Check that hidden parameters are annotated @consume

TODO:

 - check that only @consume parameters flow to @consume parameters

Author: odersky

compiler/src/dotty/tools/dotc/cc/CheckCaptures.scala

@@ -1559,7 +1559,7 @@ class CheckCaptures extends Recheck, SymTransformer:
 
         override def checkInheritedTraitParameters: Boolean = false
 
-        /** Check that overrides don't change the @use status of their parameters */
+        /** Check that overrides don't change the @use or @consume status of their parameters */
         override def additionalChecks(member: Symbol, other: Symbol)(using Context): Unit =
           def fail(msg: String) =
             report.error(
@@ -1571,6 +1571,8 @@ class CheckCaptures extends Recheck, SymTransformer:
           do
             if param1.hasAnnotation(defn.UseAnnot) != param2.hasAnnotation(defn.UseAnnot) then
               fail(i"has a parameter ${param1.name} with different @use status than the corresponding parameter in the overridden definition")
+            if param1.hasAnnotation(defn.ConsumeAnnot) != param2.hasAnnotation(defn.ConsumeAnnot) then
+              fail(i"has a parameter ${param1.name} with different @consume status than the corresponding parameter in the overridden definition")
       end OverridingPairsCheckerCC
 
       def traverse(t: Tree)(using Context) =

compiler/src/dotty/tools/dotc/cc/SepCheck.scala

@@ -28,6 +28,16 @@ object SepChecker:
       else NeedsCheck
   end Captures
 
+  /** The kind of checked type, used for composing error messages */
+  enum TypeKind:
+    case Result(sym: Symbol, inferred: Boolean)
+    case Argument
+
+    def dclSym = this match
+      case Result(sym, _) => sym
+      case _ => NoSymbol
+  end TypeKind
+
 class SepChecker(checker: CheckCaptures.CheckerAPI) extends tpd.TreeTraverser:
   import tpd.*
   import checker.*
@@ -204,7 +214,7 @@ class SepChecker(checker: CheckCaptures.CheckerAPI) extends tpd.TreeTraverser:
     for (arg, idx) <- indexedArgs do
       if arg.needsSepCheck then
         val ac = formalCaptures(arg)
-        checkType(arg.formalType, arg.srcPos, NoSymbol, " the argument's adapted type")
+        checkType(arg.formalType, arg.srcPos, TypeKind.Argument)
         val hiddenInArg = ac.hidden.footprint
         //println(i"check sep $arg: $ac, footprint so far = $footprint, hidden = $hiddenInArg")
         val overlap = hiddenInArg.overlapWith(footprint).deductCapturesOf(deps(arg))
@@ -232,18 +242,29 @@ class SepChecker(checker: CheckCaptures.CheckerAPI) extends tpd.TreeTraverser:
         sepUseError(tree, usedFootprint, overlap)
 
   def checkType(tpt: Tree, sym: Symbol)(using Context): Unit =
-    checkType(tpt.nuType, tpt.srcPos, sym, "")
-
-  /** Check that all parts of type `tpe` are separated.
-   *  @param  tpe  the type to check
-   *  @param  pos  position for error reporting
-   *  @param  sym  if `tpe` is the (result-) type of a val or def, the symbol of
-   *               this definition, otherwise NoSymbol. If `sym` exists we
-   *               deduct its associated direct and reach capabilities everywhere
-   *               from the capture sets we check.
-   *  @param  what a string describing what kind of type it is
-   */
-  def checkType(tpe: Type, pos: SrcPos, sym: Symbol, what: String)(using Context): Unit =
+    checkType(tpt.nuType, tpt.srcPos,
+        TypeKind.Result(sym, inferred = tpt.isInstanceOf[InferredTypeTree]))
+
+  /** Check that all parts of type `tpe` are separated. */
+  def checkType(tpe: Type, pos: SrcPos, kind: TypeKind)(using Context): Unit =
+
+    def typeDescr = kind match
+      case TypeKind.Result(sym, inferred) =>
+        def inferredStr = if inferred then " inferred" else ""
+        def resultStr = if sym.info.isInstanceOf[MethodicType] then " result" else ""
+        i" $sym's$inferredStr$resultStr"
+      case TypeKind.Argument =>
+        " the argument's adapted type"
+
+    def explicitRefs(tp: Type): Refs = tp match
+      case tp: (TermRef | ThisType) => SimpleIdentitySet(tp)
+      case AnnotatedType(parent, _) => explicitRefs(parent)
+      case AndType(tp1, tp2) => explicitRefs(tp1) ++ explicitRefs(tp2)
+      case OrType(tp1, tp2) => explicitRefs(tp1) ** explicitRefs(tp2)
+      case _ => emptySet
+
+    def prune(refs: Refs): Refs =
+      refs.deductSym(kind.dclSym) -- explicitRefs(tpe)
 
