
Zero initialization


Posted Apr 11, 2021 4:23 UTC (Sun) by milesrout (subscriber, #126894)
In reply to: Zero initialization by excors
Parent article: Cook: Security things in Linux v5.9

>it sounded like milesrout thought code that relied on the automatic initialisation would be "wrong" even in that new language where its behaviour is well-defined, so I was wondering why it'd be any wronger that existing C code that relies on the automatic initialisation of statics (which seems to be widely accepted as a reasonable and safe thing to do).

Of course code that relies on the automatic initialisation wouldn't be wrong. The problem is that wrong code that fails to initialise a variable has no way of giving warnings, because the compiler or static analysis tool has no way to detect that 'zero' is an invalid or unwanted value for that variable in that bit of code.

If I write 'struct foo f;' and then a code path fails to initialise f somewhere, at present the compiler can at least attempt to warn me that I've failed to do so. If it's implicitly zero-initialised then the compiler has no way to know whether:

1. I intended to not initialise it, because I'm relying on automatic zero-initialisation of variables, OR
2. I forgot to initialise it, but it's okay because zero is what I would have initialised it to anyway, OR
3. I forgot to initialise it, and it being zero means there's a gaping security hole in my code.

My concerns have nothing to do with performance.


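The three cases in the comment above, written out as an added example (this is not code from the comment, the article, or the kernel). It assumes the automatic zero-initialisation under discussion is what a compiler option such as -ftrivial-auto-var-init=zero provides, and it picks a scenario where zero is the privileged value: uid 0 is root, so "forgot to set uid" becomes "became root". The user table and names are constructed for the example.

```c
/* Added example (not from the LWN comment): why implicit zero-init can hide
 * a forgotten initialisation that happens to be security-relevant.
 * Assumed scenario: uid 0 means root, so a forgotten assignment == root. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Case 3 as the code would be written today, without automatic zero-init.
 * The "unknown user" path forgets to assign uid. Calling this with an
 * unknown name is undefined behaviour, but that is exactly what lets the
 * compiler help: 'gcc -Wall -O2' (-Wmaybe-uninitialized) and 'clang -Wall'
 * (-Wsometimes-uninitialized) can flag the missing assignment, because
 * nothing claims a default value for uid. (Constructed user table.) */
int is_root_uninit(const char *name)
{
    uid_t uid;

    if (strcmp(name, "root") == 0)
        uid = 0;
    else if (strcmp(name, "alice") == 0)
        uid = 1000;
    else if (strcmp(name, "bob") == 0)
        uid = 1001;
    /* BUG: unknown users fall through without setting uid. */

    return uid == 0;
}

/* The same bug with the effect of automatic zero-initialisation written out
 * by hand (the assumed -ftrivial-auto-var-init=zero would insert this for
 * you). Nothing is undefined any more, so no compiler or analyser can warn:
 * it cannot tell whether 0 is the intended default (case 1 or 2) or the
 * forgotten one (case 3). Here it is case 3: every unknown name is root. */
int is_root_zeroinit(const char *name)
{
    uid_t uid = 0;   /* what the compiler option would insert silently */

    if (strcmp(name, "root") == 0)
        uid = 0;
    else if (strcmp(name, "alice") == 0)
        uid = 1000;
    else if (strcmp(name, "bob") == 0)
        uid = 1001;
    /* same bug, now silent and well-defined */

    return uid == 0;
}

/* A fix that is correct under both semantics: choose an explicit sentinel
 * that is never a valid answer, and make the unknown path fail closed.
 * This no longer depends on what "uninitialised" happens to mean. */
int is_root_fixed(const char *name)
{
    uid_t uid = (uid_t)-1;   /* explicitly "no such user"; never 0 */

    if (strcmp(name, "root") == 0)
        uid = 0;
    else if (strcmp(name, "alice") == 0)
        uid = 1000;
    else if (strcmp(name, "bob") == 0)
        uid = 1001;

    if (uid == (uid_t)-1)
        return 0;            /* unknown user: fail closed, not root */
    return uid == 0;
}

int main(void)
{
    /* is_root_uninit("mallory") is deliberately not called: it is UB. */
    printf("zero-init: is mallory root? %d\n", is_root_zeroinit("mallory"));
    printf("fixed:     is mallory root? %d\n", is_root_fixed("mallory"));
    printf("fixed:     is root root?    %d\n", is_root_fixed("root"));
    return 0;
}
```

Compile is_root_uninit with warnings enabled and the compiler points at the bug; compile is_root_zeroinit the same way and it is silent, even though the code is wrong in exactly the way that matters. The sentinel version is the shape to aim for whichever semantics the toolchain gives you.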


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds