Fix unsoundness in APPLY and SELECT rules

We have to specially treat the case where the result contains a ResultCap. In that case
no improvement is allowed, even if the alternative capture set is empty.

Author: odersky

compiler/src/dotty/tools/dotc/cc/CheckCaptures.scala

@@ -732,19 +732,26 @@ class CheckCaptures extends Recheck, SymTransformer:
                 |since its capture set ${qualType.captureSet} is read-only""",
             tree.srcPos)
 
-      val selType = mapResultRoots(recheckSelection(tree, qualType, name, disambiguate), tree.symbol)
+      val origSelType = recheckSelection(tree, qualType, name, disambiguate)
+      val selType = mapResultRoots(origSelType, tree.symbol)
       val selWiden = selType.widen
 
+      def capturesResult = origSelType.widenSingleton match
+        case ExprType(resType) => resType.captureSet.containsResultCapability
+        case _ => false
+
       // Don't apply the rule
       //   - on the LHS of assignments, or
       //   - if the qualifier or selection type is boxed, or
-      //   - the selection is either a trackable capture reference or a pure type
+      //   - the selection is either a trackable capture reference or a pure type, or
+      //   - if the selection is of a parameterless method capturing a result cap
       if noWiden(selType, pt)
           || qualType.isBoxedCapturing
           || selType.isBoxedCapturing
           || selWiden.isBoxedCapturing
           || selType.isTrackableRef
           || selWiden.captureSet.isAlwaysEmpty
+          || capturesResult
       then
         selType
       else
@@ -819,9 +826,8 @@ class CheckCaptures extends Recheck, SymTransformer:
      */
     protected override
     def recheckApplication(tree: Apply, qualType: Type, funType: MethodType, argTypes: List[Type])(using Context): Type =
-      val appType = resultToFresh(
-        super.recheckApplication(tree, qualType, funType, argTypes),
-        Origin.ResultInstance(funType, tree.symbol))
+      val resultType = super.recheckApplication(tree, qualType, funType, argTypes)
+      val appType = resultToFresh(resultType, Origin.ResultInstance(funType, tree.symbol))
       val qualCaptures = qualType.captureSet
       val argCaptures =
         for (argType, formal) <- argTypes.lazyZip(funType.paramInfos) yield
@@ -830,6 +836,7 @@ class CheckCaptures extends Recheck, SymTransformer:
         case appType @ CapturingType(appType1, refs)
         if qualType.exists
             && !tree.fun.symbol.isConstructor
+            && !resultType.captureSet.containsResultCapability
             && qualCaptures.mightSubcapture(refs)
             && argCaptures.forall(_.mightSubcapture(refs)) =>
           val callCaptures = argCaptures.foldLeft(qualCaptures)(_ ++ _)

library/src/scala/collection/immutable/LazyListIterable.scala

@@ -321,7 +321,7 @@ final class LazyListIterable[+A] private (lazyState: LazyListIterable.EmptyMarke
         try fun().evaluated
         // restore `fun` in finally so we can try again later if an exception was thrown (similar to lazy val)
         finally _tail = fun
-      _tail = l.rawTail
+      _tail = caps.unsafe.unsafeAssumePure(l.rawTail)
       _head = l.rawHead
     }
   }

tests/neg-custom-args/captures/apply-fresh.check

@@ -0,0 +1,31 @@
+-- [E007] Type Mismatch Error: tests/neg-custom-args/captures/apply-fresh.scala:17:15 ----------------------------------
+17 |  val _: Ref = x // error
+   |               ^
+   |               Found:    (x : Ref^)
+   |               Required: Ref
+   |
+   |               Note that capability cap is not included in capture set {}.
+   |
+   |               where:    ^ and cap refer to a fresh root capability in the type of value x
+   |
+   | longer explanation available when compiling with `-explain`
+-- [E007] Type Mismatch Error: tests/neg-custom-args/captures/apply-fresh.scala:21:15 ----------------------------------
+21 |  val _: Ref = y // error
+   |               ^
+   |               Found:    (y : Ref^)
+   |               Required: Ref
+   |
+   |               Note that capability cap is not included in capture set {}.
+   |
+   |               where:    ^ and cap refer to a fresh root capability in the type of value y
+   |
+   | longer explanation available when compiling with `-explain`
+-- [E007] Type Mismatch Error: tests/neg-custom-args/captures/apply-fresh.scala:25:15 ----------------------------------
+25 |  val _: Ref = z // error
+   |               ^
+   |               Found:    (z : Ref^{bar.newRef})
+   |               Required: Ref
+   |
+   |               Note that capability bar.newRef is not included in capture set {}.
+   |
+   | longer explanation available when compiling with `-explain`

