Homepage: https://www.gnu.org/software/emacs
Author: Jonathan Yavner
Determine whether a Lisp form is safe to evaluate
This is a simplistic implementation that does not allow any modification of
buffers or global variables. It does no dataflow analysis, so functions
like `funcall' and `setcar' are completely disallowed. It is designed
for "pure Lisp" formulas, like those in spreadsheets, that don't make any
use of the text editing capabilities of Emacs.
A formula is safe if:
1. It's an atom.
2. It's a function call to a safe function and all arguments are safe
formulas.
3. It's a special form whose arguments are like a function's (and,
catch, if, or, prog1, prog2, progn, while, unwind-protect).
4. It's a special form or macro that creates safe temporary bindings
(condition-case, dolist, dotimes, lambda, let, let*).
4. It's one of (cond, quote) that have special parsing.
5. It's one of (add-to-list, setq, push, pop) and the assignment variable
is safe.
6. It's one of (apply, mapc, mapcar, mapconcat) and its first arg is a
quoted safe function.
A function is safe if:
1. It's a lambda containing safe formulas.
2. It's a member of list `safe-functions', so the user says it's safe.
3. It's a symbol with the `side-effect-free' property, defined by the
byte compiler or function author.
4. It's a symbol with the `safe-function' property, defined here or by
the function author. Value t indicates a function that is safe but
has innocuous side effects. Other values will someday indicate
functions with side effects that are not always safe.
The `side-effect-free' and `safe-function' properties are provided for
built-in functions and for functions and macros defined in subr.el.
A temporary binding is unsafe if its symbol:
1. Has the `risky-local-variable' property.
2. Has a name that ends with -command, font-lock-keywords(-[0-9]+)?,
font-lock-syntactic-keywords, -form, -forms, -frame-alist, -function,
-functions, -history, -hook, -hooks, -map, -map-alist, -mode-alist,
-predicate, or -program.
An assignment variable is unsafe if:
1. It would be unsafe as a temporary binding.
2. It doesn't already have a temporary or buffer-local binding.
There are unsafe forms that `unsafep' cannot detect. Beware of these:
1. The form's result is a string with a display property containing a
form to be evaluated later, and you insert this result into a
buffer. Always remove display properties before inserting!
2. The form alters a risky variable that was recently added to Emacs and
is not yet marked with the `risky-local-variable' property.
3. The form uses undocumented features of built-in functions that have
the `side-effect-free' property. For example, in Emacs-20 if you
passed a circular list to `assoc', Emacs would crash. Historically,
problems of this kind have been few and short-lived.