[R6RS] Safe/unsafe mode question

[Michael Sperber]

I'm getting really confused here---my brain hurts.

William D Clinger <will at ccs.neu.edu> writes:

> That would give us a semantics that is usable for settling
> perhaps 80% of the safe/unsafe questions, which would be
> an improvement over the approximately 20% solution of your
> original semantics.

It's probably possible to figure out which 20% you're referring to by
going back in the e-mail history and boiling down the list in your
notes to Kent's proposal---but could you give one or two examples?

One thing that bothers me about the discussion so far, and that keeps
getting buried, is that the concept of unsafety seems to be getting
hardwired into the compiler, and through the somewhat arbitrary scope
of R6RS has arbitrary scope as well. ("Scope" referring to the
colloquial meaning here, not anything lexical.)  Or I'm
misunderstanding---help me out if that's the case.

In both Will's and Kent's proposals, the safe/unsafe mode seems to
apply to a caller:  If I run the following code in unsafe mode:

(+ 'foo 'bar)

... then all bets are off.  Thus, the Scheme system essentially
provides two versions of +, but the choice gets made by running the
*caller* in safe or unsafe mode, rather than making it clear that two
versions of + exist.  How does a programmer declare safe/unsafe
distinctions for the stuff exported from her own code?

In C, the local equivalent of safety may be declared via various
compiler flags.  In effect, however, I can generate safe and unsafe
versions of a certain module, and then pick by linking against one or
the other.  (And code can express distinctions via the preprocessor.)
This has many practical downsides, but has the appeal of being fairly
easy to undertand in principle, and reasonably easy to handle in
practice.  Is there a strong reason why the same concept won't work
for us---without the caveats if possible?

-- 
Cheers =8-} Mike
Friede, Völkerverständigung und überhaupt blabla