[std-proposals] more security concerns

I like the idea.
Function poisoning might also serve your needs. E.g.,
https://www.fluentcpp.com/2018/09/04/function-poisoning-in-cpp/

If gcc poison were standardized in some fashion, you could write your own
wrappers to those functions with all the [[nodiscard]] you might want.

Control in that case is a little less granular, indeed. Probably if you're
writing [[nodiscard]] on a per-expression basis you are not discarding the
result already.

Regards

--
You received this message because you are subscribed to the Google Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an email to std-proposals+***@isocpp.org.
To post to this group, send email to std-***@isocpp.org.
To view this discussion on the web visit https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAO8_tC4kNZ6s-xMXo69n1D3dbOMkqt0fjLU44Uq5TfABp17hQQ%40mail.gmail.com.

Daniel Gutson

2018-09-28 13:36:27 UTC

Yeah. But please note that this is not only for function calls.

void f()
{
int secret;
....
secret = 0; //removed due to DSE
}

If I declare secret as volatile or write 0s to its address I may prevent
the compiler to use a register impacting in performance. That's why I want
to use the attribute here too.

Post by Andrew Giese
I like the idea.
Function poisoning might also serve your needs. E.g.,
https://www.fluentcpp.com/2018/09/04/function-poisoning-in-cpp/
If gcc poison were standardized in some fashion, you could write your own
wrappers to those functions with all the [[nodiscard]] you might want.
Control in that case is a little less granular, indeed. Probably if you're
writing [[nodiscard]] on a per-expression basis you are not discarding the
result already.
Regards
--
You received this message because you are subscribed to the Google Groups
"ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an
To view this discussion on the web visit
https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAO8_tC4kNZ6s-xMXo69n1D3dbOMkqt0fjLU44Uq5TfABp17hQQ%40mail.gmail.com
<https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAO8_tC4kNZ6s-xMXo69n1D3dbOMkqt0fjLU44Uq5TfABp17hQQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
.

--
You received this message because you are subscribed to the Google Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an email to std-proposals+***@isocpp.org.
To post to this group, send email to std-***@isocpp.org.
To view this discussion on the web visit https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAFdMc-1DpAUkYDVyNmP5H49XyNVDq5_T6UkEVaQGMGA0YEhNGw%40mail.gmail.com.

f***@gmail.com

2018-09-28 14:14:20 UTC

I want to highlight that [[nodiscard]] on functions is not about forcing
the compiler to keep the value, but instead to emit a warning if the user
doesn't use the value.
So meaning would be different.
In that respect, another attribute name might be better.

Also, it is already possible (but cumbersome) to implement already without
volatile:
void f() {
int secret_int;
float secret_float;
/* ... */
secret_int = 0;
secret_float = 0
asm volatile ("" ::"irm"(secret_int), "xm"(secret_float));
}

I would really like an attribute for that, though.

Post by Daniel Gutson
Yeah. But please note that this is not only for function calls.
void f()
{
int secret;
....
secret = 0; //removed due to DSE
}
If I declare secret as volatile or write 0s to its address I may prevent
the compiler to use a register impacting in performance. That's why I want
to use the attribute here too.

Post by Andrew Giese
I like the idea.
Function poisoning might also serve your needs. E.g.,
https://www.fluentcpp.com/2018/09/04/function-poisoning-in-cpp/
If gcc poison were standardized in some fashion, you could write your own
wrappers to those functions with all the [[nodiscard]] you might want.
Control in that case is a little less granular, indeed. Probably if
you're writing [[nodiscard]] on a per-expression basis you are not
discarding the result already.
Regards
--
You received this message because you are subscribed to the Google Groups
"ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an
To view this discussion on the web visit
https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAO8_tC4kNZ6s-xMXo69n1D3dbOMkqt0fjLU44Uq5TfABp17hQQ%40mail.gmail.com
<https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAO8_tC4kNZ6s-xMXo69n1D3dbOMkqt0fjLU44Uq5TfABp17hQQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
.

Daniel Gutson

2018-09-28 14:17:56 UTC

Post by f***@gmail.com
I want to highlight that [[nodiscard]] on functions is not about forcing
the compiler to keep the value, but instead to emit a warning if the user
doesn't use the value.

I'm proposing using [[nodiscard]] for statements rather than for
declarations.
That being said, it would be placed in the function call statement. I want
the compiler to still do DSE where appropriate and at the same time allow
the programmer to thoughtfully prevent it.

So meaning would be different.

Post by f***@gmail.com
In that respect, another attribute name might be better.
Also, it is already possible (but cumbersome) to implement already without
void f() {
int secret_int;
float secret_float;
/* ... */
secret_int = 0;
secret_float = 0
asm volatile ("" ::"irm"(secret_int), "xm"(secret_float));
}
I would really like an attribute for that, though.

Post by Andrew Giese
I like the idea.
Function poisoning might also serve your needs. E.g.,
https://www.fluentcpp.com/2018/09/04/function-poisoning-in-cpp/
If gcc poison were standardized in some fashion, you could write your
own wrappers to those functions with all the [[nodiscard]] you might want.
Control in that case is a little less granular, indeed. Probably if
you're writing [[nodiscard]] on a per-expression basis you are not
discarding the result already.
Regards
--
You received this message because you are subscribed to the Google
Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send
To view this discussion on the web visit
https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAO8_tC4kNZ6s-xMXo69n1D3dbOMkqt0fjLU44Uq5TfABp17hQQ%40mail.gmail.com
<https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAO8_tC4kNZ6s-xMXo69n1D3dbOMkqt0fjLU44Uq5TfABp17hQQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
.

You received this message because you are subscribed to the Google Groups
"ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an
To view this discussion on the web visit
https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/94d79dd7-ba3b-4bf8-91ed-e5dc02b33670%40isocpp.org
<https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/94d79dd7-ba3b-4bf8-91ed-e5dc02b33670%40isocpp.org?utm_medium=email&utm_source=footer>
.

--
You received this message because you are subscribed to the Google Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an email to std-proposals+***@isocpp.org.
To post to this group, send email to std-***@isocpp.org.
To view this discussion on the web visit https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAFdMc-1tpJj3bSzHgD%3DpxWD2eVokRX3ST2QE-oF6M8z1%3DDTEoQ%40mail.gmail.com.

Daniel Gutson

2018-09-28 14:20:49 UTC

(Clarification)

Post by f***@gmail.com
I want to highlight that [[nodiscard]] on functions is not about forcing
the compiler to keep the value, but instead to emit a warning if the user
doesn't use the value.

In THIS proposal....

Post by Daniel Gutson
I'm proposing using [[nodiscard]] for statements rather than

..in addition to...

for declarations.
That being said, it would be placed in the function call statement. I want

Post by Daniel Gutson
the compiler to still do DSE where appropriate and at the same time allow
the programmer to thoughtfully prevent it.
So meaning would be different.

Post by f***@gmail.com
In that respect, another attribute name might be better.
Also, it is already possible (but cumbersome) to implement already
void f() {
int secret_int;
float secret_float;
/* ... */
secret_int = 0;
secret_float = 0
asm volatile ("" ::"irm"(secret_int), "xm"(secret_float));
}
I would really like an attribute for that, though.

