17

The documentation for Safe Haskell states:

[...] Unfortunately Template Haskell can be used to subvert module boundaries and so could be used to gain access to this constructor. [...] The use of the -XSafe flag to compile the Danger module restricts the features of Haskell that can be used to a safe subset. This includes disallowing unsafePerformIO, Template Haskell, [...]

Used as a macro system that translates an AST to another AST, should it not be possible to simply restrict TH to the safe subset of Haskell, and also restrict the resulting AST to this subset?

1 Answer

17

A bit further down on the page you linked:

TemplateHaskell — Is particularly dangerous, as it can cause side effects even at compilation time and can be used to access abstract data types. It is very easy to break module boundaries with TH.

The concern about side effects comes from the fact that TH allows you to run arbitrary IO computations at compile time using runIO. This would throw any hope of safety right out the window.

Breaking module boundaries means that using TH you can for example access data constructors even though a module did not export them.

See this repository for many examples of things that would be unsafe to allow in Safe Haskell, including an example of breaking module boundaries.

It might be possible that Template Haskell could be made safe if these features were disabled; however, it would require significant changes to TH.

2
  • 2
    Ok, so [runIO] is the culprit. I guess there could be a TH without it?
    – user239558
    Aug 19, 2011 at 10:56
  • 1
    Even without runIO, you can use TH to access things that you're not supposed to be able to access. (I.e., you can access private functions which are not exported and shouldn't be accessible.) That defeats the whole point of Safe Haskell. To use TH, you'd have to figure out how to prevent unauthorised access like that. Feb 29, 2012 at 11:57
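The compile-time side effect the answer describes, as an added example (not code from the answer or from the repository it links to). The module layout and the name `compiledBy` are illustrative assumptions.

```haskell
{-# LANGUAGE TemplateHaskell #-}
-- Adding {-# LANGUAGE Safe #-} here (or compiling with -XSafe) makes GHC
-- refuse this module, because Safe Haskell disables Template Haskell.
module Main (main) where

import Language.Haskell.TH (runIO, stringE)
import System.Environment (getProgName)
import System.IO (hPutStrLn, stderr)

-- The splice below is executed by GHC while it compiles this module.
-- Both runIO actions are ordinary, unrestricted IO in the process that
-- runs the splice; nothing in the type of compiledBy reveals that.
compiledBy :: String
compiledBy = $(do
    runIO (hPutStrLn stderr "side effect during compilation")
    prog <- runIO getProgName   -- name of the process running the splice
    stringE prog)               -- result is baked into the binary as a literal

main :: IO ()
main = do
    self <- getProgName
    putStrLn ("splice ran in:   " ++ compiledBy)
    putStrLn ("program runs as: " ++ self)
```

The message on stderr appears while the module is being built, not when the resulting program is executed, which is why merely compiling untrusted code that uses Template Haskell already means running it.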
