Level-based capture checking for try/catch

Author: odersky

compiler/src/dotty/tools/dotc/cc/CaptureOps.scala

@@ -49,6 +49,11 @@ class CCState:
    *  the reference could not be added to the set due to a level conflict.
    */
   var levelError: Option[(CaptureRef, CaptureSet)] = None
+
+  /** Under saferExceptions: The <try block> symbol generated  for a try.
+   *  Installed by Setup, removed by CheckCaptures.
+   */
+  val tryBlockOwner: mutable.HashMap[Try, Symbol] = new mutable.HashMap
 end CCState
 
 /** Property key for capture checking state */

compiler/src/dotty/tools/dotc/cc/CheckCaptures.scala

@@ -163,14 +163,15 @@ object CheckCaptures:
    *  Note: We need to perform the check on the original annotation rather than its
    *  capture set since the conversion to a capture set already eliminates redundant elements.
    */
-  def warnIfRedundantCaptureSet(ann: Tree)(using Context): Unit =
+  def warnIfRedundantCaptureSet(ann: Tree, tpt: Tree)(using Context): Unit =
     var retained = retainedElems(ann).toArray
     for i <- 0 until retained.length do
       val ref = retained(i).toCaptureRef
       val others = for j <- 0 until retained.length if j != i yield retained(j).toCaptureRef
       val remaining = CaptureSet(others*)
       if remaining.accountsFor(ref) then
-        report.warning(em"redundant capture: $remaining already accounts for $ref", ann.srcPos)
+        val srcTree = if ann.span.exists then ann else tpt
+        report.warning(em"redundant capture: $remaining already accounts for $ref", srcTree.srcPos)
 
   /** Report an error if some part of `tp` contains the root capability in its capture set */
   def disallowRootCapabilitiesIn(tp: Type, what: String, have: String, addendum: String, pos: SrcPos)(using Context) =
@@ -689,7 +690,14 @@ class CheckCaptures extends Recheck, SymTransformer:
       super.recheckTyped(tree)
 
     override def recheckTry(tree: Try, pt: Type)(using Context): Type =
-      val tp = super.recheckTry(tree, pt)
+      val tryOwner = ccState.tryBlockOwner.remove(tree).getOrElse(ctx.owner)
+      val saved = curEnv
+      curEnv = Env(tryOwner, EnvKind.Regular, CaptureSet.Var(curEnv.owner), curEnv)
+      val tp = try
+        inContext(ctx.withOwner(tryOwner)):
+          super.recheckTry(tree, pt)
+        finally
+          curEnv = saved
       if allowUniversalInBoxed && Feature.enabled(Feature.saferExceptions) then
         disallowRootCapabilitiesIn(tp,
           "Result of `try`", "have type",
@@ -1192,7 +1200,7 @@ class CheckCaptures extends Recheck, SymTransformer:
               checkWellformedPost(tp, tree.srcPos)
               tp match
                 case AnnotatedType(_, annot) if annot.symbol == defn.RetainsAnnot =>
-                  warnIfRedundantCaptureSet(annot.tree)
+                  warnIfRedundantCaptureSet(annot.tree, tree)
                 case _ =>
             }
           case t: ValOrDefDef

compiler/src/dotty/tools/dotc/cc/Setup.scala

@@ -6,13 +6,14 @@ import core._
 import Phases.*, DenotTransformers.*, SymDenotations.*
 import Contexts.*, Names.*, Flags.*, Symbols.*, Decorators.*
 import Types.*, StdNames.*
+import Annotations.Annotation
+import config.Feature
 import config.Printers.capt
 import ast.tpd
 import transform.Recheck.*
 import CaptureSet.IdentityCaptRefMap
 import Synthetics.isExcluded
 import util.Property
-import dotty.tools.dotc.core.Annotations.Annotation
 
 /** A tree traverser that prepares a compilation unit to be capture checked.
  *  It does the following:
@@ -289,13 +290,27 @@ extends tpd.TreeTraverser:
       def inverse = thisMap
   end SubstParams
 
