I'm personally a fan of keeping read-only-ness as a property of function parameters rather than of types as a whole. We lose a little bit of flexibility but it makes sure that the Go type system stays nice and simple.

That being said, while I'm not exactly a huge fan, I'm not opposed to this either. I think some of it gets a bit complicated when we get into how these interact with interfaces. It seems to mostly be caused by polluting the simplicity of the Go type system.

I think it's quite clear what ro []Foo means at first glance, but it's not at all clear or intuitive what interface { ro Foo() } means.

but it's not at all clear or intuitive what interface { ro Foo() } means.

That would be 'has a method Foo that doesn't change the receiver'.

(updated)
If it is clear or not is debatable, what is worth highlighting is why it is needed - a ro interface must not access the non-ro methods on the struct that implements it, and banning all method calls on a ro interface is way too restrictive (and effectively puts interfaces in conflict with ro feature).

The point being, removing just ro from interfaces is not an option. Either more features of the proposal are removed to the point of it not being needed, or it is kept (or some other solution is found that provided the required read-only guarantees)

Oh I'm aware it's needed, I just don't think it's clear. It looks like the ro applies to the whole function rather than just the receiver. ro applying to the whole function of course doesn't make sense if you know how the ro modifier works, but if you don't know, it's definitely not apparent.

For instance this may look confusing to someone:

type Reader interface {
    ro Read([]byte) (int, error)
}

If you don't know what ro means in the context of the interface, it looks a lot like it could mean...

• The function cannot modify any kind of outside state (it's a "read only function")
• Syntactic sugar for all arguments are read only (doesn't make sense for a reader, we need to modify the []byte)
• It's some kind of crazy magic

But either way it's just syntax, so if there is a better way to do it, it should be easily changable. Doesn't hurt the underlying concept behind the proposal.

I think some of it gets a bit complicated when we get into how these interact with interfaces.

Also by this, I didn't only mean with the example I gave. Just the general logic (which is very sound if I may add, just confusing) behind which types can implement what interfaces can get very confusing, and as I said, this is because by adding this feature, we would be adding a layer of complexity on Go's type system.

Again I'm not super against this proposal or anything, just stating my main criticisms.

@JavierZunzunegui
In your last example, rox.Bar() is invalid for the type ro X doesn't has the method Bar.
The Bar method is declared for type X, not ro X. The method set of X should be super set of ro X, which means for every method declared for ro X, an implicit same prototype method will be declared for X, but not vice versa.

@go101 thanks for spotting, updated above

I'm not clear on how this works for interfaces. Can I store an ro-qualified value into an ordinary interface type? The comment that anything is permitted in a interface{} suggests that this is permitted. When I type assert on that value, do I have to type assert back to an ro-qualified type?

How does this work with the reflect package?

As you say, this is quite similar to #22876. Is there a reason to discuss it separately?

Can I store an ro-qualified value into an ordinary interface type?

As the proposal stands, no (assuming ordinary interface = 'has some non-ro receiver method'). It is allowed for interfaces where all methods have ro receiver. The empty interface in this sense is non-ordinary as it has no methods, accepting any T or ro T.

Reading between the lines in your question though, you may have a point that restriction is excessive. Instead the correct rule may be: ro T may implement I (non-ro) if all methods in I are present in T with a ro receiver.

I will double check this statement is correct later today when I have more time and update the proposal accordingly.

(edited)
The condition was indeed too restrictive at first, I updated the document accordingly. The answer now is:
yes, if the type has a ro receiver on all the methods required by the interface.

When I type assert on that value, do I have to type assert back to an ro-qualified type?

Yes, you must assert to the correct of T or ro T. I guess you could allow a non-ro to be type asserted as a ro (effectively doing assertion, then type conversion to ro), but I don't see much gain in that

How does this work with the reflect package?

Have you got a more specific question with regards to reflect?

I have tried to explain in the doc, particularly in Interface type assertion and ro, how the ro-ness is represented in an interface value so that the runtime may honor the right ro-ness of a type (i.e. never un-ro it!).

The reflect package, not explicitly mentioned in the doc, would have to be updated to preserve this ro guarantees - conceivably making ro a bool field in Type, Value.CanSet false for ro types, etc.

As you say, this is quite similar to #22876. Is there a reason to discuss it separately?

I still think there are still significant differences between the two, particularly my proposal blurs in some regards the distinction between ro and non-ro types to avoid code duplication and const-poisoning, and introduces immutability. Since const-poisoning in particular seems to be one of the mayor critiques to the original document, I hope this may qualify for renewed debate.

I think Jonathan himself states his proposal is more than anything a stepping stone towards the right direction. In this one I try to build on it and address the issues the community saw with his.

