Sema: Ban unavailable stored properties.

Marking a stored property as unavailable with `@available` should be banned,
just like it already is banned for potential unavailability. Unavailable code
is not supposed be reachable at runtime, but unavailable properties with
storage create a back door into executing arbitrary unavailable code at
runtime:

```
@available(*, unavailable)
struct Unavailable {
  init() {
    print("Unavailable.init()")
  }
}

struct S {
  @available(*, unavailable)
  var x = Unavailable()
}

_ = S() // prints "Unavailable.init()"
```

Resolves rdar://107449845

Author: tshortli

CHANGELOG.md

@@ -4,6 +4,28 @@ _**Note:** This is in reverse chronological order, so newer entries are added to
 
 ## Swift 5.9
 
+* Marking stored properties as unavailable with `@available` has been banned,
+  closing an unintentional soundness hole that had allowed arbitrary
+  unavailable code to run and unavailable type metadata to be used at runtime:
+  
+  ```swift
+  @available(*, unavailable)
+  struct Unavailable {
+    init() {
+      print("Unavailable.init()")
+    }
+  }
+
+  struct S {
+    @available(*, unavailable)
+    var x = Unavailable()
+  }
+
+  _ = S() // prints "Unavailable.init()"
+  ```
+  
+  Marking `deinit` as unavailable has also been banned for similar reasons.
+
 * [SE-0366][]:
 
   The lifetime of a local variable value can be explicitly ended using the

include/swift/AST/DiagnosticsSema.def

@@ -6133,10 +6133,18 @@ ERROR(availability_global_script_no_potential,
       none, "global variable cannot be marked potentially "
       "unavailable with '@available' in script mode", ())
 
+ERROR(availability_global_script_no_unavailable,
+      none, "global variable cannot be marked unavailable "
+      "with '@available' in script mode", ())
+
 ERROR(availability_stored_property_no_potential,
       none, "stored properties cannot be marked potentially unavailable with "
       "'@available'", ())
 
+ERROR(availability_stored_property_no_unavailable,
+      none, "stored properties cannot be marked unavailable with '@available'",
+      ())
+
 ERROR(availability_enum_element_no_potential,
       none, "enum cases with associated values cannot be marked potentially unavailable with "
       "'@available'", ())

lib/Sema/TypeCheckAttr.cpp

@@ -4520,6 +4520,24 @@ TypeChecker::diagnosticIfDeclCannotBeUnavailable(const Decl *D) {
     return diag::availability_deinit_no_unavailable;
   }
 
+  if (auto *VD = dyn_cast<VarDecl>(D)) {
+    if (!VD->hasStorageOrWrapsStorage())
+      return None;
+
+    if (parentIsUnavailable(D))
+      return None;
+
+    // Do not permit unavailable script-mode global variables; their initializer
+    // expression is not lazily evaluated, so this would not be safe.
+    if (VD->isTopLevelGlobal())
+      return diag::availability_global_script_no_unavailable;
+
+    // Globals and statics are lazily initialized, so they are safe for
+    // unavailability.
+    if (!VD->isStatic() && !D->getDeclContext()->isModuleScopeContext())
+      return diag::availability_stored_property_no_unavailable;
+  }
+
   return None;
 }
 

test/Sema/availability_script_mode.swift

@@ -0,0 +1,34 @@
+// RUN: %target-typecheck-verify-swift -target %target-cpu-apple-macosx10.50
+
+// REQUIRES: OS=macosx
+
+struct AlwaysAvailable {}
+
+@available(macOS, introduced: 10.50)
+struct Available10_50 {}
+
+@available(macOS, introduced: 10.51)
+struct Available10_51 {}
+
+@available(macOS, unavailable)
+struct UnavailableOnMacOS {}
+
+@available(*, unavailable)
+struct UnavailableUnconditionally {}
+
+var alwaysAvailableVar: AlwaysAvailable = .init() // Ok
+
+@available(macOS, introduced: 10.50)
+var availableOn10_50Var: Available10_50 = .init() // Ok
+
+// Script-mode globals have eagerly executed initializers so it isn't safe for
+// them to be unavailable.
+
+@available(macOS, introduced: 10.51) // expected-error {{global variable cannot be marked potentially unavailable with '@available' in script mode}}
+var potentiallyUnavailableVar: Available10_51 = .init()
+
+@available(macOS, unavailable) // expected-error {{global variable cannot be marked unavailable with '@available' in script mode}}
+var unavailableOnMacOSVar: UnavailableOnMacOS = .init()
+
+@available(*, unavailable) // expected-error {{global variable cannot be marked unavailable with '@available' in script mode}}
+var unconditionallyUnavailableVar: UnavailableUnconditionally = .init()

