Add unsafe evolution attributes

[jjonescz]

Resolves #125134.

Relates to test plan dotnet/roslyn#81207

[dotnet-policy-service]

Tagging subscribers to this area: @dotnet/area-system-runtime-compilerservices
See info in area-owners.md if you want to be subscribed.

[Copilot]

Pull request overview

Adds two runtime attributes to the public System.Runtime contract to support unsafe-context analysis and module-level memory-safety metadata, with corresponding implementations in System.Private.CoreLib.

Changes:

• Exposes System.Diagnostics.CodeAnalysis.RequiresUnsafeAttribute as a public attribute applicable to constructors/events/methods/properties.
• Introduces System.Runtime.CompilerServices.MemorySafetyRulesAttribute (module-level, editor-browsable never) with a Version payload.
• Implements MemorySafetyRulesAttribute in System.Private.CoreLib and updates RequiresUnsafeAttribute to be public (non-conditional) with updated documentation.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File	Description
src/libraries/System.Runtime/ref/System.Runtime.cs	Adds the new public attribute declarations to the System.Runtime reference contract.
src/libraries/System.Private.CoreLib/src/System/Runtime/CompilerServices/MemorySafetyRulesAttribute.cs	Implements MemorySafetyRulesAttribute with version storage and hidden editor-browsing.
src/libraries/System.Private.CoreLib/src/System/Diagnostics/CodeAnalysis/RequiresUnsafeAttribute.cs	Makes RequiresUnsafeAttribute public and expands its applicable targets.

---

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

Pull request overview

This PR exposes RequiresUnsafeAttribute publicly and introduces a new MemorySafetyRulesAttribute API, updating the reference surface and adding basic tests to validate constructor behavior.

Changes:

• Add MemorySafetyRulesAttribute to System.Runtime.CompilerServices (ref + implementation) and test its Version roundtrip.
• Make RequiresUnsafeAttribute a public attribute with broader AttributeTargets and add a smoke test.
• Add CoreLib package-validation suppressions for the new/changed APIs.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
src/libraries/System.Runtime/tests/System.Runtime.Tests/System/Runtime/CompilerServices/AttributesTests.cs	Adds a theory test for MemorySafetyRulesAttribute.Version.
src/libraries/System.Runtime/tests/System.Runtime.Tests/System/Diagnostics/CodeAnalysis/RequiresUnsafeAttributeTests.cs	Adds a minimal constructor smoke test for RequiresUnsafeAttribute.
src/libraries/System.Runtime/ref/System.Runtime.cs	Updates the public ref surface to include RequiresUnsafeAttribute and MemorySafetyRulesAttribute.
src/libraries/System.Private.CoreLib/src/System/Runtime/CompilerServices/MemorySafetyRulesAttribute.cs	Introduces the CoreLib implementation of MemorySafetyRulesAttribute.
src/libraries/System.Private.CoreLib/src/System/Diagnostics/CodeAnalysis/RequiresUnsafeAttribute.cs	Changes RequiresUnsafeAttribute from internal/debug-only to public and updates usage/summary.
src/coreclr/System.Private.CoreLib/CompatibilitySuppressions.xml	Adds compat suppressions for the new attribute and attribute-usage differences.
src/coreclr/nativeaot/System.Private.CoreLib/src/CompatibilitySuppressions.xml	Mirrors the compat suppressions for NativeAOT CoreLib.

---

You can also share your feedback on Copilot code review. Take the survey.

[EgorBo]

Does ILLink strip these attributes? If it does - should we fix it? cc @agocke

[agocke]

The linker doesn’t strip attributes

[EgorBo]

[jkotas]

Does ILLink strip these attributes? If it does - should we fix it?

Linker can strip attributes that are not needed at runtime. It is controlled by https://github.com/dotnet/runtime/blob/main/src/libraries/System.Private.CoreLib/src/ILLink/ILLink.LinkAttributes.Shared.xml

Unless we start reading this attribute at runtime (no plans for that currently), we may want to add it to the trimmed list.

[agocke]

LGTM, matches recent LDM decisions.

[jcouv]

LGTM Thanks (commit 4)

[Copilot]

Pull request overview

This PR introduces the public surface area needed for the C# “unsafe evolution” feature by adding the new module-level MemorySafetyRulesAttribute and making RequiresUnsafeAttribute a public API, then annotating relevant unsafe-entry-point APIs across the runtime and reference assemblies.

Changes:

• Add System.Runtime.CompilerServices.MemorySafetyRulesAttribute (module-level, versioned) and corresponding unit test coverage.
• Promote System.Diagnostics.CodeAnalysis.RequiresUnsafeAttribute to a public attribute and apply it broadly to unsafe APIs (CoreLib + ref assemblies) so compilers/analyzers can enforce unsafe-context call sites.
• Update reference assemblies (and related tests / project files) to reflect the new/updated attributes on public APIs.

