safe vs. unsafe (Was: Haskell Platform proposal: Add the vector package)
lemming at henning-thielemann.de
Wed Jul 11 20:49:06 CEST 2012
On Wed, 11 Jul 2012, Johan Tibell wrote:
>> Trustworthy obviously doesn't mean no-bugs. It just means that the
>> module author claims that the API of the module can't be used to
>> violate certain guarantees. Whether you trust his claim and how to
>> establish this trust is up to you. For some applications it will be
>> enough to know that the author is a Haskell hacker with a good
>> track-record, for other applications a complete formal-proof of the
>> module is required.
> I claim this is completely orthogonal to SH. I already today have to
> trust that e.g. Bryan didn't make unsafe use of unsafePerformIO in
> text such that my application is susceptible to e.g. buffer overflows.
I think the difference is that currently we have to know the set of unsafe
functions like unsafePerformIO and search for them in an imported package.
This work is now done by the compiler which tells me if there is something
suspicious in the package. If a package does not call any unsafe function
the compiler can tell me. By searching for unsafePerformIO and friends I
could miss something.
I think that the SafeHaskell extension is also worth because some
programmers do not seem to care about the use of unsafePerformIO. I hope
that compiler checks about the use unsafe functions will more discourage
the use of unsafePerformIO.
> I guess I wasn't explicit enough here. I believe Simon's argument is
> that we should have .Safe modules so people don't have to trust code.
> However, rewriting a function in C would require it to be moved from
> the .Safe module to some other module, breaking clients.
I think the idea was to have Unsafe modules and move the unsafe functions
Are there really so many unsafe functions that must be moved? I mean, a
unsafePerformIO :: IO a -> a
is unsafe and should be in an Unsafe module. However, a function like
gamma :: Double -> Double
gamma x = unsafePerformIO (GSL.gamma x)
should not be unsafe, but trustworthy. The function is safe to use, but
the compiler cannot check it. (I hope I do not mix up the terms here.)
Are there so many functions like unsafePerformIO, inlinePerformIO,
unsafeInterleaveIO in packages on Hackage?
More information about the Libraries