Skip methods where stackalloc would escape the new unsafe block

After wrapping a method body in a fresh `unsafe { ... }` block any
`stackalloc` inside has block-scoped safe-to-escape. Assigning that
(directly or through a local) to a parameter / out variable requires
the parameter to have a wider safe-to-escape, which fails with CS9080
/ CS9081 after the wrap. The repo-wide `SkipLocalsInit` policy means
`stackalloc` must stay inside an unsafe context, so there is no
mechanical rewrite that both removes the `unsafe` modifier and keeps
the body compiling for this shape.

The analyzer now detects this combination syntactically and does not
report on the affected declarations - they keep the `unsafe`
modifier and a human can refactor them (extract a helper that takes
the buffer, restructure the stackalloc) if desired.

Conservative check: collect parameter names of the enclosing member,
then skip if the body contains a `stackalloc` AND any simple
assignment whose left-hand side is an identifier matching one of those
parameter names. False positives only mean a few extra methods keep
`unsafe` - safer than emitting code that fails to build.

STJ output regenerated via `dotnet format`; STJ builds clean.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: EgorBo

src/libraries/System.Text.Json/src/System/Text/Json/Document/JsonDocument.TryGetProperty.cs

@@ -245,44 +245,39 @@ public static bool TryDecodeBase64InPlace(Span<byte> utf8Unescaped, [NotNullWhen
             return true;
         }
 
-        public static bool TryDecodeBase64(ReadOnlySpan<byte> utf8Unescaped, [NotNullWhen(true)] out byte[]? bytes)
+        public static unsafe bool TryDecodeBase64(ReadOnlySpan<byte> utf8Unescaped, [NotNullWhen(true)] out byte[]? bytes)
         {
-            // SAFETY-TODO: review this unsafe usage.
-            // Either document why it's safe, refactor to remove it, or mark the enclosing member 'unsafe'.
-            unsafe
-            {
-                byte[]? pooledArray = null;
-
-                Span<byte> byteSpan = utf8Unescaped.Length <= JsonConstants.StackallocByteThreshold ?
-                    stackalloc byte[JsonConstants.StackallocByteThreshold] :
-                    (pooledArray = ArrayPool<byte>.Shared.Rent(utf8Unescaped.Length));
+            byte[]? pooledArray = null;
 
-                OperationStatus status = Base64.DecodeFromUtf8(utf8Unescaped, byteSpan, out int bytesConsumed, out int bytesWritten);
-
-                if (status != OperationStatus.Done)
-                {
-                    bytes = null;
-
-                    if (pooledArray != null)
-                    {
-                        byteSpan.Clear();
-                        ArrayPool<byte>.Shared.Return(pooledArray);
-                    }
+            Span<byte> byteSpan = utf8Unescaped.Length <= JsonConstants.StackallocByteThreshold ?
+                stackalloc byte[JsonConstants.StackallocByteThreshold] :
+                (pooledArray = ArrayPool<byte>.Shared.Rent(utf8Unescaped.Length));
 
-                    return false;
-                }
-                Debug.Assert(bytesConsumed == utf8Unescaped.Length);
+            OperationStatus status = Base64.DecodeFromUtf8(utf8Unescaped, byteSpan, out int bytesConsumed, out int bytesWritten);
 
-                bytes = byteSpan.Slice(0, bytesWritten).ToArray();
+            if (status != OperationStatus.Done)
+            {
+                bytes = null;
 
                 if (pooledArray != null)
                 {
                     byteSpan.Clear();
                     ArrayPool<byte>.Shared.Return(pooledArray);
                 }
 
-                return true;
+                return false;
             }
+            Debug.Assert(bytesConsumed == utf8Unescaped.Length);
+
+            bytes = byteSpan.Slice(0, bytesWritten).ToArray();
+
+            if (pooledArray != null)
+            {
+                byteSpan.Clear();
+                ArrayPool<byte>.Shared.Return(pooledArray);
+            }
+
+            return true;
         }
 
         public static string TranscodeHelper(ReadOnlySpan<byte> utf8Unescaped)

src/libraries/System.Text.Json/src/System/Text/Json/Reader/JsonReaderHelper.Unescaping.cs

@@ -176,31 +176,26 @@ public static bool TryGetValue(ReadOnlySpan<byte> segment, bool isEscaped, out D
             return false;
         }
 
