Implement sealed type parameters (#17422)

Abolish restriction that box/unbox cannot be done with `cap`.

Instead, do a deep check for `cap`

 - in type arguments for `sealed` type variables
 - in the types of mutable vars
 - in the type of `try` under the `saferExceptions` language import

The `caps.unsafe.{unsafeBox, unsafeUnbox, unsafeBoxFunArg}` methods are
not longer
needed and are deprecated. Instead there is an annotation
`annotation.unchecked.uncheckedCaptures` that
can be added to a mutable variable to turn off checking its type.

These changes in behavior are introduced in 3.3. Older source versions
still support the old behavior (which corresponds to the paper).

So to run examples in the paper as described there, they need a `-source
3.2` or a
language import.

Based on #17377

Author: odersky

compiler/src/dotty/tools/dotc/ast/TreeInfo.scala

@@ -464,8 +464,8 @@ trait UntypedTreeInfo extends TreeInfo[Untyped] { self: Trees.Instance[Untyped]
     }
   }
 
-  /** Under pureFunctions: A builder and extractor for `=> T`, which is an alias for `{*}-> T`.
-   *  Only trees of the form `=> T` are matched; trees written directly as `{*}-> T`
+  /** Under pureFunctions: A builder and extractor for `=> T`, which is an alias for `->{cap} T`.
+   *  Only trees of the form `=> T` are matched; trees written directly as `->{cap} T`
    *  are ignored by the extractor.
    */
   object ImpureByNameTypeTree:

compiler/src/dotty/tools/dotc/cc/CaptureOps.scala

@@ -6,6 +6,7 @@ import core.*
 import Types.*, Symbols.*, Contexts.*, Annotations.*, Flags.*
 import ast.{tpd, untpd}
 import Decorators.*, NameOps.*
+import config.SourceVersion
 import config.Printers.capt
 import util.Property.Key
 import tpd.*
@@ -19,6 +20,9 @@ private[cc] def retainedElems(tree: Tree)(using Context): List[Tree] = tree matc
   case Apply(_, Typed(SeqLiteral(elems, _), _) :: Nil) => elems
   case _ => Nil
 
+def allowUniversalInBoxed(using Context) =
+  Feature.sourceVersion.isAtLeast(SourceVersion.`3.3`)
+
 /** An exception thrown if a @retains argument is not syntactically a CaptureRef */
 class IllegalCaptureRef(tpe: Type) extends Exception
 

compiler/src/dotty/tools/dotc/cc/CaptureSet.scala

@@ -319,7 +319,7 @@ object CaptureSet:
   /** The empty capture set `{}` */
   val empty: CaptureSet.Const = Const(emptySet)
 
-  /** The universal capture set `{*}` */
+  /** The universal capture set `{cap}` */
   def universal(using Context): CaptureSet =
     defn.captureRoot.termRef.singletonCaptureSet
 
@@ -429,7 +429,7 @@ object CaptureSet:
 
     /** Roughly: the intersection of all constant known supersets of this set.
      *  The aim is to find an as-good-as-possible constant set that is a superset
-     *  of this set. The universal set {*} is a sound fallback.
+     *  of this set. The universal set {cap} is a sound fallback.
      */
     final def upperApprox(origin: CaptureSet)(using Context): CaptureSet =
       if computingApprox then universal

compiler/src/dotty/tools/dotc/cc/CheckCaptures.scala

@@ -128,6 +128,20 @@ object CheckCaptures:
       if remaining.accountsFor(firstRef) then
         report.warning(em"redundant capture: $remaining already accounts for $firstRef", ann.srcPos)
 
+  def disallowRootCapabilitiesIn(tp: Type, what: String, have: String, addendum: String, pos: SrcPos)(using Context) =
+    val check = new TypeTraverser:
+      def traverse(t: Type) =
+        if variance >= 0 then
+        t.captureSet.disallowRootCapability: () =>
+          def part = if t eq tp then "" else i"the part $t of "
+          report.error(
+            em"""$what cannot $have $tp since
+                |${part}that type captures the root capability `cap`.
+                |$addendum""",
+            pos)
+        traverseChildren(t)
+    check.traverse(tp)
+
 class CheckCaptures extends Recheck, SymTransformer:
   thisPhase =>
 
@@ -525,6 +539,15 @@ class CheckCaptures extends Recheck, SymTransformer:
         case _ =>
       super.recheckTyped(tree)
 
