阅读说明：本技术 推测性缓存存储区 (Speculative cache storage ) 是由 理查德·罗伊·格里森思怀特 于 2018-08-30 设计创作，主要内容包括：装置(2)包括：执行指令的推测性执行的处理电路(4)；主缓存存储区(30)；推测性缓存存储区(32)；以及缓存控制电路(34),该缓存控制电路(34)在处理电路触发的推测性存储器访问保持推测性的情况下,将由推测性存储器访问引起的分配的条目分配给推测性缓存存储区而不是主缓存存储区。这能够帮助防止潜在的安全攻击,这些攻击利用缓存定时侧信道来获取关于由推测性存储器访问引起的对于缓存的分配的信息。(The device (2) comprises: a processing circuit (4) that performs speculative execution of instructions; a primary cache storage area (30); a speculative cache storage area (32); and cache control circuitry (34), the cache control circuitry (34) allocating allocated entries caused by speculative memory accesses to speculative cache memory areas other than the primary cache memory area if the speculative memory accesses triggered by the processing circuitry remain speculative. This can help prevent potential security attacks that utilize the cache timing side channel to obtain information about the allocation of the cache caused by the speculative memory accesses.)

1. An apparatus, comprising:

processing circuitry to perform speculative execution of instructions;

a primary cache storage area;

a speculative cache storage area; and

cache control circuitry to allocate an entry to the speculative cache memory region other than the primary cache memory region that was caused to be allocated by the speculative memory access if the speculative memory access triggered by the processing circuitry remains speculative, wherein:

when the speculative memory access that triggers the allocation of the entry to the speculative cache memory area is a speculative load memory access for loading data from a memory system, the entry allocated to the speculative cache memory area in response to the speculative load memory access specifies the data loaded from the memory system.

2. The apparatus of claim 1, wherein the cache control circuitry is configured to: entries corresponding to speculative or non-speculative memory accesses that are resolved to be correct are exclusively allocated to the primary cache storage.

3. Apparatus as claimed in any one of claims 1 and 2, wherein both said primary cache memory area and said speculative cache memory area are accessible in response to a read triggered by a speculative instruction executed by said processing circuitry.

4. The apparatus of claim 3, wherein the cache control circuitry is configured to: discarding an entry of the speculative cache memory region or disabling the processing circuitry from accessing the entry of the speculative cache memory region in response to the processing circuitry switching from a higher-privilege state to a lower-privilege state.

5. The apparatus of any preceding claim, wherein the cache control circuitry is configured to: transferring entries allocated in response to speculative memory accesses from the speculative cache memory to the primary cache memory after the speculative memory accesses are resolved to be correct.

6. The apparatus of claim 5, wherein the cache control circuitry is configured to: in response to detecting that the speculative memory access is resolved to correct, transferring an entry allocated in response to the speculative memory access directly to the primary cache storage area.

7. The apparatus of claim 5, wherein the cache control circuitry is configured to: a speculative cache transfer operation is periodically performed to determine whether any entries of the speculative cache storage correspond to resolved speculative memory accesses that are resolved to be correct, and to transfer entries corresponding to the resolved speculative memory accesses to the primary cache storage.

8. The apparatus of any preceding claim, wherein the cache control circuitry is configured to: discarding entries in the speculative cache storage area associated with speculative memory accesses that resolve to an incorrect.

9. The apparatus of any preceding claim, wherein the cache control circuitry is to, in response to a speculative cache flush event, discard at least an entry in the speculative cache store associated with one of:

resolved as an incorrect speculative memory access; and

speculative memory accesses that are still to be resolved.

10. The apparatus of claim 9, wherein the cache control circuitry is to discard all entries of the speculative cache memory area in response to the speculative cache flush event.

11. The apparatus of any of claims 9 and 10, wherein the speculative cache flush event comprises: the processing circuit switches between a privileged higher state and a privileged lower state.

12. The apparatus of any of claims 9 and 10, wherein the speculative cache flush event comprises: the processing circuit switches from a privilege-high state to a privilege-low state.

13. The apparatus of any of claims 9 to 12, wherein the speculative cache flush event comprises: processing, by the processing circuitry, of a speculative cache flush instruction.

14. The apparatus of any of claims 8 to 13, wherein the cache control circuitry is configured to: upon discarding an entry of the speculative cache storage area, determining whether data in the discarded entry is dirty, and writing the data to another storage location when the data is dirty.

15. The apparatus of claim 14, wherein the additional storage locations comprise additional levels of cache or memory.

16. The apparatus of claim 14, wherein the additional storage location comprises a location to obtain the data in response to the speculative memory access triggering allocation of the entry to the speculative cache storage area.

17. The apparatus of claim 16, wherein each entry of the speculative cache storage specifies location metadata indicating a location from which the data was obtained.

18. The apparatus of any preceding claim, wherein the speculative cache memory region comprises a cache memory structure separate from the primary cache memory region.

19. The apparatus of any preceding claim, wherein the speculative cache memory area is more associative than the primary cache memory area.

20. The apparatus of claim 19, wherein the speculative cache memory areas are fully associative.

21. The apparatus of any of claims 1-16, wherein the speculative cache memory area comprises a reserved portion of a same cache memory structure that contains the primary cache memory area.

22. The apparatus of claim 21, wherein the cache storage structure is set associative and the speculative cache memory area comprises at least one reserved way of the cache storage structure.

23. A method for an apparatus comprising processing circuitry to perform speculative execution of instructions; a primary cache storage area; and a speculative cache storage area, the method comprising:

in response to a speculative memory access triggered by the processing circuitry, in the event that the speculative memory access remains speculative, allocating an entry to the speculative cache memory region instead of the primary cache memory region, wherein:

when the speculative memory access that triggers the allocation of the entry to the speculative cache memory area is a speculative load memory access for loading data from a memory system, the entry allocated to the speculative cache memory area in response to the speculative load memory access specifies the data loaded from the memory system.

24. An apparatus, comprising:

processing circuitry to perform speculative execution of instructions;

an instruction decoder to decode instructions to control operation of the processing circuitry in accordance with the decoded instructions; wherein:

the instruction decoder controls the processing circuitry to discard or make inaccessible one or more speculative entries from a cache in response to a speculative cache flush instruction, the one or more speculative entries being allocated to the cache in response to a speculative memory access that remains unresolved or is resolved as incorrect.

