safe vs. unsafe (Was: Haskell Platform proposal: Add the vector package)

Johan Tibell johan.tibell at gmail.com
Wed Jul 11 23:43:45 CEST 2012


On Wed, Jul 11, 2012 at 11:49 AM, Henning Thielemann
<lemming at henning-thielemann.de> wrote:
> I think the difference is that currently we have to know the set of unsafe
> functions like unsafePerformIO and search for them in an imported package.
> This work is now done by the compiler which tells me if there is something
> suspicious in the package. If a package does not call any unsafe function
> the compiler can tell me. By searching for unsafePerformIO and friends I
> could miss something.
>
> I think that the SafeHaskell extension is also worthwhile because some
> programmers do not seem to care about the use of unsafePerformIO. I hope
> that compiler checks on the use of unsafe functions will further discourage
> the use of unsafePerformIO.

I don't find trusting the authors of the packages I use to be a
burden. I already have to trust them to write correct code and to fix
bugs when they fail to do so. If they use unsafe functions I trust
they do so for good reasons. What would I do with the information that
text uses unsafePerformIO somewhere? Most likely nothing.

> I think the idea was to have Unsafe modules and move the unsafe functions
> there. :-)

This would break everything. Every single user of the vector library
would break. Same goes for many other libraries. I cannot stress enough
how dangerous this idea is from a software engineering and Haskell
adoption perspective. You don't break widely used APIs. Look at Python 3.
They broke a few things (not all libraries!) and several years down the
road most people still don't use Python 3 because of it.

> Are there really so many unsafe functions that must be moved? I mean, a
> function like
>
>   unsafePerformIO :: IO a -> a
>
> is unsafe and should be in an Unsafe module. However, a function like
>
>   gamma :: Double -> Double
>   gamma x = unsafePerformIO (GSL.gamma x)
>
> should not be unsafe, but trustworthy. The function is safe to use, but the
> compiler cannot check it. (I hope I do not mix up the terms here.)
>
> Are there so many functions like unsafePerformIO, inlinePerformIO,
> unsafeInterleaveIO in packages on Hackage?

No, all functions that use unsafe functions need to be moved to an
.Unsafe module if the former is to be marked as Safe (which is what's
being proposed). Every time a function changes to/from using an unsafe
function (even if indirectly) it needs to be juggled back and forth
between the two different modules. Some libraries use IO in their core
implementation (e.g. bytestring) and cannot be marked as Safe.
Packages depending on bytestring cannot be marked as Safe either.

-- Johan
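As an added illustration (not part of either message in the thread) of the three Safe Haskell trust levels the discussion turns on: an Unsafe module holding the raw IO binding, a Trustworthy module in which the author asserts that wrapping it in unsafePerformIO is sound, and a Safe module that the compiler checks and that can only reach the function through the Trustworthy wrapper. The module names (Numeric.Gamma, Numeric.Gamma.Unsafe) and the gammaIO stand-in for the GSL call are assumptions made for this example; the pragmas, System.IO.Unsafe and the -fpackage-trust / -trust flags are GHC's own.

```haskell
-- Added example, not code from the thread.  Three files are shown in one
-- listing, separated by "File:" comments; the module names and gammaIO
-- are constructed for the example.

------------------------------------------------------------------------
-- File: Numeric/Gamma/Unsafe.hs
-- Marked Unsafe so that Safe code cannot reach the raw IO binding directly;
-- only a Trustworthy (or Unsafe) module may import it.
{-# LANGUAGE Unsafe #-}
module Numeric.Gamma.Unsafe (gammaIO) where

-- Constructed stand-in for the foreign GSL call mentioned in the thread.
-- It lives in IO, as a real FFI binding would, and is only meaningful for
-- positive integer arguments (gamma n == (n-1)!).
gammaIO :: Double -> IO Double
gammaIO x = return (product [1 .. x - 1])

------------------------------------------------------------------------
-- File: Numeric/Gamma.hs
-- Trustworthy: the author asserts that running gammaIO via unsafePerformIO
-- is sound (deterministic, no observable side effects), so the pure `gamma`
-- may be used from Safe code.  GHC does not verify this claim; it only
-- decides whether to trust the module (see the build note below).
{-# LANGUAGE Trustworthy #-}
module Numeric.Gamma (gamma) where

import System.IO.Unsafe (unsafePerformIO)   -- permitted here, not under Safe
import Numeric.Gamma.Unsafe (gammaIO)       -- importing an Unsafe module is permitted here

gamma :: Double -> Double
gamma x = unsafePerformIO (gammaIO x)

------------------------------------------------------------------------
-- File: Main.hs
-- Safe: the compiler enforces the restrictions.  Importing System.IO.Unsafe
-- (marked Unsafe in base) or Numeric.Gamma.Unsafe from here is a
-- compile-time error, so the Trustworthy wrapper is the only route to gamma.
{-# LANGUAGE Safe #-}
module Main (main) where

import Numeric.Gamma (gamma)
-- import System.IO.Unsafe (unsafePerformIO)   -- rejected: module is Unsafe
-- import Numeric.Gamma.Unsafe (gammaIO)       -- rejected: module is Unsafe

main :: IO ()
main = print (gamma 5)

-- Build, with all three files under one directory:
--   ghc Main.hs
-- Without -fpackage-trust GHC trusts every Trustworthy module.  To restrict
-- that trust to packages you have vetted, compile with
--   ghc -fpackage-trust -trust base Main.hs
-- so a Trustworthy module is honoured only if its package is listed via -trust.
```

The point the example makes concrete is the one both messages circle around: the check is on the import graph, not on the code. Uncommenting either import in Main.hs fails the build, but nothing in the Trustworthy module is verified by the compiler; the assertion that gammaIO is safe to run purely rests entirely on the author of Numeric.Gamma, which is the trust relationship the reply above says already exists.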