Separation checking for applications

Check separation from source 3.7 on.

We currently only check applications, other areas of separation checking
are still to be implemented.

Author: odersky

compiler/src/dotty/tools/dotc/cc/CaptureOps.scala

@@ -54,7 +54,7 @@ object ccConfig:
 
   /** If true, turn on separation checking */
   def useFresh(using Context): Boolean =
-    Feature.sourceVersion.stable.isAtLeast(SourceVersion.`future`)
+    Feature.sourceVersion.stable.isAtLeast(SourceVersion.`3.7`)
 
 end ccConfig
 

compiler/src/dotty/tools/dotc/cc/CheckCaptures.scala

@@ -242,6 +242,17 @@ object CheckCaptures:
 
       /** Was a new type installed for this tree? */
       def hasNuType: Boolean
+
+      /** Is this tree passed to a parameter or assigned to a value with a type
+       *  that contains cap in no-flip covariant position, which will necessite
+       *  a separation check?
+       */
+      def needsSepCheck: Boolean
+
+      /** If a tree is an argument for which needsSepCheck is true,
+       *  the type of the formal paremeter corresponding to the argument.
+       */
+      def formalType: Type
   end CheckerAPI
 
 class CheckCaptures extends Recheck, SymTransformer:
@@ -282,6 +293,15 @@ class CheckCaptures extends Recheck, SymTransformer:
      */
     private val todoAtPostCheck = new mutable.ListBuffer[() => Unit]
 
+    /** Maps trees that need a separation check because they are arguments to
+     *  polymorphic parameters. The trees are mapped to the formal parameter type.
+     */
+    private val sepCheckFormals = util.EqHashMap[Tree, Type]()
+
+    extension [T <: Tree](tree: T)
+      def needsSepCheck: Boolean = sepCheckFormals.contains(tree)
+      def formalType: Type = sepCheckFormals.getOrElse(tree, NoType)
+
     /** Instantiate capture set variables appearing contra-variantly to their
      *  upper approximation.
      */
@@ -662,6 +682,8 @@ class CheckCaptures extends Recheck, SymTransformer:
         // The @use annotation is added to `formal` by `prepareFunction`
         capt.println(i"charging deep capture set of $arg: ${argType} = ${argType.deepCaptureSet}")
         markFree(argType.deepCaptureSet, arg.srcPos)
+      if formal.containsCap then
+        sepCheckFormals(arg) = freshenedFormal
       argType
 
     /** Map existential captures in result to `cap` and implement the following
@@ -1786,6 +1808,7 @@ class CheckCaptures extends Recheck, SymTransformer:
       end checker
 
       checker.traverse(unit)(using ctx.withOwner(defn.RootClass))
+      if ccConfig.useFresh then SepChecker(this).traverse(unit)
       if !ctx.reporter.errorsReported then
         // We dont report errors here if previous errors were reported, because other
         // errors often result in bad applied types, but flagging these bad types gives

