Add StrictSendableMetatypes to require Sendable requirements on metatypes

Introduce a new experimental feature StrictSendableMetatypes that stops
treating all metatypes as `Sendable`. Instead, metatypes of generic
parameters and existentials are only considered Sendable if their
corresponding instance types are guaranteed to be Sendable.

Start with enforcing this property within region isolation. Track
metatype creation instructions and put them in the task's isolation
domain, so that transferring them into another isolation domain
produces a diagnostic. As an example:

    func f<T: P>(_: T.Type) {
      let x: P.Type = T.self
      Task.detached {
        x.someStaticMethod() // oops, T.Type is not Sendable
      }
    }

Author: DougGregor

include/swift/Basic/Features.def

@@ -446,6 +446,9 @@ EXPERIMENTAL_FEATURE(NonIsolatedAsyncInheritsIsolationFromContext, false)
 /// Allow custom availability domains to be defined and referenced.
 SUPPRESSIBLE_EXPERIMENTAL_FEATURE(CustomAvailability, true)
 
+/// Be strict about the Sendable conformance of metatypes.
+EXPERIMENTAL_FEATURE(StrictSendableMetatypes, true)
+
 #undef EXPERIMENTAL_FEATURE_EXCLUDED_FROM_MODULE_INTERFACE
 #undef EXPERIMENTAL_FEATURE
 #undef UPCOMING_FEATURE

lib/AST/ConformanceLookup.cpp

@@ -381,10 +381,36 @@ static ProtocolConformanceRef getBuiltinMetaTypeTypeConformance(
     Type type, const AnyMetatypeType *metatypeType, ProtocolDecl *protocol) {
   ASTContext &ctx = protocol->getASTContext();
 
-  // All metatypes are Sendable, Copyable, Escapable, and BitwiseCopyable.
+  // All metatypes are Copyable, Escapable, and BitwiseCopyable.
   if (auto kp = protocol->getKnownProtocolKind()) {
     switch (*kp) {
     case KnownProtocolKind::Sendable:
+      // Metatypes are generally Sendable, but under StrictSendableMetatypes we
+      // cannot assume that metatypes based on type parameters are Sendable.
+      if (ctx.LangOpts.hasFeature(Feature::StrictSendableMetatypes)) {
+        Type instanceType = metatypeType->getInstanceType();
+
+        // If the instance type is a type parameter, it is not necessarily
+        // Sendable. There will need to be a Sendable requirement.
+        if (instanceType->isTypeParameter())
+          break;
+
+        // If the instance type is an archetype or existential, check whether
+        // it conforms to Sendable.
+        // FIXME: If the requirement machine were to infer T.Type: Sendable
+        // from T: Sendable, we wouldn't need this for archetypes.
+        if (instanceType->is<ArchetypeType>() ||
+            instanceType->isAnyExistentialType()) {
+          auto instanceConformance = lookupConformance(instanceType, protocol);
+          if (instanceConformance.isInvalid() ||
+              instanceConformance.hasMissingConformance())
+            break;
+        }
+
+        // Every other metatype is Sendable.
+      }
+      LLVM_FALLTHROUGH;
+
     case KnownProtocolKind::Copyable:
     case KnownProtocolKind::Escapable:
     case KnownProtocolKind::BitwiseCopyable:

lib/AST/FeatureSet.cpp

@@ -269,6 +269,7 @@ UNINTERESTING_FEATURE(NonfrozenEnumExhaustivity)
 UNINTERESTING_FEATURE(ClosureIsolation)
 UNINTERESTING_FEATURE(Extern)
 UNINTERESTING_FEATURE(ConsumeSelfInDeinit)
+UNINTERESTING_FEATURE(StrictSendableMetatypes)
 
 static bool usesFeatureBitwiseCopyable2(Decl *decl) {
   if (!decl->getModuleContext()->isStdlibModule()) {

