated, with the head of the hint supplying the timeout and the tail supplying the computation whose product is returned. An implementation has been begun in `sigilante/timeout`, PR #648.
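The runtime side of the hint, as an added illustration that is not code from Vere or from PR #648: a C sketch of one way to implement the timeout path, namely arm a one-shot timer for the converted millisecond value, run the computation, and unwind out of it from the `SIGALRM` handler, which is the shape that the `recover: dig: alrm` line in the session above suggests. The `@dr` conversion splits the 128-bit value into its seconds and fractional words and floors the fraction to milliseconds without needing 128-bit arithmetic. The names `jinx_run`, `jinx_dr_to_ms`, and the two constructed workloads standing in for Nock evaluation are assumptions for this example.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE 1
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>

/* Outcome of running a computation under a deadline (names assumed for this example). */
enum jinx_status { JINX_DONE = 0, JINX_TIMEOUT = 1 };

typedef uint64_t (*jinx_work_fn)(void);

/* Jump buffer that the SIGALRM handler unwinds to, in place of a real bail. */
static sigjmp_buf jinx_env;
static volatile sig_atomic_t jinx_fired;

static void jinx_on_alarm(int sig) {
  (void)sig;
  jinx_fired = 1;
  siglongjmp(jinx_env, 1); /* abandon the computation; mask restored by sigsetjmp(..., 1) */
}

/* Convert an @dr (secs = high 64 bits, frac = low 64 bits, units of 1/2^64 s)
 * to whole milliseconds, rounding down. Intermediate products stay below 2^64. */
uint64_t jinx_dr_to_ms(uint64_t secs, uint64_t frac) {
  uint64_t hi = frac >> 32, lo = frac & 0xffffffffULL;
  uint64_t frac_ms = (hi * 1000 + ((lo * 1000) >> 32)) >> 32;
  return secs * 1000 + frac_ms;
}

/* Run work() with a wall-clock budget of ms milliseconds. On completion the
 * product is stored in *out; on timeout *out is untouched and JINX_TIMEOUT is returned. */
enum jinx_status jinx_run(jinx_work_fn work, uint64_t ms, uint64_t *out) {
  struct sigaction sa, old_sa;
  struct itimerval it, old_it;
  enum jinx_status st;

  if (ms == 0) ms = 1; /* a zero itimer disarms the timer, which would mean "no deadline" */

  memset(&sa, 0, sizeof sa);
  sa.sa_handler = jinx_on_alarm;
  sigemptyset(&sa.sa_mask);
  sigaction(SIGALRM, &sa, &old_sa);

  memset(&it, 0, sizeof it);
  it.it_value.tv_sec = (time_t)(ms / 1000);
  it.it_value.tv_usec = (suseconds_t)((ms % 1000) * 1000);
  jinx_fired = 0;

  if (sigsetjmp(jinx_env, 1) == 0) {
    setitimer(ITIMER_REAL, &it, &old_it);
    uint64_t v = work();
    /* Small window here: an alarm landing after work() returns still unwinds to the
     * else branch. A production interpreter must disarm before trusting the product. */
    *out = v;
    st = JINX_DONE;
  } else {
    st = JINX_TIMEOUT;
  }
  /* Disarm the timer and restore the previous handler in both paths. */
  memset(&it, 0, sizeof it);
  setitimer(ITIMER_REAL, &it, NULL);
  sigaction(SIGALRM, &old_sa, NULL);
  return st;
}

/* Constructed workloads standing in for the two dojo expressions above. */
uint64_t count_to_ten_million(void) {
  volatile uint64_t i = 0;
  while (i != 10000000ULL) i++;
  return i;
}

uint64_t spin_forever(void) {
  volatile uint64_t i = 0;
  for (;;) i++;
}

int main(void) {
  uint64_t out = 0;
  printf("~s5 -> %llu ms\n", (unsigned long long)jinx_dr_to_ms(5, 0));
  if (jinx_run(count_to_ten_million, jinx_dr_to_ms(4, 0), &out) == JINX_DONE)
    printf("product: %llu\n", (unsigned long long)out);
  if (jinx_run(spin_forever, 50, &out) == JINX_TIMEOUT)
    printf("recover: alrm (timed out)\n");
  return 0;
}
```

Unwinding with `siglongjmp` straight out of a signal handler is the simplification here: in a real interpreter the bail must also release whatever the interrupted computation allocated and report the elapsed time, which is the work the road-based bail in the runtime exists to do.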
This is a new runtime hint; no backward compatibility issues have been found. Because Nock treats unrecognized hints as no-ops, code carrying `%jinx` still evaluates on a runtime that does not implement the hint, but without any timeout being enforced.
This should improve Urbit security for any instance in which arbitrary evaluation is allowed, by bounding the wall-clock cost a single expression can impose.
Copyright and related rights waived via CC0.