|
70 | 70 |
|
71 | 71 | #include <vector> |
72 | 72 |
|
| 73 | +#define DEBUG_TYPE "Serialization" |
| 74 | + |
73 | 75 | using namespace swift; |
74 | 76 | using namespace swift::serialization; |
75 | 77 | using namespace llvm::support; |
@@ -3088,6 +3090,171 @@ class Serializer::DeclSerializer : public DeclVisitor<DeclSerializer> { |
3088 | 3090 | } |
3089 | 3091 | } |
3090 | 3092 |
|
| 3093 | + /// Determine if \p decl is safe to deserialize when it's public |
| 3094 | + /// or otherwise needed by the client in normal builds, this should usually |
| 3095 | + /// correspond to logic in type-checking ensuring these safe decls don't |
| 3096 | + /// refer to implementation details. We have to be careful not to mark |
| 3097 | + /// anything needed by a client as unsafe as the client will reject reading |
| 3098 | + /// it, but at the same time keep the safety checks precise to avoid |
| 3099 | + /// XRef errors and such. |
| 3100 | + /// |
| 3101 | + /// \p decl should be either an \c ExtensionDecl or a \c ValueDecl. |
| 3102 | + static bool declIsDeserializationSafe(const Decl *decl) { |
| 3103 | + if (auto ext = dyn_cast<ExtensionDecl>(decl)) { |
| 3104 | + // Consider extensions as safe as their extended type. |
| 3105 | + auto nominalType = ext->getExtendedNominal(); |
| 3106 | + if (!nominalType || |
| 3107 | + !declIsDeserializationSafe(nominalType)) |
| 3108 | + return false; |
| 3109 | + |
| 3110 | + // We can mark the extension unsafe only if it has no public members. |
| 3111 | + auto members = ext->getMembers(); |
| 3112 | + int membersCount = 0; |
| 3113 | + auto hasSafeMembers = std::any_of(members.begin(), members.end(), |
| 3114 | + [&membersCount](const Decl *D) -> bool { |
| 3115 | + membersCount ++; |
| 3116 | + if (auto VD = dyn_cast<ValueDecl>(D)) |
| 3117 | + return declIsDeserializationSafe(VD); |
| 3118 | + return true; |
| 3119 | + }); |
| 3120 | + if (hasSafeMembers) |
| 3121 | + return true; |
| 3122 | + |
| 3123 | + // We can mark the extension unsafe only if it has no public |
| 3124 | + // conformances. |
| 3125 | + auto protocols = ext->getLocalProtocols( |
| 3126 | + ConformanceLookupKind::OnlyExplicit); |
| 3127 | + bool hasSafeConformances = std::any_of(protocols.begin(), |
| 3128 | + protocols.end(), |
| 3129 | + declIsDeserializationSafe); |
| 3130 | + if (hasSafeConformances) |
| 3131 | + return true; |
| 3132 | + |
| 3133 | + // Truly empty extensions are safe, it may happen in swiftinterfaces. |
| 3134 | + if (membersCount == 0 && protocols.size() == 0) |
| 3135 | + return true; |
| 3136 | + |
| 3137 | + return false; |
| 3138 | + } |
| 3139 | + |
| 3140 | + auto value = cast<ValueDecl>(decl); |
| 3141 | + |
| 3142 | + // A decl is safe if formally accessible publicly. |
| 3143 | + auto accessScope = value->getFormalAccessScope(/*useDC=*/nullptr, |
| 3144 | + /*treatUsableFromInlineAsPublic=*/true); |
| 3145 | + if (accessScope.isPublic()) |
| 3146 | + return true; |
| 3147 | + |
| 3148 | + // Testable allows access to internal details. |
| 3149 | + if (value->getDeclContext()->getParentModule()->isTestingEnabled() && |
| 3150 | + accessScope.isInternal()) |
| 3151 | + return true; |
| 3152 | + |
| 3153 | + if ( auto accessor = dyn_cast<AccessorDecl>(value)) |
| 3154 | + // Accessors are as safe as their storage. |
| 3155 | + if (declIsDeserializationSafe(accessor->getStorage())) |
| 3156 | + return true; |
| 3157 | + |
| 3158 | + // Frozen fields are always safe. |
| 3159 | + if (auto var = dyn_cast<VarDecl>(value)) { |
| 3160 | + if (var->isLayoutExposedToClients()) |
| 3161 | + return true; |
| 3162 | + |
| 3163 | + // Consider all lazy var storage as "safe". |
| 3164 | + // FIXME: We should keep track of what lazy var is associated to the |
| 3165 | + // storage for them to preserve the same safeness. |
| 3166 | + if (var->isLazyStorageProperty()) |
| 3167 | + return true; |
| 3168 | + |
| 3169 | + // Property wrappers storage is as safe as the wrapped property. |
| 3170 | + if (VarDecl *wrapped = var->getOriginalWrappedProperty()) |
