Use a different criterion to plug unsoundness for reach capabilities

odersky · odersky · commit 09e4e0f44924 · 2024-03-31T11:13:06.000+02:00
Enforce an analogous restriction to the one for creating reach capabilities
for all values. The type of a value cannot both have a reach capability with variance
&gt;= 0 and at the same time a universal capability with variance &lt;= 0.
diff --git a/compiler/src/dotty/tools/dotc/cc/CheckCaptures.scala b/compiler/src/dotty/tools/dotc/cc/CheckCaptures.scala
@@ -249,6 +249,67 @@ class CheckCaptures extends Recheck, SymTransformer:
           else i"references $cs1$cs1description are not all",
           pos, provenance)
 
+    def showRef(ref: CaptureRef)(using Context): String =
+        ctx.printer.toTextCaptureRef(ref).show
+
+    // Uses 4-space indent as a trial
+    def checkReachCapsIsolated(tpe: Type, pos: SrcPos)(using Context): Unit =
+
+        object checker extends TypeTraverser:
+            var seenRefs: Map[Boolean, Int] = Map.empty
+            var seenReach: CaptureRef | Null = null
+            def traverse(tp: Type) =
+                tp match
+                case CapturingType(parent, refs) =>
+                    traverse(parent)
+                    for ref <- refs.elems do
+                        if ref.isReach && !ref.stripReach.isInstanceOf[TermParamRef]
+                            || ref.isRootCapability
+                        then
+                            val isReach = ref.isReach
+                            def register() =
+                                seenRefs = seenRefs.updated(isReach, variance)
+                                seenReach = ref
+                            seenRefs.get(isReach) match
+                                case None => register()
+                                case Some(v) => if v != 0 && variance == 0 then register()
+                case _ =>
+                    traverseChildren(tp)
+
+        checker.traverse(tpe)
+        //println(i"check $tpe = ${checker.seenRefs}")
+        if checker.seenRefs.size == 2
+            && checker.seenRefs(true) >= 0
+            && checker.seenRefs(false) <= 0
+        then
+            report.error(
+                em"""Reach capability ${showRef(checker.seenReach.nn)} and universal capability cap cannot both
+                    |appear in the type $tpe of this expression""",
+                pos)
+
+    end checkReachCapsIsolated
+
+    // Uses 4-space indent as a trial
+    def checkReachCapsOnlyCovariant(tpe: Type, pos: SrcPos)(using Context): Unit =
+        val checker = new TypeTraverser:
+            def traverse(tp: Type) =
+                tp match
+                case CapturingType(parent, refs) =>
+                    traverse(parent)
+                    if variance <= 0 then
+                        for ref <- refs.elems do
+                            if ref.isReach then
+                                val prefix = if variance == 0 then "in" else "contra"
+                                report.error(
+                                    em"""Reach capability ${showRef(ref)} is not allowed to appear in ${prefix}variant position
+                                        |in argument type $tpe""",
+                                    pos
+                                )
+                case _ =>
+                    traverseChildren(tp)
+        checker.traverse(tpe)
+    end checkReachCapsOnlyCovariant
+
     /** The current environment */
     private val rootEnv: Env = inContext(ictx):
       Env(defn.RootClass, EnvKind.Regular, CaptureSet.empty, null)
@@ -456,27 +517,8 @@ class CheckCaptures extends Recheck, SymTransformer:
     // Uses 4-space indent as a trial
     override def recheckArg(arg: Tree, pt: Type)(using Context) =
         val argType = recheck(arg, pt)
-
-        def checkOnlyCovariantReachCaps = new TypeTraverser:
-            def traverse(tp: Type) =
-                tp match
-                case CapturingType(parent, refs) =>
-                    traverse(parent)
-                    if variance <= 0 then
-                        for ref <- refs.elems do
-                            if ref.isReach then
-                                val prefix = if variance == 0 then "in" else "contra"
-                                report.error(
-                                    em"""Reach capability ${ctx.printer.toTextCaptureRef(ref).show} is not allowed to appear in ${prefix}variant position
-                                        |in argument type ${argType.widen}""",
-                                    arg.srcPos
-                                )
-                case _ =>
-                    traverseChildren(tp)
-
-        checkOnlyCovariantReachCaps.traverse(argType.widen)
+        //checkReachCapsOnlyCovariant(argType.widen, arg.srcPos)
         argType
-    end recheckArg
 
     private def isDistinct(xs: List[Type]): Boolean = xs match
       case x :: xs1 => xs1.isEmpty || !xs1.contains(x) && isDistinct(xs1)
@@ -804,8 +846,10 @@ class CheckCaptures extends Recheck, SymTransformer:
           report.error(ex.getMessage.nn)
           tree.tpe
         finally curEnv = saved
-      if tree.isTerm && !pt.isBoxedCapturing then
-        markFree(res.boxedCaptureSet, tree.srcPos)
+      if tree.isTerm then
+        checkReachCapsIsolated(res.widen, tree.srcPos)
+        if !pt.isBoxedCapturing then
+          markFree(res.boxedCaptureSet, tree.srcPos)
       res
 
