Uninitialized variable

From HandWiki

In computing, an uninitialized variable is a variable that is declared but is not set to a definite known value before it is used. It will have some value, but not a predictable one. As such, it is a programming error and a common source of bugs in software.

Example of the C language

A common assumption made by novice programmers is that all variables are set to a known value, such as zero, when they are declared. While this is true for many languages, it is not true for all of them, and so the potential for error is there. Languages such as C use stack space for variables, and the collection of variables allocated for a subroutine is known as a stack frame. While the computer will set aside the appropriate amount of space for the stack frame, it usually does so simply by adjusting the value of the stack pointer, and does not set the memory itself to any new state (typically out of efficiency concerns). Therefore, whatever contents of that memory at the time will appear as initial values of the variables which occupy those addresses.

Here's a simple example in C:

void count( void )
{
    int k, i;
    
    for (i = 0; i < 10; i++)
    {
        k = k + 1;
    }
    
    printf("%d", k);
}

The final value of k is undefined. The answer that it must be 10 assumes that it started at zero, which may or may not be true. Note that in the example, the variable i is initialized to zero by the first clause of the for statement.

Another example can be when dealing with structs. In the code snippet below, we have a struct student which contains some variables describing the information about a student. The function register_student leaks memory contents because it fails to fully initialize the members of struct student new_student. If we take a closer look, in the beginning, age, semester and student_number are initialized. But the initialization of the first_name and last_name members are incorrect. This is because if the length of first_name and last_name character arrays are less than 16 bytes, during the strcpy,[1] we fail to fully initialize the entire 16 bytes of memory reserved for each of these members. Hence after memcpy()'ing the resulted struct to output,[2] we leak some stack memory to the caller.

struct student {
    unsigned int age;
    unsigned int semester;
    char first_name[16];
    char last_name[16];
    unsigned int student_number;
};

int register_student(struct student *output, int age, char *first_name, char *last_name)
{
    // If any of these pointers are Null, we fail.
    if (!output || !first_name || !last_name)
    {
        printf("Error!\n");
        return -1;
    }

    // We make sure the length of the strings are less than 16 bytes (including the null-byte)
    // in order to avoid overflows
    if (strlen(first_name) > 15 ||  strlen(last_name) > 15) {
      printf("first_name and last_name cannot be longer than 16 characters!\n");
      return -1;
    }

    // Initializing the members
    struct student new_student;
    new_student.age = age;
    new_student.semester = 1;
    new_student.student_number = get_new_student_number();
    
    strcpy(new_student.first_name, first_name);
    strcpy(new_student.last_name, last_name);

    //copying the result to output
    memcpy(output, &new_student, sizeof(struct student));
    return 0;
}

In any case, even when a variable is implicitly initialized to a default value like 0, this is typically not the correct value. Initialized does not mean correct if the value is a default one. (However, default initialization to 0 is a right practice for pointers and arrays of pointers, since it makes them invalid before they are actually initialized to their correct value.) In C, variables with static storage duration that are not initialized explicitly are initialized to zero (or null, for pointers).[3]

Not only are uninitialized variables a frequent cause of bugs, but this kind of bug is particularly serious because it may not be reproducible: for instance, a variable may remain uninitialized only in some branch of the program. In some cases, programs with uninitialized variables may even pass software tests.

Impacts

Uninitialized variables are powerful bugs since they can be exploited to leak arbitrary memory or to achieve arbitrary memory overwrite or to gain code execution, depending on the case. When exploiting a software which utilizes address space layout randomization (ASLR), it is often required to know the base address of the software in memory. Exploiting an uninitialized variable in a way to force the software to leak a pointer from its address space can be used to bypass ASLR.

Use in languages

Uninitialized variables are a particular problem in languages such as assembly language, C, and C++, which were designed for systems programming. The development of these languages involved a design philosophy in which conflicts between performance and safety were generally resolved in favor of performance. The programmer was given the burden of being aware of dangerous issues such as uninitialized variables.

In other languages, variables are often initialized to known values when created. Examples include:

  • VHDL initializes all standard variables into special 'U' value. It is used in simulation, for debugging, to let the user to know when the don't care initial values, through the multi-valued logic, affect the output.
  • Java does not have uninitialized variables. Fields of classes and objects that do not have an explicit initializer and elements of arrays are automatically initialized with the default value for their type (false for boolean, 0 for all numerical types, null for all reference types).[4] Local variables in Java must be definitely assigned to before they are accessed, or it is a compile error.
  • Python initializes local variables to NULL (distinct from None) and raises an UnboundLocalError when such a variable is accessed before being (re)initialized to a valid value.
  • D initializes all variables unless explicitly specified by the programmer not to.

Even in languages where uninitialized variables are allowed, many compilers will attempt to identify the use of uninitialized variables and report them as compile-time errors. Some languages assist this task by offering constructs to handle the initializedness of variables; for example, C# has a special flavour of call-by-reference parameters to subroutines (specified as out instead of the usual ref), asserting that the variable is allowed to be uninitialized on entry but will be initizalized afterwards.

See also

References

Further reading