<div dir="ltr">I don't think that 2+3 is equivalent to 2', because an explicit import list or hiding list could've brought only some of the datatype's constructors into visibility.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Apr 10, 2015 at 8:07 AM, Richard Eisenberg <span dir="ltr"><<a href="mailto:eir@cis.upenn.edu" target="_blank">eir@cis.upenn.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Here's an idea: For a module to be Safe, then for each exported datatype, one of the following must hold:<br>
1) The datatype comes with a role annotation.<br>
2) The module exports all of the datatype's constructors.<br>
3) If the datatype is defined in a place other than the current module, the current module exports no fewer data constructors than are exported in the datatype's defining module.<br>
<br>
Why?<br>
1) The role annotation, even if it has no effect, shows that the programmer has considered roles. Any mistake here is clearly the programmer's fault.<br>
2) This datatype is clearly meant not to be abstract. `Coercible` then gives clients no more power than they already have.<br>
3) This is subtler. It is a common idiom to export a datatype's constructors from a package-internal module, but then never to export the constructors beyond the package. If such a datatype has a role annotation (in its defining module, of course), then we're fine, even if it is exported abstractly later. However, suppose we are abstractly re-exporting a datatype that exports its constructors from its defining module. If there is no role annotation on the datatype, we're in trouble and should fail. BUT, if the datatype were exported abstractly in its defining module, then we don't need to fail on re-export, because nothing has changed.<br>
<br>
<br>
Actually, we could simplify the conditions. Change (2) to:<br>
<br>
2') The module exports all of the datatype's visible constructors.<br>
<br>
I think explaining in terms of separate rules (2) and (3) is a little clearer, because the re-export case is slightly subtle, and this subtlety can be lost in (2').<br>
<br>
This proposal would require tracking (in interface files, too) whether or not a datatype comes with a role annotation. This isn't hard, though. It might even help in pretty-printing.<br>
<br>
<br>
An alternative would be to have a way of setting roles differently on export than internally. I don't think this breaks the type system, but it's yet another thing to specify and support. And we'd have to consider the possibility that some module will import a datatype from multiple re-exporting modules, each with different ascribed role annotations. Is this an error? Does GHC take some sort of least upper bound? I prefer not to go here, but there's nothing terribly wrong with this approach.<br>
<span class="HOEnZb"><font color="#888888"><br>
Richard<br>
</font></span><span class="im HOEnZb"><br>
On Apr 10, 2015, at 9:37 AM, David Terei <<a href="mailto:dave.terei@gmail.com">dave.terei@gmail.com</a>> wrote:<br>
<br>
> I'll prepare a patch for the userguide soon.<br>
><br>
> As for something better, yes I think we can and should. It's on my<br>
> todo list :) Basically, the new-GND design has all the mechanisms to<br>
> be safe, but sadly the defaults are rather worrying. Without explicit<br>
> annotations from the user, module abstractions are broken. This is why<br>
> we left GND out of Safe Haskell for the moment as it is a subtle and<br>
> easy mistake to make.<br>
><br>
> If the module contained explicit role annotations then it could be<br>
> allowed. The discussion in<br>
> <a href="https://ghc.haskell.org/trac/ghc/ticket/8827" target="_blank">https://ghc.haskell.org/trac/ghc/ticket/8827</a> has other solutions that<br>
> I prefer, such as only exporting the Coerce instance if all the<br>
> constructors are exported, it seems that the ship sailed on these<br>
> bigger changes sadly.<br>
><br>
> Cheers,<br>
> David<br>
><br>
> On 9 April 2015 at 00:56, Simon Peyton Jones <<a href="mailto:simonpj@microsoft.com">simonpj@microsoft.com</a>> wrote:<br>