Post by Andrew Giese
I like the idea.
Function poisoning might also serve your needs. E.g.,
https://www.fluentcpp.com/2018/09/04/function-poisoning-in-cpp/
If gcc poison were standardized in some fashion, you could write your
own wrappers to those functions with all the [[nodiscard]] you might want.
Control in that case is a little less granular, indeed. Probably if
you're writing [[nodiscard]] on a per-expression basis you are not
discarding the result already.
Regards
--
You received this message because you are subscribed to the Google
Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send
To view this discussion on the web visit
https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAO8_tC4kNZ6s-xMXo69n1D3dbOMkqt0fjLU44Uq5TfABp17hQQ%40mail.gmail.com
<https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAO8_tC4kNZ6s-xMXo69n1D3dbOMkqt0fjLU44Uq5TfABp17hQQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
.

--
You received this message because you are subscribed to the Google Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an email to std-proposals+***@isocpp.org.
To post to this group, send email to std-***@isocpp.org.
To view this discussion on the web visit https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAFdMc-1rSKBc6aQh%2BZo7imJb8_1741RPuL0VyyByTcD8zHT_6Q%40mail.gmail.com.

f***@gmail.com

2018-09-28 14:36:36 UTC

I completely understood what you meant, and yes what you are proposing is
compatible with the current language.
I just wanted to highlight that it might be misleading to have the same
attribute with different meaning when it is used on a function declaration,
or on an expression (a declaration is also a statement).

Also, after some thinking, in this case, the goal is not to force the last
assignment, but to force the last value of the variable, wherever the
variable is, even if the variable is both in register and stack.
So in that case, you might be better with a [[undead]] attribute whose
meaning would be that the object might be accessed after its lifetime end
and so the last assignment should be kept and propagated to every storage
of the object:

void f() {
[[undead]] int secret;
/* ... */
secret = 0;
}
That wouldn't mean the lifetime of the object is extended and it becomes
valid to access it afterwards.
It would tell the compiler it should behave as-if the object *could* be
accessed afterwards.

Post by f***@gmail.com
I want to highlight that [[nodiscard]] on functions is not about forcing
the compiler to keep the value, but instead to emit a warning if the user
doesn't use the value.

Post by Andrew Giese
I like the idea.
Function poisoning might also serve your needs. E.g.,
https://www.fluentcpp.com/2018/09/04/function-poisoning-in-cpp/
If gcc poison were standardized in some fashion, you could write your
own wrappers to those functions with all the [[nodiscard]] you might want.
Control in that case is a little less granular, indeed. Probably if
you're writing [[nodiscard]] on a per-expression basis you are not
discarding the result already.
Regards
--
You received this message because you are subscribed to the Google
Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send
To view this discussion on the web visit
https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAO8_tC4kNZ6s-xMXo69n1D3dbOMkqt0fjLU44Uq5TfABp17hQQ%40mail.gmail.com
<https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAO8_tC4kNZ6s-xMXo69n1D3dbOMkqt0fjLU44Uq5TfABp17hQQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
.

Daniel Gutson

2018-09-28 14:50:41 UTC

I just wanted to give a way to the programmer to tell the compiler that the
statement is important. Later, the compiler may just warn that it would
remove the statement (so the programmer has to look for another mean) or
honor the request by not removing anything (thus impacting in the final
binary).

Post by f***@gmail.com
the last value of the variable, wherever the variable is, even if the
variable is both in register and stack.
So in that case, you might be better with a [[undead]] attribute whose
meaning would be that the object might be accessed after its lifetime end
and so the last assignment should be kept and propagated to every storage
void f() {
[[undead]] int secret;
/* ... */
secret = 0;
}
That wouldn't mean the lifetime of the object is extended and it becomes
valid to access it afterwards.
It would tell the compiler it should behave as-if the object *could* be
accessed afterwards.

Post by f***@gmail.com
I want to highlight that [[nodiscard]] on functions is not about forcing
the compiler to keep the value, but instead to emit a warning if the user
doesn't use the value.

I'm proposing using [[nodiscard]] for statements rather than for
declarations.
That being said, it would be placed in the function call statement. I
want the compiler to still do DSE where appropriate and at the same time
allow the programmer to thoughtfully prevent it.
So meaning would be different.

Post by Daniel Gutson
Yeah. But please note that this is not only for function calls.
void f()
{
int secret;
....
secret = 0; //removed due to DSE
}
If I declare secret as volatile or write 0s to its address I may
prevent the compiler to use a register impacting in performance. That's why
I want to use the attribute here too.

Post by Andrew Giese
I like the idea.
Function poisoning might also serve your needs. E.g.,
https://www.fluentcpp.com/2018/09/04/function-poisoning-in-cpp/
If gcc poison were standardized in some fashion, you could write your
own wrappers to those functions with all the [[nodiscard]] you might want.
Control in that case is a little less granular, indeed. Probably if
you're writing [[nodiscard]] on a per-expression basis you are not
discarding the result already.
Regards
--
You received this message because you are subscribed to the Google
Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send
To view this discussion on the web visit
https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAO8_tC4kNZ6s-xMXo69n1D3dbOMkqt0fjLU44Uq5TfABp17hQQ%40mail.gmail.com
<https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAO8_tC4kNZ6s-xMXo69n1D3dbOMkqt0fjLU44Uq5TfABp17hQQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
.

You received this message because you are subscribed to the Google
Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send
To view this discussion on the web visit
https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/94d79dd7-ba3b-4bf8-91ed-e5dc02b33670%40isocpp.org
<https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/94d79dd7-ba3b-4bf8-91ed-e5dc02b33670%40isocpp.org?utm_medium=email&utm_source=footer>
.

You received this message because you are subscribed to the Google Groups
"ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an
To view this discussion on the web visit
https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/c71e2ca9-c5f4-4699-b2c1-b23245eef683%40isocpp.org
<https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/c71e2ca9-c5f4-4699-b2c1-b23245eef683%40isocpp.org?utm_medium=email&utm_source=footer>
.

--
You received this message because you are subscribed to the Google Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an email to std-proposals+***@isocpp.org.
To post to this group, send email to std-***@isocpp.org.
To view this discussion on the web visit https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAFdMc-3rNrze-AUW-FNy6S_FRdWt78LGJyDzDGQPXqsbgHnDoQ%40mail.gmail.com.

Andrew Giese

2018-09-28 15:11:08 UTC

I think the primary opposition will come from the fact that DSE is, for the
moment, an implementation detail of the compiler. So, to have this
standardized, we might also need to standardize DSE.

The name of the attribute will also be endlessly debated I'm sure. The
existing attributes are about informing compilers and programmers of
program correctness (e.g., it's correct to fall through a case label), and
this one is only about compiler optimization. Reusing [[nodiscard]] in this
fashion might be argued to be disruptive, so we need to be ready for that.
On the other hand, the committee likes to avoid new reserved words, so
[[nodiscard]] may be preferable.

Regards
Andy

I just wanted to give a way to the programmer to tell the compiler that
the statement is important. Later, the compiler may just warn that it would
remove the statement (so the programmer has to look for another mean) or
honor the request by not removing anything (thus impacting in the final
binary).

Post by f***@gmail.com
I want to highlight that [[nodiscard]] on functions is not about
forcing the compiler to keep the value, but instead to emit a warning if
the user doesn't use the value.

I'm proposing using [[nodiscard]] for statements rather than for
declarations.
That being said, it would be placed in the function call statement. I
want the compiler to still do DSE where appropriate and at the same time
allow the programmer to thoughtfully prevent it.
So meaning would be different.

