Implement sealed type variables

Abolish restriction that box/unbox cannot be done with `cap`.

Instead, do a deep check for `cap`

 - in type arguments for `sealed` type variables
 - in the types of mutable vars
 - in the type of `try` under the `saferExceptions` language import

The caps.unsafe.{unsafeBox, unsafeUnbox, unsafeBoxFunArg} methods are not longer
needed and are deprecated. Instead there is an annotation annotation.unchecked.uncheckedCaptures that
can be added to a mutable variable to turn off checking its type.

These changes in behavior are introduced in 3.3. Older source versions
still support the old behavior (which corresponds to the paper).

So to run examples in the paper as described there, they need a `-source 3.2` or a
language import.

    import language.`3.2`.

Author: odersky

compiler/src/dotty/tools/dotc/cc/CaptureOps.scala

@@ -6,6 +6,7 @@ import core.*
 import Types.*, Symbols.*, Contexts.*, Annotations.*, Flags.*
 import ast.{tpd, untpd}
 import Decorators.*, NameOps.*
+import config.SourceVersion
 import config.Printers.capt
 import util.Property.Key
 import tpd.*
@@ -19,6 +20,9 @@ private[cc] def retainedElems(tree: Tree)(using Context): List[Tree] = tree matc
   case Apply(_, Typed(SeqLiteral(elems, _), _) :: Nil) => elems
   case _ => Nil
 
+def allowUniversalInBoxed(using Context) =
+  Feature.sourceVersion.isAtLeast(SourceVersion.`3.3`)
+
 /** An exception thrown if a @retains argument is not syntactically a CaptureRef */
 class IllegalCaptureRef(tpe: Type) extends Exception
 

compiler/src/dotty/tools/dotc/cc/CheckCaptures.scala

@@ -128,6 +128,20 @@ object CheckCaptures:
       if remaining.accountsFor(firstRef) then
         report.warning(em"redundant capture: $remaining already accounts for $firstRef", ann.srcPos)
 
+  def disallowRootCapabilitiesIn(tp: Type, what: String, have: String, addendum: String, pos: SrcPos)(using Context) =
+    val check = new TypeTraverser:
+      def traverse(t: Type) =
+        if variance >= 0 then
+        t.captureSet.disallowRootCapability: () =>
+          def part = if t eq tp then "" else i"the part $t of "
+          report.error(
+            em"""$what cannot $have $tp since
+                |${part}that type captures the root capability `cap`.
+                |$addendum""",
+            pos)
+        traverseChildren(t)
+    check.traverse(tp)
+
 class CheckCaptures extends Recheck, SymTransformer:
   thisPhase =>
 
@@ -525,6 +539,15 @@ class CheckCaptures extends Recheck, SymTransformer:
         case _ =>
       super.recheckTyped(tree)
 
+    override def recheckTry(tree: Try, pt: Type)(using Context): Type =
+      val tp = super.recheckTry(tree, pt)
+      if allowUniversalInBoxed && Feature.enabled(Feature.saferExceptions) then
+        disallowRootCapabilitiesIn(tp,
+          "Result of `try`", "have type",
+          "This is often caused by a locally generated exception capability leaking as part of its result.",
+          tree.srcPos)
+      tp
+
     /* Currently not needed, since capture checking takes place after ElimByName.
      * Keep around in case we need to get back to it
     def recheckByNameArg(tree: Tree, pt: Type)(using Context): Type =
@@ -588,7 +611,7 @@ class CheckCaptures extends Recheck, SymTransformer:
           }
           checkNotUniversal(parent)
         case _ =>
-      checkNotUniversal(typeToCheck)
+      if !allowUniversalInBoxed then checkNotUniversal(typeToCheck)
       super.recheckFinish(tpe, tree, pt)
 
