Introduce checked exceptions

Introduce a flexible scheme for declaring and checking exceptions that can be thrown.
It relies on the _effects as implicit capabilities_ pattern.

The scheme is not 100% safe yet since it does not track and prevent capability capture.
Nevertheless, it's already useful for declaring thrown exceptions and finding mismatches
between provided and required capabilities.

Author: odersky

compiler/src/dotty/tools/dotc/config/Feature.scala

@@ -19,12 +19,13 @@ object Feature:
   private def deprecated(str: String): TermName =
     QualifiedName(nme.deprecated, str.toTermName)
 
-  private val namedTypeArguments = experimental("namedTypeArguments")
-  private val genericNumberLiterals = experimental("genericNumberLiterals")
-  private val macros = experimental("macros")
+  val namedTypeArguments = experimental("namedTypeArguments")
+  val genericNumberLiterals = experimental("genericNumberLiterals")
+  val macros = experimental("macros")
 
   val dependent = experimental("dependent")
   val erasedTerms = experimental("erasedTerms")
+  val saferExceptions = experimental("saferExceptions")
   val symbolLiterals: TermName = deprecated("symbolLiterals")
 
 /** Is `feature` enabled by by a command-line setting? The enabling setting is

compiler/src/dotty/tools/dotc/core/Definitions.scala

@@ -653,8 +653,11 @@ class Definitions {
 
   // in scalac modified to have Any as parent
 
-  @tu lazy val ThrowableType: TypeRef          = requiredClassRef("java.lang.Throwable")
-  def ThrowableClass(using Context): ClassSymbol = ThrowableType.symbol.asClass
+  @tu lazy val ThrowableType: TypeRef             = requiredClassRef("java.lang.Throwable")
+  def ThrowableClass(using Context): ClassSymbol  = ThrowableType.symbol.asClass
+  @tu lazy val ExceptionClass: ClassSymbol        = requiredClass("java.lang.Exception")
+  @tu lazy val RuntimeExceptionClass: ClassSymbol = requiredClass("java.lang.RuntimeException")
+
   @tu lazy val SerializableType: TypeRef       = JavaSerializableClass.typeRef
   def SerializableClass(using Context): ClassSymbol = SerializableType.symbol.asClass
 
@@ -818,6 +821,8 @@ class Definitions {
       val methodName = if CanEqualClass.name == tpnme.Eql then nme.eqlAny else nme.canEqualAny
       CanEqualClass.companionModule.requiredMethod(methodName)
 
+  @tu lazy val CanThrowClass: ClassSymbol = requiredClass("scala.CanThrow")
+
   @tu lazy val TypeBoxClass: ClassSymbol = requiredClass("scala.runtime.TypeBox")
     @tu lazy val TypeBox_CAP: TypeSymbol = TypeBoxClass.requiredType(tpnme.CAP)
 

compiler/src/dotty/tools/dotc/transform/TypeUtils.scala

@@ -24,6 +24,16 @@ object TypeUtils {
     def isErasedClass(using Context): Boolean =
       self.underlyingClassRef(refinementOK = true).typeSymbol.is(Flags.Erased)
 
+    /** Is this type a checked exception? This is the case of the type
+     *  derives from Exception but not from RuntimeException. According to
+     *  that definition Throwable is unchecked. That makes sense since you should
+     *  neither throw nor catch `Throwable` anyway, so we should not define
+     *  a capability to do so.
+     */
+    def isCheckedException(using Context): Boolean =
+      self.derivesFrom(defn.ExceptionClass)
+      && !self.derivesFrom(defn.RuntimeExceptionClass)
+
     def isByName: Boolean =
       self.isInstanceOf[ExprType]
 

compiler/src/dotty/tools/dotc/typer/Checking.scala

@@ -34,8 +34,10 @@ import NameOps._
 import SymDenotations.{NoCompleter, NoDenotation}
 import Applications.unapplyArgs
 import transform.patmat.SpaceEngine.isIrrefutableUnapply
-import config.Feature._
+import config.Feature
+import config.Feature.sourceVersion
 import config.SourceVersion._
+import transform.TypeUtils.*
 
 import collection.mutable
 import reporting._
@@ -889,7 +891,7 @@ trait Checking {
                    description: => String,
                    featureUseSite: Symbol,
                    pos: SrcPos)(using Context): Unit =
-    if !enabled(name) then
+    if !Feature.enabled(name) then
       report.featureWarning(name.toString, description, featureUseSite, required = false, pos)
 
