On 09/10/14 12:18, Florian Weimer wrote:
> On 10/08/2014 04:15 AM, Sandy Harris wrote:
>> There are various solutions to this. Linux now has memzero_explicit(),
>> OpenSSH has bzero_explicit(), C11 has memset_s().
>
> Minor nit: The C11 standard still allows memset_s to be optimized away
> if this does not cause an observable difference in behavior (in C
> terms). I know the intent is different, but this is impossible to
> address within the standard, considering the direction in which the
> language has developed over the last decades.
How so?
Copying the relevant description (n1570 draft):

    Unlike memset, any call to the memset_s function shall be evaluated
    strictly according to the rules of the abstract machine as described
    in (5.1.2.3). That is, any call to the memset_s function shall assume
    that the memory indicated by s and n may be accessible in the future
    and thus must contain the values indicated by c.
For all the C compiler knows, the memset_s library function might be storing
a pointer to s in a global variable, and checking its value on every libc
call (including exit functions).

The compiler would need to know that memset_s is special (either
intrinsically or through e.g. function attributes). Either way, IMHO
advance knowledge allowing it to be optimized out would be a violation of
K.3.7.4.1.

The only misbehavior route I see would be the compiler using undefined
behavior elsewhere to decide that the whole path is unreachable.
Regards
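An added example, not code from any poster in this thread: the usual portable way to keep a secret-wiping store from being removed by dead-store elimination without depending on memset_s, routing memset through a volatile function pointer (the technique OpenSSH's explicit_bzero() falls back to) plus a GCC/Clang memory clobber. The helper name secure_memzero and the sample key are assumptions for this illustration.

```c
#include <stddef.h>
#include <string.h>

/* A plain memset() on a buffer that is never read again is a dead
 * store under the abstract machine, so the optimizer may drop it.
 * Calling through a volatile function pointer forces the call to be
 * emitted: the compiler cannot know which function the pointer holds
 * at run time, so it cannot reason the store away. */
static void *(*volatile memset_ptr)(void *, int, size_t) = memset;

/* Hypothetical helper: zero n bytes at s in a way the optimizer keeps. */
void secure_memzero(void *s, size_t n)
{
    memset_ptr(s, 0, n);
#if defined(__GNUC__)
    /* Belt-and-braces barrier: tells the compiler that memory reachable
     * through s may be read by the asm, so the store above stays live. */
    __asm__ __volatile__("" : : "r"(s) : "memory");
#endif
}

/* Demonstration: fill a stack buffer with a constructed sample secret,
 * wipe it, and return how many non-zero bytes remain (expected: 0).
 * The read-back here is only for the test; in real code the point of
 * secure_memzero is that the wipe survives even when nothing reads the
 * buffer afterwards. */
size_t wipe_and_count_leftover(void)
{
    unsigned char key[32];
    size_t leftover = 0;

    for (size_t i = 0; i < sizeof key; i++)
        key[i] = (unsigned char)(0xA5 ^ i);   /* constructed sample key */

    secure_memzero(key, sizeof key);

    for (size_t i = 0; i < sizeof key; i++)
        leftover += (key[i] != 0);
    return leftover;
}
```

Inspecting the generated object code (for example with objdump) after building at -O2 is the only reliable way to confirm the store was actually kept; a runtime check such as the one above cannot observe an elided wipe.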