[GHC] #8827: Inferring Safe mode with GeneralizedNewtypeDeriving is wrong

GHC ghc-devs at haskell.org
Wed Mar 19 00:52:07 UTC 2014 

#8827: Inferring Safe mode with GeneralizedNewtypeDeriving is wrong
-------------------------------------+------------------------------------
        Reporter:  goldfire          |            Owner:
            Type:  bug               |           Status:  new
        Priority:  normal            |        Milestone:  7.8.1
       Component:  Compiler          |          Version:  7.8.1-rc2
      Resolution:                    |         Keywords:
Operating System:  Unknown/Multiple  |     Architecture:  Unknown/Multiple
 Type of failure:  None/Unknown      |       Difficulty:  Unknown
       Test Case:                    |       Blocked By:
        Blocking:                    |  Related Tickets:  8226, 8745
-------------------------------------+------------------------------------
Changes (by dterei):

 * cc: mazieres-i58umkudjfnfpfdx6jbbn3ymzi@… (added)
 * status:  closed => new
 * resolution:  fixed =>
 * related:   => 8226, 8745


Comment:

 Reopening ticket for now. David Mazieres and I don't think that this is
 the right solution. It means that a developer now needs to understand
 beyond Haskell2010 and some subtle details just to get correctly working
 module export control.

 Including email DM sent describing our position:
 {{{
 At any rate, David and I just discussed the new Coerce typeclass.
 Based on David's understanding of its behavior, it sounds pretty
 dangerous for Safe Haskell.  At a minimum, the programmer is going to
 need to understand a lot more than Haskell 2010 to write secure code.

 Based on my possibly limited understanding of the new
 feature--automatically generating instances of the Coerce type seems
 very un-Haskell-like.  By analogy, we could automatically generate
 instance of Read and Show (or add equivalent DebugRead/DebugShow
 classes) wherever possible, but this would similarly break abstraction
 by providing effective access to non-exported constructors.

 I understand why there is a need for something better than
 GeneralizedNewtypeDeriving.  However, implementing Coerce as a
 typeclass has the very serious disadvantage that there is no Haskell
 mechanism for controlling instance exports.  And if we are going to
 add a new mechanism (roles) to control such exports, exporting an
 instance that is never requested and that undermines modularity and
 abstraction is an unfortunate default.

 It may be too late for this, but a cleaner solution more in keeping
 with other extensions would be to have a -XDeriveCoerce extension that
 allows Coerce to be explicitly derived when safe.  This could be
 combined with leaving the previous behavior of
 GeneralizedNewtypeDeriving and just deprecating the language feature.

 Though controlling instance exports does not have a precedent, another
 option might be to special-case the Coerce class and only export
 instances of Coerce when all constructors of a type are also exported.
 This would prevent anyone from using Coerce to do things they couldn't
 already do manually.
 }}}

--
Ticket URL: <http://ghc.haskell.org/trac/ghc/ticket/8827#comment:13>
GHC <http://www.haskell.org/ghc/>
The Glasgow Haskell Compiler

More information about the ghc-tickets mailing list