</span><div class="HOEnZb"><div class="h5">>> There is a long discussion on <a href="https://ghc.haskell.org/trac/ghc/ticket/8827" target="_blank">https://ghc.haskell.org/trac/ghc/ticket/8827</a><br>
>> about whether the new Coercible story makes GND ok for Safe Haskell. At a<br>
>> type-soundness level, definitely yes. But there are other less-clear-cut<br>
>> issues like “breaking abstractions” to consider. The decision on the ticket<br>
>> (comment:36) seems to be: GND stays out of Safe Haskell for now, but there<br>
>> is room for a better proposal.<br>
>><br>
>><br>
>><br>
>> I don’t have an opinion myself. David Terei and David Mazieres are in the<br>
>> driving seat, but I’m sure they’ll be responsive to user input.<br>
>><br>
>><br>
>><br>
>> However, I think the user manual may not have kept up with #8827. The<br>
>> sentence “GeneralizedNewtypeDeriving — It can be used to violate constructor<br>
>> access control, by allowing untrusted code to manipulate protected data<br>
>> types in ways the data type author did not intend, breaking invariants they<br>
>> have established.” vanished from the 7.8 user manual (links below). Maybe<br>
>> it should be restored.<br>
>><br>
>><br>
>><br>
>> Safe Haskell aficionados, would you like to offer a patch for the manual?<br>
>> And maybe also a less drastic remedy than omitting GND altogether?<br>
>><br>
>><br>
>><br>
>> Simon<br>
>><br>
>><br>
>><br>
>> From: Omari Norman [mailto:<a href="mailto:omari@smileystation.com">omari@smileystation.com</a>]<br>
>> Sent: 09 April 2015 02:44<br>
>> To: haskell Cafe<br>
>> Subject: Generalized Newtype Deriving not allowed in Safe Haskell<br>
>><br>
>><br>
>><br>
>> When compiling code with Generalized Newtype Deriving and the -fwarn-unsafe<br>
>> flag, I get<br>
>><br>
>><br>
>><br>
>> -XGeneralizedNewtypeDeriving is not allowed in Safe Haskell<br>
>><br>
>><br>
>><br>
>> This happens both in GHC 7.8 and GHC 7.10.<br>
>><br>
>><br>
>><br>
>> I thought I remembered reading somewhere that GNTD is now part of the safe<br>
>> language? The GHC manual used to state that GNTD is not allowed in Safe<br>
>> Haskell:<br>
>><br>
>><br>
>><br>
>> <a href="https://downloads.haskell.org/~ghc/7.6.3/docs/html/users_guide/safe-haskell.html#safe-language" target="_blank">https://downloads.haskell.org/~ghc/7.6.3/docs/html/users_guide/safe-haskell.html#safe-language</a><br>
>><br>
>><br>
>><br>
>> But this language on GNTD not being part of the safe language was removed in<br>
>> the 7.8 manual:<br>
>><br>
>><br>
>><br>
>> <a href="https://downloads.haskell.org/~ghc/7.8.2/docs/html/users_guide/safe-haskell.html#safe-language" target="_blank">https://downloads.haskell.org/~ghc/7.8.2/docs/html/users_guide/safe-haskell.html#safe-language</a><br>
>><br>
>><br>
>><br>
>> The GHC release notes don't say anything about this one way or the other.<br>
>> Thoughts?<br>
>><br>
>><br>
</div></div><div class="HOEnZb"><div class="h5">>> _______________________________________________<br>
>> ghc-devs mailing list<br>
>> <a href="mailto:ghc-devs@haskell.org">ghc-devs@haskell.org</a><br>
>> <a href="http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-devs" target="_blank">http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-devs</a><br>
>><br>
> _______________________________________________<br>
> ghc-devs mailing list<br>
> <a href="mailto:ghc-devs@haskell.org">ghc-devs@haskell.org</a><br>
> <a href="http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-devs" target="_blank">http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-devs</a><br>
><br>
<br>
_______________________________________________<br>
Haskell-Cafe mailing list<br>
<a href="mailto:Haskell-Cafe@haskell.org">Haskell-Cafe@haskell.org</a><br>
<a href="http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell-cafe" target="_blank">http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell-cafe</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature">J. Douglas McClean<br><br>(781) 561-5540 (cell)</div>
</div>