1 ;;;; unsafep.el -- Determine whether a Lisp form is safe to evaluate
3 ;; Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
5 ;; Author: Jonathan Yavner <jyavner@member.fsf.org>
6 ;; Maintainer: Jonathan Yavner <jyavner@member.fsf.org>
7 ;; Keywords: safety lisp utility
9 ;; This file is part of GNU Emacs.
11 ;; GNU Emacs is free software: you can redistribute it and/or modify
12 ;; it under the terms of the GNU General Public License as published by
13 ;; the Free Software Foundation, either version 3 of the License, or
14 ;; (at your option) any later version.
16 ;; GNU Emacs is distributed in the hope that it will be useful,
17 ;; but WITHOUT ANY WARRANTY; without even the implied warranty of
18 ;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 ;; GNU General Public License for more details.
21 ;; You should have received a copy of the GNU General Public License
22 ;; along with GNU Emacs. If not, see <http://www.gnu.org/licenses/>.
26 ;; This is a simplistic implementation that does not allow any modification of
27 ;; buffers or global variables. It does no dataflow analysis, so functions
28 ;; like `funcall' and `setcar' are completely disallowed. It is designed
29 ;; for "pure Lisp" formulas, like those in spreadsheets, that don't make any
30 ;; use of the text editing capabilities of Emacs.
32 ;; A formula is safe if:
34 ;; 2. It's a function call to a safe function and all arguments are safe
36 ;; 3. It's a special form whose arguments are like a function's (and,
37 ;; catch, if, or, prog1, prog2, progn, while, unwind-protect).
38 ;; 4. It's a special form or macro that creates safe temporary bindings
39 ;; (condition-case, dolist, dotimes, lambda, let, let*).
40 ;; 4. It's one of (cond, quote) that have special parsing.
41 ;; 5. It's one of (add-to-list, setq, push, pop) and the assignment variable
43 ;; 6. It's one of (apply, mapc, mapcar, mapconcat) and its first arg is a
44 ;; quoted safe function.
46 ;; A function is safe if:
47 ;; 1. It's a lambda containing safe formulas.
48 ;; 2. It's a member of list `safe-functions', so the user says it's safe.
49 ;; 3. It's a symbol with the `side-effect-free' property, defined by the
50 ;; byte compiler or function author.
51 ;; 4. It's a symbol with the `safe-function' property, defined here or by
52 ;; the function author. Value t indicates a function that is safe but
53 ;; has innocuous side effects. Other values will someday indicate
54 ;; functions with side effects that are not always safe.
55 ;; The `side-effect-free' and `safe-function' properties are provided for
56 ;; built-in functions and for functions and macros defined in subr.el.
58 ;; A temporary binding is unsafe if its symbol:
59 ;; 1. Has the `risky-local-variable' property.
60 ;; 2. Has a name that ends with -command, font-lock-keywords(-[0-9]+)?,
61 ;; font-lock-syntactic-keywords, -form, -forms, -frame-alist, -function,
62 ;; -functions, -history, -hook, -hooks, -map, -map-alist, -mode-alist,
63 ;; -predicate, or -program.
65 ;; An assignment variable is unsafe if:
66 ;; 1. It would be unsafe as a temporary binding.
67 ;; 2. It doesn't already have a temporary or buffer-local binding.
69 ;; There are unsafe forms that `unsafep' cannot detect. Beware of these:
70 ;; 1. The form's result is a string with a display property containing a
71 ;; form to be evaluated later, and you insert this result into a
72 ;; buffer. Always remove display properties before inserting!
73 ;; 2. The form alters a risky variable that was recently added to Emacs and
74 ;; is not yet marked with the `risky-local-variable' property.
75 ;; 3. The form uses undocumented features of built-in functions that have
76 ;; the `side-effect-free' property. For example, in Emacs-20 if you
77 ;; passed a circular list to `assoc', Emacs would crash. Historically,
78 ;; problems of this kind have been few and short-lived.
83 (require 'byte-opt
) ;Set up the `side-effect-free' properties
85 (defcustom safe-functions nil
86 "A list of assumed-safe functions, or t to disable `unsafep'."
88 :type
'(choice (const :tag
"No" nil
) (const :tag
"Yes" t
) hook
))
90 (defvar unsafep-vars nil
91 "Dynamically-bound list of variables with lexical bindings at this point
93 (put 'unsafep-vars
'risky-local-variable t
)
95 ;;Side-effect-free functions from subr.el
96 (dolist (x '(assoc-default assoc-ignore-case butlast last match-string
97 match-string-no-properties member-ignore-case remove remq
))
98 (put x
'side-effect-free t
))
100 ;;Other safe functions
101 (dolist (x '(;;Special forms
102 and catch if or prog1 prog2 progn while unwind-protect
103 ;;Safe subrs that have some side-effects
104 ding error message minibuffer-message random read-minibuffer
105 signal sleep-for string-match throw y-or-n-p yes-or-no-p
106 ;;Defsubst functions from subr.el
108 ;;Macros from subr.el
109 save-match-data unless when with-temp-message
110 ;;Functions from subr.el that have side effects
111 read-passwd split-string replace-regexp-in-string
113 (put x
'safe-function t
))
116 (defun unsafep (form &optional unsafep-vars
)
117 "Return nil if evaluating FORM couldn't possibly do any harm.