     /** Massage `actual` and `expected` types using the methods below before checking conformance */
@@ -771,21 +794,22 @@ class CheckCaptures extends Recheck, SymTransformer:
             val criticalSet =          // the set which is not allowed to have `cap`
               if covariant then cs1    // can't box with `cap`
               else expected.captureSet // can't unbox with `cap`
-            if criticalSet.isUniversal && expected.isValueType then
+            if criticalSet.isUniversal && expected.isValueType && !allowUniversalInBoxed then
               // We can't box/unbox the universal capability. Leave `actual` as it is
               // so we get an error in checkConforms. This tends to give better error
               // messages than disallowing the root capability in `criticalSet`.
               if ctx.settings.YccDebug.value then
                 println(i"cannot box/unbox $actual vs $expected")
               actual
             else
-              // Disallow future addition of `cap` to `criticalSet`.
-              criticalSet.disallowRootCapability { () =>
-                report.error(
-                  em"""$actual cannot be box-converted to $expected
-                      |since one of their capture sets contains the root capability `cap`""",
-                pos)
-              }
+              if !allowUniversalInBoxed then
+                // Disallow future addition of `cap` to `criticalSet`.
+                criticalSet.disallowRootCapability { () =>
+                  report.error(
+                    em"""$actual cannot be box-converted to $expected
+                        |since one of their capture sets contains the root capability `cap`""",
+                  pos)
+                }
               if !insertBox then  // unboxing
                 markFree(criticalSet, pos)
               adaptedType(!boxed)

compiler/src/dotty/tools/dotc/cc/Setup.scala

@@ -411,11 +411,28 @@ extends tpd.TreeTraverser:
           boxed = tree.symbol.is(Mutable),    // types of mutable variables are boxed
           exact = tree.symbol.allOverriddenSymbols.hasNext // types of symbols that override a parent don't get a capture set
         )
+        if allowUniversalInBoxed && tree.symbol.is(Mutable)
+            && !tree.symbol.hasAnnotation(defn.UncheckedCapturesAnnot)
+        then
+          CheckCaptures.disallowRootCapabilitiesIn(tpt.knownType,
+            i"Mutable variable ${tree.symbol.name}", "have type",
+            "This restriction serves to prevent local capabilities from escaping the scope where they are defined.",
+            tree.srcPos)
         traverse(tree.rhs)
       case tree @ TypeApply(fn, args) =>
         traverse(fn)
         for case arg: TypeTree <- args do
           transformTT(arg, boxed = true, exact = false) // type arguments in type applications are boxed
+
+        if allowUniversalInBoxed then
+          val polyType = fn.tpe.widen.asInstanceOf[TypeLambda]
+          for case (arg: TypeTree, pinfo, pname) <- args.lazyZip(polyType.paramInfos).lazyZip((polyType.paramNames)) do
+            if pinfo.bounds.hi.hasAnnotation(defn.Caps_SealedAnnot) then
+              def where = if fn.symbol.exists then i" in the body of ${fn.symbol}" else ""
+              CheckCaptures.disallowRootCapabilitiesIn(arg.knownType,
+                i"Sealed type variable $pname", " be instantiated to",
+                i"This is often caused by a local capability$where\nleaking as part of its result.",
+                tree.srcPos)
       case _ =>
         traverseChildren(tree)
     tree match
@@ -494,11 +511,10 @@ extends tpd.TreeTraverser:
 
   def apply(tree: Tree)(using Context): Unit =
     traverse(tree)(using ctx.withProperty(Setup.IsDuringSetupKey, Some(())))
-end Setup
 
 object Setup:
   val IsDuringSetupKey = new Property.Key[Unit]
 
   def isDuringSetup(using Context): Boolean =
     ctx.property(IsDuringSetupKey).isDefined
-
+end Setup

compiler/src/dotty/tools/dotc/config/SourceVersion.scala

@@ -18,6 +18,8 @@ enum SourceVersion:
 
   def isAtLeast(v: SourceVersion) = stable.ordinal >= v.ordinal
 
+  def isAtMost(v: SourceVersion) = stable.ordinal <= v.ordinal
+
 object SourceVersion extends Property.Key[SourceVersion]:
   def defaultSourceVersion = `3.3`
 

compiler/src/dotty/tools/dotc/core/Definitions.scala

@@ -973,6 +973,7 @@ class Definitions {
     @tu lazy val Caps_unsafeBox: Symbol = CapsUnsafeModule.requiredMethod("unsafeBox")
     @tu lazy val Caps_unsafeUnbox: Symbol = CapsUnsafeModule.requiredMethod("unsafeUnbox")
     @tu lazy val Caps_unsafeBoxFunArg: Symbol = CapsUnsafeModule.requiredMethod("unsafeBoxFunArg")
+    @tu lazy val Caps_SealedAnnot: ClassSymbol = requiredClass("scala.caps.Sealed")
 
