是否有被认为“安全”的GHC扩展名列表？ [英] Is there a list of GHC extensions that are considered 'safe'?

问题描述

偶尔，如果没有至少一种语言扩展名，我想要写的代码是不合法的。当试图在研究论文中实现想法时尤其如此，在撰写论文时可以使用GHC的任何漂亮的，超级扩展版本，但没有明确说明实际需要哪些扩展。

结果是，我经常在我的.hs文件的顶部得到类似这样的东西：

  { - ＃LANGUAGE TypeFamilies 
，MultiParamTypeClasses 
，FunctionalDependencies 
，FlexibleContexts 
，FlexibleInstances 
，UndecidableInstances 
，OverlappingInstances＃ - } 
  

我不介意，但我常常觉得自己盲目牺牲安抚GHC的伟大的上帝。它抱怨说，如果没有语言扩展X，某段代码是无效的，所以我为X添加了一个编译指示。然后它要求我启用Y，因此我为Y添加了一个编译指示。到此结束时，我已经启用三个或四个我并不真正了解的语言扩展，我不知道哪些是'安全'的。

解释我的意思是安全 ：

• 我知道 UndecidableInstances 是安全的，导致编译器不终止，只要代码编译它不会有意想不到的副作用。




• 另一方面， OverlappingInstances 显然是不安全的，因为它使我很容易意外地编写出现运行时错误的代码。




所以我的问题是：






是否有GHCextensions列表被认为是安全的，哪些是不安全'？







解决方案

最好看一看 SafeHaskell 允许：
$ b




安全语言





安全语言（通过 -XSafe 启用）以两种不同方式限制事情：





1. 完全禁止某些GHC LANGUAGE扩展名。


2. 某些GHC LANGUAGE扩展功能受到限制。



下面是正确的标志和扩展属于每个类别：





• 完全禁止： GeneralizedNewtypeDiving ， TemplateHaskell


• 受限功能： OverlappingInstances ， ForeignFunctionInterface ， RULES ， Data.Typeable
  
  
  
  
  • 请参阅下面的限制功能
  
  


• 不重要：所有剩余的标志。







限制和禁用GHC Haskell功能



在安全语言方言中，我们限制以下Haskell语言功能：





• ForeignFunctionInterface ：这大多是安全的，但不允许导入具有非IO类型功能的外部导入声明。所有FFI导入都必须驻留在IO Monad中。


• RULES ：由于它们可以以意想不到的方式改变可信代码的行为，违反语义一致性，它们在功能上受到限制。特别是用 -XSafe M 中定义的任何 RULES >被丢弃。在 M 导入的可信模块中定义的 RULES 仍然有效，并且将照常启动。


• OverlappingInstances ：此扩展可用于违反语义一致性，因为恶意代码可能重新定义类型实例（通过包含更具体实例定义），以改变导入不可信模块的代码的行为。对于使用 -XSafe 编译但限制的模块 M ，扩展未禁用。虽然 M 可以定义重叠的实例声明，但它们只能用于 M 中。如果在导入 M 的模块 N 中，在使用类型类函数的调用站点上有一个选项哪个实例要使用（即重叠），最具体的选择是从 M （或其他任何安全编译模块），那么编译将失败。如果模块 N 被认为是安全的或者可信的或者两者都不是。


• Data.Typeable ：我们允许 Data.Typeable 的实例成为派生，但我们不允许手工制作实例。衍生的实例是由GHC生成的机器，应该是完全安全的，但手工制作的实例可以说谎它们的类型，并允许不同类型之间的不安全强制。这符合SYB原创设计的精神。







在安全语言方言中，我们彻底禁用以下Haskell语言功能：





• GeneralizedNewtypeDeriving ：它可以用来违反构造函数的访问控制，允许不受信任的代码以数据类型作者的方式处理受保护的数据类型不打算。 I.e可以用来打破数据结构的不变量。


• TemplateHaskell ：特别危险，因为它甚至会在编译时引起副作用，并可用于访问抽象数据类型。与TH打破模块界限是很容易的。






回想一下， FunctionalDependencies 和 UndecidableInstances 也可能是不安全的，因为除了允许无限的上下文堆栈深度 UndecidableInstances 也提升所谓的覆盖条件（第7.6.3.2节），但目前我找不到这个引用。





编辑2015-10- 27：自从GHC获得对类型角色的支持后， GeneralizedNewtypeDeriving 不再不安全。 （我不确定还有什么可能改变。）




Occasionally, a piece of code I want to write isn't legal without at least one language extension. This is particularly true when trying to implement ideas in research papers, which tend to use whichever spiffy, super-extended version of GHC was available at the time the paper was written, without making it clear which extensions are actually required.