+    override def recheckTry(tree: Try, pt: Type)(using Context): Type =
+      val tp = super.recheckTry(tree, pt)
+      if allowUniversalInBoxed && Feature.enabled(Feature.saferExceptions) then
+        disallowRootCapabilitiesIn(tp,
+          "Result of `try`", "have type",
+          "This is often caused by a locally generated exception capability leaking as part of its result.",
+          tree.srcPos)
+      tp
+
     /* Currently not needed, since capture checking takes place after ElimByName.
      * Keep around in case we need to get back to it
     def recheckByNameArg(tree: Tree, pt: Type)(using Context): Type =
@@ -588,7 +611,7 @@ class CheckCaptures extends Recheck, SymTransformer:
           }
           checkNotUniversal(parent)
         case _ =>
-      checkNotUniversal(typeToCheck)
+      if !allowUniversalInBoxed then checkNotUniversal(typeToCheck)
       super.recheckFinish(tpe, tree, pt)
 
     /** Massage `actual` and `expected` types using the methods below before checking conformance */
@@ -771,21 +794,22 @@ class CheckCaptures extends Recheck, SymTransformer:
             val criticalSet =          // the set which is not allowed to have `cap`
               if covariant then cs1    // can't box with `cap`
               else expected.captureSet // can't unbox with `cap`
-            if criticalSet.isUniversal && expected.isValueType then
+            if criticalSet.isUniversal && expected.isValueType && !allowUniversalInBoxed then
               // We can't box/unbox the universal capability. Leave `actual` as it is
               // so we get an error in checkConforms. This tends to give better error
               // messages than disallowing the root capability in `criticalSet`.
               if ctx.settings.YccDebug.value then
                 println(i"cannot box/unbox $actual vs $expected")
               actual
             else
-              // Disallow future addition of `cap` to `criticalSet`.
-              criticalSet.disallowRootCapability { () =>
-                report.error(
-                  em"""$actual cannot be box-converted to $expected
-                      |since one of their capture sets contains the root capability `cap`""",
-                pos)
-              }
+              if !allowUniversalInBoxed then
+                // Disallow future addition of `cap` to `criticalSet`.
+                criticalSet.disallowRootCapability { () =>
+                  report.error(
+                    em"""$actual cannot be box-converted to $expected
+                        |since one of their capture sets contains the root capability `cap`""",
+                  pos)
+                }
               if !insertBox then  // unboxing
                 markFree(criticalSet, pos)
               adaptedType(!boxed)
@@ -860,7 +884,7 @@ class CheckCaptures extends Recheck, SymTransformer:
 
