Hello SG12/UB folks,
Here's what I'd want SG12's help on: assume that there's a need for some sort of "secure clearing of memory", how do we fit this into the abstract machine? What behavior do we specify, what do we leave open, while meeting the stated security goals?
Asking for clarification:
int i; // i is live and uninitialized
int i = 2;
secure_clear(&i, sizeof(i));
// is i still a live int, and if so, is it considered uninitialized?
From both an SG12 and an LEWG point of view, it scares me to have a mechanism to turn an initialized int into an uninitialized int.
Sidebar: It looks like C++20 already added such a mechanism :-(. I didn't realize that the behavior for calling a pseudo-destructor had changed for C++20
[diff.cpp17.basic], as that has implications for library and I don't remember the change going through both SG12 and LEWG (if it did, please disregard).
In C++17 and prior, the following code had no preconditions):
std::vector<int> Copy(std::vector<int> const& v)
{ return v; }
Now it does have an undocumented precondition, which makes it a breaking change.
--