Conditionally enable bounds checking for unsafe buffer pointers

Currently, bounds checking is only enabled for unsafe buffer pointers
in debug builds. Introduce a new precondition check kind,
`_boundsCheckPrecondition`, and use it for the bounds checking of
unsafe buffer pointers. This check is enabled both in debug builds
and in builds where the experimental feature `UnsafePointerBoundsSafety`
is enabled.

Author: glessard

stdlib/public/core/Assert.swift

@@ -377,6 +377,31 @@ internal func _debugPreconditionFailure(
 #endif
 }
 
+/// Precondition checks for bounds-checking of unsafe pointers.
+///
+/// Debug library precondition checks are on in debug mode and in release
+/// mode with additional bounds safety enabled. If release and unchecked
+/// modes, they are disabled.
+/// They are meant to be used for bounds-safety checks.
+@usableFromInline @_transparent @_alwaysEmitIntoClient
+internal func _boundsCheckPrecondition(
+  _ condition: @autoclosure () -> Bool, _ message: StaticString = StaticString(),
+  file: StaticString = #file, line: UInt = #line
+) {
+#if SWIFT_STDLIB_ENABLE_DEBUG_PRECONDITIONS_IN_RELEASE
+  _precondition(condition(), message, file: file, line: line)
+#else
+  // Only check in debug and release w/ bounds checks.
+  if _isDebugAssertConfiguration() ||
+      _isReleaseAssertWithBoundsSafetyConfiguration() {
+    if !_fastPath(condition()) {
+      _fatalErrorMessage("Fatal error", message, file: file, line: line,
+        flags: _fatalErrorFlags())
+    }
+  }
+#endif
+}
+
 /// Internal checks.
 ///
 /// Internal checks are to be used for checking correctness conditions in the

stdlib/public/core/UnsafeBufferPointer.swift.gyb

@@ -304,16 +304,15 @@ extension Unsafe${Mutable}BufferPointer: ${Mutable}Collection, RandomAccessColle
 
   @inlinable // unsafe-performance
   public func _failEarlyRangeCheck(_ index: Int, bounds: Range<Int>) {
-    // NOTE: In release mode, this method is a no-op for performance reasons.
-    _debugPrecondition(index >= bounds.lowerBound)
-    _debugPrecondition(index < bounds.upperBound)
+    _boundsCheckPrecondition(index >= bounds.lowerBound && index < bounds.upperBound)
   }
 
   @inlinable // unsafe-performance
   public func _failEarlyRangeCheck(_ range: Range<Int>, bounds: Range<Int>) {
-    // NOTE: In release mode, this method is a no-op for performance reasons.
-    _debugPrecondition(range.lowerBound >= bounds.lowerBound)
-    _debugPrecondition(range.upperBound <= bounds.upperBound)
+    _boundsCheckPrecondition(
+      range.lowerBound >= bounds.lowerBound &&
+      range.upperBound <= bounds.upperBound
+    )
   }
 
   @inlinable // unsafe-performance
@@ -365,14 +364,14 @@ extension Unsafe${Mutable}BufferPointer: ${Mutable}Collection, RandomAccessColle
   @inlinable // unsafe-performance
   public subscript(i: Int) -> Element {
     get {
-      _debugPrecondition(i >= 0)
-      _debugPrecondition(i < endIndex)
+      _boundsCheckPrecondition(i >= 0)
+      _boundsCheckPrecondition(i < endIndex)
       return _position._unsafelyUnwrappedUnchecked[i]
     }
 %if Mutable:
     nonmutating _modify {
-      _debugPrecondition(i >= 0)
-      _debugPrecondition(i < endIndex)
+      _boundsCheckPrecondition(i >= 0)
+      _boundsCheckPrecondition(i < endIndex)
       yield &_position._unsafelyUnwrappedUnchecked[i]
     }
 %end
@@ -438,16 +437,16 @@ extension Unsafe${Mutable}BufferPointer: ${Mutable}Collection, RandomAccessColle
     -> Slice<Unsafe${Mutable}BufferPointer<Element>>
   {
     get {
-      _debugPrecondition(bounds.lowerBound >= startIndex)
-      _debugPrecondition(bounds.upperBound <= endIndex)
+      _boundsCheckPrecondition(bounds.lowerBound >= startIndex)
+      _boundsCheckPrecondition(bounds.upperBound <= endIndex)
       return Slice(
         base: self, bounds: bounds)
     }
 %  if Mutable:
     nonmutating set {
-      _debugPrecondition(bounds.lowerBound >= startIndex)
-      _debugPrecondition(bounds.upperBound <= endIndex)
-      _debugPrecondition(bounds.count == newValue.count)
+      _boundsCheckPrecondition(bounds.lowerBound >= startIndex)
+      _boundsCheckPrecondition(bounds.upperBound <= endIndex)
+      _boundsCheckPrecondition(bounds.count == newValue.count)
 
