zeroize: replace atomic_fence with optimization_barrier (#1252)

newpavlov · web-flow · commit 3a9a3ac9da63 · 2025-12-20T04:29:10.000+03:00
diff --git a/zeroize/src/aarch64.rs b/zeroize/src/aarch64.rs
@@ -1,6 +1,6 @@
 //! [`Zeroize`] impls for ARM64 SIMD registers.
 
-use crate::{Zeroize, atomic_fence, volatile_write};
+use crate::{Zeroize, optimization_barrier, volatile_write};
 
 use core::arch::aarch64::*;
 
@@ -11,7 +11,7 @@ macro_rules! impl_zeroize_for_simd_register {
                 #[inline]
                 fn zeroize(&mut self) {
                     volatile_write(self, unsafe { core::mem::zeroed() });
-                    atomic_fence();
+                    optimization_barrier(self);
                 }
             }
         )+
diff --git a/zeroize/src/barrier.rs b/zeroize/src/barrier.rs
@@ -0,0 +1,91 @@
+/// Observe the referenced data and prevent the compiler from removing previous writes to it.
+///
+/// This function acts like [`core::hint::black_box`] but takes a reference and
+/// does not return the passed value.
+///
+/// It's implemented using the [`core::arch::asm!`] macro on target arches where `asm!` is stable,
+/// i.e. `aarch64`, `arm`, `arm64ec`, `loongarch64`, `riscv32`, `riscv64`, `s390x`, `x86`, and
+/// `x86_64`.
+///
+/// On all other targets it's implemented using [`core::hint::black_box`] and custom `black_box`
+/// implemented using `#[inline(never)]` and `read_volatile`.
+///
+/// # Examples
+/// ```ignore
+/// use core::num::NonZeroU32;
+/// use zeroize::{ZeroizeOnDrop, zeroize_flat_type};
+///
+/// struct DataToZeroize {
+///     buf: [u8; 32],
+///     pos: NonZeroU32,
+/// }
+///
+/// struct SomeMoreFlatData(u64);
+///
+/// impl Drop for DataToZeroize {
+///     fn drop(&mut self) {
+///         self.buf = [0u8; 32];
+///         self.pos = NonZeroU32::new(32).unwrap();
+///         zeroize::optimization_barrier(self);
+///     }
+/// }
+///
+/// impl zeroize::ZeroizeOnDrop for DataToZeroize {}
+///
+/// let mut data = DataToZeroize {
+///     buf: [3u8; 32],
+///     pos: NonZeroU32::new(32).unwrap(),
+/// };
+///
+/// // data gets zeroized when dropped
+/// ```
+pub(crate) fn optimization_barrier<T: ?Sized>(val: &T) {
+    #[cfg(all(
+        not(miri),
+        any(
+            target_arch = "aarch64",
+            target_arch = "arm",
+            target_arch = "arm64ec",
+            target_arch = "loongarch64",
+            target_arch = "riscv32",
+            target_arch = "riscv64",
+            target_arch = "s390x",
+            target_arch = "x86",
+            target_arch = "x86_64",
+        )
+    ))]
+    unsafe {
+        core::arch::asm!(
+            "# {}",
+            in(reg) val as *const T as *const (),
+            options(readonly, preserves_flags, nostack),
+        );
+    }
+    #[cfg(not(all(
+        not(miri),
+        any(
+            target_arch = "aarch64",
+            target_arch = "arm",
+            target_arch = "arm64ec",
+            target_arch = "loongarch64",
+            target_arch = "riscv32",
+            target_arch = "riscv64",
+            target_arch = "s390x",
+            target_arch = "x86",
+            target_arch = "x86_64",
+        )
+    )))]
+    {
+        /// Custom version of `core::hint::black_box` implemented using
+        /// `#[inline(never)]` and `read_volatile`.
+        #[inline(never)]
+        fn custom_black_box(p: *const u8) {
+            let _ = unsafe { core::ptr::read_volatile(p) };
+        }
+
+        core::hint::black_box(val);
+        if size_of_val(val) > 0 {
+            custom_black_box(val as *const T as *const u8);
+        }
+    }
+}
diff --git a/zeroize/src/lib.rs b/zeroize/src/lib.rs
@@ -250,6 +250,9 @@ mod aarch64;
 #[cfg(any(target_arch = "x86", target_arch = "x86_64"))]
 mod x86;
 
+mod barrier;
+use barrier::optimization_barrier;
+
 use core::{
     marker::{PhantomData, PhantomPinned},
     mem::{MaybeUninit, size_of},
@@ -259,7 +262,6 @@ use core::{
     },
     ops, ptr,
     slice::IterMut,
-    sync::atomic,
 };
 
 #[cfg(feature = "alloc")]
@@ -300,7 +302,7 @@ where
 {
     fn zeroize(&mut self) {
         volatile_write(self, Z::default());
-        atomic_fence();
+        optimization_barrier(self);
     }
 }
 