compiler/src/dotty/tools/dotc/cc/SepCheck.scala

@@ -0,0 +1,202 @@
+package dotty.tools
+package dotc
+package cc
+import ast.tpd
+import collection.mutable
+
+import core.*
+import Symbols.*, Types.*
+import Contexts.*, Names.*, Flags.*, Symbols.*, Decorators.*
+import CaptureSet.{Refs, emptySet}
+import config.Printers.capt
+import StdNames.nme
+
+class SepChecker(checker: CheckCaptures.CheckerAPI) extends tpd.TreeTraverser:
+  import tpd.*
+  import checker.*
+
+  extension (refs: Refs)
+    private def footprint(using Context): Refs =
+      def recur(elems: Refs, newElems: List[CaptureRef]): Refs = newElems match
+        case newElem :: newElems1 =>
+          val superElems = newElem.captureSetOfInfo.elems.filter: superElem =>
+            !superElem.isMaxCapability && !elems.contains(superElem)
+          recur(elems ++ superElems, newElems1 ++ superElems.toList)
+        case Nil => elems
+      val elems: Refs = refs.filter(!_.isMaxCapability)
+      recur(elems, elems.toList)
+
+    private def overlapWith(other: Refs)(using Context): Refs =
+      val refs1 = refs
+      val refs2 = other
+      def common(refs1: Refs, refs2: Refs) =
+        refs1.filter: ref =>
+          ref.isExclusive && refs2.exists(_.stripReadOnly eq ref)
+      common(refs, other) ++ common(other, refs)
+
+  private def hidden(refs: Refs)(using Context): Refs =
+    val seen: util.EqHashSet[CaptureRef] = new util.EqHashSet
+
+    def hiddenByElem(elem: CaptureRef): Refs =
+      if seen.add(elem) then elem match
+        case Fresh.Cap(hcs) => hcs.elems.filter(!_.isRootCapability) ++ recur(hcs.elems)
+        case ReadOnlyCapability(ref) => hiddenByElem(ref).map(_.readOnly)
+        case _ => emptySet
+      else emptySet
+
+    def recur(cs: Refs): Refs =
+      (emptySet /: cs): (elems, elem) =>
+        elems ++ hiddenByElem(elem)
+
+    recur(refs)
+  end hidden
+
+  /** The captures of an argument or prefix widened to the formal parameter, if
+   *  the latter contains a cap.
+   */
+  private def formalCaptures(arg: Tree)(using Context): Refs =
+    val argType = arg.formalType.orElse(arg.nuType)
+    (if arg.nuType.hasUseAnnot then argType.deepCaptureSet else argType.captureSet)
+      .elems
+
+   /** The captures of an argument of prefix. No widening takes place */
+  private def actualCaptures(arg: Tree)(using Context): Refs =
+    val argType = arg.nuType
+    (if argType.hasUseAnnot then argType.deepCaptureSet else argType.captureSet)
+      .elems
+
+  private def sepError(fn: Tree, args: List[Tree], argIdx: Int,
+      overlap: Refs, hiddenInArg: Refs, footprints: List[(Refs, Int)],
+      deps: collection.Map[Tree, List[Tree]])(using Context): Unit =
+    val arg = args(argIdx)
+    def paramName(mt: Type, idx: Int): Option[Name] = mt match
+      case mt @ MethodType(pnames) =>
+        if idx < pnames.length then Some(pnames(idx)) else paramName(mt.resType, idx - pnames.length)
+      case mt: PolyType => paramName(mt.resType, idx)
+      case _ => None
+    def formalName = paramName(fn.nuType.widen, argIdx) match
+      case Some(pname) => i"$pname "
+      case _ => ""
+    def whatStr = if overlap.size == 1 then "this capability is" else "these capabilities are"
+    def funStr =
+      if fn.symbol.exists then i"${fn.symbol}: ${fn.symbol.info}"
+      else i"a function of type ${fn.nuType.widen}"
+    val clashIdx = footprints
+      .collect:
+        case (fp, idx) if !hiddenInArg.overlapWith(fp).isEmpty => idx
+      .head
+    def whereStr = clashIdx match
+      case 0 => "function prefix"
+      case 1 => "first argument "
+      case 2 => "second argument"
+      case 3 => "third argument "
+      case n => s"${n}th argument  "
+    def clashTree =
+      if clashIdx == 0 then methPart(fn).asInstanceOf[Select].qualifier
+      else args(clashIdx - 1)
+    def clashType = clashTree.nuType
+    def clashCaptures = actualCaptures(clashTree)
+    def hiddenCaptures = hidden(formalCaptures(arg))
+    def clashFootprint = clashCaptures.footprint
+    def hiddenFootprint = hiddenCaptures.footprint
+    def declaredFootprint = deps(arg).map(actualCaptures(_)).foldLeft(emptySet)(_ ++ _).footprint
+    def footprintOverlap = hiddenFootprint.overlapWith(clashFootprint) -- declaredFootprint
+    report.error(
