Add @safe(unchecked) to allow unsafe code within a declaration.

Introduce an attribute to allow unsafe code within the annotated
declaration without presenting an unsafe interface to users. This is,
by its nature, and unsafe construct, and is used to document where
unsafe behavior is encapsulated in safe constructs.

There is an optional message that can be used as part of an audit
trail.

Author: DougGregor

include/swift/AST/Attr.h

@@ -2837,6 +2837,26 @@ class RawLayoutAttr final : public DeclAttribute {
   UNIMPLEMENTED_CLONE(RawLayoutAttr)
 };
 
+class SafeAttr final : public DeclAttribute {
+public:
+  /// The optional message.
+  const StringRef message;
+
+  SafeAttr(SourceLoc atLoc, SourceRange range, StringRef message,
+           bool isImplicit = false)
+      : DeclAttribute(DeclAttrKind::Safe, atLoc, range, isImplicit),
+        message(message) { }
+
+  static bool classof(const DeclAttribute *DA) {
+    return DA->getKind() == DeclAttrKind::Safe;
+  }
+
+  /// Create a copy of this attribute.
+  SafeAttr *clone(ASTContext &ctx) const {
+    return new (ctx) SafeAttr(AtLoc, Range, message, isImplicit());
+  }
+};
+
 class LifetimeAttr final : public DeclAttribute {
   LifetimeEntry *entry;
 

include/swift/AST/DeclAttr.def

@@ -504,8 +504,8 @@ SIMPLE_DECL_ATTR(sensitive, Sensitive,
   159)
 
 SIMPLE_DECL_ATTR(unsafe, Unsafe,
-  OnAbstractFunction | OnSubscript | OnVar | OnMacro | OnNominalType | OnExtension |
-  UserInaccessible |
+  OnAbstractFunction | OnSubscript | OnVar | OnMacro | OnNominalType |
+  OnExtension | OnTypeAlias | UserInaccessible |
   ABIStableToAdd | ABIStableToRemove | APIBreakingToAdd | APIStableToRemove,
   160)
 
@@ -517,7 +517,13 @@ SIMPLE_DECL_ATTR(_addressableSelf, AddressableSelf,
   OnAccessor | OnConstructor | OnFunc | OnSubscript | ABIBreakingToAdd | ABIStableToRemove | APIBreakingToAdd | APIStableToRemove | UserInaccessible,
   162)
 
-LAST_DECL_ATTR(AddressableSelf)
+DECL_ATTR(safe, Safe,
+  OnAbstractFunction | OnSubscript | OnVar | OnMacro | OnNominalType |
+  OnExtension | OnTypeAlias | UserInaccessible |
+  ABIStableToAdd | ABIStableToRemove | APIBreakingToAdd | APIStableToRemove,
+  163)
+
+LAST_DECL_ATTR(Safe)
 
 #undef DECL_ATTR_ALIAS
 #undef CONTEXTUAL_DECL_ATTR_ALIAS

include/swift/AST/DiagnosticsParse.def

@@ -2106,6 +2106,9 @@ ERROR(parser_new_parser_errors,none,
       "new Swift parser generated errors for code that C++ parser accepted",
        ())
 
+ERROR(safe_attr_unchecked,none,
+      "'@safe' attribute must be written as '@safe(unchecked)'", ())
+
 // MARK: Reference Binding Diagnostics
 ERROR(sil_markuncheckedreferencebinding_requires_attribute,none,
       "mark_unchecked_reference_binding requires an attribute like [inout]", ())

lib/AST/ASTDumper.cpp

@@ -4116,6 +4116,11 @@ class PrintAttribute : public AttributeVisitor<PrintAttribute, void, StringRef>,
     }
     printFoot();
   }
+  void visitSafeAttr(SafeAttr *Attr, StringRef label) {
+    printCommon(Attr, "safe_attr", label);
+    printFieldQuoted(Attr->message, "message");
+    printFoot();
+  }
   void visitSILGenNameAttr(SILGenNameAttr *Attr, StringRef label) {
     printCommon(Attr, "silgen_name_attr", label);
     printFlag(Attr->Raw, "raw");

lib/AST/Attr.cpp

@@ -1715,7 +1715,8 @@ StringRef DeclAttribute::getAttrName() const {
     AccessLevel access = cast<AbstractAccessControlAttr>(this)->getAccess();
     return getAccessLevelSpelling(access);
   }
-
+  case DeclAttrKind::Safe:
+    return "safe";
   case DeclAttrKind::SPIAccessControl:
     return "_spi";
   case DeclAttrKind::ReferenceOwnership:

lib/AST/Decl.cpp

@@ -1080,7 +1080,7 @@ bool Decl::isUnsafe() const {
 }
 
 bool Decl::allowsUnsafe() const {
-  return isUnsafe();
+  return getAttrs().hasAttribute<SafeAttr>() || isUnsafe();
 }
 