25. A method of data processing, comprising:

decoding an instruction to control operation of the processing circuitry in accordance with the decoded instruction;

performing speculative execution of instructions using the processing circuitry; and

in response to decoding of a speculative cache flush instruction, controlling the processing circuitry to discard or make inaccessible one or more speculative entries from a cache, the one or more speculative entries being allocated to the cache in response to a speculative memory access that remains unresolved or that is resolved as incorrect.

Technical Field

The present technology relates to the field of data processing.

Background

The data processing apparatus may support speculative execution of instructions, where the instructions are executed before it is known whether input operands to the instructions are correct or whether the instructions require execution at all. For example, a processing apparatus may have a branch predictor for predicting the outcome of a branch instruction, so that subsequent instructions can be fetched, decoded and speculatively executed before it is known what the actual outcome of the branch should be. Additionally, some systems may support load speculation in which values loaded from memory are predicted before actual values are actually returned from memory to allow subsequent instructions to be processed more quickly. Other forms of speculation are possible.

Disclosure of Invention

At least some examples provide an apparatus comprising:

processing circuitry to perform speculative execution of instructions;

a primary cache storage area;

a speculative cache storage area; and

cache control circuitry for allocating an allocated entry resulting from a speculative memory access to a speculative cache memory region rather than a primary cache memory region if the speculative memory access triggered by the processing circuitry remains speculative, wherein:

when the speculative memory access triggering the allocation of an entry to a speculative cache memory area is a speculative load memory access for loading data from the memory system, the entry allocated to the speculative cache memory area in response to the speculative load memory access specifies the data loaded from the memory system.

At least some examples provide a method for an apparatus comprising processing circuitry to perform speculative execution of instructions; a primary cache storage area; and a speculative cache storage area, the method comprising:

in response to a speculative memory access triggered by the processing circuitry, in the event that the speculative memory access remains speculative, allocating an entry to a speculative cache memory region rather than a primary cache memory region, wherein:

when the speculative memory access triggering the allocation of an entry to a speculative cache memory area is a speculative load memory access for loading data from the memory system, the entry allocated to the speculative cache memory area in response to the speculative load memory access specifies the data loaded from the memory system.

At least some examples provide an apparatus comprising:

processing circuitry to perform speculative execution of instructions;

an instruction decoder to decode instructions to control operation of the processing circuitry in accordance with the decoded instructions; wherein:

an instruction decoder controls processing circuitry to discard or make inaccessible one or more speculative entries from a cache in response to a speculative cache flush instruction, the one or more speculative entries being allocated to the cache in response to a speculative memory access that remains unresolved or is resolved as incorrect.

At least some examples provide a data processing method comprising:

decoding an instruction to control operation of the processing circuitry in accordance with the decoded instruction;

performing speculative execution of instructions using processing circuitry; and

in response to decoding of a speculative cache flush instruction, control processing circuitry discards or makes inaccessible one or more speculative entries from the cache that were allocated to the cache in response to a speculative memory access that remains unresolved or that was resolved as incorrect.

Drawings

Other aspects, features and advantages of the present technology will become apparent from the following description of examples, which is to be read in connection with the accompanying drawings, wherein:

FIG. 1 schematically shows an example of a data processing apparatus having a primary cache memory area and a speculative cache memory area;

FIG. 2 illustrates an example implementation of a primary cache region and a speculative cache region;

FIG. 3 is a flow chart illustrating controlling cache allocation.

FIG. 4 is a flow diagram illustrating controlling cache allocation after a speculative memory access is resolved; and

FIG. 5 is a flow diagram illustrating a response to a speculative cache flush event.

DETAILED DESCRIPTION OF EMBODIMENT (S) OF INVENTION

The apparatus has processing circuitry for performing speculative execution of instructions, a primary cache storage, a speculative cache storage, and cache control circuitry for allocating allocated entries caused by speculative memory accesses to the speculative cache storage instead of the primary cache storage if the speculative memory accesses triggered by the processing circuitry remain speculative. When the speculative memory access triggering the allocation of an entry to a speculative cache memory area is a speculative load memory access for loading data from the memory system, the entry allocated to the speculative cache memory area in response to the speculative load memory access specifies the data loaded from the memory system.

By providing a separate speculative cache memory area to which entries may be allocated when they relate to speculative memory accesses for which the speculative result has not been resolved as correct or incorrect, this avoids polluting the main cache memory area with entries associated with addresses speculatively accessed by the processing circuitry. This helps prevent potential security attacks that might otherwise exploit the attributes that the effects of speculatively executed instructions might retain in the cache, even after any architectural effects of the speculatively executed instructions are reversed after misspeculation. Such attacks may train a branch predictor or other speculation mechanism to fool privileged higher code into speculatively executing sequences of instructions designed to cause privileged code to access memory addresses according to sensitive information (pattern) so that privileged lower code that cannot access sensitive information may use a cache timing side channel (side channel) to probe which addresses the privileged higher code allocates to or evicts from the cache to give some information that may allow sensitive information to be inferred. By providing a speculative cache memory area separate from the primary cache memory area, entries may be allocated to the speculative cache memory area whilst their corresponding memory accesses remain speculative, which means that the allocation of speculative results does not affect the address at which the entries are cached in the primary cache memory area, thereby reducing the side channel information that can be obtained by measuring the cache access timing, thereby limiting the chances of attacks of the type described above. The cache control circuitry may exclusively allocate entries to the primary cache memory area corresponding to non-speculative memory accesses or entries corresponding to speculative memory accesses that have been resolved to be correct.

The speculative cache memory area may be used for entries allocated in response to speculative load memory accesses (for loading data from the memory system). It is considered counterintuitive to those skilled in the art of data processing systems to use a separate speculative cache storage area to store data speculatively loaded from a memory system, since speculative operations that merely read data from memory (but do not update the data) will typically be allowed to allocate entries in the main cache, since even if the speculation is incorrect, the cached data will still be correct because the speculative loads will not modify the data. However, by allocating an entry for a speculative load operation in a speculative cache memory area rather than a main cache memory area, this avoids disclosing information about the address of the speculative access, thereby reducing the risk of cache timing side channel attacks of the type described above.

Speculative cache storage may also be used for entries allocated to caches in response to speculative store memory accesses (for storing data to a memory system). Alternatively, a separate store buffer provided in the micro-architecture of the processing pipeline may buffer speculative store data prior to writing it to the cache, in which case the use of speculative cache storage in response to a store memory access may not be required.