Post by Daniel Gutson
Yeah. But please note that this is not only for function calls.
void f()
{
int secret;
....
secret = 0; //removed due to DSE
}
If I declare secret as volatile or write 0s to its address I may
prevent the compiler to use a register impacting in performance. That's why
I want to use the attribute here too.

Post by Andrew Giese
I like the idea.
Function poisoning might also serve your needs. E.g.,
https://www.fluentcpp.com/2018/09/04/function-poisoning-in-cpp/
If gcc poison were standardized in some fashion, you could write your
own wrappers to those functions with all the [[nodiscard]] you might want.
Control in that case is a little less granular, indeed. Probably if
you're writing [[nodiscard]] on a per-expression basis you are not
discarding the result already.
Regards
--
You received this message because you are subscribed to the Google
Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it,
To view this discussion on the web visit
https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAO8_tC4kNZ6s-xMXo69n1D3dbOMkqt0fjLU44Uq5TfABp17hQQ%40mail.gmail.com
<https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAO8_tC4kNZ6s-xMXo69n1D3dbOMkqt0fjLU44Uq5TfABp17hQQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
.

You received this message because you are subscribed to the Google
Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send
To view this discussion on the web visit
https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/94d79dd7-ba3b-4bf8-91ed-e5dc02b33670%40isocpp.org
<https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/94d79dd7-ba3b-4bf8-91ed-e5dc02b33670%40isocpp.org?utm_medium=email&utm_source=footer>
.

You received this message because you are subscribed to the Google Groups
"ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an
To view this discussion on the web visit
https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/c71e2ca9-c5f4-4699-b2c1-b23245eef683%40isocpp.org
<https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/c71e2ca9-c5f4-4699-b2c1-b23245eef683%40isocpp.org?utm_medium=email&utm_source=footer>
.

--
Whoâs got the sweetest disposition?
One guess, thatâs who?
Whoâd never, ever start an argument?
Who never shows a bit of temperament?
Who's never wrong but always right?
Who'd never dream of starting a fight?
Who get stuck with all the bad luck?
--
You received this message because you are subscribed to the Google Groups
"ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an
To view this discussion on the web visit
https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAFdMc-3rNrze-AUW-FNy6S_FRdWt78LGJyDzDGQPXqsbgHnDoQ%40mail.gmail.com
<https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAFdMc-3rNrze-AUW-FNy6S_FRdWt78LGJyDzDGQPXqsbgHnDoQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
.

--
You received this message because you are subscribed to the Google Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an email to std-proposals+***@isocpp.org.
To post to this group, send email to std-***@isocpp.org.
To view this discussion on the web visit https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAO8_tC4Mo6Cn8rAw%2BsukXyv%3DpsExWBjBehr%2B2G4SDB1sSvm-Rw%40mail.gmail.com.

Daniel Gutson

2018-09-28 15:21:42 UTC

Post by Andrew Giese
I think the primary opposition will come from the fact that DSE is, for
the moment, an implementation detail of the compiler. So, to have this
standardized, we might also need to standardize DSE.

I gently disagree: attributes are exactly targetted to QoI and compiler
implementations, they are ignorable, and they may target either
optimizations or diagnostics. Even the original (current) [[nodiscard]]
targets diagnostics; I'm proposing to extend it to other uses.
[[nodiscard]] used in statements could perfectly target the diagnostics
subsystem as well, but that will be QoI (it could either do nothing, or
prevent discarding).
In no way I pretend to standardize optimizations in general nor DSE in
particular. Otherwise then CSE will arrive, etc.

Post by Andrew Giese
The name of the attribute will also be endlessly debated I'm sure. The
existing attributes are about informing compilers and programmers of
program correctness (e.g., it's correct to fall through a case label), and
this one is only about compiler optimization. Reusing [[nodiscard]] in this
fashion might be argued to be disruptive, so we need to be ready for that.
On the other hand, the committee likes to avoid new reserved words, so
[[nodiscard]] may be preferable.
Regards
Andy

I just wanted to give a way to the programmer to tell the compiler that
the statement is important. Later, the compiler may just warn that it would
remove the statement (so the programmer has to look for another mean) or
honor the request by not removing anything (thus impacting in the final
binary).

Post by f***@gmail.com
I want to highlight that [[nodiscard]] on functions is not about
forcing the compiler to keep the value, but instead to emit a warning if
the user doesn't use the value.

I'm proposing using [[nodiscard]] for statements rather than for
declarations.
That being said, it would be placed in the function call statement. I
want the compiler to still do DSE where appropriate and at the same time
allow the programmer to thoughtfully prevent it.
So meaning would be different.

Post by Daniel Gutson
Yeah. But please note that this is not only for function calls.
void f()
{
int secret;
....
secret = 0; //removed due to DSE
}
If I declare secret as volatile or write 0s to its address I may
prevent the compiler to use a register impacting in performance. That's why
I want to use the attribute here too.

Post by Andrew Giese
I like the idea.
Function poisoning might also serve your needs. E.g.,
https://www.fluentcpp.com/2018/09/04/function-poisoning-in-cpp/
If gcc poison were standardized in some fashion, you could write
your own wrappers to those functions with all the [[nodiscard]] you might
want.
Control in that case is a little less granular, indeed. Probably if
you're writing [[nodiscard]] on a per-expression basis you are not
discarding the result already.
Regards
--
You received this message because you are subscribed to the Google
Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it,
To view this discussion on the web visit
https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAO8_tC4kNZ6s-xMXo69n1D3dbOMkqt0fjLU44Uq5TfABp17hQQ%40mail.gmail.com
<https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAO8_tC4kNZ6s-xMXo69n1D3dbOMkqt0fjLU44Uq5TfABp17hQQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
.

You received this message because you are subscribed to the Google
Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send
To view this discussion on the web visit
https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/94d79dd7-ba3b-4bf8-91ed-e5dc02b33670%40isocpp.org
<https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/94d79dd7-ba3b-4bf8-91ed-e5dc02b33670%40isocpp.org?utm_medium=email&utm_source=footer>
.

You received this message because you are subscribed to the Google
Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send
To view this discussion on the web visit
https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/c71e2ca9-c5f4-4699-b2c1-b23245eef683%40isocpp.org
<https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/c71e2ca9-c5f4-4699-b2c1-b23245eef683%40isocpp.org?utm_medium=email&utm_source=footer>
.

--
You received this message because you are subscribed to the Google Groups
"ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an
To view this discussion on the web visit
https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAO8_tC4Mo6Cn8rAw%2BsukXyv%3DpsExWBjBehr%2B2G4SDB1sSvm-Rw%40mail.gmail.com
<https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAO8_tC4Mo6Cn8rAw%2BsukXyv%3DpsExWBjBehr%2B2G4SDB1sSvm-Rw%40mail.gmail.com?utm_medium=email&utm_source=footer>
.

--
You received this message because you are subscribed to the Google Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an email to std-proposals+***@isocpp.org.
To post to this group, send email to std-***@isocpp.org.
To view this discussion on the web visit https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAFdMc-2Bmpf6LM2b5MJtBtkSRtDOgFWCMM%3DMqMrviETNyRhN-A%40mail.gmail.com.

Andrew Giese

2018-09-28 15:37:04 UTC

All good points. Either way, I'm in favor of it.

El vie., 28 de sep. de 2018 a la(s) 12:11, Andrew Giese (

I just wanted to give a way to the programmer to tell the compiler that
the statement is important. Later, the compiler may just warn that it would
remove the statement (so the programmer has to look for another mean) or
honor the request by not removing anything (thus impacting in the final
binary).

