[rbi] Mark mutable weak capture boxes containing Sendable types as immutable if they are never interprocedurally written to and teach SILIsolationInfo::isSendable that they are meant to be treated as Sendable.

The pass works by walking functions in the modules looking for mutable alloc_box
that contains a weak variable and is knowably a capture. In such a case, the
pass checks all uses of the alloc_box interprocedurally including through
closures and if provably immutable marks the box and all closure parameters as
being inferred immutable.

This change also then subsequently changes SILIsolationInfo to make it so that
such boxes are considered Sendable in a conservative manner that pattern matches
the weak reference code emission pretty closely.

The reason why I am doing this is that issue #82427 correctly tightened region
isolation checking to catch unsafe concurrent access to mutable shared
state. However, this introduced a regression for a common Swift pattern:
capturing `self` weakly in escaping closures.

The problem occurs because:

1. Weak captures are stored in heap-allocated boxes.
2. By default, these boxes are **mutable** (`var`) even if never written to after initialization
3. Mutable boxes are non-Sendable (they could be unsafely mutated from multiple threads)
4. Region isolation now correctly errors when sending non-Sendable values across isolation boundaries

This breaks code like:

```swift
@mainactor class C {
    func test() {
        timer { [weak self] in  // Captures self in a mutable box
            Task { @mainactor in
                self?.update()  // ERROR: sending mutable box risks data races
            }
        }
    }
}
```

Note how even though `self` is Sendable since it is MainActor-isolated, the *box
containing* the weak reference is not Sendable because it is mutable.

With the change in this commit, we now recognize that the box can safely be
treated as Sendable since we would never write to it.

rdar://166081666

Author: gottesmm

include/swift/SIL/OperandDatastructures.h

@@ -102,6 +102,19 @@ class OperandWorklist {
     return false;
   }
 
+  /// Pushes the operands of all uses of \p value onto the worklist if the
+  /// operands have never been pushed before. Returns \p true if we inserted
+  /// /any/ values.
+  ///
+  /// This is a bulk convenience API.
+  bool pushResultOperandsIfNotVisited(SILValue value) {
+    bool insertedOperand = false;
+    for (auto *use : value->getUses()) {
+      insertedOperand |= pushIfNotVisited(use);
+    }
+    return insertedOperand;
+  }
+
   /// Pushes the operands of all uses of \p instruction onto the worklist if the
   /// operands have never been pushed before. Returns \p true if we inserted
   /// /any/ values.
@@ -110,9 +123,7 @@ class OperandWorklist {
   bool pushResultOperandsIfNotVisited(SILInstruction *inst) {
     bool insertedOperand = false;
     for (auto result : inst->getResults()) {
-      for (auto *use : result->getUses()) {
-        insertedOperand |= pushIfNotVisited(use);
-      }
+      insertedOperand |= pushResultOperandsIfNotVisited(result);
     }
     return insertedOperand;
   }

include/swift/SILOptimizer/PassManager/Passes.def

@@ -485,6 +485,8 @@ LEGACY_PASS(DiagnoseUnnecessaryPreconcurrencyImports, "sil-diagnose-unnecessary-
      "Diagnose any preconcurrency imports that Sema and TransferNonSendable did not use")
 LEGACY_PASS(ThunkLowering, "sil-thunk-lowering",
      "Lower thunk instructions to actual thunks")
+LEGACY_PASS(MarkNeverWrittenMutableClosureBoxesAsImmutable, "mark-never-written-mutable-closure-boxes-as-immutable",
+     "Mark never written mutable closure boxes as immutable")
 LEGACY_PASS(PruneVTables, "prune-vtables",
      "Mark class methods that do not require vtable dispatch")
 

lib/SILOptimizer/Mandatory/CMakeLists.txt

@@ -50,6 +50,7 @@ target_sources(swiftSILOptimizer PRIVATE
   YieldOnceCheck.cpp
   OSLogOptimization.cpp
   MoveOnlyWrappedTypeEliminator.cpp
+  MarkNeverWrittenMutableClosureBoxesAsImmutable.cpp
   RegionAnalysisInvalidationTransform.cpp
   DiagnosticDeadFunctionElimination.cpp
   OwnershipModelEliminator.cpp)