Both the main cache memory area and the speculative cache memory area may be accessible in response to a read (load) triggered by a speculative instruction executed by the processing circuitry. Thus, the performance benefits of caching speculatively loaded data may still be realized. An alternative approach to address the above type of attack may be to completely disable caching of speculative entries until the speculation is resolved, but this will compromise performance, as this will mean that subsequent instructions requiring the same data as the previous speculative memory access will not be able to read the cached data until the earlier memory access is resolved, causing a delay. Conversely, by providing a dedicated speculative cache storage area, speculative entries may be distinguished from non-speculative entries in the primary cache storage, but both the primary and speculative caches may still be made accessible, which may help improve performance.

In response to processing circuitry switching from a higher-privilege state to a lower-privilege state, cache control circuitry may discard entries of the speculative cache storage area or disable processing circuitry from accessing entries of the speculative cache storage area. This avoids code associated with a lower privilege state being able to obtain side channel information regarding the impact of cache allocation caused by misspeculated instructions. On the other hand, entries in the primary cache storage may remain accessible in a lower privilege state, but since the primary cache storage has not been contaminated by allocations that remain to be resolved after speculation, an attacker cannot obtain any information about the instructions speculatively executed after the misprediction, and cannot use this as a way to cause the higher privilege state to leak sensitive information. This therefore avoids security attacks of the type described above.

The cache control circuitry may transfer entries allocated in response to speculative memory accesses from the speculative cache memory area to the primary cache memory area after the speculative memory accesses are resolved to be correct. The transfer may be performed directly in response to detecting that the speculative memory access was resolved to be correct, or may be performed at a later time.

For example, in some implementations, the entry is transferred immediately instead of the corresponding access of the allocated entry being resolved, the cache control circuitry may periodically perform a speculative cache transfer operation in which it is determined whether any entry of the speculative cache memory area corresponds to a speculative memory access that is resolved to the correct resolution, and if so, the entry corresponding to the resolved speculative memory access is transferred to the primary cache memory area. In some implementations, such a periodic approach may be easier to implement (higher area efficiency and higher power efficiency). For example, rather than tracking on a single instruction at the instruction level which entries in a speculative cache store correspond to particular memory access instructions, an epoch-based approach may be used in which the resolution of speculative instructions may be tracked at a coarser granularity (e.g., in blocks (epochs) of a certain number of instructions). For example, each entry of the speculative cache storage may include metadata specifying an identifier of the period (instruction block) in which the entry was assigned, and when all instructions of a given period are determined to resolve to correctly speculate, any entry specifying the identifier of the period may then be transferred to the primary cache storage.

Thus, there may be a tradeoff between the accuracy with which entries and instructions can be resolved to correct speculation and the performance and area overhead of tracking this operation. However, in general, by transferring entries from a speculative cache memory region to a primary cache memory region once it is determined that the corresponding memory access was correctly speculated, the transferred entries may remain accessible in the primary cache even if subsequent speculations failed, and thus the entries are discarded from the speculative cache memory region. The transfer also makes entries of the speculative cache memory area available for reallocation to other speculative memory operations.

Note that when an entry is transferred from the speculative cache storage area to the primary cache storage area, the data value to be cached in the entry may not yet be stored within the transferred entry. For example, for some entries, a memory access that allocated the entry may be resolved to be correct before the actual data value to be loaded into the entry is received from another cache or memory. The cache control circuitry may have a cache line fill mechanism that may look up both the speculative cache memory area and the primary cache memory area upon receipt of a previously requested data value from another cache or memory to identify which entry should be updated with the data value returned in response to the cache line fill request, since the entry to be updated may be present in either the primary cache memory area or the speculative cache area, depending on whether the speculation on the memory access correctly resolves to the relative timing of the response to the received cache line fill request.

In some implementations, if a given speculative memory access is resolved to be incorrect, the entry in the speculative cache store associated with the speculative memory access may be discarded. For example, when a branch is determined to be mispredicted, entries in the speculative cache memory area that were allocated in response to memory access instructions following the mispredicted branch may be discarded. Furthermore, the discard may be performed directly in response to detecting that the corresponding speculative memory access is resolved to incorrect, or may be performed later in a periodic check operation to check whether any entries relate to incorrectly speculated memory accesses.

Alternatively, in some cases, discarding entries from a speculative cache store may be performed independently of any knowledge of whether a particular memory access resolved to incorrect speculation. For example, if there is a switch from more trusted code to less trusted code, then a security attack of the type described above may be just a risk. If the processing remains in more trusted code, then it may not be any problem to be able to access the speculative entries in the cache that are still to be resolved. Indeed, while remaining within the code of a given trust level, it may be beneficial for performance to keep speculative entries in the speculative cache store that are still to be resolved to reduce the access time for subsequent accesses to the same data. Thus, in some cases, entries in a speculative cache memory region may be retained until a speculative cache flush (flush) event occurs.

The cache control circuitry may discard at least entries of the speculative cache memory areas associated with speculative memory accesses that are resolved as incorrect or speculative memory accesses that remain to be resolved in response to the speculative cache flush event. If the speculative cache memory area is able to distinguish entries associated with memory accesses that have already been resolved, then these entries do not have to be discarded. However, in some implementations, when a speculative cache flush event occurs, the cache control circuitry may simply discard all entries of the speculative cache memory region. This may reduce the overhead of recording metadata in each entry of the speculative cache storage area to track the speculative result of the corresponding memory access that allocated the entry.

Different types of speculative cache flush events may be defined to trigger the dropping of entries from the speculative cache memory store. In general, a speculative cache flush event may be any event that notifies that there is a risk of: if the results of the speculative memory accesses still to be resolved are still accessible after a speculative cache flush event, the code executing after the speculative cache flush event may obtain information associated with the code executing before the speculative cache flush event.

For example, a speculative cache flush event may include a switch in the privilege level of the processing circuitry. For example, processing circuitry switching between a privileged higher state and a privileged lower state may be considered a flush event and trigger the discarding of at least some entries from a speculative cache store. In particular, the switching of the processing circuitry from a higher privilege state to a lower privilege state may trigger a speculative cache refresh event. Thus, by avoiding the main cache area from being contaminated by entries associated with unresolved speculative memory accesses and dropping entries from the speculative cache area if the privilege level of the processing circuitry is reduced, this may provide a precaution against lower-privileged code being able to use the cache timing side channel to probe access to only those information limited to higher-privileged code that was running before the privilege level change.