tests/neg-custom-args/captures/apply-fresh.scala

@@ -0,0 +1,25 @@
+object Test
+
+class Ref
+
+class Foo:
+  def newRef: Ref^ = Ref()
+
+class Bar:
+  val newRef: Ref^ = Ref()
+
+def newRef: Ref^ = Ref()
+
+def test =
+
+  val f = () => newRef
+  val x = f()
+  val _: Ref = x // error
+
+  val foo = Foo()
+  val y = foo.newRef
+  val _: Ref = y // error
+
+  val bar = Bar()
+  val z = bar.newRef
+  val _: Ref = z // error

tests/neg-custom-args/captures/capt-depfun.check

@@ -1,11 +1,12 @@
 -- [E007] Type Mismatch Error: tests/neg-custom-args/captures/capt-depfun.scala:11:43 ----------------------------------
 11 |  val dc: ((Str^{y, z}) => Str^{y, z}) = ac(g()) // error
    |                                         ^^^^^^^
-   |                                         Found:    Str^{} ->{ac, y, z} Str^{y, z}
-   |                                         Required: Str^{y, z} => Str^{y, z}
+   |Found:    Str^{} => Str^{y, z}
+   |Required: Str^{y, z} =>² Str^{y, z}
    |
-   |                                         Note that capability y is not included in capture set {}.
+   |Note that capability y is not included in capture set {}.
    |
-   |                                         where:    => refers to a fresh root capability in the type of value dc
+   |where:    =>  refers to a fresh root capability created in value dc when instantiating method apply's type (x: C^): Str^{x} =>³ Str^{x}
+   |          =>² refers to a fresh root capability in the type of value dc
    |
    | longer explanation available when compiling with `-explain`

tests/neg-custom-args/captures/caseclass/Test_2.scala

@@ -22,4 +22,4 @@ def test(c: C) =
 
   val y4 = y3 match
     case Ref(xx) => xx
-  val y4c: () ->{y3} Unit = y4
+  val y4c: () ->{y3} Unit = y4 // error

tests/neg-custom-args/captures/linear-buffer-2.check

@@ -1,11 +1,11 @@
 -- Error: tests/neg-custom-args/captures/linear-buffer-2.scala:13:13 ---------------------------------------------------
 13 |  val buf3 = buf.append(3) // error
    |             ^^^
-   |             Separation failure: Illegal access to {buf} which is hidden by the previous definition
-   |             of value buf1 with type Buffer[Int]^.
-   |             This type hides capabilities  {buf}
+   |             Separation failure: Illegal access to (buf : Buffer[Int]^), which was passed to a
+   |             consume parameter or was used as a prefix to a consume method on line 11
+   |             and therefore is no longer available.
    |
-   |             where:    ^ refers to a fresh root capability classified as Mutable in the type of value buf1
+   |             where:    ^ refers to a fresh root capability classified as Mutable in the type of parameter buf
 -- Error: tests/neg-custom-args/captures/linear-buffer-2.scala:20:13 ---------------------------------------------------
 20 |  val buf3 = buf1.append(4) // error
    |             ^^^^

tests/neg-custom-args/captures/nested-classes-2.check

@@ -0,0 +1,11 @@
+-- [E007] Type Mismatch Error: tests/neg-custom-args/captures/nested-classes-2.scala:9:36 ------------------------------
+9 |    val cc3: cc1.C2^{cc1, x1, x2} = cc2 // error
+  |                                    ^^^
+  |                              Found:    cc1.C2{val y1: () ->{cc2*} Unit; val y2: (() => Unit) ->{cc2*} Unit}^{cc2}
+  |                              Required: cc1.C2^{cc1, x1, x2}
+  |
+  |                              Note that capability cc2 is not included in capture set {cc1, x1, x2}.
+  |
+  |                              where:    => refers to the universal root capability
+  |
+  | longer explanation available when compiling with `-explain`

tests/pos-custom-args/captures/nested-classes-2.scala renamed to tests/neg-custom-args/captures/nested-classes-2.scala