+  /** If the outer context directly enclosing the definition of `sym`
+   *  has a <try block> owner, that owner, otherwise null.
+   */
+  def newOwnerFor(sym: Symbol)(using Context): Symbol | Null =
+    var octx = ctx
+    while octx.owner == sym do octx = octx.outer
+    if octx.owner.name == nme.TRY_BLOCK then octx.owner else null
+
   /** Update info of `sym` for CheckCaptures phase only */
   private def updateInfo(sym: Symbol, info: Type)(using Context) =
-    sym.updateInfoBetween(preRecheckPhase, thisPhase, info)
+    sym.updateInfoBetween(preRecheckPhase, thisPhase, info, newOwnerFor(sym))
     sym.namedType match
       case ref: CaptureRef => ref.invalidateCaches()
       case _ =>
 
+  /** Update only the owner part fo info if necessary. A symbol should be updated
+   *  only once by either updateInfo or updateOwner.
+   */
+  private def updateOwner(sym: Symbol)(using Context) =
+    if newOwnerFor(sym) != null then updateInfo(sym, sym.info)
+
   def traverse(tree: Tree)(using Context): Unit =
     tree match
       case tree: DefDef =>
@@ -367,11 +382,24 @@ extends tpd.TreeTraverser:
       case tree: Template =>
         inContext(ctx.withOwner(tree.symbol.owner)):
           traverseChildren(tree)
+      case tree: Try if Feature.enabled(Feature.saferExceptions) =>
+        val tryOwner = newSymbol(ctx.owner, nme.TRY_BLOCK, SyntheticMethod, MethodType(Nil, defn.UnitType))
+        ccState.tryBlockOwner(tree) = tryOwner
+        inContext(ctx.withOwner(tryOwner)):
+          traverseChildren(tree)
       case _ =>
         traverseChildren(tree)
     postProcess(tree)
   end traverse
 
+  override def apply(x: Unit, trees: List[Tree])(using Context): Unit = trees match
+    case (imp: Import) :: rest =>
+      traverse(rest)(using ctx.importContext(imp, imp.symbol))
+    case tree :: rest =>
+      traverse(tree)
+      traverse(rest)
+    case Nil =>
+
   def postProcess(tree: Tree)(using Context): Unit = tree match
     case tree: TypeTree =>
       transformTT(tree, boxed = false, exact = false,
@@ -451,6 +479,9 @@ extends tpd.TreeTraverser:
                 // are checked on depand
                 denot.info = newInfo
                 recheckDef(tree, sym))
+        else updateOwner(sym)
+      else if !sym.is(Module) then updateOwner(sym) // Modules are updated with their module classes
+
     case tree: Bind =>
       val sym = tree.symbol
       updateInfo(sym, transformInferredType(sym.info, boxed = false, mapRoots = true))
@@ -482,11 +513,14 @@ extends tpd.TreeTraverser:
               val modul = cls.sourceModule
               updateInfo(modul, CapturingType(modul.info, newSelfType.captureSet))
               modul.termRef.invalidateCaches()
+          else
+            updateOwner(cls)
+            if cls.is(ModuleClass) then updateOwner(cls.sourceModule)
         case _ =>
           val info = atPhase(preRecheckPhase)(tree.symbol.info)
           val newInfo = transformExplicitType(info, boxed = false, mapRoots = !ctx.owner.isStaticOwner)
+          updateInfo(tree.symbol, newInfo)
           if newInfo ne info then
-            updateInfo(tree.symbol, newInfo)
             capt.println(i"update info of ${tree.symbol} from $info to $newInfo")
     case _ =>
   end postProcess

compiler/src/dotty/tools/dotc/core/StdNames.scala

@@ -299,6 +299,7 @@ object StdNames {
     val SELF: N                     = "$this"
     val SKOLEM: N                   = "<skolem>"
     val TRAIT_CONSTRUCTOR: N        = "$init$"
+    val TRY_BLOCK: N                = "<try block>"
     val THROWS: N                   = "$throws"
     val U2EVT: N                    = "u2evt$"
     val ALLARGS: N                  = "$allArgs"

compiler/src/dotty/tools/dotc/transform/Recheck.scala

@@ -49,10 +49,12 @@ object Recheck:
   extension (sym: Symbol)
 
