[Draft] A Consistent Foundation For Access Control: Scope-Bounded Capabilities


(Paweł Wojtkowiak) #1

Why not add a scope which allows access to the variables and functions only for the type itself and its extensions, but only within the current module? This would result in limitation of visibility from the outside (the same way private does) except for the fact that extensions could actually change these variables/functions. Also, restricting it to the module at the same time would not allow access to them and doing extensions like xWrapper (mentioned in one of the mails), unless it was in the same module, but even then it is just easier to change the type itself instead of doing wrapper extensions since the developer has access to it anyway.

I think this would be convenient because outside of the type and its internal extensions these entities would not appear as for public use.

···

Sent from my iPhone

On 3 Mar 2017, at 20:24, Matthew Johnson <matthew@anandabits.com> wrote:

On Mar 2, 2017, at 10:30 PM, Jaden Geller <jaden.geller@gmail.com> wrote:

On Mar 2, 2017, at 7:51 PM, Matthew Johnson <matthew@anandabits.com> wrote:

Sent from my iPad

On Mar 2, 2017, at 3:35 PM, Jaden Geller <jaden.geller@gmail.com> wrote:

Hi Matthew,

Overall, I think this is a great simplification of the access control mechanism! I really appreciate the focus on both “simple made easy” and safe defaults.

Thanks Jaden! I appreciate your thoughtful feedback!

I have a few comments and questions:

(1) It seems odd to use `scope` as both an access control modifier alone and as a function-like attribute. Perhaps something like `access(set, scope)` would be better than `scope(set)`. As it is, we're conflating scope with meaning visibility and lexical scope—I found that very confusing.

This is good feedback. The reason I designed it this way is because it is intended to work like the existing access modifiers which can be parameterized or stand alone. The idea is that it is analogous to a function with default arguments and we treat the unbound function as if it had been called with no explicit arguments (using the defaults). There is an example of this in the playground prototype I included.

That said, there is a difference - the existing modifiers don't accept a scope argument. I can see how this could make it more confusing. In the current design `scope(set, lexical)` is already valid and is similar to the `access(set, scope)` idea you suggested.

One thing I want to be very careful about is making the syntax read well if possible. In the playground I even used argument labels `scope(of: set, is: lexical)`. I think that would be too verbose in real code but I think it's important that this read like a sentence in our minds at least.

One option would be to simply remove the default scope argument and require it to be provided explicitly when lexical scope is intended. I'm not sure how I feel about that. I'm going to spend some time thinking about this further. I definitely don't want the shorthand (without arguments) to be a source of confusion.

I think this would be an improvement.

As a sidenote, if there were to be an alias for lexical access control, think the pseudo-adjective `scoped` aligns better with the adjective `public`, `internal`, and `private`. The noun `scope` seems out of place.

Interesting that you say this. I had suggested `scoped` earlier and had second thoughts about that because a verb feels a little bit out of place next to `public`, `internal` and `private`. But I think you’re right that `scoped` does read more similar to them. I will go this route.

(2) I think that the attribute should be spelled `@access` like other attributes in Swift, `@availability` for example. This seems more consistent.

If it were an attribute I would agree. But it's not, it's an access modifier. Those don't have the `@`.

I guess I’m suggesting that it might be better expressed as an attribute. The attribute `@available` is already used to specify symbol visibility (based on platform, version, etc.), so it seem best to align access control by using an attribute as well. I agree that the aliases like `private` shouldn’t require an `@` for concision…

Do we have any cases where we have both an attribute and a declaration modifier that both have the same semantics? I don’t think so. That seems a little bit strange to me. I can see why you would associate this with `@available` but I think it’s better to define it as a declaration modifier.

(Does Swift have a hard-and-fast rule for which modifiers should use attributes and which should use keywords? Or even a more hand-wavey rule? It seems almost arbitrary to me…)

As far as I know declaration modifiers never have `@` and attributes do. I don’t have a good sense of how we decide when something is better expressed as an attribute vs being a declaration modifier. Maybe somebody from the core team can comment on this.

Another benefit is that there’s stylistic precedent for attribute declarations to be placed on the line before the declaration. This works well with wordier restrictions.

I don’t think style should influence whether we use `@` or not. We are free to establish a common style that places longer declaration modifiers on a previous line. I think the community will eventually converge on a reasonable style regardless of how it looks.

(3) Speaking of `@availability`, how do you suppose access control ought to interact with that? Can I somehow mark that the setter was public in a previous version but is now private?

This is a good question. I am not familiar enough with `@availability` to answer off the top of my head. Do you think this is something that needs to be addressed by this proposal?

I’m not entirely sure. It _probably_ doesn’t need to be addressed just yet. I don’t think `@availability` currently has such features, so it would be additive.

Sounds good.

(4) The function-like access control attribute as you proposed it has very odd semantics, especially compared to Swift functions. For example, both `scope(get, file)` and `scope(file)` are valid spellings, as if `get` was a default argument, but Swift does not allow default arguments in that position without labels. Obviously this isn’t a parsing problem since we’re using keywords, but I find it very confusing. Either swap the order of the arguments or, I would prefer, add labels. With my `@access` spelling, we might have `@access(get, in: file)` and `@access(in: file)`.

I actually used labels in the playground and thought about including them in the proposal. I decided against it on the grounds that access modifiers are pervasive and the labels could quickly be seen as noise. If others feel they are important I have no objection.

I like labels, but I can understand the preference for concision. It just confuses my mental model when the semantics cannot be implemented in Swift. In your playground, try removing your labels—the function becomes impossible to call without specifying the capability argument!

I think the default for the capability and the sequence of arguments are both pretty important aspects of the design. The former because we often want to bound *all* capabilities in the same way and bounding the default capability does this. It reads more clearly to only specify the scope. The sequence of arguments is important because I think it reads much better: “access to the setter is bounded to the file”. I think it also reduces the chance that a reader misses the capability and only notices the scope.

We should have a bikeshed discussion about whether labels should be required, optional, or not allowed. I would be happy to let community consensus decide this.

(Sidenote: Why doesn’t Swift warn on function declarations that provide unusable default arguments??)

For the record, `@available` does not use labels. It even omits commas in places I might expect them… `@available(swift 3.0.2)`.

(5) It seems odd that `call` is the name of the default visibility for functions. I agree with the semantics, but the naming seems to imply that I could still refer to the value `let foo = myFunction` but not call it.

Some of these names were pretty tough to decide on. I wholeheartedly embrace bikeshedding here. I wouldn't be surprised if community input can improve on the names I have used. :slight_smile:

I agree that we should eventually bikeshed, but I’m trying to focus on the semantics first :slight_smile:

Yes, that’s a good call. I just wanted to make it clear that I’m not fixated on the naming and acknowledge that it’s a hard problem. :slight_smile:

I chose `call` because if you can see a function you can call it. It isn't possible to see it, bind it to a name, etc without being able to call it and it probably shouldn't ever be.

For Types and Protocols, `use` seems like a very generic word to, well uh, use. Perhaps `visible` would make more sense (though it is not a verb like the others…)?

I agree. This was the most difficult name to decide on. The notion I tried to capture is that if you can see a type you can work with values of of that type (as well as access it's static members). I would be very happy if we could identify a better name.

Perhaps `constrain`?

This is also something you can always do when you can see a protocol, but you can also use it as an existential (thinking ahead to generalized existentials) so you can also work with values of the protocol existential type.

I was potentially recommending constrain for types too. `let x: Int` constrains `x` to be type `Int`, and `let y: Hashable` constraints `y` to be the (existential) type `Hashable`, or at least will once that’s possible. I’m not sure this is a good spelling, just throwing it out there…

Ahh, that’s an interesting perspective.

I think the name `switch` for enums is also not particularly great, but this probably isn’t the time to bikeshed naming.

I used `switchExhaustively` in an earlier draft but thought it was too verbose. Maybe the verbosity is necessary?

Well, I think that the name `switch` is misleading, but I don’t love this more verbose name either. I was thinking `closed` maybe? …since it guarantees that no more cases can be added. Not sure.

Misleading because you can always `switch`, it just might not be exhaustive? That makes sense but maybe it’s not that big a deal because it would be documented as meaning exhaustive. I’m not sure.

I don’t think `closed` is the best name for this because I think the names should focus on the *capability*. `closed` focuses on the restriction placed on future versions of the library.

(6) Do closed protocols fit into this model? The `conform` capability allows API users to add additional conformances, but there’s no capability to promise that the API maintainer itself won’t add additional conformances. Obviously adding this features is out of the scope of this proposal, but I want to know how it might be spelled in this scheme.

Yes. I think this would use the same capability name as enums that support exhaustive switch.

One interesting point is that this would introduce the notion of mutually exclusive capabilities. You can't have both `public(conform)` and `public(switch)`.

(7) It isn’t immediately clear to me the “hierarchy” of additional capabilities. Obviously `set` is a refinement of `get`, but is `override` a refinement on `set` or `get`? Or are they entirely separate? Can you use both? It would be useful to formalize what happens when the access level is specified for multiple additional capabilities.

Great question. I'll add clarification on this point in the next draft. The short answer is that the bounds of additional capabilities are usually independent of each other.

That said, as noted above, in some cases they could be mutually exclusive. It's also possible that they could have other kinds of relationships. This really depends on the semantics of the declaration providing the capabilities.

I think we really ought to formalize these relationships. It’s difficult to reason about otherwise.

The only relationship that exists is currently the relationship between the basic capability and additional capabilities. The scope of the basic capability implicitly bounds that of the additional capabilities and if the scope of an additional capability is wider than `internal` when no explicit bound is provided for the basic capability the bound of the basic capability is widened accordingly.

I have given some thought to formalizing semantic relationships between capabilities but I think it adds complexity to the model for not much gain at the moment. The two simple rules above suffice. We can formalize additional semantic relationships if / when that becomes necessary. Does that make sense? If not, can you offer elaborate on what you would like to see? I want to facilitate reasoning as much as possible without adding unnecessary complexity to the initial model.

(8) It may be useful to clarify the hierarchy of scopes. Each name is mentioned, but it isn’t intuitively obvious how it works. Does `TypeName` essentially allow me to make friend classes, via `@access(set, in: Foo)`, a la C++. If so, that’s pretty cool! I’m assuming `extension` gives visibility in extensions to this type? What about subclasses—is there a sort of `protected` scope?

Great question. I'll clarify this further in an updated draft.

In the meantime, I'm afraid I'm going to have to let you down a bit on this point. Scopes form a strictly nested hierarchy. This means that you can only reference an ancestor scope.

For types, this simply follows the lexical nesting of types and member declarations. A declaration may reference the scope of a type that contains it by using the name of the type. The capability is available to any declarations within the lexical scope of the type declaration, including other types. But it is intentionally *not* like `friend` in C++.

Unfortunate. If the community found this desirable, would it be additive to add this in the future? I don’t necessary want friend types, but I like that this syntax would make them much, much, much more intuitive than in C++. You wouldn’t even have to read the docs to understand the feature—just read the declaration!

They syntax could certainly be extended to support something like this but it doesn’t really work semantically. This is not a limitation of this model. Instead it is a limitation of any type-based access control. Types don’t facilitate a real encapsulation boundary, especially in a language like Swift where a type can be extended in any scope that can see the type. The core team has repeatedly opposed type-based access control for precisely this reason. I don’t expect that to change but if it did, this syntax could certainly be extended to support such a feature.

`extension` is simply a way to reference the lexical scope created by an extension that contains a declaration. It does not provide access to extensions of the type containing the declaration.

The purpose of access control is compiler verified encapsulation. Since anybody can add an extension anywhere the compiler can't really offer any useful verification of encapsulation. I don't think it would be a good idea for access control to have a feature like this. The same is true of protected and any other type-based access control scheme.

I’m not really understanding what you’re saying here. I think we might be saying the same thing. My understanding was

struct Foo {
  scope(extension) var x: Int
}

means that I can write

extension Foo {
  func bar() {
    x += 1
  }
}

unlike if I had chose Swift 3.0 private.

Nope. This is an example of what it means:

extension Foo {
    struct Bar {
        access(extension) var int = 42
    }
    // Bar.int is available here but not outside the scope of this extension
}

If extensions could have names we wouldn’t need `extension` as a scope specifier. Since they don’t, we do.

The example you gave has all of the problems associated with any type-based access control. It is kind of pointless to have a access control like that because it doesn’t offer any real guarantees. Anybody can come along and do this:

extension Foo {
    public var xWrapper: Int { get { return x } set { x = newValue } }
}

This is why I think symbol groups are a more appropriate solution to this use case. They don’t pretend you are really limiting availability in any way but they do allow you to hide the symbol unless an explicit request is made:

import FoosModule including FooExtensions

This makes all symbols in the symbol group `FooExtensions` available. It required explicit opt-in to availability solving the accidental use problem without pretending to really limit the availability of the symbols. I haven’t thought enough about it yet to have an idea of how it might work within the same module but I think this is the right direction for this use case.

Swift's access control system has always followed the idea of strictly hierarchical scopes, it just hasn't allowed us to name most of them. I think this was a really good principle that we should continue to embrace.

That said, I do have some thoughts about ways to address the kinds of use cases people have in mind for "extensions or subclasses of the type" visibility. The idea I have been exploring is what I have been calling "symbol groups". I have been thinking about this in the context of imported symbols and haven't given any thought as to how it might apply outside that context. The way it looks with an import is this:

import UIKit including UIGestureRecognizerSubclasses

The idea here is that the symbols reside in the same (sub)module as the other symbols they are related to but are not imported unless the symbol group name is explicitly stated. This solves the problem of unintentional or inappropriate symbol availability and accidental misuse without offering promises of encapsulation that can't really be followed through on (as is the case with `protected`).

This is obviously well outside the scope of this proposal but is something I think would be worth pursuing at some point.

Thanks for the great proposal, Matthew!

Thanks Jaden! I'm really happy that you like it. I was pretty uncertain about how it would be received. It's encouraging to see that others like the idea. :slight_smile:

Definitely! I appreciate your hard work! I realize how time-consuming it is to write these proposals, not to mention thinking through them!

Thanks! It always seems to take a lot more time than I expect when I first start working on a proposal.

Cheers,
Jaden Geller

On Mar 2, 2017, at 11:58 AM, Matthew Johnson via swift-evolution <swift-evolution@swift.org> wrote:

I’ve been continuing to think about how to provide clear and consistent semantics for access control in Swift. This draft represents what I think is the best way to accomplish that. It eliminates the current inconsistencies and establishes a principled basis for the features we have today as well as the enhancements we may need in the future. It does this with minimal breaking changes.

The draft is included below and can also be found here: https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md.

I’m looking forward to everyone’s feedback.

Matthew

A Consistent Foundation For Access Control: Scope-Bounded Capabilities
Proposal: SE-NNNN
Authors: Matthew Johnson
Review Manager: TBD
Status: Awaiting review
Introduction

This proposal introduces a consistent foundation for all access control in Swift: scope-bounded capabilities. The existing access control features are generalized with a single mechanism that unifies their semantics. This unified mechanism eliminates the inessential complexity and inconsistency of the current system while expanding its utility.

Swift-evolution thread: Discussion thread topic for that proposal

Motivation

The new access control features in Swift 3 have proven to be extremely controversial. The most common refrain is that we need a more simple system. In order to accomplish this we need to do more than tweak the system we already have. We need to revisit the foundation of the system itself.

Simple Made Easy

Rich Hickey gave a fantastic talk called [Simple Made Easy])(https://www.infoq.com/presentations/Simple-Made-Easy). In this talk Rich explores the etymology and relationship of the words "simple", "complex", and "easy". The meanings he explores are:

Complex: entangled, intertwined, interleaved, braided together
Simple: one strand, single focus, disentangled
Easy: familiar, nearby, readily at hand
The central point Rich makes in this talk is that when a design entangles two orthogonal concepts complexity is the result. He coins the term "complect" to refer to this kind of inessential complexity. This complexity can be removed by disentangling the concepts. Instead of "complecting" independent concerns we can compose them.

The result is a simpler system. It is simpler because independent concepts can be considered and understood independently of each other.

The composition of independent concerns also results in a more flexible system. When orthogonal concepts are entangled it is more difficult to extend the system to meet future needs. One concept cannot be extended independently of the other. It is not possible to make independent decisions about what should be orthogonal aspects of the design.

Rich believes that the programming community is often too quick to reach for an immediately "easy" solution. Unfortunately, the "easy" solution often entangles concepts and are therefor actually complex. He suggests that we firstdesign a simple (i.e. disentangled) solution and then layer ease of use and familiarity on top, thus the title "Simple Made Easy".

Two orthogonal concepts

The access control system in Swift 3 incorporates two orthogonal concepts: availability and capability. Availability is what immediately comes to mind when one thinks of access control: a symbol is either available or it is not. Capability is more nuanced. It refers to what you can do with that symbol.

Each declaration supports a basic capability which is always available when the symbol itself is available. Many declarations also offer additional capabiities (such as the ability to inherit, override, set a property, etc). These additional capabilities may be less available than the symbol itself.

In Swift, availability is always specified in terms of a scope. Swift does not currently have a consistent way to talk about capabilities. Thus far we have introduced new syntax every time we wish to distinguish the availabiltiy of an additionalcapability from that of the symbol itself:

open vs public access modifiers classes and methods
Access modifier parameterization for setter availability: private(set)
The @closed attribute which has been discussed as a way to specify non-resilient enums in Swift 4*
It is clear that we need to be able to talk about not just basic availability, but also capabilities. It would be very nice if we had one consistent way to do this. This can be accomplished by composing the concepts of availability and capability into the notion of a scope-bounded capability.

*@closed would lie outside the access control system proper. It is included for the sake of completeness. It is also included to demonstrate how the language currently lacks a clear and obvious way to specify new capability bounds when they are arise.

Problems with Swift's access control system

Swift's current access control system can has several problems.

Inconsistency

As noted above, the ways additional capabilities are bounded is inconsistent. The semantics of public are also inconsistent.

Internal default

The Swift evolution community has adopted the principle that nothing should be available outside a module without an explicit declaration of intent by a library author. This is an excellent default which protects library authors against making an error of omission that would require a breaking change to correct. Unfortunately this principle has not been consistently applied.

public

In most cases public only provides access to the basic capability a declaration offers. This is true by definition for declarations do not offer additional capabilities but it is also true for classes (with respect to inheritance) and class methods (with respect to overrides).

However, there are three cases where public currently provides access to additional capabilities:

public var allows access to the setter
public enum allows exhaustive switch
public protocol allows new conformances to be introduced
It is not currently possible to declare resilient enums or closed protocols but both have received significant discussion. Further, resilient enums need to be supported before ABI stability is declared. A consistent access control system would treat these as independent capabilities that are not made available with a simple public declaration.

private and fileprivate

The most heavily debated aspect of the changes to the access control system in Swift 3 is without question the change in meaning of private to be the current lexical scope and the renaming of the file-level scope to fileprivate. This change was made with the idea that a lexically scoped private would prove to be a good "soft default" for a less-than-module availability bound. While many users appreciate the semantics of a scope-based access modifier it has not proven to be a good "soft default" and therefore does not deserve the name private.

Extensions

In languages without extensions lexically scoped availability is equivalent to type-based availability for members of a type. In such a language it could make a reasonable default. Swift is not such a language.

Using several extensions on the same type within the same file is an extremely common Swift idiom. This idiom is not well supported by a "soft default" of scope-based availability. The tension between a pervasive idiom and the "soft default" leads to confusion about when scope-based a availability is appropriate, and often an overuse of the feature. It also leads to the need to use fileprivate much more frequently than is desirable for such an awkward keyword.

Types and members

A "soft default" should not have subtle behavior that has the potential to confuse beginners. Most beginners would expect Foo and bar in the following example to have the same visibility. This was true in Swift 2 but it is not true in Swift 3.

private struct Foo {
    private var bar = 42
}
An advanced feature

Lexically scoped availability has important uses such as preserving invariants. All access to invariant-related state can be routed through basis methods which access the state carefully without violating invariants, even when that access happens in an extension in the same file. We should not abandon this tool but it should not be the "soft default". It is best reserved for specific use cases where the guarantee it offers is important to correctess of the software.

Essential and inessential complexity

The inconsistencies noted above and a bad "soft default" of private are all forms of inessential complexity. This makes Swift's access control system more difficult to understand and use than it needs to be and causes confusion.

At the same time the essential complexity of capabilities that are bounded independent of basic symbol availability is not explicitly acknowledged and embraced. This also makes the access control system more difficult to understand and use than it should be. Users are not taught to think in terms of independently bounded capabilities. This is a concept that could be learned once and applied generally if it was more visible in the language.

Proposed solution

The proposed solution is to establish a semantic foundation for access control that is simple in the sense of composing rather than interleaving independent concerns. The solution is made easy by defining familiar names in terms of this foundation while preserving the semantics Swift users expect them to have. It is consistent in its use of a single mechanism for bounding capabilities and its default of internal for all capabilities.

Scope-bounded capabilities

All access control is defined in terms of a parameterized access modifier that allows the user to specify a capability and a scope that bounds that capability.

// The scope of the setter is the current file.
scope(set, file) var foo = 42
Each parameter has a default argument. The default argument for the capability is simply the basic capability the declaration provides. For a variable this is the getter, for a method it is the ability to call the method, for a type it is the ability to use the type and so on. The default argument for the scope is the current lexical scope.

// The scope of the getter is the current lexical scope.
// This is equivalent to `private var foo = 42` in Swift 3.
scope var foo = 42

// The scope of the getter is the current file.
scope(file) var bar = 42

// The scope of the setter is the current lexical scope.
scope(set) var baz = 42
The scope of the basic capability implicitly bounds additional capabilities: if basic use of a symbol is not available it is not possible to anything with that symbol. This is similar to the existing rule that a type implicitly bounds the availability of all symbols declared within its scope: a public property of an internal type is not available outside the module because the type itself is not available.

Aliases

This modifier is simple (in the sense defined above), general and powerful. However it is also unfamiliar, often slightly verbose, and offers a very wide configuration space. Familiar aliases are provided as "soft defaults" which are recommended for common use cases.

These aliases introduce no additional semantics. Once a user understand scopes, capabilities and how they compose to produce scope-bounded capabilities the user also has the ability to understand all aliases we introduce. Tools could even make the definition of the alias available to remind the user of its underlying meaning (similarly to they way Xcode allows a user to command-click to see a symbol definition).

These aliases are defined in terms of the parameterized scope modifier:

private(capability) = scope(capability, file)
internal(capability) = scope(capability, submodule)
public(capability) = scope(capability, everywhere)
open = scope(inherit, everywhere)
open = scope(override, everywhere)
final = scope(inherit, nowhere)
final = scope(override, nowhere)
total = scope(switch, everywhere)
private reverts to the Swift 2 semantics. scope with no parameters has semantics equivalent to that of private in Swift 3.

internal is specified in terms of submodule and is equivalent to module scope until submodules are introduced. It is specified this way to indicate the intent of the author should submodules be added.

total is a placholder subject to bikeshedding. total enum provides semantics equivalent to public enum. public enum receives the semantics of resilient enums. If a suitable shorthand is not identified the slightly longer public(switch) enum can be used to specify an enum which supports exhaustive switch outside the module.

open, final and closed are overloaded based on the kind of declaration they are applied to.

Scopes

The hierarchy of scopes is as follows:

nowhere
lexical
TypeName
extension
file
submodule
SubmoduleName
module
everywhere
The name of any ancestor type or submodule of a declaration, including the immediately containing type or submodule, form the set of valid user-defined scope references.

Including nowhere allows us to define final in terms of this system. It also allows us to model all properties and functions with the same set of capabilities: the setter of a read only property is automatically bounded to nowhere and the override capability of a function that is not a class method is automatically bounded to nowhere.

Allowing users to reference any ancestor scope introduces affords advanced users a degree of control that is not possible in the current access control system. If submodules are introduced into Swift this additional control will be especially useful as a means to facilitate bounded collaboration between peer submodules allowing them to communicate in ways not available to the rest of the module.

Capabilities

The capabilities available depend on the kind of declaration an access modifier is applied to. All declarations offer a basiccapability that is always available when the declaration itself is available. The basic capability is specified by default when the scope modifier or a parameterized alias is used without an explicit capability argument. Some declarations also offer additional capabilities which may have an independent bound applied to them.

Properties and subscripts

get (the basic capability)
set (for readwrite properties only)
override (for class properties only)
Functions and initializers

call (the basic capability)
override (for class methods only)
Types

use (the basic capability)
inherit (for classes)
switch (for enums)
Protocols

use (the basic capability)
conform
Extensions and typealiases

use (the basic capability)
Scalable in the future

As the language grows the mechanism of scope-bounded capabilities can be extended in an obvious way to meet the needs of future declarations and capabilities. Users are only required to learn about the new declaration or capability that was introduced. Their existing knowledge of the scope-bounded capability access control system is immediately applicable.

Detailed design

Rules

The rules which make up the essential complexity in Swift's access control system are:

The default scope for all capabilites a declaration offers is module-wide (or submodule-wide in the future).
The scope of a capability may be modified by an explicit access modifier.
The scope of an additional capability is implicitly bounded by the scope of the basic capability.
The scope of an additional capability may not be explicitly specified as greater than that of the basic capability.
If no scope is explicitly provided for the basic capability and an additional capability is specified to be available outside the (sub)module the basic capability is also given the same availability.
The scope of a declaration (including all capabilities) may be bounded by the declaration of ancestor.
The scope of a declaration may not be greater than the scope of the capabilities necessary to use that declaration: if you can't see a parameter type you can't call the function.
Most of these rules already exist in Swift's access control system. There is one change and one addition:

The first rule changes the availability of the additional capability of public readwrite properties, protocols and enums.
The fifth rule affords shorthand for implicitly making the basic capability public when an additional capability is also made public.
Grammar

The changes to the access modifier grammar are as follows:

access-level-modifier → scope­ | scope­(­ capability-specifier ­)­ | scope­(­ scope-specifier ­)­ | scope­( capability-specifier ­, scope-specifier ­)­
access-level-modifier → private­ | private­(­ capability-specifier ­)­
access-level-modifier → internal­ | internal­(­ capability-specifier ­)­
access-level-modifier → public­ | public­(­ capability-specifier ­)­
access-level-modifier → open­
access-level-modifier → final
access-level-modifier → total

scope-specifier → nowhere | extension | file | submodule | module | everywhere | identifier
capability-specifier → set | inherit | override | conform | switch
Playground

A Swift playground that includes a prototype of the basic scope-bounded capability access modifier as well as the aliases is availabe here.

