More on in-memory zeroisation

Leichter, Jerry leichter_jerrold at
Mon Dec 10 16:03:14 EST 2007

| > There was a discussion on this list a year or two back about
| > problems in using memset() to zeroise in-memory data, specifically
| > the fact that optimising compilers would remove a memset() on
| > (apparently) dead data in the belief that it wasn't serving any
| > purpose.
| Then, s/memset(?,0,?)/(memset)(?,0,?)/ to get rid of compiler
| in-lining.
| Ref: ANSI X3.159-1989, section 4.1.6 (Use of C standard library
| functions)
I don't have te C89 spec handy (just the C99 spec, which is laid
out differently), but from what I recall, this construct guarantees
nothing of the sort.

Most standard library functions can be implemented as macros.  Using the
construct (f)(args) guarantees that you get the actual function f,
rather than the macro f.  However, that doesn't say anything about
whether f is actually invoked at run time.  That comes under the "acts
as if" rule:  If the compiler can prove that the state of the C
(notional) virtual machine is the same whether f is actually invoked or
not, it can elide the call.  Nothing says that memset() can't actually
be defined in the appropriate header, as a static (or, in C99, inline)
function.  Then the compiler can look at the implementation and "prove"
that a memset() to a dead variable can be elided....

							-- Jerry

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list