     def checkParts(parts: List[Type]): Unit =
       var footprint: Refs = emptySet
@@ -265,21 +286,21 @@ class SepChecker(checker: CheckCaptures.CheckerAPI) extends tpd.TreeTraverser:
           if !globalOverlap.isEmpty then
             val (prevStr, prevRefs, overlap) = parts.iterator.take(checked)
               .map: prev =>
-                val prevRefs = mapRefs(prev.deepCaptureSet.elems).footprint.deductSym(sym)
+                val prevRefs = prune(mapRefs(prev.deepCaptureSet.elems).footprint)
                 (i",  $prev , ", prevRefs, prevRefs.overlapWith(next))
               .dropWhile(_._3.isEmpty)
               .nextOption
               .getOrElse(("", current, globalOverlap))
             report.error(
-              em"""Separation failure in$what type $tpe.
+              em"""Separation failure in$typeDescr type $tpe.
                   |One part,  $part , $nextRel  ${CaptureSet(next)}.
                   |A previous part$prevStr $prevRel  ${CaptureSet(prevRefs)}.
                   |The two sets overlap at  ${CaptureSet(overlap)}.""",
               pos)
 
         val partRefs = part.deepCaptureSet.elems
-        val partFootprint = partRefs.footprint.deductSym(sym)
-        val partHidden = partRefs.hidden.footprint.deductSym(sym) -- partFootprint
+        val partFootprint = prune(partRefs.footprint)
+        val partHidden = prune(partRefs.hidden.footprint) -- partFootprint
 
         checkSep(footprint, partHidden, identity, "references", "hides")
         checkSep(hiddenSet, partHidden, _.hidden, "also hides", "hides")
@@ -325,9 +346,43 @@ class SepChecker(checker: CheckCaptures.CheckerAPI) extends tpd.TreeTraverser:
             case t =>
               foldOver(c, t)
 
+    def checkParameters() =
+      val badParams = mutable.ListBuffer[Symbol]()
+      def currentOwner = kind.dclSym.orElse(ctx.owner)
+      for hiddenRef <- prune(tpe.deepCaptureSet.elems.hidden.footprint) do
+        val refSym = hiddenRef.termSymbol
+        if refSym.is(TermParam)
+          && !refSym.hasAnnotation(defn.ConsumeAnnot)
+          && !refSym.info.derivesFrom(defn.Caps_SharedCapability)
+          && currentOwner.isContainedIn(refSym.owner)
+        then
+          badParams += refSym
+      if badParams.nonEmpty then
+        def paramsStr(params: List[Symbol]): String = (params: @unchecked) match
+          case p :: Nil => i"${p.name}"
+          case p :: p2 :: Nil => i"${p.name} and ${p2.name}"
+          case p :: ps => i"${p.name}, ${paramsStr(ps)}"
+        val (pluralS, singleS) = if badParams.tail.isEmpty then ("", "s") else ("s", "")
+        report.error(
+          em"""Separation failure:$typeDescr type $tpe hides parameter$pluralS ${paramsStr(badParams.toList)}
+              |The parameter$pluralS need$singleS to be annotated with @consume to allow this.""",
+            pos)
+
+    def flagHiddenParams =
+      kind match
+        case TypeKind.Result(sym, _) =>
+          !sym.isAnonymousFunction // we don't check return types of anonymous functions
+          && !sym.is(Case)         // We don't check so far binders in patterns since they
+                                   // have inferred universal types. TODO come back to this;
+                                   // either infer more precise types for such binders or
+                                   // "see through them" when we look at hidden sets.
+        case TypeKind.Argument =>
+          false
+
     if !tpe.hasAnnotation(defn.UntrackedCapturesAnnot) then
       traverse(Captures.None, tpe)
       traverse.toCheck.foreach(checkParts)
+      if flagHiddenParams then checkParameters()
   end checkType
 
   private def collectMethodTypes(tp: Type): List[TermLambda] = tp match

compiler/src/dotty/tools/dotc/core/Definitions.scala

@@ -1010,6 +1010,7 @@ class Definitions {
     @tu lazy val Caps_ContainsTrait: TypeSymbol = CapsModule.requiredType("Contains")
     @tu lazy val Caps_containsImpl: TermSymbol = CapsModule.requiredMethod("containsImpl")
     @tu lazy val Caps_Mutable: ClassSymbol = requiredClass("scala.caps.Mutable")
+    @tu lazy val Caps_SharedCapability: ClassSymbol = requiredClass("scala.caps.SharedCapability")
 
