stdlib: opt out of stack protection in places where there can't be buffer overflows.

We trust the internal implementation of the stdlib to not cause any unintentional buffer overflows.
In such cases we can use the "unprotected" address-to-pointer conversions.
This avoids inserting stack protections where it's not needed.

Author: eeckstein

stdlib/public/core/AnyHashable.swift

@@ -159,9 +159,10 @@ public struct AnyHashable {
     }
 
     self.init(_box: _ConcreteHashableBox(false)) // Dummy value
+    let ptr = UnsafeMutablePointer<AnyHashable>(Builtin.unprotectedAddressOf(&self))
     _makeAnyHashableUpcastingToHashableBaseType(
       base,
-      storingResultInto: &self)
+      storingResultInto: ptr)
   }
 
   internal init<H: Hashable>(_usingDefaultRepresentationOf base: H) {

stdlib/public/core/FloatingPointParsing.swift.gyb

@@ -169,7 +169,7 @@ extension ${Self}: LosslessStringConvertible {
       self.init(Substring(text))
     } else {
       self = 0.0
-      let success = withUnsafeMutablePointer(to: &self) { p -> Bool in
+      let success = _withUnprotectedUnsafeMutablePointer(to: &self) { p -> Bool in
         text.withCString { chars -> Bool in
           switch chars[0] {
           case 9, 10, 11, 12, 13, 32:
@@ -198,7 +198,7 @@ extension ${Self}: LosslessStringConvertible {
   @available(SwiftStdlib 5.3, *)
   public init?(_ text: Substring) {
     self = 0.0
-    let success = withUnsafeMutablePointer(to: &self) { p -> Bool in
+    let success = _withUnprotectedUnsafeMutablePointer(to: &self) { p -> Bool in
       text.withCString { chars -> Bool in
         switch chars[0] {
         case 9, 10, 11, 12, 13, 32:

stdlib/public/core/KeyPath.swift

@@ -1951,7 +1951,8 @@ func _modifyAtWritableKeyPath_impl<Root, Value>(
       keyPath: _unsafeUncheckedDowncast(keyPath,
         to: ReferenceWritableKeyPath<Root, Value>.self))
   }
-  return keyPath._projectMutableAddress(from: &root)
+  let ptr = UnsafePointer<Root>(Builtin.unprotectedAddressOf(&root))
+  return keyPath._projectMutableAddress(from: ptr)
 }
 
 // The release that ends the access scope is guaranteed to happen
@@ -1980,7 +1981,8 @@ func _setAtWritableKeyPath<Root, Value>(
       value: value)
   }
   // TODO: we should be able to do this more efficiently than projecting.
-  let (addr, owner) = keyPath._projectMutableAddress(from: &root)
+  let ptr = UnsafePointer<Root>(Builtin.unprotectedAddressOf(&root))
+  let (addr, owner) = keyPath._projectMutableAddress(from: ptr)
   addr.pointee = value
   _fixLifetime(owner)
   // FIXME: this needs a deallocation barrier to ensure that the
@@ -3277,7 +3279,7 @@ internal struct InstantiateKeyPathBuffer: KeyPathPatternVisitor {
     _internalInvariant(_isPOD(T.self))
     let size = MemoryLayout<T>.size
     let (baseAddress, misalign) = adjustDestForAlignment(of: T.self)
-    withUnsafeBytes(of: value) {
+    _withUnprotectedUnsafeBytes(of: value) {
       _memcpy(dest: baseAddress, src: $0.baseAddress.unsafelyUnwrapped,
               size: UInt(size))
     }

stdlib/public/core/LifetimeManager.swift

@@ -92,7 +92,11 @@ public func _withUnprotectedUnsafeMutablePointer<T, Result>(
   _ body: (UnsafeMutablePointer<T>) throws -> Result
 ) rethrows -> Result
 {
+#if $BuiltinUnprotectedAddressOf
   return try body(UnsafeMutablePointer<T>(Builtin.unprotectedAddressOf(&value)))
+#else
+  return try body(UnsafeMutablePointer<T>(Builtin.addressof(&value)))
+#endif
 }
 
 /// Invokes the given closure with a pointer to the given argument.
@@ -167,7 +171,11 @@ public func _withUnprotectedUnsafePointer<T, Result>(
   _ body: (UnsafePointer<T>) throws -> Result
 ) rethrows -> Result
 {
+#if $BuiltinUnprotectedAddressOf
   return try body(UnsafePointer<T>(Builtin.unprotectedAddressOf(&value)))
+#else
+  return try body(UnsafePointer<T>(Builtin.addressof(&value)))
+#endif
 }
 
 extension String {

stdlib/public/core/MutableCollection.swift

@@ -488,8 +488,13 @@ extension MutableCollection {
 public func swap<T>(_ a: inout T, _ b: inout T) {
   // Semantically equivalent to (a, b) = (b, a).
   // Microoptimized to avoid retain/release traffic.
+#if $BuiltinUnprotectedAddressOf
+  let p1 = Builtin.unprotectedAddressOf(&a)
+  let p2 = Builtin.unprotectedAddressOf(&b)
+#else
   let p1 = Builtin.addressof(&a)
   let p2 = Builtin.addressof(&b)
+#endif
   _debugPrecondition(
     p1 != p2,
     "swapping a location with itself is not supported")

