Here is a recent example: Data.Array.Byte. The code was ported from Data.Primitive.ByteArray, so it should be as
Trustworthy as possible. I originally opposed to marking it as such, but was persuaded otherwise on the grounds that there is literally nothing unsafe you can do with the API provided, because, well, there is no API, right? And that’s how it got released.
stimes i arr
| itgr < 1 = emptyByteArray
| itgr <= (fromIntegral (maxBound :: Int)) = replicateByteArray (fromIntegral itgr) arr
| otherwise = error "Data.Array.Byte#stimes: cannot allocate the requested amount of memory"
where itgr = toInteger i :: Integer
The truth is that the code as written is gullible to integer overflow. Carefully chosen offsets allow any of your dependencies to modify memory of the main program, which defeats the very purpose of Safe Haskell.
Since that mishap I insist that code can be marked as
Trustworthy only if it was formally verified.