Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Updated references from C11->C23

Local, automatic variables assume unexpected values if they are read before they are initialized.  The The C Standard, 6.7.911, paragraph 1011, specifies [ISO/IEC 9899:20112024]

If an object that has automatic storage duration is not initialized explicitly, its value representation is indeterminate.

See undefined behavior 11.

...

EXP33-C-EX1: Reading uninitialized memory by an lvalue of type unsigned char that could not have been declared with the register storage class does not trigger undefined behavior. The unsigned char type is defined to not have a trap representation, which allows for moving bytes without knowing if they are initialized. (See the C Standard, 6.2.6.1, paragraph 3.) However, ) The requirement that register could not have been used (not merely that it was not used) is because on some architectures, such as the Intel Itanium, registers have a bit to indicate whether or not they have been initialized. The C Standard, 6.3.2.1, paragraph 2, allows such implementations to cause a trap for an object that never had its address taken and is stored in a register if such an object is referred to in any way.

...

Partially Klocwork

ToolVersionCheckerDescription
Astrée
Include Page
Astrée_V
Astrée_V

uninitialized-local-read

uninitialized-variable-use

Fully checked
Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-EXP33
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V
LANG.MEM.UVARUninitialized variable
Compass/ROSE  

Automatically detects Automatically detects simple violations of this rule, although it may return some false positives. It may not catch more complex violations, such as initialization within functions taking uninitialized variables as arguments. It does catch the second noncompliant code example, and can be extended to catch the first as well

Coverity
Include Page
Coverity_V
Coverity_V

UNINIT

Implemented
Cppcheck
Include Page
Cppcheck_V
Cppcheck_V

uninitvar
uninitdata
uninitstring
uninitMemberVar
uninitStructMember

Detects uninitialized variables, uninitialized pointers, uninitialized struct members, and uninitialized array elements (However, if one element is initialized, then cppcheck assumes the array is initialized.)
There are FN compared to some other tools because Cppcheck tries to avoid FP in impossible paths.

GCC4.3.5 

Can detect some violations of this rule when the -Wuninitialized flag is used

Cppcheck Premium

Include Page
Cppcheck Premium

Klocwork
Include Page
_V

Klocwork

Cppcheck Premium_V

UNINIT.HEAP.MIGHT
UNINIT.HEAP.MUST
UNINIT.STACK.ARRAY.MIGHT
UNINIT.STACK.ARRAY.MUST UNINIT.STACK.ARRAY.PARTIAL.MUST
UNINIT.STACK.MIGHT
UNINIT.STACK.MUST

 LDRA tool suite Include PageLDRA_VLDRA_V

53 D, 69 D, 631 S, 652 S

Fully implemented

Parasoft C/C++test9.5BD-BP-NOTINITFully implementedParasoft Insure++  Runtime analysisPolyspace Bug FinderR2016a

Non-initialized pointer,
Non-initialized variable

Pointer not initialized before dereference

Variable not initialized before use

PRQA QA-C Include PagePRQA QA-C_vPRQA QA-C_v2961, 2962, 2963, 2966, 2967, 2968, 2971, 2972, 2973, 2976, 2977, 2978Fully implementedPRQA QA-C++ Include Pagecplusplus:PRQA QA-C++_Vcplusplus:PRQA QA-C++_V

2961, 2962, 2963, 2966, 2967, 2968, 2971, 2972, 2973, 2976, 2977, 2978

 Splint3.1.1      RuleChecker Include PageRuleChecker_VRuleChecker_V

uninitialized-local-read

uninitialized-variable-use

Partially checked

Related Vulnerabilities

uninitvar
uninitdata
uninitstring
uninitMemberVar
uninitStructMember
Detects uninitialized variables, uninitialized pointers, uninitialized struct members, and uninitialized array elements (However, if one element is initialized, then cppcheck assumes the array is initialized.)
There are FN compared to some other tools because Cppcheck tries to avoid FP in impossible paths.
GCC4.3.5

Can detect some violations of this rule when the -Wuninitialized flag is used

Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

DF2726, DF2727, DF2728, DF2961, DF2962, DF2963, DF2966, DF2967, DF2968, DF2971, DF2972, DF2973, DF2976, DF2977, DF2978

Fully implemented
Klocwork
Include Page
Klocwork_V
Klocwork_V

UNINIT.HEAP.MIGHT
UNINIT.HEAP.MUST
UNINIT.STACK.ARRAY.MIGHT
UNINIT.STACK.ARRAY.MUST
UNINIT.STACK.ARRAY.PARTIAL.MUST
UNINIT.STACK.MIGHT
UNINIT.STACK.MUST