118 Otherwise result is a reason why FORM is unsafe.
119 UNSAFEP-VARS is a list of symbols with local bindings."
121 (if (or (eq safe-functions t
) ;User turned off safety-checking
122 (atom form
)) ;Atoms are never unsafe
123 (throw 'unsafep nil
))
124 (let* ((fun (car form
))
125 (reason (unsafep-function fun
))
129 ;;It's a normal function - unsafe if any arg is
130 (unsafep-progn (cdr form
)))
134 ((memq fun
'(apply mapc mapcar mapconcat
))
135 ;;Unsafe if 1st arg isn't a quoted lambda
136 (setq arg
(cadr form
))
138 ((memq (car-safe arg
) '(quote function
))
139 (setq reason
(unsafep-function (cadr arg
))))
140 ((eq (car-safe arg
) 'lambda
)
141 ;;Self-quoting lambda
142 (setq reason
(unsafep arg unsafep-vars
)))
144 (setq reason
`(unquoted ,arg
))))
145 (or reason
(unsafep-progn (cddr form
))))
147 ;;First arg is temporary bindings
149 (or (memq x
'(&optional
&rest
))
150 (let ((y (unsafep-variable x t
)))
151 (if y
(throw 'unsafep y
))
152 (push x unsafep-vars
))))
154 (unsafep-progn (cddr form
)))
156 ;;Creates temporary bindings in one step
157 (setq unsafep-vars
(nconc (mapcar #'unsafep-let
(cadr form
))
159 (unsafep-progn (cddr form
)))
161 ;;Creates temporary bindings iteratively
162 (dolist (x (cadr form
))
163 (push (unsafep-let x
) unsafep-vars
))
164 (unsafep-progn (cddr form
)))
166 ;;Safe if odd arguments are local-var syms, evens are safe exprs
167 (setq arg
(cdr form
))
169 (setq reason
(or (unsafep-variable (car arg
) nil
)
170 (unsafep (cadr arg
) unsafep-vars
)))
171 (if reason
(throw 'unsafep reason
))
172 (setq arg
(cddr arg
))))
174 ;;safe if arg is local-var sym
175 (unsafep-variable (cadr form
) nil
))
177 ;;Safe if 2nd arg is a local-var sym
178 (or (unsafep (cadr form
) unsafep-vars
)
179 (unsafep-variable (nth 2 form
) nil
)))
180 ((eq fun
'add-to-list
)
181 ;;Safe if first arg is a quoted local-var sym
182 (setq arg
(cadr form
))
183 (if (not (eq (car-safe arg
) 'quote
))
185 (or (unsafep-variable (cadr arg
) nil
)
186 (unsafep-progn (cddr form
)))))
188 ;;Special form with unusual syntax - safe if all args are
189 (dolist (x (cdr form
))
190 (setq reason
(unsafep-progn x
))
191 (if reason
(throw 'unsafep reason
))))
192 ((memq fun
'(dolist dotimes
))
193 ;;Safe if COUNT and RESULT are safe. VAR is bound while checking BODY.
194 (setq arg
(cadr form
))
195 (or (unsafep-progn (cdr arg
))
196 (let ((unsafep-vars (cons (car arg
) unsafep-vars
)))
197 (unsafep-progn (cddr form
)))))
198 ((eq fun
'condition-case
)
199 ;;Special form with unusual syntax - safe if all args are
200 (or (unsafep-variable (cadr form
) t
)
201 (unsafep (nth 2 form
) unsafep-vars
)
202 (let ((unsafep-vars (cons (cadr form
) unsafep-vars
)))
203 ;;var is bound only during handlers
204 (dolist (x (nthcdr 3 form
))
205 (setq reason
(unsafep-progn (cdr x
)))
206 (if reason
(throw 'unsafep reason
))))))
208 ;;First unsafep-function call above wasn't nil, no special case applies
212 (defun unsafep-function (fun)
213 "Return nil if FUN is a safe function.
214 \(Either a safe lambda or a symbol that names a safe function).
215 Otherwise result is a reason code."
217 ((eq (car-safe fun
) 'lambda
)
218 (unsafep fun unsafep-vars
))
219 ((not (and (symbolp fun
)
220 (or (get fun
'side-effect-free
)
221 (eq (get fun
'safe-function
) t
)
222 (eq safe-functions t
)
223 (memq fun safe-functions
))))
226 (defun unsafep-progn (list)
227 "Return nil if all forms in LIST are safe.
228 Else, return the reason for the first unsafe form."
229 (catch 'unsafep-progn
232 (setq reason
(unsafep x unsafep-vars
))
233 (if reason
(throw 'unsafep-progn reason
))))))
235 (defun unsafep-let (clause)
236 "Check the safety of a let binding.
237 CLAUSE is a let-binding, either SYM or (SYM) or (SYM VAL).
238 Check VAL and throw a reason to `unsafep' if unsafe.
243 (setq sym
(car clause
)
244 reason
(unsafep (cadr clause
) unsafep-vars
)))
245 (setq reason
(or (unsafep-variable sym t
) reason
))
246 (if reason
(throw 'unsafep reason
))
249 (defun unsafep-variable (sym to-bind
)
250 "Return nil if SYM is safe to set or bind, or a reason why not.
251 If TO-BIND is nil, check whether SYM is safe to set.
252 If TO-BIND is t, check whether SYM is safe to bind."
256 ((risky-local-variable-p sym nil
)
257 `(risky-local-variable ,sym
))
259 (memq sym unsafep-vars
)
260 (local-variable-p sym
)))
261 `(global-variable ,sym
))))
263 ;; arch-tag: 6216f98b-eb8f-467a-9c33-7a7644f50658
264 ;;; unsafep.el ends here