Can you expand on how this proposal avoids const-poisoning? It seems to me that it is necessary to use the ro qualifier everywhere. Where can it be avoided?

Can you expand on how this proposal avoids const-poisoning? It seems to me that it is necessary to use the ro qualifier everywhere. Where can it be avoided?

Functions can be written with the most restrictive inputs with regards to ro-ness at no cost. For example, if a function Foo takes in a X but doesn't modify or have it escape the function, it can declare that input as ro X, making the intention clearer and, potentially, benefiting from immutability optimisations. When it comes to using Foo, it may be used interchangeably as either a function with input X or ro X. The same principle applies to methods and interface implementations, and similarly but inversely (the flexibility is in the interface, not the implementation) for ro in return values.

Following my latest edit to the proposal (non-ro interfaces are implemented by ro types more leniently, with no restriction on the part of the interface and requiring the type to have ro receivers for the interface's methods), it may be worth to explicitly state the purpose of a ro receiver within an interface and a ro interface in general.

A ro receiver in an interface allows the method to continue to be called on the ro interface. This becomes non-trivial when the interface is part of a structure which has in turn been made ro and still needs the interface method be called. For example:

type FooIface interface {
  Bar()
  ro RoBar()
}

type FooType struct {
  i FooIface
}

var x = FooType{i: ...}
x.i.Bar() // legal
x.i.RoBar() // legal

var rx = ro x
rx.i.Bar() // illegal, Bar is not `ro` in `FooIface`
rx.i.RoBar() // legal, RoBar is `ro` in `FooIface`

Additionally, ro interfaces remain significant to make full use of the immutability features.

When it comes to using Foo, it may be used interchangeably as either a function with input X or ro X. The same principle applies to methods and interface implementations, and similarly but inversely (the flexibility is in the interface, not the implementation) for ro in return values.

This does not fix the const poisoning problem. The problem comes from if I have a function that takes a ro parameter, then everything that the parameter is passed in to must also be qualified with ro. This means that I now must traverse all of my functions and make sure that they all have the proper ro qualifiers.

This also becomes a problem when using libraries, especially ones that were written in Go 1. I would not be able to use my ro types with old libraries because we cannot guarantee that the old library will treat it as a read-only.

This does not fix the const poisoning problem

I don't think the issue you are describing is const poisoning. By limiting poisoning I mean that you are free to write your function with or without ro arguments, the caller may still call it without ro (and therefore your migration will not break callers). In that sense you are not poisoning the stack on top of your function.

What you are saying is that to migrate your function to ro in the first place you need dependencies down the stack to be ro, which is correct. By that isn't const poisoning, it just means you can't migrate all your code to ro on day one, it is a process thats starts at the lowest level of the stack and makes its way up. But throughout this process or even after it is complete, existing pre-ro code will still work, even if calling ro enabled functions (assuming we don't make deliberate breaking changes, which I'd imagine will be some).

See the Migration section on the proposal.

From this blog post (which is coincidentally written by Ian):

Although const qualified pointers are just documentation, in practice they are used far more often than const variables. When the C90 standard came out and C compilers started supporting const, programmers spoke of const-poisoning: the feeling that once you use the const qualifier anywhere, it spread throughout your program as it had to be tracked through all assignments and function calls to avoid compiler warnings. Adding const-poisoning to a program does not make it any more correct or reliable. It’s just documentation, albeit documentation that the compiler enforces.

What this is describing is that once you want to use it in a single place, you need to use it everywhere. We are already starting to see the same thing with "context poisoning", where we see context.Context being used everywhere. Again, this is because once you use it in one place, you need to use it everywhere down the stack. Also, for migration, I'd hate to see even more variations of every function (with Foo, FooContext, and FooRoContext).

If you want to mitigate const-poisoning, you need to offer some way to pass the data from a variable that was originally ro to a function which takes a non-ro type. This of course sacrifices immutability, but it prevents the poisoning problem.

@deanveloper I still think you are seeing poisoning in the wrong way. "context poisoning" is very real because it requires the changes to be made up the stack - the context must be passed to your function, which requires the caller to require it from its caller, etc. all the way up. The context case does not require the propagation down the stack (you can stop passing the context to lower functions when it is no longer needed). ro is opposite, the caller isn't affected, but the called methods are (recursively). This is a much smaller problem: it can be done gradually, does not require methods to be repeated and once building you don't have to worry about what code that depends on your function has been broken.

I'd hate to see even more variations of every function (with Foo, FooContext, and FooRoContext)

Following the point above, Foo could be given ro arguments and still remain named Foo and be used in the same way as it was before ro was introduced. Only when the return value is made ro is RoFoo (or a breaking change) required.

