From 8ffcc7d49633f3ef291a0f3f7c41d694c1448586 Mon Sep 17 00:00:00 2001 From: Brian Smith Date: Tue, 28 Oct 2025 09:16:55 -0700 Subject: [PATCH] Revert "optimize constant_time_conditional_memxor for gcc". This reverts commit 9b3ef1b3d34d09c40b999d05ca6a92c77a9345e3. It seems like the casts in the loop violate strict aliasing rules. This may result in a performance regression when GCC is used instead of Clang, as this code path was added specifically for GCC to address this performance difference. --- crypto/internal.h | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/crypto/internal.h b/crypto/internal.h index be12a1cc01..cd41ee4f67 100644 --- a/crypto/internal.h +++ b/crypto/internal.h @@ -263,17 +263,6 @@ static inline void constant_time_conditional_memxor(void *dst, const void *src, debug_assert_nonsecret(!buffers_alias(dst, n, src, n)); aliasing_uint8_t *out = dst; const aliasing_uint8_t *in = src; -#if defined(__GNUC__) && !defined(__clang__) - // gcc 13.2.0 doesn't automatically vectorize this loop regardless of barrier - typedef aliasing_uint8_t v32u8 __attribute__((vector_size(32), aligned(1), may_alias)); - size_t n_vec = n&~(size_t)31; - v32u8 masks = ((aliasing_uint8_t)mask-(v32u8){}); // broadcast - for (size_t i = 0; i < n_vec; i += 32) { - *(v32u8*)&out[i] ^= masks & *(v32u8 const*)&in[i]; - } - out += n_vec; - n -= n_vec; -#endif for (size_t i = 0; i < n; i++) { out[i] ^= value_barrier_w(mask) & in[i]; }