Hello, scan-build found a 28-step path where an unitialized value could be used in h2s_htx_bck_make_req_headers().
Here is a shortened version: 4378 idx = htx_get_head(htx); // returns the SL that we skip 4379 while ((idx = htx_get_next(htx, idx)) != -1) { 4380 blk = htx_get_blk(htx, idx); 4381 type = htx_get_blk_type(blk); 4382 4383 if (type == HTX_BLK_UNUSED) 4384 continue; 4385 4386 if (type != HTX_BLK_HDR) // (here, assume condition is true, so control leaves the loop...) 4387 break; 4388 4389 if (unlikely(hdr >= sizeof(list)/sizeof(list[0]) - 1)) 4390 goto fail; 4391 // (... and list will not be initialized.) 4392 list[hdr].n = htx_get_blk_name(htx, blk); 4393 list[hdr].v = htx_get_blk_value(htx, blk); 4394 hdr++; 4395 } ... 4450 /* look for the Host header and place it in :authority */ 4451 auth = ist2(NULL, 0); 4452 for (hdr = 0; hdr < sizeof(list)/sizeof(list[0]); hdr++) { 4453 if (isteq(list[hdr].n, ist(""))) // (here, assume the condition is false, so control keeps in this block...) 4454 break; // end 4455 4456 if (isteq(list[hdr].n, ist("host"))) { 4457 auth = list[hdr].v; // (... auth receives an uninitialized value from list ...) 4458 break; 4459 } 4460 } 4461 } 4462 else { 4463 /* for CONNECT, :authority is taken from the path */ 4464 auth = path; 4465 } 4466 // (... and here auth is evaluated, but it contains whatever uninitialized // data that list had, because its initialization has been jumped over.) 4467 if (auth.ptr && !hpack_encode_header(&outbuf, ist(":authority"), auth)) { 4468 /* output full */ 4469 if (b_space_wraps(&h2c->mbuf)) 4470 goto realign_again; 4471 goto full; 4472 } While this feels like a convoluted or unlikely scenario, the path leading to the use of uninitialized value seems to be correctly unearthed by scan-build. Also, there might be a chance that this path invokes undefined behavior, leading to further surprises. Does this make sense? Cheers, -- Ricardo Nabinger Sanchez http://www.taghos.com.br/