[Strict memory safety] Remove now-extraneous "unsafe" from the standard libraries

Now that we aren't propagating "unsafe" to nested types, remove
unnecessary "unsafe" keywords from the standard library.

Author: DougGregor

stdlib/public/Concurrency/Deque/Deque+UnsafeHandle.swift

@@ -63,7 +63,7 @@ extension _Deque._UnsafeHandle {
 
   var startSlot: Slot {
     get { unsafe _header.pointee.startSlot }
-    nonmutating set { unsafe _header.pointee.startSlot = unsafe newValue }
+    nonmutating set { unsafe _header.pointee.startSlot = newValue }
   }
 
   func ptr(at slot: Slot) -> UnsafeMutablePointer<Element> {
@@ -99,28 +99,28 @@ extension _Deque._UnsafeHandle {
 
   internal func slot(after slot: Slot) -> Slot {
     unsafe assert(slot.position < capacity)
-    let position = unsafe slot.position + 1
+    let position = slot.position + 1
     if unsafe position >= capacity {
-      return unsafe Slot(at: 0)
+      return Slot(at: 0)
     }
-    return unsafe Slot(at: position)
+    return Slot(at: position)
   }
 
   internal func slot(before slot: Slot) -> Slot {
     unsafe assert(slot.position < capacity)
-    if unsafe slot.position == 0 { return unsafe Slot(at: capacity - 1) }
-    return unsafe Slot(at: slot.position - 1)
+    if slot.position == 0 { return unsafe Slot(at: capacity - 1) }
+    return Slot(at: slot.position - 1)
   }
 
   internal func slot(_ slot: Slot, offsetBy delta: Int) -> Slot {
     unsafe assert(slot.position <= capacity)
-    let position = unsafe slot.position + delta
+    let position = slot.position + delta
     if delta >= 0 {
       if unsafe position >= capacity { return unsafe Slot(at: position - capacity) }
     } else {
       if position < 0 { return unsafe Slot(at: position + capacity) }
     }
-    return unsafe Slot(at: position)
+    return Slot(at: position)
   }
 
   internal var endSlot: Slot {
@@ -139,7 +139,7 @@ extension _Deque._UnsafeHandle {
     // random-access subscript operations. (Up to 2x on some microbenchmarks.)
     let position = unsafe startSlot.position &+ offset
     guard unsafe position < capacity else { return unsafe Slot(at: position &- capacity) }
-    return unsafe Slot(at: position)
+    return Slot(at: position)
   }
 }
 
@@ -199,9 +199,9 @@ extension _Deque._UnsafeHandle {
     from source: UnsafeBufferPointer<Element>
   ) -> Slot {
     unsafe assert(start.position + source.count <= capacity)
-    guard source.count > 0 else { return unsafe start }
+    guard source.count > 0 else { return start }
     unsafe ptr(at: start).initialize(from: source.baseAddress!, count: source.count)
-    return unsafe Slot(at: start.position + source.count)
+    return Slot(at: start.position + source.count)
   }
 
   @discardableResult
@@ -210,9 +210,9 @@ extension _Deque._UnsafeHandle {
     from source: UnsafeMutableBufferPointer<Element>
   ) -> Slot {
     unsafe assert(start.position + source.count <= capacity)
-    guard source.count > 0 else { return unsafe start }
+    guard source.count > 0 else { return start }
     unsafe ptr(at: start).moveInitialize(from: source.baseAddress!, count: source.count)
-    return unsafe Slot(at: start.position + source.count)
+    return Slot(at: start.position + source.count)
   }
 
