Possible uninitialized curlocales[]

[ppisar]

A static analysis on 5.31.1 sources claims that an uninitialized curlocales[] member in locale.c:Perl_init_i18nl10n() can be passed to Safefree(). I believe that that the same flaw exists in the blead sources:

    if (ok < 1) {   /* If we tried to fallback */
        const char* msg;
        if (! setlocale_failure) {  /* fallback succeeded */
           msg = "Falling back to";
        }
        else {  /* fallback failed */
            unsigned int j;

            /* We dropped off the end of the loop, so have to decrement i to
             * get back to the value the last time through */
            i--;

            ok = -1;
            msg = "Failed to fall back to";

            /* To continue, we should use whatever values we've got */

            for (j = 0; j < NOMINAL_LC_ALL_INDEX; j++) {
→               Safefree(curlocales[j]);
                curlocales[j] = savepv(do_setlocale_r(categories[j], NULL));
                DEBUG_LOCALE_INIT(categories[j], NULL, curlocales[j]);
            }
        }

There are only two places where curlocales[] members are initialized:

A place guarded with:

        if (i == 0) {
            unsigned int j;

            if (locwarn) { /* Output failure info only on the first one *

branch. init_i18nl10n() can be called by XS code via init_i18nl14n(aTHX, 0) that will bypass this branch.

And the second place of the initialization is just above that:

#  ifdef LC_ALL

        sl_result[LC_ALL_INDEX] = do_setlocale_c(LC_ALL, trial_locale);
        DEBUG_LOCALE_INIT(LC_ALL, trial_locale, sl_result[LC_ALL_INDEX]);
        if (! sl_result[LC_ALL_INDEX]) {
            setlocale_failure = TRUE;
        }
        else {
            /* Since LC_ALL succeeded, it should have changed all the other
             * categories it can to its value; so we massage things so that the
             * setlocales below just return their category's current values.
             * This adequately handles the case in NetBSD where LC_COLLATE may
             * not be defined for a locale, and setting it individually will
             * fail, whereas setting LC_ALL succeeds, leaving LC_COLLATE set to
             * the POSIX locale. */
            trial_locale = NULL;
        }

#  endif /* LC_ALL */

        if (! setlocale_failure) {
            unsigned int j;
            for (j = 0; j < NOMINAL_LC_ALL_INDEX; j++) {
                curlocales[j]
                        = savepv(do_setlocale_r(categories[j], trial_locale));
                if (! curlocales[j]) {
                    setlocale_failure = TRUE;
                }
                DEBUG_LOCALE_INIT(categories[j], trial_locale, curlocales[j]);
            }

            if (! setlocale_failure) {  /* All succeeded */
                break;  /* Exit trial_locales loop */
            }
        }

If the setlocale_failure is true, e.g. set in the quoted (! sl_result[LC_ALL_INDEX]) condition, then it's possible to never initialize the members of the array.

[ppisar]

By the way, clang comes to the same conclusion:

perl-5.30.1/locale.c:3775:17: warning: 1st function call argument is an uninitialized value
#                 Safefree(curlocales[j]);
#                 ^~~~~~~~~~~~~~~~~~~~~~~
4. perl-5.30.1/handy.h:2436:21: note: expanded from macro 'Safefree'
# #define Safefree(d)     safefree(MEM_LOG_FREE((Malloc_t)(d)))
#                         ^        ~~~~~~~~~~~~~~~~~~~~~~~~~~~
7. perl-5.30.1/perl.h:1142:23: note: expanded from macro 'safefree'
# #  define safefree    safesysfree
#                       ^
10. perl-5.30.1/embed.h:649:22: note: expanded from macro 'safesysfree'
# #define safesysfree             Perl_safesysfree
#                                 ^
13. perl-5.30.1/locale.c:3294:42: note: Assuming the condition is false
#     const char * const setlocale_init = (PerlEnv_getenv("PERL_SKIP_LOCALE_INIT"))
#                                          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
16. perl-5.30.1/iperlsys.h:565:30: note: expanded from macro 'PerlEnv_getenv'
# #define PerlEnv_getenv(str)             getenv((str))
#                                         ^~~~~~~~~~~~~
19. perl-5.30.1/locale.c:3294:41: note: '?' condition is false
#     const char * const setlocale_init = (PerlEnv_getenv("PERL_SKIP_LOCALE_INIT"))
#                                         ^
22. perl-5.30.1/locale.c:3307:27: note: Assuming 'printwarn' is <= 1
#     const bool locwarn = (printwarn > 1
#                           ^~~~~~~~~~~~~
25. perl-5.30.1/locale.c:3307:27: note: Left side of '||' is false
26. perl-5.30.1/locale.c:3308:41: note: Assuming 'printwarn' is 0
#                           || (          printwarn
#                                         ^~~~~~~~~
29. perl-5.30.1/locale.c:3309:31: note: Left side of '&&' is false
#                               && (    ! bad_lang_use_once
#                               ^
32. perl-5.30.1/locale.c:3455:9: note: Assuming 'PL_C_locale_obj' is non-null
#     if (! PL_C_locale_obj) {
#         ^~~~~~~~~~~~~~~~~
35. perl-5.30.1/locale.c:3455:5: note: Taking false branch
#     if (! PL_C_locale_obj) {
#     ^
38. perl-5.30.1/locale.c:3459:9: note: Left side of '||' is false
#     if (DEBUG_Lv_TEST || debug_initialization) {
#         ^
41. perl-5.30.1/perl.h:4132:25: note: expanded from macro 'DEBUG_Lv_TEST'
# #  define DEBUG_Lv_TEST (0)
#                         ^
44. perl-5.30.1/locale.c:3459:5: note: Taking false branch
#     if (DEBUG_Lv_TEST || debug_initialization) {
#     ^
47. perl-5.30.1/locale.c:3523:5: note: Loop condition is true. Entering loop body
#     for (i= 0; i < trial_locales_count; i++) {
#     ^
50. perl-5.30.1/locale.c:3526:13: note: 'i' is <= 0
#         if (i > 0) {
#             ^~~~~
53. perl-5.30.1/locale.c:3526:9: note: Taking false branch
#         if (i > 0) {
#         ^
56. perl-5.30.1/locale.c:3570:13: note: Assuming the condition is true
#         if (! sl_result[LC_ALL_INDEX]) {
#             ^~~~~~~~~~~~~~~~~~~~~~~~~
59. perl-5.30.1/locale.c:3570:9: note: Taking true branch
#         if (! sl_result[LC_ALL_INDEX]) {
#         ^
62. perl-5.30.1/locale.c:3586:13: note: 'setlocale_failure' is true
#         if (! setlocale_failure) {
#             ^~~~~~~~~~~~~~~~~~~
65. perl-5.30.1/locale.c:3586:9: note: Taking false branch
#         if (! setlocale_failure) {
#         ^
68. perl-5.30.1/locale.c:3605:13: note: 'i' is equal to 0
#         if (i == 0) {
#             ^~~~~~
71. perl-5.30.1/locale.c:3605:9: note: Taking true branch
#         if (i == 0) {
#         ^
74. perl-5.30.1/locale.c:3608:17: note: 'locwarn' is false
#             if (locwarn) { /* Output failure info only on the first one */
#                 ^~~~~~~
77. perl-5.30.1/locale.c:3608:13: note: Taking false branch
#             if (locwarn) { /* Output failure info only on the first one */
#             ^
80. perl-5.30.1/locale.c:3707:17: note: Assuming 'lc_all' is null