   /** Check that `tp` is a class type and that any top-level type arguments in this type
@@ -1283,6 +1285,10 @@ trait Checking {
       report.warning(
         em"""${kind} should be an instance of Matchable,
             |but it has unmatchable type $tp instead""", pos)
+
+  def checkCanThrow(tp: Type, span: Span)(using Context): Unit =
+    if Feature.enabled(Feature.saferExceptions) && tp.isCheckedException then
+      ctx.typer.implicitArgTree(defn.CanThrowClass.typeRef.appliedTo(tp), span)
 }
 
 trait ReChecking extends Checking {
@@ -1295,6 +1301,7 @@ trait ReChecking extends Checking {
   override def checkAnnotApplicable(annot: Tree, sym: Symbol)(using Context): Boolean = true
   override def checkMatchable(tp: Type, pos: SrcPos, pattern: Boolean)(using Context): Unit = ()
   override def checkNoModuleClash(sym: Symbol)(using Context) = ()
+  override def checkCanThrow(tp: Type, span: Span)(using Context): Unit = ()
 }
 
 trait NoChecking extends ReChecking {

compiler/src/dotty/tools/dotc/typer/ReTyper.scala

@@ -114,6 +114,9 @@ class ReTyper extends Typer with ReChecking {
       super.handleUnexpectedFunType(tree, fun)
   }
 
+  override def addCanThrowCapabilities(expr: untpd.Tree, cases: List[CaseDef])(using Context): untpd.Tree =
+    expr
+
   override def typedUnadapted(tree: untpd.Tree, pt: Type, locked: TypeVars)(using Context): Tree =
     try super.typedUnadapted(tree, pt, locked)
     catch {

compiler/src/dotty/tools/dotc/typer/Typer.scala

@@ -38,7 +38,8 @@ import annotation.tailrec
 import Implicits._
 import util.Stats.record
 import config.Printers.{gadts, typr, debug}
-import config.Feature._
+import config.Feature
+import config.Feature.{sourceVersion, migrateTo3}
 import config.SourceVersion._
 import rewrites.Rewrites.patch
 import NavigateAST._
@@ -695,7 +696,7 @@ class Typer extends Namer
           case Whole(16) => // cant parse hex literal as double
           case _         => return lit(doubleFromDigits(digits))
         }
-      else if genericNumberLiteralsEnabled
+      else if Feature.enabled(Feature.genericNumberLiterals)
           && target.isValueType && isFullyDefined(target, ForceDegree.none)
       then
         // If expected type is defined with a FromDigits instance, use that one
@@ -1711,10 +1712,30 @@ class Typer extends Namer
         .withNotNullInfo(body1.notNullInfo.retractedInfo.seq(cond1.notNullInfoIf(false)))
     }
 
+  /** Add givens reflecting `CanThrow` capabilities for all checked exceptions matched
+   *  by `cases`. The givens appear in nested blocks with earlier cases leading to
+   *  more deeply nested givens. This way, given priority will be the same as pattern priority.
+   *  The functionality is enabled if the experimental.saferExceptions language feature is enabled.
+   */
+  def addCanThrowCapabilities(expr: untpd.Tree, cases: List[CaseDef])(using Context): untpd.Tree =
+    def makeCanThrow(tp: Type): untpd.Tree =
+      untpd.ValDef(
+          EvidenceParamName.fresh(),
+          untpd.TypeTree(defn.CanThrowClass.typeRef.appliedTo(tp)),
+          untpd.ref(defn.Predef_undefined))
+        .withFlags(Given | Final | Lazy | Erased)
+        .withSpan(expr.span)
+    val caps =
+      for
+        CaseDef(pat, _, _) <- cases
+        if Feature.enabled(Feature.saferExceptions) && pat.tpe.widen.isCheckedException
+      yield makeCanThrow(pat.tpe.widen)
+    caps.foldLeft(expr)((e, g) => untpd.Block(g :: Nil, e))
+
   def typedTry(tree: untpd.Try, pt: Type)(using Context): Try = {
     val expr2 :: cases2x = harmonic(harmonize, pt) {
-      val expr1 = typed(tree.expr, pt.dropIfProto)
       val cases1 = typedCases(tree.cases, EmptyTree, defn.ThrowableType, pt.dropIfProto)
+      val expr1 = typed(addCanThrowCapabilities(tree.expr, cases1), pt.dropIfProto)
       expr1 :: cases1
     }
     val finalizer1 = typed(tree.finalizer, defn.UnitType)
@@ -1733,6 +1754,7 @@ class Typer extends Namer
 