+      em"""Separation failure: argument of type  ${arg.nuType}
+          |to $funStr
+          |corresponds to capture-polymorphic formal parameter ${formalName}of type  ${arg.formalType}
+          |and captures ${CaptureSet(overlap)}, but $whatStr also passed separately
+          |in the ${whereStr.trim} with type  $clashType.
+          |
+          |  Capture set of $whereStr        : ${CaptureSet(clashCaptures)}
+          |  Hidden set of current argument        : ${CaptureSet(hiddenCaptures)}
+          |  Footprint of $whereStr          : ${CaptureSet(clashFootprint)}
+          |  Hidden footprint of current argument  : ${CaptureSet(hiddenFootprint)}
+          |  Declared footprint of current argument: ${CaptureSet(declaredFootprint)}
+          |  Undeclared overlap of footprints      : ${CaptureSet(footprintOverlap)}""",
+      arg.srcPos)
+  end sepError
+
+  private def checkApply(fn: Tree, args: List[Tree], deps: collection.Map[Tree, List[Tree]])(using Context): Unit =
+    val fnCaptures = methPart(fn) match
+      case Select(qual, _) => qual.nuType.captureSet
+      case _ => CaptureSet.empty
+    capt.println(i"check separate $fn($args), fnCaptures = $fnCaptures, argCaptures = ${args.map(arg => CaptureSet(formalCaptures(arg)))}, deps = ${deps.toList}")
+    var footprint = fnCaptures.elems.footprint
+    val footprints = mutable.ListBuffer[(Refs, Int)]((footprint, 0))
+    val indexedArgs = args.zipWithIndex
+
+    def subtractDeps(elems: Refs, arg: Tree): Refs =
+      deps(arg).foldLeft(elems): (elems, dep) =>
+        elems -- actualCaptures(dep).footprint
+
+    for (arg, idx) <- indexedArgs do
+      if !arg.needsSepCheck then
+        footprint = footprint ++ subtractDeps(actualCaptures(arg).footprint, arg)
+        footprints += ((footprint, idx + 1))
+    for (arg, idx) <- indexedArgs do
+      if arg.needsSepCheck then
+        val ac = formalCaptures(arg)
+        val hiddenInArg = hidden(ac).footprint
+        //println(i"check sep $arg: $ac, footprint so far = $footprint, hidden = $hiddenInArg")
+        val overlap = subtractDeps(hiddenInArg.overlapWith(footprint), arg)
+        if !overlap.isEmpty then
+          sepError(fn, args, idx, overlap, hiddenInArg, footprints.toList, deps)
+        footprint ++= actualCaptures(arg).footprint
+        footprints += ((footprint, idx + 1))
+  end checkApply
+
+  private def collectMethodTypes(tp: Type): List[TermLambda] = tp match
+    case tp: MethodType => tp :: collectMethodTypes(tp.resType)
+    case tp: PolyType => collectMethodTypes(tp.resType)
+    case _ => Nil
+
+  private def dependencies(fn: Tree, argss: List[List[Tree]])(using Context): collection.Map[Tree, List[Tree]] =
+    val mtpe =
+      if fn.symbol.exists then fn.symbol.info
+      else fn.tpe.widen // happens for PolyFunction applies
+    val mtps = collectMethodTypes(mtpe)
+    assert(mtps.hasSameLengthAs(argss), i"diff for $fn: ${fn.symbol} /// $mtps /// $argss")
+    val mtpsWithArgs = mtps.zip(argss)
+    val argMap = mtpsWithArgs.toMap
+    val deps = mutable.HashMap[Tree, List[Tree]]().withDefaultValue(Nil)
+    for
+      (mt, args) <- mtpsWithArgs
+      (formal, arg) <- mt.paramInfos.zip(args)
+      dep <- formal.captureSet.elems.toList
+    do
+      val referred = dep match
+        case dep: TermParamRef =>
+          argMap(dep.binder)(dep.paramNum) :: Nil
+        case dep: ThisType if dep.cls == fn.symbol.owner =>
+          val Select(qual, _) = fn: @unchecked
+          qual :: Nil
+        case _ =>
+          Nil
+      deps(arg) ++= referred
+    deps
+
+  private def traverseApply(tree: Tree, argss: List[List[Tree]])(using Context): Unit = tree match
+    case Apply(fn, args) => traverseApply(fn, args :: argss)
+    case TypeApply(fn, args) => traverseApply(fn, argss) // skip type arguments
+    case _ =>
+      if argss.nestedExists(_.needsSepCheck) then
+        checkApply(tree, argss.flatten, dependencies(tree, argss))
+
+  def traverse(tree: Tree)(using Context): Unit =
+    tree match
+      case tree: GenericApply =>
+        if tree.symbol != defn.Caps_unsafeAssumeSeparate then
+          tree.tpe match
+            case _: MethodOrPoly =>
+            case _ => traverseApply(tree, Nil)
+          traverseChildren(tree)
+      case _ =>
+        traverseChildren(tree)
+end SepChecker
+
+
+
+
+
+

