RFR: 8361871: [GCC static analyzer] complains about use of uninitialized value ckpObject in p11_util.c
Lutz Schmidt
lucy at openjdk.org
Thu Jul 24 16:35:54 UTC 2025
On Tue, 22 Jul 2025 13:33:05 GMT, Matthias Baesken <mbaesken at openjdk.org> wrote:
> Seems the used j*ToCKByteArray helper functions have a potential code path where ckpObject is not written/initialized .
> (we see this when using the gcc flag -fanalyzer)
>
>
> /jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c:1239:16: error: use of uninitialized value 'ckpObject' [CWE-457] [-Werror=analyzer-use-of-uninitialized-value]
> 1239 | return ckpObject;
> | ^~~~~~~~~
>
> /jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c:1246:16: error: use of uninitialized value 'ckpObject' [CWE-457] [-Werror=analyzer-use-of-uninitialized-value]
> 1246 | return ckpObject;
>
>
> /jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c:1290:16: error: use of uninitialized value 'ckpObject' [CWE-457] [-Werror=analyzer-use-of-uninitialized-value]
> 1290 | return ckpObject;
> | ^~~~~~~~~
>
> /jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c:1297:16: error: use of uninitialized value 'ckpObject' [CWE-457] [-Werror=analyzer-use-of-uninitialized-value]
> 1297 | return ckpObject;
Looks good and trivial.
-------------
Marked as reviewed by lucy (Reviewer).
PR Review: https://git.openjdk.org/jdk/pull/26427#pullrequestreview-3052390912
More information about the security-dev
mailing list