Add restricted capabilities x.only[C] (#23485)

Implementation along the lines of
#23463



 - [x] Syntax and parsing rules for `only`-capabilities.
 - [x] A `Classifier` base trait.
- [x] Enforce restriction that a class cannot inherit two unrelated
classified capability classes.
 - [x] A new capability class for `only`-capabilities.
 - [x] Implement `captureSetOfInfo` for `only` capabilities.
- [x] The empty capability is `x.only[Nothing]`. It should have empty
`captureSetOfInfo`.
- [x] Well-formedness rules: `only` must refer to a classified
capability class.
 - [x] Normalization rules: 
         - it's `*`, then `.only`, then `.rd`,
- multiple `.only` normalize to the smallest one if the classes are
related,
- multiple `.only` normalize to the empty capability if the classes are
not related.
- [x] define transitive capture set and cache it in a capability. The
_tcs_ does not exist if a capture set in the hierarchy is still an
unsolved capture set variable.
 - [x] Add a _classifier_ field to `FreshCap` and `ResultCap`.
- [x] Modify `capToFresh` and `toResultInResults` so that the classifier
field is correctly set.
- [x] Using `tcs`, define when a capability is classified by a
classifier class.
- [x] A FreshCap with a classifier `C` can subsume only capabilities
that are classified as `C`.
 - [x]  Implement subsumption rules:
          - `c.as[C] <: d`  if `c <: d` or `c.as[D] <: empty`
          - `c.as[C] <: d.as[D]`  if `c <: d` and `C` derives from `D`
          - `c <: d.as[D]` if `c <: d` and `c` is classified as `D`
- `c.as[D] <: empty` if `tcs(c)` consists of capabilities that all
derive from classifier classes unrelated to `D`.

Author: odersky

compiler/src/dotty/tools/dotc/ast/Desugar.scala

@@ -2321,10 +2321,6 @@ object desugar {
             Annotated(
               AppliedTypeTree(ref(defn.SeqType), t),
               New(ref(defn.RepeatedAnnot.typeRef), Nil :: Nil))
-        else if op.name == nme.CC_REACH then
-          Annotated(t, New(ref(defn.ReachCapabilityAnnot.typeRef), Nil :: Nil))
-        else if op.name == nme.CC_READONLY then
-          Annotated(t, New(ref(defn.ReadOnlyCapabilityAnnot.typeRef), Nil :: Nil))
         else
           assert(ctx.mode.isExpr || ctx.reporter.errorsReported || ctx.mode.is(Mode.Interactive), ctx.mode)
           Select(t, op.name)

compiler/src/dotty/tools/dotc/ast/untpd.scala

@@ -550,6 +550,15 @@ object untpd extends Trees.Instance[Untyped] with UntypedTreeInfo {
       annot.putAttachment(RetainsAnnot, ())
     Annotated(parent, annot)
 
+  def makeReachAnnot()(using Context): Tree =
+    New(ref(defn.ReachCapabilityAnnot.typeRef), Nil :: Nil)
+
+  def makeReadOnlyAnnot()(using Context): Tree =
+    New(ref(defn.ReadOnlyCapabilityAnnot.typeRef), Nil :: Nil)
+
+  def makeOnlyAnnot(qid: Tree)(using Context) =
+    New(AppliedTypeTree(ref(defn.OnlyCapabilityAnnot.typeRef), qid :: Nil), Nil :: Nil)
+
   def makeConstructor(tparams: List[TypeDef], vparamss: List[List[ValDef]], rhs: Tree = EmptyTree)(using Context): DefDef =
     DefDef(nme.CONSTRUCTOR, joinParams(tparams, vparamss), TypeTree(), rhs)
 

compiler/src/dotty/tools/dotc/cc/CCState.scala

@@ -81,6 +81,16 @@ class CCState:
   def start(): Unit =
     iterCount = 1
 
+  private var mySepCheck = false
+
+  /** Are we currently running separation checks? */
+  def isSepCheck = mySepCheck
+
+  def inSepCheck(op: => Unit): Unit =
+    val saved = mySepCheck
+    mySepCheck = true
+    try op finally mySepCheck = saved
+
   // ------ Global counters -----------------------
 
