Unsafe buffer index manipulation is unsafe

Also mark @safe operations

Author: DougGregor

stdlib/public/core/Array.swift

@@ -1737,7 +1737,7 @@ extension Array {
 
     var it = IndexingIterator(_elements: self)
     it._position = endIndex
-    return (it,buffer.index(buffer.startIndex, offsetBy: self.count))
+    return (it,unsafe buffer.index(buffer.startIndex, offsetBy: self.count))
   }
 }
 

stdlib/public/core/ArraySlice.swift

@@ -1317,7 +1317,7 @@ extension ArraySlice {
 
     var it = IndexingIterator(_elements: self)
     it._position = endIndex
-    return (it,buffer.index(buffer.startIndex, offsetBy: self.count))
+    return (it,unsafe buffer.index(buffer.startIndex, offsetBy: self.count))
   }
 }
 

stdlib/public/core/ContiguousArray.swift

@@ -1257,7 +1257,7 @@ extension ContiguousArray {
 
     var it = IndexingIterator(_elements: self)
     it._position = endIndex
-    return (it,buffer.index(buffer.startIndex, offsetBy: self.count))
+    return (it,unsafe buffer.index(buffer.startIndex, offsetBy: self.count))
   }
 }
 

stdlib/public/core/StringCreate.swift

@@ -349,7 +349,7 @@ extension String {
 
     transcodingLoop:
     while true {
-      switch parser.parseScalar(from: &input) {
+      switch unsafe parser.parseScalar(from: &input) {
       case .valid(let s):
         let scalar = Encoding.decode(s)
         guard let utf8 = Unicode.UTF8.encode(scalar) else {

stdlib/public/core/StringUTF8Validation.swift

@@ -52,7 +52,7 @@ internal func validateUTF8(_ buf: UnsafeBufferPointer<UInt8>) -> UTF8ValidationR
   var lastValidIndex = buf.startIndex
 
   @inline(__always) func guaranteeIn(_ f: (UInt8) -> Bool) throws(UTF8ValidationError) {
-    guard let cu = iter.next() else { throw UTF8ValidationError() }
+    guard let cu = unsafe iter.next() else { throw UTF8ValidationError() }
     guard f(cu) else { throw UTF8ValidationError() }
   }
   @inline(__always) func guaranteeContinuation() throws(UTF8ValidationError) {
@@ -119,7 +119,7 @@ internal func validateUTF8(_ buf: UnsafeBufferPointer<UInt8>) -> UTF8ValidationR
 
   do {
     var isASCII = true
-    while let cu = iter.next() {
+    while let cu = unsafe iter.next() {
       if UTF8.isASCII(cu) { lastValidIndex &+= 1; continue }
       isASCII = false
       if _slowPath(!_isUTF8MultiByteLeading(cu)) {

stdlib/public/core/StringUTF8View.swift

@@ -432,7 +432,7 @@ extension String.UTF8View {
     }
 
     let it = String().utf8.makeIterator()
-    return (it, buffer.index(buffer.startIndex, offsetBy: written))
+    return (it, unsafe buffer.index(buffer.startIndex, offsetBy: written))
   }
 }
 

stdlib/public/core/UnsafeBufferPointer.swift.gyb

@@ -34,13 +34,15 @@ public struct Unsafe${Mutable}BufferPointer<Element: ~Copyable>: Copyable {
 
   @usableFromInline
   @_preInverseGenerics
+  @safe
   let _position: Unsafe${Mutable}Pointer<Element>?
 
   /// The number of elements in the buffer.
   ///
   /// If the `baseAddress` of this buffer is `nil`, the count is zero. However,
   /// a buffer can have a `count` of zero even with a non-`nil` base address.
   @_preInverseGenerics
+  @safe
   public let count: Int
 
   // This works around _debugPrecondition() impacting the performance of
@@ -81,6 +83,7 @@ public struct Unsafe${Mutable}BufferPointer<Element: ~Copyable>: Copyable {
 
   @inlinable // unsafe-performance
   @_preInverseGenerics
+  @safe
   public init(_empty: ()) {
     _position = nil
     count = 0
@@ -105,6 +108,7 @@ public struct Unsafe${Mutable}BufferPointer<Element: ~Copyable>: Copyable {
   /// - Parameter other: The mutable buffer pointer to convert.
   @inlinable // unsafe-performance
   @_preInverseGenerics
+  @safe
   public init(_ other: UnsafeMutableBufferPointer<Element>) {
     _position = UnsafePointer<Element>(other._position)
     count = other.count
@@ -139,6 +143,7 @@ extension UnsafeBufferPointer {
   @frozen // unsafe-performance
   public struct Iterator {
     @usableFromInline
+    @unsafe
     internal var _position, _end: UnsafePointer<Element>?
 
