To expand on my statement about the LKMM's weakness regarding control constructs, here is a litmus test to illustrate the issue. You might want to add this to one of the archives. Alan C crypto-control-data (* * LB plus crypto-control-data plus data * * Expected result: allowed * * This is an example of OOTA and we would like it to be forbidden. * The WRITE_ONCE in P0 is both data-dependent and (at the hardware level) * control-dependent on the preceding READ_ONCE. But the dependencies are * hidden by the form of the conditional control construct, hence the * name "crypto-control-data". The memory model doesn't recognize them. *) {} P0(int *x, int *y) { int r1; r1 = 1; if (READ_ONCE(*x) == 0) r1 = 0; WRITE_ONCE(*y, r1); } P1(int *x, int *y) { WRITE_ONCE(*x, READ_ONCE(*y)); } exists (0:r1=1)