[API Proposal]: Unsafe evolution attributes

[jjonescz]

Background and motivation

Attributes needed for the unsafe evolution C# language feature (dotnet/roslyn#81207).

API Proposal

namespace System.Runtime.CompilerServices
{
    [AttributeUsage(AttributeTargets.Constructor | AttributeTargets.Event | AttributeTargets.Method | AttributeTargets.Property, Inherited = false, AllowMultiple = false)]
    public sealed class RequiresUnsafeAttribute : Attribute { }
}

namespace System.Runtime.CompilerServices
{
    [AttributeUsage(AttributeTargets.Module, Inherited = false, AllowMultiple = false)]
    public sealed class MemorySafetyRulesAttribute : Attribute
    {
        public MemorySafetyRulesAttribute(int version) { Version = version; }
        public int Version;
    }
}

API Usage

The MemorySafetyRulesAttribute is used by the compiler (it is disallowed to use it in source). The compiler applies it to a module when updated memory safety rules are enabled.

The RequiresUnsafeAttribute is used by users but can be also applied by the compiler implicitly for extern members.

class C
{
    [RequiresUnsafe] public void M() { }
}

Alternative Designs

Since the RequiresUnsafe attribute is to be used by users, perhaps it should live in System.Diagnostics.CodeAnalysis instead - in fact, it's already defined there internally:

runtime/src/libraries/System.Private.CoreLib/src/System/Diagnostics/CodeAnalysis/RequiresUnsafeAttribute.cs

Line 16 in 9511672

internal sealed class RequiresUnsafeAttribute : Attribute

Risks

No response

[dotnet-policy-service]

Tagging subscribers to this area: @dotnet/area-system-runtime-compilerservices
See info in area-owners.md if you want to be subscribed.

[hamarb123]

Sholdn't it also be allowed on fields? It seems to be mentioned in https://github.com/dotnet/designs/blob/main/accepted/2025/memory-safety/caller-unsafe.md that it should be:

unsafe will also be allowed on field declarations. This allows code to indicate that part of an unsafe contract is carried within a field. For example, the following simplified code appears in the dotnet/runtime core framework:

public class ArrayWrapper<T>
{
    private Array _array;

    public T GetItem(int index)
    {
        var typedArray = Unsafe.As<T[]>(ref _array);
        return typedArray[index];
    }
}

So unless this scenario has been deemed irrelevant in the last 4 months (in which case I would like to understand why, as I would have used this), then it should have AttributeTargets.Field I would think.

[333fred]

It's an open question for the proposal. We will bring it up in review and get pre-approval to make the change should LDM sign off.

[agocke]

Current namespace is System.Diagnostics.CodeAnalysis. That's what I'd prefer.