[darcs-devel] [patch1768] make it clear that coercing Repository is "unsafe"

Ben Franksen bugs at darcs.net
Tue Dec 4 10:51:49 UTC 2018


Ben Franksen <ben.franksen at online.de> added the comment:

Well, the obvious disadvantage is that unsafeCoerce is unsafe while coerce is 
safe.

With every use of unsafeCoerce comes a proof obligation that the types you 
cast between have the same run-time representation, otherwise you risk memory 
corruption. Using coerce you can rely on GHC to check that for you. I feel 
much more comfortable using coerce.

You want to disallow coerce to cast witnesses because it doesn't have 
"unsafe" in its name. Indeed, casting Repository witnesses is not "safe" in 
the sense that it allows applying patches in the wrong context. However, this 
is unsafety at a whole other level than what can happen if you make a mistake 
using unsafeCoerce. This is why I think it is better to avoid unsafeCoerce 
where possible and instead rely on convention and common sense when it comes 
to casting Repository witnesses, i.e. use only the coercion functions exported 
by D.R.InternalTypes, just as we do not use unsafeCoerce when casting 
witnesses for patches but only use the restricted versions exported from 
D.P.Witnesses.Unsafe.

__________________________________
Darcs bug tracker <bugs at darcs.net>
<http://bugs.darcs.net/patch1768>
__________________________________
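The distinction drawn above, as an added illustration that is not darcs code and not part of the original message: a repository handle with phantom witness parameters, a single sanctioned cast written with the type-checked `coerce`, and a counter-example where `coerce` is rejected at compile time. The module name, the `Repository`/`Payload` types and the function `castRepoWitnesses` are hypothetical stand-ins for whatever D.R.InternalTypes actually exports.

```haskell
{-# LANGUAGE RoleAnnotations #-}
-- Hypothetical module (not the darcs implementation) showing why a witness
-- cast written with 'coerce' carries no representation proof obligation,
-- while the same cast written with 'unsafeCoerce' would.
module RepoWitness (Repository, openRepo, castRepoWitnesses) where

import Data.Coerce (coerce)

-- | The witness parameters (recorded, unrecorded, tentative state) carry no
--   data at run time; they only tag the handle at the type level.
data Repository wR wU wT = Repository { repoPath :: FilePath }

-- GHC infers these roles from the declaration, but stating them makes the
-- intent visible: 'coerce' between differently-tagged handles is accepted
-- precisely because every witness is phantom.
type role Repository phantom phantom phantom

openRepo :: FilePath -> Repository wR wU wT
openRepo = Repository

-- | The one sanctioned way to re-tag a handle, analogous to the restricted
--   coercion functions the message refers to. 'coerce' compiles only because
--   GHC has checked that both sides share the same run-time representation.
--   It remains "unsafe" in the patch-theory sense: the caller asserts that the
--   new witnesses describe the repository's actual state, and nothing checks
--   that assertion. With 'unsafeCoerce' the caller would additionally have to
--   guarantee the representation match by hand.
castRepoWitnesses :: Repository wR wU wT -> Repository wR' wU' wT'
castRepoWitnesses = coerce

-- | Counter-example: here the parameter is not phantom. The stored value has
--   type 'w', so GHC assigns the parameter a representational role.
data Payload w = Payload w

-- The following does not compile: Coercible (Payload Int) (Payload Bool)
-- would require Coercible Int Bool, which does not hold. That refusal is the
-- check the message says you get for free with 'coerce'. 'unsafeCoerce' would
-- accept the same definition and silently reinterpret the Int as a Bool.
--
-- badCast :: Payload Int -> Payload Bool
-- badCast = coerce
```

Keeping the `Repository` constructor out of the export list (as above) means client code cannot rebuild a handle with arbitrary witnesses by hand; `castRepoWitnesses` becomes the only place where witnesses change, which is the "convention" the message relies on, now enforced by the module boundary rather than by grep.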


More information about the darcs-devel mailing list