Revert "[attributes] Add a facility for enforcing a Trusted Computing Base."

This reverts commit c163aae.
Doesn't compile on some bots
(http://lab.llvm.org:8011/#/builders/98/builds/3387/steps/9/logs/stdio),
breaks tests on bots where it does compile
(http://45.33.8.238/linux/36843/step_7.txt).

Author: nico

clang/include/clang/Basic/Attr.td

@@ -3653,19 +3653,3 @@ def Builtin : InheritableAttr {
   let SemaHandler = 0;
   let Documentation = [Undocumented];
 }
-
-def EnforceTCB : InheritableAttr {
-  let Spellings = [Clang<"enforce_tcb">];
-  let Subjects = SubjectList<[Function]>;
-  let Args = [StringArgument<"TCBName">];
-  let Documentation = [EnforceTCBDocs];
-  bit InheritEvenIfAlreadyPresent = 1;
-}
-
-def EnforceTCBLeaf : InheritableAttr {
-  let Spellings = [Clang<"enforce_tcb_leaf">];
-  let Subjects = SubjectList<[Function]>;
-  let Args = [StringArgument<"TCBName">];
-  let Documentation = [EnforceTCBLeafDocs];
-  bit InheritEvenIfAlreadyPresent = 1;
-}

clang/include/clang/Basic/AttrDocs.td

@@ -5725,28 +5725,3 @@ Attribute docs`_, and `the GCC Inline docs`_.
 }];
   let Heading = "always_inline, __force_inline";
 }
-
-def EnforceTCBDocs : Documentation {
-  let Category = DocCatFunction;
-  let Content = [{
-  The ``enforce_tcb`` attribute can be placed on functions to enforce that a
-  trusted compute base (TCB) does not call out of the TCB. This generates a
-  warning every time a function not marked with an ``enforce_tcb`` attribute is
-  called from a function with the ``enforce_tcb`` attribute. A function may be a
-  part of multiple TCBs. Invocations through function pointers are currently
-  not checked. Builtins are considered to a part of every TCB.
-
-  - ``enforce_tcb(Name)`` indicates that this function is a part of the TCB named ``Name``
-  }];
-}
-
-def EnforceTCBLeafDocs : Documentation {
-  let Category = DocCatFunction;
-  let Content = [{
-  The ``enforce_tcb_leaf`` attribute satisfies the requirement enforced by
-  ``enforce_tcb`` for the marked function to be in the named TCB but does not
-  continue to check the functions called from within the leaf function.
-
-  - ``enforce_tcb_leaf(Name)`` indicates that this function is a part of the TCB named ``Name``
-  }];
-}

clang/include/clang/Basic/DiagnosticSemaKinds.td

@@ -11116,11 +11116,4 @@ def err_probability_not_constant_float : Error<
 def err_probability_out_of_range : Error<
    "probability argument to __builtin_expect_with_probability is outside the "
    "range [0.0, 1.0]">;
-
-// TCB warnings
-def err_tcb_conflicting_attributes : Error<
-  "attributes '%0(\"%2\")' and '%1(\"%2\")' are mutually exclusive">;
-def warn_tcb_enforcement_violation : Warning<
-  "calling %0 is a violation of trusted computing base '%1'">,
-  InGroup<DiagGroup<"tcb-enforcement">>;
 } // end of sema component.

clang/include/clang/Sema/Sema.h

@@ -3210,9 +3210,6 @@ class Sema final {
       Decl *D, const WebAssemblyImportNameAttr &AL);
   WebAssemblyImportModuleAttr *mergeImportModuleAttr(
       Decl *D, const WebAssemblyImportModuleAttr &AL);
-  EnforceTCBAttr *mergeEnforceTCBAttr(Decl *D, const EnforceTCBAttr &AL);
-  EnforceTCBLeafAttr *mergeEnforceTCBLeafAttr(Decl *D,
-                                              const EnforceTCBLeafAttr &AL);
 
   void mergeDeclAttributes(NamedDecl *New, Decl *Old,
                            AvailabilityMergeKind AMK = AMK_Redeclaration);
@@ -12430,8 +12427,6 @@ class Sema final {
   /// attempts to add itself into the container
   void CheckObjCCircularContainer(ObjCMessageExpr *Message);
 
