Add CSWINRT2018 analyzer for reads from write-only Span<T> parameters

[Sergio0694]

Summary

Adds a new Roslyn analyzer (CSWINRT2018, severity Warning) that detects when the implementation of an authored Windows Runtime method reads from a Span<T> parameter. Such parameters are projected as write-only fill arrays in the Windows Runtime ABI, so reading from them is not supported.

Motivation

In the Windows Runtime ABI, array parameters use one of three conventions:

• ReadOnlySpan<T> -> pass array ([in], read-only)
• out T[] -> receive array ([out] with byref)
• Span<T> -> fill array ([out] without byref)

A fill array is write-only: the implementation is handed a caller-allocated buffer that it is expected to fill, and reading the existing contents is not supported (see this write-up on WinRT array parameters). Until now nothing flagged accidental reads from such a parameter, which can lead to subtle, hard-to-diagnose bugs in authored components. This analyzer surfaces the most common mistakes at compile time, while being careful to avoid false positives on legitimate write-only usage.

What it detects

For a by-value System.Span<T> parameter of a Windows Runtime-exposed method, the analyzer reports a read when it sees:

• Indexer reads: var x = span[i], Foo(span[i]), ref readonly var x = ref span[i], Foo(in span[i]), span[i]++, span[i] += 1
• Conversions of the span to ReadOnlySpan<T> (implicit or explicit), including when passed as an argument
• foreach iteration over the span

Avoiding false positives

The analyzer only runs when authoring a component (CsWinRTComponent is true), and only for by-value Span<T> parameters of methods that are actually part of the ABI surface: public methods and constructors, or explicit implementations of public interfaces, declared on public, top-level classes. It intentionally does not warn on:

• Write-only usages: span[i] = value, out/ref arguments, writable ref aliases (ref var x = ref span[i]), and writable ref foreach loop variables (which can be used to fill all elements)
• Non-indexer members such as span.Length and span.IsEmpty
• Parameters on private/internal methods, nested types, structs, or local functions, and ReadOnlySpan<T> parameters

Reads that flow through aliasing or a call to another method taking a Span<T> are an accepted blind spot, since the analyzer cannot reason about the callee's behavior.

Changes

• src/Authoring/WinRT.SourceGenerator2/Diagnostics/DiagnosticDescriptors.cs: add the CSWINRT2018 (WriteOnlySpanParameterRead) descriptor.
• src/Authoring/WinRT.SourceGenerator2/AnalyzerReleases.Shipped.md: register CSWINRT2018 under the 3.0.0 release.
• src/Authoring/WinRT.SourceGenerator2/Diagnostics/Analyzers/WriteOnlySpanParameterAnalyzer.cs: new analyzer (operation-based detection for indexer reads, ReadOnlySpan<T> conversions, and foreach).
• src/Tests/SourceGenerator2Test/Test_WriteOnlySpanParameterAnalyzer.cs: tests covering the warning cases and the write-only / non-exposed cases that must stay silent.