lib/SILOptimizer/Mandatory/MarkNeverWrittenMutableClosureBoxesAsImmutable.cpp

@@ -0,0 +1,273 @@
+//===--- MarkNeverWrittenMutableClosureBoxesAsImmutable.cpp ---------------===//
+//
+// This source file is part of the Swift.org open source project
+//
+// Copyright (c) 2014 - 2026 Apple Inc. and the Swift project authors
+// Licensed under Apache License v2.0 with Runtime Library Exception
+//
+// See https://swift.org/LICENSE.txt for license information
+// See https://swift.org/CONTRIBUTORS.txt for the list of Swift project authors
+//
+//===----------------------------------------------------------------------===//
+
+#define DEBUG_TYPE "sil-mark-never-written-mutable-closure-boxes-as-immutable"
+
+#include "swift/SIL/ApplySite.h"
+#include "swift/SIL/OperandDatastructures.h"
+#include "swift/SILOptimizer/PassManager/Passes.h"
+#include "swift/SILOptimizer/PassManager/Transforms.h"
+#include "swift/SILOptimizer/Utils/SILIsolationInfo.h"
+
+using namespace swift;
+
+//===----------------------------------------------------------------------===//
+//                            MARK: Implementation
+//===----------------------------------------------------------------------===//
+
+static bool isImmutable(SILValue start, StoreWeakInst *allowableWeakStore,
+                        llvm::DenseSet<SILFunctionArgument *> &visitedArgs) {
+  LLVM_DEBUG(llvm::dbgs() << "Checking in function "
+                          << start->getFunction()->getName() << ": " << *start);
+  // We store the partial apply that we are going to visit serially after we
+  // finish processing the partial_apply so that we do not create too many
+  // OperandWorklist. We can only create a finite amount of them.
+  SmallVector<SILFunctionArgument *, 8> funcArgsToVisit;
+
+  {
+    // Walk the uses to search for the partial_apply. If we have a debug_value,
+    // a move_value [lexical], or a begin_borrow [lexical].
+    OperandWorklist worklist(start->getFunction());
+    worklist.pushResultOperandsIfNotVisited(start);
+
+    while (auto *use = worklist.pop()) {
+      auto *user = use->getUser();
+      LLVM_DEBUG(llvm::dbgs() << "    Visiting User: " << *user);
+
+      // Uses to skip.
+      if (isa<EndBorrowInst>(user) || isa<DestroyValueInst>(user) ||
+          isa<LoadWeakInst>(user) || isa<EndAccessInst>(user) ||
+          isa<DebugValueInst>(user) || isa<MarkFunctionEscapeInst>(user)) {
+        LLVM_DEBUG(llvm::dbgs() << "        Ignoring!\n");
+        continue;
+      }
+
+      // Uses to look through.
+      if (isa<CopyValueInst>(user) || isa<ProjectBoxInst>(user) ||
+          isa<MoveValueInst>(user) || isa<BeginBorrowInst>(user) ||
+          isa<BeginAccessInst>(user)) {
+        LLVM_DEBUG(llvm::dbgs() << "        Looking through!\n");
+        worklist.pushResultOperandsIfNotVisited(user);
+        continue;
+      }
+
+      // If we have a store_weak, continue if it is the store_weak that we are
+      // ok with.
+      if (auto *swi = dyn_cast<StoreWeakInst>(user);
+          swi && swi == allowableWeakStore) {
+        LLVM_DEBUG(llvm::dbgs() << "        Ignoring allowable store_weak!\n");
+        continue;
+      }
+
+      // Visit partial_apply uses and see if:
+      //
+      // 1. We can look up the function.
+      //
+      // 2. If we already know that the function argument is inferred
+      // immutable. In that case, we can just continue.
+      //
+      // 3. Then we check if we already visited the function argument. That
+      // means that we know that it is not immutable if it has not been marked
+      // yet... so just return false.
+      //
+      // 4. Otherwise, we add it to a worklist to process after we finish
+      // walking uses in this function. We do this to ensure we do not create
+      // too many OperandWorklists at the same time since we can only create a
+      // finite amount of them at the same time.
+      if (auto *pai = dyn_cast<PartialApplyInst>(user)) {
+        if (auto *calleeFunc = pai->getReferencedFunctionOrNull()) {
+          auto calleeArgIndex = ApplySite(pai).getCalleeArgIndex(*use);
+          auto *fArg = cast<SILFunctionArgument>(
+              calleeFunc->getArgument(calleeArgIndex));
+          if (fArg->isInferredImmutable()) {
+            LLVM_DEBUG(llvm::dbgs()
+                       << "        Found partial_apply with inferred immutable "
+                          "function arg. Can ignore it!\n");
+            continue;
+          }
+          if (visitedArgs.count(fArg)) {
+            LLVM_DEBUG(llvm::dbgs()
+                       << "        Found mutable function arg user!\n");
+
+            return false;
+          }
+          LLVM_DEBUG(llvm::dbgs()
+                     << "        Found partial apply to check later!\n");
+          funcArgsToVisit.push_back(fArg);
+          continue;
+        }
+      }
+
+      // Unrecognized user. Bail.
+      LLVM_DEBUG(llvm::dbgs()
+                 << "    Not transforming due to unhandled user!\n");
+      return false;
+    }
+  }
+
+  // Now check recursively if our function argument users are immutable. We do
+  // this after we walk to avoid creating too many OperandWorklist.
+  bool allFArgUsersImmutable = true;
+  for (auto *fArg : funcArgsToVisit) {
