Establish a "covers" relation between a fresh for an object

odersky · odersky · commit 339581e5ed84 · 2025-10-06T18:23:55.000+02:00
and a fresh for one of its fields.
diff --git a/compiler/src/dotty/tools/dotc/cc/Capability.scala b/compiler/src/dotty/tools/dotc/cc/Capability.scala
@@ -691,6 +691,8 @@ object Capabilities:
 
       try (this eq y)
       || maxSubsumes(y, canAddHidden = !vs.isOpen)
+          // if vs is open, we should add new elements to the set containing `this`
+          // instead of adding them to the hidden set of of `this`.
       || y.match
         case y: TermRef =>
             y.prefix.match
@@ -773,6 +775,7 @@ object Capabilities:
                 false
 
           vs.ifNotSeen(this)(x.hiddenSet.elems.exists(_.subsumes(y)))
+          || x.coversFresh(y)
           || x.acceptsLevelOf(y)
               && classifierOK
               && canAddHidden
@@ -839,15 +842,39 @@ object Capabilities:
             case _ =>
               false
         || x.match
-            case x: FreshCap if !seen.contains(x) =>
-              seen.add(x)
-              x.hiddenSet.exists(recur(_, y))
+            case x: FreshCap =>
+              if x.coversFresh(y) then true
+              else if !seen.contains(x) then
+                seen.add(x)
+                x.hiddenSet.exists(recur(_, y))
+              else false
             case Restricted(x1, _) => recur(x1, y)
             case _ => false
 
       recur(this, y)
     end covers
 
+    /** `x eq y` or `x` is a fresh cap, `y` is a fresh cap with prefix
+     *  `p`, and there is a prefix of `p` that contains `x` in its
+     *  capture set.
+     */
+    final def coversFresh(y: Capability)(using Context): Boolean =
+      (this eq y) || this.match
+        case x: FreshCap => y match
+          case y: FreshCap =>
+            x.origin match
+              case Origin.InDecl(sym) =>
+                def occursInPrefix(pre: Type): Boolean = pre match
+                  case pre @ TermRef(pre1, _) =>
+                    pre.symbol == sym
+                    && pre.info.captureSet.elems.contains(x)
+                    || occursInPrefix(pre1)
+                  case _ => false
+                occursInPrefix(y.prefix)
+              case _ => false
+          case _ => false
+        case _ => false
+
     def assumedContainsOf(x: TypeRef)(using Context): SimpleIdentitySet[Capability] =
       CaptureSet.assumedContains.getOrElse(x, SimpleIdentitySet.empty)
 
diff --git a/compiler/src/dotty/tools/dotc/cc/CaptureSet.scala b/compiler/src/dotty/tools/dotc/cc/CaptureSet.scala
@@ -1236,6 +1236,7 @@ object CaptureSet:
 
     /** Add element to hidden set. */
     def add(elem: Capability)(using ctx: Context, vs: VarState): Unit =
+      assert(elem ne owningCap)
       includeElem(elem)
 
