Sema: Ban unavailable deinits.

Destructors are always called if declared, so allowing deinit to be declared as
unavailable (or potentially unavailable) creates a type checking loophole that
allows unavailable code to execute at runtime:

```
class C {
  @available(*, unavailable)
  deinit {
    print("Oops")
  }
}

_ = C() // prints "Oops"
```

Resolves rdar://106409012 and #63854.

Author: tshortli

include/swift/AST/DiagnosticsSema.def

@@ -6122,6 +6122,13 @@ WARNING(availability_query_useless_enclosing_scope, none,
 NOTE(availability_query_useless_enclosing_scope_here, none,
      "enclosing scope here", ())
 
+ERROR(availability_deinit_no_potential, none,
+      "deinitializer cannot be marked potentially unavailable with "
+      "'@available'", ())
+
+ERROR(availability_deinit_no_unavailable, none,
+      "deinitializer cannot be marked unavailable with '@available'", ())
+
 ERROR(availability_global_script_no_potential,
       none, "global variable cannot be marked potentially "
       "unavailable with '@available' in script mode", ())

lib/Sema/TypeCheckAttr.cpp

@@ -1858,33 +1858,14 @@ void AttributeChecker::visitAvailableAttr(AvailableAttr *attr) {
   if (Ctx.LangOpts.DisableAvailabilityChecking)
     return;
 
+  // FIXME: This seems like it could be diagnosed during parsing instead.
   while (attr->IsSPI) {
     if (attr->hasPlatform() && attr->Introduced.has_value())
       break;
     diagnoseAndRemoveAttr(attr, diag::spi_available_malformed);
     break;
   }
 
-  if (auto *PD = dyn_cast<ProtocolDecl>(D->getDeclContext())) {
-    if (auto *VD = dyn_cast<ValueDecl>(D)) {
-      if (VD->isProtocolRequirement()) {
-        if (attr->isActivePlatform(Ctx) ||
-            attr->isLanguageVersionSpecific() ||
-            attr->isPackageDescriptionVersionSpecific()) {
-          auto versionAvailability = attr->getVersionAvailability(Ctx);
-          if (attr->isUnconditionallyUnavailable() ||
-              versionAvailability == AvailableVersionComparison::Obsoleted ||
-              versionAvailability == AvailableVersionComparison::Unavailable) {
-              if (!PD->isObjC()) {
-                diagnoseAndRemoveAttr(attr, diag::unavailable_method_non_objc_protocol);
-                return;
-              }
-            }
-          }
-        }
-    }
-  }
-
   if (attr->isNoAsync()) {
     const DeclContext * dctx = dyn_cast<DeclContext>(D);
     bool isAsyncDeclContext = dctx && dctx->isAsyncContext();
@@ -1911,19 +1892,45 @@ void AttributeChecker::visitAvailableAttr(AvailableAttr *attr) {
       D->getASTContext().Diags.diagnose(
           D->getLoc(), diag::invalid_decl_attribute, attr);
     }
-
   }
 
   // Skip the remaining diagnostics in swiftinterfaces.
   auto *SF = D->getDeclContext()->getParentSourceFile();
   if (SF && SF->Kind == SourceFileKind::Interface)
     return;
 
-  if (!attr->hasPlatform() || !attr->isActivePlatform(Ctx) ||
-      !attr->Introduced.has_value()) {
+  // The remaining diagnostics are only for attributes that are active for the
+  // current target triple.
+  if (!attr->isActivePlatform(Ctx) && !attr->isLanguageVersionSpecific() &&
+      !attr->isPackageDescriptionVersionSpecific())
     return;
+
+  SourceLoc attrLoc = attr->getLocation();
+  auto versionAvailability = attr->getVersionAvailability(Ctx);
+  if (versionAvailability == AvailableVersionComparison::Obsoleted ||
+      versionAvailability == AvailableVersionComparison::Unavailable) {
+    if (auto cannotBeUnavailable =
+            TypeChecker::diagnosticIfDeclCannotBeUnavailable(D)) {
+      diagnose(attrLoc, cannotBeUnavailable.value());
+      return;
+    }
+
+    if (auto *PD = dyn_cast<ProtocolDecl>(D->getDeclContext())) {
+      if (auto *VD = dyn_cast<ValueDecl>(D)) {
+        if (VD->isProtocolRequirement() && !PD->isObjC()) {
+          diagnoseAndRemoveAttr(attr,
+                                diag::unavailable_method_non_objc_protocol);
+          return;
+        }
+      }
+    }
   }
 
