QL Functions can run indefinitely

(Bug, Closed -> Fixed, Priority: Critical, Test Status: Unit tested , Reported By Justin du Coeur, )
QL, Security
Summary: Currently, it is fairly easy to write a QL expression that runs for Way Too Long -- far longer than the Gateway will allow. It's probably possible to write an infinite loop, although we try to avoid that. That's not okay.
Hypothetical design, that seems like it should work. We add a new startTime field to QLContext. When we initiate an operation, we set that; copies then inherit it. In InvocationValueImpl.flatMap, before invoking the next step, we check whether more than a certain amount of time has elapsed since the start, and force a timeout error if so.
This wouldn't quite make the maximum time deterministic, but it would be way, way better than what we now have. Since nearly all time is spent on the large number of operations, rather than in any single operation, it's probably the right approach.