OSSA: Add requirements on Unowned uses.

Clarify which uses are allowed to take Unowned values. Add enforcement
to ensure that Unowned values are not passed to other uses.

Operations that can take unowned are:

- copy_value
- apply/return @unowned argument
- aggregates (struct, tuple, destructure, phi)
- forwarding operations that are arbitrary type casts

Unowned values are currently borrowed within ObjC deinitializers
materialized by the Swift compiler. This will be banned as soon as
SILGen is fixed.

Author: atrick

include/swift/SIL/SILValue.h

@@ -288,7 +288,10 @@ struct ValueOwnershipKind {
     llvm_unreachable("covered switch");
   }
 
-  OperandOwnership getForwardingOperandOwnership() const;
+  /// Return the OperandOwnership for a forwarded operand when the forwarded
+  /// result has this ValueOwnershipKind. \p allowUnowned is true for a subset
+  /// of forwarding operations that are allowed to propagate Unowned values.
+  OperandOwnership getForwardingOperandOwnership(bool allowUnowned) const;
 
   /// Returns true if \p Other can be merged successfully with this, implying
   /// that the two ownership kinds are "compatibile".
@@ -626,25 +629,35 @@ enum class OperandOwnership {
   /// ownership but are otherwise not verified.
   None,
 
-  /// MARK: Uses of any ownership values:
-
-  /// Point-in-time use. Uses the value instantaneously.
-  /// (copy_value, single-instruction apply with @guaranteed argument)
+  /// Use the value only for the duration of the operation, which may have side
+  /// effects. Requires an owned or guaranteed value.
+  /// (single-instruction apply with @guaranteed argument)
   InstantaneousUse,
-  // FIXME: The PointerEscape category should be eliminated. All pointer escapes
-  // should be InteriorPointer, guarded by a borrow scope.
+
+  /// MARK: Uses of Any ownership values:
+
+  /// Use a value without requiring or propagating ownership. The operation may
+  /// not have side-effects that could affect ownership. This is limited to a
+  /// small number of operations that are allowed to take Unowned values.
+  /// (copy_value, single-instruction apply with @unowned argument))
+  UnownedInstantaneousUse,
+
+  /// Forwarding instruction with an Unowned result. Its operands may have any
+  /// ownership.
+  ForwardingUnowned,
+
+  // Escape a pointer into a value in a way that cannot be tracked or verified.
+  //
+  // TODO: Eliminate the PointerEscape category. All pointer escapes should be
+  // InteriorPointer, guarded by a borrow scope, and verified.
   PointerEscape,
+
   /// Bitwise escape. Escapes the nontrivial contents of the value.
   /// OSSA does not enforce the lifetime of the escaping bits.
   /// The programmer must explicitly force lifetime extension.
   /// (ref_to_unowned, unchecked_trivial_bitcast)
   BitwiseEscape,
 
-  /// MARK: Uses of Unowned values:
-
-  /// Forwarding instruction with an Unowned result must have Unowned operands.
-  ForwardingUnowned,
-
   /// MARK: Uses of Owned values:
 
   /// Borrow. Propagates the owned value within a scope, without consuming it.
@@ -663,8 +676,10 @@ enum class OperandOwnership {
   /// scope, without ending the outer borrow scope, following stack discipline.
   /// (begin_borrow, begin_apply with @guaranteed).
   NestedBorrow,
-  /// Interior Pointer. Propagates an address into the guaranteed value within
-  /// the base's borrow scope.  (ref_element_addr, open_existential_box)
+  /// Interior Pointer. Propagates a trivial value (e.g. address, pointer, or
+  /// no-escape closure) that depends on the guaranteed value within the base's
+  /// borrow scope. The verifier checks that all uses of the trivial value are
+  /// in scope.  (ref_element_addr, open_existential_box)
   InteriorPointer,
   /// Forwarded Borrow. Propagates the guaranteed value within the base's
   /// borrow scope.
@@ -692,11 +707,11 @@ getOwnershipConstraint(OperandOwnership operandOwnership) {
   case OperandOwnership::None:
     return {OwnershipKind::None, UseLifetimeConstraint::NonLifetimeEnding};
   case OperandOwnership::InstantaneousUse:
+  case OperandOwnership::UnownedInstantaneousUse:
+  case OperandOwnership::ForwardingUnowned:
   case OperandOwnership::PointerEscape:
   case OperandOwnership::BitwiseEscape:
     return {OwnershipKind::Any, UseLifetimeConstraint::NonLifetimeEnding};
-  case OperandOwnership::ForwardingUnowned:
-    return {OwnershipKind::Unowned, UseLifetimeConstraint::NonLifetimeEnding};
   case OperandOwnership::Borrow:
     return {OwnershipKind::Owned, UseLifetimeConstraint::NonLifetimeEnding};
   case OperandOwnership::DestroyingConsume:
@@ -713,20 +728,27 @@ getOwnershipConstraint(OperandOwnership operandOwnership) {
   }
 }
 