     /** Update symbol's info to newInfo from prevPhase.next to lastPhase.
-     *  Reset to previous info for phases after lastPhase.
+     *  Also update owner to newOwnerOrNull if it is not null.
+     *  Reset to previous info and owner for phases after lastPhase.
      */
-    def updateInfoBetween(prevPhase: DenotTransformer, lastPhase: DenotTransformer, newInfo: Type)(using Context): Unit =
-      if sym.info ne newInfo then
+    def updateInfoBetween(prevPhase: DenotTransformer, lastPhase: DenotTransformer, newInfo: Type, newOwnerOrNull: Symbol | Null = null)(using Context): Unit =
+      val newOwner = if newOwnerOrNull == null then sym.owner else newOwnerOrNull
+      if (sym.info ne newInfo) || (sym.owner ne newOwner)  then
         val flags = sym.flags
         sym.copySymDenotation(
             initFlags =
@@ -61,6 +63,7 @@ object Recheck:
               else flags
           ).installAfter(lastPhase) // reset
         sym.copySymDenotation(
+            owner = newOwner,
             info = newInfo,
             initFlags =
               if newInfo.isInstanceOf[LazyType] then flags &~ Touched

tests/neg-custom-args/captures/capt-test.scala

@@ -14,14 +14,14 @@ def raise[E <: Exception](e: E): Nothing throws E = throw e
 def foo(x: Boolean): Int throws Fail =
   if x then 1 else raise(Fail())
 
-def handle[E <: Exception, sealed R <: Top](op: (CanThrow[E]) => R)(handler: E => R): R =
-  val x: CanThrow[E] = ???
+def handle[E <: Exception, R <: Top](op: (lcap: caps.Root) ?-> (CT[E] @retains(lcap)) => R)(handler: E => R): R =
+  val x: CT[E] = ???
   try op(x)
   catch case ex: E => handler(ex)
 
 def test: Unit =
-  val b = handle[Exception, () => Nothing] { // error
-    (x: CanThrow[Exception]) => () => raise(new Exception)(using x)
+  val b = handle[Exception, () => Nothing] {
+    (x: CanThrow[Exception]) => () => raise(new Exception)(using x)  // error
   } {
     (ex: Exception) => ???
   }

tests/neg-custom-args/captures/lazylists-exceptions.check

@@ -1,11 +1,13 @@
--- Error: tests/neg-custom-args/captures/lazylists-exceptions.scala:36:2 -----------------------------------------------
-36 |  try  // error
-   |  ^
-   |  Result of `try` cannot have type LazyList[Int]^ since
-   |  that type captures the root capability `cap`.
-   |  This is often caused by a locally generated exception capability leaking as part of its result.
-37 |    tabulate(10) { i =>
+-- [E007] Type Mismatch Error: tests/neg-custom-args/captures/lazylists-exceptions.scala:37:4 --------------------------
+37 |    tabulate(10) { i => // error
+   |    ^
+   |    Found:    LazyList[Int]^
+   |    Required: LazyList[Int]^?
+   |
+   |    Note that reference (cap : caps.Root), defined at level 2
+   |    cannot be included in outer capture set ?, defined at level 1 in method problem
 38 |      if i > 9 then throw Ex1()
 39 |      i * i
 40 |    }
-41 |  catch case ex: Ex1 => LazyNil
+   |
+   | longer explanation available when compiling with `-explain`

tests/neg-custom-args/captures/lazylists-exceptions.scala

@@ -33,8 +33,8 @@ def tabulate[A](n: Int)(gen: Int => A): LazyList[A]^{gen} =
 class Ex1 extends Exception
 
 def problem =
-  try  // error
-    tabulate(10) { i =>
+  try
+    tabulate(10) { i => // error
       if i > 9 then throw Ex1()
       i * i
     }

