search for: all_zeros_mask

Hi, Thanks for your email, I understand that the execution stalls until the predicated state is computed, then we mask pointers with all_zeros_mask if there is a mis-prediction. But I understand that as soon as the condition value is available, the processor can check about it's assumptions and revert back. That is, If the branch prediction is correct during speculation, we mask with all_ones, the processor can follow the predicted branch...

...er2) { if (condition) leak(*pointer1); else leak(*pointer2);} After the applying the mitigation the code resembles like: void leak(int data); void example(int* pointer1, int* pointer2) { uintptr_t predicate_state = all_ones_mask; if (condition) { predicate_state = !condition ? all_zeros_mask : predicate_state; pointer1 &= predicate_state; leak(*pointer1); } else { int value2 = *pointer2 & predicate_state; leak(value2); } } Let's assume that the branch is mispredicted and if body is taken. The value predicate_state mask is depend on the "result of t...

...o the same. > > On Tue, Sep 17, 2019 at 7:57 AM Praveen Velliengiri via llvm-dev < > llvm-dev at lists.llvm.org> wrote: > >> Hi, >> Thanks for your email, I understand that the execution stalls until the >> predicated state is computed, then we mask pointers with all_zeros_mask if >> there is a mis-prediction. But I understand that as soon as the condition >> value is available, the processor can check about it's assumptions and >> revert back. >> >> That is, >> If the branch prediction is correct during speculation, we mask with &g...

...nter2) { if (condition) { // ... lots of code ... leak(*pointer1); } else { // ... more code ... leak(*pointer2); } } ``` This would get transformed into something resembling the following: ``` uintptr_t all_ones_mask = std::numerical_limits<uintptr_t>::max(); uintptr_t all_zeros_mask = 0; void leak(int data); void example(int* pointer1, int* pointer2) { uintptr_t predicate_state = all_ones_mask; if (condition) { predicate_state = !condition ? all_zeros_mask : predicate_state; // ... lots of code ... // // Harden the pointer so it can't be loaded poin...