[cfe-users] Prospects of Clang acquiring an equivalent of MSVC's /QSpectre?

Dallman, John via cfe-users cfe-users at lists.llvm.org
Thu Feb 15 07:43:45 PST 2018

As far as I've been able to learn, the only way to avoid security vulnerabilities due to Spectre variant 1 (CVE-2017-5753, "bounds check bypass") is to insert fences to control the relevant speculative reads. I'm interested in doing this because I work on a numerical modelling library that is used in many applications, which are used to handle valuable information. There's been at least one piece of malware that specifically targeted one of those applications, so I work at a moderate level of paranoia.

I've found information about __builtin_load_no_speculate, but inserting those by hand into ten million lines of branchy C code that's under active development is not an attractive prospect.

MSVC has recently gained a /QSpectre option that tries to do this for you (https://blogs.msdn.microsoft.com/vcblog/2018/01/15/spectre-mitigations-in-msvc/). While this can't be completely fool-proof, I can well believe that it will do as good a job as bored humans, and is much cheaper.

Are there any plans to add something equivalent to Clang?

John Dallman

Siemens Industry Software Limited is a limited company registered in England and Wales.
Registered number: 3476850.
Registered office: Faraday House, Sir William Siemens Square, Frimley, Surrey, GU16 8QD.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-users/attachments/20180215/45728be3/attachment.html>

More information about the cfe-users mailing list