Future possibilities

Scope-bounded capabilities are able to express set-only properties and override-only methods with a minor change to the rules of the system. These features have been requested on the list in the past. In the case of override-only methods there are known examples in Apple's frameworks. Allowing support for these would add some complexity to the model and is not essential to establishing a consistent basis for the existing access control feature.

Source compatibility

This proposal will not cause any Swift 3 source to fail to compile but will produce different behavior in three cases. In all cases a mechanical migration is possible.

public var

This proposal removes the availability of the setter of a public var outside the module, requiring public(set) var to expose the setter. This requires a migration of existing code. We could ease this transition with a deprecation warning in one release and then introduce the semantic change in the following release.

public enum

This proposal removes the availability of exhaustive switch from public enums. Non-resilient enums will need to be declared as a total enum (or the equivalent keyword chose after bikeshedding) or public(switch) enum if we choose not to introduce an alias for this semantic. As with public var, a deprecation warning and deferred semantic change could be used to ease the transition.

public protocol

This proposal requires protocols conformable outside the module to use the open protocol alias rather than public protocol. Visible but not conformable protocols are out of scope for Swift 4. This means that in Swift 4 open protocoland public protocol could share the same semantics with a deprecation warning on public protocol telling users to use open and that the semantics of public protocol will be different in the future. We could remove support for public protocol in a point release, reserving it until we introduce the ability for a protocol to be visible but not conformable.

Effect on ABI stability

If this proposal impacts ABI stability it would be in the area of runtime metadata or introspection. Input on this topic is welcome.

Effect on API resilience

This proposal does not impact API reslience. The proposed solution recasts some existing features but does so in a way that should be backwards compatible. No existing semantics are changed, only how those semantics are stated syntactically.

Alternatives considered

The primary alternative is to continue using the ad-hoc approach to meeting our access control needs. There have been many different ideas about how we might be able to simplify the current system by removing or slightly tweaking some of the existing features. The author believes this approach will not be able to meet future needs well and will continue to be burdened by the accumulation of inessential complexity. This situation will get worse, not better, as new features are added to the language.
_______________________________________________
swift-evolution mailing list
swift-evolution@swift.org
https://lists.swift.org/mailman/listinfo/swift-evolution


(Jaden Geller) #2

Why not add a scope which allows access to the variables and functions only for the type itself and its extensions, but only within the current module?

Because this is really identical to module-wide visibility. Any file in the whole module can contain an extension of the type. See my earlier responses to Jaden for more details.

Yes, but you can also change the original source to change the visibility too, so I don't find this argument compelling. I could also add code in the other file too… Disallowing this control level simplify restricts code organization.

The idea is this visibility expresses that it is an implementation detail of the type while recognizing that extensions might need access to it. Perhaps you can implement an extension more efficiently if you're not restricted to going through the public abstraction.

···

On Mar 3, 2017, at 3:08 PM, Matthew Johnson <matthew@anandabits.com> wrote:

On Mar 3, 2017, at 5:02 PM, Paweł Wojtkowiak <neframair@gmail.com> wrote:

This would result in limitation of visibility from the outside (the same way private does) except for the fact that extensions could actually change these variables/functions. Also, restricting it to the module at the same time would not allow access to them and doing extensions like xWrapper (mentioned in one of the mails), unless it was in the same module, but even then it is just easier to change the type itself instead of doing wrapper extensions since the developer has access to it anyway.

I think this would be convenient because outside of the type and its internal extensions these entities would not appear as for public use.

This falls into the same category as protected. If you read through my earlier responses to Jaden you’ll see that I think there is a better way to handle this kind of use case.

Sent from my iPhone

On 3 Mar 2017, at 20:24, Matthew Johnson <matthew@anandabits.com> wrote:

On Mar 2, 2017, at 10:30 PM, Jaden Geller <jaden.geller@gmail.com> wrote:

On Mar 2, 2017, at 7:51 PM, Matthew Johnson <matthew@anandabits.com> wrote:

Sent from my iPad

On Mar 2, 2017, at 3:35 PM, Jaden Geller <jaden.geller@gmail.com> wrote:

Hi Matthew,

Overall, I think this is a great simplification of the access control mechanism! I really appreciate the focus on both “simple made easy” and safe defaults.

Thanks Jaden! I appreciate your thoughtful feedback!

I have a few comments and questions:

(1) It seems odd to use `scope` as both an access control modifier alone and as a function-like attribute. Perhaps something like `access(set, scope)` would be better than `scope(set)`. As it is, we're conflating scope with meaning visibility and lexical scope—I found that very confusing.

This is good feedback. The reason I designed it this way is because it is intended to work like the existing access modifiers which can be parameterized or stand alone. The idea is that it is analogous to a function with default arguments and we treat the unbound function as if it had been called with no explicit arguments (using the defaults). There is an example of this in the playground prototype I included.

That said, there is a difference - the existing modifiers don't accept a scope argument. I can see how this could make it more confusing. In the current design `scope(set, lexical)` is already valid and is similar to the `access(set, scope)` idea you suggested.

One thing I want to be very careful about is making the syntax read well if possible. In the playground I even used argument labels `scope(of: set, is: lexical)`. I think that would be too verbose in real code but I think it's important that this read like a sentence in our minds at least.

One option would be to simply remove the default scope argument and require it to be provided explicitly when lexical scope is intended. I'm not sure how I feel about that. I'm going to spend some time thinking about this further. I definitely don't want the shorthand (without arguments) to be a source of confusion.

I think this would be an improvement.

As a sidenote, if there were to be an alias for lexical access control, think the pseudo-adjective `scoped` aligns better with the adjective `public`, `internal`, and `private`. The noun `scope` seems out of place.

Interesting that you say this. I had suggested `scoped` earlier and had second thoughts about that because a verb feels a little bit out of place next to `public`, `internal` and `private`. But I think you’re right that `scoped` does read more similar to them. I will go this route.

(2) I think that the attribute should be spelled `@access` like other attributes in Swift, `@availability` for example. This seems more consistent.

If it were an attribute I would agree. But it's not, it's an access modifier. Those don't have the `@`.

I guess I’m suggesting that it might be better expressed as an attribute. The attribute `@available` is already used to specify symbol visibility (based on platform, version, etc.), so it seem best to align access control by using an attribute as well. I agree that the aliases like `private` shouldn’t require an `@` for concision…

Do we have any cases where we have both an attribute and a declaration modifier that both have the same semantics? I don’t think so. That seems a little bit strange to me. I can see why you would associate this with `@available` but I think it’s better to define it as a declaration modifier.

(Does Swift have a hard-and-fast rule for which modifiers should use attributes and which should use keywords? Or even a more hand-wavey rule? It seems almost arbitrary to me…)

As far as I know declaration modifiers never have `@` and attributes do. I don’t have a good sense of how we decide when something is better expressed as an attribute vs being a declaration modifier. Maybe somebody from the core team can comment on this.

Another benefit is that there’s stylistic precedent for attribute declarations to be placed on the line before the declaration. This works well with wordier restrictions.

I don’t think style should influence whether we use `@` or not. We are free to establish a common style that places longer declaration modifiers on a previous line. I think the community will eventually converge on a reasonable style regardless of how it looks.

(3) Speaking of `@availability`, how do you suppose access control ought to interact with that? Can I somehow mark that the setter was public in a previous version but is now private?

This is a good question. I am not familiar enough with `@availability` to answer off the top of my head. Do you think this is something that needs to be addressed by this proposal?

I’m not entirely sure. It _probably_ doesn’t need to be addressed just yet. I don’t think `@availability` currently has such features, so it would be additive.

Sounds good.

(4) The function-like access control attribute as you proposed it has very odd semantics, especially compared to Swift functions. For example, both `scope(get, file)` and `scope(file)` are valid spellings, as if `get` was a default argument, but Swift does not allow default arguments in that position without labels. Obviously this isn’t a parsing problem since we’re using keywords, but I find it very confusing. Either swap the order of the arguments or, I would prefer, add labels. With my `@access` spelling, we might have `@access(get, in: file)` and `@access(in: file)`.

I actually used labels in the playground and thought about including them in the proposal. I decided against it on the grounds that access modifiers are pervasive and the labels could quickly be seen as noise. If others feel they are important I have no objection.

I like labels, but I can understand the preference for concision. It just confuses my mental model when the semantics cannot be implemented in Swift. In your playground, try removing your labels—the function becomes impossible to call without specifying the capability argument!

I think the default for the capability and the sequence of arguments are both pretty important aspects of the design. The former because we often want to bound *all* capabilities in the same way and bounding the default capability does this. It reads more clearly to only specify the scope. The sequence of arguments is important because I think it reads much better: “access to the setter is bounded to the file”. I think it also reduces the chance that a reader misses the capability and only notices the scope.

We should have a bikeshed discussion about whether labels should be required, optional, or not allowed. I would be happy to let community consensus decide this.

(Sidenote: Why doesn’t Swift warn on function declarations that provide unusable default arguments??)

For the record, `@available` does not use labels. It even omits commas in places I might expect them… `@available(swift 3.0.2)`.

(5) It seems odd that `call` is the name of the default visibility for functions. I agree with the semantics, but the naming seems to imply that I could still refer to the value `let foo = myFunction` but not call it.

Some of these names were pretty tough to decide on. I wholeheartedly embrace bikeshedding here. I wouldn't be surprised if community input can improve on the names I have used. :slight_smile:

I agree that we should eventually bikeshed, but I’m trying to focus on the semantics first :slight_smile:

Yes, that’s a good call. I just wanted to make it clear that I’m not fixated on the naming and acknowledge that it’s a hard problem. :slight_smile:

I chose `call` because if you can see a function you can call it. It isn't possible to see it, bind it to a name, etc without being able to call it and it probably shouldn't ever be.

For Types and Protocols, `use` seems like a very generic word to, well uh, use. Perhaps `visible` would make more sense (though it is not a verb like the others…)?

I agree. This was the most difficult name to decide on. The notion I tried to capture is that if you can see a type you can work with values of of that type (as well as access it's static members). I would be very happy if we could identify a better name.

Perhaps `constrain`?

This is also something you can always do when you can see a protocol, but you can also use it as an existential (thinking ahead to generalized existentials) so you can also work with values of the protocol existential type.

I was potentially recommending constrain for types too. `let x: Int` constrains `x` to be type `Int`, and `let y: Hashable` constraints `y` to be the (existential) type `Hashable`, or at least will once that’s possible. I’m not sure this is a good spelling, just throwing it out there…

Ahh, that’s an interesting perspective.

I think the name `switch` for enums is also not particularly great, but this probably isn’t the time to bikeshed naming.

I used `switchExhaustively` in an earlier draft but thought it was too verbose. Maybe the verbosity is necessary?

Well, I think that the name `switch` is misleading, but I don’t love this more verbose name either. I was thinking `closed` maybe? …since it guarantees that no more cases can be added. Not sure.

Misleading because you can always `switch`, it just might not be exhaustive? That makes sense but maybe it’s not that big a deal because it would be documented as meaning exhaustive. I’m not sure.

I don’t think `closed` is the best name for this because I think the names should focus on the *capability*. `closed` focuses on the restriction placed on future versions of the library.

(6) Do closed protocols fit into this model? The `conform` capability allows API users to add additional conformances, but there’s no capability to promise that the API maintainer itself won’t add additional conformances. Obviously adding this features is out of the scope of this proposal, but I want to know how it might be spelled in this scheme.

Yes. I think this would use the same capability name as enums that support exhaustive switch.

One interesting point is that this would introduce the notion of mutually exclusive capabilities. You can't have both `public(conform)` and `public(switch)`.

(7) It isn’t immediately clear to me the “hierarchy” of additional capabilities. Obviously `set` is a refinement of `get`, but is `override` a refinement on `set` or `get`? Or are they entirely separate? Can you use both? It would be useful to formalize what happens when the access level is specified for multiple additional capabilities.

Great question. I'll add clarification on this point in the next draft. The short answer is that the bounds of additional capabilities are usually independent of each other.

That said, as noted above, in some cases they could be mutually exclusive. It's also possible that they could have other kinds of relationships. This really depends on the semantics of the declaration providing the capabilities.

I think we really ought to formalize these relationships. It’s difficult to reason about otherwise.

The only relationship that exists is currently the relationship between the basic capability and additional capabilities. The scope of the basic capability implicitly bounds that of the additional capabilities and if the scope of an additional capability is wider than `internal` when no explicit bound is provided for the basic capability the bound of the basic capability is widened accordingly.

I have given some thought to formalizing semantic relationships between capabilities but I think it adds complexity to the model for not much gain at the moment. The two simple rules above suffice. We can formalize additional semantic relationships if / when that becomes necessary. Does that make sense? If not, can you offer elaborate on what you would like to see? I want to facilitate reasoning as much as possible without adding unnecessary complexity to the initial model.

(8) It may be useful to clarify the hierarchy of scopes. Each name is mentioned, but it isn’t intuitively obvious how it works. Does `TypeName` essentially allow me to make friend classes, via `@access(set, in: Foo)`, a la C++. If so, that’s pretty cool! I’m assuming `extension` gives visibility in extensions to this type? What about subclasses—is there a sort of `protected` scope?

Great question. I'll clarify this further in an updated draft.

In the meantime, I'm afraid I'm going to have to let you down a bit on this point. Scopes form a strictly nested hierarchy. This means that you can only reference an ancestor scope.

For types, this simply follows the lexical nesting of types and member declarations. A declaration may reference the scope of a type that contains it by using the name of the type. The capability is available to any declarations within the lexical scope of the type declaration, including other types. But it is intentionally *not* like `friend` in C++.

Unfortunate. If the community found this desirable, would it be additive to add this in the future? I don’t necessary want friend types, but I like that this syntax would make them much, much, much more intuitive than in C++. You wouldn’t even have to read the docs to understand the feature—just read the declaration!

They syntax could certainly be extended to support something like this but it doesn’t really work semantically. This is not a limitation of this model. Instead it is a limitation of any type-based access control. Types don’t facilitate a real encapsulation boundary, especially in a language like Swift where a type can be extended in any scope that can see the type. The core team has repeatedly opposed type-based access control for precisely this reason. I don’t expect that to change but if it did, this syntax could certainly be extended to support such a feature.

`extension` is simply a way to reference the lexical scope created by an extension that contains a declaration. It does not provide access to extensions of the type containing the declaration.

The purpose of access control is compiler verified encapsulation. Since anybody can add an extension anywhere the compiler can't really offer any useful verification of encapsulation. I don't think it would be a good idea for access control to have a feature like this. The same is true of protected and any other type-based access control scheme.

I’m not really understanding what you’re saying here. I think we might be saying the same thing. My understanding was

struct Foo {
  scope(extension) var x: Int
}

means that I can write

extension Foo {
  func bar() {
    x += 1
  }
}

unlike if I had chose Swift 3.0 private.

Nope. This is an example of what it means:

extension Foo {
    struct Bar {
        access(extension) var int = 42
    }
    // Bar.int is available here but not outside the scope of this extension
}

If extensions could have names we wouldn’t need `extension` as a scope specifier. Since they don’t, we do.

The example you gave has all of the problems associated with any type-based access control. It is kind of pointless to have a access control like that because it doesn’t offer any real guarantees. Anybody can come along and do this:

extension Foo {
    public var xWrapper: Int { get { return x } set { x = newValue } }
}

This is why I think symbol groups are a more appropriate solution to this use case. They don’t pretend you are really limiting availability in any way but they do allow you to hide the symbol unless an explicit request is made:

import FoosModule including FooExtensions

This makes all symbols in the symbol group `FooExtensions` available. It required explicit opt-in to availability solving the accidental use problem without pretending to really limit the availability of the symbols. I haven’t thought enough about it yet to have an idea of how it might work within the same module but I think this is the right direction for this use case.

Swift's access control system has always followed the idea of strictly hierarchical scopes, it just hasn't allowed us to name most of them. I think this was a really good principle that we should continue to embrace.

That said, I do have some thoughts about ways to address the kinds of use cases people have in mind for "extensions or subclasses of the type" visibility. The idea I have been exploring is what I have been calling "symbol groups". I have been thinking about this in the context of imported symbols and haven't given any thought as to how it might apply outside that context. The way it looks with an import is this:

import UIKit including UIGestureRecognizerSubclasses

The idea here is that the symbols reside in the same (sub)module as the other symbols they are related to but are not imported unless the symbol group name is explicitly stated. This solves the problem of unintentional or inappropriate symbol availability and accidental misuse without offering promises of encapsulation that can't really be followed through on (as is the case with `protected`).

This is obviously well outside the scope of this proposal but is something I think would be worth pursuing at some point.

Thanks for the great proposal, Matthew!

Thanks Jaden! I'm really happy that you like it. I was pretty uncertain about how it would be received. It's encouraging to see that others like the idea. :slight_smile:

Definitely! I appreciate your hard work! I realize how time-consuming it is to write these proposals, not to mention thinking through them!

Thanks! It always seems to take a lot more time than I expect when I first start working on a proposal.

Cheers,
Jaden Geller

On Mar 2, 2017, at 11:58 AM, Matthew Johnson via swift-evolution <swift-evolution@swift.org> wrote:

I’ve been continuing to think about how to provide clear and consistent semantics for access control in Swift. This draft represents what I think is the best way to accomplish that. It eliminates the current inconsistencies and establishes a principled basis for the features we have today as well as the enhancements we may need in the future. It does this with minimal breaking changes.

The draft is included below and can also be found here: https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md.

I’m looking forward to everyone’s feedback.

Matthew

A Consistent Foundation For Access Control: Scope-Bounded Capabilities
Proposal: SE-NNNN
Authors: Matthew Johnson
Review Manager: TBD
Status: Awaiting review
Introduction

This proposal introduces a consistent foundation for all access control in Swift: scope-bounded capabilities. The existing access control features are generalized with a single mechanism that unifies their semantics. This unified mechanism eliminates the inessential complexity and inconsistency of the current system while expanding its utility.

Swift-evolution thread: Discussion thread topic for that proposal

Motivation

The new access control features in Swift 3 have proven to be extremely controversial. The most common refrain is that we need a more simple system. In order to accomplish this we need to do more than tweak the system we already have. We need to revisit the foundation of the system itself.

Simple Made Easy

Rich Hickey gave a fantastic talk called [Simple Made Easy])(https://www.infoq.com/presentations/Simple-Made-Easy). In this talk Rich explores the etymology and relationship of the words "simple", "complex", and "easy". The meanings he explores are:

Complex: entangled, intertwined, interleaved, braided together
Simple: one strand, single focus, disentangled
Easy: familiar, nearby, readily at hand
The central point Rich makes in this talk is that when a design entangles two orthogonal concepts complexity is the result. He coins the term "complect" to refer to this kind of inessential complexity. This complexity can be removed by disentangling the concepts. Instead of "complecting" independent concerns we can compose them.

The result is a simpler system. It is simpler because independent concepts can be considered and understood independently of each other.

The composition of independent concerns also results in a more flexible system. When orthogonal concepts are entangled it is more difficult to extend the system to meet future needs. One concept cannot be extended independently of the other. It is not possible to make independent decisions about what should be orthogonal aspects of the design.

Rich believes that the programming community is often too quick to reach for an immediately "easy" solution. Unfortunately, the "easy" solution often entangles concepts and are therefor actually complex. He suggests that we firstdesign a simple (i.e. disentangled) solution and then layer ease of use and familiarity on top, thus the title "Simple Made Easy".

Two orthogonal concepts

The access control system in Swift 3 incorporates two orthogonal concepts: availability and capability. Availability is what immediately comes to mind when one thinks of access control: a symbol is either available or it is not. Capability is more nuanced. It refers to what you can do with that symbol.

Each declaration supports a basic capability which is always available when the symbol itself is available. Many declarations also offer additional capabiities (such as the ability to inherit, override, set a property, etc). These additional capabilities may be less available than the symbol itself.

In Swift, availability is always specified in terms of a scope. Swift does not currently have a consistent way to talk about capabilities. Thus far we have introduced new syntax every time we wish to distinguish the availabiltiy of an additionalcapability from that of the symbol itself:

open vs public access modifiers classes and methods
Access modifier parameterization for setter availability: private(set)
The @closed attribute which has been discussed as a way to specify non-resilient enums in Swift 4*
It is clear that we need to be able to talk about not just basic availability, but also capabilities. It would be very nice if we had one consistent way to do this. This can be accomplished by composing the concepts of availability and capability into the notion of a scope-bounded capability.

*@closed would lie outside the access control system proper. It is included for the sake of completeness. It is also included to demonstrate how the language currently lacks a clear and obvious way to specify new capability bounds when they are arise.

Problems with Swift's access control system

Swift's current access control system can has several problems.

Inconsistency

As noted above, the ways additional capabilities are bounded is inconsistent. The semantics of public are also inconsistent.

Internal default

The Swift evolution community has adopted the principle that nothing should be available outside a module without an explicit declaration of intent by a library author. This is an excellent default which protects library authors against making an error of omission that would require a breaking change to correct. Unfortunately this principle has not been consistently applied.

public

In most cases public only provides access to the basic capability a declaration offers. This is true by definition for declarations do not offer additional capabilities but it is also true for classes (with respect to inheritance) and class methods (with respect to overrides).

However, there are three cases where public currently provides access to additional capabilities:

public var allows access to the setter
public enum allows exhaustive switch
public protocol allows new conformances to be introduced
It is not currently possible to declare resilient enums or closed protocols but both have received significant discussion. Further, resilient enums need to be supported before ABI stability is declared. A consistent access control system would treat these as independent capabilities that are not made available with a simple public declaration.

private and fileprivate

The most heavily debated aspect of the changes to the access control system in Swift 3 is without question the change in meaning of private to be the current lexical scope and the renaming of the file-level scope to fileprivate. This change was made with the idea that a lexically scoped private would prove to be a good "soft default" for a less-than-module availability bound. While many users appreciate the semantics of a scope-based access modifier it has not proven to be a good "soft default" and therefore does not deserve the name private.

Extensions

In languages without extensions lexically scoped availability is equivalent to type-based availability for members of a type. In such a language it could make a reasonable default. Swift is not such a language.

Using several extensions on the same type within the same file is an extremely common Swift idiom. This idiom is not well supported by a "soft default" of scope-based availability. The tension between a pervasive idiom and the "soft default" leads to confusion about when scope-based a availability is appropriate, and often an overuse of the feature. It also leads to the need to use fileprivate much more frequently than is desirable for such an awkward keyword.

Types and members

A "soft default" should not have subtle behavior that has the potential to confuse beginners. Most beginners would expect Foo and bar in the following example to have the same visibility. This was true in Swift 2 but it is not true in Swift 3.

private struct Foo {
    private var bar = 42
}
An advanced feature

Lexically scoped availability has important uses such as preserving invariants. All access to invariant-related state can be routed through basis methods which access the state carefully without violating invariants, even when that access happens in an extension in the same file. We should not abandon this tool but it should not be the "soft default". It is best reserved for specific use cases where the guarantee it offers is important to correctess of the software.

Essential and inessential complexity

The inconsistencies noted above and a bad "soft default" of private are all forms of inessential complexity. This makes Swift's access control system more difficult to understand and use than it needs to be and causes confusion.

At the same time the essential complexity of capabilities that are bounded independent of basic symbol availability is not explicitly acknowledged and embraced. This also makes the access control system more difficult to understand and use than it should be. Users are not taught to think in terms of independently bounded capabilities. This is a concept that could be learned once and applied generally if it was more visible in the language.

Proposed solution

The proposed solution is to establish a semantic foundation for access control that is simple in the sense of composing rather than interleaving independent concerns. The solution is made easy by defining familiar names in terms of this foundation while preserving the semantics Swift users expect them to have. It is consistent in its use of a single mechanism for bounding capabilities and its default of internal for all capabilities.

Scope-bounded capabilities

All access control is defined in terms of a parameterized access modifier that allows the user to specify a capability and a scope that bounds that capability.

// The scope of the setter is the current file.
scope(set, file) var foo = 42
Each parameter has a default argument. The default argument for the capability is simply the basic capability the declaration provides. For a variable this is the getter, for a method it is the ability to call the method, for a type it is the ability to use the type and so on. The default argument for the scope is the current lexical scope.

// The scope of the getter is the current lexical scope.
// This is equivalent to `private var foo = 42` in Swift 3.
scope var foo = 42

// The scope of the getter is the current file.
scope(file) var bar = 42

// The scope of the setter is the current lexical scope.
scope(set) var baz = 42
The scope of the basic capability implicitly bounds additional capabilities: if basic use of a symbol is not available it is not possible to anything with that symbol. This is similar to the existing rule that a type implicitly bounds the availability of all symbols declared within its scope: a public property of an internal type is not available outside the module because the type itself is not available.

Aliases

This modifier is simple (in the sense defined above), general and powerful. However it is also unfamiliar, often slightly verbose, and offers a very wide configuration space. Familiar aliases are provided as "soft defaults" which are recommended for common use cases.

These aliases introduce no additional semantics. Once a user understand scopes, capabilities and how they compose to produce scope-bounded capabilities the user also has the ability to understand all aliases we introduce. Tools could even make the definition of the alias available to remind the user of its underlying meaning (similarly to they way Xcode allows a user to command-click to see a symbol definition).

These aliases are defined in terms of the parameterized scope modifier:

private(capability) = scope(capability, file)
internal(capability) = scope(capability, submodule)
public(capability) = scope(capability, everywhere)
open = scope(inherit, everywhere)
open = scope(override, everywhere)
final = scope(inherit, nowhere)
final = scope(override, nowhere)
total = scope(switch, everywhere)
private reverts to the Swift 2 semantics. scope with no parameters has semantics equivalent to that of private in Swift 3.

internal is specified in terms of submodule and is equivalent to module scope until submodules are introduced. It is specified this way to indicate the intent of the author should submodules be added.

total is a placholder subject to bikeshedding. total enum provides semantics equivalent to public enum. public enum receives the semantics of resilient enums. If a suitable shorthand is not identified the slightly longer public(switch) enum can be used to specify an enum which supports exhaustive switch outside the module.

open, final and closed are overloaded based on the kind of declaration they are applied to.

Scopes

The hierarchy of scopes is as follows:

nowhere
lexical
TypeName
extension
file
submodule
SubmoduleName
module
everywhere
The name of any ancestor type or submodule of a declaration, including the immediately containing type or submodule, form the set of valid user-defined scope references.

Including nowhere allows us to define final in terms of this system. It also allows us to model all properties and functions with the same set of capabilities: the setter of a read only property is automatically bounded to nowhere and the override capability of a function that is not a class method is automatically bounded to nowhere.

