On Wed, 11 Jul 2012, Johan Tibell wrote:
Trustworthy obviously doesn't mean no-bugs. It just means that the
module author claims that the API of the module can't be used to
violate certain guarantees. Whether you trust his claim and how to
establish this trust is up to you. For some applications it will be
enough to know that the author is a Haskell hacker with a good
track-record, for other applications a complete formal-proof of the
module is required.
I claim this is completely orthogonal to SH. I already today have to
trust that e.g. Bryan didn't make unsafe use of unsafePerformIO in
text such that my application is susceptible to e.g. buffer overflows.
I think the difference is that currently we have to know the set of unsafe
functions like unsafePerformIO and search for them in an imported package.
This work is now done by the compiler which tells me if there is something
suspicious in the package. If a package does not call any unsafe function
the compiler can tell me. By searching for unsafePerformIO and friends I
could miss something.
I think that the SafeHaskell extension is also worth because some
programmers do not seem to care about the use of unsafePerformIO. I hope
that compiler checks about the use unsafe functions will more discourage
the use of unsafePerformIO.
I guess I wasn't explicit enough here. I believe Simon's argument is
that we should have .Safe modules so people don't have to trust code.
However, rewriting a function in C would require it to be moved from
the .Safe module to some other module, breaking clients.
I think the idea was to have Unsafe modules and move the unsafe functions
there. :-)
Are there really so many unsafe functions that must be moved? I mean, a
function like
unsafePerformIO :: IO a -> a
is unsafe and should be in an Unsafe module. However, a function like
gamma :: Double -> Double
gamma x = unsafePerformIO (GSL.gamma x)
should not be unsafe, but trustworthy. The function is safe to use, but
the compiler cannot check it. (I hope I do not mix up the terms here.)
Are there so many functions like unsafePerformIO, inlinePerformIO,
unsafeInterleaveIO in packages on Hackage?
_______________________________________________
Haskell-platform mailing list
Haskell-platform@projects.haskell.org
http://projects.haskell.org/cgi-bin/mailman/listinfo/haskell-platform
