The compiler may remove the memset function call for the purposes of optimization (when the -O3 argument is used) in this piece of code:

File: support/passwd_common.c

    int get_password(struct passwd_ctx *ctx)
    {
        ...
        if (apr_password_get("New password: ", buf, &bufsize) != 0)
            goto err_too_long;
        ...
        memset(buf, '\0', sizeof(buf));
        ....
    }

GitHub link: https://github.com/apache/httpd/blob/trunk/support/passwd_common.c#L165

If the file is compiled with the -O3 argument and we then run the command objdump -dr passwd_common.o, the listing will not contain that memset function call.
If needed, 'apr_crypto_memzero()' in APR trunk can be taken and used for that.
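The pattern from the report next to a wipe the optimizer has to keep, as an added example that is not code from httpd or APR. The names secure_memzero, fake_password_get, length_weak and length_hardened are hypothetical, the sample secret is constructed, and the volatile-pointer loop is one common technique, not a statement of how apr_crypto_memzero() is implemented.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: every store goes through a volatile lvalue, so each
 * one is an observable side effect that the compiler may not discard. */
static void secure_memzero(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
}

/* Constructed stand-in for a password prompt: copies a fixed sample string. */
static size_t fake_password_get(char *buf, size_t bufsize)
{
    static const char sample[] = "constructed-sample-secret";
    if (sizeof(sample) > bufsize)
        return 0;
    memcpy(buf, sample, sizeof(sample));
    return sizeof(sample) - 1;
}

/* Pattern from the report: buf is never read after memset, so the call is
 * a dead store and an optimizing build is allowed to drop it. */
static size_t length_weak(void)
{
    char buf[64];
    size_t n = fake_password_get(buf, sizeof(buf));
    memset(buf, '\0', sizeof(buf)); /* dead store: may be removed */
    return n;
}

/* Same flow, but the wipe is done with volatile stores and stays in place. */
static size_t length_hardened(void)
{
    char buf[64];
    size_t n = fake_password_get(buf, sizeof(buf));
    secure_memzero(buf, sizeof(buf));
    return n;
}

int main(void)
{
    printf("weak=%zu hardened=%zu\n", length_weak(), length_hardened());
    return 0;
}
```

Building this at -O3 and disassembling with objdump -dr, as in the report, lets you compare the two functions: the zeroing stores in length_hardened remain, while the memset in length_weak is free to disappear.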