-  void CheckTCBEnforcement(const CallExpr *TheCall, const FunctionDecl *Callee);
-
   void AnalyzeDeleteExprMismatch(const CXXDeleteExpr *DE);
   void AnalyzeDeleteExprMismatch(FieldDecl *Field, SourceLocation DeleteLoc,
                                  bool DeleteWasArrayForm);

clang/lib/Sema/SemaChecking.cpp

@@ -75,7 +75,6 @@
 #include "llvm/ADT/SmallString.h"
 #include "llvm/ADT/SmallVector.h"
 #include "llvm/ADT/StringRef.h"
-#include "llvm/ADT/StringSet.h"
 #include "llvm/ADT/StringSwitch.h"
 #include "llvm/ADT/Triple.h"
 #include "llvm/Support/AtomicOrdering.h"
@@ -4570,8 +4569,6 @@ bool Sema::CheckFunctionCall(FunctionDecl *FDecl, CallExpr *TheCall,
   if (!FnInfo)
     return false;
 
-  CheckTCBEnforcement(TheCall, FDecl);
-
   CheckAbsoluteValueFunction(TheCall, FDecl);
   CheckMaxUnsignedZero(TheCall, FDecl);
 
@@ -16062,37 +16059,3 @@ ExprResult Sema::SemaBuiltinMatrixColumnMajorStore(CallExpr *TheCall,
 
   return CallResult;
 }
-
-/// \brief Enforce the bounds of a TCB
-/// CheckTCBEnforcement - Enforces that every function in a named TCB only
-/// directly calls other functions in the same TCB as marked by the enforce_tcb
-/// and enforce_tcb_leaf attributes.
-void Sema::CheckTCBEnforcement(const CallExpr *TheCall,
-                               const FunctionDecl *Callee) {
-  const FunctionDecl *Caller = getCurFunctionDecl();
-
-  // Calls to builtins are not enforced.
-  if (!Caller || !Caller->hasAttr<EnforceTCBAttr>() ||
-      Callee->getBuiltinID() != 0)
-    return;
-
-  // Search through the enforce_tcb and enforce_tcb_leaf attributes to find
-  // all TCBs the callee is a part of.
-  llvm::StringSet<> CalleeTCBs;
-  for_each(Callee->specific_attrs<EnforceTCBAttr>(),
-           [&](const auto *A) { CalleeTCBs.insert(A->getTCBName()); });
-  for_each(Callee->specific_attrs<EnforceTCBLeafAttr>(),
-           [&](const auto *A) { CalleeTCBs.insert(A->getTCBName()); });
-
-  // Go through the TCBs the caller is a part of and emit warnings if Caller
-  // is in a TCB that the Callee is not.
-  for_each(
-      Caller->specific_attrs<EnforceTCBAttr>(),
-      [&](const auto *A) {
-        StringRef CallerTCB = A->getTCBName();
-        if (CalleeTCBs.count(CallerTCB) == 0) {
-          Diag(TheCall->getExprLoc(), diag::warn_tcb_enforcement_violation)
-              << Callee << CallerTCB;
-        }
-      });
-}

clang/lib/Sema/SemaDecl.cpp

@@ -2612,10 +2612,6 @@ static bool mergeDeclAttribute(Sema &S, NamedDecl *D,
     NewAttr = S.mergeImportModuleAttr(D, *IMA);
   else if (const auto *INA = dyn_cast<WebAssemblyImportNameAttr>(Attr))
     NewAttr = S.mergeImportNameAttr(D, *INA);
-  else if (const auto *TCBA = dyn_cast<EnforceTCBAttr>(Attr))
-    NewAttr = S.mergeEnforceTCBAttr(D, *TCBA);
-  else if (const auto *TCBLA = dyn_cast<EnforceTCBLeafAttr>(Attr))
-    NewAttr = S.mergeEnforceTCBLeafAttr(D, *TCBLA);
   else if (Attr->shouldInheritEvenIfAlreadyPresent() || !DeclHasAttr(D, Attr))
     NewAttr = cast<InheritableAttr>(Attr->clone(S.Context));
 

clang/lib/Sema/SemaDeclAttr.cpp

@@ -7517,75 +7517,6 @@ static void handleCFGuardAttr(Sema &S, Decl *D, const ParsedAttr &AL) {
   D->addAttr(::new (S.Context) CFGuardAttr(S.Context, AL, Arg));
 }
 
