Allow reach capabilities from within a nested closure

Author: odersky

compiler/src/dotty/tools/dotc/cc/CheckCaptures.scala

@@ -50,7 +50,8 @@ object CheckCaptures:
       owner: Symbol,
       kind: EnvKind,
       captured: CaptureSet,
-      outer0: Env | Null):
+      outer0: Env | Null,
+      nestedClosure: Symbol = NoSymbol):
 
     def outer = outer0.nn
 
@@ -400,16 +401,18 @@ class CheckCaptures extends Recheck, SymTransformer:
         else
           !sym.isContainedIn(env.owner)
 
-      def checkUseDeclared(c: CaptureRef, env: Env) =
-        c.pathRoot match
+      def checkUseDeclared(c: CaptureRef, env: Env, lastEnv: Env | Null) =
+        if lastEnv != null && env.nestedClosure.exists && env.nestedClosure == lastEnv.owner then
+          () // access is from a nested closure, so it's OK
+        else c.pathRoot match
           case ref: NamedType if !ref.symbol.hasAnnotation(defn.UseAnnot) =>
             val what = if ref.isType then "Capture set parameter" else "Local reach capability"
             report.error(
               em"""$what $c leaks into capture scope of ${env.ownerString}.
                   |To allow this, the ${ref.symbol} should be declared with a @use annotation""", pos)
           case _ =>
 
-      def recur(cs: CaptureSet, env: Env)(using Context): Unit =
+      def recur(cs: CaptureSet, env: Env, lastEnv: Env | Null)(using Context): Unit =
         if env.isOpen && !env.owner.isStaticOwner && !cs.isAlwaysEmpty then
           // Only captured references that are visible from the environment
           // should be included.
@@ -423,7 +426,7 @@ class CheckCaptures extends Recheck, SymTransformer:
               c match
                 case ReachCapability(c1) =>
                   if c1.isParamPath then
-                    checkUseDeclared(c, env)
+                    checkUseDeclared(c, env, lastEnv)
                   else
                     // When a reach capabilty x* where `x` is not a parameter goes out
                     // of scope, we need to continue with `x`'s underlying deep capture set.
@@ -438,16 +441,16 @@ class CheckCaptures extends Recheck, SymTransformer:
                     capt.println(i"Widen reach $c to $underlying in ${env.owner}")
                     underlying.disallowRootCapability: () =>
                       report.error(em"Local reach capability $c leaks into capture scope of ${env.ownerString}", pos)
-                    recur(underlying, env)
+                    recur(underlying, env, lastEnv)
                 case c: TypeRef if c.isParamPath =>
-                  checkUseDeclared(c, env)
+                  checkUseDeclared(c, env, lastEnv)
                 case _ =>
             isVisible
           checkSubset(included, env.captured, pos, provenance(env))
           capt.println(i"Include call or box capture $included from $cs in ${env.owner} --> ${env.captured}")
           if !isOfNestedMethod(env) then
-            recur(included, nextEnvToCharge(env, !_.owner.isStaticOwner))
-      recur(cs, curEnv)
+            recur(included, nextEnvToCharge(env, !_.owner.isStaticOwner), env)
+      recur(cs, curEnv, null)
     end markFree
 
     /** Include references captured by the called method in the current environment stack */
@@ -843,10 +846,19 @@ class CheckCaptures extends Recheck, SymTransformer:
     override def recheckDefDef(tree: DefDef, sym: Symbol)(using Context): Type =
       if Synthetics.isExcluded(sym) then sym.info
       else
+        // If rhs ends in a closure or anonymous class, the corresponding symbol
+        def nestedClosure(rhs: Tree)(using Context): Symbol = rhs match
+          case Closure(_, meth, _) => meth.symbol
+          case Apply(fn, _) if fn.symbol.isConstructor && fn.symbol.owner.isAnonymousClass => fn.symbol.owner
+          case Block(_, expr) => nestedClosure(expr)
+          case Inlined(_, _, expansion) => nestedClosure(expansion)
+          case Typed(expr, _) => nestedClosure(expr)
+          case _ => NoSymbol
+
         val saved = curEnv
         val localSet = capturedVars(sym)
         if !localSet.isAlwaysEmpty then
-          curEnv = Env(sym, EnvKind.Regular, localSet, curEnv)
+          curEnv = Env(sym, EnvKind.Regular, localSet, curEnv, nestedClosure(tree.rhs))
 