stdlib/public/core/Random.swift

@@ -158,7 +158,12 @@ public struct SystemRandomNumberGenerator: RandomNumberGenerator, Sendable {
   @inlinable
   public mutating func next() -> UInt64 {
     var random: UInt64 = 0
-    swift_stdlib_random(&random, MemoryLayout<UInt64>.size)
+#if $BuiltinUnprotectedAddressOf
+    let ptr = UnsafeMutablePointer<UInt64>(Builtin.unprotectedAddressOf(&random))
+#else
+    let ptr = UnsafeMutablePointer<UInt64>(Builtin.addressof(&random))
+#endif
+    swift_stdlib_random(ptr, MemoryLayout<UInt64>.size)
     return random
   }
 }

stdlib/public/core/SmallString.swift

@@ -221,7 +221,7 @@ extension _SmallString {
   ) rethrows -> Result {
     let count = self.count
     var raw = self.zeroTerminatedRawCodeUnits
-    return try Swift.withUnsafeBytes(of: &raw) {
+    return try Swift._withUnprotectedUnsafeBytes(of: &raw) {
       let rawPtr = $0.baseAddress._unsafelyUnwrappedUnchecked
       // Rebind the underlying (UInt64, UInt64) tuple to UInt8 for the
       // duration of the closure. Accessing self after this rebind is undefined.

stdlib/public/core/StringSwitch.swift

@@ -68,23 +68,20 @@ func _findStringSwitchCaseWithCache(
   string: String,
   cache: inout _OpaqueStringSwitchCache) -> Int {
 
-  return withUnsafeMutableBytes(of: &cache) {
-    (bufPtr: UnsafeMutableRawBufferPointer) -> Int in
-
-    let oncePtr = bufPtr.baseAddress!
-    let cacheRawPtr = oncePtr + MemoryLayout<Builtin.Word>.stride
-    let cachePtr = cacheRawPtr.bindMemory(to: _StringSwitchCache.self, capacity: 1)
-    var context = _StringSwitchContext(cases: cases, cachePtr: cachePtr)
-    withUnsafeMutablePointer(to: &context) { (context) -> () in
-      Builtin.onceWithContext(oncePtr._rawValue, _createStringTableCache,
-                              context._rawValue)
-    }
-    let cache = cachePtr.pointee;
-    if let idx = cache[string] {
-      return idx
-    }
-    return -1
+  let ptr = UnsafeMutableRawPointer(Builtin.unprotectedAddressOf(&cache))
+  let oncePtr = ptr
+  let cacheRawPtr = oncePtr + MemoryLayout<Builtin.Word>.stride
+  let cachePtr = cacheRawPtr.bindMemory(to: _StringSwitchCache.self, capacity: 1)
+  var context = _StringSwitchContext(cases: cases, cachePtr: cachePtr)
+  withUnsafeMutablePointer(to: &context) { (context) -> () in
+    Builtin.onceWithContext(oncePtr._rawValue, _createStringTableCache,
+                            context._rawValue)
+  }
+  let cache = cachePtr.pointee;
+  if let idx = cache[string] {
+    return idx
   }
+  return -1
 }
 
 /// Builds the string switch case.

stdlib/public/core/UnicodeScalar.swift

@@ -524,7 +524,7 @@ extension Unicode.Scalar {
 
     // The first code unit is in the least significant byte of codeUnits.
     codeUnits = codeUnits.littleEndian
-    return try Swift.withUnsafePointer(to: &codeUnits) {
+    return try Swift._withUnprotectedUnsafePointer(to: &codeUnits) {
       return try $0.withMemoryRebound(to: UInt8.self, capacity: 4) {
         return try body(UnsafeBufferPointer(start: $0, count: utf8Count))
       }

stdlib/public/core/UnsafeRawBufferPointer.swift.gyb

@@ -1092,7 +1092,11 @@ public func _withUnprotectedUnsafeBytes<T, Result>(
   of value: T,
   _ body: (UnsafeRawBufferPointer) throws -> Result
 ) rethrows -> Result {
+#if $BuiltinUnprotectedAddressOf
   let addr = UnsafeRawPointer(Builtin.unprotectedAddressOfBorrow(value))
+#else
+  let addr = UnsafeRawPointer(Builtin.addressof(value))
+#endif
   let buffer = UnsafeRawBufferPointer(start: addr, count: MemoryLayout<T>.size)
   return try body(buffer)
 }

stdlib/public/core/VarArgs.swift

@@ -215,9 +215,15 @@ public func _encodeBitsAsWords<T>(_ x: T) -> [Int] {
   _internalInvariant(!result.isEmpty)
   var tmp = x
   // FIXME: use UnsafeMutablePointer.assign(from:) instead of memcpy.
+#if $BuiltinUnprotectedAddressOf
+  _memcpy(dest: UnsafeMutablePointer(result._baseAddressIfContiguous!),
+          src: UnsafeMutablePointer(Builtin.unprotectedAddressOf(&tmp)),
+          size: UInt(MemoryLayout<T>.size))
+#else
   _memcpy(dest: UnsafeMutablePointer(result._baseAddressIfContiguous!),
           src: UnsafeMutablePointer(Builtin.addressof(&tmp)),
           size: UInt(MemoryLayout<T>.size))
+#endif
   return result
 }