[External] : Re: StringTemplates deferred evaluation

Ron Pressler ron.pressler at oracle.com
Sun Mar 17 22:19:51 UTC 2024



> On 17 Mar 2024, at 22:15, Ron Pressler <ron.pressler at oracle.com> wrote:
> 
> 
> 
>> On 17 Mar 2024, at 20:46, Justin Spindler <justin.spindler at gmail.com> wrote:
>> 
>> C# does allow short-circuiting interpolation through a custom interpolation handler.  In that case none of the expressions are evaluated.  This is a general purpose mechanism, but the primary use case was logging frameworks.  Importantly, the code doesn't require the developer to do anything special, such as call a different overload or helper methods, it "just works" by default creating a pit of success.
> 
> I believe we’re talking about different things. If I’m not mistaken, C#’s feature for conditional evaluation of template arguments is only available in the special case of string interpolation. Whether or not such a capability is sufficiently useful, even for logging — and if so, whether allowing library code to determine whether (possibly side-effecting) Java expressions are evaluated is a good idea and could be said to “just work” — is an open question.
> 
> Java’s string templates, however, don’t focus on string interpolation at all, but on the embedding of “code” such as SQL, JSON, or HTML, in a way that avoids code injection. This use case is more analogous to assigning a template to a FormattableString in C#, where — again, if I’m not mistaken — conditional evaluation is not needed.
> 
> However important string interpolation may be, I think it is safe to say that string templates’ focus is on a more important use-case — certainly one that is much harder to do correctly given existing mechanisms.
> 
>> 
>> In the Spring services I maintain, the only real use case I'd have for string templates would be logging.  As mentioned we've had several cases in the past where a developer accidentally included debug/trace level logging with a calculated value, like a stack trace, that caused observable performance regressions.  We try to guard against common cases with PMD and education, but sometimes it still slips through.
> 
> Different people may have different needs, but services do often have a need to generate SQL, JSON, or HTML, and the high prevalence and damage of code-injection vulnerabilities makes it a high priority to allow libraries to offer APIs that are simple and pleasurable to use while at the same time being safe. If it *also* turns out that logging expressions that are costly to evaluate beyond the formatting of the message is a common-enough problem that the use of something like the `defer` merits attention, we could tackle that problem another day.
> 
> In any event, the easy confusion that arises from designs like C#’s between interpolating strings and safely embedding code is something we’d like to avoid.
> 
> — Ron


Sorry, where I wrote “conditional evaluation is not needed” I meant to write “not supported.”

