Changes between Version 29 and Version 30 of SafeHaskell
- Timestamp:
- 01/19/11 00:21:31 (2 years ago)
SafeHaskell
v29 v30 62 62 1. Two new GHC LANGUAGE options, `-XSafe` and `-XTrustworthy`. Intuitively 63 63 * `-XSafe` enables a "Safe" dialect of Haskell in which GHC rejects any source code that might produce unsafe effects or otherwise subvert the type system. 64 * `-XTrustwor hty` means that, though a module may invoke unsafe functions internally, the module's author claims the set of exported symbols cannot be used in an unsafe way. (There is a corresponding `-XUntrustworthy` option to enable the language extension but negate `-XTrustworthy`.)64 * `-XTrustworthy` means that, though a module may invoke unsafe functions internally, the module's author claims that the set of exported symbols cannot be used in an unsafe way. (There is a corresponding `-XUntrustworthy` option to enable the language extension but negate `-XTrustworthy`. '''SLPJ: don't understand''') 65 65 66 66 2. A small extension to the syntax of import statements (enabled by `-XSafe` or `-XTrustworhty`), adding a `safe` keyword: … … 68 68 impdecl -> `import` [`safe`] [`qualified`] modid [`as` modid] [impspec] 69 69 70 The LANGUAGE extensions have the following effect. When a client C compiles a module M 70 The LANGUAGE extensions have the following effect. When a client C compiles a module M: 71 71 * Under `-XSafe` several potentially-unsafe language features, listed under "Threats" below, are disabled. 72 72 * Under `-XSafe`, all M's `imports` must be trusted by C 73 73 * Under `-XTrustworthy` or `-XUntrustworthy` (but not `-XSafe`) all M's `safe imports` must be trusted by C 74 Otherwise the module is rejected. 75 76 What does it mena for a module to be "trusted by C"? Here is the definition: 74 75 What does it mean for a module to be "trusted by C"? Here is the definition: 77 76 78 77 * A '''client''' is someone running GHC, typically the person compiling the application. … … 120 119 Notice that C didn't need to trust package `Wuggle`; the machine checking is enough. 
C only needs to trust packages that have `-XTrustworthy` modules in them. 121 120 122 === Implementation details === 123 124 Determining trust requires two modifications to the way GHC manages modules. First, the interface file format must change to record each module's trust dependency set. Second, we need compiler options to specify which packages are trusted by an application. 125 126 We therefore extend the interface file format to record the trust dependency set of each module. The set is represented as a list of ''trust dependencies'', each of which is a (package, module) pair. 127 128 Currently, in any given run of the compiler, GHC classifies each package as either exposed or hidden. To incorporate trust, we add a second bit specifying whether each package is trusted or untrusted. This bit will be controllable by two new options to `ghc-pkg`, `trust` and `distrust`, which are analogous to `expose` and `hide`. 121 === Command line options === 129 122 130 123 On the command line, several new options control which packages are trusted: … … 159 152 == Threats == 160 153 154 '''SLPJ note''': we should enumerate precisely what is and is not allowed with `-XSafe`. '''End of note''' 155 161 156 The following aspects of Haskell can be used to violate the safety goal, and thus need to be disallowed or modified for the Safe dialect. ''Please add more issues to this list, as some are likely missing.'' 162 157 … … 184 179 185 180 == Implementation details == 181 182 -------------- 183 '''SLPJ note''' I am uncertain whether these implementation notes are correct. We need to revisit them in the light of our new definitions. 184 185 Determining trust requires two modifications to the way GHC manages modules. First, the interface file format must change to record each module's trust dependency set. Second, we need compiler options to specify which packages are trusted by an application. 
186 187 We therefore extend the interface file format to record the trust dependency set of each module. The set is represented as a list of ''trust dependencies'', each of which is a (package, module) pair. 188 189 Currently, in any given run of the compiler, GHC classifies each package as either exposed or hidden. To incorporate trust, we add a second bit specifying whether each package is trusted or untrusted. This bit will be controllable by two new options to `ghc-pkg`, `trust` and `distrust`, which are analogous to `expose` and `hide`. 190 191 -------------- 186 192 187 193 * {{{GHC.Prim}}} will need to be made (or just kept) unsafe.
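Review bot: the typo fix at wiki line 64 (`-XTrustwor hty` to `-XTrustworthy`) misses the same misspelling two lines down, where line 66 still reads "enabled by `-XSafe` or `-XTrustworhty`"; fix both in one edit. The new inline '''SLPJ: don't understand''' about `-XUntrustworthy` can be answered from line 73, which already gives its operational meaning: it turns on the `safe` import syntax and the check that all `safe imports` are trusted, without the author asserting anything about the module's own exports. Saying that at line 64 would make the parenthetical self-explanatory.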
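Review bot: dropping "Otherwise the module is rejected." (old line 74) leaves the three bullets at lines 71-73 with no stated consequence, so "must be trusted by C" now reads as advice rather than a compile-time check. Keep the sentence, or fold it into the lead-in at line 70, for example "When a client C compiles a module M, GHC rejects M unless:", since rejection is the whole enforcement mechanism.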
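Review bot: the moved implementation paragraphs (new lines 185-189) still describe the interface file as recording a trust dependency set of (package, module) pairs, while the definition just above the move (lines 119-120) says C only needs to trust packages that contain `-XTrustworthy` modules, so the recorded granularity and the checked granularity no longer obviously match. The SLPJ note at line 183 flags the uncertainty, but the paragraphs should state whether the per-module set is still needed for the `safe import` check at line 73 or whether the per-package trusted bit is sufficient. The `ghc-pkg` `trust`/`distrust` sentence at line 189 is also now far from the new "=== Command line options ===" heading at line 121 where a reader will look for it; cross-reference or move it.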
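Review bot: the new SLPJ note at line 154 should be treated as blocking for the Threats section. The `-XSafe` bullet at line 71 defines the Safe dialect as the features "listed under 'Threats' below", so that list is the specification of the safety property, and the standing invitation at line 161 to "add more issues" means anything omitted from it is allowed by default. Turn the section into a closed enumeration of what `-XSafe` disables, with everything not named permitted only after explicit review.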