My bad, when I referred to context poisoning you are correct that context traverses up the stack. But in order to make full use of context, it must also traverse down the stack as far as it can if your API was not originally designed to support it.

This is a much smaller problem: it can be done gradually, does not require methods to be repeated and once building you don't have to worry about what code that depends on your function has been broken.

It depends on your perspective here. In terms of migration, it cannot be done gradually. If I want to update my library to use ro, I need to update my entire library at once. Not to mention breaking changes if I need to return ro types.

On a separate note - we'd also want to update the standard library interfaces, yes? Something like type Writer interface { Write(ro []byte) (int, error) } would be preferable, but we cannot do this because we'd break all implementations of Writer. This is mentioned in your Migration section but seems to be glossed over in less than a sentence.

Other things we'd want to update but can't:

type Stringer interface { ro String() string }
type Formatter interface { ro Format(...) (...) }
// Other formatting interfaces...

type WriterTo interface { WriteTo(Writer, ro []byte) (int, error) }
// Other IO interfaces...

There really are a lot of interfaces that should be moved over, but can't be for backward compatability reasons. I think it's a mistake to simply gloss over this.

In terms of migration, it cannot be done gradually.

It can be done somewhat gradually - update implementations before interfaces, update only some methods first, update dependency libraries before your library itself... No challenge on the ro return comment though, that is a breaking change.

we'd also want to update the standard library interfaces, yes?

Yes, and your examples are valid. Short answer is we would, over some time, introduce all these as breaking changes (go2 surely has some tolerance to breaking changes!). Again, it doesn't have to be done in one massive, all-breaking change but can be done gradually - say Stringer first, then Writer, etc. This must also be managed carefully to allow for easy gradual changes, for example move all implementations before the interface is changed and enforce it via linter/vet or by having both forms of the interface at one, separated by a build tag, to encourage users to guarantee they are ready for the move before it happens. But ultimately they are breaking changes and unmaintained go1 code would cease to build in go2.

Also worth mentioning I think another important interface to update would be error:

type error interface {
  ro Error() string // ro receiver
}

I do still feel that this approach is vulnerable to const-poisoning. One particular aspect of const-poisoning is that in practice, as the program changes, you sometimes need to change a value that was marked as ro. Then you need to remove the ro, and remove it from all callers, and all their callers, etc. Experience teaches us that if the type system has qualifiers, there will be times when those qualifiers have to be removed. This is a problem with type qualifiers in general, and is part of the reason why Go has only one type qualifier (the direction of a channel).

Then you need to remove the ro, and remove it from all callers, and all their callers, etc.

Yes, but then again removing ro from an argument is a breaking change, it's effects (and causes) are not that different from say adding a new argument which may also need callers modified to take the extra argument, etc. The natural way to mitigate this is developing and promoting good ro practices - for example, don't add ro to interfaces or public methods carelessly just because they happen to not write yet, but OK in private methods. While ro can be misused (like const, final, ... in other languages) the go team and community can educate and encourage it's proper use.

Writing bad code or carelessly designed libraries is a bigger problem than read-only alone. My personal opinion is almost any feature can potentially be mis-used, limiting a language by that principle would leave us with a no features at all.

Also worth highlighting again the potential significance of read-only (not this proposal in particular) towards bringing about other higher level features in the future (such as data-race freedom as @jba argues in his document).

To summarize, I'm saying that practical experience shows that type qualifiers are painful in large programs. You are saying that people should adopt better programming practices. I think we are both right. But as a general rule the development of the Go language is guided more by practical experience than by aspirational hopes.

But as a general rule the development of the Go language is guided more by practical experience than by aspirational hopes.

True, but perhaps I should have clarified what I mean by promoting good practices. If good ro practices are built into the tooling (into vet or some other similar tool), that would reduce the likelihood of the ro feature being misused in a harmful way (such as the poisoning example you presented). I think practical experience of tooling in go is positive (fmt, vet, lint, goimports are almost universal, right?), so in that sense we can be hopeful that, if protected by tooling, ro will not be misused often.

As a hypothetical example, the tool could discourage the ro qualifiers with least impact but most likely to cause conflicts down the line. For example all ro receiver interfaces, ro arguments with non-ro methods, ro arguments which escape the current package, etc. could cause a warning, suppressed by some special comment, i.e. // ro-vet: some explanation of why you are overruling the warning.

To summarize myself, acknowledging the risks of ro (or any read-only proposal for that matter) being misused is sensible, but should perhaps be taken as a motivation to think ahead and take some risk mitigation measures rather than as cause for proposal dismissal.