@@ -6,5 +6,7 @@ def test2(x1: (() => Unit), x2: (() => Unit) => Unit) =
   def test3(y1: (() => Unit), y2: (() => Unit) => Unit) =
     val cc1: C1^{y1, y2} = C1(y1, y2)
     val cc2 = cc1.c2(x1, x2)
-    val cc3: cc1.C2^{cc1, x1, x2} = cc2
+    val cc3: cc1.C2^{cc1, x1, x2} = cc2 // error
+    val cc4: cc1.C2^{cc2} = cc2 // ok
+
 

tests/neg-custom-args/captures/reaches.check

@@ -81,26 +81,22 @@
    |                    ^³ and cap² refer to a fresh root capability in the type of value id
    |
    | longer explanation available when compiling with `-explain`
--- [E007] Type Mismatch Error: tests/neg-custom-args/captures/reaches.scala:67:38 --------------------------------------
-67 |  val leaked = usingFile[File^{id*}]: f => // error
-   |                                      ^
-   |Found:    (f: File^'s6) ->'s7 File^{id*}
-   |Required: File^ => File^{id*}
+-- [E007] Type Mismatch Error: tests/neg-custom-args/captures/reaches.scala:68:27 --------------------------------------
+68 |    val f1: File^{id*} = id(f)   // error
+   |                         ^^^^^
+   |Found:    File^
+   |Required: File^{id*}
    |
    |Note that capability cap is not included in capture set {id*}.
    |
-   |where:    =>  refers to a fresh root capability created in value leaked when checking argument to parameter f of method usingFile
-   |          ^   refers to the universal root capability
-   |          cap is a fresh root capability created in anonymous function of type (f: File^'s6): File^{id*} of parameter parameter f² of method $anonfun
-68 |    val f1: File^{id*} = id(f)
-69 |    f1
+   |where:    ^ and cap refer to a fresh root capability created in value f1 when instantiating method apply's type (x: File^²): File^³
    |
    | longer explanation available when compiling with `-explain`
 -- [E007] Type Mismatch Error: tests/neg-custom-args/captures/reaches.scala:85:10 --------------------------------------
 85 |  ps.map((x, y) => compose1(x, y)) // error
    |          ^^^^^^^^^^^^^^^^^^^^^^^
-   |Found:    (x$1: (A^ ->'s8 A^'s9, A^ ->'s10 A^'s11)^'s12) ->'s13 A^'s14 ->'s15 A^'s16
-   |Required: ((A ->{ps*} A, A ->{ps*} A)) => A^'s17 ->'s18 A^'s19
+   |Found:    (x$1: (A^ ->'s6 A^'s7, A^ ->'s8 A^'s9)^'s10) ->'s11 A^'s12 ->'s13 A^'s14
+   |Required: ((A ->{ps*} A, A ->{ps*} A)) => A^'s15 ->'s16 A^'s17
    |
    |Note that capability ps* cannot be included in capture set {} of value x.
    |
@@ -111,8 +107,8 @@
 -- [E007] Type Mismatch Error: tests/neg-custom-args/captures/reaches.scala:88:10 --------------------------------------
 88 |  ps.map((x, y) => compose1(x, y)) // error
    |          ^^^^^^^^^^^^^^^^^^^^^^^
-   |Found:    (x$1: (A^ ->'s20 A^'s21, A^ ->'s22 A^'s23)^'s24) ->'s25 A^'s26 ->'s27 A^'s28
-   |Required: ((A ->{C} A, A ->{C} A)) => A^'s29 ->'s30 A^'s31
+   |Found:    (x$1: (A^ ->'s18 A^'s19, A^ ->'s20 A^'s21)^'s22) ->'s23 A^'s24 ->'s25 A^'s26
+   |Required: ((A ->{C} A, A ->{C} A)) => A^'s27 ->'s28 A^'s29
    |
    |Note that capability C cannot be included in capture set {} of value x.
    |