
#8827: Inferring Safe mode with GeneralizedNewtypeDeriving is wrong
-------------------------------------+------------------------------------
        Reporter:  goldfire          |            Owner:
            Type:  bug               |           Status:  new
        Priority:  normal            |        Milestone:  7.8.1
       Component:  Compiler          |          Version:  7.8.1-rc2
      Resolution:                    |         Keywords:
Operating System:  Unknown/Multiple  |     Architecture:  Unknown/Multiple
 Type of failure:  None/Unknown      |       Difficulty:  Unknown
       Test Case:                    |       Blocked By:
        Blocking:                    |  Related Tickets:  8226, 8745
-------------------------------------+------------------------------------
Changes (by dterei):

 * cc: mazieres-i58umkudjfnfpfdx6jbbn3ymzi@… (added)
 * status:  closed => new
 * resolution:  fixed =>
 * related:  => 8226, 8745


Comment:

 Reopening ticket for now. David Mazieres and I don't think that this is the
 right solution. It means that a developer now needs to understand beyond
 Haskell2010 and some subtle details just to get correctly working module
 export control.

 Including the email DM sent describing our position:

 {{{
 At any rate, David and I just discussed the new Coerce typeclass. Based on
 David's understanding of its behavior, it sounds pretty dangerous for Safe
 Haskell. At a minimum, the programmer is going to need to understand a lot
 more than Haskell 2010 to write secure code.

 Based on my possibly limited understanding of the new feature,
 automatically generating instances of the Coerce type seems very
 un-Haskell-like. By analogy, we could automatically generate instances of
 Read and Show (or add equivalent DebugRead/DebugShow classes) wherever
 possible, but this would similarly break abstraction by providing effective
 access to non-exported constructors.

 I understand why there is a need for something better than
 GeneralizedNewtypeDeriving. However, implementing Coerce as a typeclass has
 the very serious disadvantage that there is no Haskell mechanism for
 controlling instance exports. And if we are going to add a new mechanism
 (roles) to control such exports, exporting an instance that is never
 requested and that undermines modularity and abstraction is an unfortunate
 default.

 It may be too late for this, but a cleaner solution more in keeping with
 other extensions would be to have a -XDeriveCoerce extension that allows
 Coerce to be explicitly derived when safe. This could be combined with
 leaving the previous behavior of GeneralizedNewtypeDeriving and just
 deprecating the language feature.

 Though controlling instance exports does not have a precedent, another
 option might be to special-case the Coerce class and only export instances
 of Coerce when all constructors of a type are also exported. This would
 prevent anyone from using Coerce to do things they couldn't already do
 manually.
 }}}

--
Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/8827#comment:13
GHC http://www.haskell.org/ghc/
The Glasgow Haskell Compiler
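The abstraction break the comment above describes, shown as an added example that is not part of the ticket or of GHC's own code. The `Sorted` type, its smart constructor `mkSorted`, the early-exit `member` function and the reversed-ordering `Rev` newtype are all constructed here for illustration. In a single module the constructor is necessarily in scope, so `coerce` (the `Coercible`-based mechanism that replaced the old GeneralizedNewtypeDeriving behaviour) can both unwrap the newtype without `Sorted` and coerce through its type parameter; both routes produce values that violate the invariant `mkSorted` was supposed to guarantee, and `member` then returns wrong answers.

```haskell
-- Added example (not from the ticket): how an automatically available
-- Coercible instance lets a client bypass a smart constructor.
module Main (main) where

import Data.Coerce (coerce)
import Data.List (sort)

-- Invariant: the wrapped list is sorted ascending under the Ord instance
-- of a. In a real library only mkSorted, toList and member would be
-- exported, not the Sorted constructor. (Hypothetical type.)
newtype Sorted a = Sorted [a] deriving Show

mkSorted :: Ord a => [a] -> Sorted a
mkSorted = Sorted . sort

toList :: Sorted a -> [a]
toList (Sorted xs) = xs

-- Early-exit membership test that is only correct when the invariant holds.
member :: Ord a => a -> Sorted a -> Bool
member x (Sorted xs) = go xs
  where
    go []     = False
    go (y:ys) = case compare x y of
      EQ -> True
      LT -> False      -- everything after y is larger, so stop early
      GT -> go ys

-- A newtype over Int whose Ord instance is reversed (constructed for the
-- example).
newtype Rev = Rev Int deriving (Eq, Show)

instance Ord Rev where
  compare (Rev a) (Rev b) = compare b a

-- Attack 1: rewrap a raw list without ever naming the Sorted constructor.
-- This type-checks whenever GHC treats Sorted Int and [Int] as
-- representationally equal.
forged :: Sorted Int
forged = coerce [3 :: Int, 1, 2]

-- Attack 2: coerce through the type parameter. Sorted Rev is sorted for
-- Rev's reversed Ord, so the result is not sorted for Int.
fromRev :: Sorted Int
fromRev = coerce (mkSorted [Rev 1, Rev 2, Rev 3])

main :: IO ()
main = do
  print (toList forged)      -- [3,1,2]: invariant broken
  print (member 2 forged)    -- False, although 2 is in the list
  print (toList fromRev)     -- [3,2,1]: invariant broken
  print (member 1 fromRev)   -- False, although 1 is in the list
  -- Adding   type role Sorted nominal   (with -XRoleAnnotations) turns
  -- fromRev into a compile-time error, but forged still compiles: a role
  -- annotation constrains coercions under the type constructor, not the
  -- newtype unwrapping itself. Stopping attack 1 requires that the
  -- constructor not be usable by the client, which is exactly the
  -- instance-export control the email argues for.
```

Run with `runghc Main.hs` on GHC 7.8 or later (the example only depends on `base`). The point for Safe Haskell reviewers is that neither attack mentions `Sorted` in the source, so an export list or grep for the constructor will not catch it; only a role annotation (for the parameter) or a rule tying `Coercible` to constructor visibility (for the unwrapping) closes the gap.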