Unsafe Functions

Ashley Yakeley
I would like to start a discussion on the role of unsafe functions in
Haskell:

   unsafePerformIO :: IO a -> a
   unsafeInterleaveIO :: IO a -> IO a
   unsafeInterleaveST :: ST s a -> ST s a
   unsafeIOToST :: IO a -> ST s a
   unsafeIOToSTM :: IO a -> STM a
   unsafeFreeze, unsafeThaw,
   unsafePreservingMatrix, unsafeRenderPrimitive

perhaps also

   unsafeForeignPtrToPtr :: ForeignPtr a -> Ptr a
     (which is already under Foreign.*)
   hGetContents :: Handle -> IO String
     (which is lazy rather than unsafe per se)

* Do you use these, and what for?

* Is there safe functionality that can currently only be obtained with them?

* Do you think they should be standardised, and how?

I'm thinking the unsafe functions should be moved from System.IO.Unsafe
and elsewhere to Unsafe, similar to Foreign.*, to better separate them
from "real Haskell" conceptually. Also, I would add:

   unsafeCoerce :: a -> b

--
Ashley Yakeley, Seattle WA
WWEWDD? http://www.cs.utexas.edu/users/EWD/

_______________________________________________
Libraries mailing list
[hidden email]
http://www.haskell.org/mailman/listinfo/libraries

Re: Unsafe Functions

Donald Bruce Stewart
ashley:

> I would like to start a discussion on the role of unsafe functions in
> Haskell:
>
>   unsafePerformIO :: IO a -> a
>   unsafeInterleaveIO :: IO a -> IO a
>   unsafeInterleaveST :: ST s a -> ST s a
>   unsafeIOToST :: IO a -> ST s a
>   unsafeIOToSTM :: IO a -> STM a
>   unsafeFreeze, unsafeThaw,
>   unsafePreservingMatrix, unsafeRenderPrimitive
>
> perhaps also
>
>   unsafeForeignPtrToPtr :: ForeignPtr a -> Ptr a
>     (which is already under Foreign.*)
>   hGetContents :: Handle -> IO String
>     (which is lazy rather than unsafe per se)
>
> * Do you use these, and what for?

    unsafePerformIO,    for making pure functions from foreign library bindings.
    unsafeInterleaveIO, less common, sometimes used to implement low
                        level Chan-like constructs using foreign IO primitives.

> * Is there safe functionality that can currently only be obtained with them?

    Foreign library bindings, as in Text.Regex, use unsafePerformIO extensively.
 
> * Do you think they should be standardised, and how?
>
> I'm thinking the unsafe functions should be moved from System.IO.Unsafe
> and elsewhere to Unsafe, similar to Foreign.*, to better separate them
> from "real Haskell" conceptually. Also, I would add:
>
>   unsafeCoerce :: a -> b

Something like:
    Unsafe.IO
    Unsafe.ST ?

This came up recently when discussing why peek and poke aren't 'unsafe'
but Data.Array.Base.unsafeRead/Write are.

It would make it easier to control the system in programs like lambdabot,
which evaluate arbitrary user code, and thus need to restrict the
namespace to a trusted base that can't contain any unsafe* functions.
Checking that functions (particularly Array) don't export anything
unsafe was a bit tedious.

-- Don

Re: Unsafe Functions

Ashley Yakeley
Donald Bruce Stewart wrote:

> Something like:
>     Unsafe.IO
>     Unsafe.ST ?

Possibly even migrating Foreign to Unsafe.Foreign.

> This came up recently when discussing why peek and poke aren't 'unsafe'
> but Data.Array.Base.unsafeRead/Write are.
>
> It would make it easier to control the system in programs like lambdabot,
> which evaluate arbitrary user code, and thus need to restrict the
> namespace to a trusted base that can't contain any unsafe* functions.
> Checking that functions (particularly Array) don't export anything
> unsafe was a bit tedious.

Yes, I was thinking of this too. It would be nice to be able to deal
securely with untrusted code in general, but of course that depends what
format the code is in anyway.

--
Ashley Yakeley, Seattle WA
WWEWDD? http://www.cs.utexas.edu/users/EWD/


Re: Unsafe Functions

Sven Panne
On Wednesday, 26 April 2006 03:26, Ashley Yakeley wrote:
> Donald Bruce Stewart wrote:
> > Something like:
> >     Unsafe.IO
> >     Unsafe.ST ?
>
> Possibly even migrating Foreign to Unsafe.Foreign.
> [...]

... to confuse people, make existing tutorials useless for beginners and
force tons of code to be modified just for a cosmetic namespace change?
Definitely not. Stuff in "Foreign" is by default not safe in the Haskell
sense.

Cheers,
   S.

Re: Unsafe Functions

Sven Panne
In reply to this post by Ashley Yakeley
On Wednesday, 26 April 2006 01:02, Ashley Yakeley wrote:
> I would like to start a discussion on the role of unsafe functions in
> Haskell:
>
> [...]
>    unsafePreservingMatrix, unsafeRenderPrimitive
> [...]

These two functions are not "unsafe" in the sense the other functions are. The
prefix only indicates that the action passed to them should not throw an
exception.

Cheers,
    S.

Re: Unsafe Functions

Ashley Yakeley
In reply to this post by Sven Panne
Sven Panne wrote:

> On Wednesday, 26 April 2006 03:26, Ashley Yakeley wrote:
>
>>Donald Bruce Stewart wrote:
>>
>>>Something like:
>>>    Unsafe.IO
>>>    Unsafe.ST ?
>>
>>Possibly even migrating Foreign to Unsafe.Foreign.
>>[...]
>
>
> ... to confuse people, make existing tutorials useless for beginners and
> force tons of code to be modified just for a cosmetic namespace change?
> Definitely not. Stuff in "Foreign" is by default not safe in the Haskell
> sense.

OK, that's fine. All I'm hoping for is a rule to determine whether a
given symbol is safe or not. As you pointed out, "unsafe*" doesn't work.

--
Ashley Yakeley, Seattle WA
WWEWDD? http://www.cs.utexas.edu/users/EWD/
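
The two rules weighed in this thread, compared side by side as an added example (not code from any poster or from lambdabot): flagging identifiers by the "unsafe" prefix versus allowing imports only from a trusted base. The trusted-module list, the function names and the sample snippets are assumptions constructed for illustration, and the import parser is deliberately simplified.

```haskell
import Data.Char (isAlphaNum)
import Data.List (isPrefixOf)

-- Hypothetical trusted base: the only modules a snippet may import.
trustedModules :: [String]
trustedModules = ["Data.Char", "Data.List", "Data.Maybe"]

-- Module named by an import line, if any. Simplified: one import per
-- line, "import [qualified] M ..." only.
importedModule :: String -> Maybe String
importedModule line = case words line of
    ("import" : "qualified" : m : _) -> Just (clean m)
    ("import" : m : _)               -> Just (clean m)
    _                                -> Nothing
  where clean = takeWhile (`notElem` "(;")

-- Allowlist rule: report every import outside the trusted base.
rejectedImports :: String -> [String]
rejectedImports src =
  [m | Just m <- map importedModule (lines src), m `notElem` trustedModules]

-- Split source into identifier-like tokens (qualifiers split at '.').
identifiers :: String -> [String]
identifiers s = case dropWhile (not . isIdent) s of
    ""   -> []
    rest -> let (w, more) = span isIdent rest in w : identifiers more
  where isIdent c = isAlphaNum c || c `elem` "_'"

-- Naming rule: report identifiers that start with "unsafe".
flaggedByPrefix :: String -> [String]
flaggedByPrefix = filter ("unsafe" `isPrefixOf`) . identifiers

-- Constructed sample snippets, not taken from the thread.
samples :: [(String, String)]
samples =
  [ ("pure list code", "import Data.List\nf = sort [3, 1, 2]\n")
  , ("raw memory write", "import Foreign.Storable\nf p = poke p (0 :: Int)\n")
  , ("IO escape", "import System.IO.Unsafe\nx = unsafePerformIO getLine\n")
  , ("array access", "import Data.Array.Base\nf a = Data.Array.Base.unsafeRead a 0\n")
  ]

main :: IO ()
main = mapM_ report samples
  where
    report (name, src) = putStrLn $
      name ++ ": prefix rule flags " ++ show (flaggedByPrefix src)
           ++ ", allowlist rejects " ++ show (rejectedImports src)
```

The `poke` snippet passes the prefix rule untouched and is caught only by the import allowlist. The allowlist itself holds only if every trusted module's export list has been audited, which is the tedious step mentioned earlier in the thread.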