   def typedThrow(tree: untpd.Throw)(using Context): Tree = {
     val expr1 = typed(tree.expr, defn.ThrowableType)
+    checkCanThrow(expr1.tpe.widen, tree.span)
     Throw(expr1).withSpan(tree.span)
   }
 
@@ -1828,7 +1850,7 @@ class Typer extends Namer
   def typedAppliedTypeTree(tree: untpd.AppliedTypeTree)(using Context): Tree = {
     tree.args match
       case arg :: _ if arg.isTerm =>
-        if dependentEnabled then
+        if Feature.dependentEnabled then
           return errorTree(tree, i"Not yet implemented: T(...)")
         else
           return errorTree(tree, dependentStr)
@@ -1925,7 +1947,7 @@ class Typer extends Namer
     typeIndexedLambdaTypeTree(tree, tparams, body)
 
   def typedTermLambdaTypeTree(tree: untpd.TermLambdaTypeTree)(using Context): Tree =
-    if dependentEnabled then
+    if Feature.dependentEnabled then
       errorTree(tree, i"Not yet implemented: (...) =>> ...")
     else
       errorTree(tree, dependentStr)
@@ -2303,7 +2325,7 @@ class Typer extends Namer
         ctx.phase.isTyper &&
         cdef1.symbol.ne(defn.DynamicClass) &&
         cdef1.tpe.derivesFrom(defn.DynamicClass) &&
-        !dynamicsEnabled
+        !Feature.dynamicsEnabled
       if (reportDynamicInheritance) {
         val isRequired = parents1.exists(_.tpe.isRef(defn.DynamicClass))
         report.featureWarning(nme.dynamics.toString, "extension of type scala.Dynamic", cls, isRequired, cdef.srcPos)
@@ -3216,7 +3238,7 @@ class Typer extends Namer
         case args =>
           args.lengthCompare(1) > 0
           && isUnary(funType)
-          && autoTuplingEnabled
+          && Feature.autoTuplingEnabled
 
     def adaptToArgs(wtp: Type, pt: FunProto): Tree = wtp match {
       case wtp: MethodOrPoly =>
@@ -3424,7 +3446,7 @@ class Typer extends Namer
       def isAutoApplied(sym: Symbol): Boolean =
         sym.isConstructor
         || sym.matchNullaryLoosely
-        || warnOnMigration(MissingEmptyArgumentList(sym.show), tree.srcPos)
+        || Feature.warnOnMigration(MissingEmptyArgumentList(sym.show), tree.srcPos)
            && { patch(tree.span.endPos, "()"); true }
 
       // Reasons NOT to eta expand:
@@ -3755,7 +3777,7 @@ class Typer extends Namer
         case ref: TermRef =>
           pt match {
             case pt: FunProto
-            if needsTupledDual(ref, pt) && autoTuplingEnabled =>
+            if needsTupledDual(ref, pt) && Feature.autoTuplingEnabled =>
               adapt(tree, pt.tupledDual, locked)
             case _ =>
               adaptOverloaded(ref)

