Liquid Haskell is not safe wrt Safe Haskell

[oquechy]

Safe Haskell transitively infers safety of Haskell modules. It checks for usages of dangerous functions like unsafePerformIO. The safety of a module and its exported functions can be overridden with pragmas such as {-# LANGUAGE Trustworthy #-} which tells to count the module as safe despite usages of unsafe code.

Modules from liquid-base have different safety properties than modules from base. This makes it harder to transition from base to liquid-base for projects that care about safety. For example, safe import Prelude in such projects doesn't work with liquid Prelude while it works with Prelude from base. Then, the modules that import liquid Prelude without safe import can't be annotated with {-# LANGUAGE Safe #-}.

For comparison:

• https://hackage.haskell.org/package/base-4.14.1.0/docs/Prelude.html - Prelude from base is Trustworthy
• https://hackage.haskell.org/package/liquid-base-4.14.1.0/docs/Prelude.html - Liquid Prelude is None

Possible fixes:

• Remove unsafe dependencies such as GHC.Exts from LH where possible
• Annotate liquid analogs of safe modules from base with {-# LANGUAGE Trustworthy #-}

[kosmikus]

After discussion, we currently think that we should be able to fix most of the problems by just marking Prelude from liquid-base as Trustworthy. This one is getting inferred as None because it imports GHC.Exts (but doesn't re-export anything from it). Because Prelude from liquid-base is then imported implicitly by nearly every other module, everything is None. But with Prelude being marked Trustworthy, safety inference should be doing the right thing for most modules in the liquid-* package ecosystem.