   @discardableResult
@@ -224,7 +224,7 @@ extension _Deque._UnsafeHandle {
     assert(count >= 0)
     unsafe assert(source.position + count <= self.capacity)
     unsafe assert(target.position + count <= self.capacity)
-    guard count > 0 else { return unsafe (source, target) }
+    guard count > 0 else { return (source, target) }
     unsafe ptr(at: target).moveInitialize(from: ptr(at: source), count: count)
     return unsafe (slot(source, offsetBy: count), slot(target, offsetBy: count))
   }
@@ -451,7 +451,7 @@ extension _Deque._UnsafeHandle {
   ) -> _UnsafeMutableWrappedBuffer<Element> {
     unsafe assert(start.position <= capacity)
     unsafe assert(end.position <= capacity)
-    if unsafe start < end {
+    if start < end {
       return unsafe .init(start: ptr(at: start), count: end.position - start.position)
     }
     return unsafe .init(

stdlib/public/Synchronization/Atomics/AtomicPointers.swift

@@ -822,7 +822,7 @@ extension UnsafeBufferPointer: @unsafe AtomicRepresentable where Element: ~Copya
   public static func decodeAtomicRepresentation(
     _ representation: consuming AtomicRepresentation
   ) -> UnsafeBufferPointer<Element> {
-    let wp = unsafe WordPair.decodeAtomicRepresentation(representation)
+    let wp = WordPair.decodeAtomicRepresentation(representation)
 
     return unsafe UnsafeBufferPointer<Element>(
       start: UnsafePointer<Element>(bitPattern: wp.first),
@@ -890,7 +890,7 @@ where Element: ~Copyable
   public static func decodeAtomicRepresentation(
     _ representation: consuming AtomicRepresentation
   ) -> UnsafeMutableBufferPointer<Element> {
-    let wp = unsafe WordPair.decodeAtomicRepresentation(representation)
+    let wp = WordPair.decodeAtomicRepresentation(representation)
 
     return unsafe UnsafeMutableBufferPointer<Element>(
       start: UnsafeMutablePointer<Element>(bitPattern: wp.first),
@@ -956,7 +956,7 @@ extension UnsafeRawBufferPointer: @unsafe AtomicRepresentable {
   public static func decodeAtomicRepresentation(
     _ representation: consuming AtomicRepresentation
   ) -> UnsafeRawBufferPointer {
-    let wp = unsafe WordPair.decodeAtomicRepresentation(representation)
+    let wp = WordPair.decodeAtomicRepresentation(representation)
 
     return unsafe UnsafeRawBufferPointer(
       start: UnsafeRawPointer(bitPattern: wp.first),
@@ -1022,7 +1022,7 @@ extension UnsafeMutableRawBufferPointer: @unsafe AtomicRepresentable {
   public static func decodeAtomicRepresentation(
     _ representation: consuming AtomicRepresentation
   ) -> UnsafeMutableRawBufferPointer {
-    let wp = unsafe WordPair.decodeAtomicRepresentation(representation)
+    let wp = WordPair.decodeAtomicRepresentation(representation)
 
     return unsafe UnsafeMutableRawBufferPointer(
       start: UnsafeMutableRawPointer(bitPattern: wp.first),

stdlib/public/core/ArrayBuffer.swift

@@ -330,7 +330,7 @@ extension _ArrayBuffer {
       .assumingMemoryBound(to: AnyObject.self)
     let (_, c) = unsafe _nonNative._copyContents(
       initializing: UnsafeMutableBufferPointer(start: ptr, count: buffer.count))
-    return unsafe (IndexingIterator(_elements: self, _position: c), c)
+    return (IndexingIterator(_elements: self, _position: c), c)
   }
 
   /// Returns a `_SliceBuffer` containing the given sub-range of elements in

stdlib/public/core/CollectionAlgorithms.swift

@@ -402,7 +402,7 @@ extension MutableCollection where Self: BidirectionalCollection {
       (bufferPointer) -> Int in
       let unsafeBufferPivot = try unsafe bufferPointer._partitionImpl(
         by: belongsInSecondPartition)
-      return unsafe unsafeBufferPivot - bufferPointer.startIndex
+      return unsafeBufferPivot - bufferPointer.startIndex
     }
     if let offset = maybeOffset {
       return index(startIndex, offsetBy: offset)

stdlib/public/core/SmallString.swift

@@ -147,7 +147,7 @@ extension _SmallString {
     var copy = self
     unsafe withUnsafeBytes(of: &copy._storage) {
       unsafe _internalInvariant(
-        $0[count..<_SmallString.capacity].allSatisfy { unsafe $0 == 0 })
+        $0[count..<_SmallString.capacity].allSatisfy { $0 == 0 })
     }
   }
   #endif // INTERNAL_CHECKS_ENABLED

