Check accesses to non-local this in hidden sets

Allow them only in @consume methods

Author: odersky

compiler/src/dotty/tools/dotc/cc/CaptureOps.scala

@@ -281,7 +281,8 @@ extension (tp: Type)
 
   /** The first element of this path type */
   final def pathRoot(using Context): Type = tp.dealias match
-    case tp1: NamedType if tp1.symbol.maybeOwner.isClass => tp1.prefix.pathRoot
+    case tp1: TermRef if tp1.symbol.maybeOwner.isClass => tp1.prefix.pathRoot
+    case tp1: TypeRef if !tp1.symbol.is(Param) => tp1.prefix.pathRoot
     case tp1 => tp1
 
   /** If this part starts with `C.this`, the class `C`.

compiler/src/dotty/tools/dotc/cc/SepCheck.scala

@@ -455,15 +455,30 @@ class SepChecker(checker: CheckCaptures.CheckerAPI) extends tpd.TreeTraverser:
       val badParams = mutable.ListBuffer[Symbol]()
       def currentOwner = kind.dclSym.orElse(ctx.owner)
       for hiddenRef <- prune(refsToCheck) do
-        val refSym = hiddenRef.pathRoot.termSymbol // TODO also hangle ThisTypes as pathRoots
-        if refSym.exists && !refSym.info.derivesFrom(defn.Caps_SharedCapability) then
-          if currentOwner.enclosingMethodOrClass.isProperlyContainedIn(refSym.owner.enclosingMethodOrClass) then
-            report.error(em"""Separation failure: $descr non-local $refSym""", pos)
-          else if refSym.is(TermParam)
-            && !refSym.hasAnnotation(defn.ConsumeAnnot)
-            && currentOwner.isContainedIn(refSym.owner)
-          then
-            badParams += refSym
+        val proot = hiddenRef.pathRoot
+        if !proot.widen.derivesFrom(defn.Caps_SharedCapability) then
+          proot match
+            case ref: TermRef =>
+              val refSym = ref.symbol
+              if currentOwner.enclosingMethodOrClass.isProperlyContainedIn(refSym.maybeOwner.enclosingMethodOrClass) then
+                report.error(em"""Separation failure: $descr non-local $refSym""", pos)
+              else if refSym.is(TermParam)
+                && !refSym.hasAnnotation(defn.ConsumeAnnot)
+                && currentOwner.isContainedIn(refSym.owner)
+              then
+                badParams += refSym
+            case ref: ThisType =>
+              val encl = currentOwner.enclosingMethodOrClass
+              if encl.isProperlyContainedIn(ref.cls)
+                  && !encl.is(Synthetic)
+                  && !encl.hasAnnotation(defn.ConsumeAnnot)
+              then
+                report.error(
+                  em"""Separation failure: $descr non-local this of class ${ref.cls}.
+                      |The access must be in a @consume method to allow this.""",
+                  pos)
+            case _ =>
+
       if badParams.nonEmpty then
         def paramsStr(params: List[Symbol]): String = (params: @unchecked) match
           case p :: Nil => i"${p.name}"

compiler/src/dotty/tools/dotc/cc/Setup.scala

@@ -698,15 +698,24 @@ class Setup extends PreRecheck, SymTransformer, SetupAPI:
      */
     def checkProperUseOrConsume(tree: Tree)(using Context): Unit = tree match
       case tree: MemberDef =>
-        for ann <- tree.symbol.annotations do
-          def isAllowedFor(sym: Symbol) =
-            (sym.is(Param) || sym.is(ParamAccessor))
-            && (ann.symbol != defn.ConsumeAnnot || sym.isTerm)
+        val sym = tree.symbol
+        def isMethodParam = (sym.is(Param) || sym.is(ParamAccessor))
             && !sym.owner.isAnonymousFunction
-          def termStr =
-            if ann.symbol == defn.ConsumeAnnot then " term" else ""
-          if defn.ccParamOnlyAnnotations.contains(ann.symbol) && !isAllowedFor(tree.symbol) then
-            report.error(i"Only$termStr parameters of methods can have @${ann.symbol.name} annotations", tree.srcPos)
+        for ann <- tree.symbol.annotations do
+          val annotCls = ann.symbol
+          if annotCls == defn.ConsumeAnnot then
+            if !(isMethodParam && sym.isTerm)
+              && !(sym.is(Method) && sym.owner.isClass)
+            then
+              report.error(
+                em"""@consume cannot be used here. Only memeber methods and their term parameters
+                    |can have @consume annotations.""",
+                tree.srcPos)
+          else if annotCls == defn.UseAnnot then
+            if !isMethodParam then
+              report.error(
+                em"@use cannot be used here. Only method parameters can have @use annotations.",
+                tree.srcPos)
       case _ =>
     end checkProperUseOrConsume
   end setupTraverser

