1 ;;;; unsafep.el -- Determine whether a Lisp form is safe to evaluate
3 ;; Copyright (C) 2002-2020 Free Software Foundation, Inc.
5 ;; Author: Jonathan Yavner <jyavner@member.fsf.org>
6 ;; Keywords: safety lisp utility
8 ;; This file is part of GNU Emacs.
10 ;; GNU Emacs is free software: you can redistribute it and/or modify
11 ;; it under the terms of the GNU General Public License as published by
12 ;; the Free Software Foundation, either version 3 of the License, or
13 ;; (at your option) any later version.
15 ;; GNU Emacs is distributed in the hope that it will be useful,
16 ;; but WITHOUT ANY WARRANTY; without even the implied warranty of
17 ;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 ;; GNU General Public License for more details.
20 ;; You should have received a copy of the GNU General Public License
21 ;; along with GNU Emacs. If not, see <https://www.gnu.org/licenses/>.
23 ;;; Commentary:
25 ;; This is a simplistic implementation that does not allow any modification of
26 ;; buffers or global variables. It does no dataflow analysis, so functions
27 ;; like `funcall' and `setcar' are completely disallowed. It is designed
28 ;; for "pure Lisp" formulas, like those in spreadsheets, that don't make any
29 ;; use of the text editing capabilities of Emacs.
31 ;; A formula is safe if:
32 ;; 1. It's an atom.
33 ;; 2. It's a function call to a safe function and all arguments are safe
34 ;; formulas.
35 ;; 3. It's a special form whose arguments are like a function's (and,
36 ;; catch, if, or, prog1, prog2, progn, while, unwind-protect).
37 ;; 4. It's a special form or macro that creates safe temporary bindings
38 ;; (condition-case, dolist, dotimes, lambda, let, let*).
39 ;; 5. It's one of (cond, quote) that have special parsing.
40 ;; 6. It's one of (add-to-list, setq, push, pop) and the assignment variable
41 ;; is safe.
42 ;; 7. It's one of (apply, mapc, mapcar, mapconcat) and its first arg is a
43 ;; quoted safe function.
45 ;; A function is safe if:
46 ;; 1. It's a lambda containing safe formulas.
47 ;; 2. It's a member of list `safe-functions', so the user says it's safe.
48 ;; 3. It's a symbol with the `side-effect-free' property, defined by the
49 ;; byte compiler or function author.
50 ;; 4. It's a symbol with the `safe-function' property, defined here or by
51 ;; the function author. Value t indicates a function that is safe but
52 ;; has innocuous side effects. Other values will someday indicate
53 ;; functions with side effects that are not always safe.
54 ;; The `side-effect-free' and `safe-function' properties are provided for
55 ;; built-in functions and for functions and macros defined in subr.el.
57 ;; A temporary binding is unsafe if its symbol:
58 ;; 1. Has the `risky-local-variable' property.
59 ;; 2. Has a name that ends with -command, font-lock-keywords(-[0-9]+)?,
60 ;; font-lock-syntactic-keywords, -form, -forms, -frame-alist, -function,
61 ;; -functions, -history, -hook, -hooks, -map, -map-alist, -mode-alist,
62 ;; -predicate, or -program.
64 ;; An assignment variable is unsafe if:
65 ;; 1. It would be unsafe as a temporary binding.
66 ;; 2. It doesn't already have a temporary or buffer-local binding.
68 ;; There are unsafe forms that `unsafep' cannot detect. Beware of these:
69 ;; 1. The form's result is a string with a display property containing a
70 ;; form to be evaluated later, and you insert this result into a
71 ;; buffer. Always remove display properties before inserting!
72 ;; 2. The form alters a risky variable that was recently added to Emacs and
73 ;; is not yet marked with the `risky-local-variable' property.
74 ;; 3. The form uses undocumented features of built-in functions that have
75 ;; the `side-effect-free' property. For example, in Emacs-20 if you
76 ;; passed a circular list to `assoc', Emacs would crash. Historically,
77 ;; problems of this kind have been few and short-lived.
79 ;;; Code:
81 (provide 'unsafep)
82 (require 'byte-opt) ;Set up the `side-effect-free' properties
;; User-facing switch for the checker.  The value t makes `unsafep' and
;; `unsafep-function' accept every form and function, so it removes the
;; protection entirely; a list only extends the set of accepted functions.
(defcustom safe-functions nil
  "A list of assumed-safe functions, or t to disable `unsafep'."
  :type '(choice (const :tag "No" nil) (const :tag "Yes" t) hook)
  :group 'lisp)

;; Bookkeeping for the walk over a form: symbols that the enclosing
;; lambda/let/let*/dolist/dotimes/condition-case forms have bound so far.
;; `unsafep-variable' consults it to decide whether an assignment targets a
;; local binding.
(defvar unsafep-vars nil
  "Dynamically-bound list of variables with lexical bindings at this point
in the parse.")

;; Mark the bookkeeping variable itself as risky, so `unsafep-variable'
;; rejects checked forms that try to bind or set it.
(put 'unsafep-vars 'risky-local-variable t)
;; Functions, macros and special forms accepted in addition to those that
;; carry the `side-effect-free' property.  Each symbol gets the property
;; `safe-function' with value t, which `unsafep-function' accepts.
;;
;; For a symbol accepted this way `unsafep' only checks the argument forms
;; of the call.  Before adding an entry, confirm that the function cannot
;; modify buffers or global state and does not call code handed to it as data.
(mapc (lambda (sym)
        (put sym 'safe-function t))
      '(;; Special forms
        and catch if or prog1 prog2 progn while unwind-protect
        ;; Safe subrs that have some side-effects
        ding error random signal sleep-for string-match throw
        ;; Defsubst functions from subr.el
        caar cadr cdar cddr
        ;; Macros from subr.el
        save-match-data unless when
        ;; Functions from subr.el that have side effects
        split-string replace-regexp-in-string play-sound-file))
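;;;###autoload
(defun unsafep (form &optional unsafep-vars)
  "Return nil if evaluating FORM couldn't possibly do any harm.
Otherwise result is a reason why FORM is unsafe.
UNSAFEP-VARS is a list of symbols with local bindings.

The reason is a list whose car names the problem: (function FUN),
(unquoted ARG), (variable SYM), (risky-local-variable SYM) or
(global-variable SYM).

If `safe-functions' is t, every FORM is reported as safe."
  (catch 'unsafep
    (if (or (eq safe-functions t)       ;User turned off safety-checking
            (atom form))                ;Atoms are never unsafe
        (throw 'unsafep nil))
    (let* ((fun (car form))
           (reason (unsafep-function fun))
           arg)
      (cond
       ((not reason)
        ;;It's a normal function - unsafe if any arg is
        (unsafep-progn (cdr form)))
       ((eq fun 'quote)
        ;;Never unsafe
        nil)
       ((memq fun '(apply mapc mapcar mapconcat))
        ;;Unsafe if 1st arg isn't a quoted lambda
        (setq arg (cadr form))
        (cond
         ((memq (car-safe arg) '(quote function))
          (setq reason (unsafep-function (cadr arg))))
         ((eq (car-safe arg) 'lambda)
          ;;Self-quoting lambda
          (setq reason (unsafep arg unsafep-vars)))
         (t
          ;;A computed function argument cannot be vetted, so reject it
          (setq reason `(unquoted ,arg))))
        (or reason (unsafep-progn (cddr form))))
       ((eq fun 'lambda)
        ;;First arg is temporary bindings
        (mapc #'(lambda (x)
                  (or (memq x '(&optional &rest))
                      (let ((y (unsafep-variable x t)))
                        (if y (throw 'unsafep y))
                        (push x unsafep-vars))))
              (cadr form))
        (unsafep-progn (cddr form)))
       ((eq fun 'let)
        ;;Creates temporary bindings in one step
        (setq unsafep-vars (nconc (mapcar #'unsafep-let (cadr form))
                                  unsafep-vars))
        (unsafep-progn (cddr form)))
       ((eq fun 'let*)
        ;;Creates temporary bindings iteratively
        (dolist (x (cadr form))
          (push (unsafep-let x) unsafep-vars))
        (unsafep-progn (cddr form)))
       ((eq fun 'setq)
        ;;Safe if odd arguments are local-var syms, evens are safe exprs
        (setq arg (cdr form))
        (while arg
          (setq reason (or (unsafep-variable (car arg) nil)
                           (unsafep (cadr arg) unsafep-vars)))
          (if reason (throw 'unsafep reason))
          (setq arg (cddr arg))))
       ((eq fun 'pop)
        ;;safe if arg is local-var sym
        (unsafep-variable (cadr form) nil))
       ((eq fun 'push)
        ;;Safe if 2nd arg is a local-var sym
        (or (unsafep (cadr form) unsafep-vars)
            (unsafep-variable (nth 2 form) nil)))
       ((eq fun 'add-to-list)
        ;;Safe if first arg is a quoted local-var sym
        (setq arg (cadr form))
        (if (not (eq (car-safe arg) 'quote))
            `(unquoted ,arg)
          (or (unsafep-variable (cadr arg) nil)
              (unsafep-progn (cddr form)))))
       ((eq fun 'cond)
        ;;Special form with unusual syntax - safe if all args are
        (dolist (x (cdr form))
          (setq reason (unsafep-progn x))
          (if reason (throw 'unsafep reason))))
       ((memq fun '(dolist dotimes))
        ;;Safe if VAR may be bound and COUNT and RESULT are safe.
        ;;VAR is bound while checking BODY.  VAR gets the same
        ;;`unsafep-variable' check as the lambda, let and condition-case
        ;;bindings, so a loop cannot rebind a risky variable unchecked.
        (setq arg (cadr form))
        (or (unsafep-variable (car arg) t)
            (unsafep-progn (cdr arg))
            (let ((unsafep-vars (cons (car arg) unsafep-vars)))
              (unsafep-progn (cddr form)))))
       ((eq fun 'condition-case)
        ;;Special form with unusual syntax - safe if all args are
        (or (unsafep-variable (cadr form) t)
            (unsafep (nth 2 form) unsafep-vars)
            (let ((unsafep-vars (cons (cadr form) unsafep-vars)))
              ;;var is bound only during handlers
              (dolist (x (nthcdr 3 form))
                (setq reason (unsafep-progn (cdr x)))
                (if reason (throw 'unsafep reason))))))
       ((eq fun '\`)
        ;; Backquoted form - safe if its expansion is.
        ;; The expansion is checked without the current UNSAFEP-VARS, so
        ;; assignments to enclosing locals inside it are judged as if no
        ;; local bindings existed (the stricter outcome).
        (unsafep (cdr (backquote-process (cadr form)))))
       (t
        ;;First unsafep-function call above wasn't nil, no special case applies
        reason)))))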
(defun unsafep-function (fun)
  "Return nil if FUN is a safe function.
\(Either a safe lambda or a symbol that names a safe function).
Otherwise result is a reason code.

A symbol is accepted when it has a non-nil `side-effect-free'
property, when its `safe-function' property is exactly t, or when
`safe-functions' is t or contains it.  Anything else, including a
non-symbol that is not a lambda, yields (function FUN)."
  (if (eq (car-safe fun) 'lambda)
      ;; A lambda is vetted as a form, with the bindings seen so far.
      (unsafep fun unsafep-vars)
    ;; Default-deny: no reason code is returned only for an accepted symbol.
    (unless (and (symbolp fun)
                 (or (get fun 'side-effect-free)
                     (eq (get fun 'safe-function) t)
                     (eq safe-functions t)
                     (memq fun safe-functions)))
      (list 'function fun))))
(defun unsafep-progn (list)
  "Return nil if all forms in LIST are safe.
Else, return the reason for the first unsafe form."
  (let ((remaining list)
        verdict)
    ;; Walk LIST in order and stop at the first form `unsafep' objects to.
    (while (and remaining (not verdict))
      (setq verdict (unsafep (car remaining) unsafep-vars)
            remaining (cdr remaining)))
    verdict))
(defun unsafep-let (clause)
  "Check the safety of a let binding.
CLAUSE is a let-binding, either SYM or (SYM) or (SYM VAL).
Check VAL and throw a reason to `unsafep' if unsafe.
Return SYM."
  (let* ((sym (if (atom clause) clause (car clause)))
         ;; VAL is checked first; a bare SYM has no value form to check.
         (value-reason (and (consp clause)
                            (unsafep (cadr clause) unsafep-vars)))
         ;; An objection to binding SYM takes precedence over one to VAL.
         (verdict (or (unsafep-variable sym t) value-reason)))
    (if verdict (throw 'unsafep verdict))
    sym))
(defun unsafep-variable (sym to-bind)
  "Return nil if SYM is safe to set or bind, or a reason why not.
If TO-BIND is nil, check whether SYM is safe to set.
If TO-BIND is t, check whether SYM is safe to bind.

The reason is (variable SYM) when SYM is not a symbol,
\(risky-local-variable SYM) when `risky-local-variable-p' flags it,
and (global-variable SYM) when SYM is to be set but is neither in
`unsafep-vars' nor buffer-local."
  (if (not (symbolp sym))
      (list 'variable sym)
    (if (risky-local-variable-p sym nil)
        ;; Risky names are refused for binding and for assignment alike.
        (list 'risky-local-variable sym)
      ;; Assignment is only allowed to a binding the checked form created
      ;; itself or to a buffer-local variable.  `local-variable-p' is called
      ;; without a BUFFER argument, so it consults the buffer that is
      ;; current while the check runs.
      (unless (or to-bind
                  (memq sym unsafep-vars)
                  (local-variable-p sym))
        (list 'global-variable sym)))))
258 ;;; unsafep.el ends here