On Sat, 31 Aug 2019 at 22:02, Kees Cook <keesc...@chromium.org> wrote:
>
> On Sat, Aug 31, 2019 at 08:48:56PM +0300, Ard Biesheuvel wrote:
> > It's been ~2 years since I looked at this code in detail, but IIRC, it
> > looked like the inc-from-zero check was missing from the x86
> > implementation because it requires a load/compare/increment/store
> > sequence instead of a single increment instruction taking a memory
> > operand. Was there more rationale at the time for omitting this
> > particular case, and if so, was it based on a benchmark? Can we run it
> > against this implementation as well?
>
> It was based on providing a protection against the pre-exploitation case
> (overflow: "something bad is about to happen, let's stop it") rather
> than the post-exploitation case (inc from zero, "something bad already
> happened, eek") with absolutely the fewest possible extra cycles, as
> various subsystem maintainers had zero tolerance for any measurable
> changes in refcounting performance.
>
Ah, of course.

> I much prefer the full coverage, even if it's a tiny bit slower. And
> based on the worst-case timings (where literally nothing else is
> happening) it seems like these changes should be WELL under the noise.
>

Agreed.
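To make the difference between the two checks concrete, here is an added illustration in C; it is not the kernel's refcount_t code nor anything from this thread. It models a saturating refcount with two increment paths: a "full coverage" path that does the load/compare/increment/store sequence discussed above (it inspects the old value, so it can refuse an increment from zero and refuse to go past the saturation point before the write happens), and a "fast" path that does a single atomic add and only inspects the result, which is all a flags test after a memory-operand increment can see. The type names, the `DEMO_` prefix, the saturation value, and the result codes are assumptions made for the example.

```c
/*
 * Added example: a toy saturating refcount contrasting an increment that
 * checks the OLD value (load/compare/CAS loop) with one that only checks
 * the RESULT of a single atomic add. Not the Linux refcount_t implementation.
 * Build: cc -std=c11 -Wall demo_refcount.c
 */
#include <stdatomic.h>
#include <stdio.h>

/* Hypothetical saturation point: once reached the counter is pinned here. */
#define DEMO_REFCOUNT_MAX 0x7fffffffu

typedef struct { atomic_uint refs; } demo_refcount_t;

enum demo_rc { DEMO_RC_OK = 0, DEMO_RC_OVERFLOW = 1, DEMO_RC_INC_FROM_ZERO = 2 };

static void demo_refcount_init(demo_refcount_t *r, unsigned int v)
{
    atomic_init(&r->refs, v);
}

static unsigned int demo_refcount_read(demo_refcount_t *r)
{
    return atomic_load(&r->refs);
}

/*
 * Full coverage: load, compare, then compare-and-swap. Because the old value
 * is examined before the store, both the pre-exploitation case (about to
 * overflow) and the post-exploitation case (counter already hit zero, so the
 * object was freed and this is a use-after-free) are caught, and in both
 * cases the counter is left untouched.
 */
static enum demo_rc demo_refcount_inc_full(demo_refcount_t *r)
{
    unsigned int old = atomic_load(&r->refs);
    for (;;) {
        if (old == 0)
            return DEMO_RC_INC_FROM_ZERO;   /* object already released */
        if (old >= DEMO_REFCOUNT_MAX)
            return DEMO_RC_OVERFLOW;        /* already saturated, stay pinned */
        if (atomic_compare_exchange_weak(&r->refs, &old, old + 1))
            return DEMO_RC_OK;
        /* CAS lost a race: 'old' now holds the current value, re-check it */
    }
}

/*
 * Fast path: one atomic add, then a check on the new value only (modelled on
 * what a flags test after an increment with a memory operand can observe).
 * Reaching the saturation point is detected, but 0 -> 1 produces a perfectly
 * ordinary result and so passes unnoticed: the inc-from-zero case is missed.
 */
static enum demo_rc demo_refcount_inc_fast(demo_refcount_t *r)
{
    unsigned int new_val = atomic_fetch_add(&r->refs, 1) + 1;
    if (new_val >= DEMO_REFCOUNT_MAX) {
        atomic_store(&r->refs, DEMO_REFCOUNT_MAX);  /* pin so it never wraps */
        return DEMO_RC_OVERFLOW;
    }
    return DEMO_RC_OK;
}

/* Decrement with underflow check; returns 1 when the last reference goes. */
static int demo_refcount_dec_and_test(demo_refcount_t *r)
{
    unsigned int old = atomic_load(&r->refs);
    for (;;) {
        if (old == 0 || old >= DEMO_REFCOUNT_MAX)
            return 0;   /* underflow, or a saturated object that is never freed */
        if (atomic_compare_exchange_weak(&r->refs, &old, old - 1))
            return old == 1;
    }
}

int main(void)
{
    demo_refcount_t r;
    demo_refcount_init(&r, 0);   /* constructed state: object already released */
    enum demo_rc full = demo_refcount_inc_full(&r);
    unsigned int after_full = demo_refcount_read(&r);
    enum demo_rc fast = demo_refcount_inc_fast(&r);
    unsigned int after_fast = demo_refcount_read(&r);
    printf("full inc from zero: rc=%d value=%u\n", full, after_full);
    printf("fast inc from zero: rc=%d value=%u\n", fast, after_fast);
    return 0;
}
```

The CAS loop is the cost the thread is weighing: an extra load and compare per increment, plus a retry under contention, in exchange for refusing the increment rather than inspecting its result.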