Introduce only-capabilities

Basic representations and definitions, so that we can parse only-capabilities,
convert them to internal representation `Restrict(c, cls)`, not crash on them during
capture checking and print them out correctly.

Author: odersky

compiler/src/dotty/tools/dotc/ast/untpd.scala

@@ -556,6 +556,9 @@ object untpd extends Trees.Instance[Untyped] with UntypedTreeInfo {
   def makeReadOnlyAnnot()(using Context): Tree =
     New(ref(defn.ReadOnlyCapabilityAnnot.typeRef), Nil :: Nil)
 
+  def makeOnlyAnnot(qid: Tree)(using Context) =
+    New(AppliedTypeTree(ref(defn.OnlyCapabilityAnnot.typeRef), qid :: Nil), Nil :: Nil)
+
   def makeConstructor(tparams: List[TypeDef], vparamss: List[List[ValDef]], rhs: Tree = EmptyTree)(using Context): DefDef =
     DefDef(nme.CONSTRUCTOR, joinParams(tparams, vparamss), TypeTree(), rhs)
 

compiler/src/dotty/tools/dotc/cc/Capability.scala

@@ -39,8 +39,9 @@ import annotation.internal.sharable
  *               |                      +-- SetCapability -----+-- TypeRef
  *               |                                             +-- TypeParamRef
  *               |
- *               +-- DerivedCapability -+-- ReadOnly
- *                                      +-- Reach
+ *               +-- DerivedCapability -+-- Reach
+ *                                      +-- Only
+ *                                      +-- ReadOnly
  *                                      +-- Maybe
  *
  *  All CoreCapabilities are Types, or, more specifically instances of TypeProxy.
@@ -96,9 +97,18 @@ object Capabilities:
    *  but they can wrap reach capabilities. We have
    *      (x?).readOnly = (x.rd)?
    */
-  case class ReadOnly(underlying: ObjectCapability | RootCapability | Reach)
-  extends DerivedCapability:
-    assert(!underlying.isInstanceOf[Maybe])
+  case class ReadOnly(underlying: ObjectCapability | RootCapability | Reach | Restricted)
+  extends DerivedCapability
+
+  /** The restricted capability `x.only[C]`. We have {x.only[C]} <: {x}.
+   *
+   *  Restricted capabilities cannot wrap maybe capabilities or read-only capabilities
+   *  but they can wrap reach capabilities. We have
+   *      (x?).restrict[T] = (x.restrict[T])?
+   *      (x.rd).restrict[T] = (x.restrict[T]).rd
+   */
+  case class Restricted(underlying: ObjectCapability | RootCapability | Reach, cls: ClassSymbol)
+  extends DerivedCapability
 
   /** If `x` is a capability, its reach capability `x*`. `x*` stands for all
    *  capabilities reachable through `x`.
@@ -109,11 +119,11 @@ object Capabilities:
    *
    *  Reach capabilities cannot wrap read-only capabilities or maybe capabilities.
    *  We have
-   *      (x.rd).reach = x*.rd
-   *      (x.rd)?      = (x*)?
+   *      (x?).reach        = (x.reach)?
+   *      (x.rd).reach      = (x.reach).rd
+   *      (x.only[T]).reach = (x*).only[T]
    */
-  case class Reach(underlying: ObjectCapability) extends DerivedCapability:
-    assert(!underlying.isInstanceOf[Maybe | ReadOnly])
+  case class Reach(underlying: ObjectCapability) extends DerivedCapability
 
   /** The global root capability referenced as `caps.cap`
    *  `cap` does not subsume other capabilities, except in arguments of
@@ -124,6 +134,7 @@ object Capabilities:
     def descr(using Context) = "the universal root capability"
     override val maybe = Maybe(this)
     override val readOnly = ReadOnly(this)
+    override def restrict(cls: ClassSymbol)(using Context) = Restricted(this, cls)
     override def reach = unsupported("cap.reach")
     override def singletonCaptureSet(using Context) = CaptureSet.universal
     override def captureSetOfInfo(using Context) = singletonCaptureSet
@@ -242,7 +253,7 @@ object Capabilities:
   /** A trait for references in CaptureSets. These can be NamedTypes, ThisTypes or ParamRefs,
    *  as well as three kinds of AnnotatedTypes representing readOnly, reach, and maybe capabilities.
    *  If there are several annotations they come with an order:
-   *  `*` first, `.rd` next, `?` last.
+   *  `*` first, `.only` next, `.rd` next, `?` last.
    */
   trait Capability extends Showable:
 