Earlier I asked whether this could just be discussed with #22876. You suggested that this proposal was better than that one with regard to const-poisoning. Why is that? To me they same approximately the same in that regard.

• Same: removing ro from a function's argument breaks usages where the value is already ro

func foo() {
  x := ro []int{}
  bar(x)
}

func bar(ro []int) {...}  // removing ro here breaks under both proposals

• Better: adding ro to a function's argument breaks nothing

func foo() {
  x := []int{} // non-ro
  func(f func([]int) {
    f(x)
  }(bar)
}

func bar([]int) {...}  // adding ro here is OK in this proposal, not in the other

// similarly (and probably more relevant) for interface implementation

From a poisoning perspective I think the difference can be summarized as:
#22876 assumes implicit conversion to ro for variables, this one also implicit conversion (to non-ro) of function arguments and to ro for return values.

Would it be correct to say that in this proposal there is an implicit conversion from func(ro T) to func(T), for any type T?

That seems like a modification that could be discussed in the context of #22876. It is an improvement but it doesn't seem very different.

If you drop permission genericity, how do you handle the problem it addresses? For example, how would you write

func tail(x ro? []int) ro? []int { return x[1:] }

there is an implicit conversion from func(ro T) to func(T)

Yes, also from func() T to func() ro T and most significantly for interface implementation:

type Foo interface {
  Bar(T)
}

type foo struct {}
func (f foo) Bar(ro T) {...}

var _ Foo = foo{} // foo implements Foo despite not matching in ro

That seems like a modification that could be discussed in the context of #22876

Sure. These changes are the main distinction between the proposals, of course if they are added to the original they can be discussed there. I discuss these in more detail in relaxed typing rules for ro qualifiers. I think the distinction around interfaces and type assertion is small but relevant.
Immutability is unrelated but can be applied to both proposals regardless (and in fact I already posted those ideas in #22876 (comment)).

If you drop permission genericity, how do you handle the problem it addresses?

With two separate methods (tail(x []int) []int and roTail(x ro []int) ro []int). It is unfortunate duplicity, but I think preferable..

If we had to write two variants of every function like this, the benefits of read-only types would be outweighed by the pain they cause.

I don't think these situations are common. ro? is only really relevant if the variable is returned as a ro?

• how likely (or sensible) are functions func(ro? T), func(ro? T) T or func(ro? T) ro T? Why would the logic of these functions be different if the input is ro or not? It seems to me to distinguish the two is a code smell, and ro? is enabling it.
• functions following the ro? return pattern, i.e. func(ro? T) ro? T are mainly getters or small functions like the example one. Writing them twice is not a big deal in exchange for clarity and simplicity.

Functions as variables with ro? are problematic. I discuss it in #22876 (comment), but x := tail means x is type func(ro? []int) ro? []int. That means ro? is a full type (not simply a keyword to help developers create 2+ functions at once), and then there are ro??, ro???, etc. which make that even more complex.

Also as you have already highlighted in Subsumed by Generics, ro? would not be needed in generics existed. Since the hope exists go will one day have generics it seems problematic down the line to introduce ro?.

On the more opinionated side, I see the purpose you want to address with ro? but find the feature too intrusive for little gain. If writing a few methods twice is that inconvenient we can always create a simple code generation tool that effectively does the same thing without changing the whole language (with separate names though, no genericity).

I think the need for ro? is greater than you think. The following functions from the bytes package would need it:

• Fields, FieldsFunc
• Split, SplitAfter, SplitAfterN, SplitN
• TrimXXX (9 functions)

These are not "mainly getters or small functions".

The above can do without ro? just fine:

// common private auxiliar method
func trim(s ro []byte, cutset string) (int, int) {...}

// exactly as before
func Trim(s []byte, cutset string) []byte {from, to := trim(s, cutset); return s[from:to]}

// We should agree on a standard for ro-version of such functions - suffixed by 'Ro' for example
func TrimRo(s ro []byte, cutset string) ro []byte {from, to := trim(s, cutset); return s[from:to]}

SplitXXand FieldsXX functions can be done similarly with some 'next' loop.

While of course we have new functions with separate names, I actually find this positive - go is very explicit and not introducing genericity (even in this very limited form) keeps the language easy to understand.

These are not "mainly getters or small functions".

They can be seen as small functions wrapping a larger, private, common function.

Either way, for the few situations when there is no easy implementable common function to call or perhaps performance-wise a different approach is preferred, a simple code generation tool should be developed that can easily generate 2 versions out of one.

Does this not make ro? an very niche and arbitrary feature?

It's also noteworthy that ro? is useless if the generics draft is adopted

I'm going to go ahead and close this in favor of #22876. While this one is different, the differences are small, and we can discuss the ideas here on that issue.