#             if (lc_all) {
#                 ^~~~~~
83. perl-5.30.1/locale.c:3707:13: note: Taking false branch
#             if (lc_all) {
#             ^
86. perl-5.30.1/locale.c:3717:17: note: Assuming 'lang' is null
#             if (lang) {
#                 ^~~~
89. perl-5.30.1/locale.c:3717:13: note: Taking false branch
#             if (lang) {
#             ^
92. perl-5.30.1/locale.c:3739:13: note: Loop condition is true. Entering loop body
#             for (j = 0; j < trial_locales_count; j++) {
#             ^
95. perl-5.30.1/locale.c:3740:17: note: Taking false branch
#                 if (strEQ("C", trial_locales[j])) {
#                 ^
98. perl-5.30.1/locale.c:3739:13: note: Loop condition is false. Execution continues on line 3744
#             for (j = 0; j < trial_locales_count; j++) {
#             ^
101. perl-5.30.1/locale.c:3523:5: note: Loop condition is true. Entering loop body
#     for (i= 0; i < trial_locales_count; i++) {
#     ^
104. perl-5.30.1/locale.c:3526:13: note: 'i' is > 0
#         if (i > 0) {
#             ^~~~~
107. perl-5.30.1/locale.c:3526:9: note: Taking true branch
#         if (i > 0) {
#         ^
110. perl-5.30.1/locale.c:3570:13: note: Assuming the condition is true
#         if (! sl_result[LC_ALL_INDEX]) {
#             ^~~~~~~~~~~~~~~~~~~~~~~~~
113. perl-5.30.1/locale.c:3570:9: note: Taking true branch
#         if (! sl_result[LC_ALL_INDEX]) {
#         ^
116. perl-5.30.1/locale.c:3586:13: note: 'setlocale_failure' is true
#         if (! setlocale_failure) {
#             ^~~~~~~~~~~~~~~~~~~
119. perl-5.30.1/locale.c:3586:9: note: Taking false branch
#         if (! setlocale_failure) {
#         ^
122. perl-5.30.1/locale.c:3605:13: note: 'i' is not equal to 0
#         if (i == 0) {
#             ^~~~~~
125. perl-5.30.1/locale.c:3605:9: note: Taking false branch
#         if (i == 0) {
#         ^
128. perl-5.30.1/locale.c:3523:5: note: Loop condition is false. Execution continues on line 3757
#     for (i= 0; i < trial_locales_count; i++) {
#     ^
131. perl-5.30.1/locale.c:3757:9: note: 'ok' is < 1
#     if (ok < 1) {   /* If we tried to fallback */
#         ^~~~~~
134. perl-5.30.1/locale.c:3757:5: note: Taking true branch
#     if (ok < 1) {   /* If we tried to fallback */
#     ^
137. perl-5.30.1/locale.c:3759:13: note: 'setlocale_failure' is true
#         if (! setlocale_failure) {  /* fallback succeeded */
#             ^~~~~~~~~~~~~~~~~~~
140. perl-5.30.1/locale.c:3759:9: note: Taking false branch
#         if (! setlocale_failure) {  /* fallback succeeded */
#         ^
143. perl-5.30.1/locale.c:3774:18: note: The value 0 is assigned to 'j'
#             for (j = 0; j < NOMINAL_LC_ALL_INDEX; j++) {
#                  ^~~~~
146. perl-5.30.1/locale.c:3774:13: note: Loop condition is true. Entering loop body
#             for (j = 0; j < NOMINAL_LC_ALL_INDEX; j++) {
#             ^
149. perl-5.30.1/locale.c:3775:17: note: 1st function call argument is an uninitialized value
#                 Safefree(curlocales[j]);
#                 ^~~~~~~~~~~~~~~~~~~~~~~
152. perl-5.30.1/handy.h:2436:21: note: expanded from macro 'Safefree'
# #define Safefree(d)     safefree(MEM_LOG_FREE((Malloc_t)(d)))
#                         ^        ~~~~~~~~~~~~~~~~~~~~~~~~~~~
155. perl-5.30.1/perl.h:1142:23: note: expanded from macro 'safefree'
# #  define safefree    safesysfree
#                       ^
158. perl-5.30.1/embed.h:649:22: note: expanded from macro 'safesysfree'
# #define safesysfree             Perl_safesysfree
#                                 ^
#  3773|   
#  3774|               for (j = 0; j < NOMINAL_LC_ALL_INDEX; j++) {
#  3775|->                 Safefree(curlocales[j]);
#  3776|                   curlocales[j] = savepv(do_setlocale_r(categories[j], NULL));
#  3777|                   DEBUG_LOCALE_INIT(categories[j], NULL, curlocales[j]);