tests/neg-custom-args/captures/real-try.check

@@ -1,36 +1,36 @@
--- [E129] Potential Issue Warning: tests/neg-custom-args/captures/real-try.scala:30:4 ----------------------------------
-30 |  b.x
+-- [E129] Potential Issue Warning: tests/neg-custom-args/captures/real-try.scala:36:4 ----------------------------------
+36 |  b.x
    |  ^^^
    |  A pure expression does nothing in statement position; you may be omitting necessary parentheses
    |
    | longer explanation available when compiling with `-explain`
--- Error: tests/neg-custom-args/captures/real-try.scala:12:2 -----------------------------------------------------------
-12 |  try  // error
-   |  ^
-   |  Result of `try` cannot have type () => Unit since
-   |  that type captures the root capability `cap`.
-   |  This is often caused by a locally generated exception capability leaking as part of its result.
-13 |    () => foo(1)
-14 |  catch
-15 |    case _: Ex1 => ???
-16 |    case _: Ex2 => ???
--- Error: tests/neg-custom-args/captures/real-try.scala:18:2 -----------------------------------------------------------
-18 |  try  // error
-   |  ^
-   |  Result of `try` cannot have type () => Cell[Unit]^? since
-   |  that type captures the root capability `cap`.
-   |  This is often caused by a locally generated exception capability leaking as part of its result.
-19 |    () => Cell(foo(1))
-20 |  catch
-21 |    case _: Ex1 => ???
-22 |    case _: Ex2 => ???
--- Error: tests/neg-custom-args/captures/real-try.scala:24:10 ----------------------------------------------------------
-24 |  val b = try  // error
-   |          ^
-   |          Result of `try` cannot have type Cell[box () => Unit]^? since
-   |          the part box () => Unit of that type captures the root capability `cap`.
-   |          This is often caused by a locally generated exception capability leaking as part of its result.
-25 |    Cell(() => foo(1))//: Cell[box {ev} () => Unit] <: Cell[box {cap} () => Unit]
-26 |  catch
-27 |    case _: Ex1 => ???
-28 |    case _: Ex2 => ???
+-- [E007] Type Mismatch Error: tests/neg-custom-args/captures/real-try.scala:19:4 --------------------------------------
+19 |    () => foo(1)  // error
+   |    ^^^^^^^^^^^^
+   |    Found:    () => Unit
+   |    Required: () ->? Unit
+   |
+   |    Note that reference (cap : caps.Root), defined at level 2
+   |    cannot be included in outer capture set ?, defined at level 1 in method test
+   |
+   | longer explanation available when compiling with `-explain`
+-- [E007] Type Mismatch Error: tests/neg-custom-args/captures/real-try.scala:25:4 --------------------------------------
+25 |    () => Cell(foo(1))  // error
+   |    ^^^^^^^^^^^^^^^^^^
+   |    Found:    () => Cell[Unit]^?
+   |    Required: () ->? Cell[Unit]^?
+   |
+   |    Note that reference (cap : caps.Root), defined at level 2
+   |    cannot be included in outer capture set ?, defined at level 1 in method test
+   |
+   | longer explanation available when compiling with `-explain`
+-- [E007] Type Mismatch Error: tests/neg-custom-args/captures/real-try.scala:31:4 --------------------------------------
+31 |    Cell(() => foo(1))// // error
+   |    ^^^^^^^^^^^^^^^^^^
+   |    Found:    Cell[box () => Unit]^?
+   |    Required: Cell[() ->? Unit]^?
+   |
+   |    Note that reference (cap : caps.Root), defined at level 2
+   |    cannot be included in outer capture set ?, defined at level 1 in method test
+   |
+   | longer explanation available when compiling with `-explain`

tests/neg-custom-args/captures/real-try.scala

@@ -9,20 +9,26 @@ def foo(i: Int): (CanThrow[Ex1], CanThrow[Ex2]) ?-> Unit =
 class Cell[+T](val x: T)
 
 def test(): Unit =
-  try  // error
-    () => foo(1)
+  try
+    () => foo(1)  // no error, since result type is Unit
   catch
     case _: Ex1 => ???
     case _: Ex2 => ???
 