     /** Apply function `f` to `elems` while setting `elems` to empty for the
diff --git a/compiler/src/dotty/tools/dotc/cc/SepCheck.scala b/compiler/src/dotty/tools/dotc/cc/SepCheck.scala
@@ -221,7 +221,7 @@ object SepCheck:
         refs1.foreach: ref =>
           if !ref.isReadOnly then
             val coreRef = ref.stripRestricted
-            if refs2.exists(_.stripRestricted.stripReadOnly eq coreRef) then
+            if refs2.exists(_.stripRestricted.stripReadOnly.coversFresh(coreRef)) then
               acc += coreRef
         acc
       assert(refs.forall(_.isTerminalCapability))
diff --git a/tests/neg-custom-args/captures/sep-pairs-unboxed.check b/tests/neg-custom-args/captures/sep-pairs-unboxed.check
@@ -0,0 +1,86 @@
+-- Error: tests/neg-custom-args/captures/sep-pairs-unboxed.scala:11:27 -------------------------------------------------
+11 |def mkPair(x: Ref^) = Pair(x, x) // error: separation failure
+   |                           ^
+   |Separation failure: argument of type  (x : Ref^)
+   |to constructor Pair: (fst: Ref^, snd: Ref^): Pair
+   |corresponds to capture-polymorphic formal parameter fst of type  Ref^²
+   |and hides capabilities  {x}.
+   |Some of these overlap with the captures of the second argument with type  (x : Ref^).
+   |
+   |  Hidden set of current argument        : {x}
+   |  Hidden footprint of current argument  : {x}
+   |  Capture set of second argument        : {x}
+   |  Footprint set of second argument      : {x}
+   |  The two sets overlap at               : {x}
+   |
+   |where:    ^  refers to a fresh root capability classified as Mutable in the type of parameter x
+   |          ^² refers to a fresh root capability classified as Mutable created in method mkPair when checking argument to parameter fst of constructor Pair
+-- Error: tests/neg-custom-args/captures/sep-pairs-unboxed.scala:35:25 -------------------------------------------------
+35 |  val twoCopy = Pair(two.fst, two.fst) // error
+   |                     ^^^^^^^
+   |Separation failure: argument of type  (two.fst : Ref^)
+   |to constructor Pair: (fst: Ref^, snd: Ref^): Pair
+   |corresponds to capture-polymorphic formal parameter fst of type  Ref^²
+   |and hides capabilities  {two.fst}.
+   |Some of these overlap with the captures of the second argument with type  (two.fst : Ref^).
+   |
+   |  Hidden set of current argument        : {two.fst}
+   |  Hidden footprint of current argument  : {two.fst}
+   |  Capture set of second argument        : {two.fst}
+   |  Footprint set of second argument      : {two.fst}
+   |  The two sets overlap at               : {two.fst}
+   |
+   |where:    ^  refers to a fresh root capability classified as Mutable in the type of value fst
+   |          ^² refers to a fresh root capability classified as Mutable created in value twoCopy when checking argument to parameter fst of constructor Pair
+-- Error: tests/neg-custom-args/captures/sep-pairs-unboxed.scala:41:29 -------------------------------------------------
+41 |  val twisted = PairPair(two.fst, two) // error
+   |                         ^^^^^^^
+   |Separation failure: argument of type  (two.fst : Ref^)
+   |to constructor PairPair: (fst: Ref^, snd: Pair^): PairPair
+   |corresponds to capture-polymorphic formal parameter fst of type  Ref^²
+   |and hides capabilities  {two.fst}.
+   |Some of these overlap with the captures of the second argument with type  (two : Pair{val fst: Ref^; val snd: Ref^}^).
+   |
+   |  Hidden set of current argument        : {two.fst}
+   |  Hidden footprint of current argument  : {two.fst}
+   |  Capture set of second argument        : {two*}
+   |  Footprint set of second argument      : {two*}
+   |  The two sets overlap at               : {two.cap of class Pair}
+   |
+   |where:    ^  refers to a fresh root capability classified as Mutable in the type of value fst
+   |          ^² refers to a fresh root capability classified as Mutable created in value twisted when checking argument to parameter fst of constructor PairPair
+-- Error: tests/neg-custom-args/captures/sep-pairs-unboxed.scala:47:24 -------------------------------------------------
+47 |  val twisted = swapped(two, two.snd) // error
+   |                        ^^^
+   |Separation failure: argument of type  (two : Pair{val fst: Ref^; val snd: Ref^²}^³)
+   |to method swapped: (@consume x: Pair^, @consume y: Ref^): PairPair^
+   |corresponds to capture-polymorphic formal parameter x of type  Pair^⁴
+   |and hides capabilities  {two}.
+   |Some of these overlap with the captures of the second argument with type  (two.snd : Ref^).
+   |
+   |  Hidden set of current argument        : {two}