Another example of a speculative cache flush event may be the processing of a speculative cache flush instruction by processing circuitry. By providing speculative cache flush instructions that may be used to trigger the discarding of any entries from the speculative cache storage area that relate to memory accesses that are still resolved to incorrect speculations, this may allow a programmer to explicitly mark a point in code beyond which it may be unsafe to enable visibility of information about cache allocation caused by the speculative instructions. For example, a programmer may include a speculative cache flush instruction at the end of a piece of code for processing sensitive information so that no subsequent code can obtain side channel information that enables it to infer sensitive information. In some cases, a speculative cache flush instruction may be an instruction that also provides another effect, such as an exception return instruction that triggers a return to a lower level of privilege, which may also be interpreted as triggering a flush of a still-to-be-resolved or resolved to an incorrect entry of the speculative cache memory area.

However, it may be useful to provide a dedicated speculative cache flush instruction (i.e. an instruction that appears as an architecture no-op (nop) instruction) that does not provide any other impact at the architecture level but which triggers the cache control circuitry to discard from the speculative cache memory at least the entries allocated by the speculative cache memory still to be resolved or resolved as incorrect memory accesses (or in some cases, which triggers all entries of the speculative cache memory to be discarded). This allows the programmer/compiler (even if no other changes to privilege levels or architectural impacts are required) to mark boundaries in the code beyond which any speculatively allocated entries should be discarded from the cache to further ensure that subsequently executed code cannot obtain side channel information from the measurement cache access timing.

When an entry is discarded from the speculative cache memory area, the entry may simply be invalidated if the data associated with the entry is clean. However, sometimes when an entry needs to be discarded, the data stored in the entry of the speculative cache memory area may be dirty. In some cases, when performing speculative memory accesses, corresponding data need not be fetched from main memory, from which it may be written to speculative cache memory areas if it is already available in another cache within the same processing system (e.g., a cache associated with another processor core or other host device). In this case, the data migrated into the speculative cache memory region may already be dirty when it is in another cache and may not yet be written back into memory, so the data in the speculative cache memory region may still be dirty even though the processing circuitry accessing the speculative cache memory region has not yet updated the data. Thus, if the entry assigned to the speculative cache memory region is simply invalidated, there may be a risk that the latest copy of data from a given address is lost. Thus, when an entry is discarded from the speculative cache memory region, the cache control circuitry may check whether the data stored in the entry is dirty and, if so, write the data to another location.

Another storage location (to which data of entries discarded from the speculative cache storage area is written back) may be a higher level cache or memory. Alternatively, the other storage location may be the location where the data was originally obtained in response to the speculative memory access that triggered the allocation of the entry to the speculative cache storage area. For example, the another location may be a cache in the another processor core or the master. By returning or restoring the data in the discarded speculative entry to the location where the data was originally fetched, this means that after resolution of the memory access as a mis-speculation, the pattern of addresses allocated in the cache throughout the system may be closer to what would occur if the speculative memory access were not performed at all, thereby reducing the chances that an attacker will fetch information about the access pattern of the speculatively executed instructions by measuring the cache timing in another location (e.g., another processor core's cache). This may therefore prevent a second order side channel that may obtain information from a change in coherency state or cache allocation pattern in another cache that the speculatively executed instructions may not directly access. To enable data to be restored to the location from which it was retrieved, each entry of the speculative cache memory store may specify location metadata indicating the location from which the data was obtained.

The speculative cache memory area may be implemented in different ways. In general, a speculative cache memory region may be a physically different cache memory region from the main cache memory region, so the physical location used to cache entries allocated in response to speculative memory accesses (where these accesses remain speculative) is different from those used to cache entries associated with non-speculative memory accesses or speculative memory accesses that have been resolved. This means that when allocations are made in response to a still unresolved speculative memory access, there is no need to discard non-speculative values from the cache, since the physically different regions allocated for speculative and non-speculative entries means that the allocation of speculative cache memory does not affect the allocation already made in the main cache memory. This may be useful because some variants of the above described attacks may gain side-channel insight from the analysis of which addresses are dropped/evicted from the cache, rather than just analyzing which addresses have been allocated into the cache. Thus, providing physically different main and speculative cache memory areas may provide a more effective countermeasure against such attacks than an alternative approach of providing a single shared area with entries available for speculative or non-speculative allocation (but in this case the metadata stored in each entry would distinguish between speculative and non-speculative allocation areas).

In one example, the speculative cache storage area may include a cache storage structure that is distinct from the primary cache storage area. For example, the main cache memory area and the speculative cache memory area may have separate indexing, selection and/or tag comparison circuitry for selecting the location of the cache from which to read or write data having a given memory address. Thus, the primary cache storage and speculative cache storage may have different indexing or marking schemes. The benefit of having a completely separate cache storage structure for the main cache storage and the speculative cache storage is: this allows the associativity, indexing or tagging schemes and the metadata provided for each entry to be designed differently for the primary and speculative cache storage depending on the needs of the primary and speculative cache storage. For example, the speculative region may typically only need to store a relatively small number of entries, which may reasonably often be replaced. Conversely, the main storage area may be designed to handle a larger amount of data, but may use an allocation strategy that may be more energy efficient for long term storage.

For example, a speculative cache memory region may have a higher associativity than a primary cache memory region. That is, the data value associated with a given memory address may be limited to being stored in a particular set of locations in the primary cache storage area and may not be stored outside of these locations. In a speculative cache memory area, there may be a large number of possible locations where a data value associated with a given address may be placed. In some implementations, the speculative cache memory areas may be fully associative such that data associated with any given address may be stored at any entry of the speculative cache memory areas. Instead, the primary cache storage area may be set-associative. This can take advantage of the fact that: that is, the speculative cache memory area may require only relatively few entries and by fully correlating them, this avoids performance penalties due to conflicts between entries allocated in response to different speculatively executed memory operations corresponding to the same group in the group associative structure. Conversely, for a primary cache storage area, because the total number of entries for the primary cache storage area may be greater than the total number of entries for a speculative cache storage area, the set associative allocation scheme may be more energy efficient, since it means that each time the cache is accessed, fewer entries need to be looked up to compare the address tags in order to find which entry stores the data associated with a given address.