   /** Next CaptureSet.Var id */

compiler/src/dotty/tools/dotc/cc/Capability.scala

@@ -80,6 +80,8 @@ extension (tp: Type)
       tp1.toCapability.reach
     case ReadOnlyCapability(tp1) =>
       tp1.toCapability.readOnly
+    case OnlyCapability(tp1, cls) =>
+      tp1.toCapability.restrict(cls)
     case ref: TermRef if ref.isCapRef =>
       GlobalCap
     case ref: Capability if ref.isTrackableRef =>
@@ -290,7 +292,7 @@ extension (tp: Type)
   def forceBoxStatus(boxed: Boolean)(using Context): Type = tp.widenDealias match
     case tp @ CapturingType(parent, refs) if tp.isBoxed != boxed =>
       val refs1 = tp match
-        case ref: Capability if ref.isTracked || ref.isReach || ref.isReadOnly =>
+        case ref: Capability if ref.isTracked || ref.isInstanceOf[DerivedCapability] =>
           ref.singletonCaptureSet
         case _ => refs
       CapturingType(parent, refs1, boxed)
@@ -376,7 +378,7 @@ extension (tp: Type)
 
   def derivesFromCapability(using Context): Boolean = derivesFromCapTrait(defn.Caps_Capability)
   def derivesFromMutable(using Context): Boolean = derivesFromCapTrait(defn.Caps_Mutable)
-  def derivesFromSharedCapability(using Context): Boolean = derivesFromCapTrait(defn.Caps_SharedCapability)
+  def derivesFromSharedCapability(using Context): Boolean = derivesFromCapTrait(defn.Caps_Sharable)
 
   /** Drop @retains annotations everywhere */
   def dropAllRetains(using Context): Type = // TODO we should drop retains from inferred types before unpickling
@@ -442,6 +444,30 @@ extension (tp: Type)
   def dropUseAndConsumeAnnots(using Context): Type =
     tp.dropAnnot(defn.UseAnnot).dropAnnot(defn.ConsumeAnnot)
 
+  /** If `tp` is a function or method, a type of the same kind with the given
+   *  argument and result types.
+  */
+  def derivedFunctionOrMethod(argTypes: List[Type], resType: Type)(using Context): Type = tp match
+    case tp @ AppliedType(tycon, args) if defn.isNonRefinedFunction(tp) =>
+      val args1 = argTypes :+ resType
+      if args.corresponds(args1)(_ eq _) then tp
+      else tp.derivedAppliedType(tycon, args1)
+    case tp @ defn.RefinedFunctionOf(rinfo) =>
+      val rinfo1 = rinfo.derivedFunctionOrMethod(argTypes, resType)
+      if rinfo1 eq rinfo then tp
+      else if rinfo1.isInstanceOf[PolyType] then tp.derivedRefinedType(refinedInfo = rinfo1)
+      else rinfo1.toFunctionType(alwaysDependent = true)
+    case tp: MethodType =>
+      tp.derivedLambdaType(paramInfos = argTypes, resType = resType)
+    case tp: PolyType =>
+      assert(argTypes.isEmpty)
+      tp.derivedLambdaType(resType = resType)
+    case _ =>
+      tp
+
+  def classifier(using Context): ClassSymbol =
+    tp.classSymbols.map(_.classifier).foldLeft(defn.AnyClass)(leastClassifier)
+
 extension (tp: MethodType)
   /** A method marks an existential scope unless it is the prefix of a curried method */
   def marksExistentialScope(using Context): Boolean =
@@ -473,6 +499,16 @@ extension (cls: ClassSymbol)
       val selfType = bc.givenSelfType
       bc.is(CaptureChecked) && selfType.exists && selfType.captureSet.elems == refs.elems
 