     /** Check that self types of subclasses conform to self types of super classes.
      *  (See comment below how this is achieved). The check assumes that classes
-     *  without an explicit self type have the universal capture set `{*}` on the
+     *  without an explicit self type have the universal capture set `{cap}` on the
      *  self type. If a class without explicit self type is not `effectivelyFinal`
      *  it is checked that the inferred self type is universal, in order to assure
      *  that joint and separate compilation give the same result.
@@ -917,9 +941,9 @@ class CheckCaptures extends Recheck, SymTransformer:
      *  that this type parameter can't see.
      *  For example, when capture checking the following expression:
      *
-     *    def usingLogFile[T](op: (f: {*} File) => T): T = ...
+     *    def usingLogFile[T](op: (f: {cap} File) => T): T = ...
      *
-     *    usingLogFile[box ?1 () -> Unit] { (f: {*} File) => () => { f.write(0) } }
+     *    usingLogFile[box ?1 () -> Unit] { (f: {cap} File) => () => { f.write(0) } }
      *
      *  We may propagate `f` into ?1, making ?1 ill-formed.
      *  This also causes soundness issues, since `f` in ?1 should be widened to `cap`,
@@ -986,61 +1010,67 @@ class CheckCaptures extends Recheck, SymTransformer:
      *   - Heal ill-formed capture sets of type parameters. See `healTypeParam`.
      */
     def postCheck(unit: tpd.Tree)(using Context): Unit =
-      unit.foreachSubTree {
-        case _: InferredTypeTree =>
-        case tree: TypeTree if !tree.span.isZeroExtent =>
-          tree.knownType.foreachPart { tp =>
-            checkWellformedPost(tp, tree.srcPos)
-            tp match
-              case AnnotatedType(_, annot) if annot.symbol == defn.RetainsAnnot =>
-                warnIfRedundantCaptureSet(annot.tree)
+      val checker = new TreeTraverser:
+        def traverse(tree: Tree)(using Context): Unit =
+          traverseChildren(tree)
+          check(tree)
+        def check(tree: Tree) = tree match
+          case _: InferredTypeTree =>
+          case tree: TypeTree if !tree.span.isZeroExtent =>
+            tree.knownType.foreachPart { tp =>
+              checkWellformedPost(tp, tree.srcPos)
+              tp match
+                case AnnotatedType(_, annot) if annot.symbol == defn.RetainsAnnot =>
+                  warnIfRedundantCaptureSet(annot.tree)
+                case _ =>
+            }
+          case t: ValOrDefDef
+          if t.tpt.isInstanceOf[InferredTypeTree] && !Synthetics.isExcluded(t.symbol) =>
+            val sym = t.symbol
+            val isLocal =
+              sym.owner.ownersIterator.exists(_.isTerm)
+              || sym.accessBoundary(defn.RootClass).isContainedIn(sym.topLevelClass)
+            def canUseInferred =    // If canUseInferred is false, all capturing types in the type of `sym` need to be given explicitly
+              sym.is(Private)                   // private symbols can always have inferred types
+              || sym.name.is(DefaultGetterName) // default getters are exempted since otherwise it would be
+                                                // too annoying. This is a hole since a defualt getter's result type
+                                                // might leak into a type variable.
+              ||                                // non-local symbols cannot have inferred types since external capture types are not inferred
+                isLocal                         // local symbols still need explicit types if
+                && !sym.owner.is(Trait)         // they are defined in a trait, since we do OverridingPairs checking before capture inference
+            def isNotPureThis(ref: CaptureRef) = ref match {
+              case ref: ThisType => !ref.cls.isPureClass
+              case _ => true
+            }
+            if !canUseInferred then
+              val inferred = t.tpt.knownType
+              def checkPure(tp: Type) = tp match
+                case CapturingType(_, refs)
+                if !refs.elems.filter(isNotPureThis).isEmpty =>
+                  val resultStr = if t.isInstanceOf[DefDef] then " result" else ""
+                  report.error(
+                    em"""Non-local $sym cannot have an inferred$resultStr type
+                        |$inferred
+                        |with non-empty capture set $refs.
+                        |The type needs to be declared explicitly.""".withoutDisambiguation(),
+                    t.srcPos)
+                case _ =>
+              inferred.foreachPart(checkPure, StopAt.Static)
+          case t @ TypeApply(fun, args) =>
+            fun.knownType.widen match
+              case tl: PolyType =>
+                val normArgs = args.lazyZip(tl.paramInfos).map { (arg, bounds) =>
+                  arg.withType(arg.knownType.forceBoxStatus(
+                    bounds.hi.isBoxedCapturing | bounds.lo.isBoxedCapturing))
+                }
+                checkBounds(normArgs, tl)
               case _ =>
-          }
-        case t: ValOrDefDef
-        if t.tpt.isInstanceOf[InferredTypeTree] && !Synthetics.isExcluded(t.symbol) =>
-          val sym = t.symbol
-          val isLocal =
-            sym.owner.ownersIterator.exists(_.isTerm)
-            || sym.accessBoundary(defn.RootClass).isContainedIn(sym.topLevelClass)
-          def canUseInferred =    // If canUseInferred is false, all capturing types in the type of `sym` need to be given explicitly
-            sym.is(Private)                   // private symbols can always have inferred types
-            || sym.name.is(DefaultGetterName) // default getters are exempted since otherwise it would be
-                                              // too annoying. This is a hole since a defualt getter's result type
-                                              // might leak into a type variable.
-            ||                                // non-local symbols cannot have inferred types since external capture types are not inferred
-              isLocal                         // local symbols still need explicit types if
-              && !sym.owner.is(Trait)         // they are defined in a trait, since we do OverridingPairs checking before capture inference
-          def isNotPureThis(ref: CaptureRef) = ref match {
-            case ref: ThisType => !ref.cls.isPureClass
-            case _ => true
-          }
-          if !canUseInferred then
-            val inferred = t.tpt.knownType
-            def checkPure(tp: Type) = tp match
-              case CapturingType(_, refs)
-              if !refs.elems.filter(isNotPureThis).isEmpty =>
-                val resultStr = if t.isInstanceOf[DefDef] then " result" else ""
-                report.error(
-                  em"""Non-local $sym cannot have an inferred$resultStr type
-                      |$inferred
-                      |with non-empty capture set $refs.
-                      |The type needs to be declared explicitly.""".withoutDisambiguation(),
-                  t.srcPos)
-              case _ =>
-            inferred.foreachPart(checkPure, StopAt.Static)
-        case t @ TypeApply(fun, args) =>
-          fun.knownType.widen match
-            case tl: PolyType =>
-              val normArgs = args.lazyZip(tl.paramInfos).map { (arg, bounds) =>
-                arg.withType(arg.knownType.forceBoxStatus(
-                  bounds.hi.isBoxedCapturing | bounds.lo.isBoxedCapturing))
-              }
-              checkBounds(normArgs, tl)
-            case _ =>
 