Allowing users to reference any ancestor scope introduces affords advanced users a degree of control that is not possible in the current access control system. If submodules are introduced into Swift this additional control will be especially useful as a means to facilitate bounded collaboration between peer submodules allowing them to communicate in ways not available to the rest of the module.

Capabilities

The capabilities available depend on the kind of declaration an access modifier is applied to. All declarations offer a basiccapability that is always available when the declaration itself is available. The basic capability is specified by default when the scope modifier or a parameterized alias is used without an explicit capability argument. Some declarations also offer additional capabilities which may have an independent bound applied to them.

Properties and subscripts

get (the basic capability)
set (for readwrite properties only)
override (for class properties only)
Functions and initializers

call (the basic capability)
override (for class methods only)
Types

use (the basic capability)
inherit (for classes)
switch (for enums)
Protocols

use (the basic capability)
conform
Extensions and typealiases

use (the basic capability)
Scalable in the future

As the language grows the mechanism of scope-bounded capabilities can be extended in an obvious way to meet the needs of future declarations and capabilities. Users are only required to learn about the new declaration or capability that was introduced. Their existing knowledge of the scope-bounded capability access control system is immediately applicable.

Detailed design

Rules

The rules which make up the essential complexity in Swift's access control system are:

The default scope for all capabilites a declaration offers is module-wide (or submodule-wide in the future).
The scope of a capability may be modified by an explicit access modifier.
The scope of an additional capability is implicitly bounded by the scope of the basic capability.
The scope of an additional capability may not be explicitly specified as greater than that of the basic capability.
If no scope is explicitly provided for the basic capability and an additional capability is specified to be available outside the (sub)module the basic capability is also given the same availability.
The scope of a declaration (including all capabilities) may be bounded by the declaration of ancestor.
The scope of a declaration may not be greater than the scope of the capabilities necessary to use that declaration: if you can't see a parameter type you can't call the function.
Most of these rules already exist in Swift's access control system. There is one change and one addition:

The first rule changes the availability of the additional capability of public readwrite properties, protocols and enums.
The fifth rule affords shorthand for implicitly making the basic capability public when an additional capability is also made public.
Grammar

The changes to the access modifier grammar are as follows:

access-level-modifier → scope­ | scope­(­ capability-specifier ­)­ | scope­(­ scope-specifier ­)­ | scope­( capability-specifier ­, scope-specifier ­)­
access-level-modifier → private­ | private­(­ capability-specifier ­)­
access-level-modifier → internal­ | internal­(­ capability-specifier ­)­
access-level-modifier → public­ | public­(­ capability-specifier ­)­
access-level-modifier → open­
access-level-modifier → final
access-level-modifier → total

scope-specifier → nowhere | extension | file | submodule | module | everywhere | identifier
capability-specifier → set | inherit | override | conform | switch
Playground

A Swift playground that includes a prototype of the basic scope-bounded capability access modifier as well as the aliases is availabe here.

Future possibilities

Scope-bounded capabilities are able to express set-only properties and override-only methods with a minor change to the rules of the system. These features have been requested on the list in the past. In the case of override-only methods there are known examples in Apple's frameworks. Allowing support for these would add some complexity to the model and is not essential to establishing a consistent basis for the existing access control feature.

Source compatibility

This proposal will not cause any Swift 3 source to fail to compile but will produce different behavior in three cases. In all cases a mechanical migration is possible.

public var

This proposal removes the availability of the setter of a public var outside the module, requiring public(set) var to expose the setter. This requires a migration of existing code. We could ease this transition with a deprecation warning in one release and then introduce the semantic change in the following release.

public enum

This proposal removes the availability of exhaustive switch from public enums. Non-resilient enums will need to be declared as a total enum (or the equivalent keyword chose after bikeshedding) or public(switch) enum if we choose not to introduce an alias for this semantic. As with public var, a deprecation warning and deferred semantic change could be used to ease the transition.

public protocol

This proposal requires protocols conformable outside the module to use the open protocol alias rather than public protocol. Visible but not conformable protocols are out of scope for Swift 4. This means that in Swift 4 open protocoland public protocol could share the same semantics with a deprecation warning on public protocol telling users to use open and that the semantics of public protocol will be different in the future. We could remove support for public protocol in a point release, reserving it until we introduce the ability for a protocol to be visible but not conformable.

Effect on ABI stability

If this proposal impacts ABI stability it would be in the area of runtime metadata or introspection. Input on this topic is welcome.

Effect on API resilience

This proposal does not impact API reslience. The proposed solution recasts some existing features but does so in a way that should be backwards compatible. No existing semantics are changed, only how those semantics are stated syntactically.

Alternatives considered

The primary alternative is to continue using the ad-hoc approach to meeting our access control needs. There have been many different ideas about how we might be able to simplify the current system by removing or slightly tweaking some of the existing features. The author believes this approach will not be able to meet future needs well and will continue to be burdened by the accumulation of inessential complexity. This situation will get worse, not better, as new features are added to the language.
_______________________________________________
swift-evolution mailing list
swift-evolution@swift.org
https://lists.swift.org/mailman/listinfo/swift-evolution


(Matthew Johnson) #3

Why not add a scope which allows access to the variables and functions only for the type itself and its extensions, but only within the current module?

Because this is really identical to module-wide visibility. Any file in the whole module can contain an extension of the type. See my earlier responses to Jaden for more details.

This would result in limitation of visibility from the outside (the same way private does) except for the fact that extensions could actually change these variables/functions. Also, restricting it to the module at the same time would not allow access to them and doing extensions like xWrapper (mentioned in one of the mails), unless it was in the same module, but even then it is just easier to change the type itself instead of doing wrapper extensions since the developer has access to it anyway.

I think this would be convenient because outside of the type and its internal extensions these entities would not appear as for public use.

This falls into the same category as protected. If you read through my earlier responses to Jaden you’ll see that I think there is a better way to handle this kind of use case.

···

On Mar 3, 2017, at 5:02 PM, Paweł Wojtkowiak <neframair@gmail.com> wrote:

Sent from my iPhone

On 3 Mar 2017, at 20:24, Matthew Johnson <matthew@anandabits.com <mailto:matthew@anandabits.com>> wrote:

On Mar 2, 2017, at 10:30 PM, Jaden Geller <jaden.geller@gmail.com <mailto:jaden.geller@gmail.com>> wrote:

On Mar 2, 2017, at 7:51 PM, Matthew Johnson <matthew@anandabits.com <mailto:matthew@anandabits.com>> wrote:

Sent from my iPad

On Mar 2, 2017, at 3:35 PM, Jaden Geller <jaden.geller@gmail.com <mailto:jaden.geller@gmail.com>> wrote:

Hi Matthew,

Overall, I think this is a great simplification of the access control mechanism! I really appreciate the focus on both “simple made easy” and safe defaults.

Thanks Jaden! I appreciate your thoughtful feedback!

I have a few comments and questions:

(1) It seems odd to use `scope` as both an access control modifier alone and as a function-like attribute. Perhaps something like `access(set, scope)` would be better than `scope(set)`. As it is, we're conflating scope with meaning visibility and lexical scope—I found that very confusing.

This is good feedback. The reason I designed it this way is because it is intended to work like the existing access modifiers which can be parameterized or stand alone. The idea is that it is analogous to a function with default arguments and we treat the unbound function as if it had been called with no explicit arguments (using the defaults). There is an example of this in the playground prototype I included.

That said, there is a difference - the existing modifiers don't accept a scope argument. I can see how this could make it more confusing. In the current design `scope(set, lexical)` is already valid and is similar to the `access(set, scope)` idea you suggested.

One thing I want to be very careful about is making the syntax read well if possible. In the playground I even used argument labels `scope(of: set, is: lexical)`. I think that would be too verbose in real code but I think it's important that this read like a sentence in our minds at least.

One option would be to simply remove the default scope argument and require it to be provided explicitly when lexical scope is intended. I'm not sure how I feel about that. I'm going to spend some time thinking about this further. I definitely don't want the shorthand (without arguments) to be a source of confusion.

I think this would be an improvement.

As a sidenote, if there were to be an alias for lexical access control, think the pseudo-adjective `scoped` aligns better with the adjective `public`, `internal`, and `private`. The noun `scope` seems out of place.

Interesting that you say this. I had suggested `scoped` earlier and had second thoughts about that because a verb feels a little bit out of place next to `public`, `internal` and `private`. But I think you’re right that `scoped` does read more similar to them. I will go this route.

(2) I think that the attribute should be spelled `@access` like other attributes in Swift, `@availability` for example. This seems more consistent.

If it were an attribute I would agree. But it's not, it's an access modifier. Those don't have the `@`.

I guess I’m suggesting that it might be better expressed as an attribute. The attribute `@available` is already used to specify symbol visibility (based on platform, version, etc.), so it seem best to align access control by using an attribute as well. I agree that the aliases like `private` shouldn’t require an `@` for concision…

Do we have any cases where we have both an attribute and a declaration modifier that both have the same semantics? I don’t think so. That seems a little bit strange to me. I can see why you would associate this with `@available` but I think it’s better to define it as a declaration modifier.

(Does Swift have a hard-and-fast rule for which modifiers should use attributes and which should use keywords? Or even a more hand-wavey rule? It seems almost arbitrary to me…)

As far as I know declaration modifiers never have `@` and attributes do. I don’t have a good sense of how we decide when something is better expressed as an attribute vs being a declaration modifier. Maybe somebody from the core team can comment on this.

Another benefit is that there’s stylistic precedent for attribute declarations to be placed on the line before the declaration. This works well with wordier restrictions.

I don’t think style should influence whether we use `@` or not. We are free to establish a common style that places longer declaration modifiers on a previous line. I think the community will eventually converge on a reasonable style regardless of how it looks.

(3) Speaking of `@availability`, how do you suppose access control ought to interact with that? Can I somehow mark that the setter was public in a previous version but is now private?

This is a good question. I am not familiar enough with `@availability` to answer off the top of my head. Do you think this is something that needs to be addressed by this proposal?

I’m not entirely sure. It _probably_ doesn’t need to be addressed just yet. I don’t think `@availability` currently has such features, so it would be additive.

Sounds good.

(4) The function-like access control attribute as you proposed it has very odd semantics, especially compared to Swift functions. For example, both `scope(get, file)` and `scope(file)` are valid spellings, as if `get` was a default argument, but Swift does not allow default arguments in that position without labels. Obviously this isn’t a parsing problem since we’re using keywords, but I find it very confusing. Either swap the order of the arguments or, I would prefer, add labels. With my `@access` spelling, we might have `@access(get, in: file)` and `@access(in: file)`.

I actually used labels in the playground and thought about including them in the proposal. I decided against it on the grounds that access modifiers are pervasive and the labels could quickly be seen as noise. If others feel they are important I have no objection.

I like labels, but I can understand the preference for concision. It just confuses my mental model when the semantics cannot be implemented in Swift. In your playground, try removing your labels—the function becomes impossible to call without specifying the capability argument!

I think the default for the capability and the sequence of arguments are both pretty important aspects of the design. The former because we often want to bound *all* capabilities in the same way and bounding the default capability does this. It reads more clearly to only specify the scope. The sequence of arguments is important because I think it reads much better: “access to the setter is bounded to the file”. I think it also reduces the chance that a reader misses the capability and only notices the scope.

We should have a bikeshed discussion about whether labels should be required, optional, or not allowed. I would be happy to let community consensus decide this.

(Sidenote: Why doesn’t Swift warn on function declarations that provide unusable default arguments??)

For the record, `@available` does not use labels. It even omits commas in places I might expect them… `@available(swift 3.0.2)`.

(5) It seems odd that `call` is the name of the default visibility for functions. I agree with the semantics, but the naming seems to imply that I could still refer to the value `let foo = myFunction` but not call it.

Some of these names were pretty tough to decide on. I wholeheartedly embrace bikeshedding here. I wouldn't be surprised if community input can improve on the names I have used. :slight_smile:

I agree that we should eventually bikeshed, but I’m trying to focus on the semantics first :slight_smile:

Yes, that’s a good call. I just wanted to make it clear that I’m not fixated on the naming and acknowledge that it’s a hard problem. :slight_smile:

I chose `call` because if you can see a function you can call it. It isn't possible to see it, bind it to a name, etc without being able to call it and it probably shouldn't ever be.

For Types and Protocols, `use` seems like a very generic word to, well uh, use. Perhaps `visible` would make more sense (though it is not a verb like the others…)?

I agree. This was the most difficult name to decide on. The notion I tried to capture is that if you can see a type you can work with values of of that type (as well as access it's static members). I would be very happy if we could identify a better name.

Perhaps `constrain`?

This is also something you can always do when you can see a protocol, but you can also use it as an existential (thinking ahead to generalized existentials) so you can also work with values of the protocol existential type.

I was potentially recommending constrain for types too. `let x: Int` constrains `x` to be type `Int`, and `let y: Hashable` constraints `y` to be the (existential) type `Hashable`, or at least will once that’s possible. I’m not sure this is a good spelling, just throwing it out there…

Ahh, that’s an interesting perspective.

I think the name `switch` for enums is also not particularly great, but this probably isn’t the time to bikeshed naming.

I used `switchExhaustively` in an earlier draft but thought it was too verbose. Maybe the verbosity is necessary?

Well, I think that the name `switch` is misleading, but I don’t love this more verbose name either. I was thinking `closed` maybe? …since it guarantees that no more cases can be added. Not sure.

Misleading because you can always `switch`, it just might not be exhaustive? That makes sense but maybe it’s not that big a deal because it would be documented as meaning exhaustive. I’m not sure.

I don’t think `closed` is the best name for this because I think the names should focus on the *capability*. `closed` focuses on the restriction placed on future versions of the library.

(6) Do closed protocols fit into this model? The `conform` capability allows API users to add additional conformances, but there’s no capability to promise that the API maintainer itself won’t add additional conformances. Obviously adding this features is out of the scope of this proposal, but I want to know how it might be spelled in this scheme.

Yes. I think this would use the same capability name as enums that support exhaustive switch.

One interesting point is that this would introduce the notion of mutually exclusive capabilities. You can't have both `public(conform)` and `public(switch)`.

(7) It isn’t immediately clear to me the “hierarchy” of additional capabilities. Obviously `set` is a refinement of `get`, but is `override` a refinement on `set` or `get`? Or are they entirely separate? Can you use both? It would be useful to formalize what happens when the access level is specified for multiple additional capabilities.

Great question. I'll add clarification on this point in the next draft. The short answer is that the bounds of additional capabilities are usually independent of each other.

That said, as noted above, in some cases they could be mutually exclusive. It's also possible that they could have other kinds of relationships. This really depends on the semantics of the declaration providing the capabilities.

I think we really ought to formalize these relationships. It’s difficult to reason about otherwise.

The only relationship that exists is currently the relationship between the basic capability and additional capabilities. The scope of the basic capability implicitly bounds that of the additional capabilities and if the scope of an additional capability is wider than `internal` when no explicit bound is provided for the basic capability the bound of the basic capability is widened accordingly.

I have given some thought to formalizing semantic relationships between capabilities but I think it adds complexity to the model for not much gain at the moment. The two simple rules above suffice. We can formalize additional semantic relationships if / when that becomes necessary. Does that make sense? If not, can you offer elaborate on what you would like to see? I want to facilitate reasoning as much as possible without adding unnecessary complexity to the initial model.

(8) It may be useful to clarify the hierarchy of scopes. Each name is mentioned, but it isn’t intuitively obvious how it works. Does `TypeName` essentially allow me to make friend classes, via `@access(set, in: Foo)`, a la C++. If so, that’s pretty cool! I’m assuming `extension` gives visibility in extensions to this type? What about subclasses—is there a sort of `protected` scope?

Great question. I'll clarify this further in an updated draft.

In the meantime, I'm afraid I'm going to have to let you down a bit on this point. Scopes form a strictly nested hierarchy. This means that you can only reference an ancestor scope.

For types, this simply follows the lexical nesting of types and member declarations. A declaration may reference the scope of a type that contains it by using the name of the type. The capability is available to any declarations within the lexical scope of the type declaration, including other types. But it is intentionally *not* like `friend` in C++.

Unfortunate. If the community found this desirable, would it be additive to add this in the future? I don’t necessary want friend types, but I like that this syntax would make them much, much, much more intuitive than in C++. You wouldn’t even have to read the docs to understand the feature—just read the declaration!

They syntax could certainly be extended to support something like this but it doesn’t really work semantically. This is not a limitation of this model. Instead it is a limitation of any type-based access control. Types don’t facilitate a real encapsulation boundary, especially in a language like Swift where a type can be extended in any scope that can see the type. The core team has repeatedly opposed type-based access control for precisely this reason. I don’t expect that to change but if it did, this syntax could certainly be extended to support such a feature.

`extension` is simply a way to reference the lexical scope created by an extension that contains a declaration. It does not provide access to extensions of the type containing the declaration.

The purpose of access control is compiler verified encapsulation. Since anybody can add an extension anywhere the compiler can't really offer any useful verification of encapsulation. I don't think it would be a good idea for access control to have a feature like this. The same is true of protected and any other type-based access control scheme.

I’m not really understanding what you’re saying here. I think we might be saying the same thing. My understanding was

struct Foo {
  scope(extension) var x: Int
}

means that I can write

extension Foo {
  func bar() {
    x += 1
  }
}

unlike if I had chose Swift 3.0 private.

Nope. This is an example of what it means:

extension Foo {
    struct Bar {
        access(extension) var int = 42
    }
    // Bar.int is available here but not outside the scope of this extension
}

If extensions could have names we wouldn’t need `extension` as a scope specifier. Since they don’t, we do.

The example you gave has all of the problems associated with any type-based access control. It is kind of pointless to have a access control like that because it doesn’t offer any real guarantees. Anybody can come along and do this:

extension Foo {
    public var xWrapper: Int { get { return x } set { x = newValue } }
}

This is why I think symbol groups are a more appropriate solution to this use case. They don’t pretend you are really limiting availability in any way but they do allow you to hide the symbol unless an explicit request is made:

import FoosModule including FooExtensions

This makes all symbols in the symbol group `FooExtensions` available. It required explicit opt-in to availability solving the accidental use problem without pretending to really limit the availability of the symbols. I haven’t thought enough about it yet to have an idea of how it might work within the same module but I think this is the right direction for this use case.

Swift's access control system has always followed the idea of strictly hierarchical scopes, it just hasn't allowed us to name most of them. I think this was a really good principle that we should continue to embrace.

That said, I do have some thoughts about ways to address the kinds of use cases people have in mind for "extensions or subclasses of the type" visibility. The idea I have been exploring is what I have been calling "symbol groups". I have been thinking about this in the context of imported symbols and haven't given any thought as to how it might apply outside that context. The way it looks with an import is this:

import UIKit including UIGestureRecognizerSubclasses

The idea here is that the symbols reside in the same (sub)module as the other symbols they are related to but are not imported unless the symbol group name is explicitly stated. This solves the problem of unintentional or inappropriate symbol availability and accidental misuse without offering promises of encapsulation that can't really be followed through on (as is the case with `protected`).

This is obviously well outside the scope of this proposal but is something I think would be worth pursuing at some point.

Thanks for the great proposal, Matthew!

Thanks Jaden! I'm really happy that you like it. I was pretty uncertain about how it would be received. It's encouraging to see that others like the idea. :slight_smile:

Definitely! I appreciate your hard work! I realize how time-consuming it is to write these proposals, not to mention thinking through them!

Thanks! It always seems to take a lot more time than I expect when I first start working on a proposal.

Cheers,
Jaden Geller

On Mar 2, 2017, at 11:58 AM, Matthew Johnson via swift-evolution <swift-evolution@swift.org <mailto:swift-evolution@swift.org>> wrote:

I’ve been continuing to think about how to provide clear and consistent semantics for access control in Swift. This draft represents what I think is the best way to accomplish that. It eliminates the current inconsistencies and establishes a principled basis for the features we have today as well as the enhancements we may need in the future. It does this with minimal breaking changes.

The draft is included below and can also be found here: https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md.

I’m looking forward to everyone’s feedback.

Matthew

A Consistent Foundation For Access Control: Scope-Bounded Capabilities

Proposal: SE-NNNN <https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md>
Authors: Matthew Johnson <https://github.com/anandabits>
Review Manager: TBD
Status: Awaiting review
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#introduction>Introduction

This proposal introduces a consistent foundation for all access control in Swift: scope-bounded capabilities. The existing access control features are generalized with a single mechanism that unifies their semantics. This unified mechanism eliminates the inessential complexity and inconsistency of the current system while expanding its utility.

Swift-evolution thread: Discussion thread topic for that proposal <https://lists.swift.org/pipermail/swift-evolution/>
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#motivation>Motivation

The new access control features in Swift 3 have proven to be extremely controversial. The most common refrain is that we need a more simple system. In order to accomplish this we need to do more than tweak the system we already have. We need to revisit the foundation of the system itself.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#simple-made-easy>Simple Made Easy

Rich Hickey gave a fantastic talk called [Simple Made Easy])(https://www.infoq.com/presentations/Simple-Made-Easy). In this talk Rich explores the etymology and relationship of the words "simple", "complex", and "easy". The meanings he explores are:

Complex: entangled, intertwined, interleaved, braided together
Simple: one strand, single focus, disentangled
Easy: familiar, nearby, readily at hand
The central point Rich makes in this talk is that when a design entangles two orthogonal concepts complexity is the result. He coins the term "complect" to refer to this kind of inessential complexity. This complexity can be removed by disentangling the concepts. Instead of "complecting" independent concerns we can compose them.

The result is a simpler system. It is simpler because independent concepts can be considered and understood independently of each other.

The composition of independent concerns also results in a more flexible system. When orthogonal concepts are entangled it is more difficult to extend the system to meet future needs. One concept cannot be extended independently of the other. It is not possible to make independent decisions about what should be orthogonal aspects of the design.

Rich believes that the programming community is often too quick to reach for an immediately "easy" solution. Unfortunately, the "easy" solution often entangles concepts and are therefor actually complex. He suggests that we firstdesign a simple (i.e. disentangled) solution and then layer ease of use and familiarity on top, thus the title "Simple Made Easy".

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#two-orthogonal-concepts>Two orthogonal concepts

The access control system in Swift 3 incorporates two orthogonal concepts: availability and capability. Availability is what immediately comes to mind when one thinks of access control: a symbol is either available or it is not. Capability is more nuanced. It refers to what you can do with that symbol.

Each declaration supports a basic capability which is always available when the symbol itself is available. Many declarations also offer additional capabiities (such as the ability to inherit, override, set a property, etc). These additional capabilities may be less available than the symbol itself.

In Swift, availability is always specified in terms of a scope. Swift does not currently have a consistent way to talk about capabilities. Thus far we have introduced new syntax every time we wish to distinguish the availabiltiy of an additionalcapability from that of the symbol itself:

open vs public access modifiers classes and methods
Access modifier parameterization for setter availability: private(set)
The @closed attribute which has been discussed as a way to specify non-resilient enums in Swift 4*
It is clear that we need to be able to talk about not just basic availability, but also capabilities. It would be very nice if we had one consistent way to do this. This can be accomplished by composing the concepts of availability and capability into the notion of a scope-bounded capability.

*@closed would lie outside the access control system proper. It is included for the sake of completeness. It is also included to demonstrate how the language currently lacks a clear and obvious way to specify new capability bounds when they are arise.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#problems-with-swifts-access-control-system>Problems with Swift's access control system

Swift's current access control system can has several problems.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#inconsistency>Inconsistency

As noted above, the ways additional capabilities are bounded is inconsistent. The semantics of public are also inconsistent.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#internal-default>Internal default

The Swift evolution community has adopted the principle that nothing should be available outside a module without an explicit declaration of intent by a library author. This is an excellent default which protects library authors against making an error of omission that would require a breaking change to correct. Unfortunately this principle has not been consistently applied.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#public>public

In most cases public only provides access to the basic capability a declaration offers. This is true by definition for declarations do not offer additional capabilities but it is also true for classes (with respect to inheritance) and class methods (with respect to overrides).

However, there are three cases where public currently provides access to additional capabilities:

public var allows access to the setter
public enum allows exhaustive switch
public protocol allows new conformances to be introduced
It is not currently possible to declare resilient enums or closed protocols but both have received significant discussion. Further, resilient enums need to be supported before ABI stability is declared. A consistent access control system would treat these as independent capabilities that are not made available with a simple public declaration.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#private-and-fileprivate>private and fileprivate

The most heavily debated aspect of the changes to the access control system in Swift 3 is without question the change in meaning of private to be the current lexical scope and the renaming of the file-level scope to fileprivate. This change was made with the idea that a lexically scoped private would prove to be a good "soft default" for a less-than-module availability bound. While many users appreciate the semantics of a scope-based access modifier it has not proven to be a good "soft default" and therefore does not deserve the name private.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#extensions>Extensions

In languages without extensions lexically scoped availability is equivalent to type-based availability for members of a type. In such a language it could make a reasonable default. Swift is not such a language.

Using several extensions on the same type within the same file is an extremely common Swift idiom. This idiom is not well supported by a "soft default" of scope-based availability. The tension between a pervasive idiom and the "soft default" leads to confusion about when scope-based a availability is appropriate, and often an overuse of the feature. It also leads to the need to use fileprivate much more frequently than is desirable for such an awkward keyword.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#types-and-members>Types and members

A "soft default" should not have subtle behavior that has the potential to confuse beginners. Most beginners would expect Foo and bar in the following example to have the same visibility. This was true in Swift 2 but it is not true in Swift 3.

private struct Foo {
    private var bar = 42
}
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#an-advanced-feature>An advanced feature

Lexically scoped availability has important uses such as preserving invariants. All access to invariant-related state can be routed through basis methods which access the state carefully without violating invariants, even when that access happens in an extension in the same file. We should not abandon this tool but it should not be the "soft default". It is best reserved for specific use cases where the guarantee it offers is important to correctess of the software.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#essential-and-inessential-complexity>Essential and inessential complexity

The inconsistencies noted above and a bad "soft default" of private are all forms of inessential complexity. This makes Swift's access control system more difficult to understand and use than it needs to be and causes confusion.

At the same time the essential complexity of capabilities that are bounded independent of basic symbol availability is not explicitly acknowledged and embraced. This also makes the access control system more difficult to understand and use than it should be. Users are not taught to think in terms of independently bounded capabilities. This is a concept that could be learned once and applied generally if it was more visible in the language.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#proposed-solution>Proposed solution

The proposed solution is to establish a semantic foundation for access control that is simple in the sense of composing rather than interleaving independent concerns. The solution is made easy by defining familiar names in terms of this foundation while preserving the semantics Swift users expect them to have. It is consistent in its use of a single mechanism for bounding capabilities and its default of internal for all capabilities.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#scope-bounded-capabilities>Scope-bounded capabilities

All access control is defined in terms of a parameterized access modifier that allows the user to specify a capability and a scope that bounds that capability.