@@ -254,7 +265,15 @@ object Capabilities:
     protected def cached[C <: DerivedCapability](newRef: C): C =
       def recur(refs: List[DerivedCapability]): C = refs match
         case ref :: refs1 =>
-          if ref.getClass == newRef.getClass then ref.asInstanceOf[C] else recur(refs1)
+          val exists = ref match
+            case Restricted(_, cls) =>
+              newRef match
+                case Restricted(_, newCls) => cls == newCls
+                case _ => false
+            case _ =>
+              ref.getClass == newRef.getClass
+          if exists then ref.asInstanceOf[C]
+          else recur(refs1)
         case Nil =>
           myDerived = newRef :: myDerived
           newRef
@@ -267,11 +286,24 @@ object Capabilities:
     def readOnly: ReadOnly | Maybe = this match
       case Maybe(ref1) => Maybe(ref1.readOnly)
       case self: ReadOnly => self
-      case self: (ObjectCapability | RootCapability | Reach) => cached(ReadOnly(self))
-
-    def reach: Reach | ReadOnly | Maybe = this match
+      case self: (ObjectCapability | RootCapability | Reach | Restricted) => cached(ReadOnly(self))
+
+    def restrict(cls: ClassSymbol)(using Context): Restricted | ReadOnly | Maybe = this match
+      case Maybe(ref1) => Maybe(ref1.restrict(cls))
+      case ReadOnly(ref1) => ReadOnly(ref1.restrict(cls).asInstanceOf[Restricted])
+      case self @ Restricted(ref1, prevCls) =>
+        val combinedCls =
+          if prevCls.isSubClass(cls) then prevCls
+          else if cls.isSubClass(prevCls) then cls
+          else defn.NothingClass
+        if combinedCls == prevCls then self
+        else cached(Restricted(ref1, combinedCls))
+      case self: (ObjectCapability | RootCapability | Reach) => cached(Restricted(self, cls))
+
+    def reach: Reach | Restricted | ReadOnly | Maybe = this match
       case Maybe(ref1) => Maybe(ref1.reach)
-      case ReadOnly(ref1) => ReadOnly(ref1.reach.asInstanceOf[Reach])
+      case ReadOnly(ref1) => ReadOnly(ref1.reach.asInstanceOf[Reach | Restricted])
+      case Restricted(ref1, cls) => Restricted(ref1.reach.asInstanceOf[Reach], cls)
       case self: Reach => self
       case self: ObjectCapability => cached(Reach(self))
 
@@ -285,6 +317,12 @@ object Capabilities:
       case tp: SetCapability => tp.captureSetOfInfo.isReadOnly
       case _ => this ne stripReadOnly
 
+    final def restriction(using Context): Symbol = this match
+      case Restricted(_, cls) => cls
+      case ReadOnly(ref1) => ref1.restriction
+      case Maybe(ref1) => ref1.restriction
+      case _ => NoSymbol
+
     /** Is this a reach reference of the form `x*` or a readOnly or maybe variant
      *  of a reach reference?
      */
@@ -299,6 +337,12 @@ object Capabilities:
       case Maybe(ref1) => ref1.stripReadOnly.maybe
       case _ => this
 
+    final def stripRestricted(using Context): Capability = this match
+      case Restricted(ref1, _) => ref1
+      case ReadOnly(ref1) => ref1.stripRestricted.readOnly
+      case Maybe(ref1) => ref1.stripRestricted.maybe
+      case _ => this
+
     final def stripReach(using Context): Capability = this match
       case Reach(ref1) => ref1
       case ReadOnly(ref1) => ref1.stripReach.readOnly

compiler/src/dotty/tools/dotc/cc/CaptureOps.scala

@@ -80,6 +80,8 @@ extension (tp: Type)
       tp1.toCapability.reach
     case ReadOnlyCapability(tp1) =>
       tp1.toCapability.readOnly
+    case OnlyCapability(tp1, cls) =>
+      tp1.toCapability.restrict(cls) // for now
     case ref: TermRef if ref.isCapRef =>
       GlobalCap
     case ref: Capability if ref.isTrackableRef =>
@@ -587,7 +589,6 @@ abstract class AnnotatedCapability(annotCls: Context ?=> ClassSymbol):
   def unapply(tree: AnnotatedType)(using Context): Option[Type] = tree match
     case AnnotatedType(parent: Type, ann) if ann.hasSymbol(annotCls) => Some(parent)
     case _ => None
-
 end AnnotatedCapability
 
 /** An extractor for `ref @readOnlyCapability`, which is used to express
@@ -605,6 +606,17 @@ object ReachCapability extends AnnotatedCapability(defn.ReachCapabilityAnnot)
  */
 object MaybeCapability extends AnnotatedCapability(defn.MaybeCapabilityAnnot)
 