-          args.foreach(healTypeParam(_))
-        case _ =>
-      }
+            args.foreach(healTypeParam(_))
+          case _ =>
+        end check
+      end checker
+      checker.traverse(unit)
       if !ctx.reporter.errorsReported then
         // We dont report errors here if previous errors were reported, because other
         // errors often result in bad applied types, but flagging these bad types gives

compiler/src/dotty/tools/dotc/cc/Setup.scala

@@ -122,7 +122,7 @@ extends tpd.TreeTraverser:
           val sym = tp.typeSymbol
           if sym.isClass then
             sym == defn.AnyClass
-              // we assume Any is a shorthand of {*} Any, so if Any is an upper
+              // we assume Any is a shorthand of {cap} Any, so if Any is an upper
               // bound, the type is taken to be impure.
           else superTypeIsImpure(tp.superType)
         case tp: (RefinedOrRecType | MatchType) =>
@@ -155,7 +155,7 @@ extends tpd.TreeTraverser:
         case CapturingType(parent, refs) =>
           needsVariable(parent)
           && refs.isConst      // if refs is a variable, no need to add another
-          && !refs.isUniversal // if refs is {*}, an added variable would not change anything
+          && !refs.isUniversal // if refs is {cap}, an added variable would not change anything
         case _ =>
           false
     }.showing(i"can have inferred capture $tp = $result", capt)
@@ -411,11 +411,28 @@ extends tpd.TreeTraverser:
           boxed = tree.symbol.is(Mutable),    // types of mutable variables are boxed
           exact = tree.symbol.allOverriddenSymbols.hasNext // types of symbols that override a parent don't get a capture set
         )
+        if allowUniversalInBoxed && tree.symbol.is(Mutable)
+            && !tree.symbol.hasAnnotation(defn.UncheckedCapturesAnnot)
+        then
+          CheckCaptures.disallowRootCapabilitiesIn(tpt.knownType,
+            i"Mutable variable ${tree.symbol.name}", "have type",
+            "This restriction serves to prevent local capabilities from escaping the scope where they are defined.",
+            tree.srcPos)
         traverse(tree.rhs)
       case tree @ TypeApply(fn, args) =>
         traverse(fn)
         for case arg: TypeTree <- args do
           transformTT(arg, boxed = true, exact = false) // type arguments in type applications are boxed
+
+        if allowUniversalInBoxed then
+          val polyType = fn.tpe.widen.asInstanceOf[TypeLambda]
+          for case (arg: TypeTree, pinfo, pname) <- args.lazyZip(polyType.paramInfos).lazyZip((polyType.paramNames)) do
+            if pinfo.bounds.hi.hasAnnotation(defn.Caps_SealedAnnot) then
+              def where = if fn.symbol.exists then i" in the body of ${fn.symbol}" else ""
+              CheckCaptures.disallowRootCapabilitiesIn(arg.knownType,
+                i"Sealed type variable $pname", " be instantiated to",
+                i"This is often caused by a local capability$where\nleaking as part of its result.",
+                tree.srcPos)
       case _ =>
         traverseChildren(tree)
     tree match
@@ -494,11 +511,10 @@ extends tpd.TreeTraverser:
 
   def apply(tree: Tree)(using Context): Unit =
     traverse(tree)(using ctx.withProperty(Setup.IsDuringSetupKey, Some(())))
-end Setup
 
 object Setup:
   val IsDuringSetupKey = new Property.Key[Unit]
 
   def isDuringSetup(using Context): Boolean =
     ctx.property(IsDuringSetupKey).isDefined
-
+end Setup

compiler/src/dotty/tools/dotc/cc/Synthetics.scala

@@ -54,9 +54,9 @@ object Synthetics:
 
