Path: csiph.com!v102.xanadu-bbs.net!xanadu-bbs.net!feeder.erje.net!eu.feeder.erje.net!newsreader4.netcologne.de!news.netcologne.de!.POSTED!not-for-mail
From: Beloumi <beloumi@riseup.net>
Newsgroups: comp.lang.java.security
Subject: Zeroization and compiler optimization
Date: Sun, 04 Jan 2015 17:52:49 +0100
Organization: news.netcologne.de
Lines: 19
Distribution: world
Message-ID: <m8br50$a9j$1@newsreader4.netcologne.de>
NNTP-Posting-Host: cable-78-34-11-120.netcologne.de
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Trace: newsreader4.netcologne.de 1420390368 10547 78.34.11.120 (4 Jan 2015 16:52:48 GMT)
X-Complaints-To: abuse@netcologne.de
NNTP-Posting-Date: Sun, 4 Jan 2015 16:52:48 +0000 (UTC)
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
Xref: csiph.com comp.lang.java.security:307

Sensitive data like keys and passwords should be zeroized immediately
which is usually done by Arrays.fill(...).
A compiler may treat this as dead code and it may be eliminated by an
optimization.
Does anybody knows if this is the case for common Java compilers like
javac, ejc... ?
And if so, would the following code prevent such optimizations?

Arrays.fill(input,  (byte) 0);
boolean success = true;
for (byte b : input) {
   if (b != 0) {
      success = false;
      break;
   }
}
if (success == false) {
   System.err.println("zeroization failed");
}