[cfe-dev] Discussion: should we enforce access control in C++ attributes?

John McCall rjmccall at apple.com
Wed Oct 31 16:00:35 PDT 2012


I'll admit to only skimming this.  Please bear in mind that other people
have less time to read your messages than you have to write them.

That said, it seems very strange for a method to declare that it
requires a lock to be held when neither it nor its users can actually
access that lock.  That's useless as user documentation because
it's not actionable — I can't actually modify my code in response to
your complaints.

You should instead allow the lock expression to more directly state
what the caller of this method needs to do in order to acquire the lock.
In this case, that means a reference to the lock() method, which is,
not coincidentally, actually public.  Since that method is already
annotated with the lock it manipulates, this should be quite easy to
round-trip in the static analysis.

Going further, in principle, these expressions should really be
access-checked *from the perspective of a valid user of this method*:
that is, they should only be access-checked in the context of the class
when the annotated method is non-public.  For a public method, they
should really be access-checked from a totally unprivileged context.

John.
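The arrangement the reply argues for, as an added C++ example that is not part of the thread or of Clang's own code: the mutex is a private member, the public lock()/unlock() pair is annotated with the capability it acquires and releases, and a method annotated REQUIRES(mu_) can therefore be used correctly by outside callers through those public methods. The macro wrappers follow the pattern in Clang's thread-safety documentation and expand to nothing on compilers without the attributes; the Account, Mutex and batchDeposit names are constructed for this example, and the claim that `clang++ -Wthread-safety` accepts the caller in batchDeposit is an assumption about the analysis, not something the thread states.

```cpp
#include <mutex>
#include <vector>

// Attribute wrappers in the style of Clang's thread-safety documentation.
// On compilers other than clang they expand to nothing, so the file still
// builds; the analysis itself only runs under clang++ -Wthread-safety.
#if defined(__clang__)
#  define TSA(x) __attribute__((x))
#else
#  define TSA(x)
#endif
#define CAPABILITY(x)  TSA(capability(x))
#define GUARDED_BY(x)  TSA(guarded_by(x))
#define REQUIRES(...)  TSA(requires_capability(__VA_ARGS__))
#define ACQUIRE(...)   TSA(acquire_capability(__VA_ARGS__))
#define RELEASE(...)   TSA(release_capability(__VA_ARGS__))

// std::mutex carries no annotations, so a thin wrapper declared as a
// capability is what the analysis reasons about (constructed for this example).
class CAPABILITY("mutex") Mutex {
public:
    void lock() ACQUIRE() { m_.lock(); }
    void unlock() RELEASE() { m_.unlock(); }
private:
    std::mutex m_;
};

// The situation from the thread: mu_ is private, so a caller of a public
// method annotated REQUIRES(mu_) can never name mu_ directly. What it can
// do is call lock()/unlock(), which are public and annotated with the
// private capability they manipulate; that is what lets the analysis connect
// the caller's lock() call to the REQUIRES(mu_) obligation.
class Account {
public:
    void lock() ACQUIRE(mu_) { mu_.lock(); }
    void unlock() RELEASE(mu_) { mu_.unlock(); }

    // Single update: the lock is taken and released internally, so callers
    // never see mu_ at all. Returns the new balance.
    int deposit(int amount) {
        lock();
        int balance = depositLocked(amount);
        unlock();
        return balance;
    }

    // Batch building block: the caller must already hold mu_, which from
    // outside the class is only expressible as "called lock() first".
    int depositLocked(int amount) REQUIRES(mu_) {
        balance_ += amount;
        return balance_;
    }

private:
    Mutex mu_;
    int balance_ GUARDED_BY(mu_) = 0;
};

// An external caller satisfying REQUIRES(mu_) through the public API only.
// Under -Wthread-safety the ACQUIRE(mu_) annotation on lock() is what makes
// the depositLocked() calls acceptable here (assumption about the analysis).
int batchDeposit(Account& acct, const std::vector<int>& amounts) {
    acct.lock();
    int balance = 0;
    for (int amt : amounts) balance = acct.depositLocked(amt);
    acct.unlock();
    return balance;
}

// Small drivers that exercise the two call paths on a fresh account.
int demoSingleDeposit() {
    Account acct;
    return acct.deposit(10);  // 10
}

int demoBatchDeposit() {
    Account acct;
    acct.deposit(10);
    return batchDeposit(acct, {5, 7});  // 22
}
```

Build with `clang++ -std=c++17 -Wthread-safety` to see the analysis in action; removing the ACQUIRE(mu_)/RELEASE(mu_) annotations from lock()/unlock() is the quickest way to watch the depositLocked() calls in batchDeposit stop type-checking, which is the round-trip the reply describes.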