   /** Add capture dependencies to the type of the `apply` or `copy` method of a case class.
    *  An apply method in a case class like this:
-   *    case class CC(a: {d} A, b: B, {*} c: C)
+   *    case class CC(a: {d} A, b: B, {cap} c: C)
    *  would get type
-   *    def apply(a': {d} A, b: B, {*} c': C): {a', c'} CC { val a = {a'} A, val c = {c'} C }
+   *    def apply(a': {d} A, b: B, {cap} c': C): {a', c'} CC { val a = {a'} A, val c = {c'} C }
    *  where `'` is used to indicate the difference between parameter symbol and refinement name.
    *  Analogous for the copy method.
    */
@@ -123,7 +123,7 @@ object Synthetics:
     case _ =>
       info
 
-  /** Augment an unapply of type `(x: C): D` to `(x: {*} C): {x} D` */
+  /** Augment an unapply of type `(x: C): D` to `(x: {cap} C): {x} D` */
   private def addUnapplyCaptures(info: Type)(using Context): Type = info match
     case info: MethodType =>
       val paramInfo :: Nil = info.paramInfos: @unchecked

compiler/src/dotty/tools/dotc/config/SourceVersion.scala

@@ -18,6 +18,8 @@ enum SourceVersion:
 
   def isAtLeast(v: SourceVersion) = stable.ordinal >= v.ordinal
 
+  def isAtMost(v: SourceVersion) = stable.ordinal <= v.ordinal
+
 object SourceVersion extends Property.Key[SourceVersion]:
   def defaultSourceVersion = `3.3`
 

compiler/src/dotty/tools/dotc/core/Definitions.scala

@@ -106,7 +106,7 @@ class Definitions {
    *      }
    *  ImpureXYZFunctionN follow this template:
    *
-   *      type ImpureXYZFunctionN[-T0,...,-T{N-1}, +R] = {*} XYZFunctionN[T0,...,T{N-1}, R]
+   *      type ImpureXYZFunctionN[-T0,...,-T{N-1}, +R] = {cap} XYZFunctionN[T0,...,T{N-1}, R]
    */
   private def newFunctionNType(name: TypeName): Symbol = {
     val impure = name.startsWith("Impure")
@@ -973,6 +973,7 @@ class Definitions {
     @tu lazy val Caps_unsafeBox: Symbol = CapsUnsafeModule.requiredMethod("unsafeBox")
     @tu lazy val Caps_unsafeUnbox: Symbol = CapsUnsafeModule.requiredMethod("unsafeUnbox")
     @tu lazy val Caps_unsafeBoxFunArg: Symbol = CapsUnsafeModule.requiredMethod("unsafeBoxFunArg")
+    @tu lazy val Caps_SealedAnnot: ClassSymbol = requiredClass("scala.caps.Sealed")
 
   // Annotation base classes
   @tu lazy val AnnotationClass: ClassSymbol = requiredClass("scala.annotation.Annotation")
@@ -1021,6 +1022,7 @@ class Definitions {
   @tu lazy val UncheckedAnnot: ClassSymbol = requiredClass("scala.unchecked")
   @tu lazy val UncheckedStableAnnot: ClassSymbol = requiredClass("scala.annotation.unchecked.uncheckedStable")
   @tu lazy val UncheckedVarianceAnnot: ClassSymbol = requiredClass("scala.annotation.unchecked.uncheckedVariance")
+  @tu lazy val UncheckedCapturesAnnot: ClassSymbol = requiredClass("scala.annotation.unchecked.uncheckedCaptures")
   @tu lazy val VolatileAnnot: ClassSymbol = requiredClass("scala.volatile")
   @tu lazy val WithPureFunsAnnot: ClassSymbol = requiredClass("scala.annotation.internal.WithPureFuns")
   @tu lazy val BeanGetterMetaAnnot: ClassSymbol = requiredClass("scala.annotation.meta.beanGetter")

compiler/src/dotty/tools/dotc/core/Flags.scala

@@ -315,7 +315,7 @@ object Flags {
   val (SuperParamAliasOrScala2x @ _, SuperParamAlias @ _, Scala2x @ _) = newFlags(26, "<super-param-alias>", "<scala-2.x>")
 
   /** A parameter with a default value / an impure untpd.FunctionWithMods type */
-  val (_, HasDefault @ _, Impure @ _) = newFlags(27, "<hasdefault>", "<{*}>")
+  val (_, HasDefault @ _, Impure @ _) = newFlags(27, "<hasdefault>", "<impure>")
 
   /** An extension method, or a collective extension instance */
   val (Extension @ _, ExtensionMethod @ _, _) = newFlags(28, "<extension>")