   // Annotation base classes
   @tu lazy val AnnotationClass: ClassSymbol = requiredClass("scala.annotation.Annotation")
@@ -1021,6 +1022,7 @@ class Definitions {
   @tu lazy val UncheckedAnnot: ClassSymbol = requiredClass("scala.unchecked")
   @tu lazy val UncheckedStableAnnot: ClassSymbol = requiredClass("scala.annotation.unchecked.uncheckedStable")
   @tu lazy val UncheckedVarianceAnnot: ClassSymbol = requiredClass("scala.annotation.unchecked.uncheckedVariance")
+  @tu lazy val UncheckedCapturesAnnot: ClassSymbol = requiredClass("scala.annotation.unchecked.uncheckedCaptures")
   @tu lazy val VolatileAnnot: ClassSymbol = requiredClass("scala.volatile")
   @tu lazy val WithPureFunsAnnot: ClassSymbol = requiredClass("scala.annotation.internal.WithPureFuns")
   @tu lazy val BeanGetterMetaAnnot: ClassSymbol = requiredClass("scala.annotation.meta.beanGetter")

compiler/src/dotty/tools/dotc/core/Types.scala

@@ -3960,10 +3960,15 @@ object Types {
 
     protected def toPInfo(tp: Type)(using Context): PInfo
 
+    /** If `tparam` is a sealed type parameter symbol of a polymorphic method, add
+     *  a @caps.Sealed annotation to the upperbound in `tp`.
+     */
+    protected def addSealed(tparam: ParamInfo, tp: Type)(using Context): Type = tp
+
     def fromParams[PI <: ParamInfo.Of[N]](params: List[PI], resultType: Type)(using Context): Type =
       if (params.isEmpty) resultType
       else apply(params.map(_.paramName))(
-        tl => params.map(param => toPInfo(tl.integrate(params, param.paramInfo))),
+        tl => params.map(param => toPInfo(addSealed(param, tl.integrate(params, param.paramInfo)))),
         tl => tl.integrate(params, resultType))
   }
 
@@ -4285,6 +4290,16 @@ object Types {
         resultTypeExp: PolyType => Type)(using Context): PolyType =
       unique(new PolyType(paramNames)(paramInfosExp, resultTypeExp))
 
+    override protected def addSealed(tparam: ParamInfo, tp: Type)(using Context): Type =
+      tparam match
+        case tparam: Symbol if tparam.is(Sealed) =>
+          tp match
+            case tp @ TypeBounds(lo, hi) =>
+              tp.derivedTypeBounds(lo,
+                AnnotatedType(hi, Annotation(defn.Caps_SealedAnnot, tparam.span)))
+            case _ => tp
+        case _ => tp
+
     def unapply(tl: PolyType): Some[(List[LambdaParam], Type)] =
       Some((tl.typeParams, tl.resType))
   }

compiler/src/dotty/tools/dotc/parsing/Parsers.scala

@@ -3152,7 +3152,9 @@ object Parsers {
      *                         id [HkTypeParamClause] TypeParamBounds
      *
      *  DefTypeParamClause::=  ‘[’ DefTypeParam {‘,’ DefTypeParam} ‘]’
-     *  DefTypeParam      ::=  {Annotation} id [HkTypeParamClause] TypeParamBounds
+     *  DefTypeParam      ::=  {Annotation}
+     *                         [`sealed`]                                    -- under captureChecking
+     *                         id [HkTypeParamClause] TypeParamBounds
      *
      *  TypTypeParamClause::=  ‘[’ TypTypeParam {‘,’ TypTypeParam} ‘]’
      *  TypTypeParam      ::=  {Annotation} id [HkTypePamClause] TypeBounds
@@ -3162,24 +3164,25 @@ object Parsers {
      */
     def typeParamClause(ownerKind: ParamOwner): List[TypeDef] = inBrackets {
 
