Limit access of implicit typealiases for associated type witnesses (#20891)

jrose-apple · web-flow · commit 66c3abdaf0fd · 2018-12-04T17:37:18.000-08:00
When conformance checking infers an associated type, it makes a new typealias to represent that type. Unfortunately, the access of that typealias was always the same as the conforming type's, which (1) might have leaked implementation details if the protocol wasn't as public as the conforming type, and (2) might have been straight-up incorrect if the /inferred type/ wasn't as public as the conforming type. Fix this in pre-Swift-5 modes by limiting the access to fit the underlying type (technically source-breaking, but most code that relied on this would have failed to link anyway), and in Swift 5 mode by using the minimum possible access (the intersection of the protocol and conforming type). rdar://problem/46143405 (cherry picked from commit 859e2b0)
diff --git a/lib/Sema/TypeCheckProtocol.cpp b/lib/Sema/TypeCheckProtocol.cpp
@@ -23,6 +23,7 @@
 #include "swift/Basic/StringExtras.h"
 #include "swift/Basic/Statistic.h"
 #include "swift/AST/AccessScope.h"
+#include "swift/AST/AccessScopeChecker.h"
 #include "swift/AST/GenericSignatureBuilder.h"
 #include "swift/AST/ASTContext.h"
 #include "swift/AST/ASTMangler.h"
@@ -2474,11 +2475,46 @@ void ConformanceChecker::recordTypeWitness(AssociatedTypeDecl *assocType,
 
     // Inject the typealias into the nominal decl that conforms to the protocol.
     if (auto nominal = DC->getSelfNominalTypeDecl()) {
-      // FIXME: Ideally this would use the protocol's access too---that is,
-      // a typealias added for an internal protocol shouldn't need to be
-      // public---but that can be problematic if the same type conforms to two
-      // protocols with different access levels.
-      aliasDecl->copyFormalAccessFrom(nominal, /*sourceIsParentContext*/true);
+      AccessScope requiredAccessScope = getRequiredAccessScope();
+
+      if (!TC.Context.isSwiftVersionAtLeast(5) &&
+          DC->getParentModule()->getResilienceStrategy() !=
+              ResilienceStrategy::Resilient) {
+        // HACK: In pre-Swift-5, these typealiases were synthesized with the
+        // same access level as the conforming type, which might be more
+        // visible than the associated type witness. Preserve that behavior
+        // when the underlying type has sufficient access, but only in
+        // non-resilient modules.
+        Optional<AccessScope> underlyingTypeScope =
+            TypeAccessScopeChecker::getAccessScope(type, DC,
+                                                   /*usableFromInline*/false);
+        assert(underlyingTypeScope.hasValue() &&
+               "the type is already invalid and we shouldn't have gotten here");
+
+        AccessScope nominalAccessScope = nominal->getFormalAccessScope(DC);
+        Optional<AccessScope> widestPossibleScope =
+            underlyingTypeScope->intersectWith(nominalAccessScope);
+        assert(widestPossibleScope.hasValue() &&
+               "we found the nominal and the type witness, didn't we?");
+        requiredAccessScope = widestPossibleScope.getValue();
+      }
+
+      // An associated type witness can never be less than fileprivate, since
+      // it must always be at least as visible as the enclosing type.
+      AccessLevel requiredAccess =
+          std::max(requiredAccessScope.accessLevelForDiagnostics(),
+                   AccessLevel::FilePrivate);
+
+      aliasDecl->setAccess(requiredAccess);
+      if (isUsableFromInlineRequired()) {
+        auto *attr = new (TC.Context) UsableFromInlineAttr(/*implicit=*/true);
+        aliasDecl->getAttrs().add(attr);
+      }
+
+      bool unused;
+      assert(TC.Context.hadError() ||
+             !checkWitnessAccess(assocType, aliasDecl, &unused));
+      (void)unused;
 
       if (nominal == DC) {
         nominal->addMember(aliasDecl);
diff --git a/test/attr/accessibility_print_inferred_type_witnesses.swift b/test/attr/accessibility_print_inferred_type_witnesses.swift
@@ -0,0 +1,41 @@
+// RUN: %empty-directory(%t)
+
+// RUN: %target-swift-ide-test -skip-deinit=false -print-ast-typechecked -print-access -source-filename=%s -swift-version 4| %FileCheck -check-prefix=CHECK -check-prefix=CHECK-4 %s
+// RUN: %target-swift-frontend -emit-module-path %t/accessibility_print.swiftmodule -module-name accessibility_print %s -swift-version 4
+// RUN: %target-swift-ide-test -skip-deinit=false -print-module -print-access -module-to-print=accessibility_print -I %t -source-filename=%s -swift-version 4 | %FileCheck -check-prefix=CHECK -check-prefix=CHECK-4 %s
+
+// RUN: %target-swift-ide-test -skip-deinit=false -print-ast-typechecked -print-access -source-filename=%s -swift-version 5 | %FileCheck -check-prefix=CHECK -check-prefix=CHECK-5 %s
+// RUN: %target-swift-frontend -emit-module-path %t/accessibility_print.swiftmodule -module-name accessibility_print %s -swift-version 5
+// RUN: %target-swift-ide-test -skip-deinit=false -print-module -print-access -module-to-print=accessibility_print -I %t -source-filename=%s -swift-version 5 | %FileCheck -check-prefix=CHECK -check-prefix=CHECK-5 %s
+
+// Enabling resilience means opting into the new behavior.
+// RUN: %target-swift-frontend -emit-module-path %t/accessibility_print.swiftmodule -module-name accessibility_print %s -swift-version 4 -enable-resilience
+// RUN: %target-swift-ide-test -skip-deinit=false -print-module -print-access -module-to-print=accessibility_print -I %t -source-filename=%s -swift-version 4 | %FileCheck -check-prefix=CHECK -check-prefix=CHECK-5 %s
+
+internal struct InternalStruct {}
+
+public protocol PublicAssocTypeProto {
+  associatedtype PublicValue
+  var publicValue: PublicValue { get }
+}
+fileprivate protocol FilePrivateAssocTypeProto {
+  associatedtype FilePrivateValue
+  var filePrivateValue: FilePrivateValue { get }
+}
+
+// CHECK-LABEL: private{{(\*/)?}} class PrivateImpl : PublicAssocTypeProto, FilePrivateAssocTypeProto {
+private class PrivateImpl: PublicAssocTypeProto, FilePrivateAssocTypeProto {
+  fileprivate var publicValue: InternalStruct?
+  fileprivate var filePrivateValue: Int?
+  // CHECK-DAG: {{^}} fileprivate typealias PublicValue
+  // CHECK-DAG: {{^}} fileprivate typealias FilePrivateValue
+} // CHECK: {{^[}]}}
+
+// CHECK-LABEL: public{{(\*/)?}} class PublicImpl : PublicAssocTypeProto, FilePrivateAssocTypeProto {
+public class PublicImpl: PublicAssocTypeProto, FilePrivateAssocTypeProto {
+  public var publicValue: Int?
+  fileprivate var filePrivateValue: InternalStruct?
+  // CHECK-DAG: {{^}} public typealias PublicValue
+  // CHECK-4-DAG: {{^}} internal typealias FilePrivateValue
+  // CHECK-5-DAG: {{^}} fileprivate typealias FilePrivateValue
+} // CHECK: {{^[}]}}
