https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96662
Bug ID: 96662
Summary: s390x uses clc taking variable execution time in crypto code
Product: gcc
Version: 11.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: target
Assignee: unassigned at gcc dot gnu.org
Reporter: mpolacek at gcc dot gnu.org
Target Milestone: ---

In this test case:

void bar (void);
void f1 (unsigned short *p) { if (p[0] < p[1]) bar (); }
void f2 (unsigned int *p) { if (p[0] < p[1]) bar (); }
void f3 (unsigned long long *p) { if (p[0] < p[1]) bar (); }
void f4 (unsigned short *p) { if (p[0] != p[1]) bar (); }
void f5 (unsigned int *p) { if (p[0] != p[1]) bar (); }
void f6 (unsigned long long *p) { if (p[0] != p[1]) bar (); }
void f7 (short int *p) { if (p[0] != p[1]) bar (); }
void f8 (int *p) { if (p[0] != p[1]) bar (); }
void f9 (long long *p) { if (p[0] != p[1]) bar (); }

GCC generates clc on s390x. That is problematical in crypto code, because clc works like memcmp, which has a variable execution time. So it is theoretically possible to gauge some information by measuring how long the operation takes (for 128 or 255 byte long comparisons).

Other arches supposedly generate instructions that take constant time, therefore don't suffer from this issue.
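The timing difference the report describes, as an added example that is not part of the original bug report or of GCC: a model of a memcmp-like early-exit compare next to a constant-time one, run over constructed 128-byte buffers. The function names and the byte-count "work" metric are assumptions made for illustration. A constant-time source idiom still has to be checked against the generated assembly, since the report concerns what the compiler emits.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
typedef unsigned char u8;

/* Model (an assumption, not hardware behaviour) of a memcmp-like compare:
 * stop at the first differing byte. *work is the work done, the timing signal. */
static int early_exit_cmp(const u8 *a, const u8 *b, size_t len, size_t *work)
{
    size_t i = 0;
    while (i < len && a[i] == b[i])
        i++;
    *work = i < len ? i + 1 : len;
    return i == len ? 0 : (a[i] < b[i] ? -1 : 1);
}

/* Constant-time inequality: touches all len bytes, no data-dependent branch.
 * Returns 1 if the buffers differ, 0 if they are equal. */
static int ct_neq(const u8 *a, const u8 *b, size_t len, size_t *work)
{
    unsigned acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= (unsigned)(a[i] ^ b[i]);
    *work = len;
    return (int)((acc + 0xFFu) >> 8);   /* acc is 0..255: 0 -> 0, else 1 */
}

/* Constructed input: two 128-byte buffers that differ only at diff_idx. */
static size_t work_done(int constant_time, size_t diff_idx)
{
    u8 a[128], b[128];
    size_t work = 0;
    memset(a, 0x41, sizeof a);
    memcpy(b, a, sizeof b);
    b[diff_idx] ^= 0x01;
    if (constant_time)
        (void)ct_neq(a, b, sizeof a, &work);
    else
        (void)early_exit_cmp(a, b, sizeof a, &work);
    return work;
}

int main(void)
{
    for (size_t idx = 0; idx < 128; idx += 42)
        printf("diff at byte %3zu: early-exit %3zu, constant-time %3zu\n",
               idx, work_done(0, idx), work_done(1, idx));
    return 0;
}
```

In the early-exit model the work grows with the position of the first differing byte, which is the information a timing measurement could expose; the constant-time version does the same work for every input of a given length.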