@@ -334,7 +336,7 @@ macro_rules! impl_zeroize_for_non_zero {
                         None => unreachable!(),
                     };
                     volatile_write(self, ONE);
-                    atomic_fence();
+                    optimization_barrier(self);
                 }
             }
         )+
@@ -425,7 +427,7 @@ where
         // done so by take().
         unsafe { ptr::write_volatile(self, None) }
 
-        atomic_fence();
+        optimization_barrier(self);
     }
 }
 
@@ -441,7 +443,7 @@ impl<Z> Zeroize for MaybeUninit<Z> {
         // Safety:
         // `MaybeUninit` is valid for any byte pattern, including zeros.
         unsafe { ptr::write_volatile(self, MaybeUninit::zeroed()) }
-        atomic_fence();
+        optimization_barrier(self);
     }
 }
 
@@ -467,7 +469,7 @@ impl<Z> Zeroize for [MaybeUninit<Z>] {
         // and 0 is a valid value for `MaybeUninit<Z>`
         // The memory of the slice should not wrap around the address space.
         unsafe { volatile_set(ptr, MaybeUninit::zeroed(), size) }
-        atomic_fence();
+        optimization_barrier(self);
     }
 }
 
@@ -493,7 +495,7 @@ where
         // `self.len()` is also not larger than an `isize`, because of the assertion above.
         // The memory of the slice should not wrap around the address space.
         unsafe { volatile_set(self.as_mut_ptr(), Z::default(), self.len()) };
-        atomic_fence();
+        optimization_barrier(self);
     }
 }
 
@@ -753,14 +755,6 @@ where
     }
 }
 
-/// Use fences to prevent accesses from being reordered before this
-/// point, which should hopefully help ensure that all accessors
-/// see zeroes after this point.
-#[inline(always)]
-fn atomic_fence() {
-    atomic::compiler_fence(atomic::Ordering::SeqCst);
-}
-
 /// Perform a volatile write to the destination
 #[inline(always)]
 fn volatile_write<T: Copy + Sized>(dst: &mut T, src: T) {
@@ -851,7 +845,7 @@ pub unsafe fn zeroize_flat_type<F: Sized>(data: *mut F) {
     unsafe {
         volatile_set(data as *mut u8, 0, size);
     }
-    atomic_fence()
+    optimization_barrier(&data);
 }
 
 /// Internal module used as support for `AssertZeroizeOnDrop`.
diff --git a/zeroize/src/x86.rs b/zeroize/src/x86.rs
@@ -1,6 +1,6 @@
 //! [`Zeroize`] impls for x86 SIMD registers
 
-use crate::{Zeroize, atomic_fence, volatile_write};
+use crate::{Zeroize, optimization_barrier, volatile_write};
 
 #[cfg(target_arch = "x86")]
 use core::arch::x86::*;
@@ -15,7 +15,7 @@ macro_rules! impl_zeroize_for_simd_register {
                 #[inline]
                 fn zeroize(&mut self) {
                     volatile_write(self, unsafe { core::mem::zeroed() });
-                    atomic_fence();
+                    optimization_barrier(self);
                 }
             }
         )*

