Sema: Fix matchExistentialType() handling of ProtocolCompositionType containing ParameterizedProtocolType

This fixes a soundness hole. We can't just match up the primary
associated types of different protocols.

Author: slavapestov

lib/Sema/CSSimplify.cpp

@@ -4079,65 +4079,74 @@ ConstraintSystem::matchExistentialTypes(Type type1, Type type2,
     }
   }
 
-  auto constraintType1 = type1;
-  if (auto existential = constraintType1->getAs<ExistentialType>())
-    constraintType1 = existential->getConstraintType();
-
-  auto constraintType2 = type2;
-  if (auto existential = constraintType2->getAs<ExistentialType>())
-    constraintType2 = existential->getConstraintType();
-
-  auto ppt1 = constraintType1->getAs<ParameterizedProtocolType>();
-  auto ppt2 = constraintType2->getAs<ParameterizedProtocolType>();
-
-  // With two parameterized protocols, we've already made sure conformance
-  // constraints are satisfied. Try to match the arguments!
-  if (ppt1 && ppt2) {
-    ArrayRef<Type> longerArgs = ppt1->getArgs();
-    ArrayRef<Type> shorterArgs = ppt2->getArgs();
-    // The more constrained of the two types had better be the first type -
-    // otherwise we're forgetting requirements.
-    if (longerArgs.size() < shorterArgs.size()) {
-      return getTypeMatchFailure(locator);
+  // Finally, check parameterized protocol requirements.
+  if (!layout.getParameterizedProtocols().empty()) {
+    SmallVector<std::pair<AssociatedTypeDecl *, Type>, 4> fromReqs;
+
+    if (type1->isExistentialType()) {
+      auto fromLayout = type1->getExistentialLayout();
+      for (auto *parameterizedType : fromLayout.getParameterizedProtocols()) {
+        auto *protoDecl = parameterizedType->getProtocol();
+        auto assocTypes = protoDecl->getPrimaryAssociatedTypes();
+        auto argTypes = parameterizedType->getArgs();
+
+        for (unsigned i : indices(argTypes)) {
+          auto argType = argTypes[i];
+          auto *assocType = assocTypes[i]->getAssociatedTypeAnchor();
+          fromReqs.push_back(std::make_pair(assocType, argType));
+        }
+      }
     }
 
-    // Line up the arguments of the parameterized protocol.
-    // FIXME: Extend the locator path to point to the argument
-    // inducing the requirement.
-    for (const auto &pair : llvm::zip_first(shorterArgs, longerArgs)) {
-      auto result = matchTypes(std::get<0>(pair), std::get<1>(pair),
-                               ConstraintKind::Bind,
-                               subflags, locator);
-      if (result.isFailure())
-        return result;
-    }
-  } else if (ppt1 && type2->isExistentialType()) {
-    // P<T, U, V, ...> converts to (P & Q & ...) trivially...
-    return getTypeMatchSuccess();
-  } else if (ppt2 && type1->isExistentialType()) {
-    // But (P & Q & ...) does not convert to P<T, U, V, ...>
-    return getTypeMatchFailure(locator);
-  } else if (ppt1 || ppt2) {
-    auto parameterized = constraintType1;
-    auto base = constraintType2;
-    if (ppt2)
-      std::swap(parameterized, base);
-
-    // One of the two is parameterized, and the other is a concrete type.
-    // Substitute the base into the requirements of the parameterized type and
-    // discharge the requirements of the parameterized protocol.
-    // FIXME: Extend the locator path to point to the argument
-    // inducing the requirement.
-    SmallVector<Requirement, 2> reqs;
-    parameterized->castTo<ParameterizedProtocolType>()
-                 ->getRequirements(base, reqs);
-    for (const auto &req : reqs) {
-      assert(req.getKind() == RequirementKind::SameType);
-      auto result = matchTypes(req.getFirstType(), req.getSecondType(),
-                               ConstraintKind::Bind,
-                               subflags, locator);
-      if (result.isFailure())
-        return result;
+    for (auto *parameterizedType : layout.getParameterizedProtocols()) {
+      // With two parameterized protocols, we've already made sure conformance
+      // constraints are satisfied. Try to match the arguments!
+      if (type1->isExistentialType()) {
+        auto *protoDecl = parameterizedType->getProtocol();
+        auto assocTypes = protoDecl->getPrimaryAssociatedTypes();
+        auto argTypes = parameterizedType->getArgs();
+
+        for (unsigned i : indices(argTypes)) {
+          auto argType = argTypes[i];
+          auto *assocType = assocTypes[i]->getAssociatedTypeAnchor();
+          bool found = false;
+          for (auto fromReq : fromReqs) {
+            if (fromReq.first == assocType) {
+              // FIXME: Extend the locator path to point to the argument
+              // inducing the requirement.
+              auto result = matchTypes(fromReq.second, argType,
+                                       ConstraintKind::Bind,
+                                       subflags, locator);
+              if (result.isFailure())
+                return result;
+
+              found = true;
+              break;
+            }
+          }
+
+          if (!found)
+            return getTypeMatchFailure(locator);
+        }
+      } else {
+        // The source type is a concrete type.
+        //
+        // Substitute the source into the requirements of the parameterized type
+        // and discharge the requirements of the parameterized protocol.
+        //
+        // FIXME: Extend the locator path to point to the argument
+        // inducing the requirement.
+        SmallVector<Requirement, 2> reqs;
+        parameterizedType->getRequirements(type1, reqs);
+        for (const auto &req : reqs) {
+          assert(req.getKind() == RequirementKind::SameType);
+          auto result = matchTypes(req.getFirstType(), req.getSecondType(),
+                                   ConstraintKind::Bind,
+                                   subflags, locator);
+          if (result.isFailure())
+            return result;
+        }
+      }
     }
   }
 

