[swift-evolution] [Discussion] A Problem With SE-0025?

Xiaodi Wu xiaodi.wu at gmail.com
Wed Jun 29 12:59:25 CDT 2016


On Wed, Jun 29, 2016 at 12:20 PM, Jordan Rose <jordan_rose at apple.com> wrote:

>
> On Jun 29, 2016, at 09:59, Xiaodi Wu <xiaodi.wu at gmail.com> wrote:
>
> On Wed, Jun 29, 2016 at 11:31 AM, Jordan Rose <jordan_rose at apple.com>
> wrote:
>
>>
>> On Jun 29, 2016, at 08:49, Xiaodi Wu <xiaodi.wu at gmail.com> wrote:
>>
>> On Tue, Jun 28, 2016 at 9:06 PM, Jordan Rose via swift-evolution <
>> swift-evolution at swift.org> wrote:
>>
>>>
>>> On Jun 28, 2016, at 19:03, Matthew Judge <matthew.judge at gmail.com>
>>> wrote:
>>>
>>> Comments inline.
>>>
>>> On Jun 28, 2016, at 04:14, David Hart via swift-evolution <
>>> swift-evolution at swift.org> wrote:
>>>
>>> Hello everybody,
>>>
>>> I tried using the access rules defined in SE-0025 in some code of mine
>>> to see what effect it would have. I came out of the experiment more
>>> disappointed than I thought. Here are several reasons:
>>>
>>> 1) The new rules make `private` more prominent compared to `fileprivate`
>>> (the latter has a somewhat worse name). But at the same time, the Swift
>>> community has developed a style of coding where a type is defined through a
>>> set of extensions. To hide members from other types, but have access to
>>> them inside the type extensions, we have often used `private` and placed
>>> the type and its extensions in the same file. Because `private` is scoped,
>>> we are forced into using `fileprivate` pervasively (which is uglier), using
>>> `internal` instead (which is less safe) or moving the extension code into
>>> the type's scope (which is against the way Swift code is being written
>>> today). All of these options look worse to me than before SE-0025.
>>>
>>>
>>> If I understand SE-0025 (even with the amendment) you can still spell
>>> the access modifier to types as 'private' and get the same characteristics
>>> as the pre-SE-0025 meaning of private, so I'm not sure I understand the
>>> concern here. However (continued below)
>>>
>>>
>>> 2) The new amended rules look complicated to me. I think they have the
>>> risk of being confusing in practice, but we’ll have to see.
>>>
>>>
>>> I definitely agree that the amended rules look complicated. It seems to
>>> me that the amended set of rules is favoring simplifying the implementation
>>> over simplifying the mental model.
>>>
>>> My impression of what SE-0025 decided was that 'private' meant private
>>> to the enclosing scope. If the access modifying 'private' was applied to a
>>> type at the file scope, then it was synonymous with fileprivate and the
>>> default access of members of that type should be fileprivate.
>>>
>>> If an inner type was declared private, then the default access of members
>>> of that inner type should be private to the Outer type, not fileprivate.
>>> There is currently no way of expressing this access explicitly, but it does
>>> not seem like an especially useful thing to need to spell.
>>>
>>> Said in code, my impression of SE-0025 is that
>>>
>>> private class Outer { // exactly equivalent to fileprivate
>>>     var myVar = 0 // default: fileprivate
>>>     private class Inner { // private to Outer
>>>         var hiddenVar = 0 // default: private to Outer
>>>         private var reallyHiddenVar = 0 // default private to Inner
>>>     }
>>> }
>>>
>>>
>>> This is definitely one of the considered alternatives. Both Brent and I
>>> didn’t like the idea of an access level that you couldn’t actually spell,
>>> and even if we got past that, we’d still need a way to refer to it in
>>> documentation and diagnostics. I would count that as a larger change than
>>> just allowing ‘fileprivate’ in places that previously would have been
>>> called redundant.
>>>
>>
>> I'm late to the party here, but I share the feeling that perhaps the
>> amendment introduces a complicated mental model. But a lightbulb went off
>> reading the amendment, specifically this parenthetical statement:
>>
>> "(The members [defaulting to fileprivate inside a private type] still
>> cannot be accessed outside the enclosing lexical scope because the type
>> itself is still private, i.e. outside code will never encounter a value of
>> that type.)"
>>
>> Given that this is the case, wouldn't the same problem be entirely
>> obviated by the following change to the formal rules:
>> The default level of access control within any type (public, internal,
>> fileprivate, or private) is `internal`.
>>
>> In the case of fileprivate or private types, the `internal` members still
>> cannot be accessed where the containing type cannot be accessed.
>>
>>
>> That does seem simpler at first, but it doesn’t remove any of the later,
>> more complicated rules about *minimum* access, and when you can use a
>> less accessible type in a (formally but not in practice) more-accessible
>> declaration.
>>
>
> Your second rule as written is straight-up ungrammatical, so I can't say
> if it makes any sense or becomes any more or less complicated ("a
> member...may have `private` type"--huh?).
>
>
> It’s…compiler-grammar? We say something “has pointer type” fairly often
> within the compiler group. I’ll change it.
>
> “A method, initializer, subscript, property, or typealias
> with `fileprivate` access may have a type that references `private`
> declarations if (1) the declaration with `fileprivate` access is a member
> of a private type, and (2) all referenced `private` declarations are
> defined within an enclosing lexical scope. That is, it is legal for
> a `fileprivate` member within a `private` type to have a type that is
> formally `private` if it would be legal for a `private` declaration in the
> parent scope to have that type.”
>
> Is this clear, or still senseless?
>

That's very clear now.

