mconditional-branch, Qconditional-branch

Lets you identify and fix code that may be vulnerable to speculative execution side-channel attacks, which can leak your secure data as a result of bad speculation of a conditional branch direction.

Syntax

Linux:

-mconditional-branch=keyword

Windows:

/Qconditional-branch:keyword

Arguments

keyword

Indicates to the compiler what action to take. Possible values are:

keep

Tells the compiler to not attempt any vulnerable code detection or fixing. This is equivalent to not specifying the -mconditional-branch option.

pattern-report

Tells the compiler to perform a search of vulnerable code patterns in the compilation and report all occurrences to stderr.

pattern-fix

Tells the compiler to perform a search of vulnerable code patterns in the compilation and generate code to ensure that the identified data accesses are not executed speculatively. It will also report any fixed patterns to stderr.

This setting does not guarantee total mitigation, it only fixes cases where all components of the vulnerability can be seen or determined by the compiler. The pattern detection will be more complete if advanced optimization options are specified or are in effect, such as option O3 and option -ipo (or /Qipo).

all-fix

Tells the compiler to fix all of the vulnerable code so that it is either not executed speculatively, or there is no observable side-channel created from their speculative execution. Since it is a complete mitigation against Spectre variant 1 attacks, this setting will have the most run-time performance cost.

In contrast to the pattern-fix setting, the compiler will not attempt to identify the exact conditional branches that may have led to the mis-speculated execution.

all-fix-lfence

This is the same as specifying setting all-fix.

all-fix-cmov

Tells the compiler to treat any path where speculative execution of a memory load creates vulnerability (if mispredicted). The compiler automatically adds mitigation code along any vulnerable paths found, but it uses a different method then the one used for all-fix (or all-fix-lfence).

This method uses CMOVcc instruction execution, which constrains speculative execution. Thus, it is used for keeping track of the predicate value, which is updated on each conditional branch.

To prevent Spectre v.1 attack, each memory load that is potentially vulnerable is bitwise ORed with the predicate to mask out the loaded value if the code is on a mispredicted path.

This is analogous to the Clang compiler's option to do Speculative Load Hardening.

This setting is only supported on Intel® 64 architecture-based systems.

Default

-mconditional-branch=keep and /Qconditional-branch:keep

The compiler does not attempt any vulnerable code detection or fixing.

Description

This option lets you identify code that may be vulnerable to speculative execution side-channel attacks, which can leak your secure data as a result of bad speculation of a conditional branch direction. Depending on the setting you choose, vulnerabilities may be detected and code may be generated to attempt to mitigate the security risk.

IDE Equivalent

Visual Studio: Code Generation [Intel C++] > Spectre Variant 1 Mitigation

Eclipse: None

Alternate Options

None

Para obtener información más completa sobre las optimizaciones del compilador, consulte nuestro Aviso de optimización.