[cfe-dev] Static analyzer: dead store false positives
Christopher Jefferson
chris at bubblescope.net
Tue Mar 15 10:52:57 PDT 2011
On 15 Mar 2011, at 17:48, Trevor Harmon wrote:
> My app includes a third-party SHA-1 implementation that does some local variable wiping, I assume for security reasons. It looks like this:
>
> void SHA1Transform(...) {
> u_int32_t a, b, c, d, e;
> ....
> /* Wipe variables */
> a = b = c = d = e = 0;
> }
Unless you compiler this code without optimisation (and even then), it is very likely the compiler will optimise away those wipes and leave the values in memory, or registers, or wherever it feels like.
If you made the variables volatile there is a better chance you would get the result you want, and I would expect clang wouldn't flag them (at least, it shouldn't). Of course that might also well lead to lower performance.
Chris
More information about the cfe-dev
mailing list