On Fri, Nov 10, 2017 at 2:09 PM, Jorge Almeida <jjalme...@gmail.com> wrote: > On Fri, Nov 10, 2017 at 4:25 PM, R0b0t1 <r03...@gmail.com> wrote: >> Hello, >> > >> >> I'm having trouble finding the article again, but these functions look >> very similar to Microsoft's extensions to the C standard. There is a >> good case to be made that they are counterproductive. > > Yes, it looks like it. No wonder, if it's MS inspired. But what I care > about is the fact that it's not optimized away, not the boundaries > checking stuff. It's hard to believe that it is practically impossible > to clean up a buffer, unless one is willing to forego all > optimizations: > > http://www.daemonology.net/blog/2014-09-04-how-to-zero-a-buffer.html >
I really think there is a deeper issue here then, which is that the compiler takes a lot of liberties when translating a program description into machine code. There have been suggestions made that this makes very nearly all compilers unsuitable for high reliability purposes. Cryptographic or user security code is likely a candidate for the label "high reliability." To further explain why the additions are counterproductive: the programmer still has to remember to use them. It is just as likely that the programmer will forget to use memset_s properly as any of the other functions in string.h (possibly by forgetting to sanitize input i.e. the memory segment boundaries). > >>> Of course, what would really solve the optimize-into-oblivion problem >>> is a pragma that when invoked on a particular block of code (maybe >>> only a function definition) would tell the compiler to do what the >>> programmer says rather than viewing a function as a kind of black box. >>> >> >> This would probably be useful. It may be wise to reimplement important >> functionality. >> > No idea how difficult it would be to implement, of course. There might > even exist a C keyword for that. After all, the C standard states the > "as-if" rule, it might as well establish such an exception. > Sorry, I misrepresented what I meant. I meant to suggest reimplementing, apart from a standard library, any critical code. This is generally recommended against but unless there is a hand-tuned version that has been guaranteed to work around quirks in your compiler, you are now the person who has to write and maintain that hand-tuned version. If you don't mind I might post this concern to the GCC mailing list, or you can take it up if you want. Cheers, R0b0t1