lib/SILOptimizer/Analysis/RegionAnalysis.cpp

@@ -2952,9 +2952,10 @@ CONSTANT_TRANSLATION(WitnessMethodInst, AssignFresh)
 CONSTANT_TRANSLATION(IntegerLiteralInst, AssignFresh)
 CONSTANT_TRANSLATION(FloatLiteralInst, AssignFresh)
 CONSTANT_TRANSLATION(StringLiteralInst, AssignFresh)
-// Metatypes are Sendable, but AnyObject isn't
-CONSTANT_TRANSLATION(ObjCMetatypeToObjectInst, AssignFresh)
-CONSTANT_TRANSLATION(ObjCExistentialMetatypeToObjectInst, AssignFresh)
+// Metatypes are often, but not always, Sendable, but AnyObject isn't
+CONSTANT_TRANSLATION(ObjCMetatypeToObjectInst, Assign)
+CONSTANT_TRANSLATION(ObjCExistentialMetatypeToObjectInst, Assign)
+CONSTANT_TRANSLATION(MetatypeInst, AssignFresh)
 
 //===---
 // Assign
@@ -2998,6 +2999,10 @@ CONSTANT_TRANSLATION(UncheckedEnumDataInst, Assign)
 CONSTANT_TRANSLATION(UncheckedOwnershipConversionInst, Assign)
 CONSTANT_TRANSLATION(IndexRawPointerInst, Assign)
 
+CONSTANT_TRANSLATION(InitExistentialMetatypeInst, Assign)
+CONSTANT_TRANSLATION(OpenExistentialMetatypeInst, Assign)
+CONSTANT_TRANSLATION(ObjCToThickMetatypeInst, Assign)
+
 // These are used by SIL to aggregate values together in a gep like way. We
 // want to look at uses of structs, not the struct uses itself. So just
 // propagate.
@@ -3095,7 +3100,6 @@ CONSTANT_TRANSLATION(EndUnpairedAccessInst, Ignored)
 CONSTANT_TRANSLATION(HopToExecutorInst, Ignored)
 CONSTANT_TRANSLATION(InjectEnumAddrInst, Ignored)
 CONSTANT_TRANSLATION(DestroyNotEscapedClosureInst, Ignored)
-CONSTANT_TRANSLATION(MetatypeInst, Ignored)
 CONSTANT_TRANSLATION(EndApplyInst, Ignored)
 CONSTANT_TRANSLATION(AbortApplyInst, Ignored)
 CONSTANT_TRANSLATION(DebugStepInst, Ignored)
@@ -3127,15 +3131,6 @@ CONSTANT_TRANSLATION(ExistentialMetatypeInst, Require)
 // These can take a parameter. If it is non-Sendable, use a require.
 CONSTANT_TRANSLATION(GetAsyncContinuationAddrInst, Require)
 
-//===---
-// Asserting If Non Sendable Parameter
-//
-
-// Takes metatypes as parameters and metatypes today are always sendable.
-CONSTANT_TRANSLATION(InitExistentialMetatypeInst, AssertingIfNonSendable)
-CONSTANT_TRANSLATION(OpenExistentialMetatypeInst, AssertingIfNonSendable)
-CONSTANT_TRANSLATION(ObjCToThickMetatypeInst, AssertingIfNonSendable)
-
 //===---
 // Terminators
 //

lib/SILOptimizer/Utils/SILIsolationInfo.cpp

@@ -805,6 +805,12 @@ SILIsolationInfo SILIsolationInfo::get(SILInstruction *inst) {
     }
   }
 
+  /// Consider non-Sendable metatypes to be task-isolated, so they cannot cross
+  /// into another isolation domain.
+  if (auto *mi = dyn_cast<MetatypeInst>(inst)) {
+    return SILIsolationInfo::getTaskIsolated(mi);
+  }
+
   // Check if we have an ApplyInst with nonisolated.
   //
   // NOTE: We purposely avoid using other isolation info from an ApplyExpr since