test/Constraints/existential_metatypes.swift

@@ -117,5 +117,5 @@ func parameterizedExistentials() {
   pp = ppp // expected-error{{cannot assign value of type '(any PP4<Int>).Type' to type '(any P4<Int>).Type'}}
 
   var ppt: any PP4<Int>.Type
-  pt = ppt
+  pt = ppt // expected-error {{cannot assign value of type 'any PP4<Int>.Type' to type 'any P4<Int>.Type'}}
 }

test/Constraints/parameterized_existential_unrelated_args.swift

@@ -0,0 +1,34 @@
+// RUN: %target-typecheck-verify-swift
+
+// We used to accept this in Swift 6.0, but it's incorrect;
+// the primary associated types of a derived protocol might
+// be completely unrelated to those of a base protocol.
+
+protocol P<A> : Q {
+  associatedtype A
+}
+
+protocol Q<B> {
+  associatedtype B
+
+  func getB() -> B
+}
+
+struct S<T>: P {
+  typealias A = T
+  typealias B = Array<T>
+
+  var t: T
+
+  func getB() -> Array<T> {
+    return [t]
+  }
+}
+
+var p: any P<String> = S<String>(t: "hello world")
+var q: any Q<String> = p // expected-error {{cannot convert value of type 'any P<String>' to specified type 'any Q<String>'}}
+
+// Previously we accepted the above conversion, and then getB()
+// would return something that was dynamically Array<String>
+// and not String as expected.
+print(q.getB())

test/Constraints/parameterized_existentials.swift

@@ -17,7 +17,7 @@ func f2(x: any P<Int>) -> any P {
 
 func f3(x: any P<Int>) -> any P<String> {
   // FIXME: Misleading diagnostic
-  return x // expected-error {{cannot convert return expression of type 'String' to return type 'Int'}}
+  return x // expected-error {{cannot convert return expression of type 'Int' to return type 'String'}}
 }
 
 struct G<T> {}

test/SILGen/parameterized_existentials.swift

@@ -6,20 +6,12 @@ protocol P<T, U, V> {
   associatedtype V
 }
 
-protocol Q<X, Y, Z> : P {
-  associatedtype X
-  associatedtype Y
-  associatedtype Z
-}
+protocol Q<T, U, V> : P {}
 
 struct S: Q {
   typealias T = Int
   typealias U = String
   typealias V = Float
-
-  typealias X = Int
-  typealias Y = String
-  typealias Z = Float
 }
 
 struct R<T, U, V> {
@@ -83,9 +75,9 @@ func upcastResult() {
 
   reuse({ () -> S in S() })
 
-  // CHECK: [[RES_Q_FN:%.*]] = function_ref @$s13parameterized12upcastResultyyFAA1Q_pSi1XAaCPRts_SS1YAERtsSf1ZAERtsXPyXEfU0_ : $@convention(thin) () -> @out any Q<Int, String, Float>
+  // CHECK: [[RES_Q_FN:%.*]] = function_ref @$s13parameterized12upcastResultyyFAA1Q_pSi1TAA1PPRts_SS1UAFRtsSf1VAFRtsXPyXEfU0_ : $@convention(thin) () -> @out any Q<Int, String, Float>
   // CHECK: [[THICK_NOESCAPE_RES_Q_FN:%.*]] = thin_to_thick_function [[RES_Q_FN]] : $@convention(thin) () -> @out any Q<Int, String, Float> to $@noescape @callee_guaranteed () -> @out any Q<Int, String, Float>
-  // CHECK: [[P_TO_Q_RES_THUNK_FN:%.*]] = function_ref @$s13parameterized1Q_pSi1XAaBPRts_SS1YADRtsSf1ZADRtsXPIgr_AA1P_pSi1TAaJPRts_SS1UALRtsSf1VALRtsXPIegr_TR : $@convention(thin) (@guaranteed @noescape @callee_guaranteed () -> @out any Q<Int, String, Float>) -> @out any P<Int, String, Float>
+  // CHECK: [[P_TO_Q_RES_THUNK_FN:%.*]] = function_ref @$s13parameterized1Q_pSi1TAA1PPRts_SS1UAERtsSf1VAERtsXPIgr_AaD_pSiAFRS_SSAHRSSfAJRSXPIegr_TR : $@convention(thin) (@guaranteed @noescape @callee_guaranteed () -> @out any Q<Int, String, Float>) -> @out any P<Int, String, Float>
   // CHECK: [[PARTIAL_P_TO_Q_RES_THUNK_FN:%.*]] = partial_apply [callee_guaranteed] [[P_TO_Q_RES_THUNK_FN]]([[THICK_NOESCAPE_RES_Q_FN]]) : $@convention(thin) (@guaranteed @noescape @callee_guaranteed () -> @out any Q<Int, String, Float>) -> @out any P<Int, String, Float>
   // CHECK: [[NOESCAPE_PARTIAL_P_TO_Q_RES_THUNK_FN:%.*]] = convert_escape_to_noescape [not_guaranteed] [[PARTIAL_P_TO_Q_RES_THUNK_FN]] : $@callee_guaranteed () -> @out any P<Int, String, Float> to $@noescape @callee_guaranteed () -> @out any P<Int, String, Float>
   // CHECK: [[REUSE_FN:%.*]] = function_ref @$s13parameterized5reuseyyAA1P_pSi1TAaCPRts_SS1UAERtsSf1VAERtsXPyXEF : $@convention(thin) (@guaranteed @noescape @callee_guaranteed () -> @out any P<Int, String, Float>) -> ()