Implements zeroization support across all heapless data structures to securely clear sensitive data from memory:

- When the zeroize feature is enabled, the LenType sealed trait now has Zeroize as a supertrait
- This simplifies the bound for deriving Zeroize for VecInner and other types
- Added tests to verify VecView also implements Zeroize correctly

This feature is essential for security-sensitive applications needing to prevent data leaks from memory dumps.

Note: Zeroize initially worked on Vector purely via derivation, however was not complete without proper bound checks. Without these checks, the deref implementation of Zeroize was used instead, which led to incomplete zeroization of the Vector's contents.

Author: zeenix

.github/workflows/build.yml

@@ -48,7 +48,7 @@ jobs:
           components: miri
 
       - name: Run miri
-        run: MIRIFLAGS=-Zmiri-ignore-leaks cargo miri test --features="alloc,defmt,mpmc_large,portable-atomic-critical-section,serde,ufmt,bytes"
+        run: MIRIFLAGS=-Zmiri-ignore-leaks cargo miri test --features="alloc,defmt,mpmc_large,portable-atomic-critical-section,serde,ufmt,bytes,zeroize"
 
   # Run cargo test
   test:
@@ -84,7 +84,7 @@ jobs:
           toolchain: stable
 
       - name: Run cargo test
-        run: cargo test --features="alloc,defmt,mpmc_large,portable-atomic-critical-section,serde,ufmt,bytes"
+        run: cargo test --features="alloc,defmt,mpmc_large,portable-atomic-critical-section,serde,ufmt,bytes,zeroize"
 
   # Run cargo fmt --check
   style:
@@ -176,6 +176,7 @@ jobs:
           cargo check --target="${target}" --features="portable-atomic-critical-section"
           cargo check --target="${target}" --features="serde"
           cargo check --target="${target}" --features="ufmt"
+          cargo check --target="${target}" --features="zeroize"
         env:
           target: ${{ matrix.target }}
 

CHANGELOG.md

@@ -13,6 +13,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 - Implement `defmt::Format` for `CapacityError`.
 - Implement `TryFrom` for `Deque` from array.
 - Switch from `serde` to `serde_core` for enabling faster compilations.
+- Implement `Zeroize` trait for all data structures with the `zeroize` feature to securely clear sensitive data from memory.
 
 ## [v0.9.1] - 2025-08-19
 

Cargo.toml

@@ -47,6 +47,9 @@ ufmt = ["dep:ufmt", "dep:ufmt-write"]
 # Implement `defmt::Format`.
 defmt = ["dep:defmt"]
 
+# Implement `zeroize::Zeroize` trait.
+zeroize = ["dep:zeroize"]
+
 # Enable larger MPMC sizes.
 mpmc_large = []
 
@@ -63,6 +66,7 @@ serde_core = { version = "1", optional = true, default-features = false }
 ufmt = { version = "0.2", optional = true }
 ufmt-write = { version = "0.1", optional = true }
 defmt = { version = "1.0.1", optional = true }
+zeroize = { version = "1.8", optional = true, default-features = false, features = ["derive"] }
 
 # for the pool module
 [target.'cfg(any(target_arch = "arm", target_pointer_width = "32", target_pointer_width = "64"))'.dependencies]

src/binary_heap.rs

@@ -17,6 +17,9 @@ use core::{
     ptr, slice,
 };
 
+#[cfg(feature = "zeroize")]
+use zeroize::Zeroize;
+
 use crate::vec::{OwnedVecStorage, Vec, VecInner, VecStorage, ViewVecStorage};
 
 /// Min-heap
@@ -55,6 +58,11 @@ impl private::Sealed for Min {}
 ///
 /// In most cases you should use [`BinaryHeap`] or [`BinaryHeapView`] directly. Only use this
 /// struct if you want to write code that's generic over both.
+#[cfg_attr(
+    feature = "zeroize",
+    derive(Zeroize),
+    zeroize(bound = "T: Zeroize, S: Zeroize")
+)]
 pub struct BinaryHeapInner<T, K, S: VecStorage<T> + ?Sized> {
     pub(crate) _kind: PhantomData<K>,
     pub(crate) data: VecInner<T, usize, S>,
@@ -882,6 +890,24 @@ mod tests {
         assert_eq!(heap.pop(), None);
     }
 
+    #[test]
+    #[cfg(feature = "zeroize")]
+    fn test_binary_heap_zeroize() {
+        use zeroize::Zeroize;
+
+        let mut heap = BinaryHeap::<u8, Max, 8>::new();
+        for i in 0..8 {
+            heap.push(i).unwrap();
+        }
+
+        assert_eq!(heap.len(), 8);
+        assert_eq!(heap.peek(), Some(&7));
+
+        // zeroized using Vec's implementation
+        heap.zeroize();
+        assert_eq!(heap.len(), 0);
+    }
+
     fn _test_variance<'a: 'b, 'b>(x: BinaryHeap<&'a (), Max, 42>) -> BinaryHeap<&'b (), Max, 42> {
         x
     }

src/c_string.rs

@@ -10,6 +10,9 @@ use core::{
     ops::Deref,
 };
 
