Table of Contents

Update: I’ve added an update to the security section.

Today I released something I have been working on for a little while. It’s basically an IEx instance you can access from your browser.

The problem I was trying to solve is one I’ve had while learning Elixir myself: I would often be reading Dave Thomas’s Programming Elixir book on my iPad, and at somepoint I’d want to try out some Elixir code. Obviously on an iPad I can’t install the runtime, so I was left with no other option than to open my laptop. Hopefully this project will provide an alternative for people on mobile devices.

So, how was the project implemented? It’s actually quite simple. It’s a Phoenix app, without database, using CodeMirror on the frontend side of things for code editing.

But in order to bring the whole idea to completion, I had to solve the following problems:

  • Evaluate the code sent by the user
  • Capture and return all the output, including errors
  • Find a pretty domain
  • Code the frontend
  • Choose an online code editor
  • Implement a syntax highlighter

Let’s look at the first point.

IO in Elixir

With Elixir’s focus on distributed computing, it should come as no surprise that IO itself can be thought of as a distributed process.

So, how does IO work in Elixir?

Basically every IO function either implicitly or explicitly writes to an IO device. In the case of IO.inspect/2, for example, you do it implicitly; its counterpart IO.inspect/3 receives an additional argument: the device.

Some examples of devices are :stdio and :stderr, but a device can be any Elixir process, and can be passed around as a pid (which is a first-class data type in Elixir) or an atom representing a process.

Another example is IO.puts/2. If you look at its definition, you’ll see the first argument it accepts has a default value, group_leader().

In Erlang, a process is always part of a group, and a group always has a group leader. All IO from the group is sent to the group leader. The group leader is basically the default IO device, and it can be configured by calling :erlang.group_leader/2.

In our case, we want to somehow save all output, and then be able to return it to the browser. How do we go about doing that?

Turns out Elixir has a very nice module that exposes a string as an IO device. The module is aptly called StringIO, and it allows us to save and retrieve all data that has been sent to the device.

Combining these two concepts together, the group leader and StringIO, allows us to achieve our goal: redirect all output to a string, store it, and return it:

{:ok, device} = ""
:erlang.group_leader(device, self)

By the way, this stuff is explained quite well on this page of the documentation.

Evaluating code

The next interesting thing happening in this project is it has to evaluate the code that the user sends at runtime.

Again, Elixir offers a simple solution in the form of Code.eval_string/3. It has only one mandatory argument, the code as a string, and returns a tuple of the form {result, bindings}. We are only interested in the result.

result =
  |> Code.eval_string
  |> elem(0)

IO.inspect result

Note that we use IO.inspect here, instead of IO.puts, as that allows us to leverage the existing implementations of the Inspect protocol.

This gets us almost all the way there. But what happens if the user’s code causes an exception? Ideally, we should recover from the exception and output the error message, same as it would happen on IEx.

Let’s wrap our code in a try/rescue block:

    try do
      result =
        |> Code.eval_string
        |> elem(0)

      IO.inspect result
      exception -> IO.inspect Exception.message(exception)

And that’s all. With our backend code in place, let’s now move to the frontend.

Elixir syntax in CodeMirror

CodeMirror is an online editor for code. It is distributed via NPM in a modular way, each module in its own file. This meant that I could use bower for the package, and in my bower.json only require the files that I needed, thereby avoiding bloat and saving a lot of space in the final application.js:

  "name": "TryElixir",
  "dependencies": {
    "codemirror-elixir": "asymmetric/codemirror-elixir",
    "fetch": "^0.11.0",
    "es6-promise": "^3.2.1",
    "bootstrap": "^3.3.6",
    "hint.css": "^2.2.0"
  "overrides": {
    "codemirror": {
      "main": [
    "bootstrap": {
      "main": [
      "dependencies": {}

There was no syntax highlighter file for Elixir, so I had to build one. It’s still a work in progress, and PRs are very welcome. Actually, CodeMirror offes 2 ways of defining syntaxes (what it calls “modes”): one is RegEx based, and it’s very simple. The other one is to define a proper lexer (here is the one for Ruby for example) and although it’s the recommended way, it was definitely too much work for my use-case. But if you’re in that kind of thing, there’s an opportunity for you!


(Note: This section was updated on May 11 2016)

Given that this project allows you to execute arbitrary code, just how much risk is there?

Initially, I thought that Heroku’s ephemeral filesystem would be enough: users wouldn’t be able to permanently affect the application, even if they somehow managed to run “malicious” code.

And that’s true, but I was greatly underestimating the amount of damage that can be done when you can run arbitrary code.

For example, you can shut down the VM with :erlang.halt, or restart it with :init.reboot. Additionally, you can run code that will never stop executing, while stealing every CPU cycle available.

To address these problems, I’ve come up with two solutions: a blacklist of forbidden commands, and performing code evaluation inside an async Task .

Async tasks are particularly interesting. You can invoke one with Task.async(fn -> your_function() end), and afterwards call Task.yield(your_task, your_timeout) to send it off to do its work.

The key thing here is the timeout: after it expires, the Task is expected to have a value. If it has one, it’s returned; if it doesn’t, we can handle that however we want. In my case, I kill it brutally and just return a message to the user, informing them that the computation took too long.

Domain, hosting and DNS

I was very happy to have found a catchy TLD for the site. The registrar is Namecheap (affiliate link) and it only cost $0.89 for the first year!

The app is hosted on Heroku, and normally what you would do is point to But I wanted to get rid of the www. subdomain, and it turns out you can’t do that with a lot of DNS providers. The reason is that CNAME records can only be created for subdomains. Heroku does not provide each app with a fixed IP obviously, so you can’t just create an A record and call it a day.

Some providers though do offer so-called ANAME/ALIAS records, bust most of them cost an order of magnitude more than the domain itself. That’s why I was very surprised to find out that CloudFlare offers their DNS services for free! So I proceeded to hand over DNS resolution for my domain to them (which by the way took something like 5 minutes!), configure the root CNAME and that was it! Now the domain is availale without that ugly www.!


While I’m pretty happy with the result, there are definitely some ideas that are worth investigting.

It might be interesting to rewrite the app without Phoenix, as a barebones Plug app. The backend is extremely simple, the challenging part would be requiring frontend modules without using Brunch (or having to setup Brunch myself).

Another important thing to do would be to default to HTTPS, maybe using Let’s Encrypt.

And, last but not least, is the tutorial. Most other online interpreters double as intros to the language, with chapters, lessons and excercises. This is not the main focus of the project (as I said, I just wanted an easy way to try out code as I was learning), but if people find it useful, I might implement it.

And I think that’s all.

Have fun!