Deprecating Safe Haskell, or heavily investing in it?

Viktor Dukhovni ietf-dane at
Tue Dec 27 23:03:30 UTC 2022

On Tue, Dec 27, 2022 at 10:31:07PM +0100, Jaro Reinders wrote:

> The bytestring package does have run time bounds checks. So maybe Safe
> Haskell is safer than you think?

No.  The safety depends on careful Safe/Unsafe marking of an
unmanageable and growing set of modules.  How does GHC know
that "Data.ByteString.Unsafe" is actually "unsafe" in the
sense of "Safe" Haskell?

    λ> BS.index x 10
    *** Exception: Data.ByteString.index: index too large: 10, length = 6
    CallStack (from HasCallStack):
      error, called at libraries/bytestring/Data/ByteString.hs:2026:23 in bytestring-
      moduleError, called at libraries/bytestring/Data/ByteString.hs:1232:24 in bytestring-
      index, called at <interactive>:7:1 in interactive:Ghci3
    λ> import Data.ByteString.Unsafe as UBS
    λ> UBS.unsafeIndex x 30000
    λ> UBS.unsafeIndex x 1000000
    λ> UBS.unsafeIndex x 10000000
    λ> UBS.unsafeIndex x 100000000
    Segmentation fault (core dumped)

This is too brittle to be safe on an ongoing basis in practice.


More information about the ghc-devs mailing list