     @inlinable // unsafe-performance
@@ -147,31 +152,32 @@ extension UnsafeBufferPointer {
       _position: UnsafePointer<Element>?,
       _end: UnsafePointer<Element>?
     ) {
-        self._position = _position
-        self._end = _end
+        unsafe self._position = _position
+        unsafe self._end = _end
     }
   }
 }
 
 @available(*, unavailable)
 extension UnsafeBufferPointer.Iterator: Sendable {}
 
-extension UnsafeBufferPointer.Iterator: IteratorProtocol {
+extension UnsafeBufferPointer.Iterator: @unsafe IteratorProtocol {
   /// Advances to the next element and returns it, or `nil` if no next element
   /// exists.
   ///
   /// Once `nil` has been returned, all subsequent calls return `nil`.
   @inlinable // unsafe-performance
+  @unsafe
   public mutating func next() -> Element? {
-    guard let start = _position else {
+    guard let start = unsafe _position else {
       return nil
     }
-    _internalInvariant(_end != nil, "inconsistent _position, _end pointers")
+    _internalInvariant(unsafe _end != nil, "inconsistent _position, _end pointers")
 
-    if start == _end._unsafelyUnwrappedUnchecked { return nil }
+    if unsafe start == _end._unsafelyUnwrappedUnchecked { return nil }
 
     let result = unsafe start.pointee
-    _position  = start + 1
+    unsafe _position  = start + 1
     return result
   }
 }
@@ -213,6 +219,7 @@ extension Unsafe${Mutable}BufferPointer: @unsafe Sequence {
   }
 
   @inlinable
+  @safe
   public func withContiguousStorageIfAvailable<R>(
     _ body: (UnsafeBufferPointer<Element>) throws -> R
   ) rethrows -> R? {
@@ -232,6 +239,7 @@ extension Unsafe${Mutable}BufferPointer where Element: ~Copyable {
   /// - Complexity: O(1)
   @_alwaysEmitIntoClient
   @_preInverseGenerics
+  @safe
   public var isEmpty: Bool { count == 0 }
 
   /// The index of the first element in a nonempty buffer.
@@ -240,6 +248,7 @@ extension Unsafe${Mutable}BufferPointer where Element: ~Copyable {
   /// is always zero.
   @inlinable
   @_preInverseGenerics
+  @safe
   public var startIndex: Int { 0 }
 
   /// The "past the end" position---that is, the position one greater than the
@@ -249,10 +258,12 @@ extension Unsafe${Mutable}BufferPointer where Element: ~Copyable {
   /// always identical to `count`.
   @inlinable
   @_preInverseGenerics
+  @safe
   public var endIndex: Int { count }
 
   @inlinable
   @_preInverseGenerics
+  @unsafe
   public func index(after i: Int) -> Int {
     // NOTE: this is a manual specialization of index movement for a Strideable
     // index that is required for UnsafeBufferPointer performance. The
@@ -271,6 +282,7 @@ extension Unsafe${Mutable}BufferPointer where Element: ~Copyable {
 
   @inlinable
   @_preInverseGenerics
+  @unsafe
   public func formIndex(after i: inout Int) {
     // NOTE: this is a manual specialization of index movement for a Strideable
     // index that is required for UnsafeBufferPointer performance. The
@@ -285,6 +297,7 @@ extension Unsafe${Mutable}BufferPointer where Element: ~Copyable {
 
   @inlinable
   @_preInverseGenerics
+  @unsafe
   public func index(before i: Int) -> Int {
     // NOTE: this is a manual specialization of index movement for a Strideable
     // index that is required for UnsafeBufferPointer performance. The
@@ -299,6 +312,7 @@ extension Unsafe${Mutable}BufferPointer where Element: ~Copyable {
 
   @inlinable
   @_preInverseGenerics
+  @unsafe
   public func formIndex(before i: inout Int) {
     // NOTE: this is a manual specialization of index movement for a Strideable
     // index that is required for UnsafeBufferPointer performance. The
@@ -313,6 +327,7 @@ extension Unsafe${Mutable}BufferPointer where Element: ~Copyable {
 
   @inlinable
   @_preInverseGenerics
+  @unsafe
   public func index(_ i: Int, offsetBy n: Int) -> Int {
     // NOTE: this is a manual specialization of index movement for a Strideable
     // index that is required for UnsafeBufferPointer performance. The
@@ -327,6 +342,7 @@ extension Unsafe${Mutable}BufferPointer where Element: ~Copyable {
 
   @inlinable
   @_preInverseGenerics
+  @unsafe
   public func index(_ i: Int, offsetBy n: Int, limitedBy limit: Int) -> Int? {
     // NOTE: this is a manual specialization of index movement for a Strideable
     // index that is required for UnsafeBufferPointer performance. The
@@ -349,6 +365,7 @@ extension Unsafe${Mutable}BufferPointer where Element: ~Copyable {
 
