proposal: add 'unsafeCoerce'
Donald Bruce Stewart
dons at cse.unsw.edu.au
Fri Nov 10 21:47:36 EST 2006
robdockins:
> On Friday 10 November 2006 17:43, Samuel Bronson wrote:
> > On 11/10/06, Ashley Yakeley <ashley at semantic.org> wrote:
> > > kahl at cas.mcmaster.ca wrote:
> > > > I'd much prefer Data.Unsafe.
> > >
> > > I'd like to see all unsafe functions in an Unsafe.* hierarchy (possibly
> > > consisting only of the single module Unsafe). Thus one could avoid
> > > unsafety altogether by avoiding the Unsafe and Foreign hierarchies.
> >
> > Couldn't you just avoid using functions having "unsafe" as a name
> > prefix? It's not like they have names like "inocuousPerformIO" or
> > anything!
>
> It would be nice to be able to disallow all unsafe code by managing module
> imports.
yes! this was *critical* in lambdabot, for allowing random users to run
pure h98 expressions. A lot of time went into working out the trusted
module import base (so not stToIo, unsafe* and so on).
Currently unsafe things are scattered around System.*, Data.Array.*,
Control.*.
This isn't ideal.
> Suppose I want to run untrusted code. If I can verify that it doesn't use
> FFI, that it uses no unsafe primitives, and that it typechecks, then I know
> it is _unconditionally_ typesafe. If I can disallow unsafe primitives by
> just limiting the Unsafe.* and Foreign.* modules, that's a big win. If I
> instead have to keep a list of unsafe functions, that's not so good.
>
> So, I guess count this as another vote for Unsafe.*
-- Don
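The import-gating Don and Rob describe, as an added example that is not lambdabot's own code: a conservative Python checker that rejects untrusted Haskell source if it imports anything under Unsafe.* or Foreign.*, imports anything outside a trusted module base, or declares a foreign import (the FFI). The trusted set and the sample sources are constructed assumptions; the check is deliberately conservative (a commented-out import is still rejected).

```python
import re

# Hierarchies the thread proposes to block wholesale.
FORBIDDEN_PREFIXES = ("Unsafe", "Foreign")

# Constructed stand-in for lambdabot's trusted import base (assumption).
# Needed in addition to the prefix block because, as Don notes, unsafe
# functions currently also live under System.*, Data.Array.*, Control.*.
TRUSTED_MODULES = frozenset({
    "Prelude", "Data.List", "Data.Char", "Data.Maybe", "Control.Monad",
})

# Matches `import [safe] [qualified] ["pkg"] Module.Name ...` at line start.
IMPORT_RE = re.compile(
    r"^\s*import\s+(?:safe\s+)?(?:qualified\s+)?(?:\"[^\"]*\"\s+)?"
    r"([A-Z][\w']*(?:\.[A-Z][\w']*)*)",
    re.MULTILINE,
)
# A `foreign import ...` declaration means the FFI is in use.
FFI_RE = re.compile(r"^\s*foreign\s+import\b", re.MULTILINE)


def imported_modules(src: str) -> list:
    """Module names imported by the source, in order of appearance."""
    return IMPORT_RE.findall(src)


def in_hierarchy(module: str, prefixes) -> bool:
    return any(module == p or module.startswith(p + ".") for p in prefixes)


def audit(src: str) -> dict:
    """Map each rejected module (or 'foreign import') to the reason.
    An empty result means the source passes the import gate."""
    rejected = {}
    for m in imported_modules(src):
        if in_hierarchy(m, FORBIDDEN_PREFIXES):
            rejected[m] = "unsafe hierarchy"
        elif m not in TRUSTED_MODULES:
            rejected[m] = "not in trusted base"
    if FFI_RE.search(src):
        rejected["foreign import"] = "FFI declaration"
    return rejected


# Constructed sample inputs.
GOOD = "import Data.List (sort)\nmain = print (sort [3,1,2])\n"
BAD = ("import qualified Foreign.Ptr as P\nimport Unsafe.Coerce\n"
       "import System.IO.Unsafe (unsafePerformIO)\n")
```

Running `audit(BAD)` flags Foreign.Ptr and Unsafe.Coerce by hierarchy and System.IO.Unsafe only because it is absent from the trusted base, which is exactly the maintenance burden the proposed Unsafe.* hierarchy would remove.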