+  def isClassifiedCapabilityClass(using Context): Boolean =
+    cls.derivesFrom(defn.Caps_Capability) && cls.parentSyms.contains(defn.Caps_Classifier)
+
+  def classifier(using Context): ClassSymbol =
+    if cls.derivesFrom(defn.Caps_Capability) then
+      cls.baseClasses
+        .filter(_.parentSyms.contains(defn.Caps_Classifier))
+        .foldLeft(defn.AnyClass)(leastClassifier)
+    else defn.AnyClass
+
 extension (sym: Symbol)
 
   /** This symbol is one of `retains` or `retainsCap` */
@@ -587,7 +623,6 @@ abstract class AnnotatedCapability(annotCls: Context ?=> ClassSymbol):
   def unapply(tree: AnnotatedType)(using Context): Option[Type] = tree match
     case AnnotatedType(parent: Type, ann) if ann.hasSymbol(annotCls) => Some(parent)
     case _ => None
-
 end AnnotatedCapability
 
 /** An extractor for `ref @readOnlyCapability`, which is used to express
@@ -605,6 +640,17 @@ object ReachCapability extends AnnotatedCapability(defn.ReachCapabilityAnnot)
  */
 object MaybeCapability extends AnnotatedCapability(defn.MaybeCapabilityAnnot)
 
+object OnlyCapability:
+  def apply(tp: Type, cls: ClassSymbol)(using Context): AnnotatedType =
+    AnnotatedType(tp,
+      Annotation(defn.OnlyCapabilityAnnot.typeRef.appliedTo(cls.typeRef), Nil, util.Spans.NoSpan))
+
+  def unapply(tree: AnnotatedType)(using Context): Option[(Type, ClassSymbol)] = tree match
+    case AnnotatedType(parent: Type, ann) if ann.hasSymbol(defn.OnlyCapabilityAnnot) =>
+      Some((parent, ann.tree.tpe.argTypes.head.classSymbol.asClass))
+    case _ => None
+end OnlyCapability
+
 /** An extractor for all kinds of function types as well as method and poly types.
  *  It includes aliases of function types such as `=>`. TODO: Can we do without?
  *  @return  1st half: The argument types or empty if this is a type function
@@ -618,28 +664,6 @@ object FunctionOrMethod:
     case defn.RefinedFunctionOf(rinfo) => unapply(rinfo)
     case _ => None
 
-/** If `tp` is a function or method, a type of the same kind with the given
- *  argument and result types.
- */
-extension (self: Type)
-  def derivedFunctionOrMethod(argTypes: List[Type], resType: Type)(using Context): Type = self match
-    case self @ AppliedType(tycon, args) if defn.isNonRefinedFunction(self) =>
-      val args1 = argTypes :+ resType
-      if args.corresponds(args1)(_ eq _) then self
-      else self.derivedAppliedType(tycon, args1)
-    case self @ defn.RefinedFunctionOf(rinfo) =>
-      val rinfo1 = rinfo.derivedFunctionOrMethod(argTypes, resType)
-      if rinfo1 eq rinfo then self
-      else if rinfo1.isInstanceOf[PolyType] then self.derivedRefinedType(refinedInfo = rinfo1)
-      else rinfo1.toFunctionType(alwaysDependent = true)
-    case self: MethodType =>
-      self.derivedLambdaType(paramInfos = argTypes, resType = resType)
-    case self: PolyType =>
-      assert(argTypes.isEmpty)
-      self.derivedLambdaType(resType = resType)
-    case _ =>
-      self
-
 /** An extractor for a contains argument */
 object ContainsImpl:
   def unapply(tree: TypeApply)(using Context): Option[(Tree, Tree)] =

compiler/src/dotty/tools/dotc/cc/CaptureOps.scala

@@ -83,6 +83,14 @@ sealed abstract class CaptureSet extends Showable:
    */
   def owner: Symbol
 
+  /** If this set is a variable: Drop capabilities that are known to be empty
+   *  This is called during separation checking so that capabilities that turn
+   *  out to be always empty because of conflicting clasisifiers don't contribute
+   *  to peaks. We can't do it before that since classifiers are set during
+   *  capture checking.
+   */
+  def dropEmpties()(using Context): this.type
+
   /** Is this capture set definitely non-empty? */
   final def isNotEmpty: Boolean = !elems.isEmpty
 