-        public static bool TryGetEscapedDateTime(ReadOnlySpan<byte> source, out DateTime value)
+        public static unsafe bool TryGetEscapedDateTime(ReadOnlySpan<byte> source, out DateTime value)
         {
-            // SAFETY-TODO: review this unsafe usage.
-            // Either document why it's safe, refactor to remove it, or mark the enclosing member 'unsafe'.
-            unsafe
-            {
-                Debug.Assert(source.Length <= JsonConstants.MaximumEscapedDateTimeOffsetParseLength);
-                Span<byte> sourceUnescaped = stackalloc byte[JsonConstants.MaximumEscapedDateTimeOffsetParseLength];
-
-                Unescape(source, sourceUnescaped, out int written);
-                Debug.Assert(written > 0);
+            Debug.Assert(source.Length <= JsonConstants.MaximumEscapedDateTimeOffsetParseLength);
+            Span<byte> sourceUnescaped = stackalloc byte[JsonConstants.MaximumEscapedDateTimeOffsetParseLength];
 
-                sourceUnescaped = sourceUnescaped.Slice(0, written);
-                Debug.Assert(!sourceUnescaped.IsEmpty);
+            Unescape(source, sourceUnescaped, out int written);
+            Debug.Assert(written > 0);
 
-                if (JsonHelpers.IsValidUnescapedDateTimeOffsetParseLength(sourceUnescaped.Length)
-                    && JsonHelpers.TryParseAsISO(sourceUnescaped, out DateTime tmp))
-                {
-                    value = tmp;
-                    return true;
-                }
+            sourceUnescaped = sourceUnescaped.Slice(0, written);
+            Debug.Assert(!sourceUnescaped.IsEmpty);
 
-                value = default;
-                return false;
+            if (JsonHelpers.IsValidUnescapedDateTimeOffsetParseLength(sourceUnescaped.Length)
+                && JsonHelpers.TryParseAsISO(sourceUnescaped, out DateTime tmp))
+            {
+                value = tmp;
+                return true;
             }
+
+            value = default;
+            return false;
         }
 
         public static bool TryGetValue(ReadOnlySpan<byte> segment, bool isEscaped, out DateTimeOffset value)
@@ -229,31 +224,26 @@ public static bool TryGetValue(ReadOnlySpan<byte> segment, bool isEscaped, out D
             return false;
         }
 
-        public static bool TryGetEscapedDateTimeOffset(ReadOnlySpan<byte> source, out DateTimeOffset value)
+        public static unsafe bool TryGetEscapedDateTimeOffset(ReadOnlySpan<byte> source, out DateTimeOffset value)
         {
-            // SAFETY-TODO: review this unsafe usage.
-            // Either document why it's safe, refactor to remove it, or mark the enclosing member 'unsafe'.
-            unsafe
-            {
-                Debug.Assert(source.Length <= JsonConstants.MaximumEscapedDateTimeOffsetParseLength);
-                Span<byte> sourceUnescaped = stackalloc byte[JsonConstants.MaximumEscapedDateTimeOffsetParseLength];
-
-                Unescape(source, sourceUnescaped, out int written);
-                Debug.Assert(written > 0);
+            Debug.Assert(source.Length <= JsonConstants.MaximumEscapedDateTimeOffsetParseLength);
+            Span<byte> sourceUnescaped = stackalloc byte[JsonConstants.MaximumEscapedDateTimeOffsetParseLength];
 
-                sourceUnescaped = sourceUnescaped.Slice(0, written);
-                Debug.Assert(!sourceUnescaped.IsEmpty);
+            Unescape(source, sourceUnescaped, out int written);
+            Debug.Assert(written > 0);
 
-                if (JsonHelpers.IsValidUnescapedDateTimeOffsetParseLength(sourceUnescaped.Length)
-                    && JsonHelpers.TryParseAsISO(sourceUnescaped, out DateTimeOffset tmp))
-                {
-                    value = tmp;
-                    return true;
-                }
+            sourceUnescaped = sourceUnescaped.Slice(0, written);
+            Debug.Assert(!sourceUnescaped.IsEmpty);
 
-                value = default;
-                return false;
+            if (JsonHelpers.IsValidUnescapedDateTimeOffsetParseLength(sourceUnescaped.Length)
+                && JsonHelpers.TryParseAsISO(sourceUnescaped, out DateTimeOffset tmp))
+            {
+                value = tmp;
+                return true;
             }
+
+            value = default;
+            return false;
         }
 
         public static bool TryGetValue(ReadOnlySpan<byte> segment, bool isEscaped, out Guid value)
@@ -283,31 +273,26 @@ public static bool TryGetValue(ReadOnlySpan<byte> segment, bool isEscaped, out G
             return false;
         }
 
-        public static bool TryGetEscapedGuid(ReadOnlySpan<byte> source, out Guid value)
+        public static unsafe bool TryGetEscapedGuid(ReadOnlySpan<byte> source, out Guid value)
         {
-            // SAFETY-TODO: review this unsafe usage.
-            // Either document why it's safe, refactor to remove it, or mark the enclosing member 'unsafe'.
-            unsafe
-            {
-                Debug.Assert(source.Length <= JsonConstants.MaximumEscapedGuidLength);
+            Debug.Assert(source.Length <= JsonConstants.MaximumEscapedGuidLength);
 
