
robdockins:
On Friday 10 November 2006 17:43, Samuel Bronson wrote:
On 11/10/06, Ashley Yakeley wrote:
kahl@cas.mcmaster.ca wrote:
I'd much prefer Data.Unsafe.
I'd like to see all unsafe functions in an Unsafe.* hierarchy (possibly consisting only of the single module Unsafe). Thus one could avoid unsafety altogether by avoiding the Unsafe and Foreign hierarchies.
Couldn't you just avoid using functions having "unsafe" as a name prefix? It's not like they have names like "innocuousPerformIO" or anything!
It would be nice to be able to disallow all unsafe code by managing module imports.
Yes! This was *critical* in lambdabot, for allowing random users to run pure h98 expressions. A lot of time went into working out the trusted module import base (so not stToIo, unsafe* and so on). Currently unsafe things are scattered around System.*, Data.Array.* and Control.*. This isn't ideal.
Suppose I want to run untrusted code. If I can verify that it doesn't use FFI, that it uses no unsafe primitives, and that it typechecks, then I know it is _unconditionally_ typesafe. If I can disallow unsafe primitives by just limiting the Unsafe.* and Foreign.* modules, that's a big win. If I instead have to keep a list of unsafe functions, that's not so good.
So, I guess count this as another vote for Unsafe.*
-- Don
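The two policies argued over in this thread, a name-prefix blacklist versus a trusted-module whitelist plus an FFI ban, as an added example that is not lambdabot's code or anything from the thread's authors. It is a Python pre-check over Haskell source text; the trusted module set is a hypothetical one chosen for the example (the thread does not list lambdabot's actual base), typechecking is assumed to be done afterwards by the compiler, and the sample programs are constructed for the test. `stToIO` is GHC's spelling of the `stToIo` Don mentions; it lives in `Control.Monad.ST`.

```python
"""Pre-check for untrusted Haskell source: module whitelist vs. name blacklist.

The whitelist policy does not need to know which functions are unsafe; it
only needs a trusted set of modules that export nothing unsafe, and it
rejects `foreign` declarations outright.  The name-prefix policy is the
counter-proposal from the thread: reject identifiers starting with `unsafe`.
"""
import re

# Hypothetical trusted import base (an assumption for this example; the
# thread does not list lambdabot's actual set).
TRUSTED_MODULES = frozenset({
    "Prelude", "Data.List", "Data.Char", "Data.Maybe", "Data.Either",
    "Control.Monad",
})

# Hierarchies the thread proposes to exclude wholesale.
UNSAFE_HIERARCHIES = ("Unsafe", "Foreign")

# Import declaration: optional `qualified`, a module name, optional import
# list.  Indented or commented-out imports still match, which only makes the
# check stricter (false rejects, never false accepts).
IMPORT_RE = re.compile(
    r"^\s*import\s+(?:qualified\s+)?([A-Z][\w']*(?:\.[A-Z][\w']*)*)"
    r"(?:\s*\(([^)]*)\))?"
)
# Any FFI declaration, import or export.
FOREIGN_RE = re.compile(r"^\s*foreign\s+(?:import|export)\b")


def imported_modules(src):
    """Return [(module, [names in the import list])] for each import line."""
    found = []
    for line in src.splitlines():
        m = IMPORT_RE.match(line)
        if m:
            names = [n.strip() for n in (m.group(2) or "").split(",") if n.strip()]
            found.append((m.group(1), names))
    return found


def in_hierarchy(module, root):
    """True if `module` is `root` itself or sits anywhere below it."""
    return module == root or module.startswith(root + ".")


def check_by_module(src, trusted=TRUSTED_MODULES):
    """Whitelist policy.  Returns a list of violations; empty means accept."""
    problems = []
    for lineno, line in enumerate(src.splitlines(), 1):
        if FOREIGN_RE.match(line):
            problems.append(f"line {lineno}: FFI declaration")
    for module, _ in imported_modules(src):
        if any(in_hierarchy(module, h) for h in UNSAFE_HIERARCHIES):
            problems.append(f"import of {module}: unsafe hierarchy")
        elif module not in trusted:
            problems.append(f"import of {module}: not in trusted base")
    return problems


def check_by_name_prefix(src):
    """Blacklist policy: flag every identifier starting with `unsafe`."""
    return sorted(set(re.findall(r"\bunsafe\w*", src)))


# Constructed sample programs (not from the thread).
PURE = "import Data.List (sort)\nmain = print (sort [3, 1, 2])\n"
VIA_UNSAFE = ("import System.IO.Unsafe (unsafePerformIO)\n"
              "main = print (unsafePerformIO (return 1))\n")
VIA_FFI = ('foreign import ccall "exit" c_exit :: Int -> IO ()\n'
           "main = c_exit 1\n")
VIA_ST = "import Control.Monad.ST (stToIO)\nmain = stToIO (return ()) >> return ()\n"

if __name__ == "__main__":
    for label, prog in [("pure", PURE), ("unsafePerformIO", VIA_UNSAFE),
                        ("ffi", VIA_FFI), ("stToIO", VIA_ST)]:
        print(label, "| by module:", check_by_module(prog),
              "| by name:", check_by_name_prefix(prog))
```

The FFI and `stToIO` samples are the ones that separate the two policies: neither contains an `unsafe`-prefixed name, so the blacklist passes both, while the whitelist rejects the `foreign` declaration and the untrusted module. The whitelist is only as good as the trusted set, which is exactly why Don says working it out took a lot of time; a trusted module that re-exports something unsafe defeats a source-level check like this.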