// The scope of the setter is the current file.
scope(set, file) var foo = 42
Each parameter has a default argument. The default argument for the capability is simply the basic capability the declaration provides. For a variable this is the getter, for a method it is the ability to call the method, for a type it is the ability to use the type and so on. The default argument for the scope is the current lexical scope.

// The scope of the getter is the current lexical scope.
// This is equivalent to `private var foo = 42` in Swift 3.
scope var foo = 42

// The scope of the getter is the current file.
scope(file) var bar = 42

// The scope of the setter is the current lexical scope.
scope(set) var baz = 42
The scope of the basic capability implicitly bounds additional capabilities: if basic use of a symbol is not available it is not possible to anything with that symbol. This is similar to the existing rule that a type implicitly bounds the availability of all symbols declared within its scope: a public property of an internal type is not available outside the module because the type itself is not available.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#aliases>Aliases

This modifier is simple (in the sense defined above), general and powerful. However it is also unfamiliar, often slightly verbose, and offers a very wide configuration space. Familiar aliases are provided as "soft defaults" which are recommended for common use cases.

These aliases introduce no additional semantics. Once a user understand scopes, capabilities and how they compose to produce scope-bounded capabilities the user also has the ability to understand all aliases we introduce. Tools could even make the definition of the alias available to remind the user of its underlying meaning (similarly to they way Xcode allows a user to command-click to see a symbol definition).

These aliases are defined in terms of the parameterized scope modifier:

private(capability) = scope(capability, file)
internal(capability) = scope(capability, submodule)
public(capability) = scope(capability, everywhere)
open = scope(inherit, everywhere)
open = scope(override, everywhere)
final = scope(inherit, nowhere)
final = scope(override, nowhere)
total = scope(switch, everywhere)
private reverts to the Swift 2 semantics. scope with no parameters has semantics equivalent to that of private in Swift 3.

internal is specified in terms of submodule and is equivalent to module scope until submodules are introduced. It is specified this way to indicate the intent of the author should submodules be added.

total is a placholder subject to bikeshedding. total enum provides semantics equivalent to public enum. public enum receives the semantics of resilient enums. If a suitable shorthand is not identified the slightly longer public(switch) enum can be used to specify an enum which supports exhaustive switch outside the module.

open, final and closed are overloaded based on the kind of declaration they are applied to.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#scopes>Scopes

The hierarchy of scopes is as follows:

nowhere
lexical
TypeName
extension
file
submodule
SubmoduleName
module
everywhere
The name of any ancestor type or submodule of a declaration, including the immediately containing type or submodule, form the set of valid user-defined scope references.

Including nowhere allows us to define final in terms of this system. It also allows us to model all properties and functions with the same set of capabilities: the setter of a read only property is automatically bounded to nowhere and the override capability of a function that is not a class method is automatically bounded to nowhere.

Allowing users to reference any ancestor scope introduces affords advanced users a degree of control that is not possible in the current access control system. If submodules are introduced into Swift this additional control will be especially useful as a means to facilitate bounded collaboration between peer submodules allowing them to communicate in ways not available to the rest of the module.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#capabilities>Capabilities

The capabilities available depend on the kind of declaration an access modifier is applied to. All declarations offer a basiccapability that is always available when the declaration itself is available. The basic capability is specified by default when the scope modifier or a parameterized alias is used without an explicit capability argument. Some declarations also offer additional capabilities which may have an independent bound applied to them.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#properties-and-subscripts>Properties and subscripts

get (the basic capability)
set (for readwrite properties only)
override (for class properties only)
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#functions-and-initializers>Functions and initializers

call (the basic capability)
override (for class methods only)
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#types>Types

use (the basic capability)
inherit (for classes)
switch (for enums)
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#protocols>Protocols

use (the basic capability)
conform
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#extensions-and-typealiases>Extensions and typealiases

use (the basic capability)
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#scalable-in-the-future>Scalable in the future

As the language grows the mechanism of scope-bounded capabilities can be extended in an obvious way to meet the needs of future declarations and capabilities. Users are only required to learn about the new declaration or capability that was introduced. Their existing knowledge of the scope-bounded capability access control system is immediately applicable.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#detailed-design>Detailed design

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#rules>Rules

The rules which make up the essential complexity in Swift's access control system are:

The default scope for all capabilites a declaration offers is module-wide (or submodule-wide in the future).
The scope of a capability may be modified by an explicit access modifier.
The scope of an additional capability is implicitly bounded by the scope of the basic capability.
The scope of an additional capability may not be explicitly specified as greater than that of the basic capability.
If no scope is explicitly provided for the basic capability and an additional capability is specified to be available outside the (sub)module the basic capability is also given the same availability.
The scope of a declaration (including all capabilities) may be bounded by the declaration of ancestor.
The scope of a declaration may not be greater than the scope of the capabilities necessary to use that declaration: if you can't see a parameter type you can't call the function.
Most of these rules already exist in Swift's access control system. There is one change and one addition:

The first rule changes the availability of the additional capability of public readwrite properties, protocols and enums.
The fifth rule affords shorthand for implicitly making the basic capability public when an additional capability is also made public.
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#grammar>Grammar

The changes to the access modifier grammar are as follows:

access-level-modifier → scope­ | scope­(­ capability-specifier ­)­ | scope­(­ scope-specifier ­)­ | scope­( capability-specifier ­, scope-specifier ­)­
access-level-modifier → private­ | private­(­ capability-specifier ­)­
access-level-modifier → internal­ | internal­(­ capability-specifier ­)­
access-level-modifier → public­ | public­(­ capability-specifier ­)­
access-level-modifier → open­
access-level-modifier → final
access-level-modifier → total

scope-specifier → nowhere | extension | file | submodule | module | everywhere | identifier
capability-specifier → set | inherit | override | conform | switch
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#playground>Playground

A Swift playground that includes a prototype of the basic scope-bounded capability access modifier as well as the aliases is availabe here <https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.playground.zip>.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#future-possibilities>Future possibilities

Scope-bounded capabilities are able to express set-only properties and override-only methods with a minor change to the rules of the system. These features have been requested on the list in the past. In the case of override-only methods there are known examples in Apple's frameworks. Allowing support for these would add some complexity to the model and is not essential to establishing a consistent basis for the existing access control feature.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#source-compatibility>Source compatibility

This proposal will not cause any Swift 3 source to fail to compile but will produce different behavior in three cases. In all cases a mechanical migration is possible.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#public-var>public var

This proposal removes the availability of the setter of a public var outside the module, requiring public(set) var to expose the setter. This requires a migration of existing code. We could ease this transition with a deprecation warning in one release and then introduce the semantic change in the following release.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#public-enum>public enum

This proposal removes the availability of exhaustive switch from public enums. Non-resilient enums will need to be declared as a total enum (or the equivalent keyword chose after bikeshedding) or public(switch) enum if we choose not to introduce an alias for this semantic. As with public var, a deprecation warning and deferred semantic change could be used to ease the transition.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#public-protocol>public protocol

This proposal requires protocols conformable outside the module to use the open protocol alias rather than public protocol. Visible but not conformable protocols are out of scope for Swift 4. This means that in Swift 4 open protocoland public protocol could share the same semantics with a deprecation warning on public protocol telling users to use open and that the semantics of public protocol will be different in the future. We could remove support for public protocol in a point release, reserving it until we introduce the ability for a protocol to be visible but not conformable.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#effect-on-abi-stability>Effect on ABI stability

If this proposal impacts ABI stability it would be in the area of runtime metadata or introspection. Input on this topic is welcome.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#effect-on-api-resilience>Effect on API resilience

This proposal does not impact API reslience. The proposed solution recasts some existing features but does so in a way that should be backwards compatible. No existing semantics are changed, only how those semantics are stated syntactically.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#alternatives-considered>Alternatives considered

The primary alternative is to continue using the ad-hoc approach to meeting our access control needs. There have been many different ideas about how we might be able to simplify the current system by removing or slightly tweaking some of the existing features. The author believes this approach will not be able to meet future needs well and will continue to be burdened by the accumulation of inessential complexity. This situation will get worse, not better, as new features are added to the language.
_______________________________________________
swift-evolution mailing list
swift-evolution@swift.org <mailto:swift-evolution@swift.org>
https://lists.swift.org/mailman/listinfo/swift-evolution


(Matthew Johnson) #4

Why not add a scope which allows access to the variables and functions only for the type itself and its extensions, but only within the current module?

Because this is really identical to module-wide visibility. Any file in the whole module can contain an extension of the type. See my earlier responses to Jaden for more details.

Yes, but you can also change the original source to change the visibility too, so I don't find this argument compelling. I could also add code in the other file too… Disallowing this control level simplify restricts code organization.

The idea is this visibility expresses that it is an implementation detail of the type while recognizing that extensions might need access to it. Perhaps you can implement an extension more efficiently if you're not restricted to going through the public abstraction.

This is a reasonable point within the same module. I’m reluctant to deviate from the model of strictly hierarchical scopes that Swift has followed thus far. On the other hand, I am willing to keep an open mind about this as long as we’re only talking about code within the same module.

Compelling concrete examples of use cases for organizing code in this way would be useful. When would you benefit from organizing extensions in a way that strictly hierarchical scopes do not give you a reasonable bound on a symbol?

If we did want to support something like this we could allow `access` to accept something like an option set when the scope reference is a type name where options would include extensions and subclasses, and perhaps conforming types for members in protocol extensions. I wouldn’t want it to be the default (which should still be strictly hierarchical scopes) but it could extend the basic model.

···

On Mar 3, 2017, at 5:12 PM, jaden.geller@gmail.com wrote:
On Mar 3, 2017, at 3:08 PM, Matthew Johnson <matthew@anandabits.com <mailto:matthew@anandabits.com>> wrote:

On Mar 3, 2017, at 5:02 PM, Paweł Wojtkowiak <neframair@gmail.com <mailto:neframair@gmail.com>> wrote:

This would result in limitation of visibility from the outside (the same way private does) except for the fact that extensions could actually change these variables/functions. Also, restricting it to the module at the same time would not allow access to them and doing extensions like xWrapper (mentioned in one of the mails), unless it was in the same module, but even then it is just easier to change the type itself instead of doing wrapper extensions since the developer has access to it anyway.

I think this would be convenient because outside of the type and its internal extensions these entities would not appear as for public use.

This falls into the same category as protected. If you read through my earlier responses to Jaden you’ll see that I think there is a better way to handle this kind of use case.

Sent from my iPhone

On 3 Mar 2017, at 20:24, Matthew Johnson <matthew@anandabits.com <mailto:matthew@anandabits.com>> wrote:

On Mar 2, 2017, at 10:30 PM, Jaden Geller <jaden.geller@gmail.com <mailto:jaden.geller@gmail.com>> wrote:

On Mar 2, 2017, at 7:51 PM, Matthew Johnson <matthew@anandabits.com <mailto:matthew@anandabits.com>> wrote:

Sent from my iPad

On Mar 2, 2017, at 3:35 PM, Jaden Geller <jaden.geller@gmail.com <mailto:jaden.geller@gmail.com>> wrote:

Hi Matthew,

Overall, I think this is a great simplification of the access control mechanism! I really appreciate the focus on both “simple made easy” and safe defaults.

Thanks Jaden! I appreciate your thoughtful feedback!

I have a few comments and questions:

(1) It seems odd to use `scope` as both an access control modifier alone and as a function-like attribute. Perhaps something like `access(set, scope)` would be better than `scope(set)`. As it is, we're conflating scope with meaning visibility and lexical scope—I found that very confusing.

This is good feedback. The reason I designed it this way is because it is intended to work like the existing access modifiers which can be parameterized or stand alone. The idea is that it is analogous to a function with default arguments and we treat the unbound function as if it had been called with no explicit arguments (using the defaults). There is an example of this in the playground prototype I included.

That said, there is a difference - the existing modifiers don't accept a scope argument. I can see how this could make it more confusing. In the current design `scope(set, lexical)` is already valid and is similar to the `access(set, scope)` idea you suggested.

One thing I want to be very careful about is making the syntax read well if possible. In the playground I even used argument labels `scope(of: set, is: lexical)`. I think that would be too verbose in real code but I think it's important that this read like a sentence in our minds at least.

One option would be to simply remove the default scope argument and require it to be provided explicitly when lexical scope is intended. I'm not sure how I feel about that. I'm going to spend some time thinking about this further. I definitely don't want the shorthand (without arguments) to be a source of confusion.

I think this would be an improvement.

As a sidenote, if there were to be an alias for lexical access control, think the pseudo-adjective `scoped` aligns better with the adjective `public`, `internal`, and `private`. The noun `scope` seems out of place.

Interesting that you say this. I had suggested `scoped` earlier and had second thoughts about that because a verb feels a little bit out of place next to `public`, `internal` and `private`. But I think you’re right that `scoped` does read more similar to them. I will go this route.

(2) I think that the attribute should be spelled `@access` like other attributes in Swift, `@availability` for example. This seems more consistent.

If it were an attribute I would agree. But it's not, it's an access modifier. Those don't have the `@`.

I guess I’m suggesting that it might be better expressed as an attribute. The attribute `@available` is already used to specify symbol visibility (based on platform, version, etc.), so it seem best to align access control by using an attribute as well. I agree that the aliases like `private` shouldn’t require an `@` for concision…

Do we have any cases where we have both an attribute and a declaration modifier that both have the same semantics? I don’t think so. That seems a little bit strange to me. I can see why you would associate this with `@available` but I think it’s better to define it as a declaration modifier.

(Does Swift have a hard-and-fast rule for which modifiers should use attributes and which should use keywords? Or even a more hand-wavey rule? It seems almost arbitrary to me…)

As far as I know declaration modifiers never have `@` and attributes do. I don’t have a good sense of how we decide when something is better expressed as an attribute vs being a declaration modifier. Maybe somebody from the core team can comment on this.

Another benefit is that there’s stylistic precedent for attribute declarations to be placed on the line before the declaration. This works well with wordier restrictions.

I don’t think style should influence whether we use `@` or not. We are free to establish a common style that places longer declaration modifiers on a previous line. I think the community will eventually converge on a reasonable style regardless of how it looks.

(3) Speaking of `@availability`, how do you suppose access control ought to interact with that? Can I somehow mark that the setter was public in a previous version but is now private?

This is a good question. I am not familiar enough with `@availability` to answer off the top of my head. Do you think this is something that needs to be addressed by this proposal?

I’m not entirely sure. It _probably_ doesn’t need to be addressed just yet. I don’t think `@availability` currently has such features, so it would be additive.

Sounds good.

(4) The function-like access control attribute as you proposed it has very odd semantics, especially compared to Swift functions. For example, both `scope(get, file)` and `scope(file)` are valid spellings, as if `get` was a default argument, but Swift does not allow default arguments in that position without labels. Obviously this isn’t a parsing problem since we’re using keywords, but I find it very confusing. Either swap the order of the arguments or, I would prefer, add labels. With my `@access` spelling, we might have `@access(get, in: file)` and `@access(in: file)`.

I actually used labels in the playground and thought about including them in the proposal. I decided against it on the grounds that access modifiers are pervasive and the labels could quickly be seen as noise. If others feel they are important I have no objection.

I like labels, but I can understand the preference for concision. It just confuses my mental model when the semantics cannot be implemented in Swift. In your playground, try removing your labels—the function becomes impossible to call without specifying the capability argument!

I think the default for the capability and the sequence of arguments are both pretty important aspects of the design. The former because we often want to bound *all* capabilities in the same way and bounding the default capability does this. It reads more clearly to only specify the scope. The sequence of arguments is important because I think it reads much better: “access to the setter is bounded to the file”. I think it also reduces the chance that a reader misses the capability and only notices the scope.

We should have a bikeshed discussion about whether labels should be required, optional, or not allowed. I would be happy to let community consensus decide this.

(Sidenote: Why doesn’t Swift warn on function declarations that provide unusable default arguments??)

For the record, `@available` does not use labels. It even omits commas in places I might expect them… `@available(swift 3.0.2)`.

(5) It seems odd that `call` is the name of the default visibility for functions. I agree with the semantics, but the naming seems to imply that I could still refer to the value `let foo = myFunction` but not call it.

Some of these names were pretty tough to decide on. I wholeheartedly embrace bikeshedding here. I wouldn't be surprised if community input can improve on the names I have used. :slight_smile:

I agree that we should eventually bikeshed, but I’m trying to focus on the semantics first :slight_smile:

Yes, that’s a good call. I just wanted to make it clear that I’m not fixated on the naming and acknowledge that it’s a hard problem. :slight_smile:

I chose `call` because if you can see a function you can call it. It isn't possible to see it, bind it to a name, etc without being able to call it and it probably shouldn't ever be.

For Types and Protocols, `use` seems like a very generic word to, well uh, use. Perhaps `visible` would make more sense (though it is not a verb like the others…)?

I agree. This was the most difficult name to decide on. The notion I tried to capture is that if you can see a type you can work with values of of that type (as well as access it's static members). I would be very happy if we could identify a better name.

Perhaps `constrain`?

This is also something you can always do when you can see a protocol, but you can also use it as an existential (thinking ahead to generalized existentials) so you can also work with values of the protocol existential type.

I was potentially recommending constrain for types too. `let x: Int` constrains `x` to be type `Int`, and `let y: Hashable` constraints `y` to be the (existential) type `Hashable`, or at least will once that’s possible. I’m not sure this is a good spelling, just throwing it out there…

Ahh, that’s an interesting perspective.

I think the name `switch` for enums is also not particularly great, but this probably isn’t the time to bikeshed naming.

I used `switchExhaustively` in an earlier draft but thought it was too verbose. Maybe the verbosity is necessary?

Well, I think that the name `switch` is misleading, but I don’t love this more verbose name either. I was thinking `closed` maybe? …since it guarantees that no more cases can be added. Not sure.

Misleading because you can always `switch`, it just might not be exhaustive? That makes sense but maybe it’s not that big a deal because it would be documented as meaning exhaustive. I’m not sure.

I don’t think `closed` is the best name for this because I think the names should focus on the *capability*. `closed` focuses on the restriction placed on future versions of the library.

(6) Do closed protocols fit into this model? The `conform` capability allows API users to add additional conformances, but there’s no capability to promise that the API maintainer itself won’t add additional conformances. Obviously adding this features is out of the scope of this proposal, but I want to know how it might be spelled in this scheme.

Yes. I think this would use the same capability name as enums that support exhaustive switch.

One interesting point is that this would introduce the notion of mutually exclusive capabilities. You can't have both `public(conform)` and `public(switch)`.

(7) It isn’t immediately clear to me the “hierarchy” of additional capabilities. Obviously `set` is a refinement of `get`, but is `override` a refinement on `set` or `get`? Or are they entirely separate? Can you use both? It would be useful to formalize what happens when the access level is specified for multiple additional capabilities.

Great question. I'll add clarification on this point in the next draft. The short answer is that the bounds of additional capabilities are usually independent of each other.

That said, as noted above, in some cases they could be mutually exclusive. It's also possible that they could have other kinds of relationships. This really depends on the semantics of the declaration providing the capabilities.

I think we really ought to formalize these relationships. It’s difficult to reason about otherwise.

The only relationship that exists is currently the relationship between the basic capability and additional capabilities. The scope of the basic capability implicitly bounds that of the additional capabilities and if the scope of an additional capability is wider than `internal` when no explicit bound is provided for the basic capability the bound of the basic capability is widened accordingly.

I have given some thought to formalizing semantic relationships between capabilities but I think it adds complexity to the model for not much gain at the moment. The two simple rules above suffice. We can formalize additional semantic relationships if / when that becomes necessary. Does that make sense? If not, can you offer elaborate on what you would like to see? I want to facilitate reasoning as much as possible without adding unnecessary complexity to the initial model.

(8) It may be useful to clarify the hierarchy of scopes. Each name is mentioned, but it isn’t intuitively obvious how it works. Does `TypeName` essentially allow me to make friend classes, via `@access(set, in: Foo)`, a la C++. If so, that’s pretty cool! I’m assuming `extension` gives visibility in extensions to this type? What about subclasses—is there a sort of `protected` scope?

Great question. I'll clarify this further in an updated draft.

In the meantime, I'm afraid I'm going to have to let you down a bit on this point. Scopes form a strictly nested hierarchy. This means that you can only reference an ancestor scope.

For types, this simply follows the lexical nesting of types and member declarations. A declaration may reference the scope of a type that contains it by using the name of the type. The capability is available to any declarations within the lexical scope of the type declaration, including other types. But it is intentionally *not* like `friend` in C++.

Unfortunate. If the community found this desirable, would it be additive to add this in the future? I don’t necessary want friend types, but I like that this syntax would make them much, much, much more intuitive than in C++. You wouldn’t even have to read the docs to understand the feature—just read the declaration!

They syntax could certainly be extended to support something like this but it doesn’t really work semantically. This is not a limitation of this model. Instead it is a limitation of any type-based access control. Types don’t facilitate a real encapsulation boundary, especially in a language like Swift where a type can be extended in any scope that can see the type. The core team has repeatedly opposed type-based access control for precisely this reason. I don’t expect that to change but if it did, this syntax could certainly be extended to support such a feature.

`extension` is simply a way to reference the lexical scope created by an extension that contains a declaration. It does not provide access to extensions of the type containing the declaration.

The purpose of access control is compiler verified encapsulation. Since anybody can add an extension anywhere the compiler can't really offer any useful verification of encapsulation. I don't think it would be a good idea for access control to have a feature like this. The same is true of protected and any other type-based access control scheme.

I’m not really understanding what you’re saying here. I think we might be saying the same thing. My understanding was

struct Foo {
  scope(extension) var x: Int
}

means that I can write

extension Foo {
  func bar() {
    x += 1
  }
}

unlike if I had chose Swift 3.0 private.

Nope. This is an example of what it means:

extension Foo {
    struct Bar {
        access(extension) var int = 42
    }
    // Bar.int is available here but not outside the scope of this extension
}

If extensions could have names we wouldn’t need `extension` as a scope specifier. Since they don’t, we do.

The example you gave has all of the problems associated with any type-based access control. It is kind of pointless to have a access control like that because it doesn’t offer any real guarantees. Anybody can come along and do this:

extension Foo {
    public var xWrapper: Int { get { return x } set { x = newValue } }
}

This is why I think symbol groups are a more appropriate solution to this use case. They don’t pretend you are really limiting availability in any way but they do allow you to hide the symbol unless an explicit request is made:

import FoosModule including FooExtensions

This makes all symbols in the symbol group `FooExtensions` available. It required explicit opt-in to availability solving the accidental use problem without pretending to really limit the availability of the symbols. I haven’t thought enough about it yet to have an idea of how it might work within the same module but I think this is the right direction for this use case.

Swift's access control system has always followed the idea of strictly hierarchical scopes, it just hasn't allowed us to name most of them. I think this was a really good principle that we should continue to embrace.

That said, I do have some thoughts about ways to address the kinds of use cases people have in mind for "extensions or subclasses of the type" visibility. The idea I have been exploring is what I have been calling "symbol groups". I have been thinking about this in the context of imported symbols and haven't given any thought as to how it might apply outside that context. The way it looks with an import is this:

import UIKit including UIGestureRecognizerSubclasses

The idea here is that the symbols reside in the same (sub)module as the other symbols they are related to but are not imported unless the symbol group name is explicitly stated. This solves the problem of unintentional or inappropriate symbol availability and accidental misuse without offering promises of encapsulation that can't really be followed through on (as is the case with `protected`).

This is obviously well outside the scope of this proposal but is something I think would be worth pursuing at some point.

Thanks for the great proposal, Matthew!

Thanks Jaden! I'm really happy that you like it. I was pretty uncertain about how it would be received. It's encouraging to see that others like the idea. :slight_smile:

Definitely! I appreciate your hard work! I realize how time-consuming it is to write these proposals, not to mention thinking through them!

Thanks! It always seems to take a lot more time than I expect when I first start working on a proposal.

Cheers,
Jaden Geller

On Mar 2, 2017, at 11:58 AM, Matthew Johnson via swift-evolution <swift-evolution@swift.org <mailto:swift-evolution@swift.org>> wrote:

I’ve been continuing to think about how to provide clear and consistent semantics for access control in Swift. This draft represents what I think is the best way to accomplish that. It eliminates the current inconsistencies and establishes a principled basis for the features we have today as well as the enhancements we may need in the future. It does this with minimal breaking changes.

The draft is included below and can also be found here: https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md.

I’m looking forward to everyone’s feedback.

Matthew

A Consistent Foundation For Access Control: Scope-Bounded Capabilities

Proposal: SE-NNNN <https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md>
Authors: Matthew Johnson <https://github.com/anandabits>
Review Manager: TBD
Status: Awaiting review
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#introduction>Introduction

This proposal introduces a consistent foundation for all access control in Swift: scope-bounded capabilities. The existing access control features are generalized with a single mechanism that unifies their semantics. This unified mechanism eliminates the inessential complexity and inconsistency of the current system while expanding its utility.

Swift-evolution thread: Discussion thread topic for that proposal <https://lists.swift.org/pipermail/swift-evolution/>
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#motivation>Motivation

The new access control features in Swift 3 have proven to be extremely controversial. The most common refrain is that we need a more simple system. In order to accomplish this we need to do more than tweak the system we already have. We need to revisit the foundation of the system itself.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#simple-made-easy>Simple Made Easy

Rich Hickey gave a fantastic talk called [Simple Made Easy])(https://www.infoq.com/presentations/Simple-Made-Easy). In this talk Rich explores the etymology and relationship of the words "simple", "complex", and "easy". The meanings he explores are:

Complex: entangled, intertwined, interleaved, braided together
Simple: one strand, single focus, disentangled
Easy: familiar, nearby, readily at hand
The central point Rich makes in this talk is that when a design entangles two orthogonal concepts complexity is the result. He coins the term "complect" to refer to this kind of inessential complexity. This complexity can be removed by disentangling the concepts. Instead of "complecting" independent concerns we can compose them.

The result is a simpler system. It is simpler because independent concepts can be considered and understood independently of each other.

The composition of independent concerns also results in a more flexible system. When orthogonal concepts are entangled it is more difficult to extend the system to meet future needs. One concept cannot be extended independently of the other. It is not possible to make independent decisions about what should be orthogonal aspects of the design.

