Safe stencils aren't completely safe

[lehins]

It was brought to my attention on gitter that invalid stencils can cause reading memory out of bounds.

updateStencil :: Massiv.Stencil Ix2 Position Position
updateStencil =
  Massiv.makeStencilDef Floor (Sz (3 :. 3)) (0 :. 0) $ \ get ->
    let
      chair = get (0 :. 0)
      isOcc c = fromEnum . (== Occupied) <$> (get c)
      occ :: Massiv.Value Int
      occ =
        (  isOcc (-1 :. -1) + isOcc (-1 :. 0) + isOcc (-1 :. 1) +
           isOcc ( 0 :. -1)                   + isOcc ( 0 :. 1) +
           isOcc ( 1 :. -1) + isOcc ( 1 :. 0) + isOcc ( 1 :. 1)
        )
    in
      liftA2 threshold chair occ
{-# inline updateStencil #-}


threshold :: Position -> Int -> Position
threshold p n | p == Floor = p
              | n == 0     = Occupied
              | n >= 4     = Empty
              | otherwise  = p

The important part for validation is that indexing with stencil does not depend on values contained in the array stencil being applied to, which is the whole reason for existence of Value type in the first place. But the threshold function does just that: when chair == Floor then occ does not get evaluated during validation and invalid index that goes outside the stencil window is not used, thus bypassing validation. I long suspected it, but this example really proved to me that this problem is undecidable.

The only sensible solution I see is making:

1. applyStencil is replaced with partial function applyStencil' that does no unsafe indexing, thus is slow, but safe
2. Add unsafeApplyStencil
3. remove validation completely and thus Value newtype

[lehins]

This is now fixed in massiv-0.6.0.0