@@ -210,6 +218,7 @@ sealed abstract class CaptureSet extends Showable:
 
   protected def addIfHiddenOrFail(elem: Capability)(using ctx: Context, vs: VarState): Boolean =
     elems.exists(_.maxSubsumes(elem, canAddHidden = true))
+    || elem.isKnownEmpty
     || failWith(IncludeFailure(this, elem))
 
   /** If this is a variable, add `cs` as a dependent set */
@@ -403,11 +412,33 @@ sealed abstract class CaptureSet extends Showable:
 
   def maybe(using Context): CaptureSet = map(MaybeMap())
 
+  def restrict(cls: ClassSymbol)(using Context): CaptureSet = map(RestrictMap(cls))
+
   def readOnly(using Context): CaptureSet =
     val res = map(ReadOnlyMap())
     if mutability != Ignored then res.mutability = Reader
     res
 
+  def transClassifiers(using Context): Classifiers =
+    def elemClassifiers =
+      (ClassifiedAs(Nil) /: elems.map(_.transClassifiers))(joinClassifiers)
+    if ccState.isSepCheck then
+      dropEmpties()
+      elemClassifiers
+    else if isConst then
+      elemClassifiers
+    else
+      UnknownClassifier
+
+  def tryClassifyAs(cls: ClassSymbol)(using Context): Boolean =
+    elems.forall(_.tryClassifyAs(cls))
+
+  def adoptClassifier(cls: ClassSymbol)(using Context): Unit =
+    for elem <- elems do
+      elem.stripReadOnly match
+        case fresh: FreshCap => fresh.hiddenSet.adoptClassifier(cls)
+        case _ =>
+
   /** A bad root `elem` is inadmissible as a member of this set. What is a bad roots depends
    *  on the value of `rootLimit`.
    *  If the limit is null, all capture roots are good.
@@ -557,6 +588,8 @@ object CaptureSet:
 
     def owner = NoSymbol
 
+    def dropEmpties()(using Context) = this
+
     private var isComplete = true
 
     def setMutable()(using Context): Unit =
@@ -641,6 +674,16 @@ object CaptureSet:
 
     def isMaybeSet = false // overridden in BiMapped
 
+    private var emptiesDropped = false
+
+    def dropEmpties()(using Context): this.type =
+      if !emptiesDropped then
+        emptiesDropped = true
+        for elem <- elems do
+          if elem.isKnownEmpty then
+            elems -= empty
+      this
+
     /** A handler to be invoked if the root reference `cap` is added to this set */
     var rootAddedHandler: () => Context ?=> Unit = () => ()
 
@@ -649,6 +692,25 @@ object CaptureSet:
      */
     private[CaptureSet] var rootLimit: Symbol | Null = null
 
+    private var myClassifier: ClassSymbol = defn.AnyClass
+    def classifier: ClassSymbol = myClassifier
+
+    private def narrowClassifier(cls: ClassSymbol)(using Context): Unit =
+      val newClassifier = leastClassifier(classifier, cls)
+      if newClassifier == defn.NothingClass then
+        println(i"conflicting classifications for $this, was $classifier, now $cls")
+      myClassifier = newClassifier
+
+    override def adoptClassifier(cls: ClassSymbol)(using Context): Unit =
+      if !classifier.isSubClass(cls) then // serves as recursion brake
+        narrowClassifier(cls)
+        super.adoptClassifier(cls)
+
+    override def tryClassifyAs(cls: ClassSymbol)(using Context): Boolean =
+      classifier.isSubClass(cls)
+      || super.tryClassifyAs(cls)
+          && { narrowClassifier(cls); true }
+
     /** A handler to be invoked when new elems are added to this set */
     var newElemAddedHandler: Capability => Context ?=> Unit = _ => ()
 