Rich believes that the programming community is often too quick to reach for an immediately "easy" solution. Unfortunately, the "easy" solution often entangles concepts and are therefor actually complex. He suggests that we firstdesign a simple (i.e. disentangled) solution and then layer ease of use and familiarity on top, thus the title "Simple Made Easy".

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#two-orthogonal-concepts>Two orthogonal concepts

The access control system in Swift 3 incorporates two orthogonal concepts: availability and capability. Availability is what immediately comes to mind when one thinks of access control: a symbol is either available or it is not. Capability is more nuanced. It refers to what you can do with that symbol.

Each declaration supports a basic capability which is always available when the symbol itself is available. Many declarations also offer additional capabiities (such as the ability to inherit, override, set a property, etc). These additional capabilities may be less available than the symbol itself.

In Swift, availability is always specified in terms of a scope. Swift does not currently have a consistent way to talk about capabilities. Thus far we have introduced new syntax every time we wish to distinguish the availabiltiy of an additionalcapability from that of the symbol itself:

open vs public access modifiers classes and methods
Access modifier parameterization for setter availability: private(set)
The @closed attribute which has been discussed as a way to specify non-resilient enums in Swift 4*
It is clear that we need to be able to talk about not just basic availability, but also capabilities. It would be very nice if we had one consistent way to do this. This can be accomplished by composing the concepts of availability and capability into the notion of a scope-bounded capability.

*@closed would lie outside the access control system proper. It is included for the sake of completeness. It is also included to demonstrate how the language currently lacks a clear and obvious way to specify new capability bounds when they are arise.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#problems-with-swifts-access-control-system>Problems with Swift's access control system

Swift's current access control system can has several problems.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#inconsistency>Inconsistency

As noted above, the ways additional capabilities are bounded is inconsistent. The semantics of public are also inconsistent.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#internal-default>Internal default

The Swift evolution community has adopted the principle that nothing should be available outside a module without an explicit declaration of intent by a library author. This is an excellent default which protects library authors against making an error of omission that would require a breaking change to correct. Unfortunately this principle has not been consistently applied.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#public>public

In most cases public only provides access to the basic capability a declaration offers. This is true by definition for declarations do not offer additional capabilities but it is also true for classes (with respect to inheritance) and class methods (with respect to overrides).

However, there are three cases where public currently provides access to additional capabilities:

public var allows access to the setter
public enum allows exhaustive switch
public protocol allows new conformances to be introduced
It is not currently possible to declare resilient enums or closed protocols but both have received significant discussion. Further, resilient enums need to be supported before ABI stability is declared. A consistent access control system would treat these as independent capabilities that are not made available with a simple public declaration.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#private-and-fileprivate>private and fileprivate

The most heavily debated aspect of the changes to the access control system in Swift 3 is without question the change in meaning of private to be the current lexical scope and the renaming of the file-level scope to fileprivate. This change was made with the idea that a lexically scoped private would prove to be a good "soft default" for a less-than-module availability bound. While many users appreciate the semantics of a scope-based access modifier it has not proven to be a good "soft default" and therefore does not deserve the name private.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#extensions>Extensions

In languages without extensions lexically scoped availability is equivalent to type-based availability for members of a type. In such a language it could make a reasonable default. Swift is not such a language.

Using several extensions on the same type within the same file is an extremely common Swift idiom. This idiom is not well supported by a "soft default" of scope-based availability. The tension between a pervasive idiom and the "soft default" leads to confusion about when scope-based a availability is appropriate, and often an overuse of the feature. It also leads to the need to use fileprivate much more frequently than is desirable for such an awkward keyword.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#types-and-members>Types and members

A "soft default" should not have subtle behavior that has the potential to confuse beginners. Most beginners would expect Foo and bar in the following example to have the same visibility. This was true in Swift 2 but it is not true in Swift 3.

private struct Foo {
    private var bar = 42
}
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#an-advanced-feature>An advanced feature

Lexically scoped availability has important uses such as preserving invariants. All access to invariant-related state can be routed through basis methods which access the state carefully without violating invariants, even when that access happens in an extension in the same file. We should not abandon this tool but it should not be the "soft default". It is best reserved for specific use cases where the guarantee it offers is important to correctess of the software.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#essential-and-inessential-complexity>Essential and inessential complexity

The inconsistencies noted above and a bad "soft default" of private are all forms of inessential complexity. This makes Swift's access control system more difficult to understand and use than it needs to be and causes confusion.

At the same time the essential complexity of capabilities that are bounded independent of basic symbol availability is not explicitly acknowledged and embraced. This also makes the access control system more difficult to understand and use than it should be. Users are not taught to think in terms of independently bounded capabilities. This is a concept that could be learned once and applied generally if it was more visible in the language.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#proposed-solution>Proposed solution

The proposed solution is to establish a semantic foundation for access control that is simple in the sense of composing rather than interleaving independent concerns. The solution is made easy by defining familiar names in terms of this foundation while preserving the semantics Swift users expect them to have. It is consistent in its use of a single mechanism for bounding capabilities and its default of internal for all capabilities.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#scope-bounded-capabilities>Scope-bounded capabilities

All access control is defined in terms of a parameterized access modifier that allows the user to specify a capability and a scope that bounds that capability.

// The scope of the setter is the current file.
scope(set, file) var foo = 42
Each parameter has a default argument. The default argument for the capability is simply the basic capability the declaration provides. For a variable this is the getter, for a method it is the ability to call the method, for a type it is the ability to use the type and so on. The default argument for the scope is the current lexical scope.

// The scope of the getter is the current lexical scope.
// This is equivalent to `private var foo = 42` in Swift 3.
scope var foo = 42

// The scope of the getter is the current file.
scope(file) var bar = 42

// The scope of the setter is the current lexical scope.
scope(set) var baz = 42
The scope of the basic capability implicitly bounds additional capabilities: if basic use of a symbol is not available it is not possible to anything with that symbol. This is similar to the existing rule that a type implicitly bounds the availability of all symbols declared within its scope: a public property of an internal type is not available outside the module because the type itself is not available.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#aliases>Aliases

This modifier is simple (in the sense defined above), general and powerful. However it is also unfamiliar, often slightly verbose, and offers a very wide configuration space. Familiar aliases are provided as "soft defaults" which are recommended for common use cases.

These aliases introduce no additional semantics. Once a user understand scopes, capabilities and how they compose to produce scope-bounded capabilities the user also has the ability to understand all aliases we introduce. Tools could even make the definition of the alias available to remind the user of its underlying meaning (similarly to they way Xcode allows a user to command-click to see a symbol definition).

These aliases are defined in terms of the parameterized scope modifier:

private(capability) = scope(capability, file)
internal(capability) = scope(capability, submodule)
public(capability) = scope(capability, everywhere)
open = scope(inherit, everywhere)
open = scope(override, everywhere)
final = scope(inherit, nowhere)
final = scope(override, nowhere)
total = scope(switch, everywhere)
private reverts to the Swift 2 semantics. scope with no parameters has semantics equivalent to that of private in Swift 3.

internal is specified in terms of submodule and is equivalent to module scope until submodules are introduced. It is specified this way to indicate the intent of the author should submodules be added.

total is a placholder subject to bikeshedding. total enum provides semantics equivalent to public enum. public enum receives the semantics of resilient enums. If a suitable shorthand is not identified the slightly longer public(switch) enum can be used to specify an enum which supports exhaustive switch outside the module.

open, final and closed are overloaded based on the kind of declaration they are applied to.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#scopes>Scopes

The hierarchy of scopes is as follows:

nowhere
lexical
TypeName
extension
file
submodule
SubmoduleName
module
everywhere
The name of any ancestor type or submodule of a declaration, including the immediately containing type or submodule, form the set of valid user-defined scope references.

Including nowhere allows us to define final in terms of this system. It also allows us to model all properties and functions with the same set of capabilities: the setter of a read only property is automatically bounded to nowhere and the override capability of a function that is not a class method is automatically bounded to nowhere.

Allowing users to reference any ancestor scope introduces affords advanced users a degree of control that is not possible in the current access control system. If submodules are introduced into Swift this additional control will be especially useful as a means to facilitate bounded collaboration between peer submodules allowing them to communicate in ways not available to the rest of the module.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#capabilities>Capabilities

The capabilities available depend on the kind of declaration an access modifier is applied to. All declarations offer a basiccapability that is always available when the declaration itself is available. The basic capability is specified by default when the scope modifier or a parameterized alias is used without an explicit capability argument. Some declarations also offer additional capabilities which may have an independent bound applied to them.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#properties-and-subscripts>Properties and subscripts

get (the basic capability)
set (for readwrite properties only)
override (for class properties only)
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#functions-and-initializers>Functions and initializers

call (the basic capability)
override (for class methods only)
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#types>Types

use (the basic capability)
inherit (for classes)
switch (for enums)
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#protocols>Protocols

use (the basic capability)
conform
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#extensions-and-typealiases>Extensions and typealiases

use (the basic capability)
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#scalable-in-the-future>Scalable in the future

As the language grows the mechanism of scope-bounded capabilities can be extended in an obvious way to meet the needs of future declarations and capabilities. Users are only required to learn about the new declaration or capability that was introduced. Their existing knowledge of the scope-bounded capability access control system is immediately applicable.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#detailed-design>Detailed design

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#rules>Rules

The rules which make up the essential complexity in Swift's access control system are:

The default scope for all capabilites a declaration offers is module-wide (or submodule-wide in the future).
The scope of a capability may be modified by an explicit access modifier.
The scope of an additional capability is implicitly bounded by the scope of the basic capability.
The scope of an additional capability may not be explicitly specified as greater than that of the basic capability.
If no scope is explicitly provided for the basic capability and an additional capability is specified to be available outside the (sub)module the basic capability is also given the same availability.
The scope of a declaration (including all capabilities) may be bounded by the declaration of ancestor.
The scope of a declaration may not be greater than the scope of the capabilities necessary to use that declaration: if you can't see a parameter type you can't call the function.
Most of these rules already exist in Swift's access control system. There is one change and one addition:

The first rule changes the availability of the additional capability of public readwrite properties, protocols and enums.
The fifth rule affords shorthand for implicitly making the basic capability public when an additional capability is also made public.
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#grammar>Grammar

The changes to the access modifier grammar are as follows:

access-level-modifier → scope­ | scope­(­ capability-specifier ­)­ | scope­(­ scope-specifier ­)­ | scope­( capability-specifier ­, scope-specifier ­)­
access-level-modifier → private­ | private­(­ capability-specifier ­)­
access-level-modifier → internal­ | internal­(­ capability-specifier ­)­
access-level-modifier → public­ | public­(­ capability-specifier ­)­
access-level-modifier → open­
access-level-modifier → final
access-level-modifier → total

scope-specifier → nowhere | extension | file | submodule | module | everywhere | identifier
capability-specifier → set | inherit | override | conform | switch
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#playground>Playground

A Swift playground that includes a prototype of the basic scope-bounded capability access modifier as well as the aliases is availabe here <https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.playground.zip>.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#future-possibilities>Future possibilities

Scope-bounded capabilities are able to express set-only properties and override-only methods with a minor change to the rules of the system. These features have been requested on the list in the past. In the case of override-only methods there are known examples in Apple's frameworks. Allowing support for these would add some complexity to the model and is not essential to establishing a consistent basis for the existing access control feature.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#source-compatibility>Source compatibility

This proposal will not cause any Swift 3 source to fail to compile but will produce different behavior in three cases. In all cases a mechanical migration is possible.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#public-var>public var

This proposal removes the availability of the setter of a public var outside the module, requiring public(set) var to expose the setter. This requires a migration of existing code. We could ease this transition with a deprecation warning in one release and then introduce the semantic change in the following release.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#public-enum>public enum

This proposal removes the availability of exhaustive switch from public enums. Non-resilient enums will need to be declared as a total enum (or the equivalent keyword chose after bikeshedding) or public(switch) enum if we choose not to introduce an alias for this semantic. As with public var, a deprecation warning and deferred semantic change could be used to ease the transition.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#public-protocol>public protocol

This proposal requires protocols conformable outside the module to use the open protocol alias rather than public protocol. Visible but not conformable protocols are out of scope for Swift 4. This means that in Swift 4 open protocoland public protocol could share the same semantics with a deprecation warning on public protocol telling users to use open and that the semantics of public protocol will be different in the future. We could remove support for public protocol in a point release, reserving it until we introduce the ability for a protocol to be visible but not conformable.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#effect-on-abi-stability>Effect on ABI stability

If this proposal impacts ABI stability it would be in the area of runtime metadata or introspection. Input on this topic is welcome.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#effect-on-api-resilience>Effect on API resilience

This proposal does not impact API reslience. The proposed solution recasts some existing features but does so in a way that should be backwards compatible. No existing semantics are changed, only how those semantics are stated syntactically.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#alternatives-considered>Alternatives considered

The primary alternative is to continue using the ad-hoc approach to meeting our access control needs. There have been many different ideas about how we might be able to simplify the current system by removing or slightly tweaking some of the existing features. The author believes this approach will not be able to meet future needs well and will continue to be burdened by the accumulation of inessential complexity. This situation will get worse, not better, as new features are added to the language.
_______________________________________________
swift-evolution mailing list
swift-evolution@swift.org <mailto:swift-evolution@swift.org>
https://lists.swift.org/mailman/listinfo/swift-evolution


(Matthew Johnson) #5

Why not add a scope which allows access to the variables and functions only for the type itself and its extensions, but only within the current module?

Because this is really identical to module-wide visibility. Any file in the whole module can contain an extension of the type. See my earlier responses to Jaden for more details.

Yes, but you can also change the original source to change the visibility too, so I don't find this argument compelling. I could also add code in the other file too… Disallowing this control level simplify restricts code organization.

The idea is this visibility expresses that it is an implementation detail of the type while recognizing that extensions might need access to it. Perhaps you can implement an extension more efficiently if you're not restricted to going through the public abstraction.

Thinking about this further, I think my objection is primarily the open-endedness of type-based schemes. If a type-based scheme is *combined* with a strict scope specifier it isn’t problematic. In that case restricting access to a type and its extensions / subclasses / conformances is not actually open-ended. It is an additional bound.

We could consider this to be something like a predicate applied to scopes within the specified scope bound which would be true for all inner scopes by default. It might look something like this:

// restricts access to Foo and its extensions and subclasses
// but only those which are declared inside the same submodule as this declaration:
access(set, submodule, Foo(extensions, subclasses))

I wouldn’t have a problem with a scheme like this. The question in my mind is whether or not the complexity it adds can be sufficiently motivated. Do you have any good motivating examples?

An interesting observation is that if we did introduce this capability we could also introduce an alias `protected`:

protected(capability, scope) = access(capability, scope, Self(subclasses))

···

On Mar 3, 2017, at 5:12 PM, jaden.geller@gmail.com wrote:
On Mar 3, 2017, at 3:08 PM, Matthew Johnson <matthew@anandabits.com <mailto:matthew@anandabits.com>> wrote:

On Mar 3, 2017, at 5:02 PM, Paweł Wojtkowiak <neframair@gmail.com <mailto:neframair@gmail.com>> wrote:

This would result in limitation of visibility from the outside (the same way private does) except for the fact that extensions could actually change these variables/functions. Also, restricting it to the module at the same time would not allow access to them and doing extensions like xWrapper (mentioned in one of the mails), unless it was in the same module, but even then it is just easier to change the type itself instead of doing wrapper extensions since the developer has access to it anyway.

I think this would be convenient because outside of the type and its internal extensions these entities would not appear as for public use.

This falls into the same category as protected. If you read through my earlier responses to Jaden you’ll see that I think there is a better way to handle this kind of use case.

Sent from my iPhone

On 3 Mar 2017, at 20:24, Matthew Johnson <matthew@anandabits.com <mailto:matthew@anandabits.com>> wrote:

On Mar 2, 2017, at 10:30 PM, Jaden Geller <jaden.geller@gmail.com <mailto:jaden.geller@gmail.com>> wrote:

On Mar 2, 2017, at 7:51 PM, Matthew Johnson <matthew@anandabits.com <mailto:matthew@anandabits.com>> wrote:

Sent from my iPad

On Mar 2, 2017, at 3:35 PM, Jaden Geller <jaden.geller@gmail.com <mailto:jaden.geller@gmail.com>> wrote:

Hi Matthew,

Overall, I think this is a great simplification of the access control mechanism! I really appreciate the focus on both “simple made easy” and safe defaults.

Thanks Jaden! I appreciate your thoughtful feedback!

I have a few comments and questions:

(1) It seems odd to use `scope` as both an access control modifier alone and as a function-like attribute. Perhaps something like `access(set, scope)` would be better than `scope(set)`. As it is, we're conflating scope with meaning visibility and lexical scope—I found that very confusing.

This is good feedback. The reason I designed it this way is because it is intended to work like the existing access modifiers which can be parameterized or stand alone. The idea is that it is analogous to a function with default arguments and we treat the unbound function as if it had been called with no explicit arguments (using the defaults). There is an example of this in the playground prototype I included.

That said, there is a difference - the existing modifiers don't accept a scope argument. I can see how this could make it more confusing. In the current design `scope(set, lexical)` is already valid and is similar to the `access(set, scope)` idea you suggested.

One thing I want to be very careful about is making the syntax read well if possible. In the playground I even used argument labels `scope(of: set, is: lexical)`. I think that would be too verbose in real code but I think it's important that this read like a sentence in our minds at least.

One option would be to simply remove the default scope argument and require it to be provided explicitly when lexical scope is intended. I'm not sure how I feel about that. I'm going to spend some time thinking about this further. I definitely don't want the shorthand (without arguments) to be a source of confusion.

I think this would be an improvement.

As a sidenote, if there were to be an alias for lexical access control, think the pseudo-adjective `scoped` aligns better with the adjective `public`, `internal`, and `private`. The noun `scope` seems out of place.

Interesting that you say this. I had suggested `scoped` earlier and had second thoughts about that because a verb feels a little bit out of place next to `public`, `internal` and `private`. But I think you’re right that `scoped` does read more similar to them. I will go this route.

(2) I think that the attribute should be spelled `@access` like other attributes in Swift, `@availability` for example. This seems more consistent.

If it were an attribute I would agree. But it's not, it's an access modifier. Those don't have the `@`.

I guess I’m suggesting that it might be better expressed as an attribute. The attribute `@available` is already used to specify symbol visibility (based on platform, version, etc.), so it seem best to align access control by using an attribute as well. I agree that the aliases like `private` shouldn’t require an `@` for concision…

Do we have any cases where we have both an attribute and a declaration modifier that both have the same semantics? I don’t think so. That seems a little bit strange to me. I can see why you would associate this with `@available` but I think it’s better to define it as a declaration modifier.

(Does Swift have a hard-and-fast rule for which modifiers should use attributes and which should use keywords? Or even a more hand-wavey rule? It seems almost arbitrary to me…)

As far as I know declaration modifiers never have `@` and attributes do. I don’t have a good sense of how we decide when something is better expressed as an attribute vs being a declaration modifier. Maybe somebody from the core team can comment on this.

Another benefit is that there’s stylistic precedent for attribute declarations to be placed on the line before the declaration. This works well with wordier restrictions.

I don’t think style should influence whether we use `@` or not. We are free to establish a common style that places longer declaration modifiers on a previous line. I think the community will eventually converge on a reasonable style regardless of how it looks.

(3) Speaking of `@availability`, how do you suppose access control ought to interact with that? Can I somehow mark that the setter was public in a previous version but is now private?

This is a good question. I am not familiar enough with `@availability` to answer off the top of my head. Do you think this is something that needs to be addressed by this proposal?

I’m not entirely sure. It _probably_ doesn’t need to be addressed just yet. I don’t think `@availability` currently has such features, so it would be additive.

Sounds good.

(4) The function-like access control attribute as you proposed it has very odd semantics, especially compared to Swift functions. For example, both `scope(get, file)` and `scope(file)` are valid spellings, as if `get` was a default argument, but Swift does not allow default arguments in that position without labels. Obviously this isn’t a parsing problem since we’re using keywords, but I find it very confusing. Either swap the order of the arguments or, I would prefer, add labels. With my `@access` spelling, we might have `@access(get, in: file)` and `@access(in: file)`.

I actually used labels in the playground and thought about including them in the proposal. I decided against it on the grounds that access modifiers are pervasive and the labels could quickly be seen as noise. If others feel they are important I have no objection.

I like labels, but I can understand the preference for concision. It just confuses my mental model when the semantics cannot be implemented in Swift. In your playground, try removing your labels—the function becomes impossible to call without specifying the capability argument!

I think the default for the capability and the sequence of arguments are both pretty important aspects of the design. The former because we often want to bound *all* capabilities in the same way and bounding the default capability does this. It reads more clearly to only specify the scope. The sequence of arguments is important because I think it reads much better: “access to the setter is bounded to the file”. I think it also reduces the chance that a reader misses the capability and only notices the scope.

We should have a bikeshed discussion about whether labels should be required, optional, or not allowed. I would be happy to let community consensus decide this.

(Sidenote: Why doesn’t Swift warn on function declarations that provide unusable default arguments??)

For the record, `@available` does not use labels. It even omits commas in places I might expect them… `@available(swift 3.0.2)`.

(5) It seems odd that `call` is the name of the default visibility for functions. I agree with the semantics, but the naming seems to imply that I could still refer to the value `let foo = myFunction` but not call it.

Some of these names were pretty tough to decide on. I wholeheartedly embrace bikeshedding here. I wouldn't be surprised if community input can improve on the names I have used. :slight_smile:

I agree that we should eventually bikeshed, but I’m trying to focus on the semantics first :slight_smile:

Yes, that’s a good call. I just wanted to make it clear that I’m not fixated on the naming and acknowledge that it’s a hard problem. :slight_smile:

I chose `call` because if you can see a function you can call it. It isn't possible to see it, bind it to a name, etc without being able to call it and it probably shouldn't ever be.

For Types and Protocols, `use` seems like a very generic word to, well uh, use. Perhaps `visible` would make more sense (though it is not a verb like the others…)?

I agree. This was the most difficult name to decide on. The notion I tried to capture is that if you can see a type you can work with values of of that type (as well as access it's static members). I would be very happy if we could identify a better name.

Perhaps `constrain`?

This is also something you can always do when you can see a protocol, but you can also use it as an existential (thinking ahead to generalized existentials) so you can also work with values of the protocol existential type.

I was potentially recommending constrain for types too. `let x: Int` constrains `x` to be type `Int`, and `let y: Hashable` constraints `y` to be the (existential) type `Hashable`, or at least will once that’s possible. I’m not sure this is a good spelling, just throwing it out there…

Ahh, that’s an interesting perspective.

I think the name `switch` for enums is also not particularly great, but this probably isn’t the time to bikeshed naming.

I used `switchExhaustively` in an earlier draft but thought it was too verbose. Maybe the verbosity is necessary?

Well, I think that the name `switch` is misleading, but I don’t love this more verbose name either. I was thinking `closed` maybe? …since it guarantees that no more cases can be added. Not sure.

Misleading because you can always `switch`, it just might not be exhaustive? That makes sense but maybe it’s not that big a deal because it would be documented as meaning exhaustive. I’m not sure.

I don’t think `closed` is the best name for this because I think the names should focus on the *capability*. `closed` focuses on the restriction placed on future versions of the library.

(6) Do closed protocols fit into this model? The `conform` capability allows API users to add additional conformances, but there’s no capability to promise that the API maintainer itself won’t add additional conformances. Obviously adding this features is out of the scope of this proposal, but I want to know how it might be spelled in this scheme.

Yes. I think this would use the same capability name as enums that support exhaustive switch.

One interesting point is that this would introduce the notion of mutually exclusive capabilities. You can't have both `public(conform)` and `public(switch)`.

(7) It isn’t immediately clear to me the “hierarchy” of additional capabilities. Obviously `set` is a refinement of `get`, but is `override` a refinement on `set` or `get`? Or are they entirely separate? Can you use both? It would be useful to formalize what happens when the access level is specified for multiple additional capabilities.

Great question. I'll add clarification on this point in the next draft. The short answer is that the bounds of additional capabilities are usually independent of each other.

That said, as noted above, in some cases they could be mutually exclusive. It's also possible that they could have other kinds of relationships. This really depends on the semantics of the declaration providing the capabilities.

I think we really ought to formalize these relationships. It’s difficult to reason about otherwise.

The only relationship that exists is currently the relationship between the basic capability and additional capabilities. The scope of the basic capability implicitly bounds that of the additional capabilities and if the scope of an additional capability is wider than `internal` when no explicit bound is provided for the basic capability the bound of the basic capability is widened accordingly.

I have given some thought to formalizing semantic relationships between capabilities but I think it adds complexity to the model for not much gain at the moment. The two simple rules above suffice. We can formalize additional semantic relationships if / when that becomes necessary. Does that make sense? If not, can you offer elaborate on what you would like to see? I want to facilitate reasoning as much as possible without adding unnecessary complexity to the initial model.

(8) It may be useful to clarify the hierarchy of scopes. Each name is mentioned, but it isn’t intuitively obvious how it works. Does `TypeName` essentially allow me to make friend classes, via `@access(set, in: Foo)`, a la C++. If so, that’s pretty cool! I’m assuming `extension` gives visibility in extensions to this type? What about subclasses—is there a sort of `protected` scope?

Great question. I'll clarify this further in an updated draft.

In the meantime, I'm afraid I'm going to have to let you down a bit on this point. Scopes form a strictly nested hierarchy. This means that you can only reference an ancestor scope.

For types, this simply follows the lexical nesting of types and member declarations. A declaration may reference the scope of a type that contains it by using the name of the type. The capability is available to any declarations within the lexical scope of the type declaration, including other types. But it is intentionally *not* like `friend` in C++.

Unfortunate. If the community found this desirable, would it be additive to add this in the future? I don’t necessary want friend types, but I like that this syntax would make them much, much, much more intuitive than in C++. You wouldn’t even have to read the docs to understand the feature—just read the declaration!

They syntax could certainly be extended to support something like this but it doesn’t really work semantically. This is not a limitation of this model. Instead it is a limitation of any type-based access control. Types don’t facilitate a real encapsulation boundary, especially in a language like Swift where a type can be extended in any scope that can see the type. The core team has repeatedly opposed type-based access control for precisely this reason. I don’t expect that to change but if it did, this syntax could certainly be extended to support such a feature.

`extension` is simply a way to reference the lexical scope created by an extension that contains a declaration. It does not provide access to extensions of the type containing the declaration.

The purpose of access control is compiler verified encapsulation. Since anybody can add an extension anywhere the compiler can't really offer any useful verification of encapsulation. I don't think it would be a good idea for access control to have a feature like this. The same is true of protected and any other type-based access control scheme.

