A "safe" subsection of the library

[MatthewDaggitt]

As discussed in #122 it is currently impossible to typecheck a development relying on the standard library with the --safe option because it does not isolate properly its uses of unsafe features.

The agreed upon course of action is that there will be a Safe.* subset of modules. The current module names will be kept the same and will re-export exactly what they currently contain, ensuring full backwards compatibility whilst making it possible to only rely on the subset that is recognised as being safe by Agda.

[gallais]

I have come across something fairly nasty: Agda.Builtin.Int depends upon Agda.Builtin.String which uses a postulate to declare the String type. As a consequence any module importing Agda.Builtin.Int cannot be accepted by the current --safe option Agda has.

In other words either all Data.Integer.* and any other module depending upon them have to be in the unsafe part of the library or Agda needs to provide e.g. Safe.Agda.Builtin.Int without primShowInteger (and therefore without any dependence on Agda.Builtin.String).

[UlfNorell]

It sounds like maybe we should relax the requirements of --safe to accept postulates of type Set.

[gallais]

I don't understand why Agda.Primitive doesn't trigger an error given that it does use postulate all over the place.

[gallais]

All the tests are green. I think the branch is more or less ready to be merged (and I'd like to avoid it diverging too much from master before merge because that's a lot of changes to maintain!). When / If Agda gets more liberal in terms of what it accepts as safe, we can move more things into Safe/. It should all be transparent from the users' point of view anyway.

The main issues I see are:

Wider Use

Do we want to ask people on the agda ML to try to check their developments with the current safe branch to make sure it doesn't break anything (e.g. we haven't forgotten to re-export any names anywhere)?

Or would it be enough to run Agda's stdlib-based test suite on the modified one? In which case I guess it's simply a matter of creating a dummy branch on agda/agda where we update the submodule to point to the safe branch.

Stylistic Issue

Do we want {-# OPTIONS --safe #-} as a header in all of the Safe/ modules or are we just happy with having travis check Safe/index.agda with the appropriate command line options? At the moment we have both the header and the travis separate check (the latter is necessary even though we have the headers because of agda/agda#2487).

[MatthewDaggitt]

Just had a look at the branch. What's the plan for maintaining this? Is every safe change to the non-safe part going to have to be copied over to the safe part manually?

Or is there some way of regenerating the safe part automatically?

[gallais]

The idea is to replace master with safe. Given that each unsafe module re-exports the content of its safe counterpart, it should be completely transparent for end users.

New definitions can be added either to the safe module if they are innocuous, or to the unsafe one if they're not. Data.Nat.Base is a pretty good example: pretty much all of its former content is now in Safe.Data.Nat.Base except for erase which is in Data.Nat.Base.

[MatthewDaggitt]

Oh yes. Apologies, hadn't noticed that all the non-safe versions contents had been moved.

Given that each unsafe module re-exports the content of its safe counterpart, it should be completely transparent for end users.

Until they go browsing through it!

I'm a little worried about what this is going to do to library usability. For instance looking for the decidability of the divides relation _∣_, would currently only involve looking through Data.Nat.Divisibility. However it is now going to require browsing both Safe.Data.Nat.Divisibility and Data.Nat.Divisibility which are deep in different parts of the heirarchy. What's more you can't off-hand predict which one it's going to belong to.

This seems like a big impact on the average user who's not that concerned about rigorous safety. Can users who are concerned about safety not just type-check it on the command line using the --safe option? Won't that automatically highlight the unsafe terms used? Or does it over-estimate, and mark otherwise safe terms unsafe if they share a file with unsafe terms?

[gallais]

However it is now going to require browsing both Safe.Data.Nat.Divisibility and Data.Nat.Divisibility which are deep in different parts of the heirarchy. What's more you can't off-hand predict which one it's going to belong to.

The doc for the unsafe module systematically links to the safe one because it imports it.

Can users who are concerned about safety not just type-check it on the command line using the --safe option?

--safe only succeeds if all of the definitions in a module (and all the module it depends upon) are safe. Hence the need for a split: it is currently near impossible to typecheck a development relying on the standard library with the --safe option. I'm actually surprised that after 100+ articles using Agda published, no reviewer seems to have complained about this.

[MatthewDaggitt]

The doc for the unsafe module systematically links to the safe one because it imports it.

Hmm... I guess so.

--safe only succeeds if all of the definitions in a module (and all the module it depends upon) are safe.

Whereas what it should ideally do is only check the definitions in other modules that are actually used. From my position of complete ignorance, this seems like it should be doable using some sort of flow analysis. I'm not sure if it is or not! If it is possible, wouldn't this be a far better solution than partitioning the standard library in two?

I guess its kind of the dual to agda/agda#2487. File options should be more strict with respect to imported definitions, and command line options need to be less strict....

[gallais]

Whereas what it should ideally do is only check the definitions in other modules that are actually used.

But then you'd have to call agda --safe on every single module attached to a paper to make sure the whole development is not using any dirty tricks. Right now you can simply generate an Everything.agda and typecheck that.

Edit: I should perhaps mention the existence of C-c C-z to search through definitions in scope. Which ought to be more efficient than navigating files when looking for a specific result.

[MatthewDaggitt]

But then you'd have to call agda --safe on every single module attached to a paper to make sure the whole development is not using any dirty tricks

Aren't you going to have to do that anyway? Even if you've only used modules from the Safe hierarchy in the standard library, you still need to check that your own modules don't use any dirty tricks.