| 3171 | + if (declIsDeserializationSafe(wrapped)) |
| 3172 | + return true; |
| 3173 | + } |
| 3174 | + |
| 3175 | + return false; |
| 3176 | + } |
| 3177 | + |
| 3178 | + /// Write a \c DeserializationSafetyLayout record only when \p decl is unsafe |
| 3179 | + /// to deserialize. |
| 3180 | + /// |
| 3181 | + /// \sa declIsDeserializationSafe |
| 3182 | + void writeDeserializationSafety(const Decl *decl) { |
| 3183 | + using namespace decls_block; |
| 3184 | + |
| 3185 | + auto DC = decl->getDeclContext(); |
| 3186 | + if (!DC->getParentModule()->isResilient()) |
| 3187 | + return; |
| 3188 | + |
| 3189 | + // Everything should be safe in a swiftinterface. So, don't emit any safety |
| 3190 | + // record when building a swiftinterface in release builds. Debug builds |
| 3191 | + // instead print inconsistencies. |
| 3192 | + auto parentSF = DC->getParentSourceFile(); |
| 3193 | + bool fromModuleInterface = parentSF && |
| 3194 | + parentSF->Kind == SourceFileKind::Interface; |
| 3195 | +#if NDEBUG |
| 3196 | + if (fromModuleInterface) |
| 3197 | + return; |
| 3198 | +#endif |
| 3199 | + |
| 3200 | + // Private imports allow safe access to everything. |
| 3201 | + if (DC->getParentModule()->arePrivateImportsEnabled()) |
| 3202 | + return; |
| 3203 | + |
| 3204 | + // Ignore things with no access level. |
| 3205 | + // Note: There's likely room to report some of these as unsafe to prevent |
| 3206 | + // failures. |
| 3207 | + if (isa<GenericTypeParamDecl>(decl) || |
| 3208 | + isa<OpaqueTypeDecl>(decl) || |
| 3209 | + isa<ParamDecl>(decl) || |
| 3210 | + isa<EnumCaseDecl>(decl) || |
| 3211 | + isa<EnumElementDecl>(decl)) |
| 3212 | + return; |
| 3213 | + |
| 3214 | + if (!isa<ValueDecl>(decl) && !isa<ExtensionDecl>(decl)) |
| 3215 | + return; |
| 3216 | + |
| 3217 | + // Don't look at decls inside functions and |
| 3218 | + // check the ValueDecls themselves. |
| 3219 | + auto declIsSafe = DC->isLocalContext() || |
| 3220 | + declIsDeserializationSafe(decl); |
| 3221 | +#ifdef NDEBUG |
| 3222 | + // In release builds, bail right away if the decl is safe. |
| 3223 | + // In debug builds, wait to bail after the debug prints and asserts. |
| 3224 | + if (declIsSafe) |
| 3225 | + return; |
| 3226 | +#endif |
| 3227 | + |
| 3228 | + // Write a human readable name to an identifier. |
| 3229 | + SmallString<64> out; |
| 3230 | + llvm::raw_svector_ostream outStream(out); |
| 3231 | + if (auto val = dyn_cast<ValueDecl>(decl)) { |
| 3232 | + outStream << val->getName(); |
| 3233 | + } else if (auto ext = dyn_cast<ExtensionDecl>(decl)) { |
| 3234 | + outStream << "extension "; |
| 3235 | + if (auto nominalType = ext->getExtendedNominal()) |
| 3236 | + outStream << nominalType->getName(); |
| 3237 | + } |
| 3238 | + auto name = S.getASTContext().getIdentifier(out); |
| 3239 | + |
| 3240 | + LLVM_DEBUG( |
| 3241 | + llvm::dbgs() << "Serialization safety, " |
| 3242 | + << (declIsSafe? "safe" : "unsafe") |
| 3243 | + << ": '" << name << "'\n"; |
| 3244 | + assert((declIsSafe || !fromModuleInterface) && |
| 3245 | + "All swiftinterface decls should be deserialization safe"); |
| 3246 | + ); |
| 3247 | + |
| 3248 | +#ifndef NDEBUG |
| 3249 | + if (declIsSafe) |
| 3250 | + return; |
| 3251 | +#endif |
| 3252 | + |
| 3253 | + auto abbrCode = S.DeclTypeAbbrCodes[DeserializationSafetyLayout::Code]; |
| 3254 | + DeserializationSafetyLayout::emitRecord(S.Out, S.ScratchRecord, abbrCode, |
| 3255 | + S.addDeclBaseNameRef(name)); |
| 3256 | + } |
| 3257 | + |
3091 | 3258 | void writeForeignErrorConvention(const ForeignErrorConvention &fec) { |
3092 | 3259 | using namespace decls_block; |
3093 | 3260 |
|
@@ -3405,6 +3572,8 @@ class Serializer::DeclSerializer : public DeclVisitor<DeclSerializer> { |
3405 | 3572 | if (D->isInvalid()) |
3406 | 3573 | writeDeclErrorFlag(); |
3407 | 3574 |
|
| 3575 | + writeDeserializationSafety(D); |
| 3576 | + |
3408 | 3577 | // Emit attributes (if any). |
3409 | 3578 | for (auto Attr : D->getAttrs()) |
3410 | 3579 | writeDeclAttribute(D, Attr); |
|
0 commit comments