Make cap not subsume anything by default.

Exceptions are bracketed in `withCapAsRoot` calls.

Author: odersky

compiler/src/dotty/tools/dotc/cc/CaptureOps.scala

@@ -100,6 +100,8 @@ class CCState:
 
   private var openExistentialScopes: List[MethodType] = Nil
 
+  private var capIsRoot: Boolean = false
+
 object CCState:
 
   opaque type Level = Int
@@ -144,6 +146,21 @@ object CCState:
     else
       op
 
+  /** Run `op` under the assumption that `cap` can subsume all other capabilties
+   *  except Result capabilities. Every use of this method should be scrutinized
+   *  for whether it introduces an unsoundness hole.
+   */
+  inline def withCapAsRoot[T](op: => T)(using Context): T =
+    if isCaptureCheckingOrSetup then
+      val ccs = ccState
+      val saved = ccs.capIsRoot
+      ccs.capIsRoot = true
+      try op finally ccs.capIsRoot = saved
+    else op
+
+  /** Is `caps.cap` a root capability that is allowed to subsume other capabilities? */
+  def capIsRoot(using Context): Boolean = ccState.capIsRoot
+
   /** The currently opened existential scopes */
   def openExistentialScopes(using Context): List[MethodType] = ccState.openExistentialScopes
 
@@ -441,14 +458,30 @@ extension (tp: Type)
     case AppliedType(tycon, _) => !defn.isFunctionSymbol(tycon.typeSymbol)
     case _ => false
 
-  /** Tests whether the type derives from `caps.Capability`, which means
-   *  references of this type are maximal capabilities.
-   */
-  def derivesFromCapTrait(cls: ClassSymbol)(using Context): Boolean = tp.dealias match
+  /** Tests whether all CapturingType parts of the type that are traversed for
+   *  dcs computation satisfy at least one of two conditions:
+   *   1. They decorate classes that extend the given capability class `cls`, or
+   *   2. Their capture set is constant and consists only of capabilities
+   *      the derive from `cls` in the sense of `derivesFromCapTrait`.
+   */
+  def derivesFromCapTraitDeeply(cls: ClassSymbol)(using Context): Boolean =
+    val accumulate = new DeepTypeAccumulator[Boolean]:
+      def capturingCase(acc: Boolean, parent: Type, refs: CaptureSet) =
+        this(acc, parent)
+        && (parent.derivesFromCapTrait(cls)
+            || refs.isConst && refs.elems.forall(_.derivesFromCapTrait(cls)))
+      def abstractTypeCase(acc: Boolean, t: TypeRef, upperBound: Type) =
+        this(acc, upperBound)
+    accumulate(true, tp)
+
+  /** Tests whether the type derives from capability class `cls`. */
+  def derivesFromCapTrait(cls: ClassSymbol)(using Context): Boolean = tp.dealiasKeepAnnots match
     case tp: (TypeRef | AppliedType) =>
       val sym = tp.typeSymbol
       if sym.isClass then sym.derivesFrom(cls)
       else tp.superType.derivesFromCapTrait(cls)
+    case ReachCapability(tp1) =>
+      tp1.widen.derivesFromCapTraitDeeply(cls)
     case tp: (TypeProxy & ValueType) =>
       tp.superType.derivesFromCapTrait(cls)
     case tp: AndType =>
@@ -545,7 +578,7 @@ extension (tp: Type)
       var change = false
       def apply(t: Type) =
         if variance <= 0 then t
-        else t.dealiasKeepAnnots match
+        else t.dealias match
           case t @ CapturingType(p, cs) if cs.containsRootCapability =>
             change = true
             val reachRef = if cs.isReadOnly then ref.reach.readOnly else ref.reach
@@ -804,33 +837,6 @@ object ReadOnlyCapability extends AnnotatedCapability(defn.ReadOnlyCapabilityAnn
 object ReachCapability extends AnnotatedCapability(defn.ReachCapabilityAnnot):
   protected def unwrappable(using Context) = Set(defn.MaybeCapabilityAnnot, defn.ReadOnlyCapabilityAnnot)
 