-                Span<byte> utf8Unescaped = stackalloc byte[JsonConstants.MaximumEscapedGuidLength];
-                Unescape(source, utf8Unescaped, out int written);
-                Debug.Assert(written > 0);
+            Span<byte> utf8Unescaped = stackalloc byte[JsonConstants.MaximumEscapedGuidLength];
+            Unescape(source, utf8Unescaped, out int written);
+            Debug.Assert(written > 0);
 
-                utf8Unescaped = utf8Unescaped.Slice(0, written);
-                Debug.Assert(!utf8Unescaped.IsEmpty);
+            utf8Unescaped = utf8Unescaped.Slice(0, written);
+            Debug.Assert(!utf8Unescaped.IsEmpty);
 
-                if (utf8Unescaped.Length == JsonConstants.MaximumFormatGuidLength
-                    && Utf8Parser.TryParse(utf8Unescaped, out Guid tmp, out _, 'D'))
-                {
-                    value = tmp;
-                    return true;
-                }
-
-                value = default;
-                return false;
+            if (utf8Unescaped.Length == JsonConstants.MaximumFormatGuidLength
+                && Utf8Parser.TryParse(utf8Unescaped, out Guid tmp, out _, 'D'))
+            {
+                value = tmp;
+                return true;
             }
+
+            value = default;
+            return false;
         }
 
 #if NET

src/libraries/System.Text.Json/src/System/Text/Json/Reader/JsonReaderHelper.cs

@@ -535,104 +535,99 @@ private bool ConsumeLiteralMultiSegment(ReadOnlySpan<byte> literal, JsonTokenTyp
             return true;
         }
 
-        private bool CheckLiteralMultiSegment(ReadOnlySpan<byte> span, ReadOnlySpan<byte> literal, out int consumed)
+        private unsafe bool CheckLiteralMultiSegment(ReadOnlySpan<byte> span, ReadOnlySpan<byte> literal, out int consumed)
         {
-            // SAFETY-TODO: review this unsafe usage.
-            // Either document why it's safe, refactor to remove it, or mark the enclosing member 'unsafe'.
-            unsafe
-            {
-                Debug.Assert(span.Length > 0 && span[0] == literal[0] && literal.Length <= JsonConstants.MaximumLiteralLength);
+            Debug.Assert(span.Length > 0 && span[0] == literal[0] && literal.Length <= JsonConstants.MaximumLiteralLength);
 
-                Span<byte> readSoFar = stackalloc byte[JsonConstants.MaximumLiteralLength];
-                int written = 0;
+            Span<byte> readSoFar = stackalloc byte[JsonConstants.MaximumLiteralLength];
+            int written = 0;
 
-                long prevTotalConsumed = _totalConsumed;
-                SequencePosition copy = _currentPosition;
-                if (span.Length >= literal.Length || IsLastSpan)
+            long prevTotalConsumed = _totalConsumed;
+            SequencePosition copy = _currentPosition;
+            if (span.Length >= literal.Length || IsLastSpan)
+            {
+                _bytePositionInLine += FindMismatch(span, literal);
+
+                int amountToWrite = AmountToWrite(span, _bytePositionInLine, readSoFar, written);
+                span.Slice(0, amountToWrite).CopyTo(readSoFar);
+                written += amountToWrite;
+                goto Throw;
+            }
+            else
+            {
+                if (!literal.StartsWith(span))
                 {
                     _bytePositionInLine += FindMismatch(span, literal);
-
                     int amountToWrite = AmountToWrite(span, _bytePositionInLine, readSoFar, written);
                     span.Slice(0, amountToWrite).CopyTo(readSoFar);
                     written += amountToWrite;
                     goto Throw;
                 }
-                else
-                {
-                    if (!literal.StartsWith(span))
-                    {
-                        _bytePositionInLine += FindMismatch(span, literal);
-                        int amountToWrite = AmountToWrite(span, _bytePositionInLine, readSoFar, written);
-                        span.Slice(0, amountToWrite).CopyTo(readSoFar);
-                        written += amountToWrite;
-                        goto Throw;
-                    }
 
-                    ReadOnlySpan<byte> leftToMatch = literal.Slice(span.Length);
+                ReadOnlySpan<byte> leftToMatch = literal.Slice(span.Length);
 