-// Forwarding instructions have a dynamic ownership kind. Their forwarded
-// operand constraint depends on that dynamic result ownership. If the result is
-// owned, then the instruction moves owned operand to its result, ending its
-// lifetime. If the result is guaranteed value, then the instruction propagates
-// the lifetime of its borrows operand through its result.
+/// Return the OperandOwnership for a forwarded operand when the forwarded
+/// result has this ValueOwnershipKind. \p allowUnowned is true for a subset
+/// of forwarding operations that are allowed to propagate Unowned values.
+///
+/// The ownership of a forwarded value is derived from the forwarding
+/// instruction's constant ownership attribute. If the result is owned, then the
+/// instruction moves owned operand to its result, ending its lifetime. If the
+/// result is guaranteed value, then the instruction propagates the lifetime of
+/// its borrows operand through its result.
 inline OperandOwnership
-ValueOwnershipKind::getForwardingOperandOwnership() const {
+ValueOwnershipKind::getForwardingOperandOwnership(bool allowUnowned) const {
   switch (value) {
   case OwnershipKind::Any:
     llvm_unreachable("invalid value ownership");
+  case OwnershipKind::Unowned:
+    if (allowUnowned) {
+      return OperandOwnership::ForwardingUnowned;
+    }
+    llvm_unreachable("invalid value ownership");
   case OwnershipKind::None:
     return OperandOwnership::None;
-  case OwnershipKind::Unowned:
-    return OperandOwnership::ForwardingUnowned;
   case OwnershipKind::Guaranteed:
     return OperandOwnership::ForwardingBorrow;
   case OwnershipKind::Owned:
@@ -829,8 +851,8 @@ class Operand {
   }
 
   /// Returns true if changing the operand to use a value with the given
-  /// ownership kind would not cause the operand to violate the operand's
-  /// ownership constraints. Returns false otherwise.
+  /// ownership kind, without rewriting the instruction, would not cause the
+  /// operand to violate the operand's ownership constraints.
   bool canAcceptKind(ValueOwnershipKind kind) const;
 
   /// Returns true if this operand and its value satisfy the operand's

lib/SIL/IR/OperandOwnership.cpp

@@ -179,26 +179,18 @@ OPERAND_OWNERSHIP(None, UnconditionalCheckedCastAddr)
 OPERAND_OWNERSHIP(None, AllocValueBuffer)
 OPERAND_OWNERSHIP(None, DeallocValueBuffer)
 
-// Point-in-time uses of any ownership.
-OPERAND_OWNERSHIP(InstantaneousUse, CopyValue)
-OPERAND_OWNERSHIP(InstantaneousUse, DebugValue)
+// Use an owned or guaranteed value only for the duration of the operation.
 OPERAND_OWNERSHIP(InstantaneousUse, ExistentialMetatype)
 OPERAND_OWNERSHIP(InstantaneousUse, FixLifetime)
 OPERAND_OWNERSHIP(InstantaneousUse, WitnessMethod)
 OPERAND_OWNERSHIP(InstantaneousUse, DynamicMethodBranch)
 OPERAND_OWNERSHIP(InstantaneousUse, ValueMetatype)
 OPERAND_OWNERSHIP(InstantaneousUse, IsEscapingClosure)
 OPERAND_OWNERSHIP(InstantaneousUse, ClassMethod)
-OPERAND_OWNERSHIP(InstantaneousUse, ObjCMethod)
-OPERAND_OWNERSHIP(InstantaneousUse, ObjCSuperMethod)
 OPERAND_OWNERSHIP(InstantaneousUse, SuperMethod)
 OPERAND_OWNERSHIP(InstantaneousUse, BridgeObjectToWord)
 OPERAND_OWNERSHIP(InstantaneousUse, ClassifyBridgeObject)
-OPERAND_OWNERSHIP(InstantaneousUse, CopyBlock)
 OPERAND_OWNERSHIP(InstantaneousUse, SetDeallocating)
-OPERAND_OWNERSHIP(InstantaneousUse, UnmanagedRetainValue)
-OPERAND_OWNERSHIP(InstantaneousUse, UnmanagedReleaseValue)
-OPERAND_OWNERSHIP(InstantaneousUse, UnmanagedAutoreleaseValue)
 #define ALWAYS_OR_SOMETIMES_LOADABLE_CHECKED_REF_STORAGE(Name, ...)            \
   OPERAND_OWNERSHIP(InstantaneousUse, RefTo##Name)                             \
   OPERAND_OWNERSHIP(InstantaneousUse, Name##ToRef)                             \
@@ -208,6 +200,16 @@ OPERAND_OWNERSHIP(InstantaneousUse, UnmanagedAutoreleaseValue)
   OPERAND_OWNERSHIP(InstantaneousUse, StrongCopy##Name##Value)
 #include "swift/AST/ReferenceStorage.def"
 
+// Unowned uses ignore the value's ownership
+OPERAND_OWNERSHIP(UnownedInstantaneousUse, DebugValue)
+OPERAND_OWNERSHIP(UnownedInstantaneousUse, CopyBlock)
+OPERAND_OWNERSHIP(UnownedInstantaneousUse, CopyValue)
+OPERAND_OWNERSHIP(UnownedInstantaneousUse, ObjCMethod)
+OPERAND_OWNERSHIP(UnownedInstantaneousUse, ObjCSuperMethod)
+OPERAND_OWNERSHIP(UnownedInstantaneousUse, UnmanagedRetainValue)
+OPERAND_OWNERSHIP(UnownedInstantaneousUse, UnmanagedReleaseValue)
+OPERAND_OWNERSHIP(UnownedInstantaneousUse, UnmanagedAutoreleaseValue)
+
 // Instructions that currently violate structural ownership requirements,
 // and therefore completely defeat canonicalization and optimization of any
 // OSSA value that they use.
@@ -278,39 +280,63 @@ OPERAND_OWNERSHIP(EndBorrow, EndBorrow)
 
 #undef OPERAND_OWNERSHIP
 
-// Conditionally either ForwardingConsume or ForwardingBorrow, depending on
-// instruction result's dynamic ownership kind.
-#define FORWARD_ANY_OWNERSHIP(INST)                                            \
-  OperandOwnership                                                             \
-  OperandOwnershipClassifier::visit##INST##Inst(INST##Inst *i) {               \
-    return i->getOwnershipKind().getForwardingOperandOwnership();              \
+// Forwarding operations are conditionally either ForwardingConsumes or
+// ForwardingBorrows, depending on the instruction's constant ownership
+// attribute.
+#define FORWARDING_OWNERSHIP(INST)                                             \
+  OperandOwnership OperandOwnershipClassifier::visit##INST##Inst(              \
+      INST##Inst *i) {                                                         \
+    return i->getOwnershipKind().getForwardingOperandOwnership(         \
+      /*allowUnowned*/false);                                           \
+  }
+FORWARDING_OWNERSHIP(Object)
+FORWARDING_OWNERSHIP(OpenExistentialRef)
+FORWARDING_OWNERSHIP(ConvertFunction)
+FORWARDING_OWNERSHIP(RefToBridgeObject)
+FORWARDING_OWNERSHIP(BridgeObjectToRef)
+FORWARDING_OWNERSHIP(UnconditionalCheckedCast)
+FORWARDING_OWNERSHIP(InitExistentialRef)
+FORWARDING_OWNERSHIP(DifferentiableFunction)
+FORWARDING_OWNERSHIP(LinearFunction)
+#undef FORWARDING_OWNERSHIP
+
+// Arbitrary value casts are forwarding instructions that are also allowed to
+// propagate Unowned values. If the result is Unowned, then the operand must
+// also be Unowned.
+#define FORWARDING_ANY_OWNERSHIP(INST)                                         \
+  OperandOwnership OperandOwnershipClassifier::visit##INST##Inst(              \
+      INST##Inst *i) {                                                         \
+    return i->getOwnershipKind().getForwardingOperandOwnership(         \
+      /*allowUnowned*/true);                                            \
   }
-FORWARD_ANY_OWNERSHIP(Object)
-FORWARD_ANY_OWNERSHIP(Enum)
-FORWARD_ANY_OWNERSHIP(OpenExistentialRef)
-FORWARD_ANY_OWNERSHIP(Upcast)
-FORWARD_ANY_OWNERSHIP(UncheckedRefCast)
-FORWARD_ANY_OWNERSHIP(ConvertFunction)
-FORWARD_ANY_OWNERSHIP(RefToBridgeObject)
-FORWARD_ANY_OWNERSHIP(BridgeObjectToRef)
-FORWARD_ANY_OWNERSHIP(UnconditionalCheckedCast)
-FORWARD_ANY_OWNERSHIP(UncheckedEnumData)
-FORWARD_ANY_OWNERSHIP(InitExistentialRef)
-FORWARD_ANY_OWNERSHIP(DifferentiableFunction)
-FORWARD_ANY_OWNERSHIP(LinearFunction)
-FORWARD_ANY_OWNERSHIP(UncheckedValueCast)
-FORWARD_ANY_OWNERSHIP(SwitchEnum)
-FORWARD_ANY_OWNERSHIP(CheckedCastBranch)
-FORWARD_ANY_OWNERSHIP(Return)
-
-// FIXME: Guaranteed Tuple, Struct, and Destructure should be Reborrow, not
-// ForwardingBorrow, because the borrowed value is different on either side of
-// the operation and the lifetimes of borrowed members could differ.
-FORWARD_ANY_OWNERSHIP(Tuple)
-FORWARD_ANY_OWNERSHIP(Struct)
-FORWARD_ANY_OWNERSHIP(DestructureStruct)
-FORWARD_ANY_OWNERSHIP(DestructureTuple)
-#undef FORWARD_ANY_OWNERSHIP
+FORWARDING_ANY_OWNERSHIP(Upcast)
+FORWARDING_ANY_OWNERSHIP(UncheckedRefCast)
+FORWARDING_ANY_OWNERSHIP(UncheckedValueCast)
+FORWARDING_ANY_OWNERSHIP(CheckedCastBranch)
+#undef FORWARDING_ANY_OWNERSHIP
+
+// Any valid ownership kind can be combined with values of None ownership, but
+// they cannot be combined with each other. An aggregates result ownership is
+// the meet of its operands' ownership. A destructured member has the same
+// ownership as its aggregate unless its type gives it None ownership.
+//
+// TODO: Aggregate operations should be Reborrows, not ForwardingBorrows,
+// because the borrowed value is different on either side of the operation and
+// the lifetimes of borrowed members could differ.
+#define AGGREGATE_OWNERSHIP(INST)                                              \
+  OperandOwnership OperandOwnershipClassifier::visit##INST##Inst(              \
+      INST##Inst *i) {                                                         \
+    return i->getOwnershipKind().getForwardingOperandOwnership(         \
+      /*allowUnowned*/true);                                            \
+  }
+AGGREGATE_OWNERSHIP(Tuple)
+AGGREGATE_OWNERSHIP(Struct)
+AGGREGATE_OWNERSHIP(DestructureStruct)
+AGGREGATE_OWNERSHIP(DestructureTuple)
+AGGREGATE_OWNERSHIP(Enum)
+AGGREGATE_OWNERSHIP(UncheckedEnumData)
+AGGREGATE_OWNERSHIP(SwitchEnum)
+#undef AGGREGATE_OWNERSHIP
 
