llsoftsec / llsoftsecbook

Low-Level Software Security for Compiler Developers
https://llsoftsec.github.io/llsoftsecbook/

Section 3.5.1 "Transient Execution": show an example of cpu speculation that is not based on branch prediction #177

Open kbeyls opened 1 year ago

kbeyls commented 1 year ago

See TODO in text.

koutheir commented 1 month ago

Microarchitectural branches can also participate in speculation. The following function, for example, divides a floating-point constant by its input, and that input could be zero:

```c
double divide_a_value(double a) {
    return 3.0 / a;
}
```

```asm
; AArch64 disassembly
divide_a_value(double):
        fmov    d1, #3.00000000
        fdiv    d0, d1, d0
        ret
```

koutheir commented 1 month ago

Computing addresses may take a few instructions to perform (so, multiple cycles). When loading a value from a computed address for the second time, the CPU may speculate that a computed address used to load a value remains the same, allowing it to start loading the value, this second time, from the previous address, before the actual address, that should be used, is computed. Once the address computation is finished, it is compared to the speculated address, and if it is the same, then the speculatively-loaded value can be used directly. Otherwise, a new load is started.
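The predict, verify and replay sequence described in the comment above can be modelled in software. This is an added example, not code from the thread or from the book; the names (`lap_model`, `lap_execute_load`), the table size and the sample addresses are assumptions made for illustration and do not describe any specific CPU.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PRED_ENTRIES 16 /* constructed table size, not taken from a real CPU */

struct pred_entry { uint64_t pc, last_addr; int valid; };

struct lap_model {
    struct pred_entry table[PRED_ENTRIES];
    unsigned hits;             /* speculative load matched, value used directly */
    unsigned replays;          /* speculative load discarded, new load started */
    uint64_t discarded_addr;   /* address the last discarded load was issued to */
};

/* Model one execution of the load instruction at `pc` whose address
 * computation eventually yields `actual_addr`. Returns 1 when the
 * speculatively loaded value could be used, 0 otherwise. */
int lap_execute_load(struct lap_model *m, uint64_t pc, uint64_t actual_addr)
{
    struct pred_entry *e = &m->table[(pc >> 2) % PRED_ENTRIES];
    int usable = 0;
    if (e->valid && e->pc == pc) {
        uint64_t predicted = e->last_addr; /* load issued before address is known */
        if (predicted == actual_addr) {    /* check once the computation finishes */
            m->hits++;
            usable = 1;
        } else {
            m->replays++;
            m->discarded_addr = predicted;
        }
    }
    e->pc = pc;                /* train on the architecturally correct address */
    e->last_addr = actual_addr;
    e->valid = 1;
    return usable;
}

int main(void)
{
    struct lap_model m;
    memset(&m, 0, sizeof m);
    uint64_t addrs[] = { 0x8000, 0x8000, 0x9000, 0x9000 }; /* constructed */
    for (size_t i = 0; i < 4; i++)
        printf("addr=%#llx usable=%d\n", (unsigned long long)addrs[i],
               lap_execute_load(&m, 0x1000, addrs[i]));
    printf("hits=%u replays=%u\n", m.hits, m.replays);
    return 0;
}
```

In the third iteration the model issues the load to the stale address `0x8000` before the check fails, which is the point of interest for a transient-execution discussion: the load was started even though its result is discarded.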