Enforce no-exclusive capability restriction only for lazy vals in Mutable types

Author: odersky

compiler/src/dotty/tools/dotc/cc/CheckCaptures.scala

@@ -81,7 +81,7 @@ object CheckCaptures:
   end Env
 
   def definesEnv(sym: Symbol)(using Context): Boolean =
-    sym.is(Method) || sym.isClass || sym.is(Lazy)
+    sym.isOneOf(MethodOrLazy) || sym.isClass
 
   /** Similar normal substParams, but this is an approximating type map that
    *  maps parameters in contravariant capture sets to the empty set.
@@ -578,7 +578,7 @@ class CheckCaptures extends Recheck, SymTransformer:
           if !isOfNestedMethod(env) then
             val nextEnv = nextEnvToCharge(env)
             if nextEnv != null && !nextEnv.owner.isStaticOwner then
-              if env.owner.isReadOnlyMethod && nextEnv.owner != env.owner then
+              if env.owner.isReadOnlyMethodOrLazyVal && nextEnv.owner != env.owner then
                 checkReadOnlyMethod(included, env)
               recur(included, nextEnv, env)
           	// Under deferredReaches, don't propagate out of methods inside terms.
@@ -665,7 +665,7 @@ class CheckCaptures extends Recheck, SymTransformer:
      */
     override def recheckIdent(tree: Ident, pt: Type)(using Context): Type =
       val sym = tree.symbol
-      if sym.is(Method) || sym.is(Lazy) then
+      if sym.isOneOf(MethodOrLazy) then
         // If ident refers to a parameterless method or lazy val, charge its cv to the environment.
         // Lazy vals are like parameterless methods: accessing them may trigger initialization
         // that uses captured references.
@@ -690,7 +690,7 @@ class CheckCaptures extends Recheck, SymTransformer:
         case pt: PathSelectionProto if ref.isTracked =>
           // if `ref` is not tracked then the selection could not give anything new
           // class SerializationProxy in stdlib-cc/../LazyListIterable.scala has an example where this matters.
-          if pt.select.symbol.isReadOnlyMethod then
+          if pt.select.symbol.isReadOnlyMethodOrLazyVal then
             markFree(ref.readOnly, tree)
           else
             val sel = ref.select(pt.select.symbol).asInstanceOf[TermRef]
@@ -711,7 +711,7 @@ class CheckCaptures extends Recheck, SymTransformer:
     override def selectionProto(tree: Select, pt: Type)(using Context): Type =
       val sym = tree.symbol
       if !sym.isOneOf(MethodOrLazyOrMutable) && !sym.isStatic
-          || sym.isReadOnlyMethod
+          || sym.isReadOnlyMethodOrLazyVal
       then PathSelectionProto(tree, pt)
       else super.selectionProto(tree, pt)
 
@@ -746,19 +746,6 @@ class CheckCaptures extends Recheck, SymTransformer:
         checkUpdate(qualType, tree.srcPos):
           i"Cannot call update ${tree.symbol} of ${qualType.showRef}"
 
-        // Additionally, lazy val initializers should not call update methods on
-        // non-local exclusive capabilities (capabilities defined outside the lazy val)
-        if curEnv.owner.is(Lazy) then
-          qualType.captureSet.elems.foreach: elem =>
-            if elem.isExclusive then
-              val owner = elem.pathOwner
-              // Allow update methods on local capabilities (owned by the lazy val or nested within it)
-              if !owner.isContainedIn(curEnv.owner) && owner != curEnv.owner then
-                report.error(
-                  em"""Lazy val initializer calls update method on non-local exclusive capability $elem;
-                      |lazy val initializers should only access non-local capabilities in a read-only fashion.""",
-                  tree.srcPos)
-
       val origSelType = recheckSelection(tree, qualType, name, disambiguate)
       val selType = mapResultRoots(origSelType, tree.symbol)
       val selWiden = selType.widen
@@ -1161,12 +1148,10 @@ class CheckCaptures extends Recheck, SymTransformer:
           interpolateIfInferred(tree.tpt, sym)
 
         def declaredCaptures = tree.tpt.nuType.captureSet
+        curEnv = savedEnv
+
         if runInConstructor && savedEnv.owner.isClass then
-          curEnv = savedEnv
           markFree(declaredCaptures, tree, addUseInfo = false)
-        else if sym.is(Lazy) then
-          // Restore environment after checking lazy val
-          curEnv = savedEnv
 
         if sym.owner.isStaticOwner && !declaredCaptures.elems.isEmpty && sym != defn.captureRoot then
           def where =

compiler/src/dotty/tools/dotc/cc/Mutability.scala

@@ -53,21 +53,21 @@ object Mutability:
       sym.isAllOf(Mutable | Method)
         && (!sym.isSetter || sym.field.is(Transparent))
 
