[Strict memory safety] Update standard library for nested safe/unsafe types

Use this to mark a few internal types @safe now that it works properly.

Author: DougGregor

stdlib/public/core/Bitset.swift

@@ -45,7 +45,7 @@ extension _UnsafeBitset {
     _internalInvariant(element >= 0)
     // Note: We perform on UInts to get faster unsigned math (shifts).
     let element = UInt(bitPattern: element)
-    let capacity = unsafe UInt(bitPattern: Word.capacity)
+    let capacity = UInt(bitPattern: Word.capacity)
     return Int(bitPattern: element / capacity)
   }
 
@@ -55,7 +55,7 @@ extension _UnsafeBitset {
     _internalInvariant(element >= 0)
     // Note: We perform on UInts to get faster unsigned math (masking).
     let element = UInt(bitPattern: element)
-    let capacity = unsafe UInt(bitPattern: Word.capacity)
+    let capacity = UInt(bitPattern: Word.capacity)
     return Int(bitPattern: element % capacity)
   }
 
@@ -68,8 +68,8 @@ extension _UnsafeBitset {
   @inlinable
   @inline(__always)
   internal static func join(word: Int, bit: Int) -> Int {
-    unsafe _internalInvariant(bit >= 0 && bit < Word.capacity)
-    return unsafe word &* Word.capacity &+ bit
+    _internalInvariant(bit >= 0 && bit < Word.capacity)
+    return word &* Word.capacity &+ bit
   }
 }
 
@@ -84,7 +84,7 @@ extension _UnsafeBitset {
   internal var capacity: Int {
     @inline(__always)
     get {
-      return unsafe wordCount &* Word.capacity
+      return wordCount &* Word.capacity
     }
   }
 
@@ -199,7 +199,7 @@ extension _UnsafeBitset {
 
     @inlinable
     internal init(_ value: UInt) {
-      unsafe self.value = value
+      self.value = value
     }
   }
 }
@@ -217,7 +217,7 @@ extension _UnsafeBitset.Word {
   @inline(__always)
   internal func uncheckedContains(_ bit: Int) -> Bool {
     _internalInvariant(bit >= 0 && bit < UInt.bitWidth)
-    return unsafe value & (1 &<< bit) != 0
+    return value & (1 &<< bit) != 0
   }
 
   @inlinable
@@ -226,8 +226,8 @@ extension _UnsafeBitset.Word {
   internal mutating func uncheckedInsert(_ bit: Int) -> Bool {
     _internalInvariant(bit >= 0 && bit < UInt.bitWidth)
     let mask: UInt = 1 &<< bit
-    let inserted = unsafe value & mask == 0
-    unsafe value |= mask
+    let inserted = value & mask == 0
+    value |= mask
     return inserted
   }
 
@@ -237,8 +237,8 @@ extension _UnsafeBitset.Word {
   internal mutating func uncheckedRemove(_ bit: Int) -> Bool {
     _internalInvariant(bit >= 0 && bit < UInt.bitWidth)
     let mask: UInt = 1 &<< bit
-    let removed = unsafe value & mask != 0
-    unsafe value &= ~mask
+    let removed = value & mask != 0
+    value &= ~mask
     return removed
   }
 }
@@ -248,50 +248,50 @@ extension _UnsafeBitset.Word {
   var minimum: Int? {
     @inline(__always)
     get {
-      guard unsafe value != 0 else { return nil }
-      return unsafe value.trailingZeroBitCount
+      guard value != 0 else { return nil }
+      return value.trailingZeroBitCount
     }
   }
 
   @inlinable
   var maximum: Int? {
     @inline(__always)
     get {
-      guard unsafe value != 0 else { return nil }
-      return unsafe _UnsafeBitset.Word.capacity &- 1 &- value.leadingZeroBitCount
+      guard value != 0 else { return nil }
+      return _UnsafeBitset.Word.capacity &- 1 &- value.leadingZeroBitCount
     }
   }
 
   @inlinable
   var complement: _UnsafeBitset.Word {
     @inline(__always)
     get {
-      return unsafe _UnsafeBitset.Word(~value)
+      return _UnsafeBitset.Word(~value)
     }
   }
 
   @inlinable
   @inline(__always)
   internal func subtracting(elementsBelow bit: Int) -> _UnsafeBitset.Word {
-    unsafe _internalInvariant(bit >= 0 && bit < _UnsafeBitset.Word.capacity)
+    _internalInvariant(bit >= 0 && bit < _UnsafeBitset.Word.capacity)
     let mask = UInt.max &<< bit
-    return unsafe _UnsafeBitset.Word(value & mask)
+    return _UnsafeBitset.Word(value & mask)
   }
 
   @inlinable
   @inline(__always)
   internal func intersecting(elementsBelow bit: Int) -> _UnsafeBitset.Word {
-    unsafe _internalInvariant(bit >= 0 && bit < _UnsafeBitset.Word.capacity)
+    _internalInvariant(bit >= 0 && bit < _UnsafeBitset.Word.capacity)
     let mask: UInt = (1 as UInt &<< bit) &- 1
-    return unsafe _UnsafeBitset.Word(value & mask)
+    return _UnsafeBitset.Word(value & mask)
   }
 