The result is that I often end up with something like this at the top of my .hs files:

{-# LANGUAGE TypeFamilies
           , MultiParamTypeClasses
           , FunctionalDependencies
           , FlexibleContexts
           , FlexibleInstances
           , UndecidableInstances
           , OverlappingInstances #-}

I don't mind that, but often I feel as though I'm making blind sacrifices to appease the Great God of GHC. It complains that a certain piece of code isn't valid without language extension X, so I add a pragma for X. Then it demands that I enable Y, so I add a pragma for Y. By the time this finishes, I've enable three or four language extensions that I don't really understand, and I have no idea which ones are 'safe'.

To explain what I mean by 'safe':

• I understand that UndecidableInstances is safe, because although it may cause the compiler to not terminate, as long as the code compiles it won't have unexpected side effects.

• On the other hand, OverlappingInstances is clearly unsafe, because it makes it very easy for me to accidentally write code that gives runtime errors.

So my question is:

Is there a list of GHCextensions which are considered 'safe' and which are 'unsafe'?

解决方案

It's probably best to look at what SafeHaskell allows:

Safe Language

The Safe Language (enabled through -XSafe) restricts things in two different ways:

1. Certain GHC LANGUAGE extensions are disallowed completely.
2. Certain GHC LANGUAGE extensions are restricted in functionality.

Below is precisely what flags and extensions fall into each category:

• Disallowed completely: GeneralizedNewtypeDeriving, TemplateHaskell
• Restricted functionality: OverlappingInstances, ForeignFunctionInterface, RULES, Data.Typeable
  • See Restricted Features below
• Doesn't Matter: all remaining flags.

Restricted and Disabled GHC Haskell Features

In the Safe language dialect we restrict the following Haskell language features:

• ForeignFunctionInterface: This is mostly safe, but foreign import declarations that import a function with a non-IO type are be disallowed. All FFI imports must reside in the IO Monad.
• RULES: As they can change the behaviour of trusted code in unanticipated ways, violating semantic consistency they are restricted in function. Specifically any RULES defined in a module M compiled with -XSafe are dropped. RULES defined in trustworthy modules that M imports are still valid and will fire as usual.
• OverlappingInstances: This extension can be used to violate semantic consistency, because malicious code could redefine a type instance (by containing a more specific instance definition) in a way that changes the behaviour of code importing the untrusted module. The extension is not disabled for a module M compiled with -XSafe but restricted. While M can define overlapping instance declarations, they can only be used in M. If in a module N that imports M, at a call site that uses a type-class function there is a choice of which instance to use (i.e overlapping) and the most specific choice is from M (or any other Safe compiled module), then compilation will fail. It is irrelevant if module N is considered Safe, or Trustworthy or neither.
• Data.Typeable: We allow instances of Data.Typeable to be derived but we don't allow hand crafted instances. Derived instances are machine generated by GHC and should be perfectly safe but hand crafted ones can lie about their type and allow unsafe coercions between types. This is in the spirit of the original design of SYB.

In the Safe language dialect we disable completely the following Haskell language features:

• GeneralizedNewtypeDeriving: It can be used to violate constructor access control, by allowing untrusted code to manipulate protected data types in ways the data type author did not intend. I.e can be used to break invariants of data structures.
• TemplateHaskell: Is particularly dangerous, as it can cause side effects even at compilation time and can be used to access abstract data types. It is very easy to break module boundaries with TH.

I recall having read that the interaction of FunctionalDependencies and UndecidableInstances can also be unsafe, because beyond allowing an unlimited context stack depth UndecidableInstances also lifts the so-called coverage condition (section 7.6.3.2), but I can't find a cite for this at the moment.

EDIT 2015-10-27: Ever since GHC gained support for type roles, GeneralizedNewtypeDeriving is no longer unsafe. (I'm not sure what else might have changed.)

这篇关于是否有被认为“安全”的GHC扩展名列表？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！