       // FIXME: swift-3-indexing-model: tests.
       if !newValue.isEmpty {
@@ -472,8 +471,8 @@ extension Unsafe${Mutable}BufferPointer: ${Mutable}Collection, RandomAccessColle
   @inlinable // unsafe-performance
   public func swapAt(_ i: Int, _ j: Int) {
     guard i != j else { return }
-    _debugPrecondition(i >= 0 && j >= 0)
-    _debugPrecondition(i < endIndex && j < endIndex)
+    _boundsCheckPrecondition(i >= 0 && j >= 0)
+    _boundsCheckPrecondition(i < endIndex && j < endIndex)
     let pi = (_position! + i)
     let pj = (_position! + j)
     let tmp = pi.move()
@@ -554,7 +553,7 @@ extension Unsafe${Mutable}BufferPointer {
     // We only do this in debug builds to prevent a measurable performance
     // degradation wrt passing around pointers not wrapped in a BufferPointer
     // construct.
-    _debugPrecondition(
+    _boundsCheckPrecondition(
       slice.startIndex >= 0 && slice.endIndex <= slice.base.count,
       "Invalid slice")
     let base = slice.base.baseAddress?.advanced(by: slice.startIndex)
@@ -1029,7 +1028,7 @@ extension Unsafe${Mutable}BufferPointer {
   @inlinable
   @_alwaysEmitIntoClient
   public func initializeElement(at index: Index, to value: Element) {
-    _debugPrecondition(startIndex <= index && index < endIndex)
+    _boundsCheckPrecondition(startIndex <= index && index < endIndex)
     let p = baseAddress._unsafelyUnwrappedUnchecked.advanced(by: index)
     p.initialize(to: value)
   }
@@ -1047,7 +1046,7 @@ extension Unsafe${Mutable}BufferPointer {
   @inlinable
   @_alwaysEmitIntoClient
   public func moveElement(from index: Index) -> Element {
-    _debugPrecondition(startIndex <= index && index < endIndex)
+    _boundsCheckPrecondition(startIndex <= index && index < endIndex)
     return baseAddress._unsafelyUnwrappedUnchecked.advanced(by: index).move()
   }
 
@@ -1062,7 +1061,7 @@ extension Unsafe${Mutable}BufferPointer {
   @inlinable
   @_alwaysEmitIntoClient
   public func deinitializeElement(at index: Index) {
-    _debugPrecondition(startIndex <= index && index < endIndex)
+    _boundsCheckPrecondition(startIndex <= index && index < endIndex)
     let p = baseAddress._unsafelyUnwrappedUnchecked.advanced(by: index)
     p.deinitialize(count: 1)
   }

test/stdlib/BoundsCheckTraps.swift

@@ -0,0 +1,39 @@
+// RUN: %empty-directory(%t)
+// RUN: %target-build-swift %s -o %t/a.out_Debug -Onone
+// RUN: %target-build-swift %s -o %t/a.out_Release -O
+// RUN: %target-build-swift %s -o %t/a.out_ReleaseWithBoundsSafety -O -enable-experimental-feature UnsafePointerBoundsSafety
+// RUN: %target-codesign %t/a.out_Debug
+// RUN: %target-codesign %t/a.out_Release
+// RUN: %target-codesign %t/a.out_ReleaseWithBoundsSafety
+//
+// RUN: %target-run %t/a.out_Debug
+// RUN: %target-run %t/a.out_Release
+// RUN: %target-run %t/a.out_ReleaseWithBoundsSafety
+// REQUIRES: executable_test
+// REQUIRES: asserts
+// UNSUPPORTED: OS=wasi
+
+import StdlibUnittest
+
+let testSuiteSuffix = _isDebugAssertConfiguration() ? "_debug"
+  : _isReleaseAssertConfiguration() ? "_release" : "_releaseWithBoundsSafety"
+
+var BoundsCheckTraps = TestSuite("BoundsCheckTraps" + testSuiteSuffix)
+
+BoundsCheckTraps.test("UnsafeMutableBufferPointer")
+  .skip(.custom(
+    { _isFastAssertConfiguration() || _isReleaseAssertConfiguration() },
+    reason: "this trap is not guaranteed to happen"))
+  .code {
+  expectCrashLater()
+  var array = [1, 2, 3]
+  array.withUnsafeBufferPointer { buffer in
+    print(buffer[3])
+  }
+  array.withUnsafeMutableBufferPointer { buffer in
+    buffer[3] = 17
+  }
+  _blackHole(array)
+}
+
+runAllTests()