[R6RS] Safe/unsafe mode

William D Clinger will at ccs.neu.edu
Thu Jul 13 13:59:07 EDT 2006

Mike wrote:
> This indeed requires saying whose responsibility it is to check arity
> and types.  (I would say the responsibility for types should lie with
> the callee.  The arity is not so clear.)

I would say the responsibility for both type checking
and arity checking may be divided between caller and
callee in any way that an implementation may see fit.

If we provide only a single, safe version of standard
procedures, and also allow type checking to be turned
off, then the responsibility for type checking cannot
universally be the responsibility of the callee.

Safe primitives can be synthesized from unsafe, but
unsafe primitives cannot be synthesized from safe.
Hence the standard compiler technique is to use
unsafe primitives, which are then combined with
whatever run-time checks are required to ensure
safety.  When both the run-time checks and the
unsafe primitive are inlined in the caller's code,
the run-time checks are exposed to optimizations
that may remove redundant checking.

The mental model I suggested, of having both a safe
and an unsafe entry point for every procedure, is
an abstraction of that reality.  The effect of the
reality is to have arbitrarily many entry points,
bounded only by an exponential function of the number
of run-time checks that are performed for a procedure.
The safe entry point corresponds to performing all of
the checks, and the unsafe to performing none.

I wish to preserve the freedom to perform some of
those checks in unsafe code while omitting others,
even if the omitted checks aren't redundant in the
context of the call, based perhaps on such factors
as the context of the call and the priorities for
the fast, small, and debug qualities.  A semantics
that is truly based on having two versions of each
procedure, safe and unsafe, would not seem to allow
for such fine distinctions, and might therefore be
less safe in practice.


More information about the R6RS mailing list