On Tue, May 8, 2018 at 4:19 AM Martin Vaeth <mar...@mvath.de> wrote:
> Rich Freeman <ri...@gentoo.org> wrote:
> >
> > Higher-level languages will probably become nearly immune to Spectre just
> > as most are nearly immune to buffer overflows.
>
> Quite the opposite: Higher-level languages *always* do some checks
> for array-length etc, and it is the _checks_ which are vulnerable.
> You can only make them non-vulnerable by making them horribly slow
> (by omitting speculative execution completely for the corresponding
> conditionals).

Sure, but my point is that you CAN make them non-vulnerable by changing
the compiler.

On the other hand, if somebody manually does a range check in C the only
way to fix it is to either fix the source code (which is about as likely
to work as trying to prevent programmers from creating buffer overflows),
or use heuristics to figure out what is going on and apply the fixes
automatically. That is going to be just as slow, and the compiler might
not be able to catch every situation where it applies.

The compiler doesn't have to guess where the range checks are in a
high-level language because it is the compiler that is doing the range
checks in the first place.

--
Rich
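
An added illustration of the point in the message above (not code from the thread or from any compiler): a hand-written C range check next to the same check with a branchless index clamp, the kind of hardening a compiler can attach to range checks it generates itself. The table, the function names and the SIZE_MAX/2 limit on len are assumptions of this example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed sample data for this example. */
static const uint8_t table[8] = {10, 11, 12, 13, 14, 15, 16, 17};

/* Hand-written range check: architecturally correct, but nothing tells the
 * compiler that this branch guards a load which must not run speculatively
 * with an out-of-range idx. */
int lookup_checked(size_t idx, size_t len, uint8_t *out)
{
    if (idx < len) {
        *out = table[idx];
        return 1;
    }
    return 0;
}

/* Branchless mask: all ones when idx < len, zero otherwise.
 * Assumption: len <= SIZE_MAX/2; any idx above that limit yields zero. */
size_t index_mask(size_t idx, size_t len)
{
    size_t top = (idx | (len - 1 - idx)) >> (sizeof(size_t) * CHAR_BIT - 1);
    size_t mask = top - 1;              /* top == 0 -> all ones, top == 1 -> 0 */
#if defined(__GNUC__)
    /* Hide the value from the optimizer so the mask is not folded away
     * inside the idx < len branch (GCC/Clang only). */
    __asm__ volatile("" : "+r"(mask));
#endif
    return mask;
}

/* Same check with the index clamped through a data dependency: if the branch
 * is mispredicted, the load can only touch table[0]. */
int lookup_masked(size_t idx, size_t len, uint8_t *out)
{
    if (idx < len) {
        idx &= index_mask(idx, len);
        *out = table[idx];
        return 1;
    }
    return 0;
}
```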