compiler/src/dotty/tools/dotc/cc/Synthetics.scala

@@ -132,8 +132,9 @@ object Synthetics:
       val (pt: PolyType) = info: @unchecked
       val (mt: MethodType) = pt.resType: @unchecked
       val (enclThis: ThisType) = owner.thisType: @unchecked
+      val paramCaptures = CaptureSet(enclThis, defn.captureRoot.termRef)
       pt.derivedLambdaType(resType = MethodType(mt.paramNames)(
-        mt1 => mt.paramInfos.map(_.capturing(CaptureSet.universal)),
+        mt1 => mt.paramInfos.map(_.capturing(paramCaptures)),
         mt1 => CapturingType(mt.resType, CaptureSet(enclThis, mt1.paramRefs.head))))
 
     def transformCurriedTupledCaptures(info: Type, owner: Symbol) =
@@ -148,7 +149,10 @@ object Synthetics:
       ExprType(mapFinalResult(et.resType, CapturingType(_, CaptureSet(enclThis))))
 
     def transformCompareCaptures =
-      MethodType(defn.ObjectType.capturing(CaptureSet.universal) :: Nil, defn.BooleanType)
+      val (enclThis: ThisType) = symd.owner.thisType: @unchecked
+      MethodType(
+        defn.ObjectType.capturing(CaptureSet(defn.captureRoot.termRef, enclThis)) :: Nil,
+        defn.BooleanType)
 
     symd.copySymDenotation(info = symd.name match
       case DefaultGetterName(nme.copy, n) =>

compiler/src/dotty/tools/dotc/core/Definitions.scala

@@ -1006,6 +1006,7 @@ class Definitions {
     @tu lazy val Caps_Exists: ClassSymbol = requiredClass("scala.caps.Exists")
     @tu lazy val CapsUnsafeModule: Symbol = requiredModule("scala.caps.unsafe")
     @tu lazy val Caps_unsafeAssumePure: Symbol = CapsUnsafeModule.requiredMethod("unsafeAssumePure")
+    @tu lazy val Caps_unsafeAssumeSeparate: Symbol = CapsUnsafeModule.requiredMethod("unsafeAssumeSeparate")
     @tu lazy val Caps_ContainsTrait: TypeSymbol = CapsModule.requiredType("Contains")
     @tu lazy val Caps_containsImpl: TermSymbol = CapsModule.requiredMethod("containsImpl")
     @tu lazy val Caps_Mutable: ClassSymbol = requiredClass("scala.caps.Mutable")

library/src/scala/annotation/internal/freshCapability.scala

@@ -0,0 +1,7 @@
+package scala.annotation
+package internal
+
+/** An annotation used internally for fresh capability wrappers of `cap`
+ */
+class freshCapability extends StaticAnnotation
+

library/src/scala/caps.scala

@@ -79,4 +79,9 @@ import annotation.{experimental, compileTimeOnly, retainsCap}
        */
       def unsafeAssumePure: T = x
 
