A TCB should be dozens of lines, not thousands. More code means more places for more bugs to hide.
My experience in Safe Haskell was that, if you have to ask each module individually whether it has a safety property, then you've already created too much work for yourself. Instead, require every module to structurally encode the desired invariant.
Or, in fewer words: If you want memory safety, don't have `unsafe` blocks.
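What "structurally encode the invariant" looks like for the memory-safety case in Rust, as an added example that is not from the comment above: one `forbid(unsafe_code)` attribute rejects every `unsafe` block below it at compile time, so no module has to be audited individually. The module name, function and sample bytes are assumptions for illustration.

```rust
// Added example. In a real crate this goes at the root of lib.rs as
// `#![forbid(unsafe_code)]`; it is attached to a module here so the
// snippet compiles stand-alone. Unlike `deny`, `forbid` cannot be
// overridden by an inner `#[allow(unsafe_code)]`, so one line covers
// every module under it and there is nothing to ask each module.
#[forbid(unsafe_code)]
mod parser {
    /// Read a little-endian u32 from `buf` at `offset`, bounds-checked.
    /// Returns `None` on a short buffer or an overflowing offset instead
    /// of reaching for `get_unchecked` / raw-pointer reads.
    pub fn read_u32_le(buf: &[u8], offset: usize) -> Option<u32> {
        let end = offset.checked_add(4)?;      // reject offset overflow
        let s = buf.get(offset..end)?;         // reject out-of-range slice
        Some(u32::from_le_bytes([s[0], s[1], s[2], s[3]]))
    }

    // Uncommenting this makes the whole crate fail to build:
    //   error: usage of an `unsafe` block
    //   note: `forbid(unsafe_code)` on by default
    // pub fn read_u32_unchecked(buf: &[u8], offset: usize) -> u32 {
    //     unsafe { *(buf.as_ptr().add(offset) as *const u32) }
    // }
}

fn main() {
    // Constructed sample input: four payload bytes plus one trailing byte.
    let packet = [0x78u8, 0x56, 0x34, 0x12, 0xff];
    println!("{:?}", parser::read_u32_le(&packet, 0)); // Some(305419896)
    println!("{:?}", parser::read_u32_le(&packet, 2)); // None
}
```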