Independent of the issue of the written text, though, the idea you are
expressing is very complicated and a special case for a generalizable
principle. That is, if you loosen the requirement so that a method, etc.,
can have an access level formally broader than that of its containing type
(in your example below, `Inner`), it should still be permissible for that
method to make use of a type with more restrictive access if that
restrictive access is at least as broad as that of the containing type.


>
> This rule is intended to allow this case:
>
> struct Outer {
>   private typealias Value = Int
>   private struct Inner {
>     /*fileprivate*/ var value: Value
>   }
> }
>
>
> while disallowing this case:
>
> struct Outer {
>   private struct Inner {
>     private typealias Value = Int
>     fileprivate var value: Value = 0
>   }
> }
>
>
> Do you think that should appear in the proposal text?
>

I think that would help.


>
>
>
> The rule about minimum access is needlessly complicated: `private` can
> never satisfy a protocol requirement or be used for a required initializer
> because of the very fact that it is private. We needn't say that
> `fileprivate` is the minimum access required since there's nothing about
> `fileprivate` that makes it the minimum. Thought experiment: if another
> access level were to be introduced between `private` and `fileprivate`,
> that could become the minimum access required. However, no matter what, it
> is inherent to the SE-0025 definition of `private` that it can never
> satisfy a requirement.
>
>
> I admit that I don’t think most people understand what the rules are for
> minimum access to satisfy a requirement: the minimum of the type’s access
> and the protocol’s access. But maybe it’s good enough to say “A private
> member may never satisfy a protocol requirement. Required initializers may
> not be private.” and not give further justification; the previous changes
> already allow that. (I already ducked out of justification by saying “to
> satisfy the spirit of existing requirements”, so this wouldn’t really be
> any worse.)
>
>
> The rule about members inside extensions with access modifiers is
> consistent with existing rules and doesn't need to be called out. That
> said, does a `private extension` make sense at all?
>
>
> I was inclined to write it explicitly after Adrian Z’s proposal to change
> the behavior of extensions, which implied to me that the current behavior
> was non-obvious. Since extensions just set the default access level, I
> could see *someone* doing this to enforce that access to all of their
> non-helper API was called out explicitly. I’m not a fan, but it doesn’t
> seem to hurt anything.
>

It raises a question. Is `foo` inside `private extension { func foo... }`
supposed to be exactly the same as that inside `extension { private func
foo... }` (i.e. not visible outside the extension)? That seems useless and
counterintuitive. However, if not, then `private extension { func foo... }`
is equivalent to `fileprivate extension { func foo... }`, which is both
confusing and redundant.


>
>
>> Once those are in place, it seems better to use fileprivate, as the next
>> level up, so that we can still warn about mistaken uses of ‘internal’, and
>> so that we don’t have to special-case code later on in the pipeline that
>> uses visibility to optimize.
>>
>
> Mistaken explicit use of `internal` can still be warned on. In your
> proposal, `fileprivate` inside `private` still leaves room for optimization
> that would require special-casing, no? In my proposed formulation,
> `internal` simply takes on the practical meaning of "as visible to the
> module as can be given what it's contained in", which seems like a
> principled take that could be optimized without regarding it as
> "special-casing".
>
>
> I don’t think there are any cases of ‘fileprivate' that can meaningfully
> be “optimized” down to ‘private’. Just because no one’s using something
> outside of the type *now* doesn’t mean it isn’t used at all. Maybe it’s
> being used on the other side of a #if branch.
>

Sorry, that's not what I meant. And since I don't have the best words, it
may take me a while to express my point.


>
>
>
>
>>
>> (Alternately, I don’t think that’s the part of the mental model people
>> are having trouble with.)
>>
>
> Maybe it's just me, but that's the first part of the mental model that's
> exploding my mind.
>
>
> Hm. I really didn’t expect this—to me, it’s just “fileprivate is allowed
> inside private types” and then “fix all the fallout so that the compiler
> only shouts at you when necessary”. Can you say what the model change is to
> you?
>

With respect to this particular rule, it's already been pointed out that
things are already complicated (public types have default internal members,
but internal types have default internal members and fileprivate types have
default fileprivate members). Granted, there is a very good rationale for
the behavior. However, add yet another subrule and you may as well just
have a table, because a general rule that applies to two things with two
different exceptions for two other things is essentially no general rule at
all. Since the point you're making is that we have to relax the rules about
access levels nested inside types anyway, the most consistent rule I can
think of is "the default access level is always internal". And I think it
would actually be workable.

Thanks for all the feedback.
> Jordan
>