
ARM64 CPUs speculatively execute instructions after ERET - devhwrng
https://twitter.com/openbsd/status/1207070753197363200
======
wyldfire
Interesting that BSD [1] and Linux [2] have different patches. AFAICT Linux
uses the speculation barrier and BSD has data+instruction barriers instead.

If you're returning from an exception handler, I'm guessing you don't care how
hard you flush the pipeline? Is one of these more optimal / more safe or are
they mostly equivalent?

[1]
https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/014_eret.patch.sig

[2]
https://patchwork.kernel.org/patch/10700361/

~~~
saagarjha
Is there an actual thing as a “speculation barrier” instruction on any real
platform? Linux has it be ish/dsb because nothing seems to support it:
https://github.com/torvalds/linux/blob/cef7298262e9af841fb70d8673af45caf55300a1/arch/arm64/include/asm/assembler.h#L116

~~~
mdriley
An actual speculation barrier (SB) instruction was added in later releases of
ARMv8.0:

- https://cpu.fyi/d/047#G6.11222648

- https://cpu.fyi/d/047#E9.CHDHDDBE

along with the Consumption of Speculative Data Barrier (CSDB):
https://cpu.fyi/d/047#G9.10257993

But, as noted elsewhere in this thread, the canonical choice in most systems
is DSB/ISB. Just one or the other isn't sufficient because they synchronize
different things.

The canonical barriers on other platforms are LFENCE (x86) and SYNC (PowerPC).

For more references, see:

- https://github.com/google/safeside/blob/5fb6f00f/demos/asm/measurereadlatency_x86_64.S#L31

- https://github.com/google/safeside/blob/5fb6f00f/demos/asm/measurereadlatency_ppc64le.S#L22

- https://github.com/google/safeside/blob/5fb6f00f/demos/asm/measurereadlatency_aarch64.S#L22

[disclosure: I work on the Safeside project and wrote cpu.fyi as a side
project]
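
An added example, not part of the thread or of either patch: a Python scan over raw little-endian A64 code that reports, for each ERET, whether it is followed by SB, by DSB then ISB, or by neither. The function names and the sample bytes are constructed for illustration.

```python
import struct

# A64 encodings (32-bit little-endian instruction words).
ERET = 0xD69F03E0
SB = 0xD50330FF                 # speculation barrier
BARRIER_MASK = 0xFFFFF0FF       # ignores the 4-bit CRm option field
DSB_BITS = 0xD503309F           # DSB <option>
ISB_BITS = 0xD50330DF           # ISB <option>

def is_dsb(word):
    return (word & BARRIER_MASK) == DSB_BITS

def is_isb(word):
    return (word & BARRIER_MASK) == ISB_BITS

def audit_eret(code, base=0):
    """Return [(address, status)] for each ERET in a flat A64 code buffer.

    status is "sb", "dsb+isb" or "unprotected". This is a linear word scan,
    so literal pools or data mixed into the buffer can produce false hits.
    """
    count = len(code) // 4
    words = struct.unpack("<%dI" % count, code[:count * 4])
    findings = []
    for i, word in enumerate(words):
        if word != ERET:
            continue
        following = words[i + 1:i + 3]
        if following[:1] == (SB,):
            status = "sb"
        elif len(following) == 2 and is_dsb(following[0]) and is_isb(following[1]):
            status = "dsb+isb"
        else:
            status = "unprotected"
        findings.append((base + 4 * i, status))
    return findings

# Constructed sample: four exception returns with different tails.
NOP, DSB_NSH, ISB = 0xD503201F, 0xD503379F, 0xD5033FDF
SAMPLE = struct.pack("<10I", NOP, ERET, DSB_NSH, ISB, ERET, SB,
                     ERET, DSB_NSH, NOP, ERET)

if __name__ == "__main__":
    for addr, status in audit_eret(SAMPLE):
        print("%#06x  eret  %s" % (addr, status))
```

The third ERET in the sample is followed by DSB alone and is reported as unprotected, matching the point above that one barrier without the other is not sufficient.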

~~~
saagarjha
Unrelated question: are you using PDF.js to render those?

~~~
mdriley
I am. The goal was to create permalinks to specific sections of CPU reference
PDFs.

https://github.com/mmdriley/cpu.fyi

~~~
saagarjha
And it does that quite well. Thanks for this!

