
I would like to start a discussion on the role of unsafe functions in Haskell:

  unsafePerformIO :: IO a -> a
  unsafeInterleaveIO :: IO a -> IO a
  unsafeInterleaveST :: ST s a -> ST s a
  unsafeIOToST :: IO a -> ST s a
  unsafeIOToSTM :: IO a -> STM a
  unsafeFreeze, unsafeThaw, unsafePreservingMatrix, unsafeRenderPrimitive

perhaps also

  unsafeForeignPtrToPtr :: ForeignPtr a -> Ptr a
    (which is already under Foreign.*)
  hGetContents :: Handle -> IO String
    (which is lazy rather than unsafe per se)

* Do you use these, and what for?
* Is there safe functionality that can currently only be obtained with them?
* Do you think they should be standardised, and how?

I'm thinking the unsafe functions should be moved from System.IO.Unsafe and elsewhere to Unsafe, similar to Foreign.*, to better separate them from "real Haskell" conceptually. Also, I would add:

  unsafeCoerce :: a -> b

--
Ashley Yakeley, Seattle WA
WWEWDD? http://www.cs.utexas.edu/users/EWD/

ashley:
> I would like to start a discussion on the role of unsafe functions in Haskell:
>
>   unsafePerformIO :: IO a -> a
>   unsafeInterleaveIO :: IO a -> IO a
>   unsafeInterleaveST :: ST s a -> ST s a
>   unsafeIOToST :: IO a -> ST s a
>   unsafeIOToSTM :: IO a -> STM a
>   unsafeFreeze, unsafeThaw, unsafePreservingMatrix, unsafeRenderPrimitive
>
> perhaps also
>
>   unsafeForeignPtrToPtr :: ForeignPtr a -> Ptr a
>     (which is already under Foreign.*)
>   hGetContents :: Handle -> IO String
>     (which is lazy rather than unsafe per se)
>
> * Do you use these, and what for?

unsafePerformIO, for making pure functions from foreign library bindings. unsafeInterleaveIO, less common, sometimes used to implement low level Chan-like constructs using foreign IO primitives.

> * Is there safe functionality that can currently only be obtained with them?

Foreign library bindings, as in Text.Regex, use unsafePerformIO extensively.

> * Do you think they should be standardised, and how?
>
> I'm thinking the unsafe functions should be moved from System.IO.Unsafe and elsewhere to Unsafe, similar to Foreign.*, to better separate them from "real Haskell" conceptually. Also, I would add:
>
>   unsafeCoerce :: a -> b

Something like: Unsafe.IO Unsafe.ST ?

This came up recently when discussing why peek and poke aren't 'unsafe' but Data.Array.Base.unsafeRead/Write are.

It would make it easier to control the system in programs like lambdabot, which evaluate arbitrary user code, and thus need to restrict the namespace to a trusted base that can't contain any unsafe* functions. Checking that functions (particularly Array) don't export anything unsafe was a bit tedious.

-- Don

Donald Bruce Stewart wrote:
> Something like: Unsafe.IO Unsafe.ST ?

Possibly even migrating Foreign to Unsafe.Foreign.

> This came up recently when discussing why peek and poke aren't 'unsafe' but Data.Array.Base.unsafeRead/Write are.
>
> It would make it easier to control the system in programs like lambdabot, which evaluate arbitrary user code, and thus need to restrict the namespace to a trusted base that can't contain any unsafe* functions. Checking that functions (particularly Array) don't export anything unsafe was a bit tedious.

Yes, I was thinking of this too. It would be nice to be able to deal securely with untrusted code in general, but of course that depends what format the code is in anyway.

--
Ashley Yakeley, Seattle WA
WWEWDD? http://www.cs.utexas.edu/users/EWD/

On Wednesday, 26 April 2006 03:26, Ashley Yakeley wrote:
> Donald Bruce Stewart wrote:
> > Something like: Unsafe.IO Unsafe.ST ?
>
> Possibly even migrating Foreign to Unsafe.Foreign. [...]

... to confuse people, make existing tutorials useless for beginners and forcing tons of code to be modified just for a cosmetic namespace change? Definitely not. Stuff in "Foreign" is by default not safe in the Haskell sense.

Cheers,
S.

Sven Panne wrote:
> On Wednesday, 26 April 2006 03:26, Ashley Yakeley wrote:
> > Donald Bruce Stewart wrote:
> > > Something like: Unsafe.IO Unsafe.ST ?
> >
> > Possibly even migrating Foreign to Unsafe.Foreign. [...]
>
> ... to confuse people, make existing tutorials useless for beginners and forcing tons of code to be modified just for a cosmetic namespace change? Definitely not. Stuff in "Foreign" is by default not safe in the Haskell sense.

OK, that's fine. All I'm hoping for is a rule to determine whether a given symbol is safe or not. As you pointed out, "unsafe*" doesn't work.

--
Ashley Yakeley, Seattle WA
WWEWDD? http://www.cs.utexas.edu/users/EWD/

On Wednesday, 26 April 2006 01:02, Ashley Yakeley wrote:
> I would like to start a discussion on the role of unsafe functions in Haskell:
>
> [...] unsafePreservingMatrix, unsafeRenderPrimitive [...]

These two functions are not "unsafe" in the sense the other functions are. The prefix only indicates that the action passed to them should not throw an exception.

Cheers,
S.
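
The point made across this thread, that the unsafe* prefix alone does not decide whether a symbol may be exposed to evaluated code, worked through as an added example (not code from lambdabot or from any poster). The export lists and the submitted snippet are constructed samples, ExampleGL is a hypothetical module name, and the two name lists hold only the symbols the thread itself singles out.

```haskell
import Data.List (isPrefixOf)

-- From the thread: unsafe without carrying the prefix (raw memory access).
unprefixedUnsafe :: [String]
unprefixedUnsafe = ["peek", "poke"]

-- From the thread: prefixed only because the action passed in should not throw.
prefixOnly :: [String]
prefixOnly = ["unsafePreservingMatrix", "unsafeRenderPrimitive"]

-- Naive rule: a name is unsafe exactly when it starts with "unsafe".
byPrefix :: String -> Bool
byPrefix = ("unsafe" `isPrefixOf`)

-- Reviewed rule: the explicit lists decide first, the prefix is the fallback.
reviewed :: String -> Bool
reviewed n
  | n `elem` unprefixedUnsafe = True
  | n `elem` prefixOnly       = False
  | otherwise                 = byPrefix n

-- Constructed, partial export lists; "ExampleGL" is a hypothetical module name.
candidateExports :: [(String, [String])]
candidateExports =
  [ ("Data.Array.Base", ["readArray", "unsafeRead", "unsafeWrite"])
  , ("Foreign",         ["peek", "poke"])
  , ("Data.List",       ["sort", "nub"])
  , ("ExampleGL",       ["unsafePreservingMatrix", "unsafeRenderPrimitive"]) ]

-- Modules whose every listed export passes the given rule.
trustedBase :: (String -> Bool) -> [String]
trustedBase isUnsafe = [ m | (m, names) <- candidateExports, not (any isUnsafe names) ]

-- Module named on an import line, if the line is one.
importedModule :: String -> Maybe String
importedModule line = case words line of
  ("import" : "qualified" : m : _) -> Just (takeWhile (/= '(') m)
  ("import" : m : _)               -> Just (takeWhile (/= '(') m)
  _                                -> Nothing

-- Imports of a submitted snippet that fall outside the trusted base.
rejectedImports :: [String] -> String -> [String]
rejectedImports base src = [ m | Just m <- map importedModule (lines src), m `notElem` base ]

main :: IO ()
main = do
  let snippet = "import Data.List (sort)\nimport qualified Foreign as F\nmain = print (sort [3,1,2])"  -- constructed
  putStrLn ("prefix rule trusts:   " ++ show (trustedBase byPrefix))
  putStrLn ("reviewed rule trusts: " ++ show (trustedBase reviewed))
  putStrLn ("rejected imports:     " ++ show (rejectedImports (trustedBase reviewed) snippet))
```

The two rules disagree on Foreign and ExampleGL, which is the gap between a naming convention and a reviewed list that the thread describes.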
participants (3): Ashley Yakeley, dons@cse.unsw.edu.au, Sven Panne