   /** The same as CaptureSet.universal but generated implicitly for references of Capability subtypes */
   @tu lazy val universalCSImpliedByCapability = CaptureSet(captureRoot.termRef.readOnly)
@@ -1071,6 +1072,7 @@ class Definitions {
   @tu lazy val UncheckedCapturesAnnot: ClassSymbol = requiredClass("scala.annotation.unchecked.uncheckedCaptures")
   @tu lazy val UntrackedCapturesAnnot: ClassSymbol = requiredClass("scala.caps.untrackedCaptures")
   @tu lazy val UseAnnot:  ClassSymbol = requiredClass("scala.caps.use")
+  @tu lazy val ConsumeAnnot:  ClassSymbol = requiredClass("scala.caps.consume")
   @tu lazy val RefineOverrideAnnot:  ClassSymbol = requiredClass("scala.caps.refineOverride")
   @tu lazy val VolatileAnnot: ClassSymbol = requiredClass("scala.volatile")
   @tu lazy val LanguageFeatureMetaAnnot: ClassSymbol = requiredClass("scala.annotation.meta.languageFeature")

compiler/src/dotty/tools/dotc/util/SimpleIdentitySet.scala

@@ -42,6 +42,11 @@ abstract class SimpleIdentitySet[+Elem <: AnyRef] {
         if (that.contains(x)) s else s + x
       }
 
+  def ** [E >: Elem <: AnyRef](that: SimpleIdentitySet[E]): SimpleIdentitySet[E] =
+    if this.size == 0 then this
+    else if that.size == 0 then that
+    else this.filter(that.contains)
+
   def == [E >: Elem <: AnyRef](that: SimpleIdentitySet[E]): Boolean =
     this.size == that.size && forall(that.contains)
 

library/src/scala/caps.scala

@@ -18,6 +18,8 @@ import annotation.{experimental, compileTimeOnly, retainsCap}
 
   trait Mutable extends Capability
 
+  trait SharedCapability extends Capability
+
   /** Carrier trait for capture set type parameters */
   trait CapSet extends Any
 
@@ -77,6 +79,8 @@ import annotation.{experimental, compileTimeOnly, retainsCap}
    */
   final class refineOverride extends annotation.StaticAnnotation
 
+  final class consume extends annotation.StaticAnnotation
+
   object unsafe:
 
     extension [T](x: T)

tests/neg-custom-args/captures/box-adapt-contra.scala

@@ -1,4 +1,5 @@
-import language.experimental.captureChecking
+import language.future // sepchecks on
+import caps.consume
 
 trait Cap
 
@@ -7,7 +8,7 @@ def useCap[X](x: X): (X -> Unit) -> Unit = ???
 def test1(c: Cap^): Unit =
   val f: (Cap^{c} -> Unit) -> Unit = useCap[Cap^{c}](c)  // error
 
-def test2(c: Cap^, d: Cap^): Unit =
+def test2(@consume c: Cap^, d: Cap^): Unit =
   def useCap1[X](x: X): (X => Unit) -> Unit = ???
   val f1: (Cap^{c} => Unit) ->{c} Unit = useCap1[Cap^{c}](c)  // ok
 

tests/neg-custom-args/captures/capt-depfun.check

@@ -1,7 +1,12 @@
--- [E007] Type Mismatch Error: tests/neg-custom-args/captures/capt-depfun.scala:10:43 ----------------------------------
-10 |  val dc: ((Str^{y, z}) => Str^{y, z}) = ac(g()) // error
+-- [E007] Type Mismatch Error: tests/neg-custom-args/captures/capt-depfun.scala:11:43 ----------------------------------
+11 |  val dc: ((Str^{y, z}) => Str^{y, z}) = ac(g()) // error // error: separatioon
    |                                         ^^^^^^^
    |                                         Found:    Str^{} ->{ac, y, z} Str^{y, z}
    |                                         Required: Str^{y, z} ->{fresh} Str^{y, z}
    |
    | longer explanation available when compiling with `-explain`
+-- Error: tests/neg-custom-args/captures/capt-depfun.scala:11:24 -------------------------------------------------------
+11 |  val dc: ((Str^{y, z}) => Str^{y, z}) = ac(g()) // error // error: separatioon
+   |           ^^^^^^^^^^^^^^^^^^^^^^^^^^
+   |           Separation failure: value dc's type Str^{y, z} => Str^{y, z} hides parameters y and z
+   |           The parameters need to be annotated with @consume to allow this.