+    assert(!fArg->isInferredImmutable() && "Should have been checked earlier");
+    visitedArgs.insert(fArg);
+    if (isImmutable(fArg, nullptr, visitedArgs)) {
+      fArg->setInferredImmutable(true);
+      continue;
+    }
+    allFArgUsersImmutable = false;
+  }
+
+  return allFArgUsersImmutable;
+}
+
+/// Make sure that the given box fits out pattern matching conditions and return
+/// its single initializing begin_borrow scope and store_weak so we can do a
+/// later more intensive recursive check.
+///
+/// The conditions are:
+///
+/// 1. The box must be mutable.
+///
+/// 2. The box must contain a weak reference to a Sendable type.
+///
+/// 3. The box must have a single begin_borrow user that all uses are
+/// initialized from.
+///
+/// 4. There must be a single store_weak that initializes the box from a
+/// project_box from the single begin_borrow.
+///
+/// 5. The box should not have a debug_value use.
+///
+/// This is safe since later we are going to recursively look at uses of the
+/// begin_borrow and if we find any memory uses that are a load_weak or a
+/// different store_weak besides the one we found, we fail the box.
+static StoreWeakInst *isPatternMatchableBox(AllocBoxInst *abi) {
+  LLVM_DEBUG(llvm::dbgs() << "Checking if box can be matched: " << *abi);
+
+  CanSILBoxType boxType = abi->getType().castTo<SILBoxType>();
+  if (boxType->getNumFields() != 1 ||
+      !SILIsolationInfo::boxContainsOnlySendableFields(abi)) {
+    LLVM_DEBUG(llvm::dbgs() << "    Cannot match since either has multiple "
+                               "fields or a non-Sendable field\n");
+    return nullptr;
+  }
+
+  // For now to be conservative, only do this if we have a weak
+  // parameter.
+  if (auto ownership = boxType->getFieldType(*abi->getFunction(), 0)
+                           .getReferenceStorageOwnership();
+      !ownership || *ownership != ReferenceOwnership::Weak) {
+    LLVM_DEBUG(llvm::dbgs()
+               << "    Cannot match since field is not a weak reference\n");
+    return nullptr;
+  }
+
+  BeginBorrowInst *singleBBI = nullptr;
+  for (auto *use : abi->getUses()) {
+    if (isa<DestroyValueInst>(use->getUser()) ||
+        isa<DeallocBoxInst>(use->getUser()) ||
+        isa<CopyValueInst>(use->getUser()))
+      continue;
+    auto *bbi = dyn_cast<BeginBorrowInst>(use->getUser());
+    if (!bbi) {
+      LLVM_DEBUG(llvm::dbgs()
+                 << "    Cannot match since has a non-begin_borrow, "
+                    "destroy_value, dealloc_box immediate user: "
+                 << *use->getUser());
+      return nullptr;
+    }
+
+    if (bbi->isFromVarDecl()) {
+      LLVM_DEBUG(llvm::dbgs()
+                 << "    Cannot match since begin_borrow from var_decl\n");
+      return nullptr;
+    }
+
+    if (singleBBI) {
+      LLVM_DEBUG(llvm::dbgs() << "    Cannot match since found multiple "
+                                 "begin_borrow initializations\n");
+      return nullptr;
+    }
+    singleBBI = bbi;
+  }
+
+  if (!singleBBI) {
+    LLVM_DEBUG(llvm::dbgs() << "    Cannot match since did not find "
+                               "begin_borrow for initialization\n");
+    return nullptr;
+  }
+
+  // Now look for a single store_weak from a project_box from our singleBBI.
+  //
+  // DISCUSSION: We could be lazier here and leave the checking of multiple
+  // store_weak to the later recursive check... but why not just check now and
+  // end earlier.
+  StoreWeakInst *singleStoreWeak = nullptr;
+  for (auto *use : singleBBI->getUsersOfType<ProjectBoxInst>()) {
+    if (auto *swi = use->getSingleUserOfType<StoreWeakInst>()) {
+      if (singleStoreWeak) {
+        LLVM_DEBUG(llvm::dbgs()
+                   << "    Cannot match since found multiple store_weak\n");
+        return nullptr;
+      }
+      singleStoreWeak = swi;
+    }
+  }
+  if (!singleStoreWeak) {
+    LLVM_DEBUG(llvm::dbgs() << "    Cannot match since did not find a single "
+                               "store_weak initialization\n");
+    return {};
+  }
+
+  return singleStoreWeak;
+}
+
+namespace {
+
+class MarkNeverWrittenMutableClosureBoxesAsImmutable
+    : public SILModuleTransform {
+  void run() override {
+    bool madeChange = false;
+    llvm::DenseSet<SILFunctionArgument *> visitedArgs;
+    for (auto &fn : *getModule()) {
+      for (auto &block : fn) {
+        for (auto &inst : block) {
+          auto *abi = dyn_cast<AllocBoxInst>(&inst);
+          if (!abi)
+            continue;
+          auto *singleInitialization = isPatternMatchableBox(abi);
+          if (!singleInitialization ||
+              !isImmutable(abi, singleInitialization, visitedArgs))
+            continue;
+
+          abi->setInferredImmutable(true);
+          LLVM_DEBUG(llvm::dbgs() << "Marking Box as Inferred Immutable!\n");
+          madeChange = true;
+        }
+      }
+    }
+
+    if (madeChange)
+      invalidateAll();
+  };
+};
+
+} // namespace
+
+//===----------------------------------------------------------------------===//
+//                         MARK: Top Level Entrypoint
+//===----------------------------------------------------------------------===//
+
+SILTransform *swift::createMarkNeverWrittenMutableClosureBoxesAsImmutable() {
+  return new MarkNeverWrittenMutableClosureBoxesAsImmutable();
+}