Post by f***@gmail.com
the last value of the variable, wherever the variable is, even if the
variable is both in register and stack.
So in that case, you might be better with a [[undead]] attribute whose
meaning would be that the object might be accessed after its lifetime end
and so the last assignment should be kept and propagated to every storage
void f() {
[[undead]] int secret;
/* ... */
secret = 0;
}
That wouldn't mean the lifetime of the object is extended and it
becomes valid to access it afterwards.
It would tell the compiler it should behave as-if the object *could*
be accessed afterwards.

Post by f***@gmail.com
I want to highlight that [[nodiscard]] on functions is not about
forcing the compiler to keep the value, but instead to emit a warning if
the user doesn't use the value.

I'm proposing using [[nodiscard]] for statements rather than for
declarations.
That being said, it would be placed in the function call statement. I
want the compiler to still do DSE where appropriate and at the same time
allow the programmer to thoughtfully prevent it.
So meaning would be different.

Post by Daniel Gutson
Yeah. But please note that this is not only for function calls.
void f()
{
int secret;
....
secret = 0; //removed due to DSE
}
If I declare secret as volatile or write 0s to its address I may
prevent the compiler to use a register impacting in performance. That's why
I want to use the attribute here too.

Post by Andrew Giese
I like the idea.
Function poisoning might also serve your needs. E.g.,
https://www.fluentcpp.com/2018/09/04/function-poisoning-in-cpp/
If gcc poison were standardized in some fashion, you could write
your own wrappers to those functions with all the [[nodiscard]] you might
want.
Control in that case is a little less granular, indeed. Probably if
you're writing [[nodiscard]] on a per-expression basis you are not
discarding the result already.
Regards
--
You received this message because you are subscribed to the Google
Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it,
To view this discussion on the web visit
https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAO8_tC4kNZ6s-xMXo69n1D3dbOMkqt0fjLU44Uq5TfABp17hQQ%40mail.gmail.com
<https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAO8_tC4kNZ6s-xMXo69n1D3dbOMkqt0fjLU44Uq5TfABp17hQQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
.

You received this message because you are subscribed to the Google
Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it,
To view this discussion on the web visit
https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/94d79dd7-ba3b-4bf8-91ed-e5dc02b33670%40isocpp.org
<https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/94d79dd7-ba3b-4bf8-91ed-e5dc02b33670%40isocpp.org?utm_medium=email&utm_source=footer>
.

You received this message because you are subscribed to the Google
Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send
To view this discussion on the web visit
https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/c71e2ca9-c5f4-4699-b2c1-b23245eef683%40isocpp.org
<https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/c71e2ca9-c5f4-4699-b2c1-b23245eef683%40isocpp.org?utm_medium=email&utm_source=footer>
.

--
Whoâs got the sweetest disposition?
One guess, thatâs who?
Whoâd never, ever start an argument?
Who never shows a bit of temperament?
Who's never wrong but always right?
Who'd never dream of starting a fight?
Who get stuck with all the bad luck?
--
You received this message because you are subscribed to the Google
Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send
To view this discussion on the web visit
https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAFdMc-3rNrze-AUW-FNy6S_FRdWt78LGJyDzDGQPXqsbgHnDoQ%40mail.gmail.com
<https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAFdMc-3rNrze-AUW-FNy6S_FRdWt78LGJyDzDGQPXqsbgHnDoQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
.

--
You received this message because you are subscribed to the Google Groups
"ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an
To view this discussion on the web visit
https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAO8_tC4Mo6Cn8rAw%2BsukXyv%3DpsExWBjBehr%2B2G4SDB1sSvm-Rw%40mail.gmail.com
<https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAO8_tC4Mo6Cn8rAw%2BsukXyv%3DpsExWBjBehr%2B2G4SDB1sSvm-Rw%40mail.gmail.com?utm_medium=email&utm_source=footer>
.

--
Whoâs got the sweetest disposition?
One guess, thatâs who?
Whoâd never, ever start an argument?
Who never shows a bit of temperament?
Who's never wrong but always right?
Who'd never dream of starting a fight?
Who get stuck with all the bad luck?
--
You received this message because you are subscribed to the Google Groups
"ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an
To view this discussion on the web visit
https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAFdMc-2Bmpf6LM2b5MJtBtkSRtDOgFWCMM%3DMqMrviETNyRhN-A%40mail.gmail.com
<https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAFdMc-2Bmpf6LM2b5MJtBtkSRtDOgFWCMM%3DMqMrviETNyRhN-A%40mail.gmail.com?utm_medium=email&utm_source=footer>
.

--
You received this message because you are subscribed to the Google Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an email to std-proposals+***@isocpp.org.
To post to this group, send email to std-***@isocpp.org.
To view this discussion on the web visit https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAO8_tC54sTj6XV0CdD9KdZ0dt%3D8M%3DoG_cngOKq%3DKPoNsGuegng%40mail.gmail.com.

Daniel Gutson

2018-10-07 04:44:14 UTC

Post by f***@gmail.com
I completely understood what you meant, and yes what you are proposing is
compatible with the current language.
I just wanted to highlight that it might be misleading to have the same
attribute with different meaning when it is used on a function declaration,
or on an expression (a declaration is also a statement).
Also, after some thinking, in this case, the goal is not to force the last
assignment, but to force the last value of the variable, wherever the
variable is, even if the variable is both in register and stack.
So in that case, you might be better with a [[undead]] attribute whose
meaning would be that the object might be accessed after its lifetime end
and so the last assignment should be kept and propagated to every storage
void f() {
[[undead]] int secret;
/* ... */
secret = 0;
}
That wouldn't mean the lifetime of the object is extended and it becomes
valid to access it afterwards.
It would tell the compiler it should behave as-if the object *could* be
accessed afterwards.

Actually I would like to tell the compiler that the object should NOT be
accessible afterwards.
Additionally I would like to reuse the existing attribute name, though this
is of least importance now.

Post by f***@gmail.com
I want to highlight that [[nodiscard]] on functions is not about forcing
the compiler to keep the value, but instead to emit a warning if the user
doesn't use the value.

I'm proposing using [[nodiscard]] for statements rather than for
declarations.
That being said, it would be placed in the function call statement. I
want the compiler to still do DSE where appropriate and at the same time
allow the programmer to thoughtfully prevent it.
So meaning would be different.

Post by Daniel Gutson
Yeah. But please note that this is not only for function calls.
void f()
{
int secret;
....
secret = 0; //removed due to DSE
}
If I declare secret as volatile or write 0s to its address I may
prevent the compiler to use a register impacting in performance. That's why
I want to use the attribute here too.

Post by Andrew Giese
I like the idea.
Function poisoning might also serve your needs. E.g.,
https://www.fluentcpp.com/2018/09/04/function-poisoning-in-cpp/
If gcc poison were standardized in some fashion, you could write your
own wrappers to those functions with all the [[nodiscard]] you might want.
Control in that case is a little less granular, indeed. Probably if
you're writing [[nodiscard]] on a per-expression basis you are not
discarding the result already.
Regards
--
You received this message because you are subscribed to the Google
Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send
To view this discussion on the web visit
https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAO8_tC4kNZ6s-xMXo69n1D3dbOMkqt0fjLU44Uq5TfABp17hQQ%40mail.gmail.com
<https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAO8_tC4kNZ6s-xMXo69n1D3dbOMkqt0fjLU44Uq5TfABp17hQQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
.

