[darcs-devel] [patch1768] make it clear that coercing Repository is "unsafe"
Ben Franksen
bugs at darcs.net
Tue Dec 4 10:51:49 UTC 2018
Ben Franksen <ben.franksen at online.de> added the comment:
Well, the obvious disadvantage is that unsafeCoerce is unsafe while coerce is
safe.
With every use of unsafeCoerce comes a proof obligation that the types you
cast between have the same run-time representation, otherwise you risk memory
corruption. Using coerce you can rely on GHC to check that for you. I feel
much more comfortable using coerce.
You want to disallow coerce to cast witnesses because it doesn't have
"unsafe" in its name. Indeed, casting Repository witnesses is not "safe" in
the sense that it allows one to apply patches in the wrong context. However, this
is unsafety at a whole other level than what can happen if you make a mistake
using unsafeCoerce. This is why I think it is better to avoid unsafeCoerce
where possible and instead rely on convention and common sense when it comes
to casting Repository witnesses, i.e. use only the coercion functions exported
by D.R.InternalTypes, just as we do not use unsafeCoerce when casting
witnesses for patches but only use the restricted versions exported from
D.P.Witnesses.Unsafe.
__________________________________
Darcs bug tracker <bugs at darcs.net>
<http://bugs.darcs.net/patch1768>
__________________________________
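The distinction drawn in the comment above, as an added illustration that is not darcs code and not part of the original message: a stand-in `Repository` type whose witness parameters are phantom, a restricted witness-casting function in the spirit of the ones exported from D.R.InternalTypes (the name `unsafeCoerceR` and the shape of the type are assumptions), and the representation check that `coerce` performs but `unsafeCoerce` skips.

```haskell
{-# LANGUAGE RankNTypes #-}
module WitnessCoerce where

import Data.Coerce (Coercible, coerce)
import Unsafe.Coerce (unsafeCoerce)

-- Assumed stand-in for darcs' Repository type. The witness parameters wR, wU
-- and wT occur in no field, so GHC infers phantom roles for them: values of
-- Repository wR wU wT and Repository wR' wU' wT' share one run-time
-- representation, and that is exactly what coerce is allowed to exploit.
newtype Repository wR wU wT = Repository { repoPath :: FilePath }

-- Restricted cast of the recorded-state witness only (assumed name). The
-- "unsafety" here is purely logical: the caller takes on the obligation that
-- the new witness describes the same repository state. GHC still checks
-- that the two types have the same representation, so this cannot corrupt
-- memory even if the caller gets the witness wrong.
unsafeCoerceR :: Repository wR wU wT -> Repository wR' wU wT
unsafeCoerceR = coerce

-- The same cast via unsafeCoerce type-checks too, but GHC performs no check
-- at all: a typo in the target type (say, Int instead of Repository) would
-- also be accepted and crash at run time instead of failing to compile.
unsafeCoerceRRaw :: Repository wR wU wT -> Repository wR' wU wT
unsafeCoerceRRaw = unsafeCoerce

-- Representation mismatch: coerce rejects this at compile time with
-- "Couldn't match representation of type ...", whereas unsafeCoerce would
-- happily compile it. Left commented out so the module builds.
-- broken :: Repository wR wU wT -> Int
-- broken = coerce

-- A generic helper that makes the proof obligation visible in the type: the
-- Coercible constraint is discharged by GHC, not by the programmer.
castWitnesses :: Coercible a b => a -> b
castWitnesses = coerce

-- Constructed sample value for a quick check in GHCi.
sampleRepo :: Repository () () ()
sampleRepo = Repository "/tmp/example-repo"

-- ghci> repoPath (unsafeCoerceR sampleRepo :: Repository Bool () ())
-- "/tmp/example-repo"
```

Loading this in GHCi and uncommenting `broken` shows the difference the comment is about: the only cast that fails is the one where the representations really differ, which is the class of mistake `unsafeCoerce` cannot catch.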