-                    SequencePosition startPosition = _currentPosition;
-                    int startConsumed = _consumed;
-                    int alreadyMatched = literal.Length - leftToMatch.Length;
-                    while (true)
+                SequencePosition startPosition = _currentPosition;
+                int startConsumed = _consumed;
+                int alreadyMatched = literal.Length - leftToMatch.Length;
+                while (true)
+                {
+                    _totalConsumed += alreadyMatched;
+                    _bytePositionInLine += alreadyMatched;
+                    if (!GetNextSpan())
                     {
-                        _totalConsumed += alreadyMatched;
-                        _bytePositionInLine += alreadyMatched;
-                        if (!GetNextSpan())
+                        _totalConsumed = prevTotalConsumed;
+                        consumed = default;
+                        _currentPosition = copy;
+                        if (IsLastSpan)
                         {
-                            _totalConsumed = prevTotalConsumed;
-                            consumed = default;
-                            _currentPosition = copy;
-                            if (IsLastSpan)
-                            {
-                                goto Throw;
-                            }
-                            return false;
+                            goto Throw;
                         }
+                        return false;
+                    }
 
-                        int amountToWrite = Math.Min(span.Length, readSoFar.Length - written);
-                        span.Slice(0, amountToWrite).CopyTo(readSoFar.Slice(written));
-                        written += amountToWrite;
+                    int amountToWrite = Math.Min(span.Length, readSoFar.Length - written);
+                    span.Slice(0, amountToWrite).CopyTo(readSoFar.Slice(written));
+                    written += amountToWrite;
 
-                        span = _buffer;
+                    span = _buffer;
 
-                        if (span.StartsWith(leftToMatch))
-                        {
-                            HasValueSequence = true;
-                            SequencePosition start = new SequencePosition(startPosition.GetObject(), startPosition.GetInteger() + startConsumed);
-                            SequencePosition end = new SequencePosition(_currentPosition.GetObject(), _currentPosition.GetInteger() + leftToMatch.Length);
-                            ValueSequence = _sequence.Slice(start, end);
-                            consumed = leftToMatch.Length;
-                            return true;
-                        }
-
-                        if (!leftToMatch.StartsWith(span))
-                        {
-                            _bytePositionInLine += FindMismatch(span, leftToMatch);
+                    if (span.StartsWith(leftToMatch))
+                    {
+                        HasValueSequence = true;
+                        SequencePosition start = new SequencePosition(startPosition.GetObject(), startPosition.GetInteger() + startConsumed);
+                        SequencePosition end = new SequencePosition(_currentPosition.GetObject(), _currentPosition.GetInteger() + leftToMatch.Length);
+                        ValueSequence = _sequence.Slice(start, end);
+                        consumed = leftToMatch.Length;
+                        return true;
+                    }
 
-                            amountToWrite = AmountToWrite(span, _bytePositionInLine, readSoFar, written);
-                            span.Slice(0, amountToWrite).CopyTo(readSoFar.Slice(written));
-                            written += amountToWrite;
+                    if (!leftToMatch.StartsWith(span))
+                    {
+                        _bytePositionInLine += FindMismatch(span, leftToMatch);
 
-                            goto Throw;
-                        }
+                        amountToWrite = AmountToWrite(span, _bytePositionInLine, readSoFar, written);
+                        span.Slice(0, amountToWrite).CopyTo(readSoFar.Slice(written));
+                        written += amountToWrite;
 
-                        leftToMatch = leftToMatch.Slice(span.Length);
-                        alreadyMatched = span.Length;
+                        goto Throw;
                     }
-                }
 
-                static int AmountToWrite(ReadOnlySpan<byte> span, long bytePositionInLine, ReadOnlySpan<byte> readSoFar, int written)
-                {
-                    return Math.Min(
-                        readSoFar.Length - written,
-                        Math.Min(span.Length, (int)bytePositionInLine + 1));
+                    leftToMatch = leftToMatch.Slice(span.Length);
+                    alreadyMatched = span.Length;
                 }
-            Throw:
-                _totalConsumed = prevTotalConsumed;
-                consumed = default;
-                _currentPosition = copy;
-                throw GetInvalidLiteralMultiSegment(readSoFar.Slice(0, written).ToArray());
             }
+
+            static int AmountToWrite(ReadOnlySpan<byte> span, long bytePositionInLine, ReadOnlySpan<byte> readSoFar, int written)
+            {
+                return Math.Min(
+                    readSoFar.Length - written,
+                    Math.Min(span.Length, (int)bytePositionInLine + 1));
+            }
+        Throw:
+            _totalConsumed = prevTotalConsumed;
+            consumed = default;
+            _currentPosition = copy;
+            throw GetInvalidLiteralMultiSegment(readSoFar.Slice(0, written).ToArray());
         }
 
         private static int FindMismatch(ReadOnlySpan<byte> span, ReadOnlySpan<byte> literal)