[R6RS] Safe/unsafe mode

Michael Sperber sperber at informatik.uni-tuebingen.de
Thu Jul 13 13:07:29 EDT 2006

William D Clinger <will at ccs.neu.edu> writes:

> Mike wrote:
>> Could we please get a bit more detail with remarks like this?
> Sorry.  The MLton compiler performs a whole-program
> flow analysis to determine every lambda expression
> whose value could possibly flow to a call site.  It
> then represents the closure by a record that contains
> an integer identifying the lambda expression, together
> with the values of its free variables.  The caller
> performs the call by executing a case dispatch on the
> integer, executing the lambda expression's code inline
> or via a jump to out-of-line code.
> The relevance of this technique to our discussion is
> that it divides the responsibility between caller and
> callee in a way that Kent probably has not considered.
> The importance of that relevance is much easier to see
> by considering a simple example.

Thanks for the explanation.  I'm still a bit confused about your
conclusion: Presumably, for safe executing, the arity and
argument-type checking happens in the individual cases of the case
dispatch.  As I understand Kent's model, the closure representing the
safe version of something (say, +) will be different from the closure
representing the unsafe version---thus, you get two cases in the
dispatch if both the safe and the unsafe version flow into the
application.  I don't see the conflict between this and Kent's
semantics (as described after you wrote this post).

> Now for an example:
>     (let ((f -))
>       (declare unsafe)
>       (f '(a)))
> With my preferred semantics, and with the mental model
> I sketched above, the unsafe call to f is allowed to
> use the unsafe entry point when it calls the - procedure,
> so all bets are off.  My preferred semantics allows the
> compiler optimization known as copy propagation, so the
> example above is equivalent to
>     (let ()
>       (declare unsafe)
>       (- '(a)))

The way I understand Kent's semantics, the first piece of code
essentially gets translated into:

(let ((f -/safe))
  (declare unsafe)
  (call/unsafe f '(a)))

(Kent, could you confirm or deny?  I'm sure your explanation actually
answers these questions, but I keep getting lost in the long chain of

This indeed requires saying whose responsibility it is to check arity
and types.  (I would say the responsibility for types should lie with
the callee.  The arity is not so clear.)

Anyway, copy propagation gets you:

(call/unsafe -/safe '(a))

... and it's a matter to specify what the interaction between an
unsafe application and a safe procedure is.  (Or leaving that bit

Sorry if I'm being dense---I'm just trying to get a mental handle on
the issues.

Cheers =8-} Mike
Friede, Völkerverständigung und überhaupt blabla

More information about the R6RS mailing list