stdlib/public/core/Sort.swift

@@ -530,10 +530,10 @@ extension UnsafeMutableBufferPointer {
     buffer: UnsafeMutablePointer<Element>,
     by areInIncreasingOrder: (Element, Element) throws -> Bool
   ) rethrows -> Bool {
-    unsafe _internalInvariant(runs[i - 1].upperBound == runs[i].lowerBound)
-    let low = unsafe runs[i - 1].lowerBound
-    let middle = unsafe runs[i].lowerBound
-    let high = unsafe runs[i].upperBound
+    _internalInvariant(runs[i - 1].upperBound == runs[i].lowerBound)
+    let low = runs[i - 1].lowerBound
+    let middle = runs[i].lowerBound
+    let high = runs[i].upperBound
 
     try unsafe _merge(
       low: baseAddress! + low,
@@ -542,8 +542,8 @@ extension UnsafeMutableBufferPointer {
       buffer: buffer,
       by: areInIncreasingOrder)
 
-    unsafe runs[i - 1] = unsafe low..<high
-    unsafe runs.remove(at: i)
+    runs[i - 1] = low..<high
+    runs.remove(at: i)
 
     return true
   }
@@ -588,30 +588,30 @@ extension UnsafeMutableBufferPointer {
     // for the entirety of `runs`.
 
     // The invariant is always in place for a single element.
-    while unsafe runs.count > 1 {
-      var lastIndex = unsafe runs.count - 1
+    while runs.count > 1 {
+      var lastIndex = runs.count - 1
 
       // Check for the three invariant-breaking conditions, and break out of
       // the while loop if none are met.
-      if unsafe lastIndex >= 3 &&
+      if lastIndex >= 3 &&
         (runs[lastIndex - 3].count <=
           runs[lastIndex - 2].count + runs[lastIndex - 1].count)
       {
         // Second-to-last three runs do not follow W > X + Y.
         // Always merge Y with the smaller of X or Z.
-        if unsafe runs[lastIndex - 2].count < runs[lastIndex].count {
+        if runs[lastIndex - 2].count < runs[lastIndex].count {
           lastIndex -= 1
         }
-      } else if unsafe lastIndex >= 2 &&
+      } else if lastIndex >= 2 &&
         (runs[lastIndex - 2].count <=
           runs[lastIndex - 1].count + runs[lastIndex].count)
       {
         // Last three runs do not follow X > Y + Z.
         // Always merge Y with the smaller of X or Z.
-        if unsafe runs[lastIndex - 2].count < runs[lastIndex].count {
+        if runs[lastIndex - 2].count < runs[lastIndex].count {
           lastIndex -= 1
         }
-      } else if unsafe runs[lastIndex - 1].count <= runs[lastIndex].count {
+      } else if runs[lastIndex - 1].count <= runs[lastIndex].count {
         // Last two runs do not follow Y > Z, so merge Y and Z.
         // This block is intentionally blank--the merge happens below.
       } else {
@@ -645,7 +645,7 @@ extension UnsafeMutableBufferPointer {
     buffer: UnsafeMutablePointer<Element>,
     by areInIncreasingOrder: (Element, Element) throws -> Bool
   ) rethrows -> Bool {
-    while unsafe runs.count > 1 {
+    while runs.count > 1 {
       try unsafe _mergeRuns(
         &runs, at: runs.count - 1, buffer: buffer, by: areInIncreasingOrder)
     }
@@ -677,7 +677,7 @@ extension UnsafeMutableBufferPointer {
     // closure, since the buffer is guaranteed to be uninitialized at exit.
     _ = try unsafe Array<Element>(_unsafeUninitializedCapacity: count / 2) {
       buffer, _ in
-      var runs: [Range<Index>] = unsafe []
+      var runs: [Range<Index>] = []
 
       var start = startIndex
       while start < endIndex {
@@ -690,24 +690,24 @@ extension UnsafeMutableBufferPointer {
 