+object OnlyCapability:
+  def apply(tp: Type, cls: ClassSymbol)(using Context): AnnotatedType =
+    AnnotatedType(tp,
+      Annotation(defn.OnlyCapabilityAnnot.typeRef.appliedTo(cls.typeRef), Nil, util.Spans.NoSpan))
+
+  def unapply(tree: AnnotatedType)(using Context): Option[(Type, ClassSymbol)] = tree match
+    case AnnotatedType(parent: Type, ann) if ann.hasSymbol(defn.OnlyCapabilityAnnot) =>
+      Some((parent, ann.tree.tpe.argTypes.head.classSymbol.asClass))
+    case _ => None
+end OnlyCapability
+
 /** An extractor for all kinds of function types as well as method and poly types.
  *  It includes aliases of function types such as `=>`. TODO: Can we do without?
  *  @return  1st half: The argument types or empty if this is a type function

compiler/src/dotty/tools/dotc/cc/CaptureSet.scala

@@ -403,6 +403,8 @@ sealed abstract class CaptureSet extends Showable:
 
   def maybe(using Context): CaptureSet = map(MaybeMap())
 
+  def restrict(cls: ClassSymbol)(using Context): CaptureSet = map(RestrictMap(cls))
+
   def readOnly(using Context): CaptureSet =
     val res = map(ReadOnlyMap())
     if mutability != Ignored then res.mutability = Reader
@@ -1344,9 +1346,10 @@ object CaptureSet:
 
   /** A template for maps on capabilities where f(c) <: c and f(f(c)) = c */
   private abstract class NarrowingCapabilityMap(using Context) extends BiTypeMap:
-
     def apply(t: Type) = mapOver(t)
 
+    protected def isSameMap(other: BiTypeMap) = other.getClass == getClass
+
     override def fuse(next: BiTypeMap)(using Context) = next match
       case next: Inverse if next.inverse.getClass == getClass => Some(IdentityTypeMap)
       case next: NarrowingCapabilityMap if next.getClass == getClass => Some(this)
@@ -1358,8 +1361,8 @@ object CaptureSet:
       def inverse = NarrowingCapabilityMap.this
       override def toString = NarrowingCapabilityMap.this.toString ++ ".inverse"
       override def fuse(next: BiTypeMap)(using Context) = next match
-        case next: NarrowingCapabilityMap if next.inverse.getClass == getClass => Some(IdentityTypeMap)
-        case next: NarrowingCapabilityMap if next.getClass == getClass => Some(this)
+        case next: NarrowingCapabilityMap if isSameMap(next.inverse) => Some(IdentityTypeMap)
+        case next: NarrowingCapabilityMap if isSameMap(next) => Some(this)
         case _ => None
 
     lazy val inverse = Inverse()
@@ -1375,6 +1378,13 @@ object CaptureSet:
     override def mapCapability(c: Capability, deep: Boolean) = c.readOnly
     override def toString = "ReadOnly"
 
+  private class RestrictMap(val cls: ClassSymbol)(using Context) extends NarrowingCapabilityMap:
+    override def mapCapability(c: Capability, deep: Boolean) = c.restrict(cls)
+    override def toString = "Restrict"
+    override def isSameMap(other: BiTypeMap) = other match
+      case other: RestrictMap => cls == other.cls
+      case _ => false
+
   /* Not needed:
   def ofClass(cinfo: ClassInfo, argTypes: List[Type])(using Context): CaptureSet =
     CaptureSet.empty
@@ -1402,6 +1412,9 @@ object CaptureSet:
     case Reach(c1) =>
       c1.widen.deepCaptureSet(includeTypevars = true)
         .showing(i"Deep capture set of $c: ${c1.widen} = ${result}", capt)
+    case Restricted(c1, cls) =>
+      if cls == defn.NothingClass then CaptureSet.empty
+      else c1.captureSetOfInfo.restrict(cls) // todo: should we simplify using subsumption here?
     case ReadOnly(c1) =>
       c1.captureSetOfInfo.readOnly
     case Maybe(c1) =>

compiler/src/dotty/tools/dotc/cc/CheckCaptures.scala

@@ -113,6 +113,8 @@ object CheckCaptures:
           report.error(em"Cannot form a reach capability from `cap`", ann.srcPos)
       case ReadOnlyCapability(ref) =>
         check(ref)
+      case OnlyCapability(ref, cls) =>
+        check(ref)
       case tpe =>
         report.error(em"$elem: $tpe is not a legal element of a capture set", ann.srcPos)
     ann.retainedSet.retainedElementsRaw.foreach(check)