-    /** A read-only methid is a real method (not an accessor) in a type extending
-     *  Mutable that is not an update method.
+    /** A read-only method is a real method (not an accessor) in a type extending
+     *  Mutable that is not an update method. Included are also lazy vals in such types.
      */
-    def isReadOnlyMethod(using Context): Boolean =
-      sym.is(Method, butNot = Mutable | Accessor) && sym.owner.derivesFrom(defn.Caps_Mutable)
+    def isReadOnlyMethodOrLazyVal(using Context): Boolean =
+      sym.isOneOf(MethodOrLazy, butNot = Mutable | Accessor)
+      && sym.owner.derivesFrom(defn.Caps_Mutable)
 
     private def inExclusivePartOf(cls: Symbol)(using Context): Exclusivity =
       import Exclusivity.*
-      val encl = sym.enclosingMethodOrClass.skipConstructor
       if sym == cls then OK // we are directly in `cls` or in one of its constructors
-      else if encl.owner == cls then
-        if encl.isUpdateMethod then OK
-        else NotInUpdateMethod(encl, cls)
-      else if encl.isStatic then OutsideClass(cls)
-      else encl.owner.inExclusivePartOf(cls)
+      else if sym.owner == cls then
+        if sym.isUpdateMethod || sym.isConstructor then OK
+        else NotInUpdateMethod(sym, cls)
+      else if sym.isStatic then OutsideClass(cls)
+      else sym.owner.inExclusivePartOf(cls)
 
   extension (tp: Type)
     /** Is this a type extending `Mutable` that has non-private update methods

docs/_docs/reference/experimental/capture-checking/mutability.md

@@ -217,7 +217,7 @@ val b2: Ref^{cap.rd} = a
 
 ## Lazy Vals and Read-Only Restrictions
 
-Lazy val initializers are subject to read-only restrictions similar to those for normal methods in `Mutable` classes. Specifically, a lazy val initializer cannot call update methods on non-local exclusive capabilities—capabilities defined outside the lazy val's scope.
+Lazy val initializers in `Mutable` classes are subject to read-only restrictions similar to those for normal methods. Specifically, a lazy val initializer in a `Mutable` class cannot call update methods or refer to non-local exclusive capabilities—capabilities defined outside the lazy val's scope.
 