-  try  // error
-    () => Cell(foo(1))
+  val x = try
+    () => foo(1)  // error
   catch
     case _: Ex1 => ???
     case _: Ex2 => ???
 
-  val b = try  // error
-    Cell(() => foo(1))//: Cell[box {ev} () => Unit] <: Cell[box {cap} () => Unit]
+  val y = try
+    () => Cell(foo(1))  // error
+  catch
+    case _: Ex1 => ???
+    case _: Ex2 => ???
+
+  val b = try
+    Cell(() => foo(1))// // error
   catch
     case _: Ex1 => ???
     case _: Ex2 => ???

tests/neg-custom-args/captures/try.check

@@ -1,15 +1,17 @@
--- Error: tests/neg-custom-args/captures/try.scala:23:16 ---------------------------------------------------------------
+-- [E007] Type Mismatch Error: tests/neg-custom-args/captures/try.scala:23:49 ------------------------------------------
 23 |  val a = handle[Exception, CanThrow[Exception]] { // error
-   |          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-   |          Sealed type variable R cannot be instantiated to box CT[Exception]^ since
-   |          that type captures the root capability `cap`.
-   |          This is often caused by a local capability in an argument of method handle
-   |          leaking as part of its result.
+   |                                                 ^
+   |Found:    (lcap: caps.Root) ?->? (x$0: CT[Exception]^{lcap}) ->? box CT[Exception]^{lcap}
+   |Required: (lcap: caps.Root) ?-> CT[Exception]^{lcap} ->{'cap[..test](from instantiating handle)} box CT[Exception]^
+24 |    (x: CanThrow[Exception]) => x
+25 |  }{
+   |
+   | longer explanation available when compiling with `-explain`
 -- Error: tests/neg-custom-args/captures/try.scala:30:65 ---------------------------------------------------------------
 30 |    (x: CanThrow[Exception]) => () => raise(new Exception)(using x) // error
    |                                                                 ^
-   |           (x : CanThrow[Exception]) cannot be referenced here; it is not included in the allowed capture set {}
-   |           of an enclosing function literal with expected type () ->? Nothing
+   |          (x : CT[Exception]^{lcap}) cannot be referenced here; it is not included in the allowed capture set {}
+   |          of an enclosing function literal with expected type () ->? Nothing
 -- [E007] Type Mismatch Error: tests/neg-custom-args/captures/try.scala:52:2 -------------------------------------------
 47 |val global: () -> Int = handle {
 48 |  (x: CanThrow[Exception]) =>
@@ -18,19 +20,13 @@
 51 |      22
 52 |} { // error
    |                        ^
-   |                        Found:    () ->{x$0, x$0²} Int
+   |                        Found:    () ->{x$0, lcap} Int
    |                        Required: () -> Int
-   |
-   |                        where:    x$0  is a reference to a value parameter
-   |                                  x$0² is a reference to a value parameter
 53 |  (ex: Exception) => () => 22
 54 |}
    |
    | longer explanation available when compiling with `-explain`
 -- Error: tests/neg-custom-args/captures/try.scala:35:11 ---------------------------------------------------------------
 35 |  val xx = handle {  // error
    |           ^^^^^^
-   |           Sealed type variable R cannot be instantiated to box () => Int since
-   |           that type captures the root capability `cap`.
-   |           This is often caused by a local capability in an argument of method handle
-   |           leaking as part of its result.
+   |           escaping local reference lcap.type

tests/neg-custom-args/captures/try.scala

@@ -14,8 +14,8 @@ def raise[E <: Exception](e: E): Nothing throws E = throw e
 def foo(x: Boolean): Int throws Fail =
   if x then 1 else raise(Fail())
 
-def handle[E <: Exception, sealed R <: Top](op: CanThrow[E] => R)(handler: E => R): R =
-  val x: CanThrow[E] = ???
+def handle[E <: Exception, R <: Top](op: (lcap: caps.Root) ?-> CT[E]^{lcap} => R)(handler: E => R): R =
+  val x: CT[E] = ???
   try op(x)
   catch case ex: E => handler(ex)