[R6RS] draft statement on safety

William D Clinger will at ccs.neu.edu
Wed Aug 2 12:11:06 EDT 2006


Draft statement of what the R6RS might say about safety.

The standard libraries whose exports are described by this
document are said to be \defining{safe libraries}.  Libraries
that import only from safe libraries, and do not contain any
{\cf (safe 0)} or {\cf unsafe} declarations, are also said
to be safe libraries.  A script is said to be safe if and
only if its library part is a safe library.

As defined by this document, the Scheme programming language
is safe in the following sense:
If a Scheme script is said to be safe, then its execution
cannot go so badly wrong as to behave in ways that are
inconsistent with the semantics described in this document,
unless said execution first encounters some implementation
restriction or other defect in the implementation of Scheme
that is executing the script.

Violations of an implementation restriction must raise an
{\cf &implementation-restriction} exception, as must all
violations and errors that would otherwise threaten system
integrity in ways that might result in execution that is
inconsistent with the semantics described in this document.

The above safety properties are guaranteed only for scripts
and libraries that are said to be safe.  Implementations
may provide access to unsafe libraries, and may interpret
{\cf (safe 0)} and {\cf unsafe} declarations in ways that
cannot guarantee safety.


Draft statement of what the R6RS might say about the default
exception handlers.  (This might replace the fifth paragraph
of the current section 9.1.)

When a safe script begins its execution, the current
exception handler is expected to handle all {\cf &serious}
conditions by interrupting execution, reporting that an
exception has been raised, and displaying information
about the condition object that was provided.  The handler
may then exit, or may provide a choice of other options.
Moreover, the exception handler is expected to return when
passed any other (``non-serious'') condition.
Interpretation of these expectations necessarily depends
upon the nature of the system in which scripts are executed,
but the intent is that users perceive the raising of an
exception as a controlled escape from the situation that
raised the exception, not as a crash.

Will
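An added illustration, not part of Will's draft or of the R6RS document itself: R6RS code that makes the distinction drawn above observable, between a `&serious` condition (here `&implementation-restriction`), which a handler treats as a controlled escape, and a non-serious condition (`&warning`), from which the handler simply returns. The procedure `limited-op` and its limit of 1000 are constructed for this example; a real implementation raises `&implementation-restriction` from inside its own primitives. Only the standard `(rnrs)` library is assumed.

```scheme
;; Added example; not code from the R6RS draft.  Demonstrates how the
;; serious / non-serious split in the default-handler text can be observed.
(import (rnrs))

;; Stand-in for a primitive that hits an implementation restriction.  The
;; limit of 1000 is constructed for the example; the condition object is
;; built with the standard R6RS constructors.
(define (limited-op n)
  (if (> n 1000)
      (raise (condition
              (make-implementation-restriction-violation)
              (make-who-condition 'limited-op)
              (make-message-condition "argument exceeds implementation limit")
              (make-irritants-condition (list n))))
      (* n 2)))

;; Script-level guard.  &implementation-restriction is a &serious condition:
;; left uncaught in a safe script it ends in a controlled escape, never in
;; behaviour outside the semantics.  Here we catch it and report it as data.
(define (run-safely n)
  (guard (c ((implementation-restriction-violation? c)
             (list 'implementation-restriction
                   (condition-who c)
                   (condition-message c)
                   (condition-irritants c))))
    (list 'ok (limited-op n))))

;; Non-serious conditions are raised continuably.  A handler that returns a
;; value resumes the computation at the raise point; anything serious is
;; re-raised so the outer (default) handler keeps its controlled-escape role.
(define (warn-and-continue)
  (with-exception-handler
    (lambda (c)
      (if (serious-condition? c)
          (raise c)
          'handled))
    (lambda ()
      (let ((r (raise-continuable (make-warning))))
        (list 'resumed-with r)))))

(display (run-safely 10))     (newline)
(display (run-safely 5000))   (newline)
(display (warn-and-continue)) (newline)
```

The guard in `run-safely` is the script-boundary policy the draft describes: a `&serious` condition escapes to a point where it is reported, not swallowed. Inside `warn-and-continue`, checking `serious-condition?` before returning is what keeps a handler from accidentally turning a serious violation into a silent resumption.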