[jpereira]

Not sure, but we have an embedded app that call perl_construct() and perl_destruct() properly. but, the clang is complaining below the report.

=================================================================
==19174==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 1480 byte(s) in 1 object(s) allocated from:
    #0 0x10424ad5d in wrap_malloc (/usr/local/opt/llvm/lib/clang/10.0.1/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64+0x43d5d)
    #1 0x7fff6ae70674 in _duplocale (/usr/lib/system/libsystem_c.dylib:x86_64+0xb674)
    #2 0x7fff6ae70927 in newlocale (/usr/lib/system/libsystem_c.dylib:x86_64+0xb927)
    #3 0x721acf3 in S_emulate_setlocale (/usr/local/opt/perl/lib/perl5/5.32.0/darwin-thread-multi-2level/CORE/libperl.dylib:x86_64+0x135cf3)
    #4 0x721c256 in Perl_init_i18nl10n (/usr/local/opt/perl/lib/perl5/5.32.0/darwin-thread-multi-2level/CORE/libperl.dylib:x86_64+0x137256)
    #5 0x71059f3 in perl_construct (/usr/local/opt/perl/lib/perl5/5.32.0/darwin-thread-multi-2level/CORE/libperl.dylib:x86_64+0x209f3)
    #6 0x70a0fb9 in mod_instantiate (/Users/jpereira/Devel/FreeRADIUS/freeradius-server.git/build/lib/local/.libs/rlm_perl.dylib:x86_64+0x3fb9)
    #7 0x1030cba47 in _module_instantiate (/Users/jpereira/Devel/FreeRADIUS/freeradius-server.git/build/lib/local//.libs/libfreeradius-server.dylib:x86_64+0x188a47)
    #8 0x103b5e3e9 in walk_node_in_order (/Users/jpereira/Devel/FreeRADIUS/freeradius-server.git/build/lib/local//.libs/libfreeradius-util.dylib:x86_64+0x1b53e9)
    #9 0x103b5e42a in walk_node_in_order (/Users/jpereira/Devel/FreeRADIUS/freeradius-server.git/build/lib/local//.libs/libfreeradius-util.dylib:x86_64+0x1b542a)
    #10 0x103b5e24d in walk_node_in_order (/Users/jpereira/Devel/FreeRADIUS/freeradius-server.git/build/lib/local//.libs/libfreeradius-util.dylib:x86_64+0x1b524d)
    #11 0x103b5e42a in walk_node_in_order (/Users/jpereira/Devel/FreeRADIUS/freeradius-server.git/build/lib/local//.libs/libfreeradius-util.dylib:x86_64+0x1b542a)
    #12 0x103b5db4c in rbtree_walk (/Users/jpereira/Devel/FreeRADIUS/freeradius-server.git/build/lib/local//.libs/libfreeradius-util.dylib:x86_64+0x1b4b4c)
    #13 0x1030d9911 in modules_instantiate (/Users/jpereira/Devel/FreeRADIUS/freeradius-server.git/build/lib/local//.libs/libfreeradius-server.dylib:x86_64+0x196911)
    #14 0x102f44a56  (/Users/jpereira/Devel/FreeRADIUS/freeradius-server.git/build/lib/local//.libs/libfreeradius-server.dylib:x86_64+0x1a56)
    #15 0x102e08089 in main (/Users/jpereira/Devel/FreeRADIUS/freeradius-server.git/./build/bin/local/unit_test_module:x86_64+0x100004089)
    #16 0x7fff6ae15cc8 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1acc8)
Direct leak of 1480 byte(s) in 1 object(s) allocated from:
    #0 0x10424ad5d in wrap_malloc (/usr/local/opt/llvm/lib/clang/10.0.1/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64+0x43d5d)
    #1 0x7fff6ae70674 in _duplocale (/usr/lib/system/libsystem_c.dylib:x86_64+0xb674)
    #2 0x7fff6ae70927 in newlocale (/usr/lib/system/libsystem_c.dylib:x86_64+0xb927)
    #3 0x71059d4 in perl_construct (/usr/local/opt/perl/lib/perl5/5.32.0/darwin-thread-multi-2level/CORE/libperl.dylib:x86_64+0x209d4)
    #4 0x70a0fb9 in mod_instantiate (/Users/jpereira/Devel/FreeRADIUS/freeradius-server.git/build/lib/local/.libs/rlm_perl.dylib:x86_64+0x3fb9)
    #5 0x1030cba47 in _module_instantiate (/Users/jpereira/Devel/FreeRADIUS/freeradius-server.git/build/lib/local//.libs/libfreeradius-server.dylib:x86_64+0x188a47)
    #6 0x103b5e3e9 in walk_node_in_order (/Users/jpereira/Devel/FreeRADIUS/freeradius-server.git/build/lib/local//.libs/libfreeradius-util.dylib:x86_64+0x1b53e9)
    #7 0x103b5e42a in walk_node_in_order (/Users/jpereira/Devel/FreeRADIUS/freeradius-server.git/build/lib/local//.libs/libfreeradius-util.dylib:x86_64+0x1b542a)
    #8 0x103b5e24d in walk_node_in_order (/Users/jpereira/Devel/FreeRADIUS/freeradius-server.git/build/lib/local//.libs/libfreeradius-util.dylib:x86_64+0x1b524d)
    #9 0x103b5e42a in walk_node_in_order (/Users/jpereira/Devel/FreeRADIUS/freeradius-server.git/build/lib/local//.libs/libfreeradius-util.dylib:x86_64+0x1b542a)
    #10 0x103b5db4c in rbtree_walk (/Users/jpereira/Devel/FreeRADIUS/freeradius-server.git/build/lib/local//.libs/libfreeradius-util.dylib:x86_64+0x1b4b4c)
    #11 0x1030d9911 in modules_instantiate (/Users/jpereira/Devel/FreeRADIUS/freeradius-server.git/build/lib/local//.libs/libfreeradius-server.dylib:x86_64+0x196911)
    #12 0x102f44a56  (/Users/jpereira/Devel/FreeRADIUS/freeradius-server.git/build/lib/local//.libs/libfreeradius-server.dylib:x86_64+0x1a56)
    #13 0x102e08089 in main (/Users/jpereira/Devel/FreeRADIUS/freeradius-server.git/./build/bin/local/unit_test_module:x86_64+0x100004089)
    #14 0x7fff6ae15cc8 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1acc8)
SUMMARY: AddressSanitizer: 2960 byte(s) leaked in 2 allocation(s).