Reviewed changes

Copilot reviewed 46 out of 49 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
src/mono/System.Private.CoreLib/src/System/Reflection/Metadata/AssemblyExtensions.cs	Annotates unsafe metadata access API with RequiresUnsafe.
src/mono/System.Private.CoreLib/src/System/Reflection/Emit/DynamicILInfo.cs	Annotates unsafe pointer-based overloads with RequiresUnsafe.
src/mono/System.Private.CoreLib/src/System/ArgIterator.cs	Annotates unsafe constructor overload with RequiresUnsafe.
src/libraries/System.Threading.ThreadPool/ref/System.Threading.ThreadPool.cs	Adds RequiresUnsafeAttribute to unsafe ThreadPool API in ref.
src/libraries/System.Threading.Overlapped/ref/System.Threading.Overlapped.cs	Adds RequiresUnsafeAttribute to unsafe Overlapped APIs in ref.
src/libraries/System.Text.Encoding.Extensions/ref/System.Text.Encoding.Extensions.cs	Adds RequiresUnsafeAttribute to pointer-based encoding APIs in ref.
src/libraries/System.Runtime/tests/System.Runtime.Tests/System/Runtime/CompilerServices/AttributesTests.cs	Adds unit tests for MemorySafetyRulesAttribute.Version.
src/libraries/System.Runtime/tests/System.Runtime.Tests/System/Diagnostics/CodeAnalysis/RequiresUnsafeAttributeTests.cs	New unit test ensuring RequiresUnsafeAttribute is constructible.
src/libraries/System.Runtime/tests/System.Runtime.Tests/System.Runtime.Tests.csproj	Includes new RequiresUnsafeAttributeTests file in the test project.
src/libraries/System.Runtime/ref/System.Runtime.cs	Adds new MemorySafetyRulesAttribute and exposes RequiresUnsafeAttribute in the ref surface; annotates many unsafe members.
src/libraries/System.Runtime.Loader/ref/System.Runtime.Loader.cs	Adds RequiresUnsafeAttribute to AssemblyExtensions.TryGetRawMetadata in ref.
src/libraries/System.Runtime.InteropServices/src/System/Runtime/InteropServices/Marshalling/StrategyBasedComWrappers.cs	Annotates unsafe COM vtable computation override with RequiresUnsafe.
src/libraries/System.Runtime.InteropServices/ref/System.Runtime.InteropServices.cs	Annotates multiple unsafe interop APIs with RequiresUnsafeAttribute in ref.
src/libraries/System.Reflection.Emit.Lightweight/ref/System.Reflection.Emit.Lightweight.cs	Annotates pointer-based DynamicILInfo methods with RequiresUnsafeAttribute in ref.
src/libraries/System.Private.CoreLib/src/System/Threading/ThreadPool.Windows.cs	Annotates unsafe ThreadPool API with RequiresUnsafe.
src/libraries/System.Private.CoreLib/src/System/Threading/ThreadPool.Wasi.cs	Annotates unsafe ThreadPool API (PNSE path) with RequiresUnsafe.
src/libraries/System.Private.CoreLib/src/System/Threading/ThreadPool.Browser.cs	Annotates unsafe ThreadPool API with RequiresUnsafe.
src/libraries/System.Private.CoreLib/src/System/Runtime/Intrinsics/X86/Sse41.PlatformNotSupported.cs	Annotates unsafe pointer overloads with RequiresUnsafe.
src/libraries/System.Private.CoreLib/src/System/Runtime/Intrinsics/X86/Sse3.PlatformNotSupported.cs	Adds CodeAnalysis using + annotates unsafe pointer overloads with RequiresUnsafe.
src/libraries/System.Private.CoreLib/src/System/Runtime/Intrinsics/X86/Sse2.PlatformNotSupported.cs	Annotates unsafe pointer overloads with RequiresUnsafe.
src/libraries/System.Private.CoreLib/src/System/Runtime/Intrinsics/X86/Sse.PlatformNotSupported.cs	Annotates unsafe pointer overloads with RequiresUnsafe.
src/libraries/System.Private.CoreLib/src/System/Runtime/Intrinsics/X86/Bmi2.PlatformNotSupported.cs	Adds CodeAnalysis using + annotates unsafe pointer overloads with RequiresUnsafe.
src/libraries/System.Private.CoreLib/src/System/Runtime/Intrinsics/X86/Avx512Vbmi2.PlatformNotSupported.cs	Annotates unsafe pointer overloads with RequiresUnsafe.
src/libraries/System.Private.CoreLib/src/System/Runtime/Intrinsics/X86/Avx512DQ.PlatformNotSupported.cs	Annotates unsafe pointer overloads with RequiresUnsafe.
src/libraries/System.Private.CoreLib/src/System/Runtime/Intrinsics/X86/Avx512BW.PlatformNotSupported.cs	Annotates unsafe pointer overloads with RequiresUnsafe.
src/libraries/System.Private.CoreLib/src/System/Runtime/Intrinsics/X86/Avx10v2.PlatformNotSupported.cs	Annotates unsafe pointer overloads with RequiresUnsafe.
src/libraries/System.Private.CoreLib/src/System/Runtime/Intrinsics/X86/Avx10v1.PlatformNotSupported.cs	Annotates many unsafe pointer overloads with RequiresUnsafe.
src/libraries/System.Private.CoreLib/src/System/Runtime/Intrinsics/X86/Avx.PlatformNotSupported.cs	Annotates unsafe pointer overloads with RequiresUnsafe.
src/libraries/System.Private.CoreLib/src/System/Runtime/Intrinsics/Wasm/PackedSimd.cs	Annotates numerous unsafe pointer load/store intrinsics with RequiresUnsafe.
src/libraries/System.Private.CoreLib/src/System/Runtime/Intrinsics/Arm/Sve2.cs	Annotates unsafe pointer-based SVE2 APIs with RequiresUnsafe.
src/libraries/System.Private.CoreLib/src/System/Runtime/InteropServices/ObjectiveC/ObjectiveCMarshal.cs	Adds CodeAnalysis using + annotates unsafe initialization API with RequiresUnsafe.
src/libraries/System.Private.CoreLib/src/System/Runtime/InteropServices/NativeMemory.Windows.cs	Adds CodeAnalysis using + annotates unsafe memory APIs with RequiresUnsafe.
src/libraries/System.Private.CoreLib/src/System/Runtime/InteropServices/Java/JavaMarshal.Unsupported.cs	Adds CodeAnalysis using + annotates unsafe Java marshalling APIs with RequiresUnsafe.
src/libraries/System.Private.CoreLib/src/System/Runtime/InteropServices/ComWrappers.PlatformNotSupported.cs	Annotates unsafe COM-related APIs with RequiresUnsafe.
src/libraries/System.Private.CoreLib/src/System/Runtime/CompilerServices/MemorySafetyRulesAttribute.cs	New attribute type representing memory safety rules version (module-level).
src/libraries/System.Private.CoreLib/src/System/Diagnostics/CodeAnalysis/RequiresUnsafeAttribute.cs	Updates RequiresUnsafeAttribute to the new public API shape/usage.
src/libraries/System.Private.CoreLib/src/System.Private.CoreLib.Shared.projitems	Includes new MemorySafetyRulesAttribute.cs in CoreLib shared compilation items.
src/libraries/System.Numerics.Vectors/ref/System.Numerics.Vectors.cs	Annotates unsafe vector load/store APIs with RequiresUnsafeAttribute in ref.
src/libraries/System.Diagnostics.Tracing/ref/System.Diagnostics.Tracing.cs	Annotates unsafe EventSource core write APIs with RequiresUnsafeAttribute in ref.
src/coreclr/System.Private.CoreLib/src/System/ArgIterator.cs	Annotates unsafe constructor overload with RequiresUnsafe.
src/coreclr/nativeaot/System.Private.CoreLib/src/System/Runtime/InteropServices/Java/JavaMarshal.NativeAot.cs	Adds CodeAnalysis using + annotates unsafe Java marshalling APIs with RequiresUnsafe.
src/coreclr/nativeaot/System.Private.CoreLib/src/System/Reflection/Metadata/AssemblyExtensions.cs	Adds CodeAnalysis using + annotates unsafe metadata access API with RequiresUnsafe.
src/coreclr/nativeaot/System.Private.CoreLib/src/System/Reflection/Emit/DynamicILInfo.cs	Adds CodeAnalysis using + annotates unsafe pointer-based overloads with RequiresUnsafe.
src/coreclr/nativeaot/System.Private.CoreLib/src/System/ArgIterator.cs	Adds CodeAnalysis using + annotates unsafe constructor overload with RequiresUnsafe.

