Add `-fplugin-trustworthy` to avoid marking modules as unsafe

By default, when a module is compiled with plugins, it will be marked as unsafe. With this flag passed, all plugins are treated as trustworthy and the safety inference will no longer be affected. This fixes Trac #16260.
author: Zejun Wu <watashi@fb.com> 2019-01-30 22:13:42 -0800
committer: Marge Bot <ben+marge-bot@smart-cactus.org> 2019-02-04 11:04:22 -0500
commit: 406e43af2f12756c80d583b86326f760f2f584cc (patch)
tree: c0cafcc79b93aa398287704dd1fd6780f6c6f5c1
parent: ef25b59a97f419a2ad6457f696e32aef9ffb3a0f (diff)
download: haskell-406e43af2f12756c80d583b86326f760f2f584cc.tar.gz
10 files changed, 54 insertions, 4 deletions
diff --git a/compiler/main/DynFlags.hs b/compiler/main/DynFlags.hs
index 28d8bf8eed..a9b4a03962 100644
--- a/compiler/main/DynFlags.hs
+++ b/compiler/main/DynFlags.hs
@@ -648,6 +648,7 @@ data GeneralFlag
    -- safe haskell flags
    | Opt_DistrustAllPackages
    | Opt_PackageTrust
+   | Opt_PluginTrustworthy
 
    | Opt_G_NoStateHack
    | Opt_G_NoOptCoercion
@@ -3512,6 +3513,8 @@ dynamic_flags_deps = [
 
         ------ Plugin flags ------------------------------------------------
   , make_ord_flag defGhcFlag "fplugin-opt" (hasArg addPluginModuleNameOption)
+  , make_ord_flag defGhcFlag "fplugin-trustworthy"
+      (NoArg (setGeneralFlag Opt_PluginTrustworthy))
   , make_ord_flag defGhcFlag "fplugin"     (hasArg addPluginModuleName)
   , make_ord_flag defGhcFlag "fclear-plugins" (noArg clearPluginModuleNames)
   , make_ord_flag defGhcFlag "ffrontend-opt" (hasArg addFrontendPluginOption)
diff --git a/compiler/main/Plugins.hs b/compiler/main/Plugins.hs
index de04415244..585eab1e45 100644
--- a/compiler/main/Plugins.hs
+++ b/compiler/main/Plugins.hs
@@ -91,7 +91,7 @@ data Plugin = Plugin {
     -- `HsGroup` has been renamed.
   , typeCheckResultAction :: [CommandLineOption] -> ModSummary -> TcGblEnv
                                -> TcM TcGblEnv
-    -- ^ Modify the module when it is type checked. This is called add the
+    -- ^ Modify the module when it is type checked. This is called at the
     -- very end of typechecking.
   , spliceRunAction :: [CommandLineOption] -> LHsExpr GhcTc
                          -> TcM (LHsExpr GhcTc)
@@ -178,8 +178,10 @@ impurePlugin _args = return ForceRecompile
 flagRecompile =
   return . MaybeRecompile . fingerprintFingerprints . map fingerprintString . sort
 
--- | Default plugin: does nothing at all! For compatibility reasons
--- you should base all your plugin definitions on this default value.
+-- | Default plugin: does nothing at all, except for marking that safe
+-- inference has failed unless @-fplugin-trustworthy@ is passed. For
+-- compatibility reaso you should base all your plugin definitions on this
+-- default value.
 defaultPlugin :: Plugin
 defaultPlugin = Plugin {
         installCoreToDos      = const return
diff --git a/compiler/typecheck/TcRnDriver.hs b/compiler/typecheck/TcRnDriver.hs
index 36ec8dcd2e..c76a48631b 100644
--- a/compiler/typecheck/TcRnDriver.hs
+++ b/compiler/typecheck/TcRnDriver.hs
@@ -2901,7 +2901,8 @@ runTypecheckerPlugin sum hsc_env gbl_env = do
       gbl_env
 
 mark_plugin_unsafe :: DynFlags -> TcM ()
-mark_plugin_unsafe dflags = recordUnsafeInfer pluginUnsafe
+mark_plugin_unsafe dflags = unless (gopt Opt_PluginTrustworthy dflags) $
+  recordUnsafeInfer pluginUnsafe
   where
     unsafeText = "Use of plugins makes the module unsafe"
     pluginUnsafe = unitBag ( mkPlainWarnMsg dflags noSrcSpan
diff --git a/docs/users_guide/extending_ghc.rst b/docs/users_guide/extending_ghc.rst
index 04bb2dfb1e..b1f7b6034c 100644
--- a/docs/users_guide/extending_ghc.rst
+++ b/docs/users_guide/extending_ghc.rst
@@ -216,6 +216,16 @@ be reset with the :ghc-flag:`-fclear-plugins` option.
     Give arguments to a plugin module; module must be specified with
     :ghc-flag:`-fplugin=⟨module⟩`.
 