+    /** A wrapper around code for which separation checks are suppressed.
+     */
+    def unsafeAssumeSeparate[T](op: T): T = op
+
   end unsafe
+end caps

scala2-library-cc/src/scala/collection/IterableOnce.scala

@@ -805,7 +805,7 @@ trait IterableOnceOps[+A, +CC[_], +C] extends Any { this: IterableOnce[A]^ =>
       case  _ => Some(reduceLeft(op))
     }
   private final def reduceLeftOptionIterator[B >: A](op: (B, A) => B): Option[B] = reduceOptionIterator[A, B](iterator)(op)
-  private final def reduceOptionIterator[X >: A, B >: X](it: Iterator[X]^)(op: (B, X) => B): Option[B] = {
+  private final def reduceOptionIterator[X >: A, B >: X](it: Iterator[X]^{this, caps.cap})(op: (B, X) => B): Option[B] = {
     if (it.hasNext) {
       var acc: B = it.next()
       while (it.hasNext)

scala2-library-cc/src/scala/collection/immutable/LazyListIterable.scala

@@ -25,6 +25,7 @@ import scala.runtime.Statics
 import language.experimental.captureChecking
 import annotation.unchecked.uncheckedCaptures
 import caps.untrackedCaptures
+import caps.unsafe.unsafeAssumeSeparate
 
 /**  This class implements an immutable linked list. We call it "lazy"
   *  because it computes its elements only when they are needed.
@@ -879,6 +880,7 @@ final class LazyListIterable[+A] private(@untrackedCaptures lazyState: () => Laz
         if (!cursor.stateDefined) b.append(sep).append("<not computed>")
       } else {
         @inline def same(a: LazyListIterable[A]^, b: LazyListIterable[A]^): Boolean = (a eq b) || (a.state eq b.state)
+          // !!!CC with qualifiers, same should have cap.rd parameters
         // Cycle.
         // If we have a prefix of length P followed by a cycle of length C,
         // the scout will be at position (P%C) in the cycle when the cursor
@@ -890,7 +892,7 @@ final class LazyListIterable[+A] private(@untrackedCaptures lazyState: () => Laz
         // the start of the loop.
         var runner = this
         var k = 0
-        while (!same(runner, scout)) {
+        while (!unsafeAssumeSeparate(same(runner, scout))) {
           runner = runner.tail
           scout = scout.tail
           k += 1
@@ -900,11 +902,11 @@ final class LazyListIterable[+A] private(@untrackedCaptures lazyState: () => Laz
         // everything once.  If cursor is already at beginning, we'd better
         // advance one first unless runner didn't go anywhere (in which case
         // we've already looped once).
-        if (same(cursor, scout) && (k > 0)) {
+        if (unsafeAssumeSeparate(same(cursor, scout)) && (k > 0)) {
           appendCursorElement()
           cursor = cursor.tail
         }
-        while (!same(cursor, scout)) {
+        while (!unsafeAssumeSeparate(same(cursor, scout))) {
           appendCursorElement()
           cursor = cursor.tail
         }
@@ -1052,7 +1054,9 @@ object LazyListIterable extends IterableFactory[LazyListIterable] {
         val head = it.next()
         rest     = rest.tail
         restRef  = rest                       // restRef.elem = rest
-        sCons(head, newLL(stateFromIteratorConcatSuffix(it)(flatMapImpl(rest, f).state)))
+        sCons(head, newLL(
+          unsafeAssumeSeparate(
+            stateFromIteratorConcatSuffix(it)(flatMapImpl(rest, f).state))))
       } else State.Empty
     }
   }
@@ -1181,7 +1185,7 @@ object LazyListIterable extends IterableFactory[LazyListIterable] {
   def iterate[A](start: => A)(f: A => A): LazyListIterable[A]^{start, f} =
     newLL {
       val head = start
-      sCons(head, iterate(f(head))(f))
+      sCons(head, unsafeAssumeSeparate(iterate(f(head))(f)))
     }
 
   /**