tests/neg-custom-args/captures/capt-depfun.scala

@@ -1,10 +1,11 @@
 import annotation.retains
 import language.future // sepchecks on
+
 class C
 type Cap = C @retains(caps.cap)
 class Str
 
 def f(y: Cap, z: Cap) =
   def g(): C @retains(y, z) = ???
   val ac: ((x: Cap) => Str @retains(x) => Str @retains(x)) = ???
-  val dc: ((Str^{y, z}) => Str^{y, z}) = ac(g()) // error
+  val dc: ((Str^{y, z}) => Str^{y, z}) = ac(g()) // error // error: separatioon

tests/neg-custom-args/captures/consume-overrides.scala

@@ -0,0 +1,15 @@
+import caps.consume
+
+trait A[X]:
+  def foo(@consume x: X): X
+  def bar(x: X): X
+
+trait B extends A[C]:
+  def foo(x: C): C        // error
+  def bar(@consume x: C): C // error
+
+trait B2:
+  def foo(x: C): C
+  def bar(@consume x: C): C
+
+abstract class C extends A[C], B2 // error

tests/neg-custom-args/captures/delayedRunops.check

@@ -1,14 +1,14 @@
--- Error: tests/neg-custom-args/captures/delayedRunops.scala:16:13 -----------------------------------------------------
-16 |      runOps(ops1)  // error
+-- Error: tests/neg-custom-args/captures/delayedRunops.scala:17:13 -----------------------------------------------------
+17 |      runOps(ops1)  // error
    |             ^^^^
    |             reference ops* is not included in the allowed capture set {}
    |             of an enclosing function literal with expected type () -> Unit
--- Error: tests/neg-custom-args/captures/delayedRunops.scala:22:13 -----------------------------------------------------
-22 |      runOps(ops1)  // error
+-- Error: tests/neg-custom-args/captures/delayedRunops.scala:23:13 -----------------------------------------------------
+23 |      runOps(ops1)  // error
    |             ^^^^
    |             Local reach capability ops1* leaks into capture scope of enclosing function
--- Error: tests/neg-custom-args/captures/delayedRunops.scala:28:13 -----------------------------------------------------
-28 |      runOps(ops1)  // error
+-- Error: tests/neg-custom-args/captures/delayedRunops.scala:29:13 -----------------------------------------------------
+29 |      runOps(ops1)  // error
    |             ^^^^
    |             reference ops* is not included in the allowed capture set {}
    |             of an enclosing function literal with expected type () -> Unit

tests/neg-custom-args/captures/delayedRunops.scala

@@ -1,5 +1,6 @@
 import language.experimental.captureChecking
-import caps.use
+import language.future // sepchecks on
+import caps.{use, consume}
 
   // ok
   def runOps(@use ops: List[() => Unit]): Unit =
@@ -16,7 +17,7 @@ import caps.use
       runOps(ops1)  // error
 
   // unsound: impure operation pretended pure
-  def delayedRunOps2(ops: List[() => Unit]): () ->{} Unit =
+  def delayedRunOps2(@consume ops: List[() => Unit]): () ->{} Unit =
     () =>
       val ops1: List[() => Unit] = ops
       runOps(ops1)  // error

tests/neg-custom-args/captures/depfun-reach.check

@@ -12,3 +12,8 @@
    |                                        Required: (xs: List[box () ->{io} Unit]) ->{fresh} List[() -> Unit]
    |
    | longer explanation available when compiling with `-explain`
+-- Error: tests/neg-custom-args/captures/depfun-reach.scala:12:17 ------------------------------------------------------
+12 |               : (xs: List[(X, () ->{io} Unit)]) => List[() ->{} Unit] = // error
+   |                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+   |Separation failure: method foo's result type (xs: List[(X, box () ->{io} Unit)]) => List[() -> Unit] hides parameter op
+   |The parameter needs to be annotated with @consume to allow this.