 ### Read-Only Initialization
 

tests/neg-custom-args/captures/lazyvals-sep.check

@@ -0,0 +1,63 @@
+-- Error: tests/neg-custom-args/captures/lazyvals-sep.scala:30:6 -------------------------------------------------------
+30 |    r.set(current * 100)  // error - exclusive access in initializer
+   |    ^^^^^
+   |    Cannot call update method set of TestClass.this.r
+   |    since the access is in lazy value lazyVal2, which is not an update method.
+-- Error: tests/neg-custom-args/captures/lazyvals-sep.scala:36:12 ------------------------------------------------------
+36 |    () => r.set(current); r.get()  // error, even though exclusive access is in closure, not initializer
+   |          ^^^^^
+   |          Cannot call update method set of TestClass.this.r
+   |          since the access is in lazy value lazyVal3, which is not an update method.
+-- Error: tests/neg-custom-args/captures/lazyvals-sep.scala:42:10 ------------------------------------------------------
+42 |        r.set(100)  // error
+   |        ^^^^^
+   |        Cannot call update method set of TestClass.this.r
+   |        since the access is in lazy value lazyVal4, which is not an update method.
+-- Error: tests/neg-custom-args/captures/lazyvals-sep.scala:61:6 -------------------------------------------------------
+61 |    r.set(200)  // error
+   |    ^^^^^
+   |    Cannot call update method set of TestClass.this.r
+   |    since the access is in lazy value lazyVal6, which is not an update method.
+-- Error: tests/neg-custom-args/captures/lazyvals-sep.scala:71:6 -------------------------------------------------------
+71 |    r.set(200)  // error
+   |    ^^^^^
+   |    Cannot call update method set of TestClass.this.r
+   |    since the access is in lazy value lazyVal8, which is not an update method.
+-- [E007] Type Mismatch Error: tests/neg-custom-args/captures/lazyvals-sep.scala:72:12 ---------------------------------
+72 |    Wrapper(r)  // error
+   |            ^
+   |Found:    Ref^{TestClass.this.r.rd}
+   |Required: Ref^
+   |
+   |Note that capability TestClass.this.r.rd is not included in capture set {}.
+   |
+   |Note that {cap} is an exclusive capture set of the mutable type Ref^,
+   |it cannot subsume a read-only capture set of the mutable type Ref^{TestClass.this.r.rd}.
+   |
+   |where:    ^ and cap refer to a fresh root capability classified as Mutable created in lazy value lazyVal8 when checking argument to parameter ref of constructor Wrapper
+   |
+   | longer explanation available when compiling with `-explain`
+-- [E007] Type Mismatch Error: tests/neg-custom-args/captures/lazyvals-sep.scala:77:12 ---------------------------------
+77 |    Wrapper(r) // error
+   |            ^
+   |Found:    Ref^{TestClass.this.r.rd}
+   |Required: Ref^
+   |
+   |Note that capability TestClass.this.r.rd is not included in capture set {}.
+   |
+   |Note that {cap} is an exclusive capture set of the mutable type Ref^,
+   |it cannot subsume a read-only capture set of the mutable type Ref^{TestClass.this.r.rd}.
+   |
+   |where:    ^ and cap refer to a fresh root capability classified as Mutable created in lazy value lazyVal9 when checking argument to parameter ref of constructor Wrapper
+   |
+   | longer explanation available when compiling with `-explain`
+-- Error: tests/neg-custom-args/captures/lazyvals-sep.scala:82:8 -------------------------------------------------------
+82 |      r.set(0)  // error exclusive access in conditional
+   |      ^^^^^
+   |      Cannot call update method set of TestClass.this.r
+   |      since the access is in lazy value lazyVal10, which is not an update method.
+-- Error: tests/neg-custom-args/captures/lazyvals-sep.scala:90:8 -------------------------------------------------------
+90 |      r.set(42)  // error
+   |      ^^^^^
+   |      Cannot call update method set of TestClass.this.r
+   |      since the access is in lazy value lazyVal11, which is not an update method.

tests/neg-custom-args/captures/lazyvals-sep.scala

@@ -15,7 +15,7 @@ class Wrapper(val ref: Ref^) extends Mutable:
 class WrapperRd(val ref: Ref^{cap.rd}):
   def compute(): Int = ref.get()
 
-@main def run =
+class TestClass extends Mutable:
   val r: Ref^ = Ref(0)
   val r2: Ref^ = Ref(42)
 
@@ -33,7 +33,7 @@ class WrapperRd(val ref: Ref^{cap.rd}):
   // Test case 3: Exclusive access in returned closure - should be OK
   lazy val lazyVal3: () ->{r} Int =
     val current = r2.get()
-    () => r.set(current); r.get()  // exclusive access in closure, not initializer
+    () => r.set(current); r.get()  // error, even though exclusive access is in closure, not initializer
 
   // Test case 4: Multiple nested blocks with exclusive access - should error
   lazy val lazyVal4: () ->{r.rd} Int =
@@ -69,12 +69,12 @@ class WrapperRd(val ref: Ref^{cap.rd}):
   // Test case 8: Wrapper type - exclusive access in initializer - should error
   lazy val lazyVal8: Wrapper^{cap, r} =
     r.set(200)  // error
-    Wrapper(r)
+    Wrapper(r)  // error
 
   // Test case 9: Wrapper type - non-exclusive access in initializer - should be ok
   lazy val lazyVal9: Wrapper^{cap, r} =
     r.get()
-    Wrapper(r)
+    Wrapper(r) // error
 
   // Test case 10: Conditional with exclusive access - should error
   lazy val lazyVal10: WrapperRd^{r} =
@@ -110,4 +110,14 @@ class WrapperRd(val ref: Ref^{cap.rd}):
   lazy val lazyVal14: () => Ref^ =
     val r3: Ref^ = Ref(10)
     r3.set(100)  // ok
-    () => r3
+    () => r3
+
+def test =
+  val r: Ref^ = Ref(0)
+  val r2: Ref^ = Ref(42)
+
+  lazy val lazyVal2: () ->{r.rd} Int =
+    val current = r2.get()
+    r.set(current * 100)  // ok, lazy vals outside Mutable can access exclusive capabilities
+    () => r.get()
+