         // ctx with AssumedContains entries for each Contains parameter
         val bodyCtx =

docs/_docs/internals/cc/use-design.md

@@ -0,0 +1,71 @@
+
+Possible design:
+
+ 1. Have @use annotation on type parameters and value parameters of regular methods
+   (not anonymous functions).
+ 2. In markFree, keep track whether a capture set variable or reach capability
+   is used directly in the method where it is defined, or in a nested context
+   (either unbound nested closure or unbound anonymous class).
+ 3. Disallow charging a reach capability `xs*` to the environment of the method where
+   `xs` is a parameter unless `xs` is declared `@use`.
+ 4. Analogously, disallow charging a capture set variable `C^` to the environment of the method where `C^` is a parameter unless `C^` is declared `@use`.
+ 5. When passing an argument to a `@use`d term parameter, charge the `dcs` of the argument type to the environments via markFree.
+ 6. When instantiating a `@use`d type parameter, charge the capture set of the argument
+   to the environments via markFree.
+
+It follows that we cannot refer to methods with @use term parameters as values. Indeed,
+their eta expansion would produce an anonymous function that includes a reach capability of
+its parameter in its use set, violating (3).
+
+Example:
+
+```scala
+  def runOps(@use ops: List[() => Unit]): Unit = ops.foreach(_())
+```
+Then `runOps` expands to
+```scala
+(xs: List[() => Unit]) => runOps(xs)
+```
+Note that `xs` does not carry a `@use` since this is disallowed by (1) for anonymous functions. By (5), we charge the deep capture set of `xs`, which is `xs*` to the environment. By (3), this is actually disallowed.
+
+Now, if we express this with explicit capture set parameters we get:
+```scala
+  def runOpsPoly[@use C^](ops: List[() ->{C^} Unit]): Unit = ops.foreach[C^](_())
+```
+Then `runOpsPoly` expands to `runOpsPoly[cs]` for some inferred capture set `cs`. And this expands to:
+```scala
+(xs: List[() ->{cs} Unit]) => runOpsPoly[cs](xs)
+```
+Since `cs` is passed to the `@use` parameter of `runOpsPoly` it is charged
+to the environment of the function body, so the type of the previous expression is
+```scala
+List[() ->{cs} Unit]) ->{cs} Unit
+```
+
+We can also use explicit capture set parameters to eta expand the first `runOps` manually:
+
+```scala
+[C^] => (xs: List[() ->{C^} Unit]) => runOps(xs)
+  : [C^] -> List[() ->{C^} Unit] ->[C^] Unit
+```
+Except that this currently runs afoul of the implementation restriction that polymorphic functions cannot wrap capturing functions. But that's a restriction we need to lift anyway.
+
+## `@use` inference
+
+ - `@use` is implied for a term parameter `x` of a method if `x`'s type contains a boxed cap and `x` or `x*` is not referred to in the result type of the method.
+
+ - `@use` is implied for a capture set parameter `C` of a method if `C` is not referred to in the result type of the method.
+
+If `@use` is implied, one can override to no use by giving an explicit use annotation
+`@use(false)` instead. Example:
+```scala
+  def f(@use(false) xs: List[() => Unit]): Int = xs.length
+```
+
+This works since `@use` is defined like this:
+```scala
+class use(cond: Boolean = true) extends StaticAnnotation
+```
+
+
+

tests/neg-custom-args/captures/method-uses.scala

@@ -0,0 +1,30 @@
+def test(xs: List[() => Unit]) =
+  xs.head // error
+
+  def foo =
+    xs.head // ok
+  def bar() =
+    xs.head // ok
+
+  class Foo:
+    println(xs.head) // error, but could be OK
+
+  foo // error
+  bar() // error
+  Foo() // OK, but could be error
+
+def test2(xs: List[() => Unit]) =
+  def foo = xs.head // ok
+  ()
+
+def test3(xs: List[() => Unit]): () ->{xs*} Unit = () =>
+  println(xs.head)  // ok
+
+  def test4(xs: List[() => Unit]) = () => xs.head // ok
+
+  def test5(xs: List[() => Unit]) = new:
+    println(xs.head) // ok
+
+  def test6(xs: List[() => Unit]) =
+    val x= new { println(xs.head) } // error
+    x