> When using gcc static analyzer (-fanalyzer) with gcc 13.2 the following issue > is reported : > > /jdk/src/jdk.management/linux/native/libmanagement_ext/UnixOperatingSystem.c: > In function 'get_jvmticks': > /jdk/src/jdk.management/linux/native/libmanagement_ext/UnixOperatingSystem.c:208:24: > warning: use of uninitialized value 'systemTicks' [CWE-457] > [-Wanalyzer-use-of-uninitialized-value] > 208 | pticks->usedKernel = systemTicks; > > > vsscanf usually/normally reads the systemTicks info from /proc file system. > see > https://github.com/openjdk/jdk/blob/45726a1f8b8f76586037867a32b82f8ab9b96937/src/jdk.management/linux/native/libmanagement_ext/UnixOperatingSystem.c#L163 > but we never check that the *exact* number of params is read with vsscanf : > n = vsscanf(tmp, fmt, args); > So potentially we could get a non complete info without systemTicks and the > call would still succeed.
Matthias Baesken has updated the pull request incrementally with one additional commit since the last revision: Avoid initialization ------------- Changes: - all: https://git.openjdk.org/jdk/pull/26962/files - new: https://git.openjdk.org/jdk/pull/26962/files/cb0f8dfc..daf31fe6 Webrevs: - full: https://webrevs.openjdk.org/?repo=jdk&pr=26962&range=02 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=26962&range=01-02 Stats: 2 lines in 1 file changed: 0 ins; 0 del; 2 mod Patch: https://git.openjdk.org/jdk/pull/26962.diff Fetch: git fetch https://git.openjdk.org/jdk.git pull/26962/head:pull/26962 PR: https://git.openjdk.org/jdk/pull/26962