You received this message because you are subscribed to the Google
Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send
To view this discussion on the web visit
https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/94d79dd7-ba3b-4bf8-91ed-e5dc02b33670%40isocpp.org
<https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/94d79dd7-ba3b-4bf8-91ed-e5dc02b33670%40isocpp.org?utm_medium=email&utm_source=footer>
.

You received this message because you are subscribed to the Google Groups
"ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an
To view this discussion on the web visit
https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/c71e2ca9-c5f4-4699-b2c1-b23245eef683%40isocpp.org
<https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/c71e2ca9-c5f4-4699-b2c1-b23245eef683%40isocpp.org?utm_medium=email&utm_source=footer>
.

--
You received this message because you are subscribed to the Google Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an email to std-proposals+***@isocpp.org.
To post to this group, send email to std-***@isocpp.org.
To view this discussion on the web visit https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAFdMc-3RRFoPYsyyQAX0w0eshYRytoes00VkoDPLrOPjWjjv3A%40mail.gmail.com.

f***@gmail.com

2018-10-07 09:17:52 UTC

Post by f***@gmail.com
I completely understood what you meant, and yes what you are proposing is
compatible with the current language.
I just wanted to highlight that it might be misleading to have the same
attribute with different meaning when it is used on a function declaration,
or on an expression (a declaration is also a statement).
Also, after some thinking, in this case, the goal is not to force the
last assignment, but to force the last value of the variable, wherever the
variable is, even if the variable is both in register and stack.
So in that case, you might be better with a [[undead]] attribute whose
meaning would be that the object might be accessed after its lifetime end
and so the last assignment should be kept and propagated to every storage
void f() {
[[undead]] int secret;
/* ... */
secret = 0;
}
That wouldn't mean the lifetime of the object is extended and it becomes
valid to access it afterwards.
It would tell the compiler it should behave as-if the object *could* be
accessed afterwards.

Actually I would like to tell the compiler that the object should NOT be
accessible afterwards.

What I said is not "the compiler makes the object accessible", but
"whatever the compiler will do, the object will remain accessible somehow,
and so the correctness of the whole program depends on the last value not
being discarded".

Your view is also correct, but a bit more magic: when this "destroy all the
places where the object is" is performed? (the right answer is: just after
its destructor is called)
While in what I propose, it is done more explicitly when the last value is
assigned.

But both are good. It's just a matter of taste at this point.

However, your first proposal doesn't work that well: ok you tell the
compiler to keep the assignment. But which location is used for this
assignment? All of them? The last one? The main one? A new one?
And if you start standardizing which location should be assigned, then
you're not talking about expressions anymore, but about objects. So
attributes on expressions is not the right tool for you.

Post by Daniel Gutson
Additionally I would like to reuse the existing attribute name, though
this is of least importance now.

Here, I completely disagree. It should not be an already existing attribute
name unless the feature is close enough to the original attribute.
And the new meaning you proposed is (at least for me) too far from the
original, and is misleading.

An attribute is not a keyword, it is easy to create new ones (easier than
repurposing an old one?).

Daniel Gutson

2018-10-07 14:47:23 UTC

Post by f***@gmail.com
I completely understood what you meant, and yes what you are proposing
is compatible with the current language.
I just wanted to highlight that it might be misleading to have the same
attribute with different meaning when it is used on a function declaration,
or on an expression (a declaration is also a statement).
Also, after some thinking, in this case, the goal is not to force the
last assignment, but to force the last value of the variable, wherever the
variable is, even if the variable is both in register and stack.
So in that case, you might be better with a [[undead]] attribute whose
meaning would be that the object might be accessed after its lifetime end
and so the last assignment should be kept and propagated to every storage
void f() {
[[undead]] int secret;
/* ... */
secret = 0;
}
That wouldn't mean the lifetime of the object is extended and it becomes
valid to access it afterwards.
It would tell the compiler it should behave as-if the object *could* be
accessed afterwards.

Actually I would like to tell the compiler that the object should NOT be
accessible afterwards.

What I said is not "the compiler makes the object accessible", but
"whatever the compiler will do, the object will remain accessible somehow,
and so the correctness of the whole program depends on the last value not
being discarded".
Your view is also correct, but a bit more magic: when this "destroy all
the places where the object is" is performed? (the right answer is: just
after its destructor is called)
While in what I propose, it is done more explicitly when the last value is
assigned.
But both are good. It's just a matter of taste at this point.
However, your first proposal doesn't work that well: ok you tell the
compiler to keep the assignment. But which location is used for this
assignment? All of them? The last one? The main one? A new one?
And if you start standardizing which location should be assigned, then
you're not talking about expressions anymore, but about objects. So
attributes on expressions is not the right tool for you.

Post by Daniel Gutson
Additionally I would like to reuse the existing attribute name, though
this is of least importance now.

Here, I completely disagree.

Ok let's not discuss this.

It should not be an already existing attribute name unless the feature is

Post by f***@gmail.com
close enough to the original attribute.
And the new meaning you proposed is (at least for me) too far from the
original, and is misleading.
An attribute is not a keyword, it is easy to create new ones (easier than
repurposing an old one?).
--
You received this message because you are subscribed to the Google Groups
"ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an
To view this discussion on the web visit
https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/dba0bf6d-92da-440e-8e61-af336cacd537%40isocpp.org
<https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/dba0bf6d-92da-440e-8e61-af336cacd537%40isocpp.org?utm_medium=email&utm_source=footer>
.

--
You received this message because you are subscribed to the Google Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an email to std-proposals+***@isocpp.org.
To post to this group, send email to std-***@isocpp.org.
To view this discussion on the web visit https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAFdMc-1cyt1gnCvvtrE%2BJOW0s%3Dwab%3D0eU1APYzdrwejxjqc1zg%40mail.gmail.com.

Andrew Giese

2018-10-08 19:02:59 UTC

What about using [[nodiscard]] as a null-statement?

Similar to how [[fallthrough]] is a null statement intended to indicate to
the compiler and reader that the fallthrough is intentional, a
[[nodiscard]] after an assignment or a memset should indicate that the
previous statement was intentional and should not be discarded.

e.g.

memset(password, 0, PASSWORD_SIZE);
[[nodiscard]]; // intentionally store before a free
free(password);

Post by f***@gmail.com
I completely understood what you meant, and yes what you are proposing
is compatible with the current language.
I just wanted to highlight that it might be misleading to have the same
attribute with different meaning when it is used on a function declaration,
or on an expression (a declaration is also a statement).
Also, after some thinking, in this case, the goal is not to force the
last assignment, but to force the last value of the variable, wherever the
variable is, even if the variable is both in register and stack.
So in that case, you might be better with a [[undead]] attribute whose
meaning would be that the object might be accessed after its lifetime end
and so the last assignment should be kept and propagated to every storage
void f() {
[[undead]] int secret;
/* ... */
secret = 0;
}
That wouldn't mean the lifetime of the object is extended and it
becomes valid to access it afterwards.
It would tell the compiler it should behave as-if the object *could*
be accessed afterwards.

Actually I would like to tell the compiler that the object should NOT be
accessible afterwards.