+#[cfg(feature = "zeroize")]
+use zeroize::Zeroize;
+
 /// A fixed capacity [`CString`](https://doc.rust-lang.org/std/ffi/struct.CString.html).
 ///
 /// It stores up to `N - 1` non-nul characters with a trailing nul terminator.
@@ -18,6 +21,20 @@ pub struct CString<const N: usize, LenT: LenType = usize> {
     inner: Vec<u8, N, LenT>,
 }
 
+#[cfg(feature = "zeroize")]
+impl<const N: usize, LenT: LenType> Zeroize for CString<N, LenT> {
+    fn zeroize(&mut self) {
+        self.inner.zeroize();
+
+        const {
+            assert!(N > 0);
+        }
+
+        // SAFETY: We just asserted that `N > 0`.
+        unsafe { self.inner.push_unchecked(b'\0') };
+    }
+}
+
 impl<const N: usize, LenT: LenType> CString<N, LenT> {
     /// Creates a new C-compatible string with a terminating nul byte.
     ///
@@ -483,6 +500,35 @@ mod tests {
         assert_eq!(Borrow::<CStr>::borrow(&string), c"foo");
     }
 
+    #[test]
+    #[cfg(feature = "zeroize")]
+    fn test_cstring_zeroize() {
+        use zeroize::Zeroize;
+
+        let mut c_string = CString::<32>::from_bytes_with_nul(b"sensitive_password\0").unwrap();
+
+        assert_eq!(c_string.to_str(), Ok("sensitive_password"));
+        assert!(!c_string.to_bytes().is_empty());
+        let original_length = c_string.to_bytes().len();
+        assert_eq!(original_length, 18);
+
+        let new_string = CString::<32>::from_bytes_with_nul(b"short\0").unwrap();
+        c_string = new_string;
+
+        assert_eq!(c_string.to_str(), Ok("short"));
+        assert_eq!(c_string.to_bytes().len(), 5);
+
+        // zeroized using Vec's implementation
+        c_string.zeroize();
+
+        assert_eq!(c_string.to_bytes().len(), 0);
+        assert_eq!(c_string.to_bytes_with_nul(), &[0]);
+
+        c_string.extend_from_bytes(b"new_data").unwrap();
+        assert_eq!(c_string.to_str(), Ok("new_data"));
+        assert_eq!(c_string.to_bytes().len(), 8);
+    }
+
     mod equality {
         use super::*;
 

src/deque.rs

@@ -42,10 +42,14 @@ use core::marker::PhantomData;
 use core::mem::{ManuallyDrop, MaybeUninit};
 use core::{ptr, slice};
 
+#[cfg(feature = "zeroize")]
+use zeroize::Zeroize;
+
 /// Base struct for [`Deque`] and [`DequeView`], generic over the [`VecStorage`].
 ///
 /// In most cases you should use [`Deque`] or [`DequeView`] directly. Only use this
 /// struct if you want to write code that's generic over both.
+#[cfg_attr(feature = "zeroize", derive(Zeroize))]
 pub struct DequeInner<T, S: VecStorage<T> + ?Sized> {
     // This phantomdata is required because otherwise rustc thinks that `T` is not used
     phantom: PhantomData<T>,
@@ -1674,4 +1678,29 @@ mod tests {
 
         assert_eq!(Droppable::count(), 0);
     }
+
+    #[test]
+    #[cfg(feature = "zeroize")]
+    fn test_deque_zeroize() {
+        use zeroize::Zeroize;
+
+        let mut deque = Deque::<u8, 16>::new();
+
+        for i in 1..=8 {
+            deque.push_back(i).unwrap();
+        }
+        for i in 9..=16 {
+            deque.push_front(i).unwrap();
+        }
+
+        assert_eq!(deque.len(), 16);
+        assert_eq!(deque.front(), Some(&16));
+        assert_eq!(deque.back(), Some(&8));
+
+        // zeroized using Vec's implementation
+        deque.zeroize();
+
+        assert_eq!(deque.len(), 0);
+        assert!(deque.is_empty());
+    }
 }

src/history_buf.rs

@@ -38,10 +38,14 @@ use core::ops::Deref;
 use core::ptr;
 use core::slice;
 
-mod storage {
-    use core::mem::MaybeUninit;
+#[cfg(feature = "zeroize")]
+use zeroize::Zeroize;
 
+mod storage {
     use super::{HistoryBufInner, HistoryBufView};
+    use core::mem::MaybeUninit;
+    #[cfg(feature = "zeroize")]
+    use zeroize::Zeroize;
 
     /// Trait defining how data for a container is stored.
     ///
@@ -83,6 +87,7 @@ mod storage {
     }
 