 // A begin_borrow is conditionally nested.
 OperandOwnership
@@ -321,7 +347,10 @@ OperandOwnershipClassifier::visitBeginBorrowInst(BeginBorrowInst *borrow) {
   case OwnershipKind::None:
     return OperandOwnership::None;
   case OwnershipKind::Unowned:
-    return OperandOwnership::InstantaneousUse;
+    // FIXME: disallow borrowing an Unowned value. Temporarily model it as an
+    // instantaneous use until SILGenFunction::emitClassMemberDestruction is
+    // fixed.
+    return OperandOwnership::UnownedInstantaneousUse;
   case OwnershipKind::Guaranteed:
     return OperandOwnership::NestedBorrow;
   case OwnershipKind::Owned:
@@ -344,17 +373,21 @@ OperandOwnershipClassifier::visitSelectEnumInst(SelectEnumInst *i) {
   if (getValue() == i->getEnumOperand()) {
     return OperandOwnership::InstantaneousUse;
   }
-  return getOwnershipKind().getForwardingOperandOwnership();
+  return getOwnershipKind().getForwardingOperandOwnership(
+    /*allowUnowned*/true);
 }
 
 OperandOwnership OperandOwnershipClassifier::visitBranchInst(BranchInst *bi) {
   ValueOwnershipKind destBlockArgOwnershipKind =
       bi->getDestBB()->getArgument(getOperandIndex())->getOwnershipKind();
 
+  // FIXME: remove this special case once all aggregate operations behave just
+  // like phis.
   if (destBlockArgOwnershipKind == OwnershipKind::Guaranteed) {
     return OperandOwnership::Reborrow;
   }
-  return destBlockArgOwnershipKind.getForwardingOperandOwnership();
+  return destBlockArgOwnershipKind.getForwardingOperandOwnership(
+    /*allowUnowned*/true);
 }
 
 OperandOwnership
@@ -378,9 +411,11 @@ static OperandOwnership getFunctionArgOwnership(SILArgumentConvention argConv) {
   case SILArgumentConvention::Indirect_In_Constant:
   case SILArgumentConvention::Indirect_In_Guaranteed:
   case SILArgumentConvention::Direct_Guaranteed:
-  case SILArgumentConvention::Direct_Unowned:
     return OperandOwnership::InstantaneousUse;
 
+  case SILArgumentConvention::Direct_Unowned:
+    return OperandOwnership::UnownedInstantaneousUse;
+
   case SILArgumentConvention::Indirect_Out:
   case SILArgumentConvention::Indirect_Inout:
   case SILArgumentConvention::Indirect_InoutAliasable:
@@ -445,6 +480,20 @@ OperandOwnership OperandOwnershipClassifier::visitYieldInst(YieldInst *i) {
   return getFunctionArgOwnership(argConv);
 }
 
+OperandOwnership OperandOwnershipClassifier::visitReturnInst(ReturnInst *i) {
+  switch (i->getOwnershipKind()) {
+  case OwnershipKind::Any:
+  case OwnershipKind::Guaranteed:
+    llvm_unreachable("invalid value ownership");
+  case OwnershipKind::None:
+    return OperandOwnership::None;
+  case OwnershipKind::Unowned:
+    return OperandOwnership::UnownedInstantaneousUse;
+  case OwnershipKind::Owned:
+    return OperandOwnership::ForwardingConsume;
+  }
+}
+
 OperandOwnership OperandOwnershipClassifier::visitAssignInst(AssignInst *i) {
   if (getValue() != i->getSrc()) {
     return OperandOwnership::None;
@@ -476,14 +525,15 @@ OperandOwnership OperandOwnershipClassifier::visitCopyBlockWithoutEscapingInst(
   if (getValue() == i->getClosure()) {
     return OperandOwnership::ForwardingConsume;
   }
-  return OperandOwnership::InstantaneousUse;
+  return OperandOwnership::UnownedInstantaneousUse;
 }
 
 OperandOwnership
 OperandOwnershipClassifier::visitMarkDependenceInst(MarkDependenceInst *mdi) {
   // If we are analyzing "the value", we forward ownership.
   if (getValue() == mdi->getValue()) {
-    return getOwnershipKind().getForwardingOperandOwnership();
+    return getOwnershipKind().getForwardingOperandOwnership(
+      /*allowUnowned*/true);
   }
   // FIXME: Add an end_dependence instruction so we can treat mark_dependence as
   // a borrow of the base (mark_dependence %base -> end_dependence is analogous