On 05/20/2015 03:59 AM, Jonathan Wakely wrote:
> On 20 May 2015 at 10:49, Avi Kivity wrote:
>> He's talking about an incorrect program. Wiping the object can detect a
>> use-after-free or otherwise cause the program to crash earlier rather than
>> later.
> I know. My point is that the compiler is always allowed to perform
> optimisations that are invisible to correct programs.
> An incorrect program has undefined behaviour, and not seeing those
> writes happen is one possible way that undefined behaviour can express
> itself.
FWIW, there was enough of a security concern with this (valid
and otherwise useful) optimization due to the possibility of
it leading to unintended information exposure in buggy programs
that C agreed to add a memset_s to (the optional) Annex K when
it rolled in TR 24731-1. The function prevents compilers from
optimizing away writes to objects even if they appear not to
be otherwise used. Some background on the added function can
be found in the original proposal here:
http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1381.pdf
Martin
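The pattern Martin describes, as an added example that is not part of the thread and not code from GCC or from any of the posters: a plain memset() before free() is a dead store from the compiler's point of view, so it may be elided; memset_s() from Annex K is specified so that it cannot be. Because glibc does not provide Annex K (it does not define __STDC_LIB_EXT1__), the example falls back to routing the call through a volatile function pointer, which is a widely used implementation of the same intent but is an assumption here, not what the standard mandates. The secret value and the helper names are constructed for the example.

```c
/* Must precede the first <string.h> include for memset_s to be declared
 * on implementations that support Annex K. */
#define __STDC_WANT_LIB_EXT1__ 1
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* The pattern under discussion: the buffer is never read after the
 * memset, so a conforming compiler may drop the store entirely
 * (dead-store elimination). A correct program cannot observe the
 * difference; a buggy one may later expose the unwiped bytes. */
static void clear_then_free_naive(unsigned char *buf, size_t len)
{
    memset(buf, 0, len);
    free(buf);
}

/* Fallback used when memset_s is unavailable (assumption, not standard
 * API): a volatile function pointer stops the optimizer from proving the
 * write is dead, because the callee cannot be resolved at compile time. */
static void *(*const volatile memset_via_volatile)(void *, int, size_t) = memset;

/* Wipe that is intended to survive optimization. Prefers the Annex K
 * function when the implementation advertises it. */
static void secure_memzero(void *p, size_t n)
{
#ifdef __STDC_LIB_EXT1__
    /* errno_t memset_s(void *s, rsize_t smax, int c, rsize_t n); */
    (void)memset_s(p, n, 0, n);
#else
    memset_via_volatile(p, 0, n);
#endif
}

/* Count bytes that are still non-zero, so a caller can verify the wipe. */
static size_t count_nonzero(const unsigned char *p, size_t n)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (p[i] != 0)
            k++;
    return k;
}

/* Scenario: copy a secret into a heap buffer, use it, wipe it, and check
 * the wipe before releasing the memory. Returns the number of leftover
 * non-zero bytes (0 means the wipe held), or -1 on allocation failure. */
static int wipe_secret_demo(void)
{
    static const char secret[] = "constructed-secret-value"; /* constructed */
    const size_t n = sizeof secret;
    unsigned char *buf = malloc(n);
    if (buf == NULL)
        return -1;
    memcpy(buf, secret, n);
    /* ... the secret would be used here ... */
    secure_memzero(buf, n);
    size_t leftover = count_nonzero(buf, n);
    free(buf);
    return (int)leftover;
}

int main(void)
{
    int leftover = wipe_secret_demo();
    printf("bytes left after secure_memzero: %d\n", leftover);
    /* The naive variant is shown for contrast only; whether its memset
     * survives depends on the optimizer, which is exactly the concern. */
    unsigned char *tmp = malloc(16);
    if (tmp != NULL)
        clear_then_free_naive(tmp, 16);
    return leftover == 0 ? 0 : 1;
}
```

Note that the check in wipe_secret_demo() happens before free(); reading the buffer afterwards would itself be undefined behaviour, which is Jonathan's point about why the compiler is free to discard the naive store in the first place.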