... | @@ -209,22 +209,20 @@ On the command line, several new options control which packages are trusted: |
### Interaction of Options
### Interaction of Options
**Note:** Incomplete
The `-XSafe`, `-XTrustworthy`, `-XSafeLanguage` and `-XSafeImport` GHC LANGUAGE options are all order independent. When they are used they disable certain other GHC LANGUAGE and OPTIONS_GHC options. There are some options though that while disabled for source file pragmas are allowed when used on the command line. The idea behind this is that in source pragmas are generally specified by the module author, who is untrusted, while command line options are specified by the client since they are compiling the module, who has to be trusted. In the case of Cabal files, while they are specified by the untrusted module author, since it is a single source file it is easy to validate by hand. Below follow the new SafeHaskell options and what they disallow:
The `-XSafe`, `-XTrustworthy`, `-XSafeLanguage` and `-XSafeImport` GHC LANGUAGE options are all order independent. When they are used they disable certain other GHC LANGUAGE and OPTIONS_GHC options. There are some options though that while disabled for source file pragmas are allowed when used on the command line. The idea behind this is that in source pragmas are generally specified by the module author, who is untrusted, while command line options are specified by the client since they are compiling the module, who has to be trusted. Below follow the new SafeHaskell options and what they disallow:
- **`-XSafe`**:
- **`-XSafe`**:
- **Disallowed completely**: `StandaloneDeriving`, `GeneralizedNewtypeDeriving`, `RULES`, `SPECIALIZE`, `-fglasgow-exts`, `-XSafeLanguage`
- **Disallowed completely**: `GeneralizedNewtypeDeriving`, `RULES`, `SPECIALIZE`, `-XSafeLanguage`
- **Only allowed on command line**: `TemplateHaskell`, `-cpp`, `-pgm{L,P,lo,lc,m,s,a,l,dll,F,windres}`, `-opt{L,P,lo,lc,m,s,a,l,dll,F,windres}`, `-F`, `-l''lib''`, `-framework`, `-L''dir''`, `-framework-path''dir''`, `-main-is`, `-package-name`, `-D''symbol''`, `-U''symbol''`, `-I''dir''`
- **Only allowed on command line**: `TemplateHaskell`, `-cpp`, `-pgm{L,P,lo,lc,m,s,a,l,dll,F,windres}`, `-opt{L,P,lo,lc,m,s,a,l,dll,F,windres}`, `-F`, `-l''lib''`, `-framework`, `-L''dir''`, `-framework-path''dir''`, `-main-is`, `-package-name`, `-D''symbol''`, `-U''symbol''`, `-I''dir''`, `-with-rts-opts`, `-dylib-install-name`, `-hcsuf`, `-hidir`, `-hisuf`, `-o`, `-odir`, `-ohi`, `-osuf`, `-stubdir`, `-outputdir`, `-tmpdir`
- **Restricted functionality**:
- **Restricted functionality**:
- `OverlappingInstances` (requires that Overlapping instance declarations must either all reside in modules compiled without -XSafe, or else all reside in the same module.)
- `OverlappingInstances` (requires that Overlapping instance declarations must either all reside in modules compiled without -XSafe, or else all reside in the same module.)
- `ForeignFunctionInterface` (foreign imports must have an `IO` return type)
- `ForeignFunctionInterface` (foreign imports must have an `IO` return type)
- **Doesn't Matter**: `-v`, `-vn`, `-fasm`, `-fllvm`, `-fvia-C`, `-fno-code`, `-fobject-code`, `-fbyte-code`, `-c`, `-split-objs`, `-shared`, `-hcsuf`, `-hidir`, `-o`, `-odir`, `-ohi`, `-osuf`, `-stubdir`, `-outputdir`, `-keep-*`, `-tmpdir`, `-ddump-*`, `-fforce-recomp`, `-no-auto-link-packages`, `-XSafeImports`
- **Doesn't Matter**: all remaining flags.
- **`-XTrustworthy`** mostly has no special interactions, except for
- **`-XTrustworthy`** has no special interactions, except for
- If `-XSafeLanguage`: See summary of SafeHaskell options at bottom of [Safe Language & Imports (Without Trust)](safe-haskell#safe-language-&-imports-(without-trust))
- If `-XSafeLanguage`: See summary of SafeHaskell options at bottom of [Safe Language & Imports (Without Trust)](safe-haskell#safe-language-&-imports-(without-trust))
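Review bot: replacing the explicit "Doesn't Matter" list with "all remaining flags" turns the option policy for `-XSafe` modules into default-allow, so any GHC flag that is added later, or simply forgotten here, is silently accepted in a source pragma; keep the allowed set explicit, or state that unlisted flags are rejected. Two entries also leave "Disallowed completely" without landing anywhere else: `StandaloneDeriving` and `-fglasgow-exts` are dropped and appear in no other category, and `-fglasgow-exts` is a bundle flag that switches on `GeneralizedNewtypeDeriving` among others, which this same list still forbids, so it should stay disallowed or be limited to the command line. Moving `-o`, `-odir`, `-hidir`, `-outputdir`, `-tmpdir` and the other output-location flags from "Doesn't Matter" to "Only allowed on command line" looks right, since a module author choosing output paths via a pragma is exactly the untrusted-author case the paragraph above describes; `-with-rts-opts`, `-dylib-install-name` and `-hisuf` are new in that list and deserve a sentence of rationale there as well.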
... | @@ -257,8 +255,6 @@ The following aspects of Haskell can be used to violate the safety goal, and thu |
- `OPTIONS_GHC` is dangerous in unfiltered form. Among other things, it could use `-trust` to trust packages the invoking user doesn't in fact trust.
- `OPTIONS_GHC` is dangerous in unfiltered form. Among other things, it could use `-trust` to trust packages the invoking user doesn't in fact trust.
- The `StandaloneDeriving` extension can be used to violate constructor access control by defining instances of `Read` and `Show` to examine and construct data values with inaccessible constructors.
- Similarly, `GeneralizedNewtypeDeriving` can violate constructor access control, by allowing untrusted code to manipulate protected data types in ways the data type author did not intend.
- Similarly, `GeneralizedNewtypeDeriving` can violate constructor access control, by allowing untrusted code to manipulate protected data types in ways the data type author did not intend.
## Implementation details
## Implementation details
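Review bot: deleting the `StandaloneDeriving` bullet leaves the following item, "Similarly, `GeneralizedNewtypeDeriving` can violate constructor access control ...", with nothing to be similar to; reword it to stand alone. The removed bullet also carried the only stated argument against the extension (derived `Read` and `Show` instances examining and constructing values with inaccessible constructors); if `StandaloneDeriving` is now considered compatible with the safety goal, this section should say why that argument no longer applies rather than drop it silently, particularly as the "Interaction of Options" list in this change no longer restricts it either.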
... | @@ -284,7 +280,7 @@ Currently, in any given run of the compiler, GHC classifies each package as eith |
- `GHC.Prim` will need to be made (or just kept) unsafe.
- `GHC.Prim` will need to be made (or just kept) unsafe.
- `-XSafe` should disallow the `TemplateHaskell`, `StandaloneDeriving`, `GeneralizedNewtypeDeriving`, and `CPP` language extensions, as well as the `RULES` and `SPECIALIZE` pragmas. (See [Of Options](safe-haskell#) above for details).
- `-XSafe` should disallow the `TemplateHaskell`, `GeneralizedNewtypeDeriving`, and `CPP` language extensions, as well as the `RULES` and `SPECIALIZE` pragmas. (See [Of Options](safe-haskell#) above for details).
- Overlapping instance declarations must either all reside in modules compiled without `-XSafe`, or else all reside in the same module. It violates semantic consistency to allow Safe code to change the instance definition associated with a particular type.
- Overlapping instance declarations must either all reside in modules compiled without `-XSafe`, or else all reside in the same module. It violates semantic consistency to allow Safe code to change the instance definition associated with a particular type.
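Review bot: the edited bullet still says `-XSafe` should disallow the `TemplateHaskell` and `CPP` extensions outright, but the "Interaction of Options" list in this same change files `TemplateHaskell` and `-cpp` under "Only allowed on command line", not "Disallowed completely"; align the two, for example "disallow ... in source pragmas, permitting them only from the command line". The cross-reference `[Of Options](safe-haskell#)` points at an empty anchor and names a section that does not exist; the section is titled "Interaction of Options", so fix both the link text and the target. The unchanged overlapping-instances bullet also repeats the `OverlappingInstances` entry under "Restricted functionality" almost verbatim; a link instead of a copy would keep the two from drifting apart in future edits.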