 Type AbstractFunctionDecl::getThrownInterfaceType() const {

lib/ASTGen/Sources/ASTGen/DeclAttrs.swift

@@ -164,6 +164,8 @@ extension ASTGenVisitor {
         return handle(self.generateProjectedValuePropertyAttr(attribute: node)?.asDeclAttribute)
       case .rawLayout:
         fatalError("unimplemented")
+      case .safe:
+        fatalError("unimplemented")
       case .section:
         return handle(self.generateSectionAttr(attribute: node)?.asDeclAttribute)
       case .semantics:

lib/Parse/ParseDecl.cpp

@@ -3214,6 +3214,69 @@ ParserStatus Parser::parseNewDeclAttribute(DeclAttributes &Attributes,
     break;
   }
 
+  case DeclAttrKind::Safe: {
+    if (!consumeIfAttributeLParen()) {
+      diagnose(Loc, diag::attr_expected_lparen, AttrName,
+               DeclAttribute::isDeclModifier(DK));
+      return makeParserError();
+    }
+
+    StringRef parsedName = Tok.getText();
+    if (!consumeIf(tok::identifier) || parsedName != "unchecked") {
+      diagnose(Loc, diag::safe_attr_unchecked);
+      errorAndSkipUntilConsumeRightParen(*this, AttrName);
+      return makeParserError();
+    }
+
+    StringRef message;
+    if (consumeIf(tok::comma)) {
+      if (!Tok.is(tok::identifier)) {
+        diagnose(Tok, diag::attr_expected_label, "message", AttrName);
+        errorAndSkipUntilConsumeRightParen(*this, AttrName);
+        return makeParserError();
+      }
+
+      StringRef flag = Tok.getText();
+
+      if (flag != "message") {
+        diagnose(Tok.getLoc(), diag::attr_unknown_option, flag, AttrName);
+        errorAndSkipUntilConsumeRightParen(*this, AttrName);
+        return makeParserError();
+      }
+      consumeToken();
+      if (!consumeIf(tok::colon)) {
+        diagnose(Tok.getLoc(), diag::attr_expected_colon_after_label, flag);
+        errorAndSkipUntilConsumeRightParen(*this, AttrName);
+        return makeParserError();
+      }
+      if (!Tok.is(tok::string_literal)) {
+        diagnose(Tok.getLoc(), diag::attr_expected_string_literal, AttrName);
+        errorAndSkipUntilConsumeRightParen(*this, AttrName);
+        return makeParserSuccess();
+      }
+
+      std::optional<StringRef> value =
+          getStringLiteralIfNotInterpolated(Tok.getLoc(), flag);
+      if (!value) {
+        errorAndSkipUntilConsumeRightParen(*this, AttrName);
+        return makeParserError();
+      }
+      consumeToken();
+      message = *value;
+    }
+
+    if (!consumeIf(tok::r_paren)) {
+      diagnose(PreviousLoc, diag::attr_expected_rparen,
+          AttrName, /*isModifier*/false)
+        .fixItInsertAfter(PreviousLoc, ")");
+    }
+    AttrRange = SourceRange(Loc, PreviousLoc);
+
+    if (!DiscardAttribute)
+      Attributes.add(new (Context) SafeAttr(AtLoc, AttrRange, message));
+    break;
+  }
+
   case DeclAttrKind::Section: {
     if (!consumeIfAttributeLParen()) {
       diagnose(Loc, diag::attr_expected_lparen, AttrName,

lib/Sema/TypeCheckAttr.cpp

@@ -387,6 +387,7 @@ class AttributeChecker : public AttributeVisitor<AttributeChecker> {
   void visitWeakLinkedAttr(WeakLinkedAttr *attr);
   void visitSILGenNameAttr(SILGenNameAttr *attr);
   void visitUnsafeAttr(UnsafeAttr *attr);
+  void visitSafeAttr(SafeAttr *attr);
   void visitLifetimeAttr(LifetimeAttr *attr);
   void visitAddressableSelfAttr(AddressableSelfAttr *attr);
 };
@@ -7775,6 +7776,13 @@ void AttributeChecker::visitUnsafeAttr(UnsafeAttr *attr) {
   diagnoseAndRemoveAttr(attr, diag::unsafe_attr_disabled);
 }
 
+void AttributeChecker::visitSafeAttr(SafeAttr *attr) {
+  if (Ctx.LangOpts.hasFeature(Feature::AllowUnsafeAttribute))
+    return;
+
+  diagnoseAndRemoveAttr(attr, diag::unsafe_attr_disabled);
+}
+
 void AttributeChecker::visitLifetimeAttr(LifetimeAttr *attr) {}
 
 void AttributeChecker::visitAddressableSelfAttr(AddressableSelfAttr *attr) {

lib/Sema/TypeCheckDeclOverride.cpp

@@ -1737,6 +1737,7 @@ namespace  {
     UNINTERESTING_ATTR(Lifetime)
     UNINTERESTING_ATTR(AddressableSelf)
     UNINTERESTING_ATTR(Unsafe)
+    UNINTERESTING_ATTR(Safe)
 #undef UNINTERESTING_ATTR
 
     void visitAvailableAttr(AvailableAttr *attr) {