Abort execution of template renders that overwhelm the system

[bdraco]

Proposed change

This only affects templates render requests from the websocket api that request a timeout.

jinja attempts to detect these type of templates in advance and will
raise OverflowError for cases it knows will overwhelm the system,
however it cannot detect all cases.

Example: OverflowError: Range too big. The sandbox blocks ranges larger than MAX_RANGE (100000).

This solution pre-tests each initial render request to ensure a template
can be rendered in requested timeout in seconds. If the template
takes too long, execution is canceled and the subscription is not
setup.

Pasting

{% for var in range(10000) -%}
  {% for var in range(10000) -%}
    {{ var }}
  {%- endfor %}
{%- endfor %}

into the template developer tools before this change would cause
the entire system to lock up and run out of memory.

25440 root 20 0 9834.1m 5.171g 100.7 26.7 1:00.92 R python3 -m homeassistant --config /config

Type of change

• Dependency upgrade
• Bugfix (non-breaking change which fixes an issue)
• New integration (thank you!)
• New feature (which adds functionality to an existing integration)
• Breaking change (fix/feature causing existing functionality to break)
• Code quality improvements to existing code or addition of tests

Example entry for configuration.yaml:

# Example configuration.yaml

Additional information

• This PR fixes or closes issue: fixes #
• This PR is related to issue:
• Link to documentation pull request:

Checklist

• The code change is tested and works locally.
• Local tests pass. Your PR cannot be merged unless tests pass
• There is no commented out code in this PR.
• I have followed the development checklist
• The code has been formatted using Black (black --fast homeassistant tests)
• Tests have been added to verify that the new code works.

If user exposed functionality or configuration variables are added/changed:

• Documentation added/updated for www.home-assistant.io

If the code communicates with devices, web services, or third-party tools:

• The manifest file has all fields filled out correctly.
  Updated and included derived files by running: python3 -m script.hassfest.
• New or updated dependencies have been added to requirements_all.txt.
  Updated by running python3 -m script.gen_requirements_all.
• Untested files have been added to .coveragerc.

The integration reached or maintains the following Integration Quality Scale:

• No score or internal
• 🥈 Silver
• 🥇 Gold
• 🏆 Platinum

To help with the load of incoming pull requests:

• I have reviewed two other open pull requests in this repository.

[probot-home-assistant]

Hey there @home-assistant/core, mind taking a look at this pull request as its been labeled with an integration (websocket_api) you are listed as a codeowner for? Thanks!
_{^{(message by CodeOwnersMention)}}

[bdraco]

We can't actual cancel the job once it starts running.

There doesn't seem to be a clean way to do that

[KevinCathcart]

Shame there isn't a cleaner way. This approach should work, and it is not like there are not thousands of projects doing this same sort of thread killing, but still rather unfortunate. The fact that the templates are immutable/pure, is the main reason I'm not particularly concerned by this approach.

There are some other tricks that might be nicer, but won't necessarily handle every case. For the given example, using .generate() instead of .render() on the template, and manually concating the strings would allow you to check and stop on timeouts. But only because each loop iteration outputs something. If there was no output each loop iteration, then this would not help at all. Similarly it would not help with long runner filter pipelines.

If we were using async mode of jinja, it feels like there might be some trick we can play by using a custom event loop, but once again not convinced that could handle everything a thread abort approach can.