aaronpuchert added a comment. Thread safety attributes want **callers** of a function to have the same attribute, while this change wants **callees** to have the same attribute. So the attributes propagate in different directions.
By contraposition <https://en.wikipedia.org/wiki/Contraposition> the absence of an attribute propagates the other way around as the attribute itself, so you could have a role "untrusted", and callers of untrusted functions would have to be untrusted as well. I guess it depends on how many functions need to be annotated one way or the other, if the TCB-based functions are a small subset of the code then this attribute is better, if most functions are based on the TCB and only some are not, the capability-based approach would be better. CHANGES SINCE LAST ACTION https://reviews.llvm.org/D91898/new/ https://reviews.llvm.org/D91898 _______________________________________________ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