     override def recheckFinish(tpe: Type, tree: Tree, pt: Type)(using Context): Type =
diff --git a/tests/neg-custom-args/captures/i15749a.scala b/tests/neg-custom-args/captures/i15749a.scala
@@ -19,4 +19,4 @@ def test =
   def forceWrapper[A](mx: Wrapper[Unit ->{cap} A]): Wrapper[A] =
     // Γ ⊢ mx: Wrapper[□ {cap} Unit => A]
     // `force` should be typed as ∀(□ {cap} Unit -> A) A, but it can not
-    strictMap[Unit ->{mx*} A, A](mx)(t => force[A](t)) // error // error
+    strictMap[Unit ->{mx*} A, A](mx)(t => force[A](t)) // error
diff --git a/tests/neg-custom-args/captures/reaches.check b/tests/neg-custom-args/captures/reaches.check
@@ -41,8 +41,3 @@
    |                         Required: File^{id*}
    |
    | longer explanation available when compiling with `-explain`
--- Error: tests/neg-custom-args/captures/reaches.scala:67:10 -----------------------------------------------------------
-67 |  ps.map((x, y) => compose(x, y)) // error
-   |          ^^^^^^^^^^^^^^^^^^^^^^
-   |Reach capability ps* is not allowed to appear in contravariant position
-   |in argument type (x$1: (box (x$0: A^?) ->{ps*} A^?, box (x$0: A^?) ->{ps*} A^?)^?) ->? box (x$0: A^?) ->{ps*} A^?
diff --git a/tests/neg-custom-args/captures/reaches.scala b/tests/neg-custom-args/captures/reaches.scala
@@ -60,10 +60,3 @@ def attack2 =
     val f1: File^{id*} = id(f) // error
     f1
 
-def compose[A, B, C](f: A => B, g: B => C): A ->{f, g} C =
-  z => g(f(z))
-
-def mapCompose[A](ps: List[(A => A, A => A)]): List[A ->{ps*} A] =
-  ps.map((x, y) => compose(x, y)) // error
-    // unfortunately this does not work. x and y have type A ->{ps*} A, and that
-    // type is not allowed to appear contra-variantly in the argument
diff --git a/tests/neg-custom-args/captures/refine-withFile.scala b/tests/neg-custom-args/captures/refine-withFile.scala
@@ -1,8 +1,9 @@
 import language.experimental.captureChecking
+import scala.concurrent.duration.DurationConversions.spanConvert
 
 trait File
 val useFile: [R] -> (path: String) -> (op: File^ -> R) -> R = ???
 def main(): Unit =
   val f: [R] -> (path: String) -> (op: File^ -> R) -> R = useFile
   val g: [R] -> (path: String) -> (op: File^{f*} -> R) -> R = f  // error
-  val leaked = g[File^{f*}]("test")(f => f)  // error
+  val leaked = g[File^{f*}]("test")(f => f)
diff --git a/tests/neg/unsound-reach-2.scala b/tests/neg/unsound-reach-2.scala
@@ -18,8 +18,8 @@ def bad(): Unit =
 
   var escaped: File^{backdoor*} = null
   withFile("hello.txt"): f =>
-    boom.use(f):
-      new Consumer[File^{backdoor*}]: // error
+    boom.use(f): // error
+      new Consumer[File^{backdoor*}]:
         def apply(f1: File^{backdoor*}) =
           escaped = f1
 
diff --git a/tests/neg/unsound-reach.check b/tests/neg/unsound-reach.check
@@ -1,6 +1,5 @@
--- Error: tests/neg/unsound-reach.scala:18:17 --------------------------------------------------------------------------
+-- Error: tests/neg/unsound-reach.scala:18:9 ---------------------------------------------------------------------------
 18 |    boom.use(f): (f1: File^{backdoor*}) => // error
-   |                 ^
-   |                 Reach capability backdoor* is not allowed to appear in contravariant position
-   |                 in argument type (f1: box File^{backdoor*}) ->? Unit
-19 |      escaped = f1
+   |    ^^^^^^^^
+   |    Reach capability backdoor* and universal capability cap cannot both
+   |    appear in the type (x: File^)(op: box File^{backdoor*} => Unit): Unit of this expression
diff --git a/tests/pos-custom-args/captures/reaches.scala b/tests/pos-custom-args/captures/reaches.scala
@@ -35,6 +35,9 @@ def compose1[A, B, C](f: A => B, g: B => C): A ->{f, g} C =
 def compose2[A, B, C](f: A => B, g: B => C): A => C =
   z => g(f(z))
 
+def mapCompose[A](ps: List[(A => A, A => A)]): List[A ->{ps*} A] =
+  ps.map((x, y) => compose1(x, y))
+
 @annotation.capability class IO
 
 def test(io: IO) =

Original file line number	Diff line number	Diff line change
`@@ -41,8 +41,3 @@`
`41`	`41`	`\| Required: File^{id*}`
`42`	`42`	`\|`
`43`	`43`	\| longer explanation available when compiling with `-explain`
`44`		`--- Error: tests/neg-custom-args/captures/reaches.scala:67:10 -----------------------------------------------------------`
`45`		`-67 \| ps.map((x, y) => compose(x, y)) // error`
`46`		`- \| ^^^^^^^^^^^^^^^^^^^^^^`
`47`		`- \|Reach capability ps* is not allowed to appear in contravariant position`
`48`		`- \|in argument type (x$1: (box (x$0: A^?) ->{ps} A^?, box (x$0: A^?) ->{ps} A^?)^?) ->? box (x$0: A^?) ->{ps*} A^?`