If not related, never mind.

• OSX Moojave
• Xcode 11.7,
• Perl 5, version 32, subversion 0 (v5.32.0) built for darwin-thread-multi-2level
• Clang 10.0.1

[richardleach]

@jpereira your example looks a bit similar to #18108 ?

(I have no idea what PERL_DESTRUCT_LEVEL should be when an embedded app calls perl_destruct though.)

[jpereira]

Ah! yeah, thank you @richardleach

[jkeenan]

@jpereira your example looks a bit similar to #18108 ?

(I have no idea what PERL_DESTRUCT_LEVEL should be when an embedded app calls perl_destruct though.)

#18108 was closed several months ago on the grounds that no action needed to be taken.

Can we infer that this ticket is also closable?

Thank you very much.
Jim Keenan

[richardleach]

Can we infer that this ticket is also closable?

I'm not sure - the LeakSanitizer errors are expected without PERL_DESTRUCT_LEVEL=2, but the first couple of bits of issue content look like a separate thing. Maybe @khw is able to look those over at some point?

[jkeenan]

By the way, clang comes to the same conclusion:

perl-5.30.1/locale.c:3775:17: warning: 1st function call argument is an uninitialized value
#                 Safefree(curlocales[j]);
#                 ^~~~~~~~~~~~~~~~~~~~~~~
4. perl-5.30.1/handy.h:2436:21: note: expanded from macro 'Safefree'
# #define Safefree(d)     safefree(MEM_LOG_FREE((Malloc_t)(d)))
#                         ^        ~~~~~~~~~~~~~~~~~~~~~~~~~~~
7. perl-5.30.1/perl.h:1142:23: note: expanded from macro 'safefree'
# #  define safefree    safesysfree
#                       ^
10. perl-5.30.1/embed.h:649:22: note: expanded from macro 'safesysfree'
# #define safesysfree             Perl_safesysfree
#                                 ^
13. perl-5.30.1/locale.c:3294:42: note: Assuming the condition is false
#     const char * const setlocale_init = (PerlEnv_getenv("PERL_SKIP_LOCALE_INIT"))
#                                          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
16. perl-5.30.1/iperlsys.h:565:30: note: expanded from macro 'PerlEnv_getenv'
# #define PerlEnv_getenv(str)             getenv((str))
#                                         ^~~~~~~~~~~~~
19. perl-5.30.1/locale.c:3294:41: note: '?' condition is false
#     const char * const setlocale_init = (PerlEnv_getenv("PERL_SKIP_LOCALE_INIT"))
#                                         ^
22. perl-5.30.1/locale.c:3307:27: note: Assuming 'printwarn' is <= 1
#     const bool locwarn = (printwarn > 1
#                           ^~~~~~~~~~~~~
25. perl-5.30.1/locale.c:3307:27: note: Left side of '||' is false
26. perl-5.30.1/locale.c:3308:41: note: Assuming 'printwarn' is 0
#                           || (          printwarn
#                                         ^~~~~~~~~
29. perl-5.30.1/locale.c:3309:31: note: Left side of '&&' is false
