stdlib: add the swift_clearSensitive runtime function

Author: eeckstein

include/swift/AST/FeatureAvailability.def

@@ -74,6 +74,7 @@ FEATURE(IsolatedAny,                                    (5, 11))
 FEATURE(TaskExecutor,                                   FUTURE)
 FEATURE(Differentiation,                                FUTURE)
 FEATURE(InitRawStructMetadata,                          FUTURE)
+FEATURE(ClearSensitive,                                 FUTURE)
 
 #undef FEATURE
 #undef FUTURE

include/swift/Runtime/Heap.h

@@ -42,6 +42,9 @@ void *swift_slowAllocTyped(size_t bytes, size_t alignMask, MallocTypeId typeId);
 SWIFT_RUNTIME_EXPORT
 void swift_slowDealloc(void *ptr, size_t bytes, size_t alignMask);
 
+SWIFT_RUNTIME_EXPORT
+void swift_clearSensitive(void *ptr, size_t bytes);
+
 /// Allocate and construct an instance of type \c T.
 ///
 /// \param args The arguments to pass to the constructor for \c T.

include/swift/Runtime/RuntimeFunctions.def

@@ -2825,6 +2825,13 @@ FUNCTION(ExceptionPersonality,
          EFFECT(NoEffect),
          UNKNOWN_MEMEFFECTS)
 
+FUNCTION(ClearSensitive, swift_clearSensitive, C_CC, ClearSensitiveAvailability,
+         RETURNS(VoidTy),
+         ARGS(PtrTy, SizeTy),
+         ATTRS(NoUnwind),
+         EFFECT(NoEffect),
+         UNKNOWN_MEMEFFECTS)
+
 #undef RETURNS
 #undef ARGS
 #undef ATTRS

lib/IRGen/IRGenModule.cpp

@@ -969,6 +969,14 @@ namespace RuntimeConstants {
     return RuntimeAvailability::AlwaysAvailable;
   }
 
+  RuntimeAvailability ClearSensitiveAvailability(ASTContext &Context) {
+    auto featureAvailability = Context.getClearSensitiveAvailability();
+    if (!isDeploymentAvailabilityContainedIn(Context, featureAvailability)) {
+      return RuntimeAvailability::ConditionallyAvailable;
+    }
+    return RuntimeAvailability::AlwaysAvailable;
+  }
+
 } // namespace RuntimeConstants
 
 // We don't use enough attributes to justify generalizing the

stdlib/public/core/EmbeddedRuntime.swift

@@ -338,3 +338,16 @@ func arc4random_buf(buf: UnsafeMutableRawPointer, nbytes: Int)
 public func swift_stdlib_random(_ buf: UnsafeMutableRawPointer, _ nbytes: Int) {
   arc4random_buf(buf: buf, nbytes: nbytes)
 }
+
+@_cdecl("swift_clearSensitive")
+@inline(never)
+public func swift_clearSensitive(buf: UnsafeMutableRawPointer, nbytes: Int) {
+  // TODO: use memset_s if available
+  // Though, it shouldn't make too much difference because the `@inline(never)` should prevent
+  // the optimizer from removing the loop below.
+  let bytePtr = buf.assumingMemoryBound(to: UInt8.self)
+  for i in 0..<nbytes {
+    bytePtr[i] = 0
+  }
+}
+

stdlib/public/runtime/Heap.cpp

@@ -21,6 +21,7 @@
 #include "swift/shims/RuntimeShims.h"
 #include <algorithm>
 #include <stdlib.h>
+#include <string.h>
 #if defined(__APPLE__) && SWIFT_STDLIB_HAS_DARWIN_LIBMALLOC
 #include "swift/Basic/Lazy.h"
 #include <malloc/malloc.h>
@@ -146,3 +147,10 @@ static void swift_slowDeallocImpl(void *ptr, size_t alignMask) {
 void swift::swift_slowDealloc(void *ptr, size_t bytes, size_t alignMask) {
   swift_slowDeallocImpl(ptr, alignMask);
 }
+
+void swift::swift_clearSensitive(void *ptr, size_t bytes) {
+  // TODO: use memset_s if available
+  // Though, it shouldn't make too much difference because the optimizer cannot remove
+  // the following memset without inlining this library function.
+  memset(ptr, 0, bytes);
+}

test/abi/macOS/arm64/stdlib.swift

@@ -562,6 +562,7 @@ Added: __swift_exceptionPersonality
 Added: _swift_willThrowTypedImpl
 Added: __swift_willThrowTypedImpl
 Added: __swift_enableSwizzlingOfAllocationAndRefCountingFunctions_forInstrumentsOnly
+Added: _swift_clearSensitive
 
 // Runtime bincompat functions for Concurrency runtime to detect legacy mode
 Added: _swift_bincompat_useLegacyNonCrashingExecutorChecks

test/abi/macOS/x86_64/stdlib-asserts.swift

@@ -60,3 +60,5 @@ Added: _OBJC_CLASS_$__TtCs20__StaticArrayStorage
 Added: _OBJC_METACLASS_$__TtCs20__StaticArrayStorage
 
 // Runtime Symbols
+Added: _swift_clearSensitive
+