   @inlinable
   @inline(__always)
   internal func intersecting(elementsAbove bit: Int) -> _UnsafeBitset.Word {
-    unsafe _internalInvariant(bit >= 0 && bit < _UnsafeBitset.Word.capacity)
+    _internalInvariant(bit >= 0 && bit < _UnsafeBitset.Word.capacity)
     let mask = (UInt.max &<< bit) &<< 1
-    return unsafe _UnsafeBitset.Word(value & mask)
+    return _UnsafeBitset.Word(value & mask)
   }
 }
 
@@ -300,15 +300,15 @@ extension _UnsafeBitset.Word {
   internal static var empty: _UnsafeBitset.Word {
     @inline(__always)
     get {
-      return unsafe _UnsafeBitset.Word(0)
+      return _UnsafeBitset.Word(0)
     }
   }
 
   @inlinable
   internal static var allBits: _UnsafeBitset.Word {
     @inline(__always)
     get {
-      return unsafe _UnsafeBitset.Word(UInt.max)
+      return _UnsafeBitset.Word(UInt.max)
     }
   }
 }
@@ -324,29 +324,29 @@ extension _UnsafeBitset.Word: @unsafe Sequence, @unsafe IteratorProtocol {
 
   @inlinable
   internal var count: Int {
-    return unsafe value.nonzeroBitCount
+    return value.nonzeroBitCount
   }
 
   @inlinable
   internal var underestimatedCount: Int {
-    return unsafe count
+    return count
   }
 
   @inlinable
   internal var isEmpty: Bool {
     @inline(__always)
     get {
-      return unsafe value == 0
+      return value == 0
     }
   }
 
   /// Return the index of the lowest set bit in this word,
   /// and also destructively clear it.
   @inlinable
   internal mutating func next() -> Int? {
-    guard unsafe value != 0 else { return nil }
-    let bit = unsafe value.trailingZeroBitCount
-    unsafe value &= value &- 1       // Clear lowest nonzero bit.
+    guard value != 0 else { return nil }
+    let bit = value.trailingZeroBitCount
+    value &= value &- 1       // Clear lowest nonzero bit.
     return bit
   }
 }

stdlib/public/core/ContiguouslyStored.swift

@@ -42,7 +42,7 @@ extension Array: _HasContiguousBytes {
   }
 }
 extension ContiguousArray: _HasContiguousBytes {}
-extension UnsafeBufferPointer: _HasContiguousBytes {
+extension UnsafeBufferPointer: @unsafe _HasContiguousBytes {
   @inlinable @inline(__always)
   @safe
   func withUnsafeBytes<R>(
@@ -53,7 +53,7 @@ extension UnsafeBufferPointer: _HasContiguousBytes {
     return try unsafe body(UnsafeRawBufferPointer(start: ptr, count: len))
   }
 }
-extension UnsafeMutableBufferPointer: _HasContiguousBytes {
+extension UnsafeMutableBufferPointer: @unsafe _HasContiguousBytes {
   @inlinable @inline(__always)
   @safe
   func withUnsafeBytes<R>(
@@ -64,7 +64,7 @@ extension UnsafeMutableBufferPointer: _HasContiguousBytes {
     return try unsafe body(UnsafeRawBufferPointer(start: ptr, count: len))
   }
 }
-extension UnsafeRawBufferPointer: _HasContiguousBytes {
+extension UnsafeRawBufferPointer: @unsafe _HasContiguousBytes {
   @inlinable @inline(__always)
   @safe
   func withUnsafeBytes<R>(
@@ -73,7 +73,7 @@ extension UnsafeRawBufferPointer: _HasContiguousBytes {
     return try unsafe body(self)
   }
 }
-extension UnsafeMutableRawBufferPointer: _HasContiguousBytes {
+extension UnsafeMutableRawBufferPointer: @unsafe _HasContiguousBytes {
   @inlinable @inline(__always)
   @safe
   func withUnsafeBytes<R>(