-
-template <typename AttrTy>
-static const AttrTy *findEnforceTCBAttrByName(Decl *D, StringRef Name) {
-  auto Attrs = D->specific_attrs<AttrTy>();
-  auto I = llvm::find_if(Attrs,
-                         [Name](const AttrTy *A) {
-                           return A->getTCBName() == Name;
-                         });
-  return I == Attrs.end() ? nullptr : *I;
-}
-
-template <typename AttrTy, typename ConflictingAttrTy>
-static void handleEnforceTCBAttr(Sema &S, Decl *D, const ParsedAttr &AL) {
-  StringRef Argument;
-  if (!S.checkStringLiteralArgumentAttr(AL, 0, Argument))
-    return;
-
-  // A function cannot be have both regular and leaf membership in the same TCB.
-  if (const ConflictingAttrTy *ConflictingAttr =
-      findEnforceTCBAttrByName<ConflictingAttrTy>(D, Argument)) {
-    // We could attach a note to the other attribute but in this case
-    // there's no need given how the two are very close to each other.
-    S.Diag(AL.getLoc(), diag::err_tcb_conflicting_attributes)
-      << AL.getAttrName()->getName() << ConflictingAttr->getAttrName()->getName()
-      << Argument;
-
-    // Error recovery: drop the non-leaf attribute so that to suppress
-    // all future warnings caused by erroneous attributes. The leaf attribute
-    // needs to be kept because it can only suppresses warnings, not cause them.
-    D->dropAttr<EnforceTCBAttr>();
-    return;
-  }
-
-  D->addAttr(AttrTy::Create(S.Context, Argument, AL));
-}
-
-template <typename AttrTy, typename ConflictingAttrTy>
-static AttrTy *mergeEnforceTCBAttrImpl(Sema &S, Decl *D, const AttrTy &AL) {
-  // Check if the new redeclaration has different leaf-ness in the same TCB.
-  StringRef TCBName = AL.getTCBName();
-  if (const ConflictingAttrTy *ConflictingAttr =
-      findEnforceTCBAttrByName<ConflictingAttrTy>(D, TCBName)) {
-    S.Diag(ConflictingAttr->getLoc(), diag::err_tcb_conflicting_attributes)
-      << ConflictingAttr->getAttrName()->getName()
-      << AL.getAttrName()->getName() << TCBName;
-
-    // Add a note so that the user could easily find the conflicting attribute.
-    S.Diag(AL.getLoc(), diag::note_conflicting_attribute);
-
-    // More error recovery.
-    D->dropAttr<EnforceTCBAttr>();
-    return nullptr;
-  }
-
-  ASTContext &Context = S.getASTContext();
-  return ::new(Context) AttrTy(Context, AL, AL.getTCBName());
-}
-
-EnforceTCBAttr *Sema::mergeEnforceTCBAttr(Decl *D, const EnforceTCBAttr &AL) {
-  return mergeEnforceTCBAttrImpl<EnforceTCBAttr, EnforceTCBLeafAttr>(
-      *this, D, AL);
-}
-
-EnforceTCBLeafAttr *Sema::mergeEnforceTCBLeafAttr(
-    Decl *D, const EnforceTCBLeafAttr &AL) {
-  return mergeEnforceTCBAttrImpl<EnforceTCBLeafAttr, EnforceTCBAttr>(
-      *this, D, AL);
-}
-
 //===----------------------------------------------------------------------===//
 // Top Level Sema Entry Points
 //===----------------------------------------------------------------------===//
@@ -8289,14 +8220,6 @@ static void ProcessDeclAttribute(Sema &S, Scope *scope, Decl *D,
   case ParsedAttr::AT_UseHandle:
     handleHandleAttr<UseHandleAttr>(S, D, AL);
     break;
-
-  case ParsedAttr::AT_EnforceTCB:
-    handleEnforceTCBAttr<EnforceTCBAttr, EnforceTCBLeafAttr>(S, D, AL);
-    break;
-
-  case ParsedAttr::AT_EnforceTCBLeaf:
-    handleEnforceTCBAttr<EnforceTCBLeafAttr, EnforceTCBAttr>(S, D, AL);
-    break;
   }
 }