[GHC] #8827: Inferring Safe mode with GeneralizedNewtypeDeriving is wrong

GHC ghc-devs at haskell.org
Thu Aug 13 23:15:05 UTC 2015


#8827: Inferring Safe mode with GeneralizedNewtypeDeriving is wrong
-------------------------------------+-------------------------------------
        Reporter:  goldfire          |                   Owner:
            Type:  bug               |                  Status:  new
        Priority:  normal            |               Milestone:  7.12.1
       Component:  Compiler          |                 Version:  7.9
      Resolution:                    |                Keywords:
Operating System:  Unknown/Multiple  |            Architecture:  Unknown/Multiple
 Type of failure:  None/Unknown      |               Test Case:
      Blocked By:                    |                Blocking:
 Related Tickets:  #8226, #8745      |  Differential Revisions:
-------------------------------------+-------------------------------------
Changes (by oerjan):

 * cc: oerjan (added)
 * related:  8226, 8745 => #8226, #8745


Comment:

 It seems to me that there have been several competing goals mentioned
 here.  However, I do not think they are impossible to mostly satisfy
 simultaneously, except perhaps for simplicity of the design. (In
 particular, I think it requires reinstating the constructor check.)

 1. Code that is ''not'' annotated with roles should still largely enjoy
 the same module encapsulation as in H2010, so that module writers do not
 need to consider the implications of `coerce` or GND if they are not
 actually using them.  With Safe Haskell, `coerce` and GND should not be
 able to create code based on such a module that couldn't be written "by
 hand".
 2. Even without role annotations, `coerce` and GND should still be
 possible to use in Safe Haskell for most code that ''can'' be written by
 hand. (Preferably as much as today without Safe Haskell enabled).
 3. Safe Haskell should be inferrable without changing the semantics of a
 module.
 4. Exporting all the constructors of a type from an `Unsafe` "`Internal`"
 module should not prevent data encapsulation by not reexporting them from
 a `Trustworthy` one.
 5. Explicit role annotations, when used, should overrule all automatic
 restrictions on `Safe` mode, since that means the author has explicitly
 stated their intent.

 Point 1 means that it is not ideal to make roles default to
 `representational` with no further checks.  Point 2 means, similarly, that
 it is not ideal to make `nominal` the default.  Point 4 means that any
 constructor export check cannot just be done by looking at the module
 defining the type.

 Given this, I ''hope'' the following is compatible with all the goals
 above:

 * Default inferred role remains `representational`.
 * Any use of `coerce` (including via GND) must respect roles etc. as
 currently without Safe Haskell.
 * If allowed in general, a "lifting" use of `coerce` is compatible with
 `Safe` if ''either'':
   * The type has an explicit role annotation, ''or''
   * All of the type's data constructors are in scope.

--
Ticket URL: <http://ghc.haskell.org/trac/ghc/ticket/8827#comment:39>
GHC <http://www.haskell.org/ghc/>
The Glasgow Haskell Compiler
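The situation behind point 1 and the proposed constructor check, as an added example that is not part of the ticket or of GHC's own code. `Sorted`, `fromList`, `Down` and `broken` are constructed names; the Client module carries no `Safe` pragma because whether this coerce should be accepted in Safe mode is exactly what the comment is deciding.

```haskell
-- File: Sorted.hs (constructed example). The constructor is hidden, so by
-- hand a client can only build a Sorted through fromList.
module Sorted (Sorted, fromList, toList) where

import Data.List (sort)

-- Invariant: the list is ascending under the Ord instance of a.
-- No role annotation is given, so GHC infers the parameter a as
-- representational. Adding 'type role Sorted nominal' would be the
-- explicit annotation of point 5 and would reject the coerce below
-- everywhere, Safe Haskell or not.
newtype Sorted a = Sorted [a]

fromList :: Ord a => [a] -> Sorted a
fromList = Sorted . sort

toList :: Sorted a -> [a]
toList (Sorted xs) = xs

-- File: Client.hs (constructed example).
module Client where

import Data.Coerce (coerce)
import Sorted

-- A newtype whose Ord is the reverse of Int's. Its constructor is in scope
-- here, so unwrapping Int <-> Down via Coercible is allowed.
newtype Down = Down Int deriving (Eq, Show)

instance Ord Down where
  compare (Down x) (Down y) = compare y x

-- A "lifting" use of coerce: Sorted Int -> Sorted Down goes through the
-- parameter of Sorted. Today it type checks because the inferred role is
-- representational, but the result is a value that no hand-written client
-- could construct, since the Sorted constructor is not exported.
broken :: Sorted Down
broken = coerce (fromList [1, 2, 3 :: Int])

-- toList broken is [Down 1, Down 2, Down 3], which is descending under
-- Down's Ord: the Sorted invariant is violated without touching Sorted.hs.
brokenIsUnsorted :: Bool
brokenIsUnsorted = toList broken /= toList (fromList (toList broken))
```

Under the rule proposed in the comment, `broken` would be rejected in `Safe` mode: `Sorted` has no role annotation and its data constructor is not in scope in Client, so neither branch of the "either" applies.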