What I said is not "the compiler makes the object accessible", but
"whatever the compiler will do, the object will remain accessible somehow,
and so the correctness of the whole program depends on the last value not
being discarded".
Your view is also correct, but a bit more magic: when this "destroy all
the places where the object is" is performed? (the right answer is: just
after its destructor is called)
While in what I propose, it is done more explicitly when the last value
is assigned.
But both are good. It's just a matter of taste at this point.
However, your first proposal doesn't work that well: ok you tell the
compiler to keep the assignment. But which location is used for this
assignment? All of them? The last one? The main one? A new one?
And if you start standardizing which location should be assigned, then
you're not talking about expressions anymore, but about objects. So
attributes on expressions is not the right tool for you.

Post by Daniel Gutson
Additionally I would like to reuse the existing attribute name, though
this is of least importance now.

Here, I completely disagree.

Ok let's not discuss this.
It should not be an already existing attribute name unless the feature is

m***@gmail.com

2018-10-09 00:38:21 UTC

That could be easily broken if someone replaced memset() with another
super_memset() function or similar which did more than one write. How would
the compiler know which write inside of the memset() function it has to
keep? Would it only work for memset and assignments? I don't like the idea
of an attribute that only works for memset() but not other functions.

Post by Andrew Giese
What about using [[nodiscard]] as a null-statement?
Similar to how [[fallthrough]] is a null statement intended to indicate to
the compiler and reader that the fallthrough is intentional, a
[[nodiscard]] after an assignment or a memset should indicate that the
previous statement was intentional and should not be discarded.
e.g.
memset(password, 0, PASSWORD_SIZE);
[[nodiscard]]; // intentionally store before a free
free(password);

Andrew Giese

2018-10-09 01:55:03 UTC

Post by m***@gmail.com
That could be easily broken if someone replaced memset() with another
super_memset() function or similar which did more than one write

I'm not sure it's any more easy to break than [[fallthrough]] is by, say,
the introduction of a new case label that shouldn't be fallen into (which
has bitten me before).

How would the compiler know which write inside of the memset() function it

Post by m***@gmail.com
has to keep?

I think all I'd want it to mean is that the compiler should, under no
circumstances, discard the statement directly above the [[nodiscard]] null
statement. That is, it's a signal of intent that "I want all the side
effects of the above statement to happen". Devs must be careful during
refactoring. Fortunately, whether the store was discarded or not can likely
be tested via unit testing.

I'm no compiler expert, so I don't know the practicalities of something
like this.

Regards,
-Andy

Daniel Gutson

2018-10-09 02:24:37 UTC

Post by m***@gmail.com
That could be easily broken if someone replaced memset() with another
super_memset() function or similar which did more than one write. How would
the compiler know which write inside of the memset() function it has to
keep? Would it only work for memset and assignments? I don't like the idea
of an attribute that only works for memset() but not other functions.

That's why I'm struggling to explain that this attribute is statement-wise
rather than for annotating function *calls* only

Post by m***@gmail.com

Post by Andrew Giese
What about using [[nodiscard]] as a null-statement?
Similar to how [[fallthrough]] is a null statement intended to indicate
to the compiler and reader that the fallthrough is intentional, a
[[nodiscard]] after an assignment or a memset should indicate that the
previous statement was intentional and should not be discarded.
e.g.
memset(password, 0, PASSWORD_SIZE);
[[nodiscard]]; // intentionally store before a free
free(password);
--

You received this message because you are subscribed to the Google Groups
"ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an
To view this discussion on the web visit
https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/bf24037e-142a-4730-84e0-1886f6235e45%40isocpp.org
<https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/bf24037e-142a-4730-84e0-1886f6235e45%40isocpp.org?utm_medium=email&utm_source=footer>
.

--
You received this message because you are subscribed to the Google Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an email to std-proposals+***@isocpp.org.
To post to this group, send email to std-***@isocpp.org.
To view this discussion on the web visit https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAFdMc-1nTmSAMa4zOg5tAbm%3DrspsbMv0Z_sBfpTTHHvauJKiJg%40mail.gmail.com.

f***@gmail.com

2018-10-09 08:18:34 UTC

That's why I'm struggling to explain that this attribute is statement-wise
rather than for annotating function *calls* only

Your very first example is not suited for an attribute on a statement, but
for an attribute on the object itself because you don't know (and will
never know) where the object is (in register? in memory? both?) and on
which location the last assignment is done.
Even if you could force the assignment both in register and in memory, are
you sure the assignment in register has overridden the right register?
So enforcing that the last assignment is done gives you almost nothing in
that case (That's why I proposed the [[undead]] attribute, but alternatives
are fine).

However, for other purposes I think it's fine (the memset example on heap
memory) and here I completely agree that an attribute on the statement is
the right way to do (I just disagree on the name of of the attribute
because I find it misleading).
I also want to mention here, that it is already possible to do it with
inline asm (not standard).

Daniel Gutson

2018-10-09 10:41:06 UTC

That's why I'm struggling to explain that this attribute is
statement-wise rather than for annotating function *calls* only

Are you saying that the object may undergo internal copies for optimization
purposes (e.g. if it is in a register it may be copied to other registers
as a temporal)? It could also be arithmetically operated in other registers
which would still turn it recoverable by applying the reverse operation.
Hm. Is that what you are saying?

So enforcing that the last assignment is done gives you almost nothing in

Post by f***@gmail.com
that case (That's why I proposed the [[undead]] attribute, but alternatives
are fine).
However, for other purposes I think it's fine (the memset example on heap
memory) and here I completely agree that an attribute on the statement is
the right way to do (I just disagree on the name of of the attribute
because I find it misleading).
I also want to mention here, that it is already possible to do it with
inline asm (not standard).
--
You received this message because you are subscribed to the Google Groups
"ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an
To view this discussion on the web visit
https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/e7edc1e3-a9b3-421c-a72f-623d6c34b104%40isocpp.org
<https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/e7edc1e3-a9b3-421c-a72f-623d6c34b104%40isocpp.org?utm_medium=email&utm_source=footer>
.

--
You received this message because you are subscribed to the Google Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an email to std-proposals+***@isocpp.org.
To post to this group, send email to std-***@isocpp.org.
To view this discussion on the web visit https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CAFdMc-0-p7rOo3MYrfa%2Bx_zc21h58fZb_Qt5a1g6ocasCqyJXw%40mail.gmail.com.

f***@gmail.com

2018-10-09 12:24:32 UTC

That's why I'm struggling to explain that this attribute is
statement-wise rather than for annotating function *calls* only

Are you saying that the object may undergo internal copies for
optimization purposes (e.g. if it is in a register it may be copied to
other registers as a temporal)? It could also be arithmetically operated in
other registers which would still turn it recoverable by applying the
reverse operation.
Hm. Is that what you are saying?

Yes for the first, no (but maybe yes) for the second:
Yes the compiler might duplicate the object in register for optimizations
purposes (eg: as a consequence of the SSA form). And yes, those registers
might outilive the function call (callee-saved vs caller-saved).
Actually, it might be even worse: a compiler can put you local object in
register, and because of the register pressure, the compiler spills your
object off to the stack, at a different place.

For your second point, I didn't think about it yet. So I didn't take it
into consideration when I proposed the [[undead]] attribute. But if your
goal is security, then you would also need to take into consideration this.
Let's imagine an attribute [[secret]].
Every object marked as [[secret]] will be cleaned before function exit.
This cleaning means set to zero every location that still contains the
object (known to the compiler).
Also, in order to not deduce the secret from other temporaries, any value
depending on a [[secret]] object is also marked implicitly as [[secret]].

This does not address cache persistency, but it can be covered if the
[[secret]] can take an optional argument to ensure cache lines related to
this object are flushed (done by the compiler).