     // One sealed layer of indirection to hide the internal details (The MaybeUninit).
+    #[cfg_attr(feature = "zeroize", derive(Zeroize))]
     pub struct HistoryBufStorageInner<T: ?Sized> {
         pub(crate) buffer: T,
     }
@@ -148,6 +153,7 @@ use self::storage::HistoryBufSealedStorage;
 ///
 /// In most cases you should use [`HistoryBuf`] or [`HistoryBufView`] directly. Only use this
 /// struct if you want to write code that's generic over both.
+#[cfg_attr(feature = "zeroize", derive(Zeroize))]
 pub struct HistoryBufInner<T, S: HistoryBufStorage<T> + ?Sized> {
     // This phantomdata is required because otherwise rustc thinks that `T` is not used
     phantom: PhantomData<T>,
@@ -938,6 +944,39 @@ mod tests {
         assert_eq!(DROP_COUNT.load(Ordering::SeqCst), 3);
     }
 
+    #[test]
+    #[cfg(feature = "zeroize")]
+    fn test_history_buf_zeroize() {
+        use zeroize::Zeroize;
+
+        let mut buffer = HistoryBuf::<u8, 8>::new();
+        for i in 0..8 {
+            buffer.write(i);
+        }
+
+        assert_eq!(buffer.len(), 8);
+        assert_eq!(buffer.recent(), Some(&7));
+
+        // Clear to mark formerly used memory as unused, to make sure that it also gets zeroed
+        buffer.clear();
+
+        buffer.write(20);
+        assert_eq!(buffer.len(), 1);
+        assert_eq!(buffer.recent(), Some(&20));
+
+        buffer.zeroize();
+
+        assert_eq!(buffer.len(), 0);
+        assert!(buffer.is_empty());
+
+        // Check that all underlying memory actually got zeroized
+        unsafe {
+            for a in buffer.data.buffer {
+                assert_eq!(a.assume_init(), 0);
+            }
+        }
+    }
+
     fn _test_variance<'a: 'b, 'b>(x: HistoryBuf<&'a (), 42>) -> HistoryBuf<&'b (), 42> {
         x
     }

src/index_map.rs

@@ -8,6 +8,9 @@ use core::{
     ops, slice,
 };
 
+#[cfg(feature = "zeroize")]
+use zeroize::Zeroize;
+
 use hash32::{BuildHasherDefault, FnvHasher};
 
 use crate::Vec;
@@ -66,6 +69,7 @@ use crate::Vec;
 pub type FnvIndexMap<K, V, const N: usize> = IndexMap<K, V, BuildHasherDefault<FnvHasher>, N>;
 
 #[derive(Clone, Copy, Eq, PartialEq)]
+#[cfg_attr(feature = "zeroize", derive(Zeroize))]
 struct HashValue(u16);
 
 impl HashValue {
@@ -80,6 +84,7 @@ impl HashValue {
 
 #[doc(hidden)]
 #[derive(Clone)]
+#[cfg_attr(feature = "zeroize", derive(Zeroize))]
 pub struct Bucket<K, V> {
     hash: HashValue,
     key: K,
@@ -88,6 +93,7 @@ pub struct Bucket<K, V> {
 
 #[doc(hidden)]
 #[derive(Clone, Copy, PartialEq)]
+#[cfg_attr(feature = "zeroize", derive(Zeroize))]
 pub struct Pos {
     // compact representation of `{ hash_value: u16, index: u16 }`
     // To get the most from `NonZero` we store the *value minus 1*. This way `None::Option<Pos>`
@@ -138,6 +144,11 @@ macro_rules! probe_loop {
     }
 }
 
+#[cfg_attr(
+    feature = "zeroize",
+    derive(Zeroize),
+    zeroize(bound = "K: Zeroize, V: Zeroize")
+)]
 struct CoreMap<K, V, const N: usize> {
     entries: Vec<Bucket<K, V>, N, usize>,
     indices: [Option<Pos>; N],
@@ -722,8 +733,14 @@ where
 ///     println!("{}: \"{}\"", book, review);
 /// }
 /// ```
+#[cfg_attr(
+    feature = "zeroize",
+    derive(Zeroize),
+    zeroize(bound = "K: Zeroize, V: Zeroize")
+)]
 pub struct IndexMap<K, V, S, const N: usize> {
     core: CoreMap<K, V, N>,
+    #[cfg_attr(feature = "zeroize", zeroize(skip))]
     build_hasher: S,
 }
 
@@ -1988,4 +2005,28 @@ mod tests {
         let map: FnvIndexMap<usize, f32, 4> = Default::default();
         assert_eq!(map, map);
     }
+
+    #[test]
+    #[cfg(feature = "zeroize")]
+    fn test_index_map_zeroize() {
+        use zeroize::Zeroize;
+
+        let mut map: FnvIndexMap<u8, u8, 8> = FnvIndexMap::new();
+        for i in 1..=8 {
+            map.insert(i, i * 10).unwrap();
+        }
+
+        assert_eq!(map.len(), 8);
+        assert!(!map.is_empty());
+
+        // zeroized using Vec's implementation
+        map.zeroize();
+
+        assert_eq!(map.len(), 0);
+        assert!(map.is_empty());
+
+        map.insert(1, 10).unwrap();
+        assert_eq!(map.len(), 1);
+        assert_eq!(map.get(&1), Some(&10));
+    }
 }