compiler/src/dotty/tools/dotc/cc/SepCheck.scala

@@ -256,6 +256,7 @@ object SepCheck:
 
       def hiddenByElem(elem: Capability): Refs = elem match
         case elem: FreshCap => elem.hiddenSet.elems ++ recur(elem.hiddenSet.elems)
+        case Restricted(elem1, cls) => hiddenByElem(elem1).map(_.restrict(cls))
         case ReadOnly(elem1) => hiddenByElem(elem1).map(_.readOnly)
         case _ => emptyRefs
 

compiler/src/dotty/tools/dotc/core/Definitions.scala

@@ -1092,6 +1092,7 @@ class Definitions {
   @tu lazy val ReachCapabilityAnnot = requiredClass("scala.annotation.internal.reachCapability")
   @tu lazy val RootCapabilityAnnot = requiredClass("scala.caps.internal.rootCapability")
   @tu lazy val ReadOnlyCapabilityAnnot = requiredClass("scala.annotation.internal.readOnlyCapability")
+  @tu lazy val OnlyCapabilityAnnot = requiredClass("scala.annotation.internal.onlyCapability")
   @tu lazy val RequiresCapabilityAnnot: ClassSymbol = requiredClass("scala.annotation.internal.requiresCapability")
   @tu lazy val RetainsAnnot: ClassSymbol = requiredClass("scala.annotation.retains")
   @tu lazy val RetainsCapAnnot: ClassSymbol = requiredClass("scala.annotation.retainsCap")

compiler/src/dotty/tools/dotc/core/StdNames.scala

@@ -568,6 +568,7 @@ object StdNames {
     val null_ : N               = "null"
     val ofDim: N                = "ofDim"
     val on: N                   = "on"
+    val only: N                 = "only"
     val opaque: N               = "opaque"
     val open: N                 = "open"
     val ordinal: N              = "ordinal"

compiler/src/dotty/tools/dotc/core/Types.scala

@@ -6282,6 +6282,10 @@ object Types extends TypeUtils {
       case c: RootCapability => c
       case Reach(c1) =>
         mapCapability(c1, deep = true)
+      case Restricted(c1, cls) =>
+        mapCapability(c1) match
+          case c2: Capability => c2.restrict(cls)
+          case (cs: CaptureSet, exact) => (cs.restrict(cls), exact)
       case ReadOnly(c1) =>
         assert(!deep)
         mapCapability(c1) match

compiler/src/dotty/tools/dotc/parsing/Parsers.scala

@@ -1587,24 +1587,35 @@ object Parsers {
       case _ => None
     }
 
-    /** CaptureRef  ::=  { SimpleRef `.` } SimpleRef [`*`] [`.` `rd`] -- under captureChecking
+    /** CaptureRef  ::=  { SimpleRef `.` } SimpleRef [`*`] [CapFilter] [`.` `rd`] -- under captureChecking
+     *  CapFilter   ::=  `.` `as` `[` QualId `]`
      */
     def captureRef(): Tree =
 
-      def derived(ref: Tree, ann: () => Tree) =
-        in.nextToken()
-        atSpan(startOffset(ref)) { Annotated(ref, ann()) }
+      def derived(ref: Tree): Tree =
+        atSpan(startOffset(ref)):
+          if in.isIdent(nme.raw.STAR) then
+            in.nextToken()
+            Annotated(ref, makeReachAnnot())
+          else if in.isIdent(nme.rd) then
+            in.nextToken()
+            Annotated(ref, makeReadOnlyAnnot())
+          else if in.isIdent(nme.only) then
+            in.nextToken()
+            Annotated(ref, makeOnlyAnnot(inBrackets(convertToTypeId(qualId()))))
+          else assert(false)
 
       def recur(ref: Tree): Tree =
         if in.token == DOT then
           in.nextToken()
-          if in.isIdent(nme.rd) then derived(ref, makeReadOnlyAnnot)
+          if in.isIdent(nme.rd) || in.isIdent(nme.only) then derived(ref)
           else recur(selector(ref))
         else if in.isIdent(nme.raw.STAR) then
-          val reachRef = derived(ref, makeReachAnnot)
-          if in.token == DOT && in.lookahead.isIdent(nme.rd) then
+          val reachRef = derived(ref)
+          val next = in.lookahead
+          if in.token == DOT && (next.isIdent(nme.rd) || next.isIdent(nme.only)) then
             in.nextToken()
-            derived(reachRef, makeReadOnlyAnnot)
+            derived(reachRef)
           else reachRef
         else ref