I was reading the following post, negative-result-reading-kernel-memory-from-user-mode, just to better understand how out-of-order microarchitectures actually work (the link refers to an i3-5005u Broadwell CPU).
Consider the following code block speculatively executed:
    mov rax, [somekerneladdress]
    and rax, 1
    mov rbx, [rax+Someusermodeaddress]
As far as I can understand, when the last two instructions are speculatively executed, the address loaded differs depending on the value loaded from somekerneladdress, and thus the address loaded into the cache may cause different cache lines to be loaded (the associated micro-ops are speculatively executed regardless of the fact that the CPU is in user mode).
My point is: what is the purpose of the second instruction (namely add rax, 1)? Even without that instruction, that code block is speculatively executed as well, I think.
Does it actually make sense? Thank you.