[swift-evolution] [Review] SE-0159: Fix Private Access Levels

Matthew Johnson matthew at anandabits.com
Sun Mar 26 14:10:14 CDT 2017


> On Mar 26, 2017, at 12:26 PM, John McCall <rjmccall at apple.com> wrote:
> 
>> On Mar 26, 2017, at 8:30 AM, Matthew Johnson <matthew at anandabits.com> wrote:
>> On Mar 26, 2017, at 4:13 AM, John McCall via swift-evolution <swift-evolution at swift.org> wrote:
>> 
>>>> On Mar 26, 2017, at 4:27 AM, Goffredo Marocchi <panajev at gmail.com> wrote:
>>>> On 26 Mar 2017, at 06:54, John McCall via swift-evolution <swift-evolution at swift.org> wrote:
>>>> 
>>>>>> On Mar 25, 2017, at 2:11 AM, Carl Brown1 via swift-evolution <swift-evolution at swift.org> wrote:
>>>>>> Yes, it would change my opinion of it. I wouldn't become a strong supporter because I don't see any value in it, but a rigorous proof that this proposal could not possibly introduce regressions to any existing codebases would change my opinion from "strongly against" to "doesn't matter to me, I'll stop arguing against it and go get my real work done".
>>>>>> 
>>>>> Speaking just for myself, this was a key part of why I was attracted to this proposal: it seemed to me to be extremely unlikely to cause regressions in behavior.  Even without any special behavior in the migrator, code will mostly work exactly as before: things that would have been invalid before will become valid, but not the other way around.  The exception is that old-private declarations from scopes in the same file can now be found by lookups in different scopes (but still only within the same file).  It should be quite straightforward for the migrator to detect when this has happened and report it as something for the programmer to look at.  The proposal causes a small regression in functionality, in that there's no longer any way to protect scopes from accesses within the file, but (1) it's okay for Swift to be opinionated about file size and (2) it seems to me that a workable sub-module proposal should solve that more elegantly while simultaneously addressing the concerns of the people who dislike acknowledging the existence of files.
>>>> 
>>>> The opinionated flag sometimes, like being Swifty, is being used to swath away disagreement, but opinions should be reasonable and pragmatic too... opinionated as "you will code this way and you will like it" seems hardly ideal too if abused constantly. Programming is a creative endeavour too.
>>>> 
>>>> Also, removing a feature that is used and is useful because "maybe" a year or more away there could be a feature that may address the concerns of the people we are stripping away the current feature from seems quite harsh and unfriendly at best... not very logical either.
>>> 
>>> Scoped-private is not some awesomely expressive feature.  It's an access restriction.  The "opinion" I'm talking about hardly prevents you from coding however you like.  It's just this: organizing your code into smaller, more self-contained components separated by file is good practice anyway, and when you do that, Swift will let you enforce that each component is properly encapsulated.
>> 
>> This does not address the case where we have a small helper type that is only 10s of lines long, is not visible outside the file, and encapsulates an important part of the implementation using scoped private.  The whole file is usually only a couple hundred lines.  This is not an excessively long file and already contains a single component that is presented to the rest of the program.
> 
> I acknowledge that this case exists, but by definition, it's a tiny amount of code being "protected" from an almost equally tiny amount of code.

Sure, but I’ve seen cases where it can be used to avoid problems that arise in real projects with experienced programmers.  Compiler verification provides a useful “reminder” to both maintainers and reviewers about the correct thing to do.  This can be especially helpful when somebody is new to a project or when revisiting code you haven’t looked at in quite some time.

I would never argue that this is as important as many other features in Swift but that isn’t the standard that has been set.  The standard that has been set for breaking changes is one of “actively harmful”.  As I have stated before, I think one can make a reasonable case that the current names `fileprivate` and `private` are actively harmful.  However, I don’t think a strong case can be made that scoped access in itself is actively harmful.  Instead, I think a reasonably strong case has been made that it is actively harmful to remove it.  If that were not the case we wouldn’t see roughly half of the responses to this thread saying no to this proposal.  People are benefiting from this feature.

> 
> Access control is primarily communicative.  A person who adds unwanted uses of a private property can also just as easily change the access restriction.  The point of private access control is to communicate that you've thought about it and that people should think before assuming that it's okay to use something.  When you're talking about tiny amounts of code, that level of communication really is good enough.

I largely agree.  But I think the value in having the compiler catch accidental misuse is greater than most of the supporters of this proposal are acknowledging.  The value is nowhere near the value of using Optional to model null, but scoped access control is able to catch bugs statically that would otherwise slip through to runtime.  Most importantly, it can help catch “bugs” that might behave correctly today but will not behave correctly after a future change to the invariants preserved by the methods the rest of the file is supposed to be using.

> It has to be, because access control is never going to be sufficiently expressive to express constraints like "this method can only be called from this other method" — we actively would not want to encourage programmers to engage in that level of pedantry, because some of them will, and they'll make themselves miserable and accomplish nothing of value, and they'll blame Swift (correctly) for implying that it was important.

I acknowledge that there is a degree of pedantry that becomes unhelpful.  I don’t think scoped access crosses the line.  Clearly others do.  

I greatly value the ability to state intent directly in the language and have that intent be verified by the compiler, particularly in areas where that verification can be leveraged to statically prevent bugs.  There are a nontrivial number of use cases where scoped access is able to do that very well and any other solution is going to end up feeling clunky at best or be impossible at worst.

