Proposal: GHC.Generics marked UNSAFE for SafeHaskell

Edward Kmett ekmett
Mon Oct 7 16:44:42 UTC 2013


I'd much rather have code that can compile as Safe rather than Trustworthy.
Trustworthy code is a pain to annotate the safety of correctly.

A one line change to GHC to ensure the safety of GHC.Generics and to
maximize the number of operations you can use safely seems entirely
reasonable.

Otherwise I have to mark perfectly Safe-by-construction code Trustworthy,
enlarging the trusted code base considerably. Using properly constructed
Generic instances is perfectly safe.

That library level fix has knock-on effects across the entire ecosystem for
anyone who cares about SafeHaskell. I tend to instantiate GHC.Generics for
any type in most of my packages. A quick grep finds 209 modules broken in
just the projects I have open in my working directory. That is a mixture of
public and private repos. The majority of which are public. So, I first
have to change a couple hundred import statements... conditionally on
compiler version, since I maintain wide support windows. This fix would
literally break SafeHaskell for me silently across almost everything I have
written, forcing me to run through tons of packages trying to figure out
what I have to change to get it back. I've done this song and dance before
trying to get lambdabot to build, since it uses lens these days. If I don't
get every one of them right lens builds as unsafe. There isn't a good
debugging process for this, as the only real way I have to know it worked
is to go through each one and make sure I didn't compromise safe haskell by
looking at the resulting haddocks for each case.

The code that *uses* GHC.Generics uses their internals and is safe by
construction. It is only the instance construction that is unsafe, so lets
mark it as such.

-Edward


On Mon, Oct 7, 2013 at 11:11 AM, Ryan Newton <rrnewton at gmail.com> wrote:

> On Mon, Oct 7, 2013 at 10:22 AM, Edward Kmett <ekmett at gmail.com> wrote:
>
>> Am I correct in understanding your issue arises from manually rolled
>> instances of Generic, not from Generic itself?
>>
>
> Exactly.
>
>
>> Wouldn't then perhaps the better fix be to resurrect the old rule for
>> derived Typeable instances and apply it to Generic and Generic1 instead?
>>
> The new rule would be that if you hand-implemented Generic or Generic1 in
>> your module it isn't Safe.
>>
>
> Ah... so you're proposing adding an extra rule to the GHC compiler itself?
>
> Isn't it simpler to do it just with a library-level fix?  I.e. my proposal
> is that GHC.Generics is marked as Unsafe.  And then if you really want you
> can mark your module as TrustWorthy even with manual instances.  (And then,
> yes, we'd need a GHC.Generics.Safe to pull the Generic symbol itself from
> when we just want to derive it.)
>
> That would make it so that derived Generic, Generic1 would be considered
>> Safe, and you wouldn't break literally every user of the library who care
>> about Safe Haskell.
>>
>
> Isn't that also accomplished just by "import GHC.Generic.Safe (Generic)"?
>  And the handful of hypothetical people that are using this right now can
> make that one-line fix.  I will *personally* make that fix for all those
> people if they would come forward and share the link to their code ;-).
>
> As it stands the things are damn-near impossible to get right
>> instantiating them by hand anyways, so I expect this would affect only 1 or
>> 2 users rather than all of them!
>>
>
> Exactly!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.haskell.org/pipermail/libraries/attachments/20131007/fe155d18/attachment.html>




More information about the Libraries mailing list