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	//! [`Zeroize`] impls for ARM64 SIMD registers.
`2`	`2`
`3`		`-use crate::{Zeroize, atomic_fence, volatile_write};`
	`3`	`+use crate::{Zeroize, optimization_barrier, volatile_write};`
`4`	`4`
`5`	`5`	`use core::arch::aarch64::*;`
`6`	`6`
`@@ -11,7 +11,7 @@ macro_rules! impl_zeroize_for_simd_register {`
`11`	`11`	`#[inline]`
`12`	`12`	`fn zeroize(&mut self) {`
`13`	`13`	`volatile_write(self, unsafe { core::mem::zeroed() });`
`14`		`- atomic_fence();`
	`14`	`+ optimization_barrier(self);`
`15`	`15`	`}`
`16`	`16`	`}`
`17`	`17`	`)+`
Original file line number	Diff line number	Diff line change
`@@ -250,6 +250,9 @@ mod aarch64;`
`250`	`250`	`#[cfg(any(target_arch = "x86", target_arch = "x86_64"))]`
`251`	`251`	`mod x86;`
`252`	`252`
	`253`	`+mod barrier;`
	`254`	`+use barrier::optimization_barrier;`
	`255`	`+`
`253`	`256`	`use core::{`
`254`	`257`	`marker::{PhantomData, PhantomPinned},`
`255`	`258`	`mem::{MaybeUninit, size_of},`
`@@ -259,7 +262,6 @@ use core::{`
`259`	`262`	`},`
`260`	`263`	`ops, ptr,`
`261`	`264`	`slice::IterMut,`
`262`		`- sync::atomic,`
`263`	`265`	`};`
`264`	`266`
`265`	`267`	`#[cfg(feature = "alloc")]`
`@@ -300,7 +302,7 @@ where`
`300`	`302`	`{`
`301`	`303`	`fn zeroize(&mut self) {`
`302`	`304`	`volatile_write(self, Z::default());`
`303`		`- atomic_fence();`
	`305`	`+ optimization_barrier(self);`
`304`	`306`	`}`
`305`	`307`	`}`
`306`	`308`
`@@ -334,7 +336,7 @@ macro_rules! impl_zeroize_for_non_zero {`
`334`	`336`	`None => unreachable!(),`
`335`	`337`	`};`
`336`	`338`	`volatile_write(self, ONE);`
`337`		`- atomic_fence();`
	`339`	`+ optimization_barrier(self);`
`338`	`340`	`}`
`339`	`341`	`}`
`340`	`342`	`)+`
`@@ -425,7 +427,7 @@ where`
`425`	`427`	`// done so by take().`
`426`	`428`	`unsafe { ptr::write_volatile(self, None) }`
`427`	`429`
`428`		`- atomic_fence();`
	`430`	`+ optimization_barrier(self);`
`429`	`431`	`}`
`430`	`432`	`}`
`431`	`433`
`@@ -441,7 +443,7 @@ impl<Z> Zeroize for MaybeUninit<Z> {`
`441`	`443`	`// Safety:`
`442`	`444`	// `MaybeUninit` is valid for any byte pattern, including zeros.
`443`	`445`	`unsafe { ptr::write_volatile(self, MaybeUninit::zeroed()) }`
`444`		`- atomic_fence();`
	`446`	`+ optimization_barrier(self);`
`445`	`447`	`}`
`446`	`448`	`}`
`447`	`449`
`@@ -467,7 +469,7 @@ impl<Z> Zeroize for [MaybeUninit<Z>] {`
`467`	`469`	// and 0 is a valid value for `MaybeUninit<Z>`
`468`	`470`	`// The memory of the slice should not wrap around the address space.`
`469`	`471`	`unsafe { volatile_set(ptr, MaybeUninit::zeroed(), size) }`
`470`		`- atomic_fence();`
	`472`	`+ optimization_barrier(self);`
`471`	`473`	`}`
`472`	`474`	`}`
`473`	`475`
`@@ -493,7 +495,7 @@ where`
`493`	`495`	// `self.len()` is also not larger than an `isize`, because of the assertion above.
`494`	`496`	`// The memory of the slice should not wrap around the address space.`
`495`	`497`	`unsafe { volatile_set(self.as_mut_ptr(), Z::default(), self.len()) };`
`496`		`- atomic_fence();`
	`498`	`+ optimization_barrier(self);`
`497`	`499`	`}`
`498`	`500`	`}`
`499`	`501`
`@@ -753,14 +755,6 @@ where`
`753`	`755`	`}`
`754`	`756`	`}`
`755`	`757`
`756`		`-/// Use fences to prevent accesses from being reordered before this`
`757`		`-/// point, which should hopefully help ensure that all accessors`
`758`		`-/// see zeroes after this point.`
`759`		`-#[inline(always)]`
`760`		`-fn atomic_fence() {`
`761`		`- atomic::compiler_fence(atomic::Ordering::SeqCst);`
`762`		`-}`
`763`		`-`
`764`	`758`	`/// Perform a volatile write to the destination`
`765`	`759`	`#[inline(always)]`
`766`	`760`	`fn volatile_write<T: Copy + Sized>(dst: &mut T, src: T) {`
`@@ -851,7 +845,7 @@ pub unsafe fn zeroize_flat_type<F: Sized>(data: *mut F) {`
`851`	`845`	`unsafe {`
`852`	`846`	`volatile_set(data as *mut u8, 0, size);`
`853`	`847`	`}`
`854`		`- atomic_fence()`
	`848`	`+ optimization_barrier(&data);`
`855`	`849`	`}`
`856`	`850`
`857`	`851`	/// Internal module used as support for `AssertZeroizeOnDrop`.
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	//! [`Zeroize`] impls for x86 SIMD registers
`2`	`2`
`3`		`-use crate::{Zeroize, atomic_fence, volatile_write};`
	`3`	`+use crate::{Zeroize, optimization_barrier, volatile_write};`
`4`	`4`
`5`	`5`	`#[cfg(target_arch = "x86")]`
`6`	`6`	`use core::arch::x86::*;`
`@@ -15,7 +15,7 @@ macro_rules! impl_zeroize_for_simd_register {`
`15`	`15`	`#[inline]`
`16`	`16`	`fn zeroize(&mut self) {`
`17`	`17`	`volatile_write(self, unsafe { core::mem::zeroed() });`
`18`		`- atomic_fence();`
	`18`	`+ optimization_barrier(self);`
`19`	`19`	`}`
`20`	`20`	`}`
`21`	`21`	`)*`