stdlib/public/core/Dictionary.swift

@@ -838,7 +838,7 @@ extension Dictionary: ExpressibleByDictionaryLiteral {
     for (key, value) in elements {
       let (bucket, found) = native.find(key)
       _precondition(!found, "Dictionary literal contains duplicate keys")
-      unsafe native._insert(at: bucket, key: key, value: value)
+      native._insert(at: bucket, key: key, value: value)
     }
     self.init(_native: native)
   }
@@ -904,11 +904,11 @@ extension Dictionary {
     }
     @inline(__always)
     _modify {
-      let (bucket, found) = unsafe _variant.mutatingFind(key)
+      let (bucket, found) = _variant.mutatingFind(key)
       let native = _variant.asNative
       if !found {
         let value = defaultValue()
-        unsafe native._insert(at: bucket, key: key, value: value)
+        native._insert(at: bucket, key: key, value: value)
       }
       let address = unsafe native._values + bucket.offset
       defer { _fixLifetime(self) }
@@ -1458,7 +1458,7 @@ extension Dictionary {
       }
       _modify {
         let native = _variant.ensureUniqueNative()
-        let bucket = unsafe native.validatedBucket(for: position)
+        let bucket = native.validatedBucket(for: position)
         let address = unsafe native._values + bucket.offset
         defer { _fixLifetime(self) }
         yield unsafe &address.pointee
@@ -1491,9 +1491,9 @@ extension Dictionary {
 #endif
       let isUnique = _variant.isUniquelyReferenced()
       let native = _variant.asNative
-      let a = unsafe native.validatedBucket(for: i)
-      let b = unsafe native.validatedBucket(for: j)
-      unsafe _variant.asNative.swapValuesAt(a, b, isUnique: isUnique)
+      let a = native.validatedBucket(for: i)
+      let b = native.validatedBucket(for: j)
+      _variant.asNative.swapValuesAt(a, b, isUnique: isUnique)
     }
   }
 }

stdlib/public/core/DictionaryBridging.swift

@@ -98,12 +98,12 @@ final internal class _SwiftDictionaryNSEnumerator<Key: Hashable, Value>
 
   @objc
   internal func nextObject() -> AnyObject? {
-    if unsafe nextBucket == endBucket {
+    if nextBucket == endBucket {
       return nil
     }
-    let bucket = unsafe nextBucket
+    let bucket = nextBucket
     unsafe nextBucket = base.hashTable.occupiedBucket(after: nextBucket)
-    return unsafe self.bridgedKey(at: bucket)
+    return self.bridgedKey(at: bucket)
   }
 
   @objc(countByEnumeratingWithState:objects:count:)
@@ -119,7 +119,7 @@ final internal class _SwiftDictionaryNSEnumerator<Key: Hashable, Value>
       unsafe theState.mutationsPtr = _fastEnumerationStorageMutationsPtr
     }
 
-    if unsafe nextBucket == endBucket {
+    if nextBucket == endBucket {
       unsafe state.pointee = theState
       return 0
     }
@@ -411,7 +411,7 @@ final internal class _SwiftDeferredNSDictionary<Key: Hashable, Value>
     // Only need to bridge once, so we can hoist it out of the loop.
     let bridgedKeys = unsafe bridgeKeys()
     for i in 0..<count {
-      if unsafe bucket == endBucket { break }
+      if bucket == endBucket { break }
 
       unsafe unmanagedObjects[i] = unsafe _key(at: bucket, bridgedKeys: bridgedKeys)
       stored += 1

stdlib/public/core/DictionaryBuilder.swift

@@ -136,47 +136,47 @@ extension _NativeDictionary {
     // Each iteration of the loop below processes an unprocessed element, and/or
     // reduces the size of the unprocessed region, while ensuring the above
     // invariants.
-    var bucket = unsafe _HashTable.Bucket(offset: initializedCount - 1)
-    while unsafe bucket.offset >= 0 {
+    var bucket = _HashTable.Bucket(offset: initializedCount - 1)
+    while bucket.offset >= 0 {
       if unsafe hashTable._isOccupied(bucket) {
         // We've moved an element here in a previous iteration.
-        unsafe bucket.offset -= 1
+        bucket.offset -= 1
         continue
       }
       // Find the target bucket for this entry and mark it as in use.
       let target: Bucket
       if _isDebugAssertConfiguration() || allowingDuplicates {
         let (b, found) = unsafe find(_keys[bucket.offset])
         if found {
-          unsafe _internalInvariant(b != bucket)
+          _internalInvariant(b != bucket)
           _precondition(allowingDuplicates, "Duplicate keys found")
           // Discard duplicate entry.
           unsafe uncheckedDestroy(at: bucket)
           unsafe _storage._count -= 1
-          unsafe bucket.offset -= 1
+          bucket.offset -= 1
           continue
         }
         unsafe hashTable.insert(b)
-        unsafe target = unsafe b
+        target = b
       } else {
         let hashValue = unsafe self.hashValue(for: _keys[bucket.offset])
         unsafe target = unsafe hashTable.insertNew(hashValue: hashValue)
       }
 
-      if unsafe target > bucket {
+      if target > bucket {
         // The target is outside the unprocessed region.  We can simply move the
         // entry, leaving behind an uninitialized bucket.
-        unsafe moveEntry(from: bucket, to: target)
+        moveEntry(from: bucket, to: target)
         // Restore invariants by lowering the region boundary.
-        unsafe bucket.offset -= 1
-      } else if unsafe target == bucket {
+        bucket.offset -= 1
+      } else if target == bucket {
         // Already in place.
-        unsafe bucket.offset -= 1
+        bucket.offset -= 1
       } else {
         // The target bucket is also in the unprocessed region. Swap the current
         // item into place, then try again with the swapped-in value, so that we
         // don't lose it.
-        unsafe swapEntry(target, with: bucket)
+        swapEntry(target, with: bucket)
       }
     }
     // When there are no more unprocessed entries, we're left with a valid