Fully implemented
LDRA tool suite
Include Page
LDRA_V
LDRA_V

53 D, 69 D, 631 S, 652 S

Fully implemented

Parasoft C/C++test

Include Page
Parasoft_V
Parasoft_V

CERT_C-EXP33-a

Avoid use before initialization

Parasoft Insure++

Include Page
Parasoft_V
Parasoft_V


Runtime analysis
PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

530, 603, 644, 901

Fully supported

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rule EXP33-C


Checks for:

  • Non-initialized variable
  • Non-initialized pointer

Rule partially covered

PVS-Studio

Include Page
PVS-Studio_V
PVS-Studio_V

V573, V614, V670, V679, V1050

RuleChecker
Include Page
RuleChecker_V
RuleChecker_V

uninitialized-local-read

Partially checked
Splint3.1.1

TrustInSoft Analyzer

Include Page
TrustInSoft Analyzer_V
TrustInSoft Analyzer_V

initialisation
Exhaustively verified (see one compliant and one non-compliant example).

Related Vulnerabilities

CVE-2009-1888 results from a violation of this rule. Some versions of SAMBA (up to 3.3.5) call a function that takes in two potentially uninitialized variables involving access rights. An CVE-2009-1888 results from a violation of this rule. Some versions of SAMBA (up to 3.3.5) call a function that takes in two potentially uninitialized variables involving access rights. An attacker can exploit these coding errors to bypass the access control list and gain access to protected files [xorl 2009].

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

...

2009].

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Key here (explains table format and definitions)

Taxonomy

Taxonomy item

Relationship

CERT C Secure Coding StandardMSC00-C. Compile cleanly at high warning levelsPrior to 2018-01-12: CERT: Unspecified Relationship
CERT C Secure Coding StandardMSC01-C. Strive for logical completenessPrior to 2018-01-12: CERT: Unspecified Relationship
CERT CEXP53-CPP. Do not read uninitialized memoryPrior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TR 24772:2013Initialization of Variables [LAV]Prior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TS 17961Referencing uninitialized memory [uninitref]Prior to 2018-01-12: CERT: Unspecified Relationship
CWE 2.11CWE-4562017-07-05: CERT: Exact
CWE 2.11CWE-4572017-07-05: CERT: Exact
CWE 2.11CWE-7582017-07-05: CERT: Rule subset of CWE
CWE 2.11CWE-9082017-07-05: CERT: Rule subset of CWE

CERT-CWE Mapping Notes

Key here for mapping notes

CWE-119 and EXP33-C


  • Intersection( CWE-119, EXP33-C) = Ø



  • EXP33-C is about reading uninitialized memory, but this memory is considered part of a valid buffer (on the stack, or returned by a heap function). No buffer overflow is involved.


CWE-676 and EXP33-C


  • Intersection( CWE-676, EXP33-C) = Ø



  • EXP33-C implies that memory allocation functions (e.g., malloc()) are dangerous because they do not initialize the memory they reserve. However, the danger is not in their invocation, but rather reading their returned memory without initializing it.


CWE-758 and EXP33-C

Independent( INT34-C, INT36-C, MSC37-C, FLP32-C, EXP33-C, EXP30-C, ERR34-C, ARR32-C)

CWE-758 = Union( EXP33-C, list) where list =


  • Undefined behavior that results from anything other than reading uninitialized memory


CWE-665 and EXP33-C

Intersection( CWE-665, EXP33-C) = Ø

CWE-665 is about correctly initializing items (usually objects), not reading them later. EXP33-C is about reading memory later (that has not been initialized).

CWE-908 and EXP33-C

CWE-908 = Union( EXP33-C, list) where list =


  • Use of uninitialized items besides raw memory (objects, disk space, etc)


New CWE-CERT mappings:

CWE-123 and EXP33-C

Intersection( CWE-123, EXP33-C) = Ø

EXP33-C is only about reading uninitialized memory, not writing, whereas CWE-123 is about writing.

CWE-824 and EXP33-C

EXP33-C = Union( CWE-824, list) where list =


  • Read of uninitialized memory that does not represent a pointer


Bibliography

[Flake 2006] 
[ISO/IEC 9899:20112024]Subclause 6.7.911, "Initialization"
Subclause 6.2.6.1, "General"
Subclause 6.3.2.1, "Lvalues, Arrays, and Function Designators"
[Mercy 2006] 
[VU#925211] 
[Wang 2012]"More Randomness or Less"
[xorl 2009]"CVE-2009-1888: SAMBA ACLs Uninitialized Memory Read"

...


...

Image Modified Image Modified Image Modified