[commit: base] master: Update base for new Safe Haskell design (447448a)
Simon Marlow
marlowsd at gmail.com
Thu Oct 27 10:12:17 CEST 2011
On 26/10/2011 21:45, David Terei wrote:
> Hi Duncan,
>
> On 26 October 2011 06:05, Duncan Coutts<duncan.coutts at googlemail.com> wrote:
>> I don't understand this. Is it required that we mark Data.Trace as
>> unsafe? Why is it not just left unmarked?
>>
>> My previous understanding was that Unsafe was for modules that don't
>> break the language but rather break the encapsulation of abstract
>> datatypes, ie for Blah.Internals modules.
>>
>> Data.Trace and indeed System.IO.Unsafe are not like this. They are
>> simply not -XSafe because they use unsafePerformIO or ghc primitives.
>
> Yes and no. We infer safety now. So 'default' is hard to define but if
> anything the default is actually more towards safe. The inference
> tracks if a module imports any unsafe modules and if so marks it as
> unsafe. We've never built into the Safe Haskell implementation any
> specific knowledge of things like unsafePerformIO and GHC.*
> primitives. Instead we handle these with the trust tracking mechanism.
> So we do need to mark some of the base / root modules as Unsafe so
> that this propagates through the rest of the module system.
>
> If we marked no modules at all as Unsafe (including the GHC.* ones)
> then you'd have a lot of modules being inferred safe when they aren't.
I thought that making GHC.Prim Unsafe would do everything for us? As a
result virtually everything becomes Unsafe, and we have to use explicit
Trustworthy pragmas to introduce safety.
>> So according to my previous understanding, these modules do not need to
>> be marked at all. Has that changed with the new design?
>>
>> If the Unsafe marking is not necessary here then I think they should
>> *not* be marked. Rather than clarifying I think it adds confusion. It
>> suggests that things have to be marked unsafe, rather than just things
>> being unsafe by default (which is the usual security approach: default
>> untrusted, mark what is audited to be safe).
>
> In the case of Data.Trace and basically all the public modules in
> base, we could remove the -XUnsafe flag and rely on the fact that they
> import from GHC.* and will be inferred unsafe. I prefer explicitly
> marking them as unsafe though. Yes this is a different story than what
> the public facing use case of -XUnsafe is but base isn't a standard
> package and I think it's fine to require people hacking on it have some
> understanding of the implementation mechanics of Safe Haskell.
If Data.Trace were not automatically inferred as Unsafe we'd be in big
trouble. I agree with Duncan - marking it as Unsafe feels wrong (like
it could be hiding a bug). Perhaps we want
{-# LANGUAGE VerifyUnsafe #-}
or something.
Cheers,
Simon
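The import-based inference David describes (a module that imports an Unsafe module is itself inferred Unsafe, and only an explicit Trustworthy pragma re-establishes safety for a Safe client) shown on three small modules, as an added example that is not code from this thread or from base; the module names Leaky, Wrapper and Client are made up, and it uses the pragma names Safe, Trustworthy and Unsafe as they exist in GHC.

```haskell
-- File: Leaky.hs  (no Safe Haskell pragma, so its safety is inferred)
module Leaky (counter, bump) where

import Data.IORef
import System.IO.Unsafe (unsafePerformIO)  -- System.IO.Unsafe is marked Unsafe

-- A global mutable cell built with unsafePerformIO. Nothing here names
-- unsafePerformIO as dangerous; Leaky is inferred Unsafe purely because it
-- imports an Unsafe module, which is the propagation rule discussed above.
counter :: IORef Int
counter = unsafePerformIO (newIORef 0)
{-# NOINLINE counter #-}

bump :: IO Int
bump = atomicModifyIORef counter (\n -> (n + 1, n + 1))

-- File: Wrapper.hs
{-# LANGUAGE Trustworthy #-}
-- The author takes responsibility for this interface: only bump, which
-- lives in IO, is exported; the raw IORef stays hidden behind the module.
module Wrapper (bump) where

import Leaky (bump)

-- File: Client.hs
{-# LANGUAGE Safe #-}
module Client (main) where

import Wrapper (bump)     -- accepted: Wrapper is Trustworthy
-- import Leaky (counter) -- rejected: Leaky is inferred Unsafe

main :: IO ()
main = bump >>= print
```

Compiling Client.hs with the Leaky import uncommented fails at compile time, which is the inferred-Unsafe propagation doing its job without any -XUnsafe flag on Leaky; the explicit Trustworthy pragma on Wrapper is the only place a human assertion enters.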