A call is a safe call if each of the following is either safe code or system code (other than system code that results from macro expansion of programmer code):
The following special cases require some elaboration:
(coerce
x 'function)
,
where x is a lambda expression,
the value of the optimize quality safety
in the global environment at the time the coerce
is executed applies to the resulting function.
ensure-generic-function
, the value of the
optimize quality safety
in the environment
object passed as the :environment argument applies
to the resulting generic function.
compile
with a lambda expression as the
argument, the value of the optimize quality safety
in the global environment at the time compile
is called
applies to the resulting compiled function.
compile
with only one argument, if the original definition
of the function was safe, then the resulting compiled function
must also be safe.
call-next-method
must be
considered safe if each of the following is
safe code or system code:
call-next-method
is established.
call-next-method
.
An unsafe call is a call that is not a safe call.
The informal intent is that the programmer can rely on a call
to be safe, even when system code is involved, if all reasonable
steps have been taken to ensure that the call is safe.
For example, if a programmer calls mapcar
from safe
code and supplies a function that was compiled
as safe, the implementation is required to ensure that
mapcar
makes a safe call as well.
If an error is signaled in a safe call, the exact point of the signal is implementation-dependent. In particular, it might be signaled at compile time or at run time, and if signaled at run time, it might be prior to, during, or after executing the call. However, it is always prior to the execution of the body of the function being called.
It is not permitted to supply too few arguments to a function. Too few arguments means fewer arguments than the number of required parameters for the function.
If this situation occurs in a safe call,
an error of type program-error
must be signaled;
and in an unsafe call the situation has undefined consequences.
It is not permitted to supply too many arguments to a function.
Too many arguments means more arguments than the number of required parameters
plus the number of optional parameters; however, if the function
uses &rest
or &key
, it is not possible for it to receive too many arguments.
If this situation occurs in a safe call,
an error of type program-error
must be signaled;
and in an unsafe call the situation has undefined consequences.
It is not permitted to supply a keyword argument to a function using a name that is not recognized by that function unless keyword argument checking is suppressed as described in Section 3.4.1.4.1 (Suppressing Keyword Argument Checking).
If this situation occurs in a safe call,
an error of type program-error
must be signaled;
and in an unsafe call the situation has undefined consequences.
It is not permitted to supply a keyword argument to a function using a name that is not a symbol.
If this situation occurs in a safe call,
an error of type program-error
must be signaled
unless keyword argument checking is suppressed as described
in Section 3.4.1.4.1 (Suppressing Keyword Argument Checking);
and in an unsafe call the situation has undefined consequences.
An odd number of arguments must not be supplied for the keyword parameters.
If this situation occurs in a safe call,
an error of type program-error
must be signaled
unless keyword argument checking is suppressed as described
in Section 3.4.1.4.1 (Suppressing Keyword Argument Checking);
and in an unsafe call the situation has undefined consequences.
When matching a destructuring lambda list against a form, the pattern and the form must have compatible tree structure, as described in Section 3.4.4 (Macro Lambda Lists).
Otherwise, in a safe call,
an error of type program-error
must be signaled;
and in an unsafe call the situation has undefined consequences.
If call-next-method
is called with arguments, the ordered
set of applicable methods for the changed set of arguments
for call-next-method
must be the same as the ordered set of
applicable methods for the original arguments to the
generic function, or else an error should be signaled.
The comparison between the set of methods applicable to the new arguments and the set applicable to the original arguments is insensitive to order differences among methods with the same specializers.
If call-next-method
is called with arguments that specify
a different ordered set of applicable methods and there is no
next method available, the test for different methods and the
associated error signaling (when present) takes precedence over calling
no-next-method
.