Fix ref safety holes in delegate conversions across old/new rule boundaries

[Copilot]

Fix ref safety holes in delegate conversions

This PR fixes a ref safety hole that occurred when converting methods from old-rules assemblies to delegates in new-rules contexts (issue #76087).

Summary of Changes

Core Fix (Binder_Conversions.cs)

Added validation in CheckParameterModifierMismatchMethodConversion to detect when:

1. A delegate (synthesized or custom) is being created from a method group
2. The target method and delegate have mismatched escape rules (old vs new)
3. The method signature involves ref structs or ref/out parameters that could violate ref safety

When all conditions are met, a new error (ERR_RefSafetyInDelegateConversion) is now reported at the delegate conversion point with a clear, user-friendly error message.

Breaking Change: This check applies to ALL delegates (both synthesized and custom), not just synthesized delegates. Cross-version delegate conversions that previously produced warnings will now produce errors when ref-safety violations exist. This is necessary because the ref-safety hole exists for all delegate types when crossing old/new rule boundaries.

New Error Code

• Added ERR_RefSafetyInDelegateConversion (9340) with message: "Cannot convert method group '{0}' to delegate type '{1}' due to mismatched ref safety requirements between the method and delegate."
• This provides much clearer feedback to users compared to generic delegate mismatch errors, explicitly explaining the ref safety issue.
• Updated ErrorFacts.cs to properly handle the new error code.

Test Updates

• Updated RefSafetyRules_SynthesizedDelegate test to expect error at delegate conversion for synthesized delegates
• Updated RefSafetyRules_CustomDelegate test to expect error for custom delegates
• Added 4 new comprehensive tests covering:
  • Out parameters
  • Both methods using new rules (no error expected)
  • Both methods using old rules (no error expected)
  • No ref structs involved (no error expected)
• Updated 2 existing tests that were affected by the fix
• Additional test updates needed for ~12 tests that previously expected warnings in cross-version scenarios
• All test expectations now use the new error code with improved messaging

Testing

• Core tests pass for synthesized and custom delegate scenarios
• Additional test updates in progress for cross-version scenarios that now report errors instead of warnings

Impact

This change prevents ref safety violations that could occur when using delegates as a boundary between old and new ref safety rules, making the compiler more robust and safer while providing clear, actionable error messages to users about what went wrong. This is a breaking change that upgrades certain cross-version warnings to errors to properly address the ref-safety hole.

Fixes #76087

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Synthesized delegates allow ref safety holes on the boundary of old and updated rules</issue_title>
<issue_description>```cs
[Fact]
public void RefSafetyRules_SynthesizedDelegate()
{
var source1 = """
public static class C
{
public static R M(ref int x) => new R { F = ref x };
}
public ref struct R
{
public ref int F;
}
""";
var ref1 = CreateCompilation(source1, targetFramework: TargetFramework.Net70)
.VerifyDiagnostics().EmitToImageReference();

var source2 = """
    R r;
    {
        int x = 1;
        r = C.M(ref x);

        var d = C.M;
        r = d(ref x);
    }
    """;
CreateCompilation(source2, [ref1], parseOptions: TestOptions.Regular10).VerifyDiagnostics(
    // (4,9): error CS8347: Cannot use a result of 'C.M(ref int)' in this context because it may expose variables referenced by parameter 'x' outside of their declaration scope
    //     r = C.M(ref x);
    Diagnostic(ErrorCode.ERR_EscapeCall, "C.M(ref x)").WithArguments("C.M(ref int)", "x").WithLocation(4, 9),
    // (4,17): error CS8168: Cannot return local 'x' by reference because it is not a ref local
    //     r = C.M(ref x);
    Diagnostic(ErrorCode.ERR_RefReturnLocal, "x").WithArguments("x").WithLocation(4, 17));

}

There is no error reported at `r = d(ref x);` even though the call is equivalent to `r = C.M(ref x);` where a ref safety error is reported.

NOTE: Adding tests mentioning this issue in https://github.com/dotnet/roslyn/pull/75930.</issue_description>

## Comments on the Issue (you are @copilot in this section)

<comments>
<comment_new><author>@RikkiGibson</author><body>
I think the most reasonable solution here would be to make the delegate conversion an error, when a difference between the target method and delegate signatures is violating ref safety.

