Add resilience boundary around non-inlinable bodies

Previously, the availability checker has assumed that no code in a module is available on less than the minimum deployment target. In modules using library evolution, this is not actually true--certain function bodies can be inlined into modules with lower minimum deployment targets, where they can run against versions of the library that had lower minimum deployment targets. By failing to check for availability violations in these function bodies that relate to versions below the minimum deployment target, we can end up allowing inlinable code that doesn't compile with the correct runtime linkage or has other serious problems.

This commit lowers the root type refinement context's avialability to the value of the -target-min-inlining-version option (if provided) and then raises it again inside the bodies of functions whose implementations are not exposed to clients. This introduces some incorrect typechecking of declaration signatures, but we'll fix that in another commit.

Author: beccadax

include/swift/AST/Availability.h

@@ -217,6 +217,10 @@ class AvailabilityContext {
   /// deployment target.
   static AvailabilityContext forDeploymentTarget(ASTContext &Ctx);
 
+  /// Creates a context that imposes the constraints of the ASTContext's
+  /// inlining target (i.e. minimum inlining version).
+  static AvailabilityContext forInliningTarget(ASTContext &Ctx);
+
   /// Creates a context that imposes no constraints.
   ///
   /// \see isAlwaysAvailable

include/swift/AST/TypeRefinementContext.h

@@ -58,6 +58,12 @@ class TypeRefinementContext : public ASTAllocated<TypeRefinementContext> {
     /// function declaration or the contents of a class declaration).
     Decl,
 
+    /// The context was introduced by a resilience boundary; that is, we are in
+    /// a module with library evolution enabled and the parent context's
+    /// contents can be visible to the module's clients, but this context's
+    /// contents are not.
+    ResilienceBoundary,
+
     /// The context was introduced for the Then branch of an IfStmt.
     IfStmtThenBranch,
 
@@ -102,7 +108,10 @@ class TypeRefinementContext : public ASTAllocated<TypeRefinementContext> {
 
   public:
     IntroNode(SourceFile *SF) : IntroReason(Reason::Root), SF(SF) {}
-    IntroNode(Decl *D) : IntroReason(Reason::Decl), D(D) {}
+    IntroNode(Decl *D, Reason introReason = Reason::Decl)
+        : IntroReason(introReason), D(D) {
+      (void)getAsDecl();    // check that assertion succeeds
+    }
     IntroNode(IfStmt *IS, bool IsThen) :
     IntroReason(IsThen ? Reason::IfStmtThenBranch : Reason::IfStmtElseBranch),
                 IS(IS) {}
@@ -122,7 +131,8 @@ class TypeRefinementContext : public ASTAllocated<TypeRefinementContext> {
     }
 
     Decl *getAsDecl() const {
-      assert(IntroReason == Reason::Decl);
+      assert(IntroReason == Reason::Decl ||
+             IntroReason == Reason::ResilienceBoundary);
       return D;
     }
 
@@ -182,7 +192,14 @@ class TypeRefinementContext : public ASTAllocated<TypeRefinementContext> {
                                               const AvailabilityContext &Info,
                                               const AvailabilityContext &ExplicitInfo,
                                               SourceRange SrcRange);
-  
+
+  /// Create a refinement context for the given declaration.
+  static TypeRefinementContext *
+  createForResilienceBoundary(ASTContext &Ctx, Decl *D,
+                              TypeRefinementContext *Parent,
+                              const AvailabilityContext &Info,
+                              SourceRange SrcRange);
+
   /// Create a refinement context for the Then branch of the given IfStmt.
   static TypeRefinementContext *
   createForIfStmtThen(ASTContext &Ctx, IfStmt *S, TypeRefinementContext *Parent,

lib/AST/Availability.cpp

@@ -30,6 +30,11 @@ AvailabilityContext AvailabilityContext::forDeploymentTarget(ASTContext &Ctx) {
       VersionRange::allGTE(Ctx.LangOpts.getMinPlatformVersion()));
 }
 
+AvailabilityContext AvailabilityContext::forInliningTarget(ASTContext &Ctx) {
+  return AvailabilityContext(
+      VersionRange::allGTE(Ctx.LangOpts.MinimumInliningTargetVersion));
+}
+
 namespace {
 
 /// The inferred availability required to access a group of declarations

lib/AST/TypeRefinementContext.cpp

@@ -64,6 +64,20 @@ TypeRefinementContext::createForDecl(ASTContext &Ctx, Decl *D,
       TypeRefinementContext(Ctx, D, Parent, SrcRange, Info, ExplicitInfo);
 }
 
