- About these Docs
- Synopsis
- Assertion Testing
- Buffer
- C/C++ Addons
- Child Processes
- Cluster
- Console
- Crypto
- Debugger
- DNS
- Domain
- Errors
- Events
- File System
- Globals
- HTTP
- HTTPS
- Modules
- Net
- OS
- Path
- Process
- Punycode
- Query Strings
- Readline
- REPL
- Stream
- String Decoder
- Timers
- TLS/SSL
- TTY
- UDP/Datagram
- URL
- Utilities
- V8
- VM
- ZLIB
Node.js v4.2.6 Documentation
Table of Contents
Executing JavaScript#
Stability: 2 - Stable
You can access this module with:
const vm = require('vm');
JavaScript code can be compiled and run immediately or compiled, saved, and run later.
Class: Script#
A class for holding precompiled scripts, and running them in specific sandboxes.
new vm.Script(code, options)#
Creating a new Script
compiles code
but does not run it. Instead, the
created vm.Script
object represents this compiled code. This script can be run
later many times using methods below. The returned script is not bound to any
global object. It is bound before each run, just for that run.
The options when creating a script are:
filename
: allows you to control the filename that shows up in any stack traces produced from this script.lineOffset
: allows you to add an offset to the line number that is displayed in stack tracescolumnOffset
: allows you to add an offset to the column number that is displayed in stack tracesdisplayErrors
: whether or not to print any errors to stderr, with the line of code that caused them highlighted, before throwing an exception. Applies only to syntax errors compiling the code; errors while running the code are controlled by the options to the script's methods.timeout
: a number of milliseconds to executecode
before terminating execution. If execution is terminated, anError
will be thrown.
script.runInContext(contextifiedSandbox[, options])#
Similar to vm.runInContext
but a method of a precompiled Script
object.
script.runInContext
runs script
's compiled code in contextifiedSandbox
and returns the result. Running code does not have access to local scope.
script.runInContext
takes the same options as script.runInThisContext
.
Example: compile code that increments a global variable and sets one, then execute the code multiple times. These globals are contained in the sandbox.
const util = require('util');
const vm = require('vm');
var sandbox = {
animal: 'cat',
count: 2
};
var context = new vm.createContext(sandbox);
var script = new vm.Script('count += 1; name = "kitty"');
for (var i = 0; i < 10; ++i) {
script.runInContext(context);
}
console.log(util.inspect(sandbox));
// { animal: 'cat', count: 12, name: 'kitty' }
Note that running untrusted code is a tricky business requiring great care.
script.runInContext
is quite useful, but safely running untrusted code
requires a separate process.
script.runInNewContext([sandbox][, options])#
Similar to vm.runInNewContext
but a method of a precompiled Script
object.
script.runInNewContext
contextifies sandbox
if passed or creates a new
contextified sandbox if it's omitted, and then runs script
's compiled code
with the sandbox as the global object and returns the result. Running code does
not have access to local scope.
script.runInNewContext
takes the same options as script.runInThisContext
.
Example: compile code that sets a global variable, then execute the code multiple times in different contexts. These globals are set on and contained in the sandboxes.
const util = require('util');
const vm = require('vm');
const sandboxes = [{}, {}, {}];
const script = new vm.Script('globalVar = "set"');
sandboxes.forEach((sandbox) => {
script.runInNewContext(sandbox);
});
console.log(util.inspect(sandboxes));
// [{ globalVar: 'set' }, { globalVar: 'set' }, { globalVar: 'set' }]
Note that running untrusted code is a tricky business requiring great care.
script.runInNewContext
is quite useful, but safely running untrusted code
requires a separate process.
script.runInThisContext([options])#
Similar to vm.runInThisContext
but a method of a precompiled Script
object.
script.runInThisContext
runs script
's compiled code and returns the result.
Running code does not have access to local scope, but does have access to the
current global
object.
Example of using script.runInThisContext
to compile code once and run it
multiple times:
const vm = require('vm');
global.globalVar = 0;
const script = new vm.Script('globalVar += 1', { filename: 'myfile.vm' });
for (var i = 0; i < 1000; ++i) {
script.runInThisContext();
}
console.log(globalVar);
// 1000
The options for running a script are:
filename
: allows you to control the filename that shows up in any stack traces produced.lineOffset
: allows you to add an offset to the line number that is displayed in stack tracescolumnOffset
: allows you to add an offset to the column number that is displayed in stack tracesdisplayErrors
: whether or not to print any errors to stderr, with the line of code that caused them highlighted, before throwing an exception. Applies only to runtime errors executing the code; it is impossible to create aScript
instance with syntax errors, as the constructor will throw.timeout
: a number of milliseconds to execute the script before terminating execution. If execution is terminated, anError
will be thrown.
vm.createContext([sandbox])#
If given a sandbox
object, will "contextify" that sandbox so that it can be
used in calls to vm.runInContext
or script.runInContext
. Inside scripts run
as such, sandbox
will be the global object, retaining all its existing
properties but also having the built-in objects and functions any standard
global object has. Outside of scripts run by the vm module, sandbox
will
be unchanged.