@@ -680,14 +742,15 @@ object CaptureSet:
         addIfHiddenOrFail(elem)
       else if !levelOK(elem) then
         failWith(IncludeFailure(this, elem, levelError = true))    // or `elem` is not visible at the level of the set.
+      else if !elem.tryClassifyAs(classifier) then
+        failWith(IncludeFailure(this, elem))
       else
         // id == 108 then assert(false, i"trying to add $elem to $this")
         assert(elem.isWellformed, elem)
         assert(!this.isInstanceOf[HiddenSet] || summon[VarState].isSeparating, summon[VarState])
         includeElem(elem)
         if isBadRoot(rootLimit, elem) then
           rootAddedHandler()
-        newElemAddedHandler(elem)
         val normElem = if isMaybeSet then elem else elem.stripMaybe
         // assert(id != 5 || elems.size != 3, this)
         val res = deps.forall: dep =>
@@ -1344,9 +1407,10 @@ object CaptureSet:
 
   /** A template for maps on capabilities where f(c) <: c and f(f(c)) = c */
   private abstract class NarrowingCapabilityMap(using Context) extends BiTypeMap:
-
     def apply(t: Type) = mapOver(t)
 
+    protected def isSameMap(other: BiTypeMap) = other.getClass == getClass
+
     override def fuse(next: BiTypeMap)(using Context) = next match
       case next: Inverse if next.inverse.getClass == getClass => Some(IdentityTypeMap)
       case next: NarrowingCapabilityMap if next.getClass == getClass => Some(this)
@@ -1358,8 +1422,8 @@ object CaptureSet:
       def inverse = NarrowingCapabilityMap.this
       override def toString = NarrowingCapabilityMap.this.toString ++ ".inverse"
       override def fuse(next: BiTypeMap)(using Context) = next match
-        case next: NarrowingCapabilityMap if next.inverse.getClass == getClass => Some(IdentityTypeMap)
-        case next: NarrowingCapabilityMap if next.getClass == getClass => Some(this)
+        case next: NarrowingCapabilityMap if isSameMap(next.inverse) => Some(IdentityTypeMap)
+        case next: NarrowingCapabilityMap if isSameMap(next) => Some(this)
         case _ => None
 
     lazy val inverse = Inverse()
@@ -1375,6 +1439,13 @@ object CaptureSet:
     override def mapCapability(c: Capability, deep: Boolean) = c.readOnly
     override def toString = "ReadOnly"
 
+  private class RestrictMap(val cls: ClassSymbol)(using Context) extends NarrowingCapabilityMap:
+    override def mapCapability(c: Capability, deep: Boolean) = c.restrict(cls)
+    override def toString = "Restrict"
+    override def isSameMap(other: BiTypeMap) = other match
+      case other: RestrictMap => cls == other.cls
+      case _ => false
+
   /* Not needed:
   def ofClass(cinfo: ClassInfo, argTypes: List[Type])(using Context): CaptureSet =
     CaptureSet.empty
@@ -1402,6 +1473,9 @@ object CaptureSet:
     case Reach(c1) =>
       c1.widen.deepCaptureSet(includeTypevars = true)
         .showing(i"Deep capture set of $c: ${c1.widen} = ${result}", capt)
+    case Restricted(c1, cls) =>
+      if cls == defn.NothingClass then CaptureSet.empty
+      else c1.captureSetOfInfo.restrict(cls) // todo: should we simplify using subsumption here?
     case ReadOnly(c1) =>
       c1.captureSetOfInfo.readOnly
     case Maybe(c1) =>

compiler/src/dotty/tools/dotc/cc/CaptureSet.scala

@@ -40,6 +40,8 @@ object CapturingType:
         apply(parent1, refs ++ refs1, boxed)
       case _ =>
         if parent.derivesFromMutable then refs.setMutable()
+        val classifier = parent.classifier
+        refs.adoptClassifier(parent.classifier)
         AnnotatedType(parent, CaptureAnnotation(refs, boxed)(defn.RetainsAnnot))
 
   /** An extractor for CapturingTypes. Capturing types are recognized if