-      def variance(vflag: FlagSet): FlagSet =
-        if ownerKind == ParamOwner.Def || ownerKind == ParamOwner.TypeParam then
-          syntaxError(em"no `+/-` variance annotation allowed here")
-          in.nextToken()
-          EmptyFlags
-        else
-          in.nextToken()
-          vflag
+      def checkVarianceOK(): Boolean =
+        val ok = ownerKind != ParamOwner.Def && ownerKind != ParamOwner.TypeParam
+        if !ok then syntaxError(em"no `+/-` variance annotation allowed here")
+        in.nextToken()
+        ok
 
       def typeParam(): TypeDef = {
         val isAbstractOwner = ownerKind == ParamOwner.Type || ownerKind == ParamOwner.TypeParam
         val start = in.offset
-        val mods =
-          annotsAsMods()
-          | (if (ownerKind == ParamOwner.Class) Param | PrivateLocal else Param)
-          | (if isIdent(nme.raw.PLUS) then variance(Covariant)
-             else if isIdent(nme.raw.MINUS) then variance(Contravariant)
-             else EmptyFlags)
+        var mods = annotsAsMods() | Param
+        if ownerKind == ParamOwner.Class then mods |= PrivateLocal
+        if Feature.ccEnabled && in.token == SEALED then
+          if ownerKind == ParamOwner.Def then mods |= Sealed
+          else syntaxError(em"`sealed` modifier only allowed for method type parameters")
+          in.nextToken()
+        if isIdent(nme.raw.PLUS) && checkVarianceOK() then
+          mods |= Covariant
+        else if isIdent(nme.raw.MINUS) && checkVarianceOK() then
+          mods |= Contravariant
         atSpan(start, nameStart) {
           val name =
             if (isAbstractOwner && in.token == USCORE) {

compiler/src/dotty/tools/dotc/transform/Recheck.scala

@@ -4,7 +4,7 @@ package transform
 
 import core.*
 import Symbols.*, Contexts.*, Types.*, ContextOps.*, Decorators.*, SymDenotations.*
-import Flags.*, SymUtils.*, NameKinds.*, Denotations.Denotation
+import Flags.*, SymUtils.*, NameKinds.*, Denotations.{Denotation, SingleDenotation}
 import ast.*
 import Names.Name
 import Phases.Phase
@@ -22,7 +22,7 @@ import StdNames.nme
 import reporting.trace
 import annotation.constructorOnly
 import cc.CaptureSet.IdempotentCaptRefMap
-import dotty.tools.dotc.core.Denotations.SingleDenotation
+import annotation.tailrec
 
 object Recheck:
   import tpd.*
@@ -406,7 +406,14 @@ abstract class Recheck extends Phase, SymTransformer:
       NoType
 
     def recheckStats(stats: List[Tree])(using Context): Unit =
-      stats.foreach(recheck(_))
+      @tailrec def traverse(stats: List[Tree])(using Context): Unit = stats match
+        case (imp: Import) :: rest =>
+          traverse(rest)(using ctx.importContext(imp, imp.symbol))
+        case stat :: rest =>
+          recheck(stat)
+          traverse(rest)
+        case _ =>
+      traverse(stats)
 
     def recheckDef(tree: ValOrDefDef, sym: Symbol)(using Context): Unit =
       inContext(ctx.localContext(tree, sym)) {

compiler/src/dotty/tools/dotc/typer/Checking.scala

@@ -506,7 +506,12 @@ object Checking {
         // note: this is not covered by the next test since terms can be abstract (which is a dual-mode flag)
         // but they can never be one of ClassOnlyFlags
     if !sym.isClass && sym.isOneOf(ClassOnlyFlags) then
-      fail(em"only classes can be ${(sym.flags & ClassOnlyFlags).flagsString}")
+      val illegal = sym.flags & ClassOnlyFlags
+      if sym.is(TypeParam) && illegal == Sealed && Feature.ccEnabled && cc.allowUniversalInBoxed then
+        if !sym.owner.is(Method) then
+          fail(em"only method type parameters can be sealed")
+      else
+        fail(em"only classes can be ${illegal.flagsString}")
     if (sym.is(AbsOverride) && !sym.owner.is(Trait))
       fail(AbstractOverrideOnlyInTraits(sym))
     if sym.is(Trait) then

compiler/src/dotty/tools/dotc/typer/Typer.scala

@@ -608,7 +608,7 @@ class Typer(@constructorOnly nestingLevel: Int = 0) extends Namer
       ownType match
         case ownType: TermRef if ownType.symbol.is(ConstructorProxy) =>
           findRef(name, pt, EmptyFlags, ConstructorProxy, tree.srcPos) match
-            case shadowed: TermRef =>
+            case shadowed: TermRef if !shadowed.symbol.maybeOwner.isEmptyPackage =>
               pt match
                 case pt: FunOrPolyProto =>
                   def err(shadowedIsApply: Boolean) =