test/Concurrency/sendable_metatype.swift

@@ -0,0 +1,86 @@
+// RUN: %target-typecheck-verify-swift -swift-version 6 -enable-experimental-feature StrictSendableMetatypes -emit-sil -o /dev/null
+
+// REQUIRES: concurrency
+// REQUIRES: swift_feature_StrictSendableMetatypes
+
+
+protocol Q {
+  static func g()
+}
+
+nonisolated func acceptMeta<T>(_: T.Type) { }
+
+// -------------------------------------------------------------------------
+// Non-Sendable metatype instances that cross into other isolation domains.
+// -------------------------------------------------------------------------
+nonisolated func staticCallThroughMeta<T: Q>(_: T.Type) {
+  let x = T.self
+  Task.detached { // expected-error{{risks causing data races}}
+    x.g() // expected-note{{closure captures 'x' which is accessible to code in the current task}}
+  }
+}
+
+nonisolated func passMeta<T: Q>(_: T.Type) {
+  let x = T.self
+  Task.detached { // expected-error{{risks causing data races}}
+    acceptMeta(x) // expected-note{{closure captures 'x' which is accessible to code in the current task}}
+  }
+}
+
+nonisolated func staticCallThroughMetaSmuggled<T: Q>(_: T.Type) {
+  let x: Q.Type = T.self
+  Task.detached { // expected-error{{risks causing data races}}
+    x.g() // expected-note{{closure captures 'x' which is accessible to code in the current task}}
+  }
+}
+
+nonisolated func passMetaSmuggled<T: Q>(_: T.Type) {
+  let x: Q.Type = T.self
+  Task.detached { // expected-error{{risks causing data races}}
+    acceptMeta(x) // expected-note{{closure captures 'x' which is accessible to code in the current task}}
+  }
+}
+
+nonisolated func passMetaSmuggledAny<T: Q>(_: T.Type) {
+  let x: Any.Type = T.self
+  Task.detached { // expected-error{{risks causing data races}}
+    acceptMeta(x) // expected-note{{closure captures 'x' which is accessible to code in the current task}}
+  }
+}
+
+// -------------------------------------------------------------------------
+// Sendable metatype instances that cross into other isolation domains.
+// -------------------------------------------------------------------------
+nonisolated func passMetaWithSendable<T: Sendable & Q>(_: T.Type) {
+  let x = T.self
+  Task.detached {
+    acceptMeta(x) // okay, because T is Sendable implies T.Type: Sendable
+    x.g() // okay, because T is Sendable implies T.Type: Sendable
+  }
+}
+
+nonisolated func passMetaWithSendableSmuggled<T: Sendable & Q>(_: T.Type) {
+  let x: any (Q & Sendable).Type = T.self
+  Task.detached {
+    acceptMeta(x) // okay, because T is Sendable implies T.Type: Sendable
+    x.g() // okay, because T is Sendable implies T.Type: Sendable
+  }
+}
+
+// -------------------------------------------------------------------------
+// Sendable requirements on metatypes
+// -------------------------------------------------------------------------
+
+nonisolated func passMetaWithMetaSendable<T: Q>(_: T.Type) where T.Type: Sendable {
+  // FIXME: Bogus errors below because we don't currently handle constraints on
+  // metatypes.
+  let x = T.self
+  Task.detached { // expected-error{{risks causing data races}}
+    acceptMeta(x) // expected-note{{closure captures 'x' which is accessible to code in the current task}}
+                  // should be okay, because T is Sendable implies T.Type: Sendable
+    x.g() // okay, because T is Sendable implies T.Type: Sendable
+  }
+}
+
+// TODO: Cannot currently express an existential or opaque type where the
+// metatype is Sendable.

test/Concurrency/sendable_metatype_typecheck.swift

@@ -0,0 +1,25 @@
+// RUN: %target-typecheck-verify-swift -swift-version 6 -enable-experimental-feature StrictSendableMetatypes
+
+// REQUIRES: concurrency
+// REQUIRES: swift_feature_StrictSendableMetatypes
+
+// This test checks for typecheck-only diagnostics involving non-sendable
+// metatypes.
+
+protocol Q {
+  static func g()
+}
+
+nonisolated func acceptMeta<T>(_: T.Type) { }
+
+nonisolated func staticCallThroughMeta<T: Q>(_: T.Type) {
+  Task.detached {
+    T.g()
+  }
+}
+
+nonisolated func passMeta<T: Q>(_: T.Type) {
+  Task.detached {
+    acceptMeta(T.self)
+  }
+}