babelouest / rhonabwy

Javascript Object Signing and Encryption (JOSE) library - JWK, JWKS, JWS, JWE and JWT
https://babelouest.github.io/rhonabwy/
GNU Lesser General Public License v2.1

maybe-uninitialized warning in r_jws_serialize #1

Closed nlgranger closed 4 years ago

nlgranger commented 4 years ago

GCC 9 raises a warning for a maybe-uninitialized variable in r_jws_serialize (src/jws.c:268). The if/else branches are missing a default, or adj is missing an initial value.

rhonabwy-src/src/jws.c: In function 'r_jws_serialize':
rhonabwy-src/src/jws.c:301:31: error: 'adj' may be used uninitialized in this function [-Werror=maybe-uninitialized]
  301 |           s_out_padding = adj - s.size;
      |                           ~~~~^~~~~~~~
rhonabwy-src/src/jws.c:268:16: note: 'adj' was declared here
  268 |   unsigned int adj;
      |                ^~~

On a related topic, I'm not sure adjusting CFLAGS in the cmake scripts is idiomatic anymore, even to add -Wall -Werror flags (for example or this), though I don't have an opinion on that myself tbh.
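The shape of code behind that diagnostic, as an added illustration rather than rhonabwy's actual r_jws_serialize (the base64url padding arithmetic and the function names are assumptions): a variable assigned only inside an if/else-if chain with no final else, then used, shown beside the initialized form that keeps every path defined.

```c
#include <stddef.h>

/*
 * Constructed example (not rhonabwy's code): output length for
 * base64url-encoding `len` bytes. Each full 3-byte group becomes 4
 * characters; a 1-byte remainder becomes 2 characters, a 2-byte
 * remainder 3. Both functions return the same value for every input;
 * only the shape of the assignment differs.
 */

/* Pattern GCC 9 reports with -Wmaybe-uninitialized: `adj` is written only
 * inside the if/else-if chain and the chain has no final else, so the
 * compiler cannot prove every path assigns it before the use below, even
 * though `len % 3` can only be 0, 1 or 2 at run time. */
size_t b64url_len_flagged(size_t len)
{
    size_t rem = len % 3;
    size_t adj;                 /* declared without an initial value */

    if (rem == 0)
        adj = 0;
    else if (rem == 1)
        adj = 2;
    else if (rem == 2)
        adj = 3;

    return (len / 3) * 4 + adj; /* the warning points at this use */
}

/* Hardened form: `adj` gets a safe default at its declaration, so the
 * chain no longer needs to be exhaustive for the value to be defined.
 * The warning goes away, and a later edit that drops or reorders a
 * branch cannot turn into a read of uninitialized memory. */
size_t b64url_len_fixed(size_t len)
{
    size_t rem = len % 3;
    size_t adj = 0;             /* default covers the no-remainder case */

    if (rem == 1)
        adj = 2;
    else if (rem == 2)
        adj = 3;

    return (len / 3) * 4 + adj;
}
```

Building the first function with `-Wall -Werror` (as the project's CMake flags do) turns the warning into a build failure, which is what makes this class of mistake visible in CI before it reaches a release.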

babelouest commented 4 years ago

Hello @nlgranger ,

Thanks for the report, another gcc-9 over-the-top static analyzer I forgot to make. I fixed it in the last commit.

babelouest commented 4 years ago

Concerning the other topic, I would agree with you, but I find it safer to leave these flags in the cmake file, so that travis ci or github ci can insult me when I forget some best practices.

Also, in the Debian distribution for example, all the -W flags are enabled by default when you build the package, so to avoid patching the upstream source code too often, I prefer being safe and letting the compiler be strict.