I’m not really understanding what you’re saying here. I think we might be saying the same thing. My understanding was

struct Foo {
  scope(extension) var x: Int
}

means that I can write

extension Foo {
  func bar() {
    x += 1
  }
}

unlike if I had chose Swift 3.0 private.

Nope. This is an example of what it means:

extension Foo {
    struct Bar {
        access(extension) var int = 42
    }
    // Bar.int is available here but not outside the scope of this extension
}

If extensions could have names we wouldn’t need `extension` as a scope specifier. Since they don’t, we do.

The example you gave has all of the problems associated with any type-based access control. It is kind of pointless to have a access control like that because it doesn’t offer any real guarantees. Anybody can come along and do this:

extension Foo {
    public var xWrapper: Int { get { return x } set { x = newValue } }
}

This is why I think symbol groups are a more appropriate solution to this use case. They don’t pretend you are really limiting availability in any way but they do allow you to hide the symbol unless an explicit request is made:

import FoosModule including FooExtensions

This makes all symbols in the symbol group `FooExtensions` available. It required explicit opt-in to availability solving the accidental use problem without pretending to really limit the availability of the symbols. I haven’t thought enough about it yet to have an idea of how it might work within the same module but I think this is the right direction for this use case.

Swift's access control system has always followed the idea of strictly hierarchical scopes, it just hasn't allowed us to name most of them. I think this was a really good principle that we should continue to embrace.

That said, I do have some thoughts about ways to address the kinds of use cases people have in mind for "extensions or subclasses of the type" visibility. The idea I have been exploring is what I have been calling "symbol groups". I have been thinking about this in the context of imported symbols and haven't given any thought as to how it might apply outside that context. The way it looks with an import is this:

import UIKit including UIGestureRecognizerSubclasses

The idea here is that the symbols reside in the same (sub)module as the other symbols they are related to but are not imported unless the symbol group name is explicitly stated. This solves the problem of unintentional or inappropriate symbol availability and accidental misuse without offering promises of encapsulation that can't really be followed through on (as is the case with `protected`).

This is obviously well outside the scope of this proposal but is something I think would be worth pursuing at some point.

Thanks for the great proposal, Matthew!

Thanks Jaden! I'm really happy that you like it. I was pretty uncertain about how it would be received. It's encouraging to see that others like the idea. :slight_smile:

Definitely! I appreciate your hard work! I realize how time-consuming it is to write these proposals, not to mention thinking through them!

Thanks! It always seems to take a lot more time than I expect when I first start working on a proposal.

Cheers,
Jaden Geller

On Mar 2, 2017, at 11:58 AM, Matthew Johnson via swift-evolution <swift-evolution@swift.org <mailto:swift-evolution@swift.org>> wrote:

I’ve been continuing to think about how to provide clear and consistent semantics for access control in Swift. This draft represents what I think is the best way to accomplish that. It eliminates the current inconsistencies and establishes a principled basis for the features we have today as well as the enhancements we may need in the future. It does this with minimal breaking changes.

The draft is included below and can also be found here: https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md.

I’m looking forward to everyone’s feedback.

Matthew

A Consistent Foundation For Access Control: Scope-Bounded Capabilities

Proposal: SE-NNNN <https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md>
Authors: Matthew Johnson <https://github.com/anandabits>
Review Manager: TBD
Status: Awaiting review
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#introduction>Introduction

This proposal introduces a consistent foundation for all access control in Swift: scope-bounded capabilities. The existing access control features are generalized with a single mechanism that unifies their semantics. This unified mechanism eliminates the inessential complexity and inconsistency of the current system while expanding its utility.

Swift-evolution thread: Discussion thread topic for that proposal <https://lists.swift.org/pipermail/swift-evolution/>
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#motivation>Motivation

The new access control features in Swift 3 have proven to be extremely controversial. The most common refrain is that we need a more simple system. In order to accomplish this we need to do more than tweak the system we already have. We need to revisit the foundation of the system itself.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#simple-made-easy>Simple Made Easy

Rich Hickey gave a fantastic talk called [Simple Made Easy])(https://www.infoq.com/presentations/Simple-Made-Easy). In this talk Rich explores the etymology and relationship of the words "simple", "complex", and "easy". The meanings he explores are:

Complex: entangled, intertwined, interleaved, braided together
Simple: one strand, single focus, disentangled
Easy: familiar, nearby, readily at hand
The central point Rich makes in this talk is that when a design entangles two orthogonal concepts complexity is the result. He coins the term "complect" to refer to this kind of inessential complexity. This complexity can be removed by disentangling the concepts. Instead of "complecting" independent concerns we can compose them.

The result is a simpler system. It is simpler because independent concepts can be considered and understood independently of each other.

The composition of independent concerns also results in a more flexible system. When orthogonal concepts are entangled it is more difficult to extend the system to meet future needs. One concept cannot be extended independently of the other. It is not possible to make independent decisions about what should be orthogonal aspects of the design.

Rich believes that the programming community is often too quick to reach for an immediately "easy" solution. Unfortunately, the "easy" solution often entangles concepts and are therefor actually complex. He suggests that we firstdesign a simple (i.e. disentangled) solution and then layer ease of use and familiarity on top, thus the title "Simple Made Easy".

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#two-orthogonal-concepts>Two orthogonal concepts

The access control system in Swift 3 incorporates two orthogonal concepts: availability and capability. Availability is what immediately comes to mind when one thinks of access control: a symbol is either available or it is not. Capability is more nuanced. It refers to what you can do with that symbol.

Each declaration supports a basic capability which is always available when the symbol itself is available. Many declarations also offer additional capabiities (such as the ability to inherit, override, set a property, etc). These additional capabilities may be less available than the symbol itself.

In Swift, availability is always specified in terms of a scope. Swift does not currently have a consistent way to talk about capabilities. Thus far we have introduced new syntax every time we wish to distinguish the availabiltiy of an additionalcapability from that of the symbol itself:

open vs public access modifiers classes and methods
Access modifier parameterization for setter availability: private(set)
The @closed attribute which has been discussed as a way to specify non-resilient enums in Swift 4*
It is clear that we need to be able to talk about not just basic availability, but also capabilities. It would be very nice if we had one consistent way to do this. This can be accomplished by composing the concepts of availability and capability into the notion of a scope-bounded capability.

*@closed would lie outside the access control system proper. It is included for the sake of completeness. It is also included to demonstrate how the language currently lacks a clear and obvious way to specify new capability bounds when they are arise.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#problems-with-swifts-access-control-system>Problems with Swift's access control system

Swift's current access control system can has several problems.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#inconsistency>Inconsistency

As noted above, the ways additional capabilities are bounded is inconsistent. The semantics of public are also inconsistent.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#internal-default>Internal default

The Swift evolution community has adopted the principle that nothing should be available outside a module without an explicit declaration of intent by a library author. This is an excellent default which protects library authors against making an error of omission that would require a breaking change to correct. Unfortunately this principle has not been consistently applied.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#public>public

In most cases public only provides access to the basic capability a declaration offers. This is true by definition for declarations do not offer additional capabilities but it is also true for classes (with respect to inheritance) and class methods (with respect to overrides).

However, there are three cases where public currently provides access to additional capabilities:

public var allows access to the setter
public enum allows exhaustive switch
public protocol allows new conformances to be introduced
It is not currently possible to declare resilient enums or closed protocols but both have received significant discussion. Further, resilient enums need to be supported before ABI stability is declared. A consistent access control system would treat these as independent capabilities that are not made available with a simple public declaration.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#private-and-fileprivate>private and fileprivate

The most heavily debated aspect of the changes to the access control system in Swift 3 is without question the change in meaning of private to be the current lexical scope and the renaming of the file-level scope to fileprivate. This change was made with the idea that a lexically scoped private would prove to be a good "soft default" for a less-than-module availability bound. While many users appreciate the semantics of a scope-based access modifier it has not proven to be a good "soft default" and therefore does not deserve the name private.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#extensions>Extensions

In languages without extensions lexically scoped availability is equivalent to type-based availability for members of a type. In such a language it could make a reasonable default. Swift is not such a language.

Using several extensions on the same type within the same file is an extremely common Swift idiom. This idiom is not well supported by a "soft default" of scope-based availability. The tension between a pervasive idiom and the "soft default" leads to confusion about when scope-based a availability is appropriate, and often an overuse of the feature. It also leads to the need to use fileprivate much more frequently than is desirable for such an awkward keyword.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#types-and-members>Types and members

A "soft default" should not have subtle behavior that has the potential to confuse beginners. Most beginners would expect Foo and bar in the following example to have the same visibility. This was true in Swift 2 but it is not true in Swift 3.

private struct Foo {
    private var bar = 42
}
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#an-advanced-feature>An advanced feature

Lexically scoped availability has important uses such as preserving invariants. All access to invariant-related state can be routed through basis methods which access the state carefully without violating invariants, even when that access happens in an extension in the same file. We should not abandon this tool but it should not be the "soft default". It is best reserved for specific use cases where the guarantee it offers is important to correctess of the software.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#essential-and-inessential-complexity>Essential and inessential complexity

The inconsistencies noted above and a bad "soft default" of private are all forms of inessential complexity. This makes Swift's access control system more difficult to understand and use than it needs to be and causes confusion.

At the same time the essential complexity of capabilities that are bounded independent of basic symbol availability is not explicitly acknowledged and embraced. This also makes the access control system more difficult to understand and use than it should be. Users are not taught to think in terms of independently bounded capabilities. This is a concept that could be learned once and applied generally if it was more visible in the language.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#proposed-solution>Proposed solution

The proposed solution is to establish a semantic foundation for access control that is simple in the sense of composing rather than interleaving independent concerns. The solution is made easy by defining familiar names in terms of this foundation while preserving the semantics Swift users expect them to have. It is consistent in its use of a single mechanism for bounding capabilities and its default of internal for all capabilities.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#scope-bounded-capabilities>Scope-bounded capabilities

All access control is defined in terms of a parameterized access modifier that allows the user to specify a capability and a scope that bounds that capability.

// The scope of the setter is the current file.
scope(set, file) var foo = 42
Each parameter has a default argument. The default argument for the capability is simply the basic capability the declaration provides. For a variable this is the getter, for a method it is the ability to call the method, for a type it is the ability to use the type and so on. The default argument for the scope is the current lexical scope.

// The scope of the getter is the current lexical scope.
// This is equivalent to `private var foo = 42` in Swift 3.
scope var foo = 42

// The scope of the getter is the current file.
scope(file) var bar = 42

// The scope of the setter is the current lexical scope.
scope(set) var baz = 42
The scope of the basic capability implicitly bounds additional capabilities: if basic use of a symbol is not available it is not possible to anything with that symbol. This is similar to the existing rule that a type implicitly bounds the availability of all symbols declared within its scope: a public property of an internal type is not available outside the module because the type itself is not available.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#aliases>Aliases

This modifier is simple (in the sense defined above), general and powerful. However it is also unfamiliar, often slightly verbose, and offers a very wide configuration space. Familiar aliases are provided as "soft defaults" which are recommended for common use cases.

These aliases introduce no additional semantics. Once a user understand scopes, capabilities and how they compose to produce scope-bounded capabilities the user also has the ability to understand all aliases we introduce. Tools could even make the definition of the alias available to remind the user of its underlying meaning (similarly to they way Xcode allows a user to command-click to see a symbol definition).

These aliases are defined in terms of the parameterized scope modifier:

private(capability) = scope(capability, file)
internal(capability) = scope(capability, submodule)
public(capability) = scope(capability, everywhere)
open = scope(inherit, everywhere)
open = scope(override, everywhere)
final = scope(inherit, nowhere)
final = scope(override, nowhere)
total = scope(switch, everywhere)
private reverts to the Swift 2 semantics. scope with no parameters has semantics equivalent to that of private in Swift 3.

internal is specified in terms of submodule and is equivalent to module scope until submodules are introduced. It is specified this way to indicate the intent of the author should submodules be added.

total is a placholder subject to bikeshedding. total enum provides semantics equivalent to public enum. public enum receives the semantics of resilient enums. If a suitable shorthand is not identified the slightly longer public(switch) enum can be used to specify an enum which supports exhaustive switch outside the module.

open, final and closed are overloaded based on the kind of declaration they are applied to.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#scopes>Scopes

The hierarchy of scopes is as follows:

nowhere
lexical
TypeName
extension
file
submodule
SubmoduleName
module
everywhere
The name of any ancestor type or submodule of a declaration, including the immediately containing type or submodule, form the set of valid user-defined scope references.

Including nowhere allows us to define final in terms of this system. It also allows us to model all properties and functions with the same set of capabilities: the setter of a read only property is automatically bounded to nowhere and the override capability of a function that is not a class method is automatically bounded to nowhere.

Allowing users to reference any ancestor scope introduces affords advanced users a degree of control that is not possible in the current access control system. If submodules are introduced into Swift this additional control will be especially useful as a means to facilitate bounded collaboration between peer submodules allowing them to communicate in ways not available to the rest of the module.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#capabilities>Capabilities

The capabilities available depend on the kind of declaration an access modifier is applied to. All declarations offer a basiccapability that is always available when the declaration itself is available. The basic capability is specified by default when the scope modifier or a parameterized alias is used without an explicit capability argument. Some declarations also offer additional capabilities which may have an independent bound applied to them.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#properties-and-subscripts>Properties and subscripts

get (the basic capability)
set (for readwrite properties only)
override (for class properties only)
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#functions-and-initializers>Functions and initializers

call (the basic capability)
override (for class methods only)
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#types>Types

use (the basic capability)
inherit (for classes)
switch (for enums)
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#protocols>Protocols

use (the basic capability)
conform
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#extensions-and-typealiases>Extensions and typealiases

use (the basic capability)
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#scalable-in-the-future>Scalable in the future

As the language grows the mechanism of scope-bounded capabilities can be extended in an obvious way to meet the needs of future declarations and capabilities. Users are only required to learn about the new declaration or capability that was introduced. Their existing knowledge of the scope-bounded capability access control system is immediately applicable.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#detailed-design>Detailed design

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#rules>Rules

The rules which make up the essential complexity in Swift's access control system are:

The default scope for all capabilites a declaration offers is module-wide (or submodule-wide in the future).
The scope of a capability may be modified by an explicit access modifier.
The scope of an additional capability is implicitly bounded by the scope of the basic capability.
The scope of an additional capability may not be explicitly specified as greater than that of the basic capability.
If no scope is explicitly provided for the basic capability and an additional capability is specified to be available outside the (sub)module the basic capability is also given the same availability.
The scope of a declaration (including all capabilities) may be bounded by the declaration of ancestor.
The scope of a declaration may not be greater than the scope of the capabilities necessary to use that declaration: if you can't see a parameter type you can't call the function.
Most of these rules already exist in Swift's access control system. There is one change and one addition:

The first rule changes the availability of the additional capability of public readwrite properties, protocols and enums.
The fifth rule affords shorthand for implicitly making the basic capability public when an additional capability is also made public.
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#grammar>Grammar

The changes to the access modifier grammar are as follows:

access-level-modifier → scope­ | scope­(­ capability-specifier ­)­ | scope­(­ scope-specifier ­)­ | scope­( capability-specifier ­, scope-specifier ­)­
access-level-modifier → private­ | private­(­ capability-specifier ­)­
access-level-modifier → internal­ | internal­(­ capability-specifier ­)­
access-level-modifier → public­ | public­(­ capability-specifier ­)­
access-level-modifier → open­
access-level-modifier → final
access-level-modifier → total

scope-specifier → nowhere | extension | file | submodule | module | everywhere | identifier
capability-specifier → set | inherit | override | conform | switch
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#playground>Playground

A Swift playground that includes a prototype of the basic scope-bounded capability access modifier as well as the aliases is availabe here <https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.playground.zip>.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#future-possibilities>Future possibilities

Scope-bounded capabilities are able to express set-only properties and override-only methods with a minor change to the rules of the system. These features have been requested on the list in the past. In the case of override-only methods there are known examples in Apple's frameworks. Allowing support for these would add some complexity to the model and is not essential to establishing a consistent basis for the existing access control feature.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#source-compatibility>Source compatibility

This proposal will not cause any Swift 3 source to fail to compile but will produce different behavior in three cases. In all cases a mechanical migration is possible.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#public-var>public var

This proposal removes the availability of the setter of a public var outside the module, requiring public(set) var to expose the setter. This requires a migration of existing code. We could ease this transition with a deprecation warning in one release and then introduce the semantic change in the following release.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#public-enum>public enum

This proposal removes the availability of exhaustive switch from public enums. Non-resilient enums will need to be declared as a total enum (or the equivalent keyword chose after bikeshedding) or public(switch) enum if we choose not to introduce an alias for this semantic. As with public var, a deprecation warning and deferred semantic change could be used to ease the transition.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#public-protocol>public protocol

This proposal requires protocols conformable outside the module to use the open protocol alias rather than public protocol. Visible but not conformable protocols are out of scope for Swift 4. This means that in Swift 4 open protocoland public protocol could share the same semantics with a deprecation warning on public protocol telling users to use open and that the semantics of public protocol will be different in the future. We could remove support for public protocol in a point release, reserving it until we introduce the ability for a protocol to be visible but not conformable.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#effect-on-abi-stability>Effect on ABI stability

If this proposal impacts ABI stability it would be in the area of runtime metadata or introspection. Input on this topic is welcome.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#effect-on-api-resilience>Effect on API resilience

This proposal does not impact API reslience. The proposed solution recasts some existing features but does so in a way that should be backwards compatible. No existing semantics are changed, only how those semantics are stated syntactically.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#alternatives-considered>Alternatives considered

The primary alternative is to continue using the ad-hoc approach to meeting our access control needs. There have been many different ideas about how we might be able to simplify the current system by removing or slightly tweaking some of the existing features. The author believes this approach will not be able to meet future needs well and will continue to be burdened by the accumulation of inessential complexity. This situation will get worse, not better, as new features are added to the language.
_______________________________________________
swift-evolution mailing list
swift-evolution@swift.org <mailto:swift-evolution@swift.org>
https://lists.swift.org/mailman/listinfo/swift-evolution


(Matthew Johnson) #6

I like this way of thinking about it (an additional bound). I personally think that the I initial proposal ought to be as simple as possible, so this feature probably should be omitted.

Cool. I’ll mention this in future possibilities. I think the right name for it would be a scope “refinement”. Bound doesn’t feel quite right because there is no intrinsic order.

Thanks for continuing to push on this topic. It’s always cool to find a way to bring different perspectives together! (I hope we eventually find a solution that does this for submodules as well - it’s clear that there is no lack of diversity in opinions on that topic)

···

On Mar 3, 2017, at 5:59 PM, jaden.geller@gmail.com wrote:

On Mar 3, 2017, at 3:53 PM, Matthew Johnson <matthew@anandabits.com <mailto:matthew@anandabits.com>> wrote:

On Mar 3, 2017, at 5:12 PM, jaden.geller@gmail.com <mailto:jaden.geller@gmail.com> wrote:

On Mar 3, 2017, at 3:08 PM, Matthew Johnson <matthew@anandabits.com <mailto:matthew@anandabits.com>> wrote:

On Mar 3, 2017, at 5:02 PM, Paweł Wojtkowiak <neframair@gmail.com <mailto:neframair@gmail.com>> wrote:

Why not add a scope which allows access to the variables and functions only for the type itself and its extensions, but only within the current module?

Because this is really identical to module-wide visibility. Any file in the whole module can contain an extension of the type. See my earlier responses to Jaden for more details.

Yes, but you can also change the original source to change the visibility too, so I don't find this argument compelling. I could also add code in the other file too… Disallowing this control level simplify restricts code organization.

The idea is this visibility expresses that it is an implementation detail of the type while recognizing that extensions might need access to it. Perhaps you can implement an extension more efficiently if you're not restricted to going through the public abstraction.

Thinking about this further, I think my objection is primarily the open-endedness of type-based schemes. If a type-based scheme is *combined* with a strict scope specifier it isn’t problematic. In that case restricting access to a type and its extensions / subclasses / conformances is not actually open-ended. It is an additional bound.

We could consider this to be something like a predicate applied to scopes within the specified scope bound which would be true for all inner scopes by default. It might look something like this:

// restricts access to Foo and its extensions and subclasses
// but only those which are declared inside the same submodule as this declaration:
access(set, submodule, Foo(extensions, subclasses))

I wouldn’t have a problem with a scheme like this. The question in my mind is whether or not the complexity it adds can be sufficiently motivated. Do you have any good motivating examples?

An interesting observation is that if we did introduce this capability we could also introduce an alias `protected`:

protected(capability, scope) = access(capability, scope, Self(subclasses))

This would result in limitation of visibility from the outside (the same way private does) except for the fact that extensions could actually change these variables/functions. Also, restricting it to the module at the same time would not allow access to them and doing extensions like xWrapper (mentioned in one of the mails), unless it was in the same module, but even then it is just easier to change the type itself instead of doing wrapper extensions since the developer has access to it anyway.

I think this would be convenient because outside of the type and its internal extensions these entities would not appear as for public use.

This falls into the same category as protected. If you read through my earlier responses to Jaden you’ll see that I think there is a better way to handle this kind of use case.

Sent from my iPhone

On 3 Mar 2017, at 20:24, Matthew Johnson <matthew@anandabits.com <mailto:matthew@anandabits.com>> wrote:

On Mar 2, 2017, at 10:30 PM, Jaden Geller <jaden.geller@gmail.com <mailto:jaden.geller@gmail.com>> wrote:

On Mar 2, 2017, at 7:51 PM, Matthew Johnson <matthew@anandabits.com <mailto:matthew@anandabits.com>> wrote:

Sent from my iPad

On Mar 2, 2017, at 3:35 PM, Jaden Geller <jaden.geller@gmail.com <mailto:jaden.geller@gmail.com>> wrote:

Hi Matthew,

Overall, I think this is a great simplification of the access control mechanism! I really appreciate the focus on both “simple made easy” and safe defaults.

Thanks Jaden! I appreciate your thoughtful feedback!

I have a few comments and questions:

(1) It seems odd to use `scope` as both an access control modifier alone and as a function-like attribute. Perhaps something like `access(set, scope)` would be better than `scope(set)`. As it is, we're conflating scope with meaning visibility and lexical scope—I found that very confusing.

This is good feedback. The reason I designed it this way is because it is intended to work like the existing access modifiers which can be parameterized or stand alone. The idea is that it is analogous to a function with default arguments and we treat the unbound function as if it had been called with no explicit arguments (using the defaults). There is an example of this in the playground prototype I included.

That said, there is a difference - the existing modifiers don't accept a scope argument. I can see how this could make it more confusing. In the current design `scope(set, lexical)` is already valid and is similar to the `access(set, scope)` idea you suggested.

One thing I want to be very careful about is making the syntax read well if possible. In the playground I even used argument labels `scope(of: set, is: lexical)`. I think that would be too verbose in real code but I think it's important that this read like a sentence in our minds at least.

One option would be to simply remove the default scope argument and require it to be provided explicitly when lexical scope is intended. I'm not sure how I feel about that. I'm going to spend some time thinking about this further. I definitely don't want the shorthand (without arguments) to be a source of confusion.

I think this would be an improvement.

As a sidenote, if there were to be an alias for lexical access control, think the pseudo-adjective `scoped` aligns better with the adjective `public`, `internal`, and `private`. The noun `scope` seems out of place.

Interesting that you say this. I had suggested `scoped` earlier and had second thoughts about that because a verb feels a little bit out of place next to `public`, `internal` and `private`. But I think you’re right that `scoped` does read more similar to them. I will go this route.

(2) I think that the attribute should be spelled `@access` like other attributes in Swift, `@availability` for example. This seems more consistent.

If it were an attribute I would agree. But it's not, it's an access modifier. Those don't have the `@`.

I guess I’m suggesting that it might be better expressed as an attribute. The attribute `@available` is already used to specify symbol visibility (based on platform, version, etc.), so it seem best to align access control by using an attribute as well. I agree that the aliases like `private` shouldn’t require an `@` for concision…

Do we have any cases where we have both an attribute and a declaration modifier that both have the same semantics? I don’t think so. That seems a little bit strange to me. I can see why you would associate this with `@available` but I think it’s better to define it as a declaration modifier.

(Does Swift have a hard-and-fast rule for which modifiers should use attributes and which should use keywords? Or even a more hand-wavey rule? It seems almost arbitrary to me…)

As far as I know declaration modifiers never have `@` and attributes do. I don’t have a good sense of how we decide when something is better expressed as an attribute vs being a declaration modifier. Maybe somebody from the core team can comment on this.

Another benefit is that there’s stylistic precedent for attribute declarations to be placed on the line before the declaration. This works well with wordier restrictions.

I don’t think style should influence whether we use `@` or not. We are free to establish a common style that places longer declaration modifiers on a previous line. I think the community will eventually converge on a reasonable style regardless of how it looks.

(3) Speaking of `@availability`, how do you suppose access control ought to interact with that? Can I somehow mark that the setter was public in a previous version but is now private?

This is a good question. I am not familiar enough with `@availability` to answer off the top of my head. Do you think this is something that needs to be addressed by this proposal?

I’m not entirely sure. It _probably_ doesn’t need to be addressed just yet. I don’t think `@availability` currently has such features, so it would be additive.

Sounds good.

(4) The function-like access control attribute as you proposed it has very odd semantics, especially compared to Swift functions. For example, both `scope(get, file)` and `scope(file)` are valid spellings, as if `get` was a default argument, but Swift does not allow default arguments in that position without labels. Obviously this isn’t a parsing problem since we’re using keywords, but I find it very confusing. Either swap the order of the arguments or, I would prefer, add labels. With my `@access` spelling, we might have `@access(get, in: file)` and `@access(in: file)`.

I actually used labels in the playground and thought about including them in the proposal. I decided against it on the grounds that access modifiers are pervasive and the labels could quickly be seen as noise. If others feel they are important I have no objection.

I like labels, but I can understand the preference for concision. It just confuses my mental model when the semantics cannot be implemented in Swift. In your playground, try removing your labels—the function becomes impossible to call without specifying the capability argument!

I think the default for the capability and the sequence of arguments are both pretty important aspects of the design. The former because we often want to bound *all* capabilities in the same way and bounding the default capability does this. It reads more clearly to only specify the scope. The sequence of arguments is important because I think it reads much better: “access to the setter is bounded to the file”. I think it also reduces the chance that a reader misses the capability and only notices the scope.

We should have a bikeshed discussion about whether labels should be required, optional, or not allowed. I would be happy to let community consensus decide this.