>> Some designs of submodules might allow us to properly encapsulate everything but if that requires us to put a small helper type in a separate file that would be a very unfortunate and inflexible constraint on how we are able to organize our code. 
>> 
>>  I don't want encapsulation concerns dictating how I physically organize my code.  That is significant and unnecessary complexity if you ask me.  It forces a tradeoff between desired physical organization and desired encapsulation.  We should not force users to make this tradeoff.
> 
> See, you say this, and you're apparently talking about the burdens of maintaining a 200-line file.

In ideal cases yes.  Sometimes files grow to be 400-500 lines.  Scoped access can reduce the amount of code to which protected state is visible by 90-95% or more in files (even in the 200 line range).  This is an important benefit IMO.

> Someone else says it, and their files are 10,000 lines long.  

I don’t think we should remove a feature from the language just because some people abuse it.  I’m sure we can find good examples of most features in Swift being abused.

> I'm going to be opinionated and say that, no, physical organization is inherently linked to encapsulation because of the implicit outer scope of the file, and that if you care about encapsulation, you should also be organizing your code to minimize that outer scope, which will also make it trivial to understand how a private declaration is used and recognize in code reviews for changes that touch that file that they're accessing something they shouldn’t.

I don’t think touching a separate file makes it substantially easier to recognize in code reviews than a modified access level.

There are many factors involved in deciding which file a piece of code goes in.  If I have 300 lines of code that are all tightly related they should be in the same file to facilitate ease of reading and editing that code.  Physical proximity matters not for logical reasons, but for pragmatic reasons.  Maybe someday our tools will have features that make it easier to work with code that spans several files but alas we’re not there yet.  This means that encapsulation should not be the only consideration.  Pragmatism demands we consider human factors as well.

The implicit outer scope at the file boundary is one that only exists because it was introduced in Swift 2.  It has precedent in the implementation-related history of translation units and header files but that does not necessarily mean it is the best solution for Swift.  Interestingly, if future tools succeed in making file boundaries matter less than they do today this implicit boundary would start to seem pretty strange and logical scopes would take on increased importance.  This isn’t an argument against keeping file scopes - they are pragmatically important right now for a number of reasons - but it is an argument against removing the tool we have for referring to the current lexical scope.

There is significant demand for submodules specifically because people want to be able to have smaller files without exposing things to the whole module.  Again we see the language forcing a tradeoff between physical code organization and logical bounding of access to a member.  I would be very surprised if scoped access bears more responsibility for large Swift files than the choice of files as the largest scope addressable by access control that is smaller than the module itself.  If you want to encourage people to have smaller files this is the place to start.

I don’t think tradeoffs between encapsulation and physical organization should be ignored.  As noted in the previous paragraph, coupling them is partly responsible for the large file problem we have.  I think the tradeoffs and the problems arising from them should be carefully considered.  If they are not, they will continue popping up and people will continue asking for changes to the language.  The best way to do this (IMO) is to defer the entire topic of access control until we can step back and revisit it holistically.  

Ultimately, many programmers want both tight encapsulation and the ability to physically organize their code in a way that is both logical and pragmatic.  Is this too much to ask from the language (as a long-term goal)?  I hope not.



> 
> John.
> 
>> 
>>> 
>>> John.
>>> 
>>>> 
>>>>> 
>>>>> John.
>>>>>> -Carl
>>>>>> 
>>>>>> From:  Xiaodi Wu <xiaodi.wu at gmail.com>
>>>>>> To:  Carl Brown1/US/IBM at IBM
>>>>>> Cc:  Drew Crawford <drew at sealedabstract.com>, Jonathan Hull <jhull at gbis.com>, swift-evolution <swift-evolution at swift.org>
>>>>>> Date:  03/25/2017 12:33 AM
>>>>>> Subject:  Re: [swift-evolution] [Review] SE-0159: Fix Private Access Levels
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> Would it change your opinion on the proposal?
>>>>>> 
>>>>>> 
>>>>>> On Sat, Mar 25, 2017 at 12:10 AM, Carl Brown1 <Carl.Brown1 at ibm.com> wrote:
>>>>>> I would very much like to see your proof that the resultant code is unchanged in an arbitrary codebase. 
>>>>>> 
>>>>>> -Carl
>>>>>> 
>>>>>> From: Xiaodi Wu <xiaodi.wu at gmail.com>
>>>>>> To: Carl Brown1/US/IBM at IBM
>>>>>> Cc: Drew Crawford <drew at sealedabstract.com>, Jonathan Hull <jhull at gbis.com>, swift-evolution <swift-evolution at swift.org>
>>>>>> Date: 03/25/2017 12:01 AM
>>>>>> Subject: Re: [swift-evolution] [Review] SE-0159: Fix Private Access Levels
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> On Fri, Mar 24, 2017 at 11:55 PM, Carl Brown1 <Carl.Brown1 at ibm.com> wrote:
>>>>>> My point is that, in rolling back the specific portion of SE-0025, case-sensitive find-and-replace will be the trickiest thing in most codebases, save those that result in invalid redeclarations. The behavior of the resultant code is, unless I'm mistaken, provably unchanged.
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> _______________________________________________
>>>>>> swift-evolution mailing list
>>>>>> swift-evolution at swift.org
>>>>>> https://lists.swift.org/mailman/listinfo/swift-evolution