test/Sema/availability_stored_unavailable.swift

@@ -0,0 +1,78 @@
+// RUN: %target-typecheck-verify-swift -parse-as-library
+
+// REQUIRES: OS=macosx
+
+@available(macOS, unavailable)
+struct UnavailableMacOSStruct {}
+
+@available(*, unavailable)
+public struct UniversallyUnavailableStruct {}
+
+// Ok, initialization of globals is lazy and boxed.
+@available(macOS, unavailable)
+var unavailableMacOSGlobal: UnavailableMacOSStruct = .init()
+
+@available(*, unavailable)
+var universallyUnavailableGlobal: UniversallyUnavailableStruct = .init()
+
+struct GoodAvailableStruct {
+  // Ok, computed property.
+  @available(macOS, unavailable)
+  var unavailableMacOS: UnavailableMacOSStruct {
+    get { UnavailableMacOSStruct() }
+  }
+
+  // Ok, initialization of static vars is lazy and boxed.
+  @available(macOS, unavailable)
+  static var staticUnavailableMacOS: UnavailableMacOSStruct = .init()
+}
+
+@available(macOS, unavailable)
+struct GoodUnavailableMacOSStruct {
+  var unavailableMacOS: UnavailableMacOSStruct = .init()
+  lazy var lazyUnavailableMacOS: UnavailableMacOSStruct = .init()
+
+  // Ok, the container is unavailable.
+  @available(macOS, unavailable)
+  var unavailableMacOSExplicit: UnavailableMacOSStruct = .init()
+}
+
+@available(macOS, unavailable)
+struct GoodNestedUnavailableMacOSStruct {
+  struct Inner {
+    var unavailableMacOS: UnavailableMacOSStruct = .init()
+    lazy var lazyUnavailableMacOS: UnavailableMacOSStruct = .init()
+
+    // Ok, the container is unavailable.
+    @available(macOS, unavailable)
+    var unavailableMacOSExplicit: UnavailableMacOSStruct = .init()
+  }
+}
+
+@available(*, unavailable)
+struct GoodUniversallyUnavailableStruct {
+  var universallyUnavailable: UniversallyUnavailableStruct = .init()
+  lazy var lazyUniversallyUnavailable: UniversallyUnavailableStruct = .init()
+
+  @available(*, unavailable)
+  var universallyUnavailableExplicit: UniversallyUnavailableStruct = .init()
+}
+
+struct BadStruct {
+  // expected-error@+1 {{stored properties cannot be marked unavailable with '@available'}}
+  @available(macOS, unavailable)
+  var unavailableMacOS: UnavailableMacOSStruct = .init()
+
+  // expected-error@+1 {{stored properties cannot be marked unavailable with '@available'}}
+  @available(macOS, unavailable)
+  lazy var lazyUnavailableMacOS: UnavailableMacOSStruct = .init()
+
+  // expected-error@+1 {{stored properties cannot be marked unavailable with '@available'}}
+  @available(*, unavailable)
+  var universallyUnavailable: UniversallyUnavailableStruct = .init()
+}
+
+enum GoodAvailableEnum {
+  @available(macOS, unavailable)
+  case unavailableMacOS(UnavailableMacOSStruct)
+}

test/Sema/availability_versions.swift

@@ -57,11 +57,6 @@ func functionAvailableOn10_51() {
       // expected-note@-1 {{add 'if #available' version check}}
 }
 
-// Don't allow script-mode globals to marked potentially unavailable. Their
-// initializers are eagerly executed.
-@available(OSX, introduced: 10.51) // expected-error {{global variable cannot be marked potentially unavailable with '@available' in script mode}}
-var potentiallyUnavailableGlobalInScriptMode: Int = globalFuncAvailableOn10_51()
-
 // Still allow other availability annotations on script-mode globals
 @available(OSX, deprecated: 10.51)
 var deprecatedGlobalInScriptMode: Int = 5