-/** Offers utility method to be used for type maps that follow aliases */
-trait ConservativeFollowAliasMap(using Context) extends TypeMap:
-
-  /** If `mapped` is a type alias, apply the map to the alias, while keeping
-   *  annotations. If the result is different, return it, otherwise return `mapped`.
-   *  Furthermore, if `original` is a LazyRef or TypeVar and the mapped result is
-   *  the same as the underlying type, keep `original`. This avoids spurious differences
-   *  which would lead to spurious dealiasing in the result
-   */
-  protected def applyToAlias(original: Type, mapped: Type) =
-    val mapped1 = mapped match
-      case t: (TypeRef | AppliedType) =>
-        val t1 = t.dealiasKeepAnnots
-        if t1 eq t then t
-        else
-          // If we see a type alias, map the alias type and keep it if it's different
-          val t2 = apply(t1)
-          if t2 ne t1 then t2 else t
-      case _ =>
-        mapped
-    original match
-      case original: (LazyRef | TypeVar) if mapped1 eq original.underlying =>
-        original
-      case _ =>
-        mapped1
-end ConservativeFollowAliasMap
-
 /** An extractor for all kinds of function types as well as method and poly types.
  *  It includes aliases of function types such as `=>`. TODO: Can we do without?
  *  @return  1st half: The argument types or empty if this is a type function
@@ -884,3 +890,36 @@ object ContainsParam:
       if tycon.typeSymbol == defn.Caps_ContainsTrait
           && cs.typeSymbol.isAbstractOrParamType => Some((cs, ref))
       case _ => None
+
+/** A class encapsulating the assumulator logic needed for `CaptureSet.ofTypeDeeply`
+ *  and `derivesFromCapTraitDeeply`.
+ *  NOTE: The traversal logic needs to be in sync with narrowCaps in CaptureOps, which
+ *  replaces caps with reach capabilties. There are two exceptions, however.
+ *   - First, invariant arguments. These have to be included to be conservative
+ *     in dcs but must be excluded in narrowCaps.
+ *   - Second, unconstrained type variables are handled specially in `ofTypeDeeply`.
+ */
+abstract class DeepTypeAccumulator[T](using Context) extends TypeAccumulator[T]:
+  val seen = util.HashSet[Symbol]()
+
+  protected def capturingCase(acc: T, parent: Type, refs: CaptureSet): T
+
+  protected def abstractTypeCase(acc: T, t: TypeRef, upperBound: Type): T
+
+  def apply(acc: T, t: Type) =
+    if variance < 0 then acc
+    else t.dealias match
+      case t @ CapturingType(p, cs1) =>
+        capturingCase(acc, p, cs1)
+      case t: TypeRef if t.symbol.isAbstractOrParamType && !seen.contains(t.symbol) =>
+        seen += t.symbol
+        abstractTypeCase(acc, t, t.info.bounds.hi)
+      case AnnotatedType(parent, _) =>
+        this(acc, parent)
+      case t @ FunctionOrMethod(args, res) =>
+        if args.forall(_.isAlwaysPure) then this(acc, root.resultToFresh(res))
+        else acc
+      case _ =>
+        foldOver(acc, t)
+end DeepTypeAccumulator
+

compiler/src/dotty/tools/dotc/cc/CaptureRef.scala

@@ -260,10 +260,20 @@ trait CaptureRef extends TypeProxy, ValueType:
             ccState.existentialSubsumesFailure.orElse(Some(this, y))
           false
       case _ =>
-        this.isCap && !yIsExistential && canAddHidden && vs != VarState.HardSeparate
-        || y.match
-            case ReadOnlyCapability(y1) => this.stripReadOnly.maxSubsumes(y1, canAddHidden)
-            case _ => false
+        y match
+          case ReadOnlyCapability(y1) => this.stripReadOnly.maxSubsumes(y1, canAddHidden)
+          case _ if this.isCap =>
+            y.isCap
+            || y.derivesFromSharedCapability
+            || !yIsExistential
+                && canAddHidden
+                && vs != VarState.HardSeparate
+                && (CCState.capIsRoot
+                    // || { println(i"no longer $this maxSubsumes $y, ${y.isCap}"); false } // debug
+                   )
+            || false
+          case _ =>
+            false
 
   /** `x covers y` if we should retain `y` when computing the overlap of
    *  two footprints which have `x` respectively `y` as elements.