library/src/scala/annotation/unchecked/uncheckedCapabilityLeaks.scala

@@ -0,0 +1,12 @@
+package scala.annotation
+package unchecked
+
+/** An annotation for mutable variables that are allowed to capture
+ *  the root capability `cap`. Allowing this is not capture safe since
+ *  it can cause leakage of capabilities from local scopes by assigning
+ *  values retaining such capabilties to the annotated variable in
+ *  an outer scope.
+ */
+class uncheckedCaptures extends StaticAnnotation
+
+

library/src/scala/caps.scala

@@ -27,8 +27,15 @@ import annotation.experimental
      *  avoids the error that would be raised when unboxing `*`.
      */
     extension [T, U](f: T => U) def unsafeBoxFunArg: T => U = f
+
   end unsafe
 
+  /** An annotation that expresses the sealed modifier on a type parameter
+   *  Should not be directly referred to in source
+   */
+  @deprecated("The Sealed annotation should not be directly used in source code.\nUse the `sealed` modifier on type parameters instead.")
+  class Sealed extends annotation.Annotation
+
   /** Mixing in this trait forces a trait or class to be pure, i.e.
    *  have no capabilities retained in its self type.
    */

tests/neg-custom-args/captures/box-adapt-cases.scala

@@ -4,7 +4,7 @@ def test1(): Unit = {
   type Id[X] = [T] -> (op: X => T) -> T
 
   val x: Id[Cap^] = ???
-  x(cap => cap.use())  // error
+  x(cap => cap.use())  // was error, now OK
 }
 
 def test2(io: Cap^{cap}): Unit = {

tests/neg-custom-args/captures/capt-test.scala

@@ -14,14 +14,14 @@ def raise[E <: Exception](e: E): Nothing throws E = throw e
 def foo(x: Boolean): Int throws Fail =
   if x then 1 else raise(Fail())
 
-def handle[E <: Exception, R <: Top](op: (CanThrow[E]) => R)(handler: E => R): R =
+def handle[E <: Exception, sealed R <: Top](op: (CanThrow[E]) => R)(handler: E => R): R =
   val x: CanThrow[E] = ???
   try op(x)
   catch case ex: E => handler(ex)
 
 def test: Unit =
-  val b = handle[Exception, () => Nothing] {
+  val b = handle[Exception, () => Nothing] { // error
     (x: CanThrow[Exception]) => () => raise(new Exception)(using x)
-  } { // error
+  } {
     (ex: Exception) => ???
   }

tests/neg-custom-args/captures/capt1.check

@@ -40,14 +40,7 @@
 -- [E007] Type Mismatch Error: tests/neg-custom-args/captures/capt1.scala:32:24 ----------------------------------------
 32 |  val z2 = h[() -> Cap](() => x) // error
    |                        ^^^^^^^
-   |                        Found:    () ->{x} Cap
+   |                        Found:    () ->{x} box C^
    |                        Required: () -> box C^
    |
    | longer explanation available when compiling with `-explain`
--- [E007] Type Mismatch Error: tests/neg-custom-args/captures/capt1.scala:33:5 -----------------------------------------
-33 |    (() => C())  // error
-   |     ^^^^^^^^^
-   |     Found:    () ->? Cap
-   |     Required: () -> box C^
-   |
-   | longer explanation available when compiling with `-explain`

tests/neg-custom-args/captures/capt1.scala

@@ -30,7 +30,7 @@ def foo() =
   val x: C @retains(caps.cap) = ???
   def h[X](a: X)(b: X) = a
   val z2 = h[() -> Cap](() => x) // error
-    (() => C())  // error
+    (() => C())
   val z3 = h[(() -> Cap) @retains(x)](() => x)(() => C())  // ok
   val z4 = h[(() -> Cap) @retains(x)](() => x)(() => C())  // what was inferred for z3
 

tests/neg-custom-args/captures/ctest.scala

@@ -2,5 +2,5 @@ class CC
 type Cap = CC^
 
 def test(cap1: Cap, cap2: Cap) =
-  var b: List[String => String] = Nil // was error, now OK
-  val bc = b.head // error
+  var b: List[String => String] = Nil // error
+  val bc = b.head // was error, now OK