On 26/10/2011 21:45, David Terei wrote:
Hi Duncan,
On 26 October 2011 06:05, Duncan Coutts<[email protected]> wrote:
I don't understand this. Is it required that we mark Data.Trace as
unsafe? Why is it not just left unmarked?
My previous understanding was that Unsafe was for modules that don't
break the language but rather break the encapsulation of abstract
datatypes, ie for Blah.Internals modules.
Data.Trace and indeed System.IO.Unsafe are not like this. They are
simply not -XSafe because they use unsafePerformIO or ghc primitives.
Yes and no. We infer safety now. So 'default' is hard to define but if
anything the default is actually more towards safe. The inference
tracks if a module imports any unsafe modules and if so marks it as
unsafe. We've never built into the Safe Haskell implementation any
specific knowledge of things like unsafePerformIO and GHC.*
primitives. Instead we handle these with the trust tracking mechanism.
So we do need to mark some of the base / root modules as Unsafe so
that this propagates through the rest of the module system.
If we marked no modules at all as Unsafe (including the GHC.* ones)
then you'd have a lot of modules being inferred safe when they aren't.
I thought that making GHC.Prim Unsafe would do everything for us? As a
result virtually everything becomes Unsafe, and we have to use explicit
Trustworthy pragmas to introduce safety.
So according to my previous understanding, these modules do not need to
be marked at all. Has that changed with the new design?
If the Unsafe marking is not necessary here then I think they should
*not* be marked. Rather than clarifying I think it adds confusion. It
suggests that things have to be marked unsafe, rather than just things
being unsafe by default (which is the usual security approach: default
untrusted, mark what is audited to be safe).
In the case of Data.Trace and basically all the public modules in
base, we could remove the -XUnsafe flag and rely on the fact that they
import from GHC.* and will be inferred unsafe. I prefer explicitly
marking them as unsafe though. Yes this is a different story than what
the public facing use case of -XUnsafe is but base isn't a standard
package and I think it's fine to require people hacking on it have some
understanding of the implementation mechanics of Safe Haskell.
If Data.Trace were not automatically inferred as Unsafe we'd be in big
trouble. I agree with Duncan - marking it as Unsafe feels wrong (like
it could be hiding a bug). Perhaps we want
{-# LANGUAGE VerifyUnsafe #-}
or something.
Cheers,
Simon
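The trust-tracking mechanism the thread is arguing about, shown as an added example that is not part of the original mailing-list messages and not code from GHC or base. The module names Counter.Impl, Counter and Client are assumptions chosen for illustration; only System.IO.Unsafe, Data.IORef and the Safe/Trustworthy/Unsafe pragmas are real. Counter.Impl carries no pragma, so its safety is inferred: because it imports System.IO.Unsafe (marked Unsafe in base), it is inferred Unsafe exactly as David describes, without GHC knowing anything specific about unsafePerformIO. Counter is the audited wrapper, marked Trustworthy by its author. Client is compiled with -XSafe, which accepts the Trustworthy import and rejects the inferred-Unsafe one.

```haskell
-- File: Counter/Impl.hs
-- No Safe Haskell pragma: GHC infers this module's status. It imports
-- System.IO.Unsafe, which base marks {-# LANGUAGE Unsafe #-}, so the
-- inference marks Counter.Impl Unsafe too. Adding an explicit
-- {-# LANGUAGE Unsafe #-} here would not change the outcome; it only
-- documents it (the point Duncan and David disagree about for base).
module Counter.Impl (nextId) where

import Data.IORef
import System.IO.Unsafe (unsafePerformIO)

-- Global counter created with unsafePerformIO. NOINLINE is required so
-- the IORef is allocated once rather than at every use site.
counter :: IORef Int
counter = unsafePerformIO (newIORef 0)
{-# NOINLINE counter #-}

-- Returns the current value and increments it atomically.
nextId :: IO Int
nextId = atomicModifyIORef' counter (\n -> (n + 1, n))


-- File: Counter.hs
-- The author asserts that nothing exported here can be used to break
-- type safety or module abstraction (the IORef itself is not exported),
-- so the module is marked Trustworthy. Without -fpackage-trust GHC
-- trusts a Trustworthy module unconditionally; with it, the package
-- containing this module must also be trusted.
{-# LANGUAGE Trustworthy #-}
module Counter (nextId) where

import Counter.Impl (nextId)


-- File: Client.hs
-- Compiled in Safe mode: every import must be Safe or Trustworthy.
{-# LANGUAGE Safe #-}
module Client where

import Counter (nextId)
-- The following two imports would each be a compile error in a Safe
-- module: Counter.Impl is inferred Unsafe via its imports, and
-- System.IO.Unsafe is explicitly marked Unsafe in base.
--
-- import Counter.Impl (nextId)
-- import System.IO.Unsafe (unsafePerformIO)

-- Assumed entry point for trying the example (ghc -main-is Client Client.hs).
main :: IO ()
main = do
  a <- nextId
  b <- nextId
  print (a, b)   -- (0,1) on a fresh run
```

To see the inference at work, uncomment the Counter.Impl import in Client.hs and rebuild: GHC refuses the import, reporting that the module cannot be safely imported because it is not itself safe, even though Counter.Impl never mentions Unsafe anywhere. That is the behaviour David relies on when he says the -XUnsafe flags on base's public modules could be removed; Simon's worry is that an explicit Unsafe pragma on such a module could mask a module that was wrongly inferred Safe, which is what a hypothetical VerifyUnsafe pragma would check.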
_______________________________________________
Cvs-libraries mailing list
[email protected]
http://www.haskell.org/mailman/listinfo/cvs-libraries