Document Number: N2485
Submitter: Aaron Peter Bachmann
Submission Date: 2020-02-19
Add explicit_memset() as non-optional part of <string.h> to C2X


explicit_memset() or something equivalent is useful to securely set or erase memory. Annex K provides memset_s(), but Annex K is optional. Since most C libraries chose not to implement Annex K, that option is less useful than desirable.

Prior work


explicit_memset() shall behave like memset(), with the added stipulation that the call to explicit_memset() is guaranteed not to be optimized away.
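The following is an added example, not code from this proposal. It shows the dead-store problem that motivates the guarantee above, next to a commonly used workaround for libraries that lack such a function. The names demo_explicit_memset, memset_ptr, derive, tag_weak and tag_wiped are hypothetical, and the password string is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: demo_explicit_memset is a hypothetical stand-in name, chosen so
 * it cannot clash with a libc that already ships explicit_memset(). The call
 * goes through a volatile function pointer: the pointer must be loaded at run
 * time, so the compiler cannot prove the callee is memset and drop the call. */
static void *(*volatile memset_ptr)(void *, int, size_t) = memset;

void *demo_explicit_memset(void *s, int c, size_t n)
{
    return memset_ptr(s, c, n);
}

/* Constructed sample: toy "derivation" that leaves secret bytes in key[]. */
static unsigned derive(unsigned char *key, size_t n, const char *pw)
{
    size_t len = strlen(pw);
    unsigned acc = 0;
    for (size_t i = 0; i < n; i++) {
        key[i] = (unsigned char)(pw[len ? i % len : 0] ^ (0x5c + i));
        acc = acc * 31u + key[i];
    }
    return acc;
}

/* Weak: key[] is never read after memset(), so the store is dead and an
 * optimizing compiler may delete it, leaving the secret on the stack. */
unsigned tag_weak(const char *pw)
{
    unsigned char key[32];
    unsigned tag = derive(key, sizeof key, pw);
    memset(key, 0, sizeof key);
    return tag;
}

/* Hardened: same logic, but the wipe is a call the compiler must keep. */
unsigned tag_wiped(const char *pw)
{
    unsigned char key[32];
    unsigned tag = derive(key, sizeof key, pw);
    demo_explicit_memset(key, 0, sizeof key);
    return tag;
}

int main(void)
{
    printf("%u %u\n", tag_weak("constructed-pw"), tag_wiped("constructed-pw"));
    return 0;
}
```

Both functions return the same value. The difference only shows in the generated code: at higher optimization levels, check the disassembly of tag_weak for a missing memset call or store sequence.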

We prefer ...memset...() over since it allows setting an arbitrary value, not just (unsigned char)0.

The name explicit_memset() is used more often than memset_explicit(), so we stick with that.

Given that the standard already uses '_explicit' as a suffix, i.e. atomic_..._explicit(), introducing void *memset_explicit(void *s, int c, size_t len) instead of void *explicit_memset(void *s, int c, size_t len) seems a reasonable alternative.

In order to make explicit_memset() even more useful, a compiler may choose to erase local (partial) copies of *s as well. That is an issue of the quality of the implementation. states: "Therefore, we propose that Annex K be either removed from the next revision of the C standard, or deprecated and then removed."

Proposed wording

After The memset function


add The explicit_memset function


#include <string.h>
void *explicit_memset(void *s, int c, size_t n);


The explicit_memset function copies the value of c (converted to an unsigned char) into each of the first n characters of the object pointed to by s. Unlike memset, any call to the explicit_memset function shall be evaluated strictly according to the rules of the abstract machine as described in ( That is, any call to the explicit_memset function shall assume that the memory indicated by s and n may be accessible in the future and thus contains the values indicated by c.


The explicit_memset function returns the value of s.