[PATCH] D41761: Introduce llvm.nospeculateload intrinsic

[Eli Friedman via Phabricator via llvm-commits]

efriedma added a comment.

> Do we need to explicitly prohibit it in LangRef so that future transformations don't start understanding too much about what speculationsafeload does?

Prohibit what, exactly?  According to current LangRef rules, it's legal to introduce a dead load to an arbitrary pointer (even if the compiler can't prove it's dereferencable).

> do you mean "code that is explicitly protected by speculationsafeload", or "code that doesn't appear to need speculationsafeload in the first place"?

Both, I guess?

I guess I'll describe the uninitialized pointer problem in a little more detail.  The idea is that you have code roughly like this:

  // Code in a function; g is a global int.
  bool b = f1();
  uint8_t* p;
  if (b)
      p = &g;
  g = 10;
  if (b)
      f4(user_array[*p]);

If b is true, we load user_array[10].  If b is false, we speculate `user_array[*p]`, where p is uninitialized (i.e. user-controlled, if you're unlucky).  You now have a variant-1 attack.

There's a lot of potential variants of this.  For example, instead of user_array, we have another speculatively-uninitialized pointer.  Or the load which leaks the data to the user could actually be a speculationsafeload, intended to stop a different variant-1 attack.  Or the code could be spread over multiple functions.  Or the if statement might not be an if statement (there are lots of ways to get a conditional branch in assembly).  Or "p" might be a pointer to a constant pool, so the load-from-undef isn't written in the source code at all.


https://reviews.llvm.org/D41761