Enable strict memory safety in the Cxx/CxxStdlib modules

DougGregor · DougGregor · commit 89d0277a35cc · 2025-02-26T14:28:30.000-08:00
diff --git a/stdlib/public/Cxx/CMakeLists.txt b/stdlib/public/Cxx/CMakeLists.txt
@@ -23,6 +23,7 @@ add_swift_target_library(swiftCxx STATIC NO_LINK_NAME IS_STDLIB IS_SWIFT_ONLY
     -cxx-interoperability-mode=default
     -enable-experimental-feature Span
     -enable-experimental-feature BuiltinModule
+    -strict-memory-safety
     # This module should not pull in the C++ standard library, so we disable it explicitly.
     # For functionality that depends on the C++ stdlib, use C++ stdlib overlay (`swiftstd` module).
     -Xcc -nostdinc++
diff --git a/stdlib/public/Cxx/CxxSpan.swift b/stdlib/public/Cxx/CxxSpan.swift
@@ -63,26 +63,26 @@ extension CxxSpan {
   /// Creates a C++ span from a Swift UnsafeBufferPointer
   @inlinable
   public init(_ unsafeBufferPointer: UnsafeBufferPointer<Element>) {
-    precondition(unsafeBufferPointer.baseAddress != nil, 
+    unsafe precondition(unsafeBufferPointer.baseAddress != nil, 
                   "UnsafeBufferPointer should not point to nil")
-    self.init(unsafeBufferPointer.baseAddress!, Size(unsafeBufferPointer.count))
+    unsafe self.init(unsafeBufferPointer.baseAddress!, Size(unsafeBufferPointer.count))
   }
 
   @inlinable
   public init(_ unsafeMutableBufferPointer: UnsafeMutableBufferPointer<Element>) {
-    precondition(unsafeMutableBufferPointer.baseAddress != nil, 
+    unsafe precondition(unsafeMutableBufferPointer.baseAddress != nil, 
                   "UnsafeMutableBufferPointer should not point to nil")
-    self.init(unsafeMutableBufferPointer.baseAddress!, Size(unsafeMutableBufferPointer.count))
+    unsafe self.init(unsafeMutableBufferPointer.baseAddress!, Size(unsafeMutableBufferPointer.count))
   }
 
   @available(SwiftStdlib 6.1, *)
   @inlinable
   @unsafe
   public init(_ span: Span<Element>) {
-    let (p, c) = unsafeBitCast(span, to: (UnsafeRawPointer?, Int).self)
-    precondition(p != nil, "Span should not point to nil")
-    let binding = p!.bindMemory(to: Element.self, capacity: c)
-    self.init(binding, Size(c))
+    let (p, c) = unsafe unsafeBitCast(span, to: (UnsafeRawPointer?, Int).self)
+    unsafe precondition(p != nil, "Span should not point to nil")
+    let binding = unsafe p!.bindMemory(to: Element.self, capacity: c)
+    unsafe self.init(binding, Size(c))
   }
 }
 
@@ -94,10 +94,10 @@ extension Span {
   public init<T: CxxSpan<Element>>(
     _unsafeCxxSpan span: borrowing T,
   ) {
-    let buffer = UnsafeBufferPointer(start: span.__dataUnsafe(), count: Int(span.size()))
+    let buffer = unsafe UnsafeBufferPointer(start: span.__dataUnsafe(), count: Int(span.size()))
     let newSpan = Span(_unsafeElements: buffer)
     // 'self' is limited to the caller's scope of the variable passed to the 'span' argument.
-    self = _overrideLifetime(newSpan, borrowing: span)
+    self = unsafe _overrideLifetime(newSpan, borrowing: span)
   }
 }
 
@@ -113,8 +113,8 @@ extension CxxMutableSpan {
   /// Creates a C++ span from a Swift UnsafeMutableBufferPointer
   @inlinable
   public init(_ unsafeMutableBufferPointer: UnsafeMutableBufferPointer<Element>) {
-    precondition(unsafeMutableBufferPointer.baseAddress != nil, 
+    unsafe precondition(unsafeMutableBufferPointer.baseAddress != nil, 
                   "UnsafeMutableBufferPointer should not point to nil")
-    self.init(unsafeMutableBufferPointer.baseAddress!, Size(unsafeMutableBufferPointer.count))
+    unsafe self.init(unsafeMutableBufferPointer.baseAddress!, Size(unsafeMutableBufferPointer.count))
   }
 }
diff --git a/stdlib/public/Cxx/UnsafeCxxIterators.swift b/stdlib/public/Cxx/UnsafeCxxIterators.swift
@@ -34,9 +34,9 @@ public protocol UnsafeCxxInputIterator: Equatable {
   func successor() -> Self
 }
 
-extension UnsafePointer: UnsafeCxxInputIterator {}
+extension UnsafePointer: @unsafe UnsafeCxxInputIterator {}
 
-extension UnsafeMutablePointer: UnsafeCxxInputIterator {}
+extension UnsafeMutablePointer: @unsafe UnsafeCxxInputIterator {}
 
 extension Optional: UnsafeCxxInputIterator where Wrapped: UnsafeCxxInputIterator {
   public typealias Pointee = Wrapped.Pointee
@@ -79,9 +79,9 @@ public protocol UnsafeCxxRandomAccessIterator: UnsafeCxxInputIterator {
   static func +=(lhs: inout Self, rhs: Distance)
 }
 
-extension UnsafePointer: UnsafeCxxRandomAccessIterator {}
+extension UnsafePointer: @unsafe UnsafeCxxRandomAccessIterator {}
 
-extension UnsafeMutablePointer: UnsafeCxxRandomAccessIterator {}
+extension UnsafeMutablePointer: @unsafe UnsafeCxxRandomAccessIterator {}
 
 public protocol UnsafeCxxMutableRandomAccessIterator:
 UnsafeCxxRandomAccessIterator, UnsafeCxxMutableInputIterator {}
diff --git a/stdlib/public/Cxx/std/CMakeLists.txt b/stdlib/public/Cxx/std/CMakeLists.txt
@@ -60,6 +60,8 @@ add_swift_target_library(swiftCxxStdlib STATIC NO_LINK_NAME IS_STDLIB IS_SWIFT_O
     # using C++ symbols in resilient overlays (see f4204568).
     -enable-experimental-feature AssumeResilientCxxTypes
 
+    -strict-memory-safety
+
     # The varying modularization of the C++ standard library on different
     # platforms makes it difficult to enable MemberImportVisibility for this
     # module
diff --git a/stdlib/public/Cxx/std/String.swift b/stdlib/public/Cxx/std/String.swift