+TypeRefinementContext *
+TypeRefinementContext::createForResilienceBoundary(ASTContext &Ctx, Decl *D,
+                                TypeRefinementContext *Parent,
+                                const AvailabilityContext &Info,
+                                SourceRange SrcRange) {
+  assert(D);
+  assert(Parent);
+  return new (Ctx)
+      TypeRefinementContext(Ctx, IntroNode(D, Reason::ResilienceBoundary),
+                            Parent, SrcRange, Info,
+                            AvailabilityContext::alwaysAvailable());
+
+}
+
 TypeRefinementContext *
 TypeRefinementContext::createForIfStmtThen(ASTContext &Ctx, IfStmt *S,
                                            TypeRefinementContext *Parent,
@@ -170,6 +184,7 @@ void TypeRefinementContext::dump(raw_ostream &OS, SourceManager &SrcMgr) const {
 SourceLoc TypeRefinementContext::getIntroductionLoc() const {
   switch (getReason()) {
   case Reason::Decl:
+  case Reason::ResilienceBoundary:
     return Node.getAsDecl()->getLoc();
 
   case Reason::IfStmtThenBranch:
@@ -283,6 +298,7 @@ TypeRefinementContext::getAvailabilityConditionVersionSourceRange(
       Node.getAsWhileStmt()->getCond(), Platform, Version);
 
   case Reason::Root:
+  case Reason::ResilienceBoundary:
     return SourceRange();
   }
 
@@ -296,13 +312,16 @@ void TypeRefinementContext::print(raw_ostream &OS, SourceManager &SrcMgr,
 
   OS << " versions=" << AvailabilityInfo.getOSVersion().getAsString();
 
-  if (getReason() == Reason::Decl) {
+  if (getReason() == Reason::Decl
+      || getReason() == Reason::ResilienceBoundary) {
     Decl *D = Node.getAsDecl();
     OS << " decl=";
     if (auto VD = dyn_cast<ValueDecl>(D)) {
       OS << VD->getName();
     } else if (auto *ED = dyn_cast<ExtensionDecl>(D)) {
       OS << "extension." << ED->getExtendedType().getString();
+    } else if (isa<TopLevelCodeDecl>(D)) {
+      OS << "<top-level-code>";
     }
   }
 
@@ -336,6 +355,9 @@ StringRef TypeRefinementContext::getReasonName(Reason R) {
   case Reason::Decl:
     return "decl";
 
+  case Reason::ResilienceBoundary:
+    return "resilience_boundary";
+
   case Reason::IfStmtThenBranch:
     return "if_then";
 

lib/Sema/TypeCheckAvailability.cpp

@@ -181,7 +181,7 @@ ExportContext ExportContext::forDeclSignature(Decl *D) {
   auto runningOSVersion =
       (Ctx.LangOpts.DisableAvailabilityChecking
        ? AvailabilityContext::alwaysAvailable()
-       : TypeChecker::overApproximateAvailabilityAtLocation(D->getEndLoc(), DC));
+       : TypeChecker::overApproximateAvailabilityAtLocation(D->getLoc(), DC));
   bool spi = Ctx.LangOpts.LibraryLevel == LibraryLevel::SPI;
   bool implicit = false;
   bool deprecated = false;
@@ -288,6 +288,27 @@ static bool hasActiveAvailableAttribute(Decl *D,
   return getActiveAvailableAttribute(D, AC);
 }
 
+static bool bodyIsResilienceBoundary(Decl *D) {
+  // The declaration contains code...
+  if (auto afd = dyn_cast<AbstractFunctionDecl>(D)) {
+    // And it has a location so we can check it...
+    if (!afd->isImplicit() && afd->getBodySourceRange().isValid()) {
+      // And the code is within our resilience domain, so it should be
+      // compiled with the minimum deployment target, not the minimum inlining
+      // target.
+      return afd->getResilienceExpansion() != ResilienceExpansion::Minimal;
+    }
+  }
+
+  return false;
+}
+
+static bool computeContainedByDeploymentTarget(TypeRefinementContext *TRC,
+                                               ASTContext &ctx) {
+  return TRC->getAvailabilityInfo()
+                  .isContainedIn(AvailabilityContext::forDeploymentTarget(ctx));
+}
+
 namespace {
 
 /// A class to walk the AST to build the type refinement context hierarchy.
@@ -302,6 +323,8 @@ class TypeRefinementContextBuilder : private ASTWalker {
     /// indicating that custom logic elsewhere will handle removing
     /// the context when needed.
     ParentTy ScopeNode;
+
+    bool ContainedByDeploymentTarget;
   };
 
   std::vector<ContextInfo> ContextStack;
@@ -318,10 +341,24 @@ class TypeRefinementContextBuilder : private ASTWalker {
     return ContextStack.back().TRC;
   }
 