lib/SILOptimizer/PassManager/PassPipeline.cpp

@@ -115,6 +115,8 @@ static void addDefiniteInitialization(SILPassPipelinePlan &P) {
 // should be in the -Onone pass pipeline and the prepare optimizations pipeline.
 static void addMandatoryDiagnosticOptPipeline(SILPassPipelinePlan &P) {
   P.startPipeline("Mandatory Diagnostic Passes + Enabling Optimization Passes");
+
+  P.addMarkNeverWrittenMutableClosureBoxesAsImmutable();
   P.addDiagnoseInvalidEscapingCaptures();
   P.addReferenceBindingTransform();
   P.addNestedSemanticFunctionCheck();

lib/SILOptimizer/Utils/SILIsolationInfo.cpp

@@ -1581,8 +1581,46 @@ void SILIsolationInfo::printForOneLineLogging(SILFunction *fn,
 }
 
 bool SILIsolationInfo::isSendable(SILValue value) {
-  // For now just rely on the type based analysis.
-  return isSendableType(value->getType(), value->getFunction());
+  // If the type system says we are sendable, then we are always sendable.
+  if (isSendableType(value->getType(), value->getFunction()))
+    return true;
+
+  if (auto *fArg = dyn_cast<SILFunctionArgument>(value);
+      fArg && fArg->isClosureCapture() && fArg->isInferredImmutable()) {
+    CanSILBoxType boxType = fArg->getType().getAs<SILBoxType>();
+    if (!boxType || boxType->getNumFields() != 1)
+      return false;
+    auto innerType = boxType->getFieldType(*fArg->getFunction(), 0);
+    // We can only do this if the underlying type is Sendable.
+    if (isNonSendableType(innerType, fArg->getFunction()))
+      return false;
+    // For now to be conservative, only do this if we have a weak parameter.
+    if (auto ownership = innerType.getReferenceStorageOwnership();
+        !ownership || *ownership != ReferenceOwnership::Weak)
+      return false;
+    // Ok, we can treat this as Sendable.
+    return true;
+  }
+
+  if (auto *abi = dyn_cast<AllocBoxInst>(lookThroughOwnershipInsts(value));
+      abi && abi->isInferredImmutable()) {
+    CanSILBoxType boxType = abi->getType().castTo<SILBoxType>();
+    if (boxType->getNumFields() != 1)
+      return false;
+
+    auto innerType = boxType->getFieldType(*abi->getFunction(), 0);
+    if (isNonSendableType(innerType, abi->getFunction()))
+      return false;
+
+    // For now to be conservative, only do this if we have a weak parameter.
+    if (auto ownership = innerType.getReferenceStorageOwnership();
+        !ownership || *ownership != ReferenceOwnership::Weak)
+      return false;
+
+    return true;
+  }
+
+  return false;
 }
 
 // Check if the passed in type is NonSendable.