safe vs. unsafe (Was: Haskell Platform proposal: Add the vector package)

Henning Thielemann lemming at
Wed Jul 11 20:49:06 CEST 2012

On Wed, 11 Jul 2012, Johan Tibell wrote:

>> Trustworthy obviously doesn't mean no-bugs. It just means that the
>> module author claims that the API of the module can't be used to
>> violate certain guarantees. Whether you trust his claim and how to
>> establish this trust is up to you. For some applications it will be
>> enough to know that the author is a Haskell hacker with a good
>> track-record, for other applications a complete formal-proof of the
>> module is required.
> I claim this is completely orthogonal to SH. I already today have to
> trust that e.g. Bryan didn't make unsafe use of unsafePerformIO in
> text such that my application is susceptible to e.g. buffer overflows.

I think the difference is that currently we have to know the set of unsafe 
functions like unsafePerformIO and search for them in an imported package. 
This work is now done by the compiler which tells me if there is something 
suspicious in the package. If a package does not call any unsafe function 
the compiler can tell me. By searching for unsafePerformIO and friends I 
could miss something.

I think that the SafeHaskell extension is also worth because some 
programmers do not seem to care about the use of unsafePerformIO. I hope 
that compiler checks about the use unsafe functions will more discourage 
the use of unsafePerformIO.

> I guess I wasn't explicit enough here. I believe Simon's argument is
> that we should have .Safe modules so people don't have to trust code.
> However, rewriting a function in C would require it to be moved from
> the .Safe module to some other module, breaking clients.

I think the idea was to have Unsafe modules and move the unsafe functions 
there. :-)

Are there really so many unsafe functions that must be moved? I mean, a 
function like

   unsafePerformIO :: IO a -> a

  is unsafe and should be in an Unsafe module. However, a function like

   gamma :: Double -> Double
   gamma x = unsafePerformIO (GSL.gamma x)

  should not be unsafe, but trustworthy. The function is safe to use, but 
the compiler cannot check it. (I hope I do not mix up the terms here.)

Are there so many functions like unsafePerformIO, inlinePerformIO, 
unsafeInterleaveIO in packages on Hackage?

More information about the Libraries mailing list