PyCon: Code Generation in Python: Dismantling Jinja

See the website.

See also bit.ly/codegeneration.

Is eval evil? How does it impact security and performance?

Use repr to get something safe to pass to eval for a given type.

Eval code in a different namespace to keep namespaces clean.

Using code generation results in faster code than writing a custom interpreter in Python.

Here is a little "Eval 101".

Here is how to compile a string to a code object:
code = compile('a = 1 + 2', '', 'exec')
ns = {}
exec(code, ns)  # Python 2: exec code in ns
assert ns['a'] == 3

In Python 2.3 or later, use "ast.parse('a = 1 + 2')", and then pass the result to the compile function.

You can modify the ast (abstract syntax tree).

You can assign line numbers.

You don't have to pass strings to eval and exec. You can handle the compilation to bytecode explicitly. You can also execute the code in an explicit namespace.

Jinja mostly has Python semantics, but not exactly. It uses different scoping rules.

Lexer -> Parser -> Identifier Analyzer -> Code Generator -> Python Source -> Bytecode -> Runtime

Everything before the runtime can be done ahead of time and cached.

Because WSGI uses generators, Jinja also uses generators for output.

You can run untrusted template code with Jinja. It restricts what the Python code can do. (I'm skeptical.)

They have automatic escaping.
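The points above (repr for literals, an explicit namespace, generator output, automatic escaping) combined in a toy template compiler. This is an added example, not code from the talk or from Jinja; the names TOKEN, generate_source and compile_template are made up for illustration, and only plain {{ name }} placeholders are supported.

```python
import html
import re

TOKEN = re.compile(r"\{\{\s*(.*?)\s*\}\}")  # matches {{ name }}

def generate_source(template):
    """Translate template text into Python source for a generator function."""
    # 'if False: yield' keeps render() a generator even for an empty template.
    lines = ["def render(ctx):", "    if False: yield"]
    pos = 0
    for m in TOKEN.finditer(template):
        if m.start() > pos:
            # repr() emits a valid string literal whatever quotes, backslashes
            # or newlines the static text holds, so it cannot end the literal.
            lines.append("    yield " + repr(template[pos:m.start()]))
        name = m.group(1)
        if not name.isidentifier():
            # Placeholder text is never pasted into the source as code.
            raise ValueError("unsupported expression: %r" % name)
        # Dynamic values are escaped at render time (automatic escaping).
        lines.append("    yield escape(str(ctx[%r]))" % name)
        pos = m.end()
    if pos < len(template):
        lines.append("    yield " + repr(template[pos:]))
    return "\n".join(lines) + "\n"

def compile_template(template, filename="<template>"):
    """Compile the generated source and return its render(ctx) generator."""
    code = compile(generate_source(template), filename, "exec")
    # Explicit namespace: the generated code gets only this name (Python adds
    # __builtins__) and cannot clobber this module's globals. Not a sandbox.
    ns = {"escape": html.escape}
    exec(code, ns)
    return ns["render"]

if __name__ == "__main__":
    render = compile_template("Hi {{ name }}, it's \"fine\"\n")
    print(generate_source("Hi {{ name }}!"))
    print("".join(render({"name": "<i>x</i>"})))  # constructed sample input
```

Because the static text goes through repr() and placeholders are reduced to dictionary keys, nothing from the template is ever spliced into the generated source as code.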

In the art of code generation, you must think in terms of low level vs. high level.

(I got a little confused at this point about whether Jinja generated bytecode, ASTs, or Python source. Later in the talk, it seemed like he was saying that Jinja always generated Python code because it was the only workable option at the time.)

Using the ast module only became an option later.

He thought about generating bytecode. However, that doesn't work on Google App Engine. Furthermore, it was too implementation specific.

Using the ast module is more limited. However, it's easier to debug. Furthermore, it does not segfault the interpreter (at least starting in Python 2.7).

Using pure source code generation always works. However, it's very limited, and it's hard to debug without hacks.

The ast module is much better.

Jinja is way faster than Django templates.

Code running in a function is faster than running at global scope because local variable lookup is faster.

They keep track of identifiers and follow them through the source code.

The context object in Jinja2 is a data source (read only). In Django, it's a data store (read write).

What happens in the include stays in the include. An include can't change a variable in an outer scope.

Jinja looks at your template and generates more complicated code only if the template needs it.

{% for item in sequence %} creates item in a context that's only valid in the for loop.

Jinja used manual code generation because it was the only option. AST compilation is new in Python 2.6.

A Markup object wraps a string, but has autoescaping. It uses operator overloading. Jinja can do some escaping at compile time.

Undefined variables in Jinja are replaced by undefined objects so that they print out as empty strings. However, doing an attribute lookup on such an object raises an exception.

He would use the ast module if he had to do it all over again.