At 02:22 PM 11/8/2002 +0000, Vincent Penquerc'h wrote:
On Fri, Nov 08, 2002 at 08:35:06AM -0500, Patrick Chkoreff wrote:
> That's an interesting idea.  You'd take the pointer returned by alloca and
> pass it to memset.  How could the optimizer possibly know that the pointer

With GCC, it's a builtin, so it will know.
Gotcha.

> I was thinking the only way to really stymie the optimizer might be to have
> the program flow depend on something read from a file! You could have a
> file with a single 0 word in it. At the beginning of your program, just
> one time, you say this:

I'm afraid optimizations could remove this too. The point, if I understand
it correctly, is that operations on memory have, from the compiler's POV,
a zero lifetime, since the block is freed just afterwards. So, whether you
write zero or anything else there, this write can be discarded, since it's
not used afterwards. Dead write, kind of.

You got me thinking again, and I think you're right. Allow me to simulate the optimizer's "thinking."

Here's the original code:

if (!fool_opt) sensitive = 0;
if (!sensitive) die_horribly_because_this_should_never_happen();

Here is a logical equivalent:

if (fool_opt) {
    if (!sensitive) die_horribly_because_this_should_never_happen();
} else {
    sensitive = 0;
    if (!sensitive) die_horribly_because_this_should_never_happen();
}

Now the compiler can optimize the else case as follows:

if (fool_opt) {
    if (!sensitive) die_horribly_because_this_should_never_happen();
} else {
    die_horribly_because_this_should_never_happen();
}

This is logically equivalent to:

if (!fool_opt || !sensitive) die_horribly_because_this_should_never_happen();

So you're correct, the compiler can view the "sensitive = 0" statement as a "dead write" as you say.

DOH!!! :-o

So it sounds like Welschenbach's var-arg trick is still the best bet at this point for a "portable" zeroize technique.

-- Patrick
http://fexl.com
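An added illustration of the dead-store problem discussed above, not code from Patrick's or Vincent's mails: `naive_scrub` is the memset pattern the thread argues the optimizer may discard, while `secure_zero` stores through a volatile-qualified pointer so each write is a side effect the compiler must keep. All function names and the 32-byte "key" are my own constructed assumptions.

```c
#include <stddef.h>
#include <string.h>

typedef void (*scrub_fn)(unsigned char *, size_t);

/* The scrub discussed in the thread: the caller never reads `buf` again, so a
 * compiler may treat this memset as a dead store and drop it. */
static void naive_scrub(unsigned char *buf, size_t len)
{
    memset(buf, 0, len);
}

/* Scrub through a volatile-qualified pointer: each store is then a side effect
 * the compiler must perform, so dead-store elimination cannot remove it (the
 * same guarantee explicit_bzero()/memset_s() give where they exist). */
static void secure_zero(unsigned char *buf, size_t len)
{
    volatile unsigned char *p = buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Count the non-zero bytes in a buffer. */
static size_t count_nonzero(const unsigned char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) n += (buf[i] != 0);
    return n;
}

static volatile unsigned sink;   /* keeps the "use" of the key observable */

/* Constructed demo: fill a 32-byte "key", use it, scrub it with `scrub`
 * (NULL = no scrub), and return how many non-zero bytes remain. */
static size_t leftover_after(scrub_fn scrub)
{
    unsigned char key[32];
    unsigned sum = 0;
    for (size_t i = 0; i < sizeof key; i++) {
        key[i] = (unsigned char)(0xA5 ^ (i * 7));   /* constructed secret */
        sum = sum * 31 + key[i];
    }
    sink = sum;
    if (scrub) scrub(key, sizeof key);
    /* Reading key here keeps even naive_scrub's memset alive, so this proves
     * secure_zero works; it cannot show naive_scrub being optimized away. */
    return count_nonzero(key, sizeof key);
}
```

Whether `naive_scrub` actually loses its memset is only visible in the generated assembly of a caller that never touches the buffer again, which is exactly why a runtime check cannot catch it.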