With this, you start to have a pretty strong security plan for stack
objects. But the heap objects cannot be marked as secret. So for that,
maybe you could mark the delete statement as [[secret]] and let the
compiler do the same thing for heap objects.
And also, a [[secret]] reference would need mark every dependant objects as
[[secret]], but the referenced object itself would not be cleaned.
Here I'm just throwing ideas into the wild, but I think you get the idea.

All in all, I think it is possible to improve security with such
attributes, but I don't think an attribute on statements is the right way.

Post by Daniel Gutson
So enforcing that the last assignment is done gives you almost nothing in

Miguel Ojeda

2018-10-09 12:41:57 UTC

Hi Florian,

For your second point, I didn't think about it yet. So I didn't take it into consideration when I proposed the [[undead]] attribute. But if your goal is security, then you would also need to take into consideration this.
Let's imagine an attribute [[secret]].
Every object marked as [[secret]] will be cleaned before function exit.
This cleaning means set to zero every location that still contains the object (known to the compiler).

This sounds very similar to secure_val, but as a variable attribute.

Also, in order to not deduce the secret from other temporaries, any value depending on a [[secret]] object is also marked implicitly as [[secret]].
This does not address cache persistency, but it can be covered if the [[secret]] can take an optional argument to ensure cache lines related to this object are flushed (done by the compiler).
With this, you start to have a pretty strong security plan for stack objects. But the heap objects cannot be marked as secret. So for that, maybe you could mark the delete statement as [[secret]] and let the compiler do the same thing for heap objects.

I would say users should not care where or how the value is stored.
Having to mark delete statements with an attribute seems odd. As a
user, I would simply prefer to be able to mark my type T with
[[secret]] and then *that* could be put into the heap. That is the
reason I went for a template, because it looked natural to wrap values
with it:

std::secure_val<int> my_very_secret_number;
std::secure_val<char [N]> my_private_key;

etc.

And also, a [[secret]] reference would need mark every dependant objects as [[secret]], but the referenced object itself would not be cleaned.
Here I'm just throwing ideas into the wild, but I think you get the idea.
All in all, I think it is possible to improve security with such attributes, but I don't think an attribute on statements is the right way.

Indeed, I think a better idea is to work on the storage side, not on
the statement level.

Cheers,
Miguel

--
You received this message because you are subscribed to the Google Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an email to std-proposals+***@isocpp.org.
To post to this group, send email to std-***@isocpp.org.
To view this discussion on the web visit https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CANiq72kBPp9uONTPvC7L9n8%2BrtnXtE12MM_YJQDw1JsbVQ9frA%40mail.gmail.com.

f***@gmail.com

2018-10-09 12:56:29 UTC

Post by Miguel Ojeda
Hi Florian,

Post by f***@gmail.com
For your second point, I didn't think about it yet. So I didn't take it

into consideration when I proposed the [[undead]] attribute. But if your
goal is security, then you would also need to take into consideration this.

Post by f***@gmail.com
Let's imagine an attribute [[secret]].
Every object marked as [[secret]] will be cleaned before function exit.
This cleaning means set to zero every location that still contains the

object (known to the compiler).
This sounds very similar to secure_val, but as a variable attribute.

Yes it is similar. But I think attribute is more appropriate because those
security issues are not about C++: in order to read a destroyed value, you
need to use undefined behavior somehow.

Post by f***@gmail.com
Also, in order to not deduce the secret from other temporaries, any

value depending on a [[secret]] object is also marked implicitly as
[[secret]].

Post by f***@gmail.com
This does not address cache persistency, but it can be covered if the

[[secret]] can take an optional argument to ensure cache lines related to
this object are flushed (done by the compiler).

Post by f***@gmail.com
With this, you start to have a pretty strong security plan for stack

The problem is, when you create an object on the heap, on don't really own
the object. that's why it needs a special treatment.
Maybe marking the pointer type as [[secret]] could solve the issue.
If you delete a [[secret]] pointer, then the compiler needs to ensure every
location is cleaned afterwards.

Post by Miguel Ojeda
As a
user, I would simply prefer to be able to mark my type T with
[[secret]] and then *that* could be put into the heap. That is the
reason I went for a template, because it looked natural to wrap values
std::secure_val<int> my_very_secret_number;
std::secure_val<char [N]> my_private_key;
etc.

The problem with your template approach is: you don't have the cascade of
the secret property, so temporaries depending on your secure_val will not
be cleaned.
Also, your template is not safely implementable in C++: you need
cooperation from the compiler in the same way as with the attribute,
because of the possible mutliple locations of your object.

Maybe we would need to have this in type system itself (very hard) with a
new qualifier.

Post by f***@gmail.com
And also, a [[secret]] reference would need mark every dependant objects

as [[secret]], but the referenced object itself would not be cleaned.

Post by f***@gmail.com
Here I'm just throwing ideas into the wild, but I think you get the

idea.

Post by f***@gmail.com
All in all, I think it is possible to improve security with such

attributes, but I don't think an attribute on statements is the right way.
Indeed, I think a better idea is to work on the storage side, not on
the statement level.
Cheers,
Miguel

Miguel Ojeda

2018-10-09 13:54:22 UTC

Post by Miguel Ojeda
Hi Florian,

This sounds very similar to secure_val, but as a variable attribute.

Yes it is similar. But I think attribute is more appropriate because those security issues are not about C++: in order to read a destroyed value, you need to use undefined behavior somehow.

I am not sure what you mean by "are not about C++" or by "reading a
destroyed value". Do you mean you want to have compiler support so
that other languages (like C) can take advantage of it?

Note that there are C++-only attributes; and that, anyway, it would be
nice to have a concrete use case (e.g. secure_val) where such features
could be used.

I would say users should not care where or how the value is stored.
Having to mark delete statements with an attribute seems odd.

The problem is, when you create an object on the heap, on don't really own the object. that's why it needs a special treatment.
Maybe marking the pointer type as [[secret]] could solve the issue.

Yes, exactly, that is why secure_val is a template: in my view, it has
to be applied the type; not on statements (Daniel's original proposal)
or variables (your initial [[secret]] proposal). If you create a type
attribute, then it could be used itself to implement (part of)
secure_val.

If you delete a [[secret]] pointer, then the compiler needs to ensure every location is cleaned afterwards.

The problem with your template approach is: you don't have the cascade of the secret property, so temporaries depending on your secure_val will not be cleaned.

It depends. Note that the accesses to the secret value must go through
access(). This is intended so that code inside that block may be
treated specially by the compiler. The examples given in the proposal
about how this can be used are encryption (compiler support not needed
in principle), disabling speculation (compiler support needed), etc.

Also, your template is not safely implementable in C++: you need cooperation from the compiler in the same way as with the attribute, because of the possible mutliple locations of your object.

Of course it isn't, that is the whole point of secure_val. :-)

Let me put it this way: I would love secure_val to be implementable in
C++ (or at least part of it, e.g. the auto-clear [[secret]] part that
you are discussing). However, it is not clear yet how many things we
would need to add to the language or how. Some things, like
Spectre-class vulnerabilities, are still being researched. Therefore,
I suggested secure_val first to make the most common use case
concrete, and at the same time give developers a simple solution to
it. Since secure_val does not force almost anything on the vendors
(except the auto-clear), it can be updated to provide further
guarantees as time goes on.

