Difference between revisions of "Safe Haskell"
m (Various formatting changes) |
m (...) |
||
| Line 26: | Line 26: | ||
* about ensuring that <code>IO</code>based code which is inferred safe cannot perform arbitrary I/O. |
* about ensuring that <code>IO</code>based code which is inferred safe cannot perform arbitrary I/O. |
||
| − | It ''does'' ensure that untrusted code inferred to be safe will (assuming its <code>Trustworthy</code> imports are ''indeed'' trustworthy!) obey the above five properties. As such, (again assuming <code> |
+ | It ''does'' ensure that untrusted code inferred to be safe will (assuming its <code>Trustworthy</code> imports are ''indeed'' trustworthy!) obey the above five properties. As such, (again assuming <code>Trustworthy</code> imports are indeed so) Safe Haskell infers that untrusted code inferred safe and ''not'' in <code>IO</code> can be run without fear (aside from fear of resource over-utilization/exhaustion). |
Most code that most people want to write is going to be Safe Haskell by default. As Simon Marlow has pointed out: |
Most code that most people want to write is going to be Safe Haskell by default. As Simon Marlow has pointed out: |
||
Revision as of 00:12, 5 August 2021
Introduction
Safe Haskell is a Haskell language extension. It is described in detail:
- The GHC user guide has a section about Safe Haskell here.
- In the Safe Haskell paper: : http://community.haskell.org/~simonmar/papers/safe-haskell.pdf
- Further technical discussion of Safe Haskell is on the GHC Wiki: : https://gitlab.haskell.org/ghc/ghc/wikis/safe-haskell
For a high-level overview, see this blog post: http://begriffs.com/posts/2015-05-24-safe-haskell.html.
In detail
As the Safe Haskell paper describes, it "hardens" the Haskell language by providing five properties:
- type safety
- referential transparency,
- strict module encapsulation
- modular reasoning
- semantic consistency.
What Safe Haskell isn't
It isn't:
magicomnimiscentidiot-proof.- about catching bugs.
- about ensuring that library authors who mark modules as
Trustworthyare not lying, or incorrect. - about ensuring that
IObased code which is inferred safe cannot perform arbitrary I/O.
It does ensure that untrusted code inferred to be safe will (assuming its Trustworthy imports are indeed trustworthy!) obey the above five properties. As such, (again assuming Trustworthy imports are indeed so) Safe Haskell infers that untrusted code inferred safe and not in IO can be run without fear (aside from fear of resource over-utilization/exhaustion).
Most code that most people want to write is going to be Safe Haskell by default. As Simon Marlow has pointed out:
Normally when you use an unsafe feature, the purpose is to use it to implement a safe API - if that's the case, all you have to do is add Trustworthy to your language pragma, and the API is available to use from Safe code. 99% of Hackage should be either Safe or Trustworthy. We know that 27% is already inferred Safe (see the paper), and a lot of the rest is just waiting for other libraries to add Trustworthy where necessary.
along with:
For typical Haskell programmers, using {-# LANGUAGE Safe #-} will be like -Wall: something that is considered good practice from a hygiene point of view. If you don't need access to unsafe features, then it's better to write in the safe subset, where you have stronger guarantees. Just like -Wall, you get to choose whether to use {-# LANGUAGE Safe #-} or not.