(Sidenote: Why doesn’t Swift warn on function declarations that provide unusable default arguments??)

For the record, `@available` does not use labels. It even omits commas in places I might expect them… `@available(swift 3.0.2)`.

(5) It seems odd that `call` is the name of the default visibility for functions. I agree with the semantics, but the naming seems to imply that I could still refer to the value `let foo = myFunction` but not call it.

Some of these names were pretty tough to decide on. I wholeheartedly embrace bikeshedding here. I wouldn't be surprised if community input can improve on the names I have used. :slight_smile:

I agree that we should eventually bikeshed, but I’m trying to focus on the semantics first :slight_smile:

Yes, that’s a good call. I just wanted to make it clear that I’m not fixated on the naming and acknowledge that it’s a hard problem. :slight_smile:

I chose `call` because if you can see a function you can call it. It isn't possible to see it, bind it to a name, etc without being able to call it and it probably shouldn't ever be.

For Types and Protocols, `use` seems like a very generic word to, well uh, use. Perhaps `visible` would make more sense (though it is not a verb like the others…)?

I agree. This was the most difficult name to decide on. The notion I tried to capture is that if you can see a type you can work with values of of that type (as well as access it's static members). I would be very happy if we could identify a better name.

Perhaps `constrain`?

This is also something you can always do when you can see a protocol, but you can also use it as an existential (thinking ahead to generalized existentials) so you can also work with values of the protocol existential type.

I was potentially recommending constrain for types too. `let x: Int` constrains `x` to be type `Int`, and `let y: Hashable` constraints `y` to be the (existential) type `Hashable`, or at least will once that’s possible. I’m not sure this is a good spelling, just throwing it out there…

Ahh, that’s an interesting perspective.

I think the name `switch` for enums is also not particularly great, but this probably isn’t the time to bikeshed naming.

I used `switchExhaustively` in an earlier draft but thought it was too verbose. Maybe the verbosity is necessary?

Well, I think that the name `switch` is misleading, but I don’t love this more verbose name either. I was thinking `closed` maybe? …since it guarantees that no more cases can be added. Not sure.

Misleading because you can always `switch`, it just might not be exhaustive? That makes sense but maybe it’s not that big a deal because it would be documented as meaning exhaustive. I’m not sure.

I don’t think `closed` is the best name for this because I think the names should focus on the *capability*. `closed` focuses on the restriction placed on future versions of the library.

(6) Do closed protocols fit into this model? The `conform` capability allows API users to add additional conformances, but there’s no capability to promise that the API maintainer itself won’t add additional conformances. Obviously adding this features is out of the scope of this proposal, but I want to know how it might be spelled in this scheme.

Yes. I think this would use the same capability name as enums that support exhaustive switch.

One interesting point is that this would introduce the notion of mutually exclusive capabilities. You can't have both `public(conform)` and `public(switch)`.

(7) It isn’t immediately clear to me the “hierarchy” of additional capabilities. Obviously `set` is a refinement of `get`, but is `override` a refinement on `set` or `get`? Or are they entirely separate? Can you use both? It would be useful to formalize what happens when the access level is specified for multiple additional capabilities.

Great question. I'll add clarification on this point in the next draft. The short answer is that the bounds of additional capabilities are usually independent of each other.

That said, as noted above, in some cases they could be mutually exclusive. It's also possible that they could have other kinds of relationships. This really depends on the semantics of the declaration providing the capabilities.

I think we really ought to formalize these relationships. It’s difficult to reason about otherwise.

The only relationship that exists is currently the relationship between the basic capability and additional capabilities. The scope of the basic capability implicitly bounds that of the additional capabilities and if the scope of an additional capability is wider than `internal` when no explicit bound is provided for the basic capability the bound of the basic capability is widened accordingly.

I have given some thought to formalizing semantic relationships between capabilities but I think it adds complexity to the model for not much gain at the moment. The two simple rules above suffice. We can formalize additional semantic relationships if / when that becomes necessary. Does that make sense? If not, can you offer elaborate on what you would like to see? I want to facilitate reasoning as much as possible without adding unnecessary complexity to the initial model.

(8) It may be useful to clarify the hierarchy of scopes. Each name is mentioned, but it isn’t intuitively obvious how it works. Does `TypeName` essentially allow me to make friend classes, via `@access(set, in: Foo)`, a la C++. If so, that’s pretty cool! I’m assuming `extension` gives visibility in extensions to this type? What about subclasses—is there a sort of `protected` scope?

Great question. I'll clarify this further in an updated draft.

In the meantime, I'm afraid I'm going to have to let you down a bit on this point. Scopes form a strictly nested hierarchy. This means that you can only reference an ancestor scope.

For types, this simply follows the lexical nesting of types and member declarations. A declaration may reference the scope of a type that contains it by using the name of the type. The capability is available to any declarations within the lexical scope of the type declaration, including other types. But it is intentionally *not* like `friend` in C++.

Unfortunate. If the community found this desirable, would it be additive to add this in the future? I don’t necessary want friend types, but I like that this syntax would make them much, much, much more intuitive than in C++. You wouldn’t even have to read the docs to understand the feature—just read the declaration!

They syntax could certainly be extended to support something like this but it doesn’t really work semantically. This is not a limitation of this model. Instead it is a limitation of any type-based access control. Types don’t facilitate a real encapsulation boundary, especially in a language like Swift where a type can be extended in any scope that can see the type. The core team has repeatedly opposed type-based access control for precisely this reason. I don’t expect that to change but if it did, this syntax could certainly be extended to support such a feature.

`extension` is simply a way to reference the lexical scope created by an extension that contains a declaration. It does not provide access to extensions of the type containing the declaration.

The purpose of access control is compiler verified encapsulation. Since anybody can add an extension anywhere the compiler can't really offer any useful verification of encapsulation. I don't think it would be a good idea for access control to have a feature like this. The same is true of protected and any other type-based access control scheme.

I’m not really understanding what you’re saying here. I think we might be saying the same thing. My understanding was

struct Foo {
  scope(extension) var x: Int
}

means that I can write

extension Foo {
  func bar() {
    x += 1
  }
}

unlike if I had chose Swift 3.0 private.

Nope. This is an example of what it means:

extension Foo {
    struct Bar {
        access(extension) var int = 42
    }
    // Bar.int is available here but not outside the scope of this extension
}

If extensions could have names we wouldn’t need `extension` as a scope specifier. Since they don’t, we do.

The example you gave has all of the problems associated with any type-based access control. It is kind of pointless to have a access control like that because it doesn’t offer any real guarantees. Anybody can come along and do this:

extension Foo {
    public var xWrapper: Int { get { return x } set { x = newValue } }
}

This is why I think symbol groups are a more appropriate solution to this use case. They don’t pretend you are really limiting availability in any way but they do allow you to hide the symbol unless an explicit request is made:

import FoosModule including FooExtensions

This makes all symbols in the symbol group `FooExtensions` available. It required explicit opt-in to availability solving the accidental use problem without pretending to really limit the availability of the symbols. I haven’t thought enough about it yet to have an idea of how it might work within the same module but I think this is the right direction for this use case.

Swift's access control system has always followed the idea of strictly hierarchical scopes, it just hasn't allowed us to name most of them. I think this was a really good principle that we should continue to embrace.

That said, I do have some thoughts about ways to address the kinds of use cases people have in mind for "extensions or subclasses of the type" visibility. The idea I have been exploring is what I have been calling "symbol groups". I have been thinking about this in the context of imported symbols and haven't given any thought as to how it might apply outside that context. The way it looks with an import is this:

import UIKit including UIGestureRecognizerSubclasses

The idea here is that the symbols reside in the same (sub)module as the other symbols they are related to but are not imported unless the symbol group name is explicitly stated. This solves the problem of unintentional or inappropriate symbol availability and accidental misuse without offering promises of encapsulation that can't really be followed through on (as is the case with `protected`).

This is obviously well outside the scope of this proposal but is something I think would be worth pursuing at some point.

Thanks for the great proposal, Matthew!

Thanks Jaden! I'm really happy that you like it. I was pretty uncertain about how it would be received. It's encouraging to see that others like the idea. :slight_smile:

Definitely! I appreciate your hard work! I realize how time-consuming it is to write these proposals, not to mention thinking through them!

Thanks! It always seems to take a lot more time than I expect when I first start working on a proposal.

Cheers,
Jaden Geller

On Mar 2, 2017, at 11:58 AM, Matthew Johnson via swift-evolution <swift-evolution@swift.org <mailto:swift-evolution@swift.org>> wrote:

I’ve been continuing to think about how to provide clear and consistent semantics for access control in Swift. This draft represents what I think is the best way to accomplish that. It eliminates the current inconsistencies and establishes a principled basis for the features we have today as well as the enhancements we may need in the future. It does this with minimal breaking changes.

The draft is included below and can also be found here: https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md.

I’m looking forward to everyone’s feedback.

Matthew

A Consistent Foundation For Access Control: Scope-Bounded Capabilities

Proposal: SE-NNNN <https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md>
Authors: Matthew Johnson <https://github.com/anandabits>
Review Manager: TBD
Status: Awaiting review
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#introduction>Introduction

This proposal introduces a consistent foundation for all access control in Swift: scope-bounded capabilities. The existing access control features are generalized with a single mechanism that unifies their semantics. This unified mechanism eliminates the inessential complexity and inconsistency of the current system while expanding its utility.

Swift-evolution thread: Discussion thread topic for that proposal <https://lists.swift.org/pipermail/swift-evolution/>
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#motivation>Motivation

The new access control features in Swift 3 have proven to be extremely controversial. The most common refrain is that we need a more simple system. In order to accomplish this we need to do more than tweak the system we already have. We need to revisit the foundation of the system itself.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#simple-made-easy>Simple Made Easy

Rich Hickey gave a fantastic talk called [Simple Made Easy])(https://www.infoq.com/presentations/Simple-Made-Easy). In this talk Rich explores the etymology and relationship of the words "simple", "complex", and "easy". The meanings he explores are:

Complex: entangled, intertwined, interleaved, braided together
Simple: one strand, single focus, disentangled
Easy: familiar, nearby, readily at hand
The central point Rich makes in this talk is that when a design entangles two orthogonal concepts complexity is the result. He coins the term "complect" to refer to this kind of inessential complexity. This complexity can be removed by disentangling the concepts. Instead of "complecting" independent concerns we can compose them.

The result is a simpler system. It is simpler because independent concepts can be considered and understood independently of each other.

The composition of independent concerns also results in a more flexible system. When orthogonal concepts are entangled it is more difficult to extend the system to meet future needs. One concept cannot be extended independently of the other. It is not possible to make independent decisions about what should be orthogonal aspects of the design.

Rich believes that the programming community is often too quick to reach for an immediately "easy" solution. Unfortunately, the "easy" solution often entangles concepts and are therefor actually complex. He suggests that we firstdesign a simple (i.e. disentangled) solution and then layer ease of use and familiarity on top, thus the title "Simple Made Easy".

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#two-orthogonal-concepts>Two orthogonal concepts

The access control system in Swift 3 incorporates two orthogonal concepts: availability and capability. Availability is what immediately comes to mind when one thinks of access control: a symbol is either available or it is not. Capability is more nuanced. It refers to what you can do with that symbol.

Each declaration supports a basic capability which is always available when the symbol itself is available. Many declarations also offer additional capabiities (such as the ability to inherit, override, set a property, etc). These additional capabilities may be less available than the symbol itself.

In Swift, availability is always specified in terms of a scope. Swift does not currently have a consistent way to talk about capabilities. Thus far we have introduced new syntax every time we wish to distinguish the availabiltiy of an additionalcapability from that of the symbol itself:

open vs public access modifiers classes and methods
Access modifier parameterization for setter availability: private(set)
The @closed attribute which has been discussed as a way to specify non-resilient enums in Swift 4*
It is clear that we need to be able to talk about not just basic availability, but also capabilities. It would be very nice if we had one consistent way to do this. This can be accomplished by composing the concepts of availability and capability into the notion of a scope-bounded capability.

*@closed would lie outside the access control system proper. It is included for the sake of completeness. It is also included to demonstrate how the language currently lacks a clear and obvious way to specify new capability bounds when they are arise.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#problems-with-swifts-access-control-system>Problems with Swift's access control system

Swift's current access control system can has several problems.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#inconsistency>Inconsistency

As noted above, the ways additional capabilities are bounded is inconsistent. The semantics of public are also inconsistent.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#internal-default>Internal default

The Swift evolution community has adopted the principle that nothing should be available outside a module without an explicit declaration of intent by a library author. This is an excellent default which protects library authors against making an error of omission that would require a breaking change to correct. Unfortunately this principle has not been consistently applied.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#public>public

In most cases public only provides access to the basic capability a declaration offers. This is true by definition for declarations do not offer additional capabilities but it is also true for classes (with respect to inheritance) and class methods (with respect to overrides).

However, there are three cases where public currently provides access to additional capabilities:

public var allows access to the setter
public enum allows exhaustive switch
public protocol allows new conformances to be introduced
It is not currently possible to declare resilient enums or closed protocols but both have received significant discussion. Further, resilient enums need to be supported before ABI stability is declared. A consistent access control system would treat these as independent capabilities that are not made available with a simple public declaration.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#private-and-fileprivate>private and fileprivate

The most heavily debated aspect of the changes to the access control system in Swift 3 is without question the change in meaning of private to be the current lexical scope and the renaming of the file-level scope to fileprivate. This change was made with the idea that a lexically scoped private would prove to be a good "soft default" for a less-than-module availability bound. While many users appreciate the semantics of a scope-based access modifier it has not proven to be a good "soft default" and therefore does not deserve the name private.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#extensions>Extensions

In languages without extensions lexically scoped availability is equivalent to type-based availability for members of a type. In such a language it could make a reasonable default. Swift is not such a language.

Using several extensions on the same type within the same file is an extremely common Swift idiom. This idiom is not well supported by a "soft default" of scope-based availability. The tension between a pervasive idiom and the "soft default" leads to confusion about when scope-based a availability is appropriate, and often an overuse of the feature. It also leads to the need to use fileprivate much more frequently than is desirable for such an awkward keyword.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#types-and-members>Types and members

A "soft default" should not have subtle behavior that has the potential to confuse beginners. Most beginners would expect Foo and bar in the following example to have the same visibility. This was true in Swift 2 but it is not true in Swift 3.

private struct Foo {
    private var bar = 42
}
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#an-advanced-feature>An advanced feature

Lexically scoped availability has important uses such as preserving invariants. All access to invariant-related state can be routed through basis methods which access the state carefully without violating invariants, even when that access happens in an extension in the same file. We should not abandon this tool but it should not be the "soft default". It is best reserved for specific use cases where the guarantee it offers is important to correctess of the software.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#essential-and-inessential-complexity>Essential and inessential complexity

The inconsistencies noted above and a bad "soft default" of private are all forms of inessential complexity. This makes Swift's access control system more difficult to understand and use than it needs to be and causes confusion.

At the same time the essential complexity of capabilities that are bounded independent of basic symbol availability is not explicitly acknowledged and embraced. This also makes the access control system more difficult to understand and use than it should be. Users are not taught to think in terms of independently bounded capabilities. This is a concept that could be learned once and applied generally if it was more visible in the language.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#proposed-solution>Proposed solution

The proposed solution is to establish a semantic foundation for access control that is simple in the sense of composing rather than interleaving independent concerns. The solution is made easy by defining familiar names in terms of this foundation while preserving the semantics Swift users expect them to have. It is consistent in its use of a single mechanism for bounding capabilities and its default of internal for all capabilities.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#scope-bounded-capabilities>Scope-bounded capabilities

All access control is defined in terms of a parameterized access modifier that allows the user to specify a capability and a scope that bounds that capability.

// The scope of the setter is the current file.
scope(set, file) var foo = 42
Each parameter has a default argument. The default argument for the capability is simply the basic capability the declaration provides. For a variable this is the getter, for a method it is the ability to call the method, for a type it is the ability to use the type and so on. The default argument for the scope is the current lexical scope.

// The scope of the getter is the current lexical scope.
// This is equivalent to `private var foo = 42` in Swift 3.
scope var foo = 42

// The scope of the getter is the current file.
scope(file) var bar = 42

// The scope of the setter is the current lexical scope.
scope(set) var baz = 42
The scope of the basic capability implicitly bounds additional capabilities: if basic use of a symbol is not available it is not possible to anything with that symbol. This is similar to the existing rule that a type implicitly bounds the availability of all symbols declared within its scope: a public property of an internal type is not available outside the module because the type itself is not available.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#aliases>Aliases

This modifier is simple (in the sense defined above), general and powerful. However it is also unfamiliar, often slightly verbose, and offers a very wide configuration space. Familiar aliases are provided as "soft defaults" which are recommended for common use cases.

These aliases introduce no additional semantics. Once a user understand scopes, capabilities and how they compose to produce scope-bounded capabilities the user also has the ability to understand all aliases we introduce. Tools could even make the definition of the alias available to remind the user of its underlying meaning (similarly to they way Xcode allows a user to command-click to see a symbol definition).

These aliases are defined in terms of the parameterized scope modifier:

private(capability) = scope(capability, file)
internal(capability) = scope(capability, submodule)
public(capability) = scope(capability, everywhere)
open = scope(inherit, everywhere)
open = scope(override, everywhere)
final = scope(inherit, nowhere)
final = scope(override, nowhere)
total = scope(switch, everywhere)
private reverts to the Swift 2 semantics. scope with no parameters has semantics equivalent to that of private in Swift 3.

internal is specified in terms of submodule and is equivalent to module scope until submodules are introduced. It is specified this way to indicate the intent of the author should submodules be added.

total is a placholder subject to bikeshedding. total enum provides semantics equivalent to public enum. public enum receives the semantics of resilient enums. If a suitable shorthand is not identified the slightly longer public(switch) enum can be used to specify an enum which supports exhaustive switch outside the module.

open, final and closed are overloaded based on the kind of declaration they are applied to.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#scopes>Scopes

The hierarchy of scopes is as follows:

nowhere
lexical
TypeName
extension
file
submodule
SubmoduleName
module
everywhere
The name of any ancestor type or submodule of a declaration, including the immediately containing type or submodule, form the set of valid user-defined scope references.

Including nowhere allows us to define final in terms of this system. It also allows us to model all properties and functions with the same set of capabilities: the setter of a read only property is automatically bounded to nowhere and the override capability of a function that is not a class method is automatically bounded to nowhere.

Allowing users to reference any ancestor scope introduces affords advanced users a degree of control that is not possible in the current access control system. If submodules are introduced into Swift this additional control will be especially useful as a means to facilitate bounded collaboration between peer submodules allowing them to communicate in ways not available to the rest of the module.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#capabilities>Capabilities

The capabilities available depend on the kind of declaration an access modifier is applied to. All declarations offer a basiccapability that is always available when the declaration itself is available. The basic capability is specified by default when the scope modifier or a parameterized alias is used without an explicit capability argument. Some declarations also offer additional capabilities which may have an independent bound applied to them.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#properties-and-subscripts>Properties and subscripts

get (the basic capability)
set (for readwrite properties only)
override (for class properties only)
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#functions-and-initializers>Functions and initializers

call (the basic capability)
override (for class methods only)
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#types>Types

use (the basic capability)
inherit (for classes)
switch (for enums)
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#protocols>Protocols

use (the basic capability)
conform
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#extensions-and-typealiases>Extensions and typealiases

use (the basic capability)
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#scalable-in-the-future>Scalable in the future

As the language grows the mechanism of scope-bounded capabilities can be extended in an obvious way to meet the needs of future declarations and capabilities. Users are only required to learn about the new declaration or capability that was introduced. Their existing knowledge of the scope-bounded capability access control system is immediately applicable.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#detailed-design>Detailed design

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#rules>Rules

The rules which make up the essential complexity in Swift's access control system are:

The default scope for all capabilites a declaration offers is module-wide (or submodule-wide in the future).
The scope of a capability may be modified by an explicit access modifier.
The scope of an additional capability is implicitly bounded by the scope of the basic capability.
The scope of an additional capability may not be explicitly specified as greater than that of the basic capability.
If no scope is explicitly provided for the basic capability and an additional capability is specified to be available outside the (sub)module the basic capability is also given the same availability.
The scope of a declaration (including all capabilities) may be bounded by the declaration of ancestor.
The scope of a declaration may not be greater than the scope of the capabilities necessary to use that declaration: if you can't see a parameter type you can't call the function.
Most of these rules already exist in Swift's access control system. There is one change and one addition:

The first rule changes the availability of the additional capability of public readwrite properties, protocols and enums.
The fifth rule affords shorthand for implicitly making the basic capability public when an additional capability is also made public.
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#grammar>Grammar

The changes to the access modifier grammar are as follows:

access-level-modifier → scope­ | scope­(­ capability-specifier ­)­ | scope­(­ scope-specifier ­)­ | scope­( capability-specifier ­, scope-specifier ­)­
access-level-modifier → private­ | private­(­ capability-specifier ­)­
access-level-modifier → internal­ | internal­(­ capability-specifier ­)­
access-level-modifier → public­ | public­(­ capability-specifier ­)­
access-level-modifier → open­
access-level-modifier → final
access-level-modifier → total

scope-specifier → nowhere | extension | file | submodule | module | everywhere | identifier
capability-specifier → set | inherit | override | conform | switch
<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#playground>Playground

A Swift playground that includes a prototype of the basic scope-bounded capability access modifier as well as the aliases is availabe here <https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.playground.zip>.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#future-possibilities>Future possibilities

Scope-bounded capabilities are able to express set-only properties and override-only methods with a minor change to the rules of the system. These features have been requested on the list in the past. In the case of override-only methods there are known examples in Apple's frameworks. Allowing support for these would add some complexity to the model and is not essential to establishing a consistent basis for the existing access control feature.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#source-compatibility>Source compatibility

This proposal will not cause any Swift 3 source to fail to compile but will produce different behavior in three cases. In all cases a mechanical migration is possible.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#public-var>public var

This proposal removes the availability of the setter of a public var outside the module, requiring public(set) var to expose the setter. This requires a migration of existing code. We could ease this transition with a deprecation warning in one release and then introduce the semantic change in the following release.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#public-enum>public enum

This proposal removes the availability of exhaustive switch from public enums. Non-resilient enums will need to be declared as a total enum (or the equivalent keyword chose after bikeshedding) or public(switch) enum if we choose not to introduce an alias for this semantic. As with public var, a deprecation warning and deferred semantic change could be used to ease the transition.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#public-protocol>public protocol

This proposal requires protocols conformable outside the module to use the open protocol alias rather than public protocol. Visible but not conformable protocols are out of scope for Swift 4. This means that in Swift 4 open protocoland public protocol could share the same semantics with a deprecation warning on public protocol telling users to use open and that the semantics of public protocol will be different in the future. We could remove support for public protocol in a point release, reserving it until we introduce the ability for a protocol to be visible but not conformable.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#effect-on-abi-stability>Effect on ABI stability

If this proposal impacts ABI stability it would be in the area of runtime metadata or introspection. Input on this topic is welcome.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#effect-on-api-resilience>Effect on API resilience

This proposal does not impact API reslience. The proposed solution recasts some existing features but does so in a way that should be backwards compatible. No existing semantics are changed, only how those semantics are stated syntactically.

<https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md#alternatives-considered>Alternatives considered

The primary alternative is to continue using the ad-hoc approach to meeting our access control needs. There have been many different ideas about how we might be able to simplify the current system by removing or slightly tweaking some of the existing features. The author believes this approach will not be able to meet future needs well and will continue to be burdened by the accumulation of inessential complexity. This situation will get worse, not better, as new features are added to the language.
_______________________________________________
swift-evolution mailing list
swift-evolution@swift.org <mailto:swift-evolution@swift.org>
https://lists.swift.org/mailman/listinfo/swift-evolution


(Paweł Wojtkowiak) #7

I actually think that this is different than module-wide access, because the type and its extensions would not expose their internal API to other unrelated types in the code in scope of module, allowing for better visibility of the exposed API as opposed to the internals as well as safety - the developer can be sure that the specific internal variable was not mutated from any other place than related to that specific type or its extensions. Other than that, the benefits are the same as "internal" scope which is the ability to write cleaner code by freely extending the type or separating its concerns to improve readability.

···

Sent from my iPhone

On 4 Mar 2017, at 00:08, jaden.geller@gmail.com wrote:

I entirely agree with this idea. +1

On Mar 3, 2017, at 3:02 PM, Paweł Wojtkowiak <neframair@gmail.com> wrote:

Why not add a scope which allows access to the variables and functions only for the type itself and its extensions, but only within the current module? This would result in limitation of visibility from the outside (the same way private does) except for the fact that extensions could actually change these variables/functions. Also, restricting it to the module at the same time would not allow access to them and doing extensions like xWrapper (mentioned in one of the mails), unless it was in the same module, but even then it is just easier to change the type itself instead of doing wrapper extensions since the developer has access to it anyway.

I think this would be convenient because outside of the type and its internal extensions these entities would not appear as for public use.

Sent from my iPhone

On 3 Mar 2017, at 20:24, Matthew Johnson <matthew@anandabits.com> wrote:

On Mar 2, 2017, at 10:30 PM, Jaden Geller <jaden.geller@gmail.com> wrote:

On Mar 2, 2017, at 7:51 PM, Matthew Johnson <matthew@anandabits.com> wrote:

Sent from my iPad

On Mar 2, 2017, at 3:35 PM, Jaden Geller <jaden.geller@gmail.com> wrote:

Hi Matthew,

Overall, I think this is a great simplification of the access control mechanism! I really appreciate the focus on both “simple made easy” and safe defaults.

Thanks Jaden! I appreciate your thoughtful feedback!

I have a few comments and questions:

(1) It seems odd to use `scope` as both an access control modifier alone and as a function-like attribute. Perhaps something like `access(set, scope)` would be better than `scope(set)`. As it is, we're conflating scope with meaning visibility and lexical scope—I found that very confusing.

This is good feedback. The reason I designed it this way is because it is intended to work like the existing access modifiers which can be parameterized or stand alone. The idea is that it is analogous to a function with default arguments and we treat the unbound function as if it had been called with no explicit arguments (using the defaults). There is an example of this in the playground prototype I included.

That said, there is a difference - the existing modifiers don't accept a scope argument. I can see how this could make it more confusing. In the current design `scope(set, lexical)` is already valid and is similar to the `access(set, scope)` idea you suggested.

One thing I want to be very careful about is making the syntax read well if possible. In the playground I even used argument labels `scope(of: set, is: lexical)`. I think that would be too verbose in real code but I think it's important that this read like a sentence in our minds at least.