In other embodiments, the speculative cache memory area may be implemented as a reserved portion of the same cache memory structure that includes the primary cache memory area. For example, although the speculative cache memory areas may still be physically distinct from the primary cache memory areas, such that allocation of the speculative cache memory areas does not require any discarding of non-speculative entries in the primary cache memory areas, they may form part of the same cache memory structure, e.g., using a common indexing/marking scheme. For example, the cache storage structure may include a set-associative cache, and the speculative cache memory area may include at least one reserved way of the cache storage structure.

The apparatus may have processing circuitry for executing speculatively executed instructions and an instruction decoder for decoding instructions to control the operation of the processing circuitry in accordance with the decoded instructions. The instruction decoder may control the processing circuitry to discard or make unavailable from the cache access one or more speculative entries allocated to the cache in response to the speculative memory access still remaining unresolved or having been resolved as incorrect in response to a speculative cache flush instruction. This may help to reduce vulnerability to attacks of the type described above by providing instructions at the architectural level of the type that a programmer may use to ensure that there are no remaining speculative entries in the cache.

Fig. 1 schematically shows an example of a data processing device 2. It will be appreciated that this is merely a high-level representation of a subset of the components of the apparatus, and that the apparatus may comprise many other components not shown. The apparatus 2 comprises processing circuitry 4 for performing data processing in response to instructions decoded by an instruction decoder 6. Instruction decoder 6 decodes instructions fetched from instruction cache 8 to generate control signals 10 for controlling processing circuitry 4 to perform the corresponding processing operations represented by the instructions. The processing circuitry 4 comprises one or more execution units 12 for performing operations on values stored in registers 14 to generate result values to be written back to the registers. For example, the execution units may include an arithmetic/logic unit (ALU) to perform arithmetic or logical operations, a floating point unit to perform operations using floating point operands, and/or a vector processing unit to perform vector operations on operands comprising multiple independent data elements. The processing circuit further comprises a memory access unit (or load/store unit) 15 for controlling data transfer between the registers 14 and the memory system. The memory system includes an instruction cache 8, a data cache 16, and other storage provided downstream of the data cache 16 and the instruction cache 8, such as other levels of cache (e.g., level 2 or level 3 caches) and a main memory 18. In response to a load operation, memory access circuitry 15 controls the memory system to return data associated with a given address and to write the loaded data to register 14. In response to a store operation, memory access circuitry 15 writes the value from register 14 to the memory system.

As shown in fig. 1, the apparatus 2 may have at least one form of speculation mechanism 20 for predicting the expected behaviour of certain instructions to be processed by the processing circuitry 4 and controlling the apparatus to speculatively execute subsequent instructions in dependence on the expected result of previous instructions. For example, the speculation mechanism 20 may include a branch predictor for predicting the taken/not-taken outcome of a branch instruction and/or for predicting the target address of a branch instruction so that subsequent instructions may be fetched, decoded and speculatively executed without waiting for the actual branch outcome to be resolved. If the branch prediction turns out to be incorrect, the architectural effect of subsequently executed speculative instructions on the register 14 may be reversed and the architectural state in the register 14 may be restored to the point where the branch was encountered, and then after the branch, an alternate instruction path may be executed. However, if the branch is correctly predicted, this allows for improved performance by filling the pipeline with subsequent instructions earlier.

Another example of speculation mechanism 20 may be a load speculation unit that may predict data to be loaded from a memory system before that data is actually returned so that subsequent instructions may be speculatively executed using the predicted data value. If the prediction is later proven to be incorrect, the subsequent speculative instruction may be cancelled again and the architectural state in register 14 restored to the point where the speculative load was encountered.

Thus, such speculative execution of instructions by processing circuitry 4 before it is actually known whether the input of the instructions is correct or whether the instructions require execution at all would be very beneficial in providing high processor performance. However, it has recently been recognized that if such speculation results in a memory access being speculatively executed, the allocation to cache 16 triggered by the speculative memory access may remain visible even if the speculative instruction resolves to a mispredicted or mispredicted instruction and the architectural impact of the speculatively re-executed instruction has been reversed. This may then allow subsequently executed code to investigate which data was loaded by earlier code by using the cache timing side channel. The rationale for the cache timing side channel is that the pattern of allocation to the cache (specifically which cache groups have been used for allocation) can be determined by measuring the time it takes to access an entry previously in the cache or by measuring the time to access an already allocated entry. This can then be used to determine which addresses have been allocated in the cache.

Recently, a speculative based cache timing side channel using speculative memory reads has been proposed. Speculative memory reads are typical of high-level microprocessors and are part of an overall function that achieves very high performance. By performing speculative memory reads (or other changes in the program stream) to cacheable locations other than architecturally unresolved branches and further using the results of these reads themselves to form the addresses of other speculative memory reads that result in the allocation to the cache of entries whose addresses represent the value of the first speculative read. If untrusted code is able to control speculation with a first speculative read that results in a location that is otherwise inaccessible to untrusted code, but the effect of a second speculative allocation in cache may be measured by the untrusted code, then this will become an available side channel.

For any form of monitoring software, untrusted software typically passes the data value to be used as an offset into an array or similar structure to be accessed by trusted software. For example, an application (untrusted) may ask for information about an open file based on the file descriptor ID. Of course, the monitoring software will check if the offset is within the appropriate range before using it, so the software for this example can be written using the following form:

in modern microprocessors, processor implementations may typically perform data accesses speculatively (implied by line 9 in the code above) to establish values prior to executing the branch associated with the undried _ offset _ from _ user range check (implied by line 7). The processor running this code at the supervisor level (e.g., the OS kernel or hypervisor) may be loaded speculatively from anywhere in ordinary memory accessible to the supervisor level, as determined by the out-of-range value of un-trusted _ offset _ from _ user that is passed by untrusted software. This is not an architectural problem because if the speculation is incorrect, the loaded value will be discarded by the hardware.

However, the higher level processor may use the speculatively loaded values for further speculation. It is this further speculation that the side channel utilization is based on speculative buffering timing. For example, the foregoing example may be extended to the following form:

in this example, the "value" loaded from memory using the address calculated from arr1- > data in combination with undried _ offset _ from _ user (line 10) is then used as the basis for further memory accesses (line 13). Thus, the speculative load of value 2(value2) comes from the address derived from the data that was speculatively loaded for the value. If a speculative load of value2 by the processor results in an allocation into the cache, a portion of the address of the load may be inferred using the standard cache timing side channel. Since the address depends on the data in the value, a side channel may be used to infer a portion of the data of the value. By applying this method to different bits of the value, the entirety of the data of the value may be determined (in multiple speculative executions). Thus, the untrusted software can access any location accessible to the monitoring software by providing an over-range amount of untrusted _ offset _ from _ user, and therefore this method can be used by the untrusted software to recover the value of any memory accessible to the monitoring software.

