Is gcc allowed to eliminate writes in a destructor?

Martin Sebor msebor@redhat.com
Wed May 20 17:58:00 GMT 2015


On 05/20/2015 03:59 AM, Jonathan Wakely wrote:
> On 20 May 2015 at 10:49, Avi Kivity wrote:
>> He's talking about an incorrect program.  Wiping the object can detect a
>> use-after-free or otherwise cause the program to crash earlier rather than
>> later.
>
> I know. My point is that the compiler is always allowed to perform
> optimisations that are invisible to correct programs.
>
> An incorrect program has undefined behaviour, and not seeing those
> writes happen is one possible way that undefined behaviour can express
> itself.

FWIW, there was enough of a security concern with this (valid
and otherwise useful) optimization due to the possibility of
it leading to unintended information exposure in buggy programs
that C agreed to add a memset_s to (the optional) Annex K when
it rolled in TR 24731-1. The function prevents compilers from
optimizing away writes to objects even if they appear not to
be otherwise used. Some background on the added function can
be found in the original proposal here:

http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1381.pdf

Martin
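
An added illustration of the point above, in C; this is not code from the thread or from gcc. The first function wipes a local copy of a key with plain memset() after its last use, which is exactly the dead store an optimizer is entitled to drop. The second routes the wipe through a volatile function pointer so the call cannot be proven dead and survives, which is the usual portable fallback where memset_s (Annex K) or explicit_bzero() is not provided. The sample key, the function names, and the FNV-1a digest that stands in for "use of the key" are constructed for this example.

```c
/* Added example (not from the gcc-help thread): a dead-store wipe that
 * an optimizer may drop, beside a wipe that survives.  Names, the sample
 * key and the digest are assumptions made for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN 32

/* Constructed sample key (not a real secret). */
static const uint8_t sample_key[KEY_LEN] = {
    0xa5, 0xa4, 0xa7, 0xa6, 0xa1, 0xa0, 0xa3, 0xa2,
    0xad, 0xac, 0xaf, 0xae, 0xa9, 0xa8, 0xab, 0xaa,
    0xb5, 0xb4, 0xb7, 0xb6, 0xb1, 0xb0, 0xb3, 0xb2,
    0xbd, 0xbc, 0xbf, 0xbe, 0xb9, 0xb8, 0xbb, 0xba
};

/* A volatile pointer to memset: the compiler must reload it at every call
 * and cannot know which function it will reach, so the call and its
 * writes to otherwise-dead memory are not removed.  memset_s (C11 Annex K)
 * and explicit_bzero() give that guarantee directly where they exist. */
static void *(*const volatile memset_vp)(void *, int, size_t) = memset;

void secure_clear(void *p, size_t n)
{
    memset_vp(p, 0, n);
}

/* Small digest standing in for "use the key" (FNV-1a, 32-bit). */
static uint32_t fnv1a(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* Buggy pattern: the final memset writes to a local that is never read
 * again, so an optimizing compiler may drop it and the key stays on the
 * stack until something else happens to overwrite it. */
uint32_t use_key_naive(const uint8_t *secret, size_t n)
{
    uint8_t tmp[KEY_LEN];
    if (n > KEY_LEN) n = KEY_LEN;
    memcpy(tmp, secret, n);
    uint32_t h = fnv1a(tmp, n);
    memset(tmp, 0, sizeof tmp);   /* dead store: may be eliminated */
    return h;
}

/* Hardened pattern: the wipe goes through the volatile pointer. */
uint32_t use_key_hardened(const uint8_t *secret, size_t n)
{
    uint8_t tmp[KEY_LEN];
    if (n > KEY_LEN) n = KEY_LEN;
    memcpy(tmp, secret, n);
    uint32_t h = fnv1a(tmp, n);
    secure_clear(tmp, sizeof tmp); /* kept regardless of optimization */
    return h;
}

/* The "destructor" case from the thread subject, in C: a write to an
 * object immediately before free() is as dead as a write to a local
 * immediately before return, so it needs the same treatment. */
struct session {
    uint8_t key[KEY_LEN];
};

struct session *session_new(const uint8_t *key)
{
    struct session *s = malloc(sizeof *s);
    if (s) memcpy(s->key, key, KEY_LEN);
    return s;
}

void session_free(struct session *s)
{
    if (!s) return;
    secure_clear(s, sizeof *s);   /* plain memset here could be dropped */
    free(s);
}

/* Check that secure_clear really zeroed memory that is still live. */
int is_all_zero(const uint8_t *p, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) acc |= p[i];
    return acc == 0;
}
```

The two use_key functions return the same digest; the difference is only visible in the generated code. Compile with gcc -O2 -S and compare the tail of use_key_naive (no memset call or inlined zeroing stores) with use_key_hardened (an indirect call through memset_vp). Neither memset_s nor the volatile trick does anything about copies of the key left in registers or spill slots, which is a separate problem.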