compiler/src/dotty/tools/dotc/cc/CaptureSet.scala

@@ -206,7 +206,8 @@ sealed abstract class CaptureSet extends Showable:
    */
   def mightAccountFor(x: CaptureRef)(using Context): Boolean =
     reporting.trace(i"$this mightAccountFor $x, ${x.captureSetOfInfo}?", show = true):
-      elems.exists(_.subsumes(x)(using ctx, VarState.ClosedUnrecorded))
+      CCState.withCapAsRoot: // OK here since we opportunistically choose an alternative which gets checked later
+        elems.exists(_.subsumes(x)(using ctx, VarState.ClosedUnrecorded))
       || !x.isRootCapability
         && {
           val elems = x.captureSetOfInfo.elems
@@ -639,14 +640,15 @@ object CaptureSet:
      */
     def solve()(using Context): Unit =
       if !isConst then
-        val approx = upperApprox(empty)
-          .map(root.CapToFresh(NoSymbol).inverse)    // Fresh --> cap
-          .showing(i"solve $this = $result", capt)
-        //println(i"solving var $this $approx ${approx.isConst} deps = ${deps.toList}")
-        val newElems = approx.elems -- elems
-        given VarState()
-        if tryInclude(newElems, empty).isOK then
-          markSolved()
+        CCState.withCapAsRoot: // // OK here since we infer parameter types that get checked later
+          val approx = upperApprox(empty)
+            .map(root.CapToFresh(NoSymbol).inverse)    // Fresh --> cap
+            .showing(i"solve $this = $result", capt)
+          //println(i"solving var $this $approx ${approx.isConst} deps = ${deps.toList}")
+          val newElems = approx.elems -- elems
+          given VarState()
+          if tryInclude(newElems, empty).isOK then
+            markSolved()
 
     /** Mark set as solved and propagate this info to all dependent sets */
     def markSolved()(using Context): Unit =
@@ -1356,31 +1358,14 @@ object CaptureSet:
 
   /** The deep capture set of a type is the union of all covariant occurrences of
    *  capture sets. Nested existential sets are approximated with `cap`.
-   *  NOTE: The traversal logic needs to be in sync with narrowCaps in CaptureOps, which
-   *  replaces caps with reach capabilties. The one exception to this is invariant
-   *  arguments. These have to be included to be conservative in dcs but must be
-   *  excluded in narrowCaps.
    */
   def ofTypeDeeply(tp: Type, includeTypevars: Boolean = false)(using Context): CaptureSet =
-    val collect = new TypeAccumulator[CaptureSet]:
-      val seen = util.HashSet[Symbol]()
-      def apply(cs: CaptureSet, t: Type) =
-        if variance < 0 then cs
-        else t.dealias match
-          case t @ CapturingType(p, cs1) =>
-            this(cs, p) ++ cs1
-          case t @ AnnotatedType(parent, ann) =>
-            this(cs, parent)
-          case t: TypeRef if t.symbol.isAbstractOrParamType && !seen.contains(t.symbol) =>
-            seen += t.symbol
-            val upper = t.info.bounds.hi
-            if includeTypevars && upper.isExactlyAny then CaptureSet.fresh(t.symbol)
-            else this(cs, upper)
-          case t @ FunctionOrMethod(args, res) =>
-            if args.forall(_.isAlwaysPure) then this(cs, root.resultToFresh(res))
-            else cs
-          case _ =>
-            foldOver(cs, t)
+    val collect = new DeepTypeAccumulator[CaptureSet]:
+      def capturingCase(acc: CaptureSet, parent: Type, refs: CaptureSet) =
+        this(acc, parent) ++ refs
+      def abstractTypeCase(acc: CaptureSet, t: TypeRef, upperBound: Type) =
+        if includeTypevars && upperBound.isExactlyAny then CaptureSet.fresh(t.symbol)
+        else this(acc, upperBound)
     collect(CaptureSet.empty, tp)
 
   type AssumedContains = immutable.Map[TypeRef, SimpleIdentitySet[CaptureRef]]

compiler/src/dotty/tools/dotc/cc/CheckCaptures.scala

@@ -698,7 +698,7 @@ class CheckCaptures extends Recheck, SymTransformer:
       val meth = tree.fun.symbol
       if meth == defn.Caps_unsafeAssumePure then
         val arg :: Nil = tree.args: @unchecked
-        val argType0 = recheck(arg, pt.stripCapturing.capturing(CaptureSet.universal))
+        val argType0 = recheck(arg, pt.stripCapturing.capturing(root.Fresh()))
         val argType =
           if argType0.captureSet.isAlwaysEmpty then argType0
           else argType0.widen.stripCapturing
@@ -1105,7 +1105,8 @@ class CheckCaptures extends Recheck, SymTransformer:
         for param <- cls.paramGetters do
           if !param.hasAnnotation(defn.ConstructorOnlyAnnot)
             && !param.hasAnnotation(defn.UntrackedCapturesAnnot) then
-            checkSubset(param.termRef.captureSet, thisSet, param.srcPos) // (3)
+            CCState.withCapAsRoot: // OK? We need this here since self types use `cap` instead of `fresh`
+              checkSubset(param.termRef.captureSet, thisSet, param.srcPos) // (3)
         for pureBase <- cls.pureBaseClass do // (4)
           def selfTypeTree = impl.body
             .collect:
@@ -1452,7 +1453,9 @@ class CheckCaptures extends Recheck, SymTransformer:
           val cs = actual.captureSet
           if covariant then cs ++ leaked
           else
-            if !leaked.subCaptures(cs).isOK then
+            if CCState.withCapAsRoot: // Not sure this is OK, actually
+              !leaked.subCaptures(cs).isOK
+            then
               report.error(
                 em"""$expected cannot be box-converted to ${actual.capturing(leaked)}
                     |since the additional capture set $leaked resulted from box conversion is not allowed in $actual""", tree.srcPos)
@@ -1854,7 +1857,8 @@ class CheckCaptures extends Recheck, SymTransformer:
                 val normArgs = args.lazyZip(tl.paramInfos).map: (arg, bounds) =>
                   arg.withType(arg.nuType.forceBoxStatus(
                     bounds.hi.isBoxedCapturing | bounds.lo.isBoxedCapturing))
-                checkBounds(normArgs, tl)
+                CCState.withCapAsRoot: // OK? We need this since bounds use `cap` instead of `fresh`
+                  checkBounds(normArgs, tl)
                 args.lazyZip(tl.paramNames).foreach(healTypeParam(_, _, fun.symbol))
               case _ =>
           case _ =>