Modern processors have many different types of caches including instruction caches, data caches, and branch prediction caches. In the case where the allocation of entries in these caches is determined by the value of any part of some data loaded based on an untrusted input, such a side channel may in principle be stimulated.

By way of overview of such mechanisms, it should be understood that the underlying hardware techniques mean that code that may pass through a branch may be speculatively executed, and thus any sequence of accesses to memory after the branch may be speculatively executed. In such speculation, where a speculatively loaded value is then used to construct the address of a second load or indirect branch that may also be speculatively executed, the second load or indirect branch may leave an indication of the value loaded by the first speculative load (in such a way that the value may be read using timed analysis of the cache by code that cannot read the value). This overview means that many code sequences that are typically generated leak information into cache allocation patterns that can be read by other, less privileged software. The most severe form of this problem is that described earlier in this section, where lower privileged software can choose what values to reveal in this way.

It is therefore desirable to provide a countermeasure against such attacks. As shown in fig. 1, a cache such as the level one data cache 16 may be provided with a physically distinct main cache storage area 30 and speculative cache storage area 32 to help prevent the types of attacks described above. Figure 2 schematically illustrates an example of a primary cache storage area 30 and a speculative cache storage area 32 in more detail. The buffer control circuit 34 controls the allocation of buffers. As shown in fig. 2, the cache control circuitry 34 controls allocation such that when the allocation of an entry to the cache 16 is triggered by a speculative memory access, then the speculative cache memory section 32 is allocated instead of the primary cache section 30 whilst the speculative memory access remains speculative. Allocation of the primary cache storage area 30, on the other hand, is made only in response to non-speculative memory accesses or in response to speculative memory accesses resolved to be correct. This therefore avoids the primary cache being tainted by entries that are still speculative or have resolved to a failed speculation. Once a speculative memory access is resolved to be correct, the entry allocated to speculative cache storage 32 in response to the memory access may be transferred to the primary cache.

While processing remains at the same privilege level, all entries in primary cache 30 and speculative cache 32 are accessible to read requests or load instructions. However, when certain flush events occur (e.g., events indicating that there may be a risk of an attack of the type described above), entries may be dropped or made inaccessible from the speculative cache to prevent code executing after the speculative cache flush event from seeing those speculative allocations. This discarding may be done, for example, in response to a decrease in the privilege level of processing circuitry 4. Processing circuitry 4 may operate in one of a plurality of privilege states associated with different rights to access data. Typically, in the privileged higher state, processing circuitry 4 may access some data that is not accessible by processing circuitry when operating in the privileged lower state. For example, the privileged higher state may be a kernel-level (or operating system-level) privilege state, while the privileged lower state may be an application-level state in which applications executing while at the application privilege level may be excluded from accessing certain data accessible at the kernel level. By discarding the contents of speculative cache region 32 when there is a switch from a higher-privilege state to a lower-privilege state (e.g., on an exception return), this means that the lower-privilege code can then only see cache allocations made in response to non-speculative or resolved memory accesses, to avoid using the cache timing side channel to investigate which entries are allocated by speculatively executed instructions to circumvent the security protection provided by the privilege control mechanism.

In the example of fig. 2, primary cache storage 30 and speculative cache storage 32 are implemented as completely separate cache storage structures with different associativity and different cache index schemes. In this example, the primary cache storage is set associative (N-way set associative, e.g., N-4 in this example). Thus, data associated with a particular address can only be placed in a set of N locations identified by a set index derived from the memory address, and each of the N locations of the set includes tag information 36 identifying a portion of the address, which tag information 36 can be compared to a corresponding tag portion of data in the address to be sought when querying the cache to determine whether any of the entries of the indexed set of entries actually stores the data of the address.

Instead, speculative cache storage 32 may be implemented as a relatively small buffer of, for example, 8 or 16 entries, and may be provided as a fully associative cache structure such that data of any address may be stored in any entry of the speculative cache storage. In this case, the full address 38 of the data associated with a given entry may be stored in that entry to enable a lookup of whether the speculative cache stores any data corresponding to the required target address. Fully associative implementations of speculative caches may more effectively avoid set conflicts that result in data that must be discarded from the speculative cache.

In addition to the tag 36 and stored data, each entry 35 may specify metadata (not explicitly shown in FIG. 2) for controlling cache allocation or coherency in the main cache storage area. For example, the metadata may include valid information specifying whether the entry is valid, coherency state information specifying the coherency state of the corresponding data (e.g., whether the data is clean or dirty, or whether it is shared with a cache in other master devices in a larger processing system including the processor core 2 of FIG. 1), and/or eviction policy information for controlling which of the set of entries 35 is evicted in the absence of an available entry ready to accept allocation of a new entry to the cache.

Conversely, for speculative caches, the metadata 40 stored in each entry 37 may have a different form than the metadata in the primary cache storage. For example, any metadata for the primary cache and entries 378 in the speculative cache 32 described above may also store additional information such as speculative tracking information for tracking the correspondence between entries of the speculative cache 32 and speculatively executed instructions (or speculatively executed instruction blocks) processed by the processing circuitry 4. In some cases, metadata 40 may identify the particular address of the speculative load instruction that triggered the allocation of entry 37 in speculative cache region 32. In practice, however, tracing on an instruction-by-instruction basis may be more complex than reasonable tracing, and other implementations may trace speculation at a coarser granularity. For example, metadata 40 may specify an identifier of a particular instruction block (slot) to be executed by processing circuitry 4. When all instructions in a block are resolved to correct speculations, then this may trigger the transfer of any entries 37 of the speculative cache storage area 32 that are tagged with an identifier of the corresponding instruction block from the speculative cache to the primary cache storage area 30.

In some cases, metadata 40 specified in entry 37 of speculative cache storage 32 may also include information identifying the location in entry 37 from which the data was obtained when the data was loaded into this allocated entry. This location may be other caches or main memory 18, as shown in FIG. 1, or in a multi-processor system, caches associated with different processor cores. For example, a system may include multiple instances of a processor as shown in FIG. 1, or may include other masters having different configurations but also including caches. In this case, metadata 40 may specify the location of the particular cache from which the data was fetched, such that if entry 37 of speculative cache storage area 32 needs to be discarded and the data in that entry is dirty, the data may be written back to the location from which it was fetched, and need not be written back to main memory. In some cases, this may be performed faster. Furthermore, writing data back to the location from which the data came may mean that there are fewer changes in the cache allocation in the other cache, which reduces the chances that an attacker can obtain information about the behavior of incorrectly speculatively executed instructions from an analysis of the cache allocation throughout the system.