Cheers,
Miguel

--
You received this message because you are subscribed to the Google Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an email to std-proposals+***@isocpp.org.
To post to this group, send email to std-***@isocpp.org.
To view this discussion on the web visit https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CANiq72mHdtv1H87QQWjRQzAa_BkCgr4SU9C2iOr7aJxGJJqf%2Bw%40mail.gmail.com.

f***@gmail.com

2018-10-09 14:12:37 UTC

Post by Miguel Ojeda
Hi Florian,

Post by f***@gmail.com
For your second point, I didn't think about it yet. So I didn't take

it into consideration when I proposed the [[undead]] attribute. But if your
goal is security, then you would also need to take into consideration this.

Post by f***@gmail.com
Let's imagine an attribute [[secret]].
Every object marked as [[secret]] will be cleaned before function

exit.

Post by f***@gmail.com
This cleaning means set to zero every location that still contains

the object (known to the compiler).

Post by Miguel Ojeda
This sounds very similar to secure_val, but as a variable attribute.

Yes it is similar. But I think attribute is more appropriate because

those security issues are not about C++: in order to read a destroyed
value, you need to use undefined behavior somehow.
I am not sure what you mean by "are not about C++" or by "reading a
destroyed value". Do you mean you want to have compiler support so
that other languages (like C) can take advantage of it?

No, I mean these security issues arise beyond the scope of C++.
As far as C++ is concerned, you cannot access a destroyed value (so the
secret remains secret).
Any attempt in doing that leads to undefined behaviours: meaning the result
does not depends on C++ semantic anymore.
So if every single undefined behavior would crash the program instant
(which is actually valid), there would be no secret leaking issue at all.

That's what I mean when I say it is not about C++.

I don't necessarily want to have it for other languages (but it would be
good if we do).

Note that there are C++-only attributes; and that, anyway, it would be
nice to have a concrete use case (e.g. secure_val) where such features
could be used.

Post by f***@gmail.com
Also, in order to not deduce the secret from other temporaries, any

value depending on a [[secret]] object is also marked implicitly as
[[secret]].

Post by f***@gmail.com
This does not address cache persistency, but it can be covered if the

[[secret]] can take an optional argument to ensure cache lines related to
this object are flushed (done by the compiler).

Post by f***@gmail.com
With this, you start to have a pretty strong security plan for stack

objects. But the heap objects cannot be marked as secret. So for that,
maybe you could mark the delete statement as [[secret]] and let the
compiler do the same thing for heap objects.

Post by Miguel Ojeda
I would say users should not care where or how the value is stored.
Having to mark delete statements with an attribute seems odd.

The problem is, when you create an object on the heap, on don't really

own the object. that's why it needs a special treatment.

Post by f***@gmail.com
Maybe marking the pointer type as [[secret]] could solve the issue.

true.

Post by f***@gmail.com
If you delete a [[secret]] pointer, then the compiler needs to ensure

every location is cleaned afterwards.

The problem with your template approach is: you don't have the cascade

of the secret property, so temporaries depending on your secure_val will
not be cleaned.
It depends. Note that the accesses to the secret value must go through
access(). This is intended so that code inside that block may be
treated specially by the compiler. The examples given in the proposal
about how this can be used are encryption (compiler support not needed
in principle), disabling speculation (compiler support needed), etc.

Your encryption use case actually needs compiler support if your compiler
is "smart" enough to duplicate your object location.

Post by f***@gmail.com
Also, your template is not safely implementable in C++: you need

cooperation from the compiler in the same way as with the attribute,
because of the possible mutliple locations of your object.
Of course it isn't, that is the whole point of secure_val. :-)
Let me put it this way: I would love secure_val to be implementable in
C++ (or at least part of it, e.g. the auto-clear [[secret]] part that
you are discussing). However, it is not clear yet how many things we
would need to add to the language or how. Some things, like
Spectre-class vulnerabilities, are still being researched. Therefore,
I suggested secure_val first to make the most common use case
concrete, and at the same time give developers a simple solution to
it. Since secure_val does not force almost anything on the vendors
(except the auto-clear), it can be updated to provide further
guarantees as time goes on.

The auto-clear does require compiler support if you want a proper/safe
implementation of it.
But you're right: it can be done incrementally.

Cheers,
Florian

Miguel Ojeda

2018-10-09 14:31:46 UTC

Post by Miguel Ojeda
I am not sure what you mean by "are not about C++" or by "reading a
destroyed value". Do you mean you want to have compiler support so
that other languages (like C) can take advantage of it?

No, I mean these security issues arise beyond the scope of C++.

Agreed, but I am not following what you mean by that (see below).

Post by f***@gmail.com
As far as C++ is concerned, you cannot access a destroyed value (so the secret remains secret).
Any attempt in doing that leads to undefined behaviours: meaning the result does not depends on C++ semantic anymore.
So if every single undefined behavior would crash the program instant (which is actually valid), there would be no secret leaking issue at all.

This is not only about code in the same process reading an old value
(the undefined behavior that I suspect you are talking about). You
also have other things, like core dumps, external agents... Of course,
all outside the scope of C++ in that sense.

In any case, regardless of that, I am not sure why you said "I think
attribute is more appropriate because those security issues are not
about C++". How is that related to this being implemented as an
attribute or not?

Post by f***@gmail.com
That's what I mean when I say it is not about C++.

Agreed.

Post by f***@gmail.com
I don't necessarily want to have it for other languages (but it would be good if we do).

Ditto.

Post by Miguel Ojeda
It depends. Note that the accesses to the secret value must go through
access(). This is intended so that code inside that block may be
treated specially by the compiler. The examples given in the proposal
about how this can be used are encryption (compiler support not needed
in principle), disabling speculation (compiler support needed), etc.

Your encryption use case actually needs compiler support if your compiler is "smart" enough to duplicate your object location.

That is why I said "in principle" :-)

Also, your template is not safely implementable in C++: you need cooperation from the compiler in the same way as with the attribute, because of the possible mutliple locations of your object.

Of course it isn't, that is the whole point of secure_val. :-)
Let me put it this way: I would love secure_val to be implementable in
C++ (or at least part of it, e.g. the auto-clear [[secret]] part that
you are discussing). However, it is not clear yet how many things we
would need to add to the language or how. Some things, like
Spectre-class vulnerabilities, are still being researched. Therefore,
I suggested secure_val first to make the most common use case
concrete, and at the same time give developers a simple solution to
it. Since secure_val does not force almost anything on the vendors
(except the auto-clear), it can be updated to provide further
guarantees as time goes on.

The auto-clear does require compiler support if you want a proper/safe implementation of it.

I am confused: that is what I said, no?

By the way, to avoid confusion: the [[secret]] portion of the
auto-clear requires compiler support. The simple part of zero'ing
memory on destruction (in the sense of calling a secure clear function
that is not optimized away) can be done --- even if as a
workaround/hack --- without compiler support (as some projects/OSs
implement already).

Cheers,
Miguel

--
You received this message because you are subscribed to the Google Groups "ISO C++ Standard - Future Proposals" group.
To unsubscribe from this group and stop receiving emails from it, send an email to std-proposals+***@isocpp.org.
To post to this group, send email to std-***@isocpp.org.
To view this discussion on the web visit https://groups.google.com/a/isocpp.org/d/msgid/std-proposals/CANiq72m6M2YY50UGGKnr4GD7VXtS7isG1nQHh9MhKHFbG97bJw%40mail.gmail.com.

Daniel Gutson

2018-10-09 12:57:38 UTC