[agocke]

@jjonescz Do we need to apply MemorySafetyRules to the project somehow in order to make the compiler happy? The VMR is seeing

System.Private.CoreLib/src/System/IO/UnmanagedMemoryStream.cs(154,10): error CS9368: RequiresUnsafeAttribute is only valid under the updated memory safety rules.

[jjonescz]

Do we need to apply MemorySafetyRules to the project somehow in order to make the compiler happy? The VMR is seeing

System.Private.CoreLib/src/System/IO/UnmanagedMemoryStream.cs(154,10): error CS9368: RequiresUnsafeAttribute is only valid under the updated memory safety rules.

Yes, <Features>$(Features);updated-memory-safety-rules</Features> until we have a public API for it (dotnet/roslyn#82791)

[jkotas]

Do we need to apply MemorySafetyRules to the project somehow in order to make the compiler happy?

dotnet/runtime has a ton of sources that compile for both current .NET version and downlevel .NET versions. Is this error going to require all RequiresUnsafe annotations to be under an ifdef for current version?

[jjonescz]

It's just a warning (in your case probably promoted to an error), so we could just suppress it.

[EgorBo]

Do we need to apply MemorySafetyRules to the project somehow in order to make the compiler happy?

dotnet/runtime has a ton of sources that compile for both current .NET version and downlevel .NET versions. Is this error going to require all RequiresUnsafe annotations to be under an ifdef for current version?

in my PR in #125894 I moved the attribute to Common so it works as a pollyfil (can be made internal for non-.NET 11)

[jjonescz]

FYI, last commit adds the [RequiresUnsafe] attribute to APIs that already had it but only partially, e.g., only in CoreCLR definition but not in ref assemblies or Mono (which ApiCompat doesn't like now that the attribute is public).

I'm planning to merge this PR once the CI is green.