+  bool isCurrentTRCContainedByDeploymentTarget() {
+    return ContextStack.back().ContainedByDeploymentTarget;
+  }
+
   void pushContext(TypeRefinementContext *TRC, ParentTy PopAfterNode) {
     ContextInfo Info;
     Info.TRC = TRC;
     Info.ScopeNode = PopAfterNode;
+
+    if (!ContextStack.empty() && isCurrentTRCContainedByDeploymentTarget()) {
+      assert(computeContainedByDeploymentTarget(TRC, Context) &&
+             "incorrectly skipping computeContainedByDeploymentTarget()");
+      Info.ContainedByDeploymentTarget = true;
+    } else {
+      Info.ContainedByDeploymentTarget =
+          computeContainedByDeploymentTarget(TRC, Context);
+    }
+
     ContextStack.push_back(Info);
   }
 
@@ -367,11 +404,16 @@ class TypeRefinementContextBuilder : private ASTWalker {
       pushContext(DeclTRC, D);
     }
 
+    // Adds in a TRC that covers only the body of the declaration.
+    if (auto BodyTRC = getNewContextForBodyOfDecl(D)) {
+      pushContext(BodyTRC, D);
+    }
+
     return true;
   }
 
   bool walkToDeclPost(Decl *D) override {
-    // As seen above, we could have up to two TRCs in the stack for a single
+    // As seen above, we could have up to three TRCs in the stack for a single
     // declaration.
     while (ContextStack.back().ScopeNode.getAsDecl() == D) {
       ContextStack.pop_back();
@@ -510,6 +552,39 @@ class TypeRefinementContextBuilder : private ASTWalker {
     return D->getSourceRange();
   }
 
+  TypeRefinementContext *getNewContextForBodyOfDecl(Decl *D) {
+    if (bodyIntroducesNewContext(D))
+      return buildBodyRefinementContext(D);
+
+    return nullptr;
+  }
+
+  bool bodyIntroducesNewContext(Decl *D) {
+    // Are we already effectively in a resilience boundary? If not, adding one
+    // wouldn't change availability.
+    if (isCurrentTRCContainedByDeploymentTarget())
+      return false;
+
+    // If we're in a function, is its body a resilience boundary?
+    if (auto afd = dyn_cast<AbstractFunctionDecl>(D))
+      return bodyIsResilienceBoundary(afd);
+
+    return false;
+  }
+
+  TypeRefinementContext *buildBodyRefinementContext(Decl *D) {
+    auto afd = cast<AbstractFunctionDecl>(D);
+    SourceRange range = afd->getBodySourceRange();
+
+    AvailabilityContext DeploymentTargetInfo =
+        AvailabilityContext::forDeploymentTarget(Context);
+    DeploymentTargetInfo.intersectWith(getCurrentTRC()->getAvailabilityInfo());
+
+    return TypeRefinementContext::createForResilienceBoundary(
+                                           Context, D, getCurrentTRC(),
+                                           DeploymentTargetInfo, range);
+  }
+
   std::pair<bool, Stmt *> walkToStmtPre(Stmt *S) override {
     if (auto *IS = dyn_cast<IfStmt>(S)) {
       buildIfStmtRefinementContext(IS);
@@ -927,8 +1002,8 @@ void TypeChecker::buildTypeRefinementContextHierarchy(SourceFile &SF) {
   if (!RootTRC) {
     // The root type refinement context reflects the fact that all parts of
     // the source file are guaranteed to be executing on at least the minimum
-    // platform version.
-    auto MinPlatformReq = AvailabilityContext::forDeploymentTarget(Context);
+    // platform version for inlining.
+    auto MinPlatformReq = AvailabilityContext::forInliningTarget(Context);
     RootTRC = TypeRefinementContext::createRoot(&SF, MinPlatformReq);
     SF.setTypeRefinementContext(RootTRC);
   }
@@ -993,9 +1068,8 @@ TypeChecker::overApproximateAvailabilityAtLocation(SourceLoc loc,
   // refined. For now, this is fine -- but if we ever synthesize #available(),
   // this will be a real problem.
 
-  // We can assume we are running on at least the minimum deployment target.
-  auto OverApproximateContext =
-    AvailabilityContext::forDeploymentTarget(Context);
+  // We can assume we are running on at least the minimum inlining target.
+  auto OverApproximateContext = AvailabilityContext::forInliningTarget(Context);
   auto isInvalidLoc = [SF](SourceLoc loc) {
     return SF ? loc.isInvalid() : true;
   };