tests/neg-custom-args/captures/bad-uses-2.scala

@@ -6,7 +6,7 @@ class TestUse:
   def foo[@use T](@use c: T): Unit = ??? // OK
 
 class TestConsume:
-  @consume def F = ???  // error
+  @consume def F = ???  // ok
   @consume val x = ???  // error
   @consume type T       // error
   def foo[@consume T](@use c: T): Unit = ??? // error

tests/neg-custom-args/captures/linear-buffer.check

@@ -1,29 +1,44 @@
--- Error: tests/neg-custom-args/captures/linear-buffer.scala:13:17 -----------------------------------------------------
-13 |  val buf3 = app(buf, 3) // error
+-- Error: tests/neg-custom-args/captures/linear-buffer.scala:5:24 ------------------------------------------------------
+5 |  mut def append(x: T): BadBuffer[T]^ = this // error
+  |                        ^^^^^^^^^^^^^
+  |      Separation failure: method append's result type BadBuffer[T]^ hides non-local this of class class BadBuffer.
+  |      The access must be in a @consume method to allow this.
+-- Error: tests/neg-custom-args/captures/linear-buffer.scala:7:13 ------------------------------------------------------
+7 |    def bar: BadBuffer[T]^ = this // error
+  |             ^^^^^^^^^^^^^
+  |         Separation failure: method bar's result type BadBuffer[T]^ hides non-local this of class class BadBuffer.
+  |         The access must be in a @consume method to allow this.
+-- Error: tests/neg-custom-args/captures/linear-buffer.scala:6:9 -------------------------------------------------------
+6 |  def foo = // error
+  |         ^
+  |Separation failure: method foo's inferred result type BadBuffer[box T^?]^ hides non-local this of class class BadBuffer.
+  |The access must be in a @consume method to allow this.
+-- Error: tests/neg-custom-args/captures/linear-buffer.scala:19:17 -----------------------------------------------------
+19 |  val buf3 = app(buf, 3) // error
    |                 ^^^
    |                 Separation failure: Illegal access to (buf : Buffer[Int]^),
-   |                 which was passed to a @consume parameter on line 11
+   |                 which was passed to a @consume parameter on line 17
    |                 and therefore is no longer available.
--- Error: tests/neg-custom-args/captures/linear-buffer.scala:20:17 -----------------------------------------------------
-20 |  val buf3 = app(buf1, 4) // error
+-- Error: tests/neg-custom-args/captures/linear-buffer.scala:26:17 -----------------------------------------------------
+26 |  val buf3 = app(buf1, 4) // error
    |                 ^^^^
    |                 Separation failure: Illegal access to (buf1 : Buffer[Int]^),
-   |                 which was passed to a @consume parameter on line 18
+   |                 which was passed to a @consume parameter on line 24
    |                 and therefore is no longer available.
--- Error: tests/neg-custom-args/captures/linear-buffer.scala:28:17 -----------------------------------------------------
-28 |  val buf3 = app(buf1, 4) // error
+-- Error: tests/neg-custom-args/captures/linear-buffer.scala:34:17 -----------------------------------------------------
+34 |  val buf3 = app(buf1, 4) // error
    |                 ^^^^
    |                 Separation failure: Illegal access to (buf1 : Buffer[Int]^),
-   |                 which was passed to a @consume parameter on line 25
+   |                 which was passed to a @consume parameter on line 31
    |                 and therefore is no longer available.
--- Error: tests/neg-custom-args/captures/linear-buffer.scala:38:17 -----------------------------------------------------
-38 |  val buf3 = app(buf1, 4) // error
+-- Error: tests/neg-custom-args/captures/linear-buffer.scala:44:17 -----------------------------------------------------
+44 |  val buf3 = app(buf1, 4) // error
    |                 ^^^^
    |                 Separation failure: Illegal access to (buf1 : Buffer[Int]^),
-   |                 which was passed to a @consume parameter on line 33
+   |                 which was passed to a @consume parameter on line 39
    |                 and therefore is no longer available.
--- Error: tests/neg-custom-args/captures/linear-buffer.scala:42:8 ------------------------------------------------------
-42 |    app(buf, 1)  // error
+-- Error: tests/neg-custom-args/captures/linear-buffer.scala:48:8 ------------------------------------------------------
+48 |    app(buf, 1)  // error
    |        ^^^
    |        Separation failure: (buf : Buffer[Int]^) appears in a loop,
    |        therefore it cannot be passed to a @consume parameter.

tests/neg-custom-args/captures/linear-buffer.scala

@@ -1,8 +1,14 @@
 import caps.{cap, consume, Mutable}
 import language.experimental.captureChecking
 
+class BadBuffer[T] extends Mutable:
+  mut def append(x: T): BadBuffer[T]^ = this // error
+  def foo = // error
+    def bar: BadBuffer[T]^ = this // error
+    bar
+
 class Buffer[T] extends Mutable:
-  mut def append(x: T): Buffer[T]^ = ???
+  @consume mut def append(x: T): Buffer[T]^ = this // ok
 
 def app[T](@consume buf: Buffer[T]^, elem: T): Buffer[T]^ =
   buf.append(elem)