Potentially uninitialized local variable¶
ID: cpp/uninitialized-local
Kind: path-problem
Security severity: 7.8
Severity: warning
Precision: medium
Tags:
- security
- external/cwe/cwe-665
- external/cwe/cwe-457
Query suites:
- cpp-security-extended.qls
- cpp-security-and-quality.qls
Click to see the query in the CodeQL repository
A local non-static variable of a non-class type has an undefined value before it is initialized. For example, it is incorrect to rely on an uninitialized integer to have the value 0.
Recommendation¶
Review the code and consider whether the variable should have an initializer or whether some path through the program lacks an assignment to the variable.
Example¶
The function absWrong does not initialize the variable j in the case where i = 0. Functions absCorrect1 and absCorrect2 remedy this deficiency by adding an initializer and adding an assignment to one of the paths through the program, respectively.
int absWrong(int i) {
int j;
if (i > 0) {
j = i;
} else if (i < 0) {
j = -i;
}
return j; // wrong: j may not be initialized before use
}
int absCorrect1(int i) {
int j = 0;
if (i > 0) {
j = i;
} else if (i < 0) {
j = -i;
}
return j; // correct: j always initialized before use
}
int absCorrect2(int i) {
int j;
if (i > 0) {
j = i;
} else if (i < 0) {
j = -i;
} else {
j = 0;
}
return j; // correct: j always initialized before use
}
References¶
ISO/IEC 9899:2011: Programming languages - C (Section 6.3.2.1).
Common Weakness Enumeration: CWE-665.
Common Weakness Enumeration: CWE-457.