         // If the current run is shorter than the minimum length, use the
         // insertion sort to extend it.
-        if unsafe end < endIndex && end - start < minimumRunLength {
+        if end < endIndex && end - start < minimumRunLength {
           let newEnd = Swift.min(endIndex, start + minimumRunLength)
           try unsafe _insertionSort(
             within: start..<newEnd, sortedEnd: end, by: areInIncreasingOrder)
-          unsafe end = newEnd
+          end = newEnd
         }
 
         // Append this run and merge down as needed to maintain the `runs`
         // invariants.
-        unsafe runs.append(start..<end)
+        runs.append(start..<end)
         try unsafe _mergeTopRuns(
           &runs, buffer: buffer.baseAddress!, by: areInIncreasingOrder)
-        start = unsafe end
+        start = end
       }
 
       try unsafe _finalizeRuns(
         &runs, buffer: buffer.baseAddress!, by: areInIncreasingOrder)
-      unsafe _internalInvariant(runs.count == 1, "Didn't complete final merge")
+      _internalInvariant(runs.count == 1, "Didn't complete final merge")
     }
   }
 }

stdlib/public/core/StringUTF8Validation.swift

@@ -160,11 +160,11 @@ internal func validateUTF8(_ buf: UnsafeBufferPointer<UInt8>) -> UTF8ValidationR
   func _legacyNarrowIllegalRange(buf: Slice<UnsafeBufferPointer<UInt8>>) -> Range<Int> {
     var reversePacked: UInt32 = 0
     if let third = unsafe buf.dropFirst(2).first {
-      unsafe reversePacked |= UInt32(third)
+      reversePacked |= UInt32(third)
       reversePacked <<= 8
     }
     if let second = unsafe buf.dropFirst().first {
-      unsafe reversePacked |= UInt32(second)
+      reversePacked |= UInt32(second)
       reversePacked <<= 8
     }
     unsafe reversePacked |= UInt32(buf.first!)
@@ -177,8 +177,8 @@ internal func validateUTF8(_ buf: UnsafeBufferPointer<UInt8>) -> UTF8ValidationR
     var endIndex = unsafe buf.startIndex
     var iter = unsafe buf.makeIterator()
     _ = unsafe iter.next()
-    while let cu = unsafe iter.next(), unsafe UTF8.isContinuation(cu) {
-      unsafe endIndex += 1
+    while let cu = unsafe iter.next(), UTF8.isContinuation(cu) {
+      endIndex += 1
       // Unicode's Maximal subpart of an ill-formed subsequence will yield
       // at most 3 bytes of error.
       if unsafe buf.distance(from: buf.startIndex, to: endIndex) >= 3 {

stdlib/public/core/UnsafeBufferPointer.swift.gyb

@@ -1300,7 +1300,7 @@ extension UnsafeMutableBufferPointer where Element: ~Copyable {
   ///   - index: The index of the element to initialize
   @_alwaysEmitIntoClient
   public func initializeElement(at index: Index, to value: consuming Element) {
-    _debugPrecondition(unsafe startIndex <= index && index < endIndex)
+    _debugPrecondition(startIndex <= index && index < endIndex)
     let p = unsafe baseAddress._unsafelyUnwrappedUnchecked.advanced(by: index)
     unsafe p.initialize(to: value)
   }
@@ -1317,7 +1317,7 @@ extension UnsafeMutableBufferPointer where Element: ~Copyable {
   /// - Returns: The instance referenced by this index in this buffer.
   @_alwaysEmitIntoClient
   public func moveElement(from index: Index) -> Element {
-    _debugPrecondition(unsafe startIndex <= index && index < endIndex)
+    _debugPrecondition(startIndex <= index && index < endIndex)
     return unsafe baseAddress._unsafelyUnwrappedUnchecked.advanced(by: index).move()
   }
 
@@ -1331,7 +1331,7 @@ extension UnsafeMutableBufferPointer where Element: ~Copyable {
   ///   - index: The index of the buffer element to deinitialize.
   @_alwaysEmitIntoClient
   public func deinitializeElement(at index: Index) {
-    _debugPrecondition(unsafe startIndex <= index && index < endIndex)
+    _debugPrecondition(startIndex <= index && index < endIndex)
     let p = unsafe baseAddress._unsafelyUnwrappedUnchecked.advanced(by: index)
     unsafe p.deinitialize(count: 1)
   }