+   |  Hidden footprint of current argument  : {two}
+   |  Capture set of second argument        : {two.snd}
+   |  Footprint set of second argument      : {two.snd}
+   |  The two sets overlap at               : {two.snd}
+   |
+   |where:    ^  refers to a fresh root capability classified as Mutable in the type of value fst
+   |          ^² refers to a fresh root capability classified as Mutable in the type of value snd
+   |          ^³ refers to a fresh root capability in the type of value two
+   |          ^⁴ refers to a fresh root capability created in value twisted when checking argument to parameter x of method swapped
+-- Error: tests/neg-custom-args/captures/sep-pairs-unboxed.scala:58:22 -------------------------------------------------
+58 |  val twoOther = Pair(two.fst, two.snd)  // error // error
+   |                      ^^^
+   |                      Separation failure: Illegal access to {two.fst} which is hidden by the previous definition
+   |                      of value twoCopy with type Pair^.
+   |                      This type hides capabilities  {two.fst, two.snd}
+   |
+   |                      where:    ^ refers to a fresh root capability in the type of value twoCopy
+-- Error: tests/neg-custom-args/captures/sep-pairs-unboxed.scala:58:31 -------------------------------------------------
+58 |  val twoOther = Pair(two.fst, two.snd)  // error // error
+   |                               ^^^
+   |                      Separation failure: Illegal access to {two.snd} which is hidden by the previous definition
+   |                      of value twoCopy with type Pair^.
+   |                      This type hides capabilities  {two.fst, two.snd}
+   |
+   |                      where:    ^ refers to a fresh root capability in the type of value twoCopy
diff --git a/tests/neg-custom-args/captures/sep-pairs-unboxed.scala b/tests/neg-custom-args/captures/sep-pairs-unboxed.scala
@@ -0,0 +1,60 @@
+import caps.Mutable
+import caps.cap
+
+class Ref extends Mutable:
+  var x = 0
+  def get: Int = x
+  update def put(y: Int): Unit = x = y
+
+class Pair(val fst: Ref^, val snd: Ref^)
+
+def mkPair(x: Ref^) = Pair(x, x) // error: separation failure
+
+def bad: Pair^ =
+  val r0 = Ref()
+  val r1 = mkPair(r0)
+  r1
+
+def twoRefs(): Pair^ =
+  val r1 = Ref()
+  val r2 = Ref()
+  Pair(r1, r2)
+
+def good1(): Unit =
+  val two = twoRefs()
+  val fst = two.fst
+  val snd = two.snd
+  val twoCopy = Pair(fst, snd) // ok
+
+def good2(): Unit =
+  val two = twoRefs()
+  val twoCopy = Pair(two.fst, two.snd) // ok
+
+def bad2(): Unit =
+  val two = twoRefs()
+  val twoCopy = Pair(two.fst, two.fst) // error
+
+class PairPair(val fst: Ref^, val snd: Pair^)
+
+def bad3(): Unit =
+  val two = twoRefs()
+  val twisted = PairPair(two.fst, two) // error
+
+def swapped(consume x: Pair^, consume y: Ref^): PairPair^ = PairPair(y, x)
+
+def bad4(): Unit =
+  val two = twoRefs()
+  val twisted = swapped(two, two.snd) // error
+
+def good3(): Unit =
+  val two = twoRefs()
+  val twoCopy = Pair(two.fst, two.snd)
+  val _: Pair^{two.fst, two.snd} = twoCopy
+  val twoOther = Pair(two.fst, two.snd)
+
+def bad5(): Unit =
+  val two = twoRefs()
+  val twoCopy: Pair^ = Pair(two.fst, two.snd)
+  val twoOther = Pair(two.fst, two.snd)  // error // error
+
+
diff --git a/tests/neg-custom-args/captures/sep-pairs.check b/tests/neg-custom-args/captures/sep-pairs.check
@@ -26,7 +26,7 @@
    |            Separation failure in value sameToPair's type Pair[Ref^, Ref^²].
    |            One part,  Ref^, hides capabilities  {fstSame}.
    |            Another part,  Ref^²,  captures capabilities  {sndSame, same.snd*}.
-   |            The two sets overlap at  cap of value same.
+   |            The two sets overlap at  {cap of value same}.
    |
    |            where:    ^  refers to a fresh root capability classified as Mutable in the type of value sameToPair
    |                      ^² refers to a fresh root capability classified as Mutable in the type of value sameToPair

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@`
`26`	`26`	`\| Separation failure in value sameToPair's type Pair[Ref^, Ref^²].`
`27`	`27`	`\| One part, Ref^, hides capabilities {fstSame}.`
`28`	`28`	`\| Another part, Ref^², captures capabilities {sndSame, same.snd*}.`
`29`		`- \| The two sets overlap at cap of value same.`
	`29`	`+ \| The two sets overlap at {cap of value same}.`
`30`	`30`	`\|`
`31`	`31`	`\| where: ^ refers to a fresh root capability classified as Mutable in the type of value sameToPair`
`32`	`32`	`\| ^² refers to a fresh root capability classified as Mutable in the type of value sameToPair`