VAX + Spectre

[Paul Koning]

> On Oct 3, 2019, at 8:25 AM, Maciej W. Rozycki <macro at linux-mips.org> wrote:
> 
> On Thu, 3 Oct 2019, Maciej W. Rozycki wrote:
> 
>>> You need an extremely high resolution timer to detect slight differences in
>>> execution time of speculatively-executed threads. The VAX 11/780 certainly did
>>> not do speculative execution, and my guess is that all VAXen did not, either.
>> 
>> The NVAX and NVAX+ implementations include a branch predictor in their 
>> microarchitecture[1], so obviously they do execute speculatively.
> 
> For the record: in NVAX prediction does not extend beyond the instruction 
> fetch unit (I-box in VAX-speak), so there's actually no speculative 
> execution, but only speculative prefetch.

That's a key point.  These vulnerabilities are quite complex and details matter.  They depend on speculation that goes far enough to make data references that produce cache fills, and that those fills persist after the speculative references have been voided.

Branch prediction is only the first step, and as you point out, that alone is nowhere near enough.  For example, if a particular design did speculative execution but not speculative memory references on adresses that miss in the cache, you'd still have no issue.

	paul