Although FIG. 2 illustrates an embodiment in which the speculative cache region 32 is completely independent of the primary cache region 30, another implementation may provide a single set associative structure as illustrated by the primary region 30 of FIG. 2, but retaining at least one way 44 of the set associative structure for storing speculatively allocated entries while the other way 44 is dedicated to non-speculative allocation. This may provide similar protection against the attacks described above.

In one example, a speculative cache may be implemented as follows. In addition to the existing cache, a "speculative cache" 32 may be provided that holds speculatively added memory accesses. For example, a speculative cache may comprise a fully associative buffer (e.g., N-8, 16, or 32) of size N cache lines, which behaves as another "cache way," but has the following attributes:

1) as a result of the speculative access, entries are allocated into the speculative cache and they are marked with speculative period information indicating the block of instructions that caused the entry to be allocated; this information is used for other memory accesses or with metadata that can determine whether the accesses associated with entries in speculative cache 32 pass/fail their speculation or are still speculative.

2) Entries that pass through speculation may be allocated to main cache 30.

3) Entries that fail speculation cannot be allocated in primary cache 30, but may remain until the exception level changes.

4) When privileges are reduced (i.e., exception returns), entries in the speculative cache 30 that fail speculation are discarded (if they are clean) or written back (if they are dirty, the latter case may be due to dirty lines migrating from other locations into the speculative cache 30).

Fig. 3 shows a flow chart illustrating a method of controlling cache allocation. At step 50 cache control circuitry 34 determines that an entry needs to be allocated into the cache, for example when a load instruction is encountered and, therefore, when the requested address is not already cached in cache 16, memory access circuitry 15 requests data to be loaded from the memory system. At step 52, the cache control circuitry determines whether the allocation is in response to holding a speculative memory access. If so, then at step 54, the entry is allocated into the speculative cache area 32. If the allocation is not in response to holding a speculative memory access, then at step 56 the primary cache storage area 30 is allocated.

Alternatively, in some embodiments, rather than attempting to determine whether a memory access was speculatively performed at the time of cache allocation, the cache controller 34 may simply initially allocate any new entries into the speculative cache memory area and then transfer the new entries to the primary cache memory area 30 once the corresponding memory access or instruction block has been resolved to be correctly predicted. In this case, the cache controller 34 may not be able to make any direct allocation of new entries to the main cache 30 other than by transferring the entries from the speculative cache. Thus, even if some memory accesses are performed non-speculatively, they may still be allocated into the speculative cache storage area, but may be transferred into the primary cache relatively quickly (e.g., as part of a block transfer) if they have resolved correctly.

Figure 4 shows a flow chart illustrating the function of the cache controller 34 once a speculative memory access is resolved. At step 60, it is determined that the particular speculative memory access has been resolved. At step 62, it is determined whether the speculation is correct. If the speculation is correct, the entry allocated to speculative cache storage 32 in response to the speculative memory access may be transferred from speculative cache storage 32 to primary cache storage 30 at step 64. This transfer may occur directly in response to determining that the speculation is correct, or may occur at some later time. For example, instead of checking whether each instruction can transfer the corresponding entry, another approach may be to provide a periodic check operation that is performed from time to time. When performing the check operation, the cache controller may step through each entry of the speculative cache region 32 to check whether it corresponds to a block of one or more instructions that have been fully resolved to be correct, and if so, any of these entries may be transferred to the primary cache region 30, and the entries associated with the instructions still to be resolved may be retained in the speculative cache region.

On the other hand, if it is determined at step 62 that the speculation that resulted in the speculative memory access was resolved to incorrect, then at step 66 the entry associated with the memory access may be discarded or made inaccessible in speculative cache memory area 32 without being transferred to primary cache area 30. When an entry is discarded or made inaccessible, if the data in the entry is indicated as dirty, the data is written back to another storage location, which may be another level of cache or main memory 18, or may be the location in the metadata 40 indicated as the location from which the entry retrieved the data at the time of the previous allocation, at step 68.

In an alternative implementation of the process of fig. 4, steps 66 and 68 may be omitted, and the entries of the speculative cache storage area 32 may not need to be actually discarded when it is determined that some speculatively executed instructions were erroneously speculatively executed. Even if the entry remains in the speculative cache storage area 32 after the speculation was resolved to be incorrect, it is still possible that subsequent instructions still need to access the same data. This type of attack risk may occur if the code subsequently switches to less privileged code or code that should not gain access to certain sensitive information. However, if the code executing after the misprediction is still privileged or allowed to access sensitive information despite the misprediction, there is no problem retaining the allocation associated with the incorrectly speculated instruction within speculative cache 32. In fact, retaining these entries may provide performance benefits because subsequent instructions may attempt to access the same address location even if there is misspeculation. Thus, in some cases, the discarding may not be done while resolving speculative instructions, but in response to a separate flush event that may be triggered when switching to portions of code that should not access certain sensitive information.

Fig. 5 is a flowchart showing the processing of such a refresh event. At step 70, a speculative cache flush event occurs. For example, the event may be a decrease in the privilege level at which processing circuitry 4 is running, such as an exception return or a switch from a privileged state to a less privileged state. Furthermore, another example of a flush event may be the processing circuit 4 executing a speculative cache flush instruction. That is, the instruction decoder 6 may support an instruction set architecture that defines certain subsets of instructions as speculative cache flush instructions, which, when executed, may trigger the cache controller 34 to discard any entries in the speculative cache storage area 32 that relate to unresolved speculative memory accesses or memory accesses that are resolved to being mispredicted. This may allow a programmer or compiler to explicitly mark the point in the code where speculative allocations should be discarded from the cache to avoid subsequent code snooping operations to previously executed code by the side-channel approach described above. For example, the speculative cache flush instruction may be a dedicated instruction with no other architectural impact, i.e., an architectural NOP instruction.