+.. ghc-flag:: -fplugin-trustworthy
+    :shortdesc: Trust the used plugins and no longer mark the compiled module
+        as unsafe
+    :type: dynamic
+    :category: plugins
+
+    By default, when a module is compiled with plugins, it will be marked as
+    unsafe. With this flag passed, all plugins are treated as trustworthy
+    and the safety inference will no longer be affected.
+
 .. ghc-flag:: -fclear-plugins
     :shortdesc: Clear the list of active plugins
     :type: dynamic
diff --git a/testsuite/tests/plugins/Makefile b/testsuite/tests/plugins/Makefile
index d913ca5108..f58a771ef9 100644
--- a/testsuite/tests/plugins/Makefile
+++ b/testsuite/tests/plugins/Makefile
@@ -125,3 +125,8 @@ plugin-recomp-change-prof:
 .PHONY: T16104
 T16104:
 	"$(TEST_HC)" $(TEST_HC_OPTS) $(ghcPluginWayFlags) -v0 T16104.hs -package-db T16104-plugin/pkg.T16104-plugin/local.package.conf
+
+.PHONY: T16260
+T16260:
+	"$(TEST_HC)" $(TEST_HC_OPTS) $(ghcPluginWayFlags) -v0 T16260.hs -package-db simple-plugin/pkg.T16260/local.package.conf -fplugin Simple.TrustworthyPlugin
+	"$(TEST_HC)" $(TEST_HC_OPTS) $(ghcPluginWayFlags) -v0 T16260.hs -package-db simple-plugin/pkg.T16260/local.package.conf -fplugin Simple.TrustworthyPlugin -fplugin-trustworthy
diff --git a/testsuite/tests/plugins/T16260.hs b/testsuite/tests/plugins/T16260.hs
new file mode 100644
index 0000000000..9c1b9b3f93
--- /dev/null
+++ b/testsuite/tests/plugins/T16260.hs
@@ -0,0 +1 @@
+module T16260 where
diff --git a/testsuite/tests/plugins/T16260.stdout b/testsuite/tests/plugins/T16260.stdout
new file mode 100644
index 0000000000..ae9d3fb430
--- /dev/null
+++ b/testsuite/tests/plugins/T16260.stdout
@@ -0,0 +1,4 @@
+False
+None
+True
+Safe
diff --git a/testsuite/tests/plugins/all.T b/testsuite/tests/plugins/all.T
index 75709385ac..f53d9aa991 100644
--- a/testsuite/tests/plugins/all.T
+++ b/testsuite/tests/plugins/all.T
@@ -215,3 +215,9 @@ test('T16104',
       pre_cmd('$MAKE -s --no-print-directory -C T16104-plugin package.T16104-plugin TOP={top}')
      ],
      makefile_test, [])
+
+test('T16260',
+     [extra_files(['simple-plugin/']),
+      pre_cmd('$MAKE -s --no-print-directory -C simple-plugin package.T16260 TOP={top}')
+      ],
+     makefile_test, [])
diff --git a/testsuite/tests/plugins/simple-plugin/Simple/TrustworthyPlugin.hs b/testsuite/tests/plugins/simple-plugin/Simple/TrustworthyPlugin.hs
new file mode 100644
index 0000000000..c2b4568de3
--- /dev/null
+++ b/testsuite/tests/plugins/simple-plugin/Simple/TrustworthyPlugin.hs
@@ -0,0 +1,17 @@
+module Simple.TrustworthyPlugin (plugin) where
+
+import GhcPlugins
+import TcRnMonad
+
+plugin :: Plugin
+plugin = defaultPlugin
+  { renamedResultAction = keepRenamedSource
+  , typeCheckResultAction = printHaskellSafeMode
+  }
+  where
+    printHaskellSafeMode _ ms tcg = liftIO $ do
+      let dflags = ms_hspp_opts ms
+      safe <- finalSafeMode dflags tcg
+      print $ gopt Opt_PluginTrustworthy dflags
+      putStrLn $ showPpr dflags safe
+      return tcg
diff --git a/testsuite/tests/plugins/simple-plugin/simple-plugin.cabal b/testsuite/tests/plugins/simple-plugin/simple-plugin.cabal
index 0a3c49e988..e6f367100c 100644
--- a/testsuite/tests/plugins/simple-plugin/simple-plugin.cabal
+++ b/testsuite/tests/plugins/simple-plugin/simple-plugin.cabal
@@ -20,3 +20,4 @@ Library
         Simple.DataStructures
         Simple.SourcePlugin
         Simple.RemovePlugin
+        Simple.TrustworthyPlugin
author	Zejun Wu <watashi@fb.com>	2019-01-30 22:13:42 -0800
committer	Marge Bot <ben+marge-bot@smart-cactus.org>	2019-02-04 11:04:22 -0500
commit	406e43af2f12756c80d583b86326f760f2f584cc (patch)
tree	c0cafcc79b93aa398287704dd1fd6780f6c6f5c1
parent	ef25b59a97f419a2ad6457f696e32aef9ffb3a0f (diff)
download	haskell-406e43af2f12756c80d583b86326f760f2f584cc.tar.gz