[R6RS] Safe/unsafe mode question

dyb at cs.indiana.edu dyb at cs.indiana.edu
Mon Jul 10 09:20:38 EDT 2006

> The only way for us to specify a truly portable semantics
> for safety checking is for us to try to specify all of the
> global invariants and to assign specific responsibilities
> for enforcing those invariants to different procedures and
> modules.
> For us to attempt that would be foolhardy.

I don't agree with Will's assessment.  The safe/unsafe distinction matters
only where we have already established requirements.  Furthermore, it's
straightforward to specify and implement a model in which raising
exceptions having to do with a primitive's actual parameters---by far the
majority of the exceptions we have specified---is the responsibility of
that primitive and to allow the exception not to be raised if the
primitive is obtained via a reference to a library name that is within the
scope of an unsafe declaration.  If the compiler is able to recognize a
primitive for what it is on the calling side, it will also know if it is
the safe or unsafe version, so it has all the flexibility it needs to
handle both safe and unsafe calls appropriately either at the call site
or at the entry point.

A lexically scoped safe/unsafe mode allows a macro to produce code in
which (some of) the calls it introduces are treated as unsafe without
affecting the calls in the input forms.  With Will's model, this is not
the case, at least without careful crafting of the output code.

