Refinements for sealed types
Brian Goetz
brian.goetz at oracle.com
Thu Aug 15 17:38:23 UTC 2019
As Gavin has worked through the spec for sealed types, it has shone a
spotlight on one of the messy parts -- implicitly sealed types. I've
got an alternate way to stack this that I think is simpler and still
meets the goals.
First, the goals (which in most cases align, but in some cases conflict
with each other):
Unsealed concrete leaves should not be the default. If we follow the
default strategy that a class declaration gets only the flags that are
declared explicitly (which is generally a good default), it is quite
likely that many subtypes of sealed types will be extensible, when that
was not the intent or understanding of the author. For example, in a
hierarchy like the following:
sealed interface X permits A, B { }
class A implements X { }
class B implements X { }
it is highly likely to be a source of mistakes that A and B are neither
sealed nor final, even though they are co-declared with the sealed
interface. The author may well assume that they are in control of all
the implementations of X methods, when in fact anyone can subclass A and
override those methods.
Avoiding excessive ceremony. If the user had to declare every concrete
subtype as final, this may well be seen as excess ceremony. (This is
the same reason we allow the permits clause to be inferred.)
In the current design, we took the following path:
- Subtypes of sealed types are implicitly sealed, unless marked
non-sealed.
- We infer a permits clause when it is omitted, which is possibly
empty (in which case the type is effectively final.)
These are reasonable defaults, both from avoiding the safety question of
accidental extensibility, and reducing ceremony, but they interact in
some uncomfortable ways. For example, under these rules, its possible
to have an explicit "permits" clause without saying "sealed", which is a
little strange. And it is possible to infer both sealing and the
permits list, which might exceed our nontransparency comfort level.
So, let me propose a simplification:
- A concrete subtype A of a sealed type X, which has no permits
clause, no known subtypes, and is not marked non-sealed, is implicitly
sealed (with an empty permits clause).
- Any other subtype of a sealed type must either have a "sealed"
modifier, or a "non-sealed" modifier.
- Any type with a permits list must have a sealed modifier.
Rationale: This still manages to avoid the "accidental extension"
problem, and addresses both the extension and the ceremony problem where
they are both most severe -- at the leaves. Abstract types (which are
generally fewer in number than leaves) err on the side of explicitness.
So the above hierarchy could be written as above, and A/B would be
implicitly final, as desired. If A or B wanted to permit subtypes, they
would need to be explicitly marked non-sealed (to reopen them), or
explicitly sealed (with or without an explicit permits list.)
I think this stays within the spirit of the goals, but with a little
less magic / complexity.
More information about the amber-spec-experts
mailing list