If not given a sandbox object, returns a new, empty contextified sandbox object you can use.
This function is useful for creating a sandbox that can be used to run multiple
scripts, e.g. if you were emulating a web browser it could be used to create a
single sandbox representing a window's global object, then run all <script>
tags together inside that sandbox.
vm.isContext(sandbox)#
Returns whether or not a sandbox object has been contextified by calling
vm.createContext
on it.
vm.runInContext(code, contextifiedSandbox[, options])#
vm.runInContext
compiles code
, then runs it in contextifiedSandbox
and
returns the result. Running code does not have access to local scope. The
contextifiedSandbox
object must have been previously contextified via
vm.createContext
; it will be used as the global object for code
.
vm.runInContext
takes the same options as vm.runInThisContext
.
Example: compile and execute different scripts in a single existing context.
const util = require('util');
const vm = require('vm');
const sandbox = { globalVar: 1 };
vm.createContext(sandbox);
for (var i = 0; i < 10; ++i) {
vm.runInContext('globalVar *= 2;', sandbox);
}
console.log(util.inspect(sandbox));
// { globalVar: 1024 }
Note that running untrusted code is a tricky business requiring great care.
vm.runInContext
is quite useful, but safely running untrusted code requires a
separate process.
vm.runInDebugContext(code)#
vm.runInDebugContext
compiles and executes code
inside the V8 debug context.
The primary use case is to get access to the V8 debug object:
const Debug = vm.runInDebugContext('Debug');
Debug.scripts().forEach(function(script) { console.log(script.name); });
Note that the debug context and object are intrinsically tied to V8's debugger implementation and may change (or even get removed) without prior warning.
The debug object can also be exposed with the --expose_debug_as=
switch.
vm.runInNewContext(code[, sandbox][, options])#
vm.runInNewContext
compiles code
, contextifies sandbox
if passed or
creates a new contextified sandbox if it's omitted, and then runs the code with
the sandbox as the global object and returns the result.
vm.runInNewContext
takes the same options as vm.runInThisContext
.
Example: compile and execute code that increments a global variable and sets a new one. These globals are contained in the sandbox.
const util = require('util');
const vm = require('vm');
const sandbox = {
animal: 'cat',
count: 2
};
vm.runInNewContext('count += 1; name = "kitty"', sandbox);
console.log(util.inspect(sandbox));
// { animal: 'cat', count: 3, name: 'kitty' }
Note that running untrusted code is a tricky business requiring great care.
vm.runInNewContext
is quite useful, but safely running untrusted code requires
a separate process.
vm.runInThisContext(code[, options])#
vm.runInThisContext()
compiles code
, runs it and returns the result. Running
code does not have access to local scope, but does have access to the current
global
object.
Example of using vm.runInThisContext
and eval
to run the same code:
const vm = require('vm');
var localVar = 'initial value';
const vmResult = vm.runInThisContext('localVar = "vm";');
console.log('vmResult: ', vmResult);
console.log('localVar: ', localVar);
const evalResult = eval('localVar = "eval";');
console.log('evalResult: ', evalResult);
console.log('localVar: ', localVar);
// vmResult: 'vm', localVar: 'initial value'
// evalResult: 'eval', localVar: 'eval'
vm.runInThisContext
does not have access to the local scope, so localVar
is
unchanged. eval
does have access to the local scope, so localVar
is changed.
In this way vm.runInThisContext
is much like an indirect eval
call,
e.g. (0,eval)('code')
. However, it also has the following additional options:
filename
: allows you to control the filename that shows up in any stack traces produced.lineOffset
: allows you to add an offset to the line number that is displayed in stack tracescolumnOffset
: allows you to add an offset to the column number that is displayed in stack tracesdisplayErrors
: whether or not to print any errors to stderr, with the line of code that caused them highlighted, before throwing an exception. Will capture both syntax errors from compilingcode
and runtime errors thrown by executing the compiled code. Defaults totrue
.timeout
: a number of milliseconds to executecode
before terminating execution. If execution is terminated, anError
will be thrown.