In response to the occurrence of a speculative cache flush event at step 70, at step 72, the cache controller 34 controls the cache 16 to discard at least those entries 37 allocated in response to speculative memory accesses that have not yet resolved or that have resolved as a failure (mispredicted). In some cases, only such unresolved or failed speculative entries may be discarded, while entries associated with memory accesses that have resolved to the correct block need not be discarded (e.g., a periodic sweep to check for entries to be transferred to primary cache 30 may not have been performed since those entries resolved to be correct). However, in practice, the overhead associated with checking whether an entry is resolved or unresolved may not be justified, and a simpler approach may be to discard all entries of the speculative cache region 32 in response to a speculative cache flush event. Regardless of whether all entries are discarded or only those that did not resolve or fail are discarded, if the data in the discarded entries is dirty, the write back operation to another storage location may be performed again, similar to step 68 of FIG. 4.

In this application, the word "configured to … …" is used to indicate that an element of an apparatus has a configuration capable of performing the defined operation. Herein, "configuration" refers to an arrangement or manner of interconnection of hardware or software. For example, the apparatus may have dedicated hardware providing the defined operations, or a processor or other processing device may be programmed to perform the functions. "configured to" does not mean that the device elements need to be changed in any way to provide the defined operation.

Although illustrative embodiments have been described in detail herein with reference to the accompanying drawings, it is to be understood that the invention is not limited to those precise embodiments, and that various changes and modifications can be effected therein by one skilled in the art without departing from the scope or spirit of the invention as defined by the appended claims. Further example arrangements are listed in the following clauses:

(1) an apparatus, comprising:

processing circuitry to perform speculative execution of instructions;

a primary cache storage area;

a speculative cache storage area; and

cache control circuitry for allocating entries that a speculative memory access causes to be allocated to the speculative cache memory region instead of the primary cache memory region if the speculative memory access triggered by the processing circuitry remains speculative.

(2) The apparatus of clause 1, wherein the cache control circuitry is configured to: entries corresponding to non-speculative or speculative memory accesses that are resolved to be correct are exclusively allocated to the primary cache storage.

(3) The apparatus according to any of clauses 1 and 2, wherein the main cache memory area and the speculative cache memory area are both accessible in response to a read triggered by a speculative instruction executed by the processing circuitry.

(4) The apparatus of clause 3, wherein the cache control circuitry is configured to: the entry of the speculative cache memory region is discarded or made inaccessible to the processing circuitry in response to the processing circuitry switching from the higher-privilege state to the lower-privilege state.

(5) The apparatus of any of the preceding clauses, wherein the cache control circuitry is configured to: after the speculative memory accesses are resolved to be correct, entries allocated in response to the speculative memory accesses are transferred from the speculative cache memory area to the primary cache memory area.

(6) The apparatus of clause 5, wherein the cache control circuitry is configured to: in response to detecting that the speculative memory access was resolved to correct, the entry allocated in response to the speculative memory access is transferred directly to the primary cache storage area.

(7) The apparatus of clause 5, wherein the cache control circuitry is configured to periodically perform speculative cache transfer operations to determine whether any entries of the speculative cache storage area correspond to speculative memory accesses resolved correctly and to transfer entries corresponding to resolved speculative memory accesses to the primary cache storage area.

(8) The apparatus according to any of the preceding clauses wherein the cache control circuitry is configured to discard entries in the speculative cache storage area associated with speculative memory accesses that resolve to incorrect.

(9) The apparatus of any of the preceding clauses wherein the cache control circuitry is to, in response to a speculative cache flush event, discard at least an entry in the speculative cache memory area associated with one of:

resolved as an incorrect speculative memory access; and

speculative memory accesses that are still to be resolved.

(10) The apparatus of clause 9, wherein the cache control circuitry is to discard all entries of the speculative cache memory area in response to the speculative cache flush event.

(11) The apparatus of any of clauses 9 and 10, wherein the speculative cache flush event comprises: the processing circuit switches between a privileged higher state and a privileged lower state.

(12) The apparatus of any of clauses 9 and 10, wherein the speculative cache flush event comprises: the processing circuit switches from the privilege-high state to the privilege-low state.

(13) The apparatus of any of clauses 9 to 12, wherein the speculative cache flush event comprises: processing of a speculative cache flush instruction by processing circuitry.

(14) The apparatus of any of clauses 8 to 13, wherein the cache control circuitry is configured to: when an entry of a speculative cache memory region is discarded, it is determined whether data in the discarded entry is dirty, and the data is written to another memory location when the data is dirty.

(15) The apparatus of clause 14, wherein the additional storage locations comprise additional levels of cache or memory.

(16) The apparatus of clause 14, wherein the additional storage location comprises a location to obtain the data in response to the speculative memory access triggering the allocation of the entry to the speculative cache storage area.

(17) The apparatus of clause 16, wherein each entry of the speculative cache storage area specifies location metadata indicating a location from which the data was obtained.

(18) The apparatus of any of the preceding clauses wherein the speculative cache memory area comprises a cache memory structure separate from the primary cache memory area.

(19) The apparatus of any of the preceding clauses wherein the speculative cache memory areas have a higher associativity than the primary cache memory area.

(20) The apparatus of clause 19, wherein the speculative cache memory areas are fully associated.

(21) The apparatus of any of clauses 1-16, wherein the speculative cache memory area comprises a reserved portion of the same cache memory structure that comprises the primary cache memory area.

(22) The apparatus of clause 21, wherein the cache storage structure is set-associative and the speculative cache memory area comprises at least one reserved way of the cache storage structure.

(23) A method for an apparatus comprising processing circuitry to perform speculative execution of instructions; a primary cache storage area; and a speculative cache storage area, the method comprising:

in response to a speculative memory access triggered by the processing circuitry, an entry is allocated to a speculative cache memory region instead of the primary cache memory region in the event that the speculative memory access remains speculative.

(24) An apparatus, comprising:

processing circuitry to perform speculative execution of instructions;

an instruction decoder to decode instructions to control operation of the circuitry in accordance with the decoded instructions; wherein:

an instruction decoder, in response to a speculative cache flush instruction, controls processing circuitry to discard or make inaccessible one or more speculative entries from the cache that were allocated to the cache in response to a speculative memory access that remains unresolved or that was resolved as incorrect.

(25) A method of data processing, comprising:

decoding an instruction to control operation of the processing circuitry in accordance with the decoded instruction;

performing speculative execution of instructions using processing circuitry; and

in response to decoding of a speculative cache flush instruction, control processing circuitry discards or makes inaccessible one or more speculative entries from the cache that were allocated to the cache in response to the speculative memory access remaining unresolved or resolved as incorrect.