compiler/src/dotty/tools/dotc/typer/RefChecks.scala

@@ -21,7 +21,7 @@ import config.MigrationVersion
 import config.Printers.refcheck
 import reporting.*
 import Constants.Constant
-import cc.{stripCapturing, isUpdateMethod}
+import cc.{stripCapturing, isUpdateMethod, CCState}
 
 object RefChecks {
   import tpd.*
@@ -107,7 +107,9 @@ object RefChecks {
       def checkSelfConforms(other: ClassSymbol) =
         var otherSelf = other.declaredSelfTypeAsSeenFrom(cls.thisType)
         if otherSelf.exists then
-          if !(cinfo.selfType <:< otherSelf) then
+          if !CCState.withCapAsRoot: // OK? We need this here since self types use `cap` instead of `fresh`
+            cinfo.selfType <:< otherSelf
+        then
             report.error(DoesNotConformToSelfType("illegal inheritance", cinfo.selfType, cls, otherSelf, "parent", other),
               cls.srcPos)
 

tests/neg-custom-args/captures/box-adapt-cs.scala

@@ -5,7 +5,10 @@ def test1(io: Cap^): Unit = {
 
   val x: Id[Cap^{io}] = ???
   val f: (Cap^) -> Unit = ???
-  x(f)  // ok
+  x(f)  // error
+
+  val g: (Cap^{io}) -> Unit = ???
+  x(g)  // ok
 }
 
 def test2(io: Cap^): Unit = {

tests/pos-custom-args/captures/cc-poly-source.scala renamed to tests/neg-custom-args/captures/cc-poly-source.scala

@@ -27,7 +27,10 @@ import caps.use
 
   def test2(@use lbls: List[Label^]) =
     def makeListener(lbl: Label^): Listener^{lbl} = ???
-    val listeners = lbls.map(makeListener)
+    val listeners = lbls.map(makeListener) // error
+      // we get an error here because we no longer allow contravariant cap
+      // to subsume other capabilities. The problem can be solved by declaring
+      // Label a SharedCapability, see cc-poly-source-capability.scala
     val src = Source[CapSet^{lbls*}]
     for l <- listeners do
       src.register(l)

tests/neg-custom-args/captures/i19330-alt2.scala

@@ -11,5 +11,5 @@ trait Foo:
   def foo: this.T =
     val leaked = usingLogger[T]: l =>  // error
       val t: () => Logger^ = () => l // error separation
-      t: T
+      t: T // error
     leaked

tests/neg-custom-args/captures/i19330.check

@@ -3,6 +3,13 @@
    |                           ^^^
    |                           Type variable T of method usingLogger cannot be instantiated to x.T since
    |                           the part () => Logger^ of that type captures the root capability `cap`.
+-- [E007] Type Mismatch Error: tests/neg-custom-args/captures/i19330.scala:17:4 ----------------------------------------
+17 |    t: x.T // error
+   |    ^
+   |    Found:    () ->{t} Logger^{t*}
+   |    Required: x.T
+   |
+   | longer explanation available when compiling with `-explain`
 -- [E007] Type Mismatch Error: tests/neg-custom-args/captures/i19330.scala:22:22 ---------------------------------------
 22 |  val bad: bar.T = foo(bar) // error
    |                   ^^^^^^^^

tests/neg-custom-args/captures/i19330.scala

@@ -14,7 +14,7 @@ class Bar extends Foo:
 def foo(x: Foo): x.T =
   val leaked = usingLogger[x.T]: l =>  // error
     val t: () => Logger^ = () => l // error
-    t: x.T
+    t: x.T // error
   leaked
 
 def test(): Unit =