Type Safety in Collections: Remove generics from collection types #165
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What
Remove the generic types from the collection types in the SDK:
Vec<T>
=>Vec
Map<K, V>
=>Map
Why
It is convenient to represent the
Vec
andMap
types as homogeneous data structures, but in reality there is nothing in the data definition (XDR) or the runtime environment that guarantees they will be. The SDK misrepresents the underlying data by presenting the collections as homogeneous, and while this misrepresentation is convenient in the common case, it could also be a cause of vulnerabilities since developers could assume the types are backed by values of the same type when they are not. @graydon, @jonjove, and I have discussed several options, including making the types homogeneous in the XDR, and including runtime checks. However, since the SDK type system is likely to be a super set of the runtime environment there are edge cases the host would be unable to test against.Removing the generics from the types themselves and moving them to the functions so that the functions still aid with conversion seems like the most explicit way to make these types exhibit reality.
Related discussion https://discord.com/channels/897514728459468821/989953055829135380/993984627180056749
Close #152
Known limitations
This will introduce some ambiguity into contracts.
❗ A
Vec
will allow any type to be added to it, even if the developer intends only a specific type to be added.Vec<T>
as their field type, but instead justVec
. While this describes reality better, it is less effective at communicating the intent for what data should be placed in theVec
, and therefore this harms the developer experience. It seems better to harm the developer experience if the alternative is footgun code.TODO
The contract spec is not updated in this PR, and needs updating to remove the generic types from the specification of the collection types.