On Wed, Jun 29, 2011 at 10:55 PM, Matthew Flatt <[email protected]> wrote:
>> >> 8 minutes ago, Carl Eastlund wrote:
>> >> > On Wed, Jun 29, 2011 at 9:19 PM, Matthew Flatt <[email protected]>
>> >> > wrote:
>> >> > > Things you need to know:
>> >> > >
>> >> > >  * When writing a macro (without `syntax-rules', `define-syntax-rule',
>> >> > >    or `syntax-id-rules'), apply `syntax-protect' to the macro's result
>> >> > >    syntax object to protect it from abuse. The `syntax-rules', etc.,
>> >> > >    forms use `syntax-protect' automatically.
>> >> >
>> >> > Does this mean we should be updating all our old macros now, and
>> >> > adding syntax-protect as boilerplate to (nearly) all of our new
>> >> > macros? How often is a manual syntax-protect necessary?
>
> I think you want to use `syntax-protect' on any exported macro.
>
> It only actually matters if some untrusted code is going to use a
> trusted instance of your library. Macros exported by `racket' are
> surely in that category, but maybe it doesn't matter for most
> libraries.
>
>> >> > It's great
>> >> > to have a system we can reason about, but the nice thing about
>> >> > certificates was that they were invisible most of the time. It
>> >> > looks like you're suggesting that at least the use of syntax-protect
>> >> > is going to become ubiquitous in this new system.
>
> Having to decorate trustworthy libraries with `syntax-protect' is
> definitely a drawback.
>
>> On Wed, Jun 29, 2011 at 10:10 PM, Eli Barzilay <[email protected]> wrote:
>> > An attempt to clarify what's unclear to me: if I'm supposed to almost
>> > always "arm" the result of a transformer, then why not have the
>> > expander do that for me, and add some new thing so in the exceptional
>> > cases I could do
>> >
>> >   (define-syntax (foo stx)
>> >     (dont-arm ...blah...))
>> >
>> > ?
>
> Sorry --- that point was buried too deeply in my message (first
> sub-bullet for the last bullet in the third set of bullets).
>
> The problem with having the macro transformer add `syntax-protect' for
>
>   (define-syntax bar
>     (lambda (stx) ...))
>
> is that some other transformer can say
>
>   ((syntax-local-value #'bar) stx)
>
> to get the transformer's result without `syntax-protect' --- which was
> a gaping hole that Ryan noticed in the certificate system.
>
> We considered ways of automating `syntax-protect' for all macros, but
> the ways we found seemed to create more problems than they solved.

Thank you, that greatly clarifies the issue for me. Of course I would
like to see syntax-case and syntax-parse have options to automatically
syntax-protect as well; that will cover a lot more common cases for me.
But now I can see where the trade-offs are that resulted in this
design.

--Carl
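
The advice in the thread, applied to an exported `syntax-case' macro whose expansion refers to an unexported binding. This is an added example, not code from any of the messages above; the module name `counter' and the identifiers `count', `bump!' and `next!' are hypothetical.

```racket
#lang racket/base
;; Added illustration. `counter', `count', `bump!' and `next!' are
;; hypothetical names chosen for this example.

(module counter racket/base
  (require (for-syntax racket/base))
  (provide next!)            ; only the macro is exported

  (define count 0)

  ;; Private helper: never exported, so client code should reach it
  ;; only through the expansion of `next!'.
  (define (bump!)
    (set! count (add1 count))
    count)

  ;; `syntax-case' does not protect its result the way `syntax-rules'
  ;; and `define-syntax-rule' do, so the transformer calls
  ;; `syntax-protect' on the syntax object it returns. Because the
  ;; call sits inside the transformer body, a caller that obtains the
  ;; procedure with `syntax-local-value' and applies it directly still
  ;; receives the protected result.
  (define-syntax (next! stx)
    (syntax-case stx ()
      [(_) (syntax-protect #'(bump!))])))

(require 'counter)

;; Ordinary use: the expander handles the protected result and the
;; expansion calls the private `bump!'.
(next!)
(next!)
```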

