File: unsafep.el.html
This is a simplistic implementation that does not allow any modification of
buffers or global variables. It does no dataflow analysis, so functions
like funcall and setcar are completely disallowed. It is designed
for "pure Lisp" formulas, like those in spreadsheets, that don't make any
use of the text editing capabilities of Emacs.
A formula is safe if:
1. It's an atom.
2. It's a function call to a safe function and all arguments are safe
formulas.
3. It's a special form whose arguments are like a function's (and,
catch, if, or, prog1, prog2, progn, while, unwind-protect).
4. It's a special form or macro that creates safe temporary bindings
(condition-case, dolist, dotimes, lambda, let, let*).
4. It's one of (cond, quote) that have special parsing.
5. It's one of (add-to-list, setq, push, pop) and the assignment variable
is safe.
6. It's one of (apply, mapc, mapcar, mapconcat) and its first arg is a
quoted safe function.
A function is safe if:
1. It's a lambda containing safe formulas.
2. It's a member of list safe-functions, so the user says it's safe.
3. It's a symbol with the side-effect-free property, defined by the
byte compiler or function author.
4. It's a symbol with the safe-function property, defined here or by
the function author. Value t indicates a function that is safe but
has innocuous side effects. Other values will someday indicate
functions with side effects that are not always safe.
The side-effect-free and safe-function properties are provided for
built-in functions and for functions and macros defined in subr.el.
A temporary binding is unsafe if its symbol:
1. Has the risky-local-variable property.
2. Has a name that ends with -command, font-lock-keywords(-[0-9]+)?,
font-lock-syntactic-keywords, -form, -forms, -frame-alist, -function,
-functions, -history, -hook, -hooks, -map, -map-alist, -mode-alist,
-predicate, or -program.
An assignment variable is unsafe if:
1. It would be unsafe as a temporary binding.
2. It doesn't already have a temporary or buffer-local binding.
There are unsafe forms that unsafep cannot detect. Beware of these:
1. The form's result is a string with a display property containing a
form to be evaluated later, and you insert this result into a
buffer. Always remove display properties before inserting!
2. The form alters a risky variable that was recently added to Emacs and
is not yet marked with the risky-local-variable property.
3. The form uses undocumented features of built-in functions that have
the side-effect-free property. For example, in Emacs-20 if you
passed a circular list to assoc, Emacs would crash. Historically,
problems of this kind have been few and short-lived.
Defined variables (2)
safe-functions | A list of assumed-safe functions, or t to disable ‘unsafep’. |
unsafep-vars | Dynamically-bound list of variables with lexical bindings at this point |
Defined functions (5)
unsafep | (FORM &optional VARS) |
unsafep-function | (FUN) |
unsafep-let | (CLAUSE) |
unsafep-progn | (LIST) |
unsafep-variable | (SYM TO-BIND) |