+  // The remaining diagnostics are only for attributes with introduced versions
+  // for specific platforms.
+  if (!attr->hasPlatform() || !attr->Introduced.has_value())
+    return;
+
   // Make sure there isn't a more specific attribute we should be using instead.
   // findMostSpecificActivePlatform() is O(N), so only do this if we're checking
   // an iOS attribute while building for macCatalyst.
@@ -1934,8 +1941,6 @@ void AttributeChecker::visitAvailableAttr(AvailableAttr *attr) {
     }
   }
 
-  SourceLoc attrLoc = attr->getLocation();
-
   // Find the innermost enclosing declaration with an availability
   // range annotation and ensure that this attribute's available version range
   // is fully contained within that declaration's range. If there is no such
@@ -4459,6 +4464,10 @@ Optional<Diag<>>
 TypeChecker::diagnosticIfDeclCannotBePotentiallyUnavailable(const Decl *D) {
   auto *DC = D->getDeclContext();
 
+  // A destructor is always called if declared.
+  if (auto *DD = dyn_cast<DestructorDecl>(D))
+    return diag::availability_deinit_no_potential;
+
   if (auto *VD = dyn_cast<VarDecl>(D)) {
     if (!VD->hasStorageOrWrapsStorage())
       return None;
@@ -4493,6 +4502,27 @@ TypeChecker::diagnosticIfDeclCannotBePotentiallyUnavailable(const Decl *D) {
   return None;
 }
 
+Optional<Diag<>>
+TypeChecker::diagnosticIfDeclCannotBeUnavailable(const Decl *D) {
+  auto parentIsUnavailable = [](const Decl *D) -> bool {
+    if (auto *parent =
+            AvailabilityInference::parentDeclForInferredAvailability(D)) {
+      return parent->getSemanticUnavailableAttr() != None;
+    }
+    return false;
+  };
+
+  // A destructor is always called if declared.
+  if (auto *DD = dyn_cast<DestructorDecl>(D)) {
+    if (parentIsUnavailable(D))
+      return None;
+
+    return diag::availability_deinit_no_unavailable;
+  }
+
+  return None;
+}
+
 static bool shouldBlockImplicitDynamic(Decl *D) {
   if (D->getAttrs().hasAttribute<NonObjCAttr>() ||
       D->getAttrs().hasAttribute<SILGenNameAttr>() ||

lib/Sema/TypeChecker.h

@@ -1060,6 +1060,11 @@ TypeRefinementContext *getOrBuildTypeRefinementContext(SourceFile *SF);
 Optional<Diag<>>
 diagnosticIfDeclCannotBePotentiallyUnavailable(const Decl *D);
 
+/// Returns a diagnostic indicating why the declaration cannot be annotated
+/// with an @available() attribute indicating it is unavailable or None if this
+/// is allowed.
+Optional<Diag<>> diagnosticIfDeclCannotBeUnavailable(const Decl *D);
+
 /// Same as \c checkDeclarationAvailability but doesn't give a reason for
 /// unavailability.
 bool isDeclarationUnavailable(

test/Sema/availability_deinit.swift

@@ -0,0 +1,52 @@
+// RUN: %target-typecheck-verify-swift -target %target-cpu-apple-macosx10.50
+
+// REQUIRES: OS=macosx
+
+@available(*, unavailable)
+class Unavailable {
+  deinit {}
+}
+
+@available(*, unavailable)
+class UnavailableWithUnavailableDeinit {
+  @available(*, unavailable)
+  deinit {}
+}
+
+@available(*, unavailable)
+enum UnavailableEnum {
+  class NestedWithUnavailableDeinit {
+    @available(*, unavailable)
+    deinit {}
+  }
+}
+
+class DeinitUnavailable {
+  @available(*, unavailable) // expected-error {{deinitializer cannot be marked unavailable with '@available'}}
+  deinit {}
+}
+
+class DeinitUnavailableMacOS {
+  @available(macOS, unavailable) // expected-error {{deinitializer cannot be marked unavailable with '@available'}}
+  deinit {}
+}
+
+class AvailableAtDeploymentTargetDeinit {
+  @available(macOS 10.50, *)
+  deinit {}
+}
+
+class PotentiallyUnavailableDeinit {
+  @available(macOS 10.51, *) // expected-error {{deinitializer cannot be marked potentially unavailable with '@available'}}
+  deinit {}
+}
+
+@available(macOS 10.51, *)
+func funcAvailable10_51() {}
+
+class AlwaysAvailable { // expected-note {{add @available attribute to enclosing class}}
+  deinit {
+    funcAvailable10_51() // expected-error {{'funcAvailable10_51()' is only available in macOS 10.51 or newer}}
+    // expected-note@-1 {{add 'if #available' version check}}
+  }
+}