tests/neg-custom-args/captures/depfun-reach.scala

@@ -9,7 +9,7 @@ def test(io: Object^, async: Object^) =
     compose(op)
 
   def foo[X](op: (xs: List[(X, () ->{io} Unit)]) => List[() ->{xs*} Unit])
-               : (xs: List[(X, () ->{io} Unit)]) => List[() ->{} Unit] =
+               : (xs: List[(X, () ->{io} Unit)]) => List[() ->{} Unit] = // error
     op // error
 
   def boom(op: List[(() ->{async} Unit, () ->{io} Unit)]): List[() ->{} Unit] =

tests/neg-custom-args/captures/effect-swaps-explicit.scala

@@ -1,4 +1,4 @@
-
+import language.future // sepchecks on
 
 object boundary:
 
@@ -14,7 +14,7 @@ end boundary
 
 import boundary.{Label, break}
 
-trait Async extends caps.Capability
+trait Async extends caps.SharedCapability
 object Async:
   def blocking[T](body: Async ?=> T): T = ???
 

tests/neg-custom-args/captures/effect-swaps.check

@@ -1,29 +1,29 @@
--- [E007] Type Mismatch Error: tests/neg-custom-args/captures/effect-swaps.scala:62:8 ----------------------------------
-61 |      Result:
-62 |        Future: // error, type mismatch
+-- [E007] Type Mismatch Error: tests/neg-custom-args/captures/effect-swaps.scala:64:8 ----------------------------------
+63 |      Result:
+64 |        Future: // error, type mismatch
    |      ^
    |      Found:    Result.Ok[box Future[box T^?]^{fr, contextual$1}]
    |      Required: Result[Future[T], Nothing]
-63 |          fr.await.ok
+65 |          fr.await.ok
    |--------------------------------------------------------------------------------------------------------------------
    |Inline stack trace
    |- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-   |This location contains code that was inlined from effect-swaps.scala:39
-39 |    boundary(Ok(body))
+   |This location contains code that was inlined from effect-swaps.scala:41
+41 |    boundary(Ok(body))
    |             ^^^^^^^^
     --------------------------------------------------------------------------------------------------------------------
    |
    | longer explanation available when compiling with `-explain`
--- [E007] Type Mismatch Error: tests/neg-custom-args/captures/effect-swaps.scala:72:10 ---------------------------------
-72 |          Future: fut ?=> // error: type mismatch
+-- [E007] Type Mismatch Error: tests/neg-custom-args/captures/effect-swaps.scala:74:10 ---------------------------------
+74 |          Future: fut ?=> // error: type mismatch
    |          ^
    |          Found:    Future[box T^?]^{fr, lbl}
    |          Required: Future[box T^?]^?
-73 |            fr.await.ok
+75 |            fr.await.ok
    |
    | longer explanation available when compiling with `-explain`
--- Error: tests/neg-custom-args/captures/effect-swaps.scala:66:15 ------------------------------------------------------
-66 |        Result.make: // error: local reference leaks
+-- Error: tests/neg-custom-args/captures/effect-swaps.scala:68:15 ------------------------------------------------------
+68 |        Result.make: // error: local reference leaks
    |        ^^^^^^^^^^^
    |local reference contextual$9 from (using contextual$9: boundary.Label[Result[box Future[box T^?]^{fr, contextual$9}, box E^?]]):
    |  box Future[box T^?]^{fr, contextual$9} leaks into outer capture set of type parameter T of method make in object Result

tests/neg-custom-args/captures/effect-swaps.scala

@@ -1,3 +1,5 @@
+import language.future // sepchecks on
+
 object boundary:
 
   final class Label[-T] extends caps.Capability
@@ -12,7 +14,7 @@ end boundary
 
 import boundary.{Label, break}
 
-trait Async extends caps.Capability
+trait Async extends caps.SharedCapability
 object Async:
   def blocking[T](body: Async ?=> T): T = ???
 

tests/neg-custom-args/captures/i15772.check

@@ -39,3 +39,8 @@
    |  Required: () -> Unit
    |
    | longer explanation available when compiling with `-explain`
+-- Error: tests/neg-custom-args/captures/i15772.scala:34:10 ------------------------------------------------------------
+34 |  def c : C^ = new C(x) // error separation
+   |          ^^
+   |          Separation failure: method c's result type C^ hides parameter x
+   |          The parameter needs to be annotated with @consume to allow this.