I was refering both compilers not knowing about memset_s definition and
those that do. For the later, the compiler knows that memset_s won't store
s in a global variable, but the semantic of "shall assume that the memory
indicated by s and n may be accessible in the future and thus must contain
the values indicated by c" would be equivalent in this aspect to "the
pointer
is stored in a global variable".
That shouldn't be a problem.
My point was that both things (removing + correct behaviour) could not
be done.
(I was midly expecting someone to readily present a counterexample, though)
This is an interesting point. I agree that the compiler could reorder
the memset_s call,
but I don't think that more than delaying it a few statements for which
it can prove
they don't access that area. the next library call (even if it is in the
C spec, remember
that the way they are implemented is not defined).

Thus, the zeroed contents might not be immediatly available for an
omniscient inspector,
but they would in a small delta. Or, if we have a bizarre architecture
needing a barrier in
order to "commit" the memory write, that shall be performed by memset_s
for fullfilling
the "must contain the values indicated by c" requeriment.

It is true that you may need special instructions for ensuring the new
value from a concurrent
thread (I don't consider memset_s suitable for clearing a spinlock), but
C doesn't deal with
threads or shared memory, thus you are . Then you either use another
primitive to synchronize
them (and at that point the memory will have to be memsetted), or they
are in a race condition
and there's nothing specified for what it may contain.

I also speculated with the idea of a processor that optimized the
microcode in such a way that ended
up removing the memset_s call, but concluded that (in addition of the
cpu requiring such global
knowledge not to be realistic) then memset_s would have to include its
special barriers for fulfilling
the "shall assume that the memory indicated by s and n may be accessible
in the future and thus
must contain the values indicated by c" if it was otherwise implemented
with such instructions that
would allow the processor not to store the values in memory.
And is architecture specific and not portable. IMHO memset_s serves the
task equally well, with the benefit
of being a standard function.




PS: As I was finishing this email, I thought the following dull
implementation (error checking skipped):

errno_t memset_s(void *s, rsize_t smax, int c, rsize_t n) {
size_t i; unsigned char *tmp;
tmp = malloc(n);
for (i = 0; i < n; i++) {
tmp[i] = ((unsigned char *)s)[i] ^(unsigned char) c;
}
for (i = 0; i < n; i++) {
((unsigned char *)s)[i] ^= tmp[i];
}
}

Although completely missing the point, I think it would be conformant.*
If you know that a specific implementation
is flawed, please avoid it (you can use a replacement) or, better yet,
replace your libc with a good one.

I agree there may have to be some machine-dependent code, but
it seems to me it should be in the definition of memset_s(). The
library code (or the compiler if it provides it as a built-in) should
deal with this so application programmers do not have to.

That is one of the main reasons to have library functions. Almost
any programmer could write a version of memset() easily, but we
use the library function instead and let library implementers
worry about things like optimizing for a particular word size or
using assembler for speed. Similarly, making memset_s() live
up to the spec is a problem for the library implementers.

Currently glibc, at least on my Ubuntu box, does not have
memset_s(), so Linux kernel code has memzero_explicit().
That is OK as a short-term solution, but memsets_s() would
be a cleaner solution.

This is a different problem: While the compiler must wipe X, the compiler
might have stored copies somewhere else (typically in the stack, although
it would be possible to leave sensitive data in registers that aren't
overwritten
later).

It's not even that hard to come up with an example where calling
memset_s causes the creation of another copy which is the only one which
is being cleared:

#include <stddef.h>

struct key {
unsigned long long low;
unsigned long long high;
};

struct key get_key(void);
void use_key(struct key);

void secure_clear_memory(void *, size_t);

void
without_clear(void)
{
struct key k;
k = get_key();
use_key(k);
}

void
with_clear(void)
{
struct key k;
k = get_key();
use_key(k);
secure_clear_memory(&k, sizeof(k));
}

without_clear:
subq $8, %rsp
call get_key
movq %rdx, %rsi
movq %rax, %rdi
call use_key
addq $8, %rsp
ret

with_clear:
subq $24, %rsp
call get_key
movq %rax, %rdi
movq %rdx, %rsi
movq %rax, (%rsp)
movq %rdx, 8(%rsp)
call use_key
movq %rsp, %rdi
movl $16, %esi
call secure_clear_memory
addq $24, %rsp
ret