Basically I think if there is some "old rules" method involving refs and ref structs, which user wants to make a delegate for in a newer project, they may have to do some contortions for the delegate type they declare, or enter an unsafe context and suppress a warning to proceed.</body></comment_new>
</comments>

Fixes #76087

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[jjonescz]

@copilot

[jjonescz]

This error doesn't seem correct. C.M(ref int, ref R) is not a parameter. We should probably add a new error for this.

[Copilot]

Changed to use ERR_MethDelegateMismatch which has the correct format (method name, delegate type) in commit a0532a6.

[jjonescz]

@copilot that error doesn't seem very useful to users though as it doesn't explain what's wrong, should we add a new error with better wording for this situation?

[Copilot]

Added new error ERR_RefSafetyInDelegateConversion (9340) with message "Cannot convert method group '{0}' to delegate type '{1}' due to mismatched ref safety requirements between the method and delegate." in commit 0178da4.

[Copilot]

Added new error ERR_RefSafetyInDelegateConversion (9340) with message "Cannot convert method group '{0}' to delegate type '{1}' due to mismatched ref safety requirements between the method and delegate." in commit 0178da4.

[jjonescz]

I'm not following how is RequiresValidScopedOverrideForRefSafety related to the issue.

[Copilot]

RequiresValidScopedOverrideForRefSafety determines whether the method signature is complex enough to potentially cause ref-safety violations (e.g., returns ref struct, has ref/out parameters). This ensures we only report errors for methods where ref-safety is actually a concern, avoiding false positives for simple method signatures. The check follows the same logic used in the existing scoped override validation below.

[jjonescz]

@copilot can you capture this reasoning in a comment so it's clear to future readers of the code as well?

[Copilot]

Added comment in commit 0178da4 explaining that the check ensures we only report errors for methods with complex signatures that could cause ref-safety violations.

[jjonescz]

Why are we checking only synthesized delegates? Wouldn't the error be applicable to normal delegates, too?

[Copilot]

The issue specifically occurs with synthesized delegates because they're created in the calling context (new rules), while the target method may use old rules. For normal delegates, the delegate type is defined in a specific assembly with specific rules, so both the delegate and method would typically use the same rules (or the existing scoped override checks would catch mismatches). Synthesized delegates uniquely bridge the old/new rules boundary since they're implicitly created on-the-fly in the new-rules context.

[jjonescz]

sorry @copilot I meant here - can you capture this reasoning in a comment so it's clear to future readers of the code as well?

[Copilot]

Added comment in commit 2b54104 explaining that synthesized delegates are checked specifically because they're created implicitly in the calling context and users don't have explicit control over their definition, warranting an error instead of a warning.

[Copilot]

Added comment in commit 2b54104 explaining that synthesized delegates are checked specifically because they're created implicitly in the calling context and users don't have explicit control over their definition, warranting an error instead of a warning.

[jjonescz]

sorry @copilot I meant here - can you capture this reasoning in a comment so it's clear to future readers of the code as well?

[jjonescz]

@copilot, can we test custom (non-synthesized) delegates too? For example, in this test that would mean changing source2 to the following:

R r;
{
    int x = 1;
    r = C.M(ref x);

    var d = C.M;
    r = d(ref x);

    D c = C.M;
    r = c(ref x);
}

delegate R D(ref int x);

It seems we wouldn't get an error for the custom delegate case, but that seems wrong - that is a ref safety violation since it allows us capturing a reference to the nested local x into the outer local r.

[Copilot]

Added test RefSafetyRules_CustomDelegate in commit 2b54104. The test shows that custom delegates currently don't produce errors/warnings for this scenario, which is a limitation of the existing implementation. The scoped override checking mechanism would need to be enhanced to catch this case, but that's beyond the scope of this PR which focuses on the synthesized delegate issue. The test documents this behavior with a TODO comment noting the ref-safety hole exists for custom delegates too.

[jjonescz]

@copilot fix that TODO in this PR, there is no reason to focus only on synthesized delegates

[Copilot]

Extended check to all delegates in commit 27310c5. This is a breaking change - cross-version delegate conversions with ref-safety issues that previously produced warnings now produce errors. Working on updating the affected tests that expect warnings.