#                               && (    ! bad_lang_use_once
#                               ^
32. perl-5.30.1/locale.c:3455:9: note: Assuming 'PL_C_locale_obj' is non-null
#     if (! PL_C_locale_obj) {
#         ^~~~~~~~~~~~~~~~~
35. perl-5.30.1/locale.c:3455:5: note: Taking false branch
#     if (! PL_C_locale_obj) {
#     ^
38. perl-5.30.1/locale.c:3459:9: note: Left side of '||' is false
#     if (DEBUG_Lv_TEST || debug_initialization) {
#         ^
41. perl-5.30.1/perl.h:4132:25: note: expanded from macro 'DEBUG_Lv_TEST'
# #  define DEBUG_Lv_TEST (0)
#                         ^
44. perl-5.30.1/locale.c:3459:5: note: Taking false branch
#     if (DEBUG_Lv_TEST || debug_initialization) {
#     ^
47. perl-5.30.1/locale.c:3523:5: note: Loop condition is true. Entering loop body
#     for (i= 0; i < trial_locales_count; i++) {
#     ^
50. perl-5.30.1/locale.c:3526:13: note: 'i' is <= 0
#         if (i > 0) {
#             ^~~~~
53. perl-5.30.1/locale.c:3526:9: note: Taking false branch
#         if (i > 0) {
#         ^
56. perl-5.30.1/locale.c:3570:13: note: Assuming the condition is true
#         if (! sl_result[LC_ALL_INDEX]) {
#             ^~~~~~~~~~~~~~~~~~~~~~~~~
59. perl-5.30.1/locale.c:3570:9: note: Taking true branch
#         if (! sl_result[LC_ALL_INDEX]) {
#         ^
62. perl-5.30.1/locale.c:3586:13: note: 'setlocale_failure' is true
#         if (! setlocale_failure) {
#             ^~~~~~~~~~~~~~~~~~~
65. perl-5.30.1/locale.c:3586:9: note: Taking false branch
#         if (! setlocale_failure) {
#         ^
68. perl-5.30.1/locale.c:3605:13: note: 'i' is equal to 0
#         if (i == 0) {
#             ^~~~~~
71. perl-5.30.1/locale.c:3605:9: note: Taking true branch
#         if (i == 0) {
#         ^
74. perl-5.30.1/locale.c:3608:17: note: 'locwarn' is false
#             if (locwarn) { /* Output failure info only on the first one */
#                 ^~~~~~~
77. perl-5.30.1/locale.c:3608:13: note: Taking false branch
#             if (locwarn) { /* Output failure info only on the first one */
#             ^
80. perl-5.30.1/locale.c:3707:17: note: Assuming 'lc_all' is null
#             if (lc_all) {
#                 ^~~~~~
83. perl-5.30.1/locale.c:3707:13: note: Taking false branch
#             if (lc_all) {
#             ^
86. perl-5.30.1/locale.c:3717:17: note: Assuming 'lang' is null
#             if (lang) {
#                 ^~~~
89. perl-5.30.1/locale.c:3717:13: note: Taking false branch
#             if (lang) {
#             ^
92. perl-5.30.1/locale.c:3739:13: note: Loop condition is true. Entering loop body
#             for (j = 0; j < trial_locales_count; j++) {
#             ^
95. perl-5.30.1/locale.c:3740:17: note: Taking false branch
#                 if (strEQ("C", trial_locales[j])) {
#                 ^
98. perl-5.30.1/locale.c:3739:13: note: Loop condition is false. Execution continues on line 3744
#             for (j = 0; j < trial_locales_count; j++) {
#             ^
101. