[R6RS] Safe/unsafe mode

dyb at cs.indiana.edu dyb at cs.indiana.edu
Tue Jul 11 17:59:27 EDT 2006


> For the record, I define unsafe code as
>
>   * all code within a library that contains a (safe 0)
>     or unsafe declaration at its head, excepting nested
>     bodies that contain a safe or (safe n) declaration,
>     where n > 0, at their head;
>   * all code within a body that contains a (safe 0) or
>     unsafe declaration at its head, excepting nested
>     bodies that contain a safe or (safe n) declaration,
>     where n > 0, at their head.

I'm not sure what you mean by "within a library" or "within a body". 
Assume no (safe 0) declarations appear outside of the following
definition of foo.

  (define (foo x)
    (let-syntax ([define-cell
                  (syntax-rules ()
                    [(_ name init)
                     (begin
                       (define v (vector init))
                       (define-syntax name
                         (syntax-rules ()
                           [(_)
                            (let ()
                              (declare (safe 0))
                              (vector-ref v 0))]
                           [(_ e)
                            (let ()
                              (declare (safe 0))
                              (vector-set! v 0 e))])))])])
      (let ()
        (declare (safe 1))
        (define-cell frob 82)
        (frob (car x))
        (frob))))

Is the call (car x) unsafe code?

> For the record, the semantics I prefer for unsafe code is
> simply this:
>
> If unsafe code does not do anything that might generate an
> exception or cause unspecified behavior had the unsafe
> declarations been absent, then the behavior of unsafe code
> is the same as some legal behavior for safe code.
>
> If unsafe code does something that might generate an
> exception or cause unspecified behavior, then all bets are
> off.

I think I understand what you mean here, but to clarify, assume there are
no (safe 0) declarations outside of the following definition of map.

  (define map
    (lambda (p ls)
      (declare (safe 0))
      (type-check procedure? p "procedure")
      (type-check list? ls "list")
      (let f ([ls ls])
        (if (null? ls)
            '()
            (cons (p (car ls)) (f (cdr ls)))))))

If map is passed the procedure - and the list (a), from code that is not
unsafe code, and the two calls to type-check return without doing
anything, must the call to - resulting from (p (car ls)) raise an
exception because - receives a nonnumeric argument, or are all bets off?

Kent



More information about the R6RS mailing list