Haskell Platform proposal: Add the vector package

Roman Leshchinskiy rl at cse.unsw.edu.au
Fri Jul 13 16:10:56 BST 2012


Simon,

I'm still trying to figure out if there is a sane way to support Safe
Haskell's module structure in vector. I'll post my thoughts later. Here
are a couple of quick questions and observations, though.

Simon Marlow wrote:
> Myth #1 seems to be that Safe Haskell excludes large amounts of Haskell
> code that people want to write. Not at all! Normally when you use an
> unsafe feature, the purpose is to use it to implement a safe API - if
> that's the case, all you have to do is add Trustworthy to your language
> pragma, and the API is available to use from Safe code.  99% of Hackage
> should be either Safe or Trustworthy.  We know that 27% is already
> inferred Safe (see the paper), and a lot of the rest is just waiting for
> other libraries to add Trustworthy where necessary.

Is "inferred Safe" the same as being marked "Safe-Infered" on Hackage? It
does say that for Data.Vector.Unboxed, for instance, but that module
certainly contains unsafe functions.

>> Despite none of them having had a thorough security review.
>> In practice Trustworthy language pragmas on top of modules to make
>> code compile. There are 139 modules in base marked as Trustworthy. I
>> seriously doubt that they all are.
>
> Whether you believe those claims or not is entirely up to you.  Someone
> who is relying on Haskell for security has to trust a lot of things -
> GHC itself, the RTS, not to mention the hardware.  Safe Haskell just
> makes it a bit clearer what you have to trust, and allows GHC to
> automate some of the checking.

FWIW, I went looking through the libraries and GHC does indeed come with a
Trustworthy unsafePerformIO out of the box (it's in
Data.Binary.Builder.Internal). Now, I'm not trying to knock the binary
package. I think it just shows that unsafe functions *will* slip through
the net, even in code written by absolute experts, so Johan's concerns are
quite warranted.

>> SH is much more invasive than your typical language extension. It
>> requires maintainers of libraries who don't care about SH to change
>> their APIs (!)
>
> It will be very rare for this to happen.  The vast majority of packages
> do not expose unsafe APIs, so at most all that will be needed is some
> Trustworthy pragmas, and in many cases no changes at all are needed.  In
> the very few cases where there is a mixed safe/unsafe API, and we really
> care about Safe access to the safe parts, then the unsafe parts should
> be moved into a .Unsafe module.

It seems that anything array-related would have to be split up in this
way, just like it was in base.

FWIW, I think Debug.Trace should be split up, too, since traceIO and
especially traceEventIO are perfectly safe and useful.

What about floating point arithmetic? Is it safe if I turn on FP exceptions?

> I don't think adding a few Trustworthy pragmas is very onerous, and
> arguably it's good documentation anyway.

One problem I noticed here is Haskell's treatment of instances. It just
isn't always obvious what exactly your module exports. It's easy to say
that a particular function is safe. It is much harder to say the same for
a whole module because you might be importing and hence exporting unsafe
instances without realising. I think more language support would be needed
here.

> Of course it's your prerogative as a library maintainer to decide
> whether to use Trustworthy or not.  For the platform I think the bar is
> a little higher, and cleanly separating safe from unsafe APIs is
> warranted.

Independent of vector, I'm against making Safe Haskell compliance a
prerequisite for anything at this point. If it proves itself and if enough
people start using it and relying on it - sure. But right now, it an
experimental language extension with a very small user base.

Roman






More information about the Haskell-platform mailing list