You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@zookeeper.apache.org by "Damien Diederen (Jira)" <ji...@apache.org> on 2020/10/05 13:25:00 UTC

[jira] [Assigned] (ZOOKEEPER-3954) use of uninitialized data in zookeeper-client/zookeeper-client-c/src/zookeeper.c:free_auth_completion

     [ https://issues.apache.org/jira/browse/ZOOKEEPER-3954?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Damien Diederen reassigned ZOOKEEPER-3954:
------------------------------------------

    Assignee: Damien Diederen

> use of uninitialized data in zookeeper-client/zookeeper-client-c/src/zookeeper.c:free_auth_completion
> -----------------------------------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-3954
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3954
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: c client
>    Affects Versions: 3.6.2
>            Reporter: Michael Hudson-Doyle
>            Assignee: Damien Diederen
>            Priority: Minor
>
> When compiled with {{-O3}} and {{gcc-10}} (which is the default for Ubuntu on ppc64el), compilation fails like this:
> {code}
> /bin/bash ./libtool -tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I./include -I./tests -I./generated -Wdate-time -D_FORTIFY_SOURCE=2 -Wall -Werror -g -O3 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-security -MT zookeeper.lo -MD -MP -MF .deps/zookeeper.Tpo -c -o zookeeper.lo `test -f 'src/zookeeper.c' || echo './'`src/zookeeper.c libtool: compile: gcc -DHAVE_CONFIG_H -I. -I./include -I./tests -I./generated -Wdate-time -D_FORTIFY_SOURCE=2 -Wall -Werror -g -O3 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-security -MT zookeeper.lo -MD -MP -MF .deps/zookeeper.Tpo -c src/zookeeper.c -fPIC -DPIC -o .libs/zookeeper.o
> src/zookeeper.c: In function 'free_completions': 
> src/zookeeper.c:284:9: error: 'a_list.next' may be used uninitialized in this function [-Werror=maybe-uninitialized] 
> 284 | tmp = a_list>next; 
>     | ~~~^~~~~~~~~~~~~ 
> cc1: all warnings being treated as errors
> {code}
>  What's happening here is that free_auth_completions is being inlined into free_completions, and this lets gcc see that members of a_list are being accessed without initialization. I don't know anything like enough about this code to see if this is a bug in code paths that are actually taken but at a glance it's certainly not obviously impossible: if the two if conditions at the top level of free_completions evaluate false, the function effectively looks like this:
>  
> {code:c}
> void free_completions(zhandle_t *zh,int callCompletion,int reason)
> { 
>  auth_completion_list_t a_list; 
>  free_auth_completion(&a_list); 
> } 
> {code}
> so it's pretty clear that a_list is backed by uninitialized stack memory. Explicitly initializing the variable with "{{a_list = \{NULL, NULL, NULL}}}" makes the warning go away.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)