
#8827: Inferring Safe mode with GeneralizedNewtypeDeriving is wrong
-------------------------------------+-------------------------------------
        Reporter:  goldfire          |            Owner:
            Type:  bug               |           Status:  new
        Priority:  normal            |        Milestone:  7.12.1
       Component:  Compiler          |          Version:  7.9
      Resolution:                    |         Keywords:
Operating System:  Unknown/Multiple  |     Architecture:  Unknown/Multiple
 Type of failure:  None/Unknown      |        Test Case:
      Blocked By:                    |         Blocking:
 Related Tickets:  #8226, #8745      |  Differential Revisions:
-------------------------------------+-------------------------------------
Changes (by oerjan):

 * cc: oerjan (added)
 * related:  8226, 8745 => #8226, #8745

Comment:

 It seems to me that there have been several competing goals mentioned
 here. However, I do not think they are impossible to mostly satisfy
 simultaneously, except perhaps for simplicity of the design. (In
 particular, I think it requires reinstating the constructor check.)

 1. Code that is ''not'' annotated with roles should still largely enjoy
    the same module encapsulation as in H2010, so that module writers do
    not need to consider the implications of `coerce` or GND if they are
    not actually using them. With Safe Haskell, `coerce` and GND should not
    be able to create code based on such a module that couldn't be written
    "by hand".
 2. Even without role annotations, `coerce` and GND should still be
    possible to use in Safe Haskell for most code that ''can'' be written
    by hand. (Preferably as much as today without Safe Haskell enabled).
 3. Safe Haskell should be inferrable without changing the semantics of a
    module.
 4. Exporting all the constructors of a type from an `Unsafe` "`Internal`"
    module should not prevent data encapsulation by not reexporting them
    from a `Trustworthy` one.
 5. Explicit role annotations, when used, should overrule all automatic
    restrictions on `Safe` mode, since that means the author has explicitly
    stated their intent.

 Point 1 means that it is not ideal to make roles default to
 `representational` with no further checks. Point 2 means, similarly, that
 it is not ideal to make `nominal` the default. Point 4 means that any
 constructor export check cannot just be done by looking at the module
 defining the type.

 Given this, I ''hope'' the following is compatible with all the goals
 above:

 * Default inferred role remains `representational`.
 * Any use of `coerce` (including via GND) must respect roles etc. as
   currently without Safe Haskell.
 * If allowed in general, a "lifting" use of `coerce` is compatible with
   `Safe` if ''either'':
   * The type has an explicit role annotation, ''or''
   * All of the type's data constructors are in scope.

--
Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/8827#comment:39
GHC http://www.haskell.org/ghc/
The Glasgow Haskell Compiler
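
An added illustration, not part of the ticket comment or of GHC's sources, of the encapsulation concern behind goal 1 and of the "lifting" use of `coerce` that the last bullet refers to. The names `Sorted`, `fromList`, `member` and `flipOrder` are hypothetical, and one file stands in for what would be a library module and a client module.

```haskell
module Main where

import Data.Coerce (coerce)
import Data.List (sort)
import Data.Ord (Down (..))

-- Library side (assumed to be its own module exporting Sorted abstractly,
-- i.e. without its constructor). There is no role annotation, so the
-- parameter's role is inferred as representational.
data Sorted a = Sorted [a]

-- The only way a client is meant to build a Sorted value.
fromList :: Ord a => [a] -> Sorted a
fromList = Sorted . sort

-- Relies on the invariant: gives up at the first element larger than x.
member :: Ord a => a -> Sorted a -> Bool
member x (Sorted ys) = go ys
  where
    go [] = False
    go (y : rest) = case compare x y of
      LT -> False
      EQ -> True
      GT -> go rest

-- Client side: a lifting coerce. It never names the Sorted constructor;
-- it only needs Coercible Int (Down Int) and the representational role.
-- The list stays in ascending Int order, but the Ord (Down Int) instance
-- that member now uses expects descending order.
flipOrder :: Sorted Int -> Sorted (Down Int)
flipOrder = coerce

main :: IO ()
main = do
  let s = fromList [1, 2, 3 :: Int]
  print (member 3 s)
  -- Same elements, read under the reversed ordering.
  print (member (Down 3) (flipOrder s))

-- Under the rule proposed in the comment, flipOrder would be compatible
-- with Safe only if the client had the Sorted constructor in scope or the
-- library had written an explicit role annotation. With
-- {-# LANGUAGE RoleAnnotations #-} and `type role Sorted nominal` in the
-- library, flipOrder is rejected regardless of Safe mode.
```

The second lookup reports the element as absent even though it is in the list, which no client could arrange "by hand" through `fromList` and `member` alone.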