Path: utzoo!news-server.csri.toronto.edu!cs.utexas.edu!hellgate.utah.edu!caen!zaphod.mps.ohio-state.edu!wuarchive!mit-eddie!uw-beaver!ubc-cs!manis
From: manis@cs.ubc.ca (Vincent Manis)
Newsgroups: comp.lang.scheme
Subject: Re: EVAL in Scheme
Message-ID: <1991Mar6.004022.26316@cs.ubc.ca>
Date: 6 Mar 91 00:40:22 GMT
References: <13781@asylum.SF.CA.US>
Sender: news@cs.ubc.ca (Usenet News)
Organization: Institute for Pure and Applied Eschatology
Lines: 69

In article <13781@asylum.SF.CA.US> dab@asylum.SF.CA.US (Dave Bridgham)
asks, apologetically:
>Why is (eval s) not equivalent to ((lambda () s)) ?

Two reasons:

a) first, (lambda () s) is a procedure, which, when called, simply
returns the value of the [free] variable s. No evaluation is implied
here. Thus

    (define s '(list 'foo 'bar))
    ((lambda () s)) => (list (quote foo) (quote bar))

b) Scheme, as defined in R^3.9999999999999S, has semantics which do not
require an implementation to maintain the names of bindings, or to allow
environments to be manipulated by the programmer. This was deliberately
done, to allow Scheme programs to be compiled efficiently. There is *no*
way to "trick" Scheme into evaluating lists as programs, unless the
implementation provides an eval procedure.

I generally regard a request from a programmer for eval with the same
degree of suspicion that I would give a request from a civil engineer
for a little bit of chewing gum to prop up one end of a bridge. eval is
extremely dangerous in real programs, as the following hypothetical
dialogue (from a system written in Scheme, but using eval) might
demonstrate:

    Welcome to the nuclear reactor control system!
    You have been given VISITOR privileges.
    > Blow up reactor
    You are not authorized to do that.
    > -debug-
    Enter expression: (blow-up-nuclear-reactor!)
    Initiating destruct sequence...

When you eval something, you are letting that expression have full
access to the internal state of your program. If the form being evaled
was typed in by a user, that user gets to do what s/he likes to your
program. If the form being evaled wasn't written by a user, then you
most likely can trivially restructure your program to eliminate eval,
given Scheme's rich procedure composition facilities.

eval allows people to do to your program what Robert Morris did to
sendmail, using exactly the same technique as he used, namely
"smuggling" a command into a system. I regard eval as the computational
equivalent of unprotected sex, and treat it accordingly.

Not including eval could potentially make an implementation much more
efficient. However, almost all implementations do include eval, for such
things as writing top levels, and loading in code (an implementation
which really didn't want eval would have to be non-compliant in not
supporting load and friends). The arguments against eval in these
special circumstances are weak (if a user types in commands to wreck
her/his session, then s/he will get what s/he deserves).

Finally, if you really want to use eval in a portable program, write
your own. Abelson and Sussman, as well as my forthcoming book, describe
the subject of writing evaluators in great detail; a custom evaluator
can do all sorts of error checking, and can restrict the user, in
whatever ways you want.

-- 
\    Vincent Manis                    "There is no law that vulgarity and
 \   Department of Computer Science   literary excellence cannot coexist."
 /\  University of British Columbia                    -- A. Trevor Hodge
/  \ Vancouver, BC, Canada V6T 1W5 (604) 228-2394
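
The post's closing suggestion, a custom evaluator that restricts the user, sketched as an added example (not code from the post, from Abelson and Sussman, or from the author's book). The names safe-eval, allowed-ops, arity-ok? and reactor-temperature are hypothetical, and the sample inputs are constructed.

```scheme
;; Host program state. Both procedures exist in the program, but only the
;; one listed in allowed-ops can be reached through safe-eval.
(define (reactor-temperature) 287)            ; constructed stand-in value
(define (blow-up-nuclear-reactor!) 'initiating-destruct-sequence)

;; The whole vocabulary a user-typed expression may use.
;; Entry layout: (name procedure min-args max-args); max-args #f = no limit.
(define allowed-ops
  (list (list '+ + 0 #f)
        (list '- - 1 #f)
        (list '* * 0 #f)
        (list 'max max 1 #f)
        (list 'temperature reactor-temperature 0 0)))

(define (arity-ok? entry n)
  (and (>= n (caddr entry))
       (or (not (cadddr entry)) (<= n (cadddr entry)))))

;; Evaluates numbers and applications of allow-listed operators only.
;; Anything else aborts the whole evaluation with a (rejected ...) list,
;; so a refused subexpression never reaches a host procedure.
(define (safe-eval expr)
  (call-with-current-continuation
    (lambda (reject)
      (let walk ((e expr))
        (cond ((number? e) e)
              ((and (pair? e) (symbol? (car e)) (list? (cdr e)))
               (let ((entry (assq (car e) allowed-ops))
                     (args (cdr e)))
                 (cond ((not entry)
                        (reject (list 'rejected 'unknown-operator (car e))))
                       ((not (arity-ok? entry (length args)))
                        (reject (list 'rejected 'wrong-argument-count (car e))))
                       (else (apply (cadr entry) (map walk args))))))
              (else (reject (list 'rejected 'unsupported-form e))))))))

;; Constructed inputs: an allowed query, the expression from the dialogue
;; above, and the same expression hidden inside an allowed one.
(for-each (lambda (input) (display (safe-eval input)) (newline))
          '((max (temperature) (* 2 100))
            (blow-up-nuclear-reactor!)
            (+ 1 (blow-up-nuclear-reactor!))))
```

Because the operator is looked up in allowed-ops rather than in the program's own environment, the user's reach is exactly the table, whatever else the host program defines.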