Michael Hudson-Doyle created ZOOKEEPER-3954:
-----------------------------------------------
Summary: use of uninitialized data in
zookeeper-client/zookeeper-client-c/src/zookeeper.c:free_auth_completion
Key: ZOOKEEPER-3954
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3954
Project: ZooKeeper
Issue Type: Bug
Components: c client
Affects Versions: 3.6.2
Reporter: Michael Hudson-Doyle
When compiled with {{-O3}} and {{gcc-10}} (which is the default for Ubuntu on
ppc64el), compilation fails like this:
{code:shell}
/bin/bash ./libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I./include -I./tests -I./generated -Wdate-time -D_FORTIFY_SOURCE=2 -Wall -Werror -g -O3 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-security -MT zookeeper.lo -MD -MP -MF .deps/zookeeper.Tpo -c -o zookeeper.lo `test -f 'src/zookeeper.c' || echo './'`src/zookeeper.c
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I./include -I./tests -I./generated -Wdate-time -D_FORTIFY_SOURCE=2 -Wall -Werror -g -O3 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-security -MT zookeeper.lo -MD -MP -MF .deps/zookeeper.Tpo -c src/zookeeper.c  -fPIC -DPIC -o .libs/zookeeper.o
src/zookeeper.c: In function 'free_completions':
src/zookeeper.c:284:9: error: 'a_list.next' may be used uninitialized in this function [-Werror=maybe-uninitialized]
  284 |         tmp = a_list->next;
      |         ~~~^~~~~~~~~~~~~
cc1: all warnings being treated as errors
{code}
What's happening here is that free_auth_completion is being inlined into
free_completions, and this lets gcc see that members of a_list are being
accessed without initialization. I don't know anything like enough about this
code to see if this is a bug in code paths that are actually taken but at a
glance it's certainly not obviously impossible: if the two if conditions at the
top level of free_completions evaluate false, the function effectively looks
like this:
{code:c}
void free_completions(zhandle_t *zh,int callCompletion,int reason)
{
    auth_completion_list_t a_list;   /* never written on this path */
    free_auth_completion(&a_list);   /* reads a_list.next (line 284) */
}
{code}
so it's pretty clear that a_list is backed by uninitialized stack memory.
Explicitly initializing the variable with "a_list = {NULL, NULL, NULL}" makes
the warning go away.
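As an added illustration, not code from the ZooKeeper client: a constructed stand-in for the pattern above. The head of the pending-auth list lives on the stack, the free routine's first action is to read head->next, and the zero-initializer from the report is what makes the "nothing pending" path well-defined. The struct fields, helper names and the returned count are assumptions modelled on the issue text.

```c
#include <stdlib.h>

/* Constructed stand-in for the client's auth completion list: three fields,
 * which is why "{NULL, NULL, NULL}" fits. Layout is an assumption. */
typedef struct _auth_completion_list {
    void (*completion)(int rc, const void *data);
    const void *auth_data;
    struct _auth_completion_list *next;
} auth_completion_list_t;

/* Same shape as the walk gcc flagged: it reads a_list->next before anything
 * else, so the caller must initialize the head. Returns entries released. */
static int free_auth_completion(auth_completion_list_t *a_list)
{
    int freed = 0;
    auth_completion_list_t *tmp;
    if (a_list == NULL) return 0;
    tmp = a_list->next;              /* the read at zookeeper.c:284 */
    while (tmp != NULL) {
        auth_completion_list_t *tmp_next = tmp->next;
        free(tmp);
        tmp = tmp_next;
        freed++;
    }
    a_list->next = NULL;
    return freed;
}

/* Queue one pending auth entry behind the stack head (constructed helper). */
static void push_pending(auth_completion_list_t *head, const void *data)
{
    auth_completion_list_t *n = calloc(1, sizeof *n);
    if (n == NULL) abort();
    n->auth_data = data;
    n->next = head->next;
    head->next = n;
}

/* The fix from the report: zero the head on the stack. pending == 0 is the
 * "both ifs false" path; the walk now sees an empty list, not stack bytes. */
int free_completions_fixed(int pending)
{
    auth_completion_list_t a_list = {NULL, NULL, NULL};
    for (int i = 0; i < pending; i++)
        push_pending(&a_list, "constructed auth data");
    return free_auth_completion(&a_list);
}
```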