是否可以保证不会在 C++ 中优化执行内存写入的代码?

允许 C++ 编译器优化写入内存:

C++ compilers are allowed to optimize away writes into memory:

 {
     //all this code can be eliminated
     char buffer[size];
     std::fill_n( buffer, size, 0);
 }

在处理敏感数据时,典型的方法是使用 volatile* 指针来确保编译器发出内存写入.下面是 Visual C++ 运行时库 (WinNT.h) 中的 SecureZeroMemory() 函数的实现方式:

When dealing with sensitive data the typical approach is using volatile* pointers to ensure that memory writes are emitted by the compiler. Here's how SecureZeroMemory() function in Visual C++ runtime library is implemented (WinNT.h):

FORCEINLINE PVOID RtlSecureZeroMemory(
     __in_bcount(cnt) PVOID ptr, __in SIZE_T cnt )
{
    volatile char *vptr = (volatile char *)ptr;
#if defined(_M_AMD64)
    __stosb((PBYTE )((DWORD64)vptr), 0, cnt);
#else
    while (cnt) {
        *vptr = 0;
        vptr++;
        cnt--;
    }
#endif
    return ptr;
}

该函数将传递的指针转换为 volatile* 指针,然后通过后者写入.但是,如果我在局部变量上使用它:

The function casts the passed pointer to a volatile* pointer and then writes through the latter. However if I use it on a local variable:

char buffer[size];
SecureZeroMemory( buffer, size );

变量本身不是volatile.因此,根据可观察行为的 C++ 标准定义,写入 buffer 不算作可观察行为,并且看起来可以优化掉.

the variable itself is not volatile. So according to C++ Standard definition of observable behavior writes into buffer don't count as observable behavior and looks like it can be optimized away.

现在下面有很多关于页面文件,缓存等的评论,这些评论都是有效的,但我们在这个问题中忽略它们.这个问题的唯一问题是内存写入的代码是否被优化掉了.

Now there're a lot of comments below about page files, caches, etc, which are all valid, but let's just ignore them in this question. The only thing this question is about is whether the code for memory writes is optimized away or not.

是否可以确保写入内存的代码不会在 C++ 中优化掉?SecureZeroMemory() 中的解决方案是否符合 C++ 标准?

Is it possible to ensure that code doing writes into memory is not optimized away in C++? Is the solution in SecureZeroMemory() compliant to C++ Standard?

推荐答案

没有可移植的解决方案.如果它愿意,编译器可以在您在内存中的多个位置使用数据时制作数据的副本,并且任何零函数只能将它当时使用的那个函数归零.任何解决方案都是不可移植的.

There is no portable solution. If it wants to, the compiler could have made copies of the data while you were using it in multiple places in memory and any zero function could zero only the one it's using at that time. Any solution will be non-portable.

相关文章