Annotations of Runtime Exceptions
=================================

We want operations that can fail at runtime to stand out, or at least be
visible in the source code.

Note: This is different from "unsafe" in other langauges. This simply means
that some piece of code can do the SLUL equivalent of "throwing exception".

Here are some risky operations:
- dereference of optional pointer
- (maybe also comparison of optional pointer?except for constant "none" value)
- array index
- division
- integer overflow
- integer underflow
- stack overflow?
-- module-local function which can call other module-local function which can (possibly indirectly) call the first function, or
-- module-local function which can call function in a module that (possibly indirectly) depends on this module,
--- how can the compiler know this without checking recursively?
--- perhaps a special flag for \depends?
- out of memory (=when allocating, but possibly also when accessing memory when using over-commit)

Syntax with "?":
 # optional ptr dereference
 b = bp?
 # array indexing
 # (this syntax is kind of hard/non-obvious)
 b = arr[?i]
 # (this syntax is ambiguous)
 b = arr[i]?
 # division
 r = p /? q
 r /?= q
 # addition
 r +?= 1

Syntax with blocks:
 # optional ptr dereference
 risky none_deref {
     b = bp
 }
 # array indexing
 risky array_out_of_bounds {
     b = arr[i]
 }
 # division
 risky div_by_zero {
     r = p / q
     r /= q
 }
 # addition
 risky integer_overflow {
     x += 1
 }
 # allocation
 risky alloc {
     obj = .new()
 }

I prefer the block syntax over "?", because it is more flexible/extensible,
and it also stands out much more.

This should *not* be added to functions, because that would cause a
"function color" problem, where "risky" functions cannot be called by non-
risky ones.
- also, all RuntimeException's in Java are unchecked exceptions.

What keyword is best?
- risky:  short, but maybe this sounds a bit too risky ;)
- throw:  this is good (for Java programmers at least)
- except: sounds wrong
- exception: but exceptions cannot be catched (except by creating a separate arena)
- canfail: most descriptive?

 exception integer_overflow {
    x += 1
 }