Hi Richard, I wonder how to use this builtin correctly. Frankly, it sounds way too complicated.

Do you expect we need to use this stuff on every array access now, or is that just a theoretical thing that can only happen with Java byte code interpreters?

If I assume there is an array of int, then the correct way to check the array bounds would be something like:

    int a[N];
    int x = __builtin_load_no_speculate(ptr, a, a+N);

But what if ptr points to the last byte of a[N-1]? This would load 3 bytes past the array, right? Then you would have to write:

    x = __builtin_load_no_speculate(ptr, a, (char*)(a+N) - 3);

which is just horrible. Wouldn't it be better to fold that into the condition? I mean, instead of...

    if (cmpptr >= lower && cmpptr < upper)

...use something like:

    if (cmpptr >= lower && cmpptr <= upper - sizeof(TYP))

And what happens if the untrusted pointer is unaligned? Wouldn't that also give quite surprising values to speculate with?

Bernd.
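The two edge cases raised in the message (a pointer to the last byte of a[N-1], and an unaligned untrusted pointer) can be made concrete without the builtin itself. The following is an added example, not part of Bernd's message and not GCC's code; it does not call __builtin_load_no_speculate (its full signature is not given above) and instead compares the naive "first byte in range" test with the size-aware "upper - sizeof(TYP)" form. The array a[N], the helper names and the sample values are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed example array; N and a[] are assumptions of this example. */
#define N 16
int a[N];

/* Naive range test as written in the message: checks only the first byte
   of the load, so a pointer to the last byte of a[N-1] passes even though
   an int load from there reads 3 bytes past the array. */
bool naive_in_range(const void *ptr, const void *lower, const void *upper)
{
    uintptr_t p = (uintptr_t)ptr, lo = (uintptr_t)lower, hi = (uintptr_t)upper;
    return p >= lo && p < hi;
}

/* Size-aware test: the whole window [ptr, ptr+size) must lie inside
   [lower, upper). Written as p <= hi - size (the "upper - sizeof(TYP)"
   form) and guarded so that a range smaller than the load is rejected
   instead of wrapping the subtraction. */
bool load_fits(const void *ptr, const void *lower, const void *upper, size_t size)
{
    uintptr_t p = (uintptr_t)ptr, lo = (uintptr_t)lower, hi = (uintptr_t)upper;
    if (hi < lo || hi - lo < size)
        return false;
    return p >= lo && p <= hi - size;
}

/* Alignment test for the second concern: an untrusted pointer that is not
   aligned for the loaded type is rejected rather than dereferenced. */
bool aligned_for(const void *ptr, size_t align)
{
    return ((uintptr_t)ptr % align) == 0;
}

/* Combined guard for an int load from an untrusted pointer into a[].
   Returns 1 and stores the value on success, 0 if the load is rejected. */
int safe_int_load(const void *ptr, int *out)
{
    if (!load_fits(ptr, a, a + N, sizeof(int)) ||
        !aligned_for(ptr, _Alignof(int)))
        return 0;
    *out = *(const int *)ptr;
    return 1;
}
```

The size-aware form keeps the caller's bounds expressed as (a, a+N) exactly as in the first snippet of the message, while still rejecting the last-byte pointer that the naive comparison accepts.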