docs/docs/reference/metaprogramming/erased-terms.md

@@ -9,6 +9,7 @@ title: "Erased Terms And Classes"
 import scala.language.experimental.erased
 ```
 or by setting the command line option `-language:experimental.erased`.
+
 ## Why erased terms?
 
 Let's describe the motivation behind erased terms with an example. In the

library/src-bootstrapped/scala/CanThrow.scala

@@ -0,0 +1,19 @@
+package scala
+import language.experimental.erasedTerms
+import annotation.implicitNotFound
+
+/** A capability class that allows to throw exception `E`. When used with the
+ *  experimental.saferThrows feature, a `throw Ex` expression will require
+ *  a given of class `CanThrow[Ex]` to be available.
+ */
+@implicitNotFound("The capability to throw exception ${E} is missing.\nThe capability can be provided by one of the following:\n - A using clause `(using CanThrow[${E}])`\n - A `canThrow` clause in a result type such as `X canThrow ${E}`\n - an enclosing `try` that catches ${E}")
+erased class CanThrow[-E <: Exception]
+
+/** A helper type to allow syntax like
+ *
+ *    def f(): T throws Ex
+ */
+infix type canThrow[R, +E <: Exception] = CanThrow[E] ?=> R
+
+object unsafeExceptions:
+  given canThrowAny[E <: Exception]: CanThrow[E] = ???

library/src/scala/runtime/stdLibPatches/language.scala

@@ -37,9 +37,15 @@ object language:
       */
     object genericNumberLiterals
 
-    /** Experimental support for `erased` modifier */
+    /** Experimental support for `erased` modifier
+     *
+     *  @see [[https://dotty.epfl.ch/docs/reference/metaprogramming/erased-terms]]
+     */
     object erasedTerms
 
+    /** Experimental support for typechecked exception capabilities */
+    object saferExceptions
+
   end experimental
 
   /** The deprecated object contains features that are no longer officially suypported in Scala.

tests/neg/saferExceptions.check

@@ -0,0 +1,26 @@
+-- Error: tests/neg/saferExceptions.scala:12:16 ------------------------------------------------------------------------
+12 |      case 4 => throw Exception()             // error
+   |                ^^^^^^^^^^^^^^^^^
+   |                The capability to throw exception Exception is missing.
+   |                The capability can be provided by one of the following:
+   |                 - A using clause `(using CanThrow[Exception])`
+   |                 - A `canThrow` clause in a result type such as `X canThrow Exception`
+   |                 - an enclosing `try` that catches Exception
+   |
+   |                The following import might fix the problem:
+   |
+   |                  import unsafeExceptions.canThrowAny
+   |
+-- Error: tests/neg/saferExceptions.scala:17:48 ------------------------------------------------------------------------
+17 |  def baz(x: Int): Int canThrow Failure = bar(x)  // error
+   |                                                ^
+   |                                The capability to throw exception java.io.IOException is missing.
+   |                                The capability can be provided by one of the following:
+   |                                 - A using clause `(using CanThrow[java.io.IOException])`
+   |                                 - A `canThrow` clause in a result type such as `X canThrow java.io.IOException`
+   |                                 - an enclosing `try` that catches java.io.IOException
+   |
+   |                                The following import might fix the problem:
+   |
+   |                                  import unsafeExceptions.canThrowAny
+   |

tests/neg/saferExceptions.scala

@@ -0,0 +1,17 @@
+object test:
+  import language.experimental.saferExceptions
+  import java.io.IOException
+
+  class Failure extends Exception
+
+  def bar(x: Int): Int canThrow Failure canThrow IOException =
+    x match
+      case 1 => throw AssertionError()
+      case 2 => throw Failure()               // ok
+      case 3 => throw java.io.IOException()   // ok
+      case 4 => throw Exception()             // error
+      case 5 => throw Throwable()             // ok: Throwable is treated as unchecked
+      case _ => 0
+
+  def foo(x: Int): Int canThrow Exception = bar(x)
+  def baz(x: Int): Int canThrow Failure = bar(x)  // error

tests/run/saferExceptions.scala

@@ -0,0 +1,34 @@
+import language.experimental.saferExceptions
+
+class Fail extends Exception
+
+def foo(x: Int) =
+  try x match
+    case 1 => throw AssertionError()
+    case 2 => throw Fail()
+    case 3 => throw java.io.IOException()
+    case 4 => throw Exception()
+    case 5 => throw Throwable()
+    case _ => 0
+  catch
+    case ex: AssertionError => 1
+    case ex: Fail => 2
+    case ex: java.io.IOException => 3
+    case ex: Exception => 4
+    case ex: Throwable => 5
+
+def bar(x: Int): Int canThrow Exception =
+  x match
+    case 1 => throw AssertionError()
+    case 2 => throw Fail()
+    case 3 => throw java.io.IOException()
+    case 4 => throw Exception()
+    case _ => 0
+
+@main def Test =
+  assert(foo(1) + foo(2) + foo(3) + foo(4) + foo(5) + foo(6) == 15)
+  import unsafeExceptions.canThrowAny
+  val x =
+    try bar(2)
+    catch case ex: Fail => 3 // OK
+  assert(x == 3)