To expand on my statement about the LKMM's weakness regarding control
constructs, here is a litmus test to illustrate the issue. You might
want to add this to one of the archives.
Alan
C crypto-control-data
(*
* LB plus crypto-control-data plus data
*
* Expected result: allowed
*
* This is an example of OOTA and we would like it to be forbidden.
* The WRITE_ONCE in P0 is both data-dependent and (at the hardware level)
* control-dependent on the preceding READ_ONCE. But the dependencies are
* hidden by the form of the conditional control construct, hence the
* name "crypto-control-data". The memory model doesn't recognize them.
*)
{}
P0(int *x, int *y)
{
int r1;
r1 = 1;
if (READ_ONCE(*x) == 0)
r1 = 0;
WRITE_ONCE(*y, r1);
}
P1(int *x, int *y)
{
WRITE_ONCE(*x, READ_ONCE(*y));
}
exists (0:r1=1)