   @inlinable
   @_preInverseGenerics
+  @safe
   public func distance(from start: Int, to end: Int) -> Int {
     // NOTE: this is a manual specialization of index movement for a Strideable
     // index that is required for UnsafeBufferPointer performance. The
@@ -500,6 +517,7 @@ extension Unsafe${Mutable}BufferPointer where Element: ~Copyable {
   /// - Parameter bounds: A valid range of indices within this buffer.
   /// - Returns: A new buffer pointer over the items at `bounds`.
   @_alwaysEmitIntoClient
+  @safe
   public func extracting(_ bounds: Range<Int>) -> Self {
     _precondition(bounds.lowerBound >= 0 && bounds.upperBound <= count,
       "Index out of range")
@@ -538,6 +556,7 @@ extension Unsafe${Mutable}BufferPointer where Element: ~Copyable {
   /// - Parameter bounds: A valid range of indices within this buffer.
   /// - Returns: A new buffer pointer over the items at `bounds`.
   @_alwaysEmitIntoClient
+  @safe
   public func extracting(_ bounds: some RangeExpression<Int>) -> Self {
     extracting(bounds.relative(to: unsafe Range(uncheckedBounds: (0, count))))
   }
@@ -557,6 +576,7 @@ extension Unsafe${Mutable}BufferPointer where Element: ~Copyable {
   //
   /// - Returns: The same buffer as `self`.
   @_alwaysEmitIntoClient
+  @safe
   public func extracting(_ bounds: UnboundedRange) -> Self {
     self
   }
@@ -627,6 +647,7 @@ extension Unsafe${Mutable}BufferPointer {
 
   @_spi(SwiftStdlibLegacyABI) @available(swift, obsoleted: 1)
   @usableFromInline
+  @unsafe
   internal subscript(_unchecked i: Int) -> Element {
     get {
       _internalInvariant(i >= 0)
@@ -655,20 +676,23 @@ extension Unsafe${Mutable}BufferPointer:
   public typealias SubSequence = Slice<Unsafe${Mutable}BufferPointer<Element>>
 
   @inlinable // unsafe-performance
+  @safe
   public func _failEarlyRangeCheck(_ index: Int, bounds: Range<Int>) {
     // NOTE: In release mode, this method is a no-op for performance reasons.
     _debugPrecondition(index >= bounds.lowerBound)
     _debugPrecondition(index < bounds.upperBound)
   }
 
   @inlinable // unsafe-performance
+  @safe
   public func _failEarlyRangeCheck(_ range: Range<Int>, bounds: Range<Int>) {
     // NOTE: In release mode, this method is a no-op for performance reasons.
     _debugPrecondition(range.lowerBound >= bounds.lowerBound)
     _debugPrecondition(range.upperBound <= bounds.upperBound)
   }
 
   @inlinable // unsafe-performance
+  @safe
   public var indices: Indices {
     // Not checked because init forbids negative count.
     return unsafe Indices(uncheckedBounds: (startIndex, endIndex))
@@ -741,14 +765,15 @@ extension Unsafe${Mutable}BufferPointer:
 %  if Mutable:
   @inlinable
   @available(*, deprecated, renamed: "withContiguousMutableStorageIfAvailable")
+  @safe
   public mutating func _withUnsafeMutableBufferPointerIfSupported<R>(
     _ body: (inout UnsafeMutableBufferPointer<Element>) throws -> R
   ) rethrows -> R? {
     return try body(&self)
   }
 
   @inlinable
-  @unsafe
+  @safe
   public mutating func withContiguousMutableStorageIfAvailable<R>(
     _ body: (inout UnsafeMutableBufferPointer<Element>) throws -> R
   ) rethrows -> R? {
@@ -875,6 +900,7 @@ extension UnsafeMutableBufferPointer where Element: ~Copyable {
   ///   of `Element`.
   @inlinable
   @_preInverseGenerics
+  @safe
   public static func allocate(
     capacity count: Int
   ) -> UnsafeMutableBufferPointer<Element> {
@@ -1038,7 +1064,7 @@ extension UnsafeMutableBufferPointer {
     while index < endIndex {
       guard let element = iterator.next() else { break }
       unsafe _position._unsafelyUnwrappedUnchecked[index] = element
-      formIndex(after: &index)
+      unsafe formIndex(after: &index)
     }
     return (iterator, index)
   }
@@ -1102,7 +1128,7 @@ extension UnsafeMutableBufferPointer {
         break
       }
       unsafe _position._unsafelyUnwrappedUnchecked[index] = value
-      formIndex(after: &index)
+      unsafe formIndex(after: &index)
     }
     return index
   }
@@ -1453,6 +1479,7 @@ extension Unsafe${Mutable}BufferPointer: CustomDebugStringConvertible
 where Element: ~Copyable {
   /// A textual representation of the buffer, suitable for debugging.
   @_preInverseGenerics
+  @safe
   public var debugDescription: String {
     return "Unsafe${Mutable}BufferPointer"
       + "(start: \(_position.map(String.init(describing:)) ?? "nil"), count: \(count))"