Oh I see now. Just to double check, then something like the following would
be broken too, because it is basically the same as the code above, and, well, it
doesn't make much sense to store the value returned by the macro
array_index_nospec in x, correct?:
Correct, broken:
bool foo(int x)
{
        if (x >= MAX)
                return false;
        /* Under speculation we may not return here when x is greater than max. */
        x = array_index_nospec(x, MAX);
        /*
         * x is now sanitized under speculation to zero, but the compiler would
         * likely just throw this away because nothing consumes it.
         */
        return true;
}

int vulnerable(int x)
{
        if (!foo(x))
                return -1;
        /* cpu might speculate that this branch is not taken... */
        temp = array[x];
        /* ...so x had better be bounded here, otherwise Spectre. */
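The pattern above, written out as an added, stand-alone C example (not code from the thread or from the kernel tree): the broken shape, where the sanitized index dies inside the validating helper and the caller indexes with the raw value, is placed beside the hardened shape, where the clamp sits right before the dependent load. Because array_index_nospec() is kernel-only, the block carries a hypothetical user-space re-implementation of the kernel's generic mask trick (a branch-free mask that is all-ones when index < size and zero otherwise); MAX, array[], read_broken() and read_fixed() are names chosen for this example, and array[] holds constructed sample values. Architecturally both versions behave identically, which is exactly why the bug is easy to miss: only the speculative path differs, and only the fixed version leaves the compiler no way to discard the clamp.

```c
#include <limits.h>
#include <stdbool.h>

/*
 * Hypothetical user-space stand-in for the kernel's generic
 * array_index_mask_nospec(): returns ~0UL when index < size, 0 otherwise,
 * without a branch. Relies on an arithmetic right shift of a negative long,
 * which is implementation-defined in ISO C but what gcc and clang emit.
 * Assumes size > 0 and size <= LONG_MAX.
 */
static inline unsigned long array_index_mask_nospec(unsigned long index,
                                                    unsigned long size)
{
        /*
         * size - 1 - index underflows (sets the top bit) only when
         * index >= size; OR-ing in index catches index >= 2^63 as well.
         * Inverting and sign-extending the top bit yields the mask.
         */
        return ~(long)(index | (size - 1UL - index)) >>
               (sizeof(long) * CHAR_BIT - 1);
}

/* Same contract as the kernel macro: the index, or 0 if out of range. */
#define array_index_nospec(index, size)                                       \
        ((index) & array_index_mask_nospec((unsigned long)(index),             \
                                           (unsigned long)(size)))

#define MAX 8
static const int array[MAX] = { 10, 11, 12, 13, 14, 15, 16, 17 }; /* constructed */

/*
 * BROKEN: the clamp result is a dead value. The compiler may drop it, and
 * even if it does not, the caller never sees the sanitized x.
 */
static bool foo_broken(int x)
{
        if (x < 0 || x >= MAX)
                return false;
        x = array_index_nospec(x, MAX); /* nothing consumes this */
        return true;
}

int read_broken(int x, int *out)
{
        if (!foo_broken(x))
                return -1;
        *out = array[x]; /* speculative out-of-bounds load if the branch mispredicts */
        return 0;
}

/*
 * FIXED: the bounds check and the clamp live at the access site, so the
 * value fed to the load is the clamped one. Under misspeculation past the
 * check, x becomes 0 and the load stays inside array[].
 */
int read_fixed(int x, int *out)
{
        if (x < 0 || x >= MAX)
                return -1;
        x = (int)array_index_nospec(x, MAX); /* consumed by the load below */
        *out = array[x];
        return 0;
}

/* Helper exposing the clamp itself, so its behaviour can be checked directly. */
unsigned long clamp_index(long x)
{
        return array_index_nospec(x, MAX);
}
```

If a validating helper really must do the check, have it return the sanitized index (with -1 or another sentinel for the architectural failure case) and make the caller index with that return value; a bool return throws the clamped value away, which is the mistake the thread is pointing at.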