[PATCH 1/3] New string function explicit_bzero (from OpenBSD).

Paul Eggert eggert@cs.ucla.edu
Thu Sep 15 15:59:00 GMT 2016


On 09/15/2016 06:05 AM, Zack Weinberg wrote:
> +The compiler will not delete a call to this function, even
> +if the object beginning at @var{block} is never referred to again.

That's too strong, no? It'd be OK if the compiler inlined the call, or 
if it deleted the call if LEN is zero. Also, "referred to" is too vague, 
as we don't care whether the block is written to later, only whether it 
is read from. And "beginning at @var{block}" is redundant given the 
previous sentence. I suggest rewording this to "The zeros are written 
even if the object is never read again."

> +Without the call to @code{explicit_bzero}, @var{k} might not need to
> +be stored in memory: depending on the ABI, its value could be returned
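
Review bot: The example in this hunk should also say what explicit_bzero covers once it has forced @var{k} into memory: the call clears only the object it is passed, so a copy of @var{k} that the compiler kept in a register, or spilled to another stack slot, is not erased by it. Stating that limit right next to the ABI remark stops a reader from assuming the call removes every copy of the key.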

Although this info is helpful, it would be even more helpful if the 
example explained how to fix the problem. (Can one declare K to be 
volatile, for example? If not, explain why this does not suffice. Does 
it help to pass &K to explicit_bzero before initializing K? If not, 
explain that too.) If there is no portable way to address the problem, 
the discussion should flat-out say so.

I hate to say it, but multithreading issues might need a brief mention 
too. If some other thread is compromised, a call to explicit_bzero can 
make the current thread more vulnerable, not less.

I must say that after thinking about the above, my opinion of 
explicit_bzero has gone down a bit....
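
The dead-store problem the quoted documentation describes, as an added example that is not part of this e-mail or of the glibc patch: `secure_zero` is a hypothetical volatile-store stand-in for `explicit_bzero`, and the key derivation and use in `use_and_wipe_key` are constructed for illustration (the secret must be non-empty).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Portable stand-in for explicit_bzero (hypothetical helper, not glibc's).
   Stores through a volatile pointer are observable side effects, so the
   optimizer cannot drop them as it may drop a memset() on a dead object. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = p;
    while (n--)
        *vp++ = 0;
}

/* Same shape as the manual's example: derive a key k, use it, wipe it.
   The "derivation" and "use" are constructed for illustration, not a KDF. */
static uint32_t use_and_wipe_key(const unsigned char *secret, size_t len)
{
    unsigned char k[16];
    uint32_t tag = 0;
    size_t i;

    for (i = 0; i < sizeof k; i++)
        k[i] = secret[i % len] ^ (unsigned char)(0x5a + i);
    for (i = 0; i < sizeof k; i++)
        tag += k[i];                 /* the only read of k */

    /* memset(k, 0, sizeof k) here is a dead store the compiler may delete;
       the volatile stores in secure_zero are not. Only the object k is
       cleared: copies kept in registers or spilled elsewhere are untouched. */
    secure_zero(k, sizeof k);
    return tag;
}

/* Fills a 64-byte buffer with 0xff, wipes the first n bytes, and returns 1
   only if those bytes are zero and the remaining bytes were left untouched. */
static int secure_zero_clears(size_t n)
{
    unsigned char buf[64];
    size_t i;
    if (n > sizeof buf)
        return 0;
    memset(buf, 0xff, sizeof buf);
    secure_zero(buf, n);
    for (i = 0; i < sizeof buf; i++)
        if (buf[i] != (i < n ? 0x00 : 0xff))
            return 0;
    return 1;
}
```

Whether a real build actually keeps the stores is something to confirm in the generated assembly for the optimization level in use, not from the source alone.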
