[R6RS] Safe/unsafe mode question

William D Clinger will at ccs.neu.edu
Mon Jul 10 12:18:07 EDT 2006


Kent wrote:
> > The only way for us to specify a truly portable semantics
> > for safety checking is for us to try to specify all of the
> > global invariants and to assign specific responsibilities
> > for enforcing those invariants to different procedures and
> > modules.
> >
> > For us to attempt that would be foolhardy.
> 
> I don't agree with Will's assessment.  The safe/unsafe distinction matters
> only where we have already established requirements.  Furthermore, It's
> straightforward to specify and implement a model in which raising
> exceptions having to do with a primitive's actual parameters---by far the
> majority of the exceptions we have specified---is the responsibility of
> that primitive and to allow the exception not to be raised if the
> primitive is obtained via a reference to a library name that is within the
> scope of an unsafe declaration.

That would give us a semantics that is usable for settling
perhaps 80% of the safe/unsafe questions, which would be
an improvement over the approximately 20% solution of your
original semantics.

> A lexically scoped safe/unsafe mode allows a macro to produce code in
> which (some of) the calls it introduces are treated as unsafe without
> affecting the calls in the input forms.  With Will's model, this is not
> the case, at least without careful crafting of the output code.

My concern is that the semantics of safe/unsafe declarations
allow programmers to figure out what they can rely upon, and
what they cannot rely upon.  In my opinion, a semantics that
simply ignores roughly 20% of their questions is unreasonable.
If you think your 80% semantics can easily be extended to a
semantics that provides the kind of guidance programmers need,
then I look forward to seeing your semantics.

For the record, the semantics I prefer for unsafe code is
simply this:

If unsafe code does not do anything that might generate an
exception or cause unspecified behavior had the unsafe
declarations been absent, then the behavior of unsafe mode
is the same as some legal behavior for safe mode (but not
necessarily the same behavior you would get for safe mode
in the particular implementation you're using).

If unsafe code does something that might generate an
exception or cause unspecified behavior, then all bets are
off.

Will



More information about the R6RS mailing list