...
| Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Compass/ROSE | Automatically detects simple violations of this rule, although it may return some false positives. It may not catch more complex violations, such as initialization within functions taking uninitialized variables as arguments. It does catch the second noncompliant code example, and can be extended to catch the first as well. | ||||||||
| Coverity | 6.5 | UNINIT | Fully Implemented | ||||||
| 5.0 | NO_EFFECT | Can find cases of an uninitialized variable being used before it is initialized, although it cannot detect cases of uninitialized members of a struct. Because Coverity Prevent cannot discover all violations of this rule, further verification is necessary. | |||||||
| Fortify SCA | Can detect violations of this rule, but will return false positives if the initialization was done in another function. | ||||||||
| GCC | 4.3.5 | Can detect some violations of this rule when the | |||||||
| 9.1 | UNINIT.HEAP.MIGHT | ||||||||
| 57 D | Fully implemented. | |||||||
| PRQA QA-C |
| 2961 (D) 2962 (A) 2963 (S) 2971 (D) 2972 (A) | Fully implemented. | ||||||
| Splint | 3.1.1 |
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
| CERT C++ Secure Coding Standard | EXP33-CPP. Do not reference uninitialized memory |
| ISO/IEC TR 24772 | Initialization of variables [LAV] |
| ISO/IEC TS 17961 (Draft) | Referencing uninitialized memory [uninitref] |
Bibliography
| [Flake 2006] | |
| [ISO/IEC 9899:2011] | Section 6.7.9, "Initialization" |
| [Mercy 2006] | |
| [Wang 2012] | "More Randomness or Less" |
| [xorl 2009] | "CVE-2009-1888: SAMBA ACLs Uninitialized Memory Read" |
...