One option would be to simply remove the default scope argument and require it to be provided explicitly when lexical scope is intended. I'm not sure how I feel about that. I'm going to spend some time thinking about this further. I definitely don't want the shorthand (without arguments) to be a source of confusion.

I think this would be an improvement.

As a sidenote, if there were to be an alias for lexical access control, think the pseudo-adjective `scoped` aligns better with the adjective `public`, `internal`, and `private`. The noun `scope` seems out of place.

Interesting that you say this. I had suggested `scoped` earlier and had second thoughts about that because a verb feels a little bit out of place next to `public`, `internal` and `private`. But I think you’re right that `scoped` does read more similar to them. I will go this route.

(2) I think that the attribute should be spelled `@access` like other attributes in Swift, `@availability` for example. This seems more consistent.

If it were an attribute I would agree. But it's not, it's an access modifier. Those don't have the `@`.

I guess I’m suggesting that it might be better expressed as an attribute. The attribute `@available` is already used to specify symbol visibility (based on platform, version, etc.), so it seem best to align access control by using an attribute as well. I agree that the aliases like `private` shouldn’t require an `@` for concision…

Do we have any cases where we have both an attribute and a declaration modifier that both have the same semantics? I don’t think so. That seems a little bit strange to me. I can see why you would associate this with `@available` but I think it’s better to define it as a declaration modifier.

(Does Swift have a hard-and-fast rule for which modifiers should use attributes and which should use keywords? Or even a more hand-wavey rule? It seems almost arbitrary to me…)

As far as I know declaration modifiers never have `@` and attributes do. I don’t have a good sense of how we decide when something is better expressed as an attribute vs being a declaration modifier. Maybe somebody from the core team can comment on this.

Another benefit is that there’s stylistic precedent for attribute declarations to be placed on the line before the declaration. This works well with wordier restrictions.

I don’t think style should influence whether we use `@` or not. We are free to establish a common style that places longer declaration modifiers on a previous line. I think the community will eventually converge on a reasonable style regardless of how it looks.

(3) Speaking of `@availability`, how do you suppose access control ought to interact with that? Can I somehow mark that the setter was public in a previous version but is now private?

This is a good question. I am not familiar enough with `@availability` to answer off the top of my head. Do you think this is something that needs to be addressed by this proposal?

I’m not entirely sure. It _probably_ doesn’t need to be addressed just yet. I don’t think `@availability` currently has such features, so it would be additive.

Sounds good.

(4) The function-like access control attribute as you proposed it has very odd semantics, especially compared to Swift functions. For example, both `scope(get, file)` and `scope(file)` are valid spellings, as if `get` was a default argument, but Swift does not allow default arguments in that position without labels. Obviously this isn’t a parsing problem since we’re using keywords, but I find it very confusing. Either swap the order of the arguments or, I would prefer, add labels. With my `@access` spelling, we might have `@access(get, in: file)` and `@access(in: file)`.

I actually used labels in the playground and thought about including them in the proposal. I decided against it on the grounds that access modifiers are pervasive and the labels could quickly be seen as noise. If others feel they are important I have no objection.

I like labels, but I can understand the preference for concision. It just confuses my mental model when the semantics cannot be implemented in Swift. In your playground, try removing your labels—the function becomes impossible to call without specifying the capability argument!

I think the default for the capability and the sequence of arguments are both pretty important aspects of the design. The former because we often want to bound *all* capabilities in the same way and bounding the default capability does this. It reads more clearly to only specify the scope. The sequence of arguments is important because I think it reads much better: “access to the setter is bounded to the file”. I think it also reduces the chance that a reader misses the capability and only notices the scope.

We should have a bikeshed discussion about whether labels should be required, optional, or not allowed. I would be happy to let community consensus decide this.

(Sidenote: Why doesn’t Swift warn on function declarations that provide unusable default arguments??)

For the record, `@available` does not use labels. It even omits commas in places I might expect them… `@available(swift 3.0.2)`.

(5) It seems odd that `call` is the name of the default visibility for functions. I agree with the semantics, but the naming seems to imply that I could still refer to the value `let foo = myFunction` but not call it.

Some of these names were pretty tough to decide on. I wholeheartedly embrace bikeshedding here. I wouldn't be surprised if community input can improve on the names I have used. :slight_smile:

I agree that we should eventually bikeshed, but I’m trying to focus on the semantics first :slight_smile:

Yes, that’s a good call. I just wanted to make it clear that I’m not fixated on the naming and acknowledge that it’s a hard problem. :slight_smile:

I chose `call` because if you can see a function you can call it. It isn't possible to see it, bind it to a name, etc without being able to call it and it probably shouldn't ever be.

For Types and Protocols, `use` seems like a very generic word to, well uh, use. Perhaps `visible` would make more sense (though it is not a verb like the others…)?

I agree. This was the most difficult name to decide on. The notion I tried to capture is that if you can see a type you can work with values of of that type (as well as access it's static members). I would be very happy if we could identify a better name.

Perhaps `constrain`?

This is also something you can always do when you can see a protocol, but you can also use it as an existential (thinking ahead to generalized existentials) so you can also work with values of the protocol existential type.

I was potentially recommending constrain for types too. `let x: Int` constrains `x` to be type `Int`, and `let y: Hashable` constraints `y` to be the (existential) type `Hashable`, or at least will once that’s possible. I’m not sure this is a good spelling, just throwing it out there…

Ahh, that’s an interesting perspective.

I think the name `switch` for enums is also not particularly great, but this probably isn’t the time to bikeshed naming.

I used `switchExhaustively` in an earlier draft but thought it was too verbose. Maybe the verbosity is necessary?

Well, I think that the name `switch` is misleading, but I don’t love this more verbose name either. I was thinking `closed` maybe? …since it guarantees that no more cases can be added. Not sure.

Misleading because you can always `switch`, it just might not be exhaustive? That makes sense but maybe it’s not that big a deal because it would be documented as meaning exhaustive. I’m not sure.

I don’t think `closed` is the best name for this because I think the names should focus on the *capability*. `closed` focuses on the restriction placed on future versions of the library.

(6) Do closed protocols fit into this model? The `conform` capability allows API users to add additional conformances, but there’s no capability to promise that the API maintainer itself won’t add additional conformances. Obviously adding this features is out of the scope of this proposal, but I want to know how it might be spelled in this scheme.

Yes. I think this would use the same capability name as enums that support exhaustive switch.

One interesting point is that this would introduce the notion of mutually exclusive capabilities. You can't have both `public(conform)` and `public(switch)`.

(7) It isn’t immediately clear to me the “hierarchy” of additional capabilities. Obviously `set` is a refinement of `get`, but is `override` a refinement on `set` or `get`? Or are they entirely separate? Can you use both? It would be useful to formalize what happens when the access level is specified for multiple additional capabilities.

Great question. I'll add clarification on this point in the next draft. The short answer is that the bounds of additional capabilities are usually independent of each other.

That said, as noted above, in some cases they could be mutually exclusive. It's also possible that they could have other kinds of relationships. This really depends on the semantics of the declaration providing the capabilities.

I think we really ought to formalize these relationships. It’s difficult to reason about otherwise.

The only relationship that exists is currently the relationship between the basic capability and additional capabilities. The scope of the basic capability implicitly bounds that of the additional capabilities and if the scope of an additional capability is wider than `internal` when no explicit bound is provided for the basic capability the bound of the basic capability is widened accordingly.

I have given some thought to formalizing semantic relationships between capabilities but I think it adds complexity to the model for not much gain at the moment. The two simple rules above suffice. We can formalize additional semantic relationships if / when that becomes necessary. Does that make sense? If not, can you offer elaborate on what you would like to see? I want to facilitate reasoning as much as possible without adding unnecessary complexity to the initial model.

(8) It may be useful to clarify the hierarchy of scopes. Each name is mentioned, but it isn’t intuitively obvious how it works. Does `TypeName` essentially allow me to make friend classes, via `@access(set, in: Foo)`, a la C++. If so, that’s pretty cool! I’m assuming `extension` gives visibility in extensions to this type? What about subclasses—is there a sort of `protected` scope?

Great question. I'll clarify this further in an updated draft.

In the meantime, I'm afraid I'm going to have to let you down a bit on this point. Scopes form a strictly nested hierarchy. This means that you can only reference an ancestor scope.

For types, this simply follows the lexical nesting of types and member declarations. A declaration may reference the scope of a type that contains it by using the name of the type. The capability is available to any declarations within the lexical scope of the type declaration, including other types. But it is intentionally *not* like `friend` in C++.

Unfortunate. If the community found this desirable, would it be additive to add this in the future? I don’t necessary want friend types, but I like that this syntax would make them much, much, much more intuitive than in C++. You wouldn’t even have to read the docs to understand the feature—just read the declaration!

They syntax could certainly be extended to support something like this but it doesn’t really work semantically. This is not a limitation of this model. Instead it is a limitation of any type-based access control. Types don’t facilitate a real encapsulation boundary, especially in a language like Swift where a type can be extended in any scope that can see the type. The core team has repeatedly opposed type-based access control for precisely this reason. I don’t expect that to change but if it did, this syntax could certainly be extended to support such a feature.

`extension` is simply a way to reference the lexical scope created by an extension that contains a declaration. It does not provide access to extensions of the type containing the declaration.

The purpose of access control is compiler verified encapsulation. Since anybody can add an extension anywhere the compiler can't really offer any useful verification of encapsulation. I don't think it would be a good idea for access control to have a feature like this. The same is true of protected and any other type-based access control scheme.

I’m not really understanding what you’re saying here. I think we might be saying the same thing. My understanding was

struct Foo {
  scope(extension) var x: Int
}

means that I can write

extension Foo {
  func bar() {
    x += 1
  }
}

unlike if I had chose Swift 3.0 private.

Nope. This is an example of what it means:

extension Foo {
    struct Bar {
        access(extension) var int = 42
    }
    // Bar.int is available here but not outside the scope of this extension
}

If extensions could have names we wouldn’t need `extension` as a scope specifier. Since they don’t, we do.

The example you gave has all of the problems associated with any type-based access control. It is kind of pointless to have a access control like that because it doesn’t offer any real guarantees. Anybody can come along and do this:

extension Foo {
    public var xWrapper: Int { get { return x } set { x = newValue } }
}

This is why I think symbol groups are a more appropriate solution to this use case. They don’t pretend you are really limiting availability in any way but they do allow you to hide the symbol unless an explicit request is made:

import FoosModule including FooExtensions

This makes all symbols in the symbol group `FooExtensions` available. It required explicit opt-in to availability solving the accidental use problem without pretending to really limit the availability of the symbols. I haven’t thought enough about it yet to have an idea of how it might work within the same module but I think this is the right direction for this use case.

Swift's access control system has always followed the idea of strictly hierarchical scopes, it just hasn't allowed us to name most of them. I think this was a really good principle that we should continue to embrace.

That said, I do have some thoughts about ways to address the kinds of use cases people have in mind for "extensions or subclasses of the type" visibility. The idea I have been exploring is what I have been calling "symbol groups". I have been thinking about this in the context of imported symbols and haven't given any thought as to how it might apply outside that context. The way it looks with an import is this:

import UIKit including UIGestureRecognizerSubclasses

The idea here is that the symbols reside in the same (sub)module as the other symbols they are related to but are not imported unless the symbol group name is explicitly stated. This solves the problem of unintentional or inappropriate symbol availability and accidental misuse without offering promises of encapsulation that can't really be followed through on (as is the case with `protected`).

This is obviously well outside the scope of this proposal but is something I think would be worth pursuing at some point.

Thanks for the great proposal, Matthew!

Thanks Jaden! I'm really happy that you like it. I was pretty uncertain about how it would be received. It's encouraging to see that others like the idea. :slight_smile:

Definitely! I appreciate your hard work! I realize how time-consuming it is to write these proposals, not to mention thinking through them!

Thanks! It always seems to take a lot more time than I expect when I first start working on a proposal.

Cheers,
Jaden Geller

On Mar 2, 2017, at 11:58 AM, Matthew Johnson via swift-evolution <swift-evolution@swift.org> wrote:

I’ve been continuing to think about how to provide clear and consistent semantics for access control in Swift. This draft represents what I think is the best way to accomplish that. It eliminates the current inconsistencies and establishes a principled basis for the features we have today as well as the enhancements we may need in the future. It does this with minimal breaking changes.

The draft is included below and can also be found here: https://github.com/anandabits/swift-evolution/blob/scope-bounded-capabilities/proposals/NNNN-scope-bounded-capabilities.md.

I’m looking forward to everyone’s feedback.

Matthew

A Consistent Foundation For Access Control: Scope-Bounded Capabilities
Proposal: SE-NNNN
Authors: Matthew Johnson
Review Manager: TBD
Status: Awaiting review
Introduction

This proposal introduces a consistent foundation for all access control in Swift: scope-bounded capabilities. The existing access control features are generalized with a single mechanism that unifies their semantics. This unified mechanism eliminates the inessential complexity and inconsistency of the current system while expanding its utility.

Swift-evolution thread: Discussion thread topic for that proposal

Motivation

The new access control features in Swift 3 have proven to be extremely controversial. The most common refrain is that we need a more simple system. In order to accomplish this we need to do more than tweak the system we already have. We need to revisit the foundation of the system itself.

Simple Made Easy

Rich Hickey gave a fantastic talk called [Simple Made Easy])(https://www.infoq.com/presentations/Simple-Made-Easy). In this talk Rich explores the etymology and relationship of the words "simple", "complex", and "easy". The meanings he explores are:

Complex: entangled, intertwined, interleaved, braided together
Simple: one strand, single focus, disentangled
Easy: familiar, nearby, readily at hand
The central point Rich makes in this talk is that when a design entangles two orthogonal concepts complexity is the result. He coins the term "complect" to refer to this kind of inessential complexity. This complexity can be removed by disentangling the concepts. Instead of "complecting" independent concerns we can compose them.

The result is a simpler system. It is simpler because independent concepts can be considered and understood independently of each other.

The composition of independent concerns also results in a more flexible system. When orthogonal concepts are entangled it is more difficult to extend the system to meet future needs. One concept cannot be extended independently of the other. It is not possible to make independent decisions about what should be orthogonal aspects of the design.

Rich believes that the programming community is often too quick to reach for an immediately "easy" solution. Unfortunately, the "easy" solution often entangles concepts and are therefor actually complex. He suggests that we firstdesign a simple (i.e. disentangled) solution and then layer ease of use and familiarity on top, thus the title "Simple Made Easy".

Two orthogonal concepts

The access control system in Swift 3 incorporates two orthogonal concepts: availability and capability. Availability is what immediately comes to mind when one thinks of access control: a symbol is either available or it is not. Capability is more nuanced. It refers to what you can do with that symbol.

Each declaration supports a basic capability which is always available when the symbol itself is available. Many declarations also offer additional capabiities (such as the ability to inherit, override, set a property, etc). These additional capabilities may be less available than the symbol itself.

In Swift, availability is always specified in terms of a scope. Swift does not currently have a consistent way to talk about capabilities. Thus far we have introduced new syntax every time we wish to distinguish the availabiltiy of an additionalcapability from that of the symbol itself:

open vs public access modifiers classes and methods
Access modifier parameterization for setter availability: private(set)
The @closed attribute which has been discussed as a way to specify non-resilient enums in Swift 4*
It is clear that we need to be able to talk about not just basic availability, but also capabilities. It would be very nice if we had one consistent way to do this. This can be accomplished by composing the concepts of availability and capability into the notion of a scope-bounded capability.

*@closed would lie outside the access control system proper. It is included for the sake of completeness. It is also included to demonstrate how the language currently lacks a clear and obvious way to specify new capability bounds when they are arise.

Problems with Swift's access control system

Swift's current access control system can has several problems.

Inconsistency

As noted above, the ways additional capabilities are bounded is inconsistent. The semantics of public are also inconsistent.

Internal default

The Swift evolution community has adopted the principle that nothing should be available outside a module without an explicit declaration of intent by a library author. This is an excellent default which protects library authors against making an error of omission that would require a breaking change to correct. Unfortunately this principle has not been consistently applied.

public

In most cases public only provides access to the basic capability a declaration offers. This is true by definition for declarations do not offer additional capabilities but it is also true for classes (with respect to inheritance) and class methods (with respect to overrides).

However, there are three cases where public currently provides access to additional capabilities:

public var allows access to the setter
public enum allows exhaustive switch
public protocol allows new conformances to be introduced
It is not currently possible to declare resilient enums or closed protocols but both have received significant discussion. Further, resilient enums need to be supported before ABI stability is declared. A consistent access control system would treat these as independent capabilities that are not made available with a simple public declaration.

private and fileprivate

The most heavily debated aspect of the changes to the access control system in Swift 3 is without question the change in meaning of private to be the current lexical scope and the renaming of the file-level scope to fileprivate. This change was made with the idea that a lexically scoped private would prove to be a good "soft default" for a less-than-module availability bound. While many users appreciate the semantics of a scope-based access modifier it has not proven to be a good "soft default" and therefore does not deserve the name private.

Extensions

In languages without extensions lexically scoped availability is equivalent to type-based availability for members of a type. In such a language it could make a reasonable default. Swift is not such a language.

Using several extensions on the same type within the same file is an extremely common Swift idiom. This idiom is not well supported by a "soft default" of scope-based availability. The tension between a pervasive idiom and the "soft default" leads to confusion about when scope-based a availability is appropriate, and often an overuse of the feature. It also leads to the need to use fileprivate much more frequently than is desirable for such an awkward keyword.

Types and members

A "soft default" should not have subtle behavior that has the potential to confuse beginners. Most beginners would expect Foo and bar in the following example to have the same visibility. This was true in Swift 2 but it is not true in Swift 3.

private struct Foo {
    private var bar = 42
}
An advanced feature

Lexically scoped availability has important uses such as preserving invariants. All access to invariant-related state can be routed through basis methods which access the state carefully without violating invariants, even when that access happens in an extension in the same file. We should not abandon this tool but it should not be the "soft default". It is best reserved for specific use cases where the guarantee it offers is important to correctess of the software.

Essential and inessential complexity

The inconsistencies noted above and a bad "soft default" of private are all forms of inessential complexity. This makes Swift's access control system more difficult to understand and use than it needs to be and causes confusion.

At the same time the essential complexity of capabilities that are bounded independent of basic symbol availability is not explicitly acknowledged and embraced. This also makes the access control system more difficult to understand and use than it should be. Users are not taught to think in terms of independently bounded capabilities. This is a concept that could be learned once and applied generally if it was more visible in the language.

Proposed solution

The proposed solution is to establish a semantic foundation for access control that is simple in the sense of composing rather than interleaving independent concerns. The solution is made easy by defining familiar names in terms of this foundation while preserving the semantics Swift users expect them to have. It is consistent in its use of a single mechanism for bounding capabilities and its default of internal for all capabilities.

Scope-bounded capabilities

All access control is defined in terms of a parameterized access modifier that allows the user to specify a capability and a scope that bounds that capability.

// The scope of the setter is the current file.
scope(set, file) var foo = 42
Each parameter has a default argument. The default argument for the capability is simply the basic capability the declaration provides. For a variable this is the getter, for a method it is the ability to call the method, for a type it is the ability to use the type and so on. The default argument for the scope is the current lexical scope.

// The scope of the getter is the current lexical scope.
// This is equivalent to `private var foo = 42` in Swift 3.
scope var foo = 42

// The scope of the getter is the current file.
scope(file) var bar = 42

// The scope of the setter is the current lexical scope.
scope(set) var baz = 42
The scope of the basic capability implicitly bounds additional capabilities: if basic use of a symbol is not available it is not possible to anything with that symbol. This is similar to the existing rule that a type implicitly bounds the availability of all symbols declared within its scope: a public property of an internal type is not available outside the module because the type itself is not available.

Aliases

This modifier is simple (in the sense defined above), general and powerful. However it is also unfamiliar, often slightly verbose, and offers a very wide configuration space. Familiar aliases are provided as "soft defaults" which are recommended for common use cases.

These aliases introduce no additional semantics. Once a user understand scopes, capabilities and how they compose to produce scope-bounded capabilities the user also has the ability to understand all aliases we introduce. Tools could even make the definition of the alias available to remind the user of its underlying meaning (similarly to they way Xcode allows a user to command-click to see a symbol definition).

These aliases are defined in terms of the parameterized scope modifier:

private(capability) = scope(capability, file)
internal(capability) = scope(capability, submodule)
public(capability) = scope(capability, everywhere)
open = scope(inherit, everywhere)
open = scope(override, everywhere)
final = scope(inherit, nowhere)
final = scope(override, nowhere)
total = scope(switch, everywhere)
private reverts to the Swift 2 semantics. scope with no parameters has semantics equivalent to that of private in Swift 3.

internal is specified in terms of submodule and is equivalent to module scope until submodules are introduced. It is specified this way to indicate the intent of the author should submodules be added.

total is a placholder subject to bikeshedding. total enum provides semantics equivalent to public enum. public enum receives the semantics of resilient enums. If a suitable shorthand is not identified the slightly longer public(switch) enum can be used to specify an enum which supports exhaustive switch outside the module.

open, final and closed are overloaded based on the kind of declaration they are applied to.

Scopes

The hierarchy of scopes is as follows:

nowhere
lexical
TypeName
extension
file
submodule
SubmoduleName
module
everywhere
The name of any ancestor type or submodule of a declaration, including the immediately containing type or submodule, form the set of valid user-defined scope references.

Including nowhere allows us to define final in terms of this system. It also allows us to model all properties and functions with the same set of capabilities: the setter of a read only property is automatically bounded to nowhere and the override capability of a function that is not a class method is automatically bounded to nowhere.

Allowing users to reference any ancestor scope introduces affords advanced users a degree of control that is not possible in the current access control system. If submodules are introduced into Swift this additional control will be especially useful as a means to facilitate bounded collaboration between peer submodules allowing them to communicate in ways not available to the rest of the module.

Capabilities

The capabilities available depend on the kind of declaration an access modifier is applied to. All declarations offer a basiccapability that is always available when the declaration itself is available. The basic capability is specified by default when the scope modifier or a parameterized alias is used without an explicit capability argument. Some declarations also offer additional capabilities which may have an independent bound applied to them.

Properties and subscripts

get (the basic capability)
set (for readwrite properties only)
override (for class properties only)
Functions and initializers

call (the basic capability)
override (for class methods only)
Types

use (the basic capability)
inherit (for classes)
switch (for enums)
Protocols

use (the basic capability)
conform
Extensions and typealiases

use (the basic capability)
Scalable in the future

As the language grows the mechanism of scope-bounded capabilities can be extended in an obvious way to meet the needs of future declarations and capabilities. Users are only required to learn about the new declaration or capability that was introduced. Their existing knowledge of the scope-bounded capability access control system is immediately applicable.

Detailed design

Rules

The rules which make up the essential complexity in Swift's access control system are:

The default scope for all capabilites a declaration offers is module-wide (or submodule-wide in the future).
The scope of a capability may be modified by an explicit access modifier.
The scope of an additional capability is implicitly bounded by the scope of the basic capability.
The scope of an additional capability may not be explicitly specified as greater than that of the basic capability.
If no scope is explicitly provided for the basic capability and an additional capability is specified to be available outside the (sub)module the basic capability is also given the same availability.
The scope of a declaration (including all capabilities) may be bounded by the declaration of ancestor.
The scope of a declaration may not be greater than the scope of the capabilities necessary to use that declaration: if you can't see a parameter type you can't call the function.
Most of these rules already exist in Swift's access control system. There is one change and one addition:

The first rule changes the availability of the additional capability of public readwrite properties, protocols and enums.
The fifth rule affords shorthand for implicitly making the basic capability public when an additional capability is also made public.
Grammar

The changes to the access modifier grammar are as follows:

access-level-modifier → scope­ | scope­(­ capability-specifier ­)­ | scope­(­ scope-specifier ­)­ | scope­( capability-specifier ­, scope-specifier ­)­
access-level-modifier → private­ | private­(­ capability-specifier ­)­
access-level-modifier → internal­ | internal­(­ capability-specifier ­)­
access-level-modifier → public­ | public­(­ capability-specifier ­)­
access-level-modifier → open­
access-level-modifier → final
access-level-modifier → total

scope-specifier → nowhere | extension | file | submodule | module | everywhere | identifier
capability-specifier → set | inherit | override | conform | switch
Playground

A Swift playground that includes a prototype of the basic scope-bounded capability access modifier as well as the aliases is availabe here.

Future possibilities

Scope-bounded capabilities are able to express set-only properties and override-only methods with a minor change to the rules of the system. These features have been requested on the list in the past. In the case of override-only methods there are known examples in Apple's frameworks. Allowing support for these would add some complexity to the model and is not essential to establishing a consistent basis for the existing access control feature.

Source compatibility

This proposal will not cause any Swift 3 source to fail to compile but will produce different behavior in three cases. In all cases a mechanical migration is possible.

public var

This proposal removes the availability of the setter of a public var outside the module, requiring public(set) var to expose the setter. This requires a migration of existing code. We could ease this transition with a deprecation warning in one release and then introduce the semantic change in the following release.

public enum

This proposal removes the availability of exhaustive switch from public enums. Non-resilient enums will need to be declared as a total enum (or the equivalent keyword chose after bikeshedding) or public(switch) enum if we choose not to introduce an alias for this semantic. As with public var, a deprecation warning and deferred semantic change could be used to ease the transition.

public protocol

This proposal requires protocols conformable outside the module to use the open protocol alias rather than public protocol. Visible but not conformable protocols are out of scope for Swift 4. This means that in Swift 4 open protocoland public protocol could share the same semantics with a deprecation warning on public protocol telling users to use open and that the semantics of public protocol will be different in the future. We could remove support for public protocol in a point release, reserving it until we introduce the ability for a protocol to be visible but not conformable.

Effect on ABI stability

If this proposal impacts ABI stability it would be in the area of runtime metadata or introspection. Input on this topic is welcome.

Effect on API resilience

This proposal does not impact API reslience. The proposed solution recasts some existing features but does so in a way that should be backwards compatible. No existing semantics are changed, only how those semantics are stated syntactically.

Alternatives considered

The primary alternative is to continue using the ad-hoc approach to meeting our access control needs. There have been many different ideas about how we might be able to simplify the current system by removing or slightly tweaking some of the existing features. The author believes this approach will not be able to meet future needs well and will continue to be burdened by the accumulation of inessential complexity. This situation will get worse, not better, as new features are added to the language.
_______________________________________________
swift-evolution mailing list
swift-evolution@swift.org
https://lists.swift.org/mailman/listinfo/swift-evolution