<div dir="auto">Are you sure? </div><div dir="auto"><br></div><div dir="auto">It also says <span style="font-family:".SFUI-Regular""> "The use of Safe to compile Danger restricts the features of Haskell that can be used to a safe subset. This includes disallowing unsafePerformIO, Template Haskell, pure FFI functions, RULES and restricting the operation of Overlapping Instances."</span></div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr"><br></div><div dir="ltr" class="gmail_attr">On Tue, May 4, 2021 at 8:32 AM Oleg Grenrus <<a href="mailto:oleg.grenrus@iki.fi">oleg.grenrus@iki.fi</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;padding-left:1ex;border-left-color:rgb(204,204,204)">The GHC manual says [1]<br>
<br>
RULES — Rewrite rules defined in a module M compiled with Safe are<br>
dropped. Rules defined in Trustworthy modules that M imports are still<br>
valid and will fire as usual.<br>
<br>
So rules are still in use, and e.g. list fusion works. Library authors<br>
cannot define their own RULES in Safe modules, but they are (always, no<br>
need to -Wall) warned about the fact that these rules are ignored. I<br>
don't see a possibility for silent performance regressions.<br>
<br>
- Oleg<br>
<br>
[1]:<br>
<a href="https://downloads.haskell.org/ghc/9.0.1/docs/html/users_guide/exts/safe_haskell.html#building-secure-systems-restricted-io-monads" rel="noreferrer" target="_blank">https://downloads.haskell.org/ghc/9.0.1/docs/html/users_guide/exts/safe_haskell.html#building-secure-systems-restricted-io-monads</a><br>
<br>
On 4.5.2021 15.10, Carter Schonwald wrote:<br>
<br>
> Default safety isn’t quite what you want in normal packages, because<br>
> that disables all user land rewrite rules! It may have other<br>
> implications too, but short of augmenting ghc with a proof system for<br>
> correctness of rewrite rules, default safehaskell is at odds with<br>
> optimized builds. <br>
><br>
> On Mon, May 3, 2021 at 10:28 AM Richard Eisenberg <<a href="mailto:rae@richarde.dev" target="_blank">rae@richarde.dev</a><br>
> <mailto:<a href="mailto:rae@richarde.dev" target="_blank">rae@richarde.dev</a>>> wrote:<br>
><br>
><br>
><br>
>> On May 3, 2021, at 7:40 AM, Tom Smeding <<a href="mailto:x@tomsmeding.com" target="_blank">x@tomsmeding.com</a><br>
>> <mailto:<a href="mailto:x@tomsmeding.com" target="_blank">x@tomsmeding.com</a>>> wrote:<br>
>><br>
>> But perhaps I'm being ignorant of other existing cases where this<br>
>> already matters, and I've been living in an idealised world until<br>
>> now.<br>
><br>
> Sad to say it, but order does matter here.<br>
><br>
> In the very simple case, if you have {-# LANGUAGE<br>
> FlexibleContexts, NoFlexibleContexts #-}, that's different from<br>
> {-# LANGUAGE NoFlexibleContexts, FlexibleContexts #-} -- later<br>
> extensions override earlier ones. This problem becomes more<br>
> confounding when we recognize that some extensions imply others.<br>
> For example {-# LANGUAGE TypeFamilies, NoMonoLocalBinds #-} means<br>
> something different from {-# LANGUAGE NoMonoLocalBinds,<br>
> TypeFamilies #-} because TypeFamilies implies MonoLocalBinds.<br>
> Perhaps even worse, {-# LANGUAGE CUSKs, StandaloneKindSignatures<br>
> #-} differs from {-# LANGUAGE StandaloneKindSignatures, CUSKs #-}<br>
> because StandaloneKindSignatures implies NoCUSKs.<br>
><br>
> Returning to Safe Haskell:<br>
><br>
> It's true that Safe cannot be overridden locally. This is<br>
> implemented by the fact that NoSafe does not exist. To me, this<br>
> design makes sense, because it means that compiling with `ghc<br>
> -XSafe` is guaranteed to use Safe Haskell. So we would need<br>
> something like a default-safety field in Cabal, that could be<br>
> overridden locally.<br>
><br>
> But, still, this may be easier than the status quo.<br>
><br>
> Do we think this would work? Specifically:<br>
><br>
> * Introduce a new flag -fdefault-safety={safe,trustworthy,unsafe}<br>
> that changes the module-level default. This default names the<br>
> safety level in effect for any module that declares none of Safe,<br>
> Trustworthy, or Unsafe.<br>
> * If -fdefault-safety is not specified at the command line, it is<br>
> as if the user wrote -fdefault-safety=unsafe.<br>
><br>
> And that's it.<br>
><br>
> Consequence: Safe-inference would never take place, because every<br>
> module would have a declared level of Safety. The Safe-inference<br>
> code could thus be removed.<br>
><br>
> Further work: Introduce default-safety in Cabal, but that's not<br>
> really necessary to make the changes above.<br>
><br>
> What do we think?<br>
><br>
> Richard<br>
> _______________________________________________<br>
> Haskell-Cafe mailing list<br>
> To (un)subscribe, modify options or view archives go to:<br>
> <a href="http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell-cafe" rel="noreferrer" target="_blank">http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell-cafe</a><br>
> Only members subscribed via the mailman list are allowed to post.<br>
><br>
><br>
> _______________________________________________<br>
> Haskell-Cafe mailing list<br>
> To (un)subscribe, modify options or view archives go to:<br>
> <a href="http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell-cafe" rel="noreferrer" target="_blank">http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell-cafe</a><br>
> Only members subscribed via the mailman list are allowed to post.<br>
_______________________________________________<br>
Haskell-Cafe mailing list<br>
To (un)subscribe, modify options or view archives go to:<br>
<a href="http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell-cafe" rel="noreferrer" target="_blank">http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell-cafe</a><br>
Only members subscribed via the mailman list are allowed to post.</blockquote></div></div>