That depends how much the compiler can optimize (away). If the next call is free(), it's quite trivial to skip the zeroing and just take the correct branch.
I am still uncertain while people want to just 'zero' it. Filling random data (just one random() call) and then using inline PRNG, then summing the result, storing it globally in volatile would reliable 'zero' the data but it's quite CPU intense.
You still are not guaranteed to clear the buffer like that.
for (int i=0; i<len; i++){
sensitiveBuffer[i]=random();
}
int sum=0;
for (int i=0; i<len; i++){
sum+=sensitiveBuffer[i];
}
volitileVar=sum;
Using loop fusion, the compiler can optimize this to:
int sum=0;
for (int i=0; i<len; i++){
sensitiveBuffer[i]=random();
sum+=sensitiveBuffer[i];
}
volitileVar=sum;
Which it can then optimize to:
int sum=0;
for (int i=0; i<len; i++){
sum+=random();
}
volitileVar=sum;
In fact, as the article points out, the compiler can legally transform:
Why shouldn't the compiler be able to figure out that you sum a series of numbers that aren't used anywhere else, thus don't need to be spilled to RAM?
I am still uncertain while people want to just 'zero' it. Filling random data (just one random() call) and then using inline PRNG, then summing the result, storing it globally in volatile would reliable 'zero' the data but it's quite CPU intense.