Re: Bringing setTimeout to ECMAScript

Sat, 19 Mar 2011 17:21:50 -0700 

* No clamping. Time runs as fast as the platform lets it run.
* The return value is not an integer but a unique unforgeable object for canceling the event. No one without 
that object can cancel that event.



This last point is something I was about to raise when starting to think 
about extending the Q API.
setTimeout returns a number, so a malicious could loop through numbers 
and call clearTimeout on them. An
unforgeable object sounds like the correct response to this issue. Have 
you considered wrapping
setTimeout&friends in SES with this solution? It wouldn't break code 
which do not rely on the returned value

being a number (but would break code which does, of course).



Caja does exactly this. So far we haven't found any code that this 
actually breaks. All uses we've encountered[1]
treat the return value of setTimeout/setInterval as simply something they 
can remember and later pass to

clearTimeout/clearInterval.


[1] That I'm aware of. Caja users should speak up if they've hit a 
counter-example. Or anyone else that has seen

code in the wild that actually counts on these values being numbers.



I have a number of different projects where I've used timers (mostly 
intervals rather than timeouts), where the logic that I used relied on being 
able to tell if a value was falsy or not, to know if there's a timer 
attached to some variable (so that you only set the interval once, and not 
multiple times).



So, for instance, a variable like foo = false`, when an interval is set, 
`foo = setInterval(...)`, and when that interval is cleared, I not only call 
`clearInterval(foo)` but I also call `foo = false` again to signal that the 
interval has been cleared (there is no `checkInterval(foo)` API to check 
this). Then, the next time I want to set the interval, I first check to see 
if `foo` is truthy or falsy, and only set if it's indeed falsy. So, all this 
is to say, I rely in those tests on whether the value is truthy or falsy. 
Not exactly relying on its data type, but it's important not to assume that 
noone ever checks those values -- in many cases, I do.




--Kyle


_______________________________________________
es-discuss mailing list
es-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es-discuss

























					Reply via email to