Generalized Newtype Deriving not allowed in Safe Haskell

Simon Peyton Jones simonpj at microsoft.com
Mon Apr 13 07:10:59 UTC 2015 

David

If you would like to lead a debate, and drive it to a conclusion, that would be most helpful.  

Usually it's constructive to write a wiki page that sets out the design choices, with examples to illustrate their consequences, to set the terms of the debate.  Otherwise you risk misunderstandings, with red herrings being discussed repeatedly.

Thanks

Simon

|  -----Original Message-----
|  From: davidterei at gmail.com [mailto:davidterei at gmail.com] On Behalf Of
|  David Terei
|  Sent: 12 April 2015 09:52
|  To: Simon Peyton Jones
|  Cc: Omari Norman; ghc-devs at haskell.org; haskell Cafe
|  Subject: Re: Generalized Newtype Deriving not allowed in Safe Haskell
|  
|  On 10 April 2015 at 01:48, Simon Peyton Jones <simonpj at microsoft.com>
|  wrote:
|  > |  prefer, such as only exporting the Coerce instance if all the
|  > | constructors are exported, it seems that the ship sailed on these
|  >
|  > Coercible is relatively recent; I don't think we should regard it as
|  cast in stone.
|  >
|  > But yes, the Coerbible instance of a newtype is only available when
|  the data constructor for the newtype is lexically in scope.
|  
|  Yes, so as you point out in the paper, this is done to preserve
|  abstractions, but the same rule isn't applied to data types since some
|  types like IORef don't even have constructors that can be in scope.
|  
|  Ideally I'd like to find a way forward that works for everyone and
|  isn't just a Safe Haskell mode setting.
|  
|  I think the first question is, are there situations where you'd want to
|  use `coerce` internally to a module but disallow it externally? The
|  role mechanism is a little awkward as it doesn't allow this (although
|  it does for newtype's). If yes, then I think we should start there.
|  
|  If it seems we don't need external vs internal control, then we could
|  simply change the default to be that GHC sets referential type
|  parameters to nominal and allows them to be weakened to referential
|  through role annotations. We could use hackage to test how much
|  breakage this would cause.
|  
|  The third option is something Safe Haskell specific, so probably
|  applying the newtype constructor rule to data types.
|  
|  >
|  > Simon
|  >
|  > |  -----Original Message-----
|  > |  From: davidterei at gmail.com [mailto:davidterei at gmail.com] On Behalf
|  > | Of  David Terei
|  > |  Sent: 10 April 2015 09:38
|  > |  To: Simon Peyton Jones
|  > |  Cc: Omari Norman; haskell Cafe; ghc-devs at haskell.org
|  > |  Subject: Re: Generalized Newtype Deriving not allowed in Safe
|  > | Haskell
|  > |
|  > |  I'll prepare a patch for the userguide soon.
|  > |
|  > |  As for something better, yes I think we can and should. It's on my
|  > | todo  list :) Basically, the new-GND design has all the mechanisms
|  > | to be  safe, but sadly the defaults are rather worrying. Without
|  > | explicit  annotations from the user, module abstractions are
|  broken.
|  > | This is why  we left GND out of Safe Haskell for the moment as it
|  is
|  > | a subtle and  easy mistake to make.
|  > |
|  > |  If the module contained explicit role annotations then it could be
|  > | allowed. The discussion in
|  > |  https://ghc.haskell.org/trac/ghc/ticket/8827 has other solutions
|  > | that I  prefer, such as only exporting the Coerce instance if all
|  > | the  constructors are exported, it seems that the ship sailed on
|  > | these  bigger changes sadly.
|  > |
|  > |  Cheers,
|  > |  David
|  > |
|  > |  On 9 April 2015 at 00:56, Simon Peyton Jones
|  > | <simonpj at microsoft.com>
|  > |  wrote:
|  > |  > There is a long discussion on
|  > |  > https://ghc.haskell.org/trac/ghc/ticket/8827
|  > |  > about whether the new Coercible story makes GND ok for Safe
|  Haskell.
|  > |  > At a type-soundness level, definitely yes.  But there are other
|  > | > less-clear-cut issues like “breaking abstractions” to consider.
|  > | The  > decision on the ticket  > (comment:36) seems to be: GND
|  stays
|  > | out of Safe Haskell for now, but  > there is room for a better
|  > | proposal.
|  > |  >
|  > |  >
|  > |  >
|  > |  > I don’t have an opinion myself. David Terei and David Mazieres
|  > | are in  > the driving seat, but I’m sure they’ll be responsive to
|  user input.
|  > |  >
|  > |  >
|  > |  >
|  > |  > However, I think the user manual may not have kept up with
|  #8827.
|  > |  The
|  > |  > sentence “GeneralizedNewtypeDeriving — It can be used to violate
|  > | > constructor access control, by allowing untrusted code to
|  > | manipulate  > protected data types in ways the data type author did
|  > | not intend,  > breaking invariants they have established.”
|  vanished
|  > | from the 7.8  > user manual (links below).  Maybe it should be
|  restored.
|  > |  >
|  > |  >
|  > |  >
|  > |  > Safe Haskell aficionados, would you like to offer a patch for
|  the
|  > | manual?
|  > |  > And maybe also a less drastic remedy than omitting GND
|  altogether?
|  > |  >
|  > |  >
|  > |  >
|  > |  > Simon
|  > |  >
|  > |  >
|  > |  >
|  > |  > From: Omari Norman [mailto:omari at smileystation.com]  > Sent: 09
|  > | April 2015 02:44  > To: haskell Cafe  > Subject: Generalized
|  Newtype
|  > | Deriving not allowed in Safe Haskell  >  >  >  > When compiling
|  code
|  > | with Generalized Newtype Deriving and the  > -fwarn-unsafe flag, I
|  > | get  >  >  >  > -XGeneralizedNewtypeDeriving is not allowed in Safe
|  > | Haskell  >  >  >  > This happens both in GHC 7.8 and GHC 7.10.
|  > |  >
|  > |  >
|  > |  >
|  > |  > I thought I remembered reading somewhere that GNTD is now part
|  of
|  > | the  > safe language?  The GHC manual used to state that GNTD is
|  not
|  > | allowed  > in Safe  > Haskell:
|  > |  >
|  > |  >
|  > |  >
|  > |  >
|  > |
|  https://downloads.haskell.org/~ghc/7.6.3/docs/html/users_guide/safe-
|  > |  ha
|  > |  > skell.html#safe-language
|  > |  >
|  > |  >
|  > |  >
|  > |  > But this language on GNTD not being part of the safe language
|  was
|  > | > removed in the 7.8 manual:
|  > |  >
|  > |  >
|  > |  >
|  > |  >
|  > |
|  https://downloads.haskell.org/~ghc/7.8.2/docs/html/users_guide/safe-
|  > |  ha
|  > |  > skell.html#safe-language
|  > |  >
|  > |  >
|  > |  >
|  > |  > The GHC release notes don't say anything about this one way or
|  > | the  other.
|  > |  > Thoughts?
|  > |  >
|  > |  >
|  > |  > _______________________________________________
|  > |  > ghc-devs mailing list
|  > |  > ghc-devs at haskell.org
|  > |  > http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-devs
|  > |  >
|  > _______________________________________________
|  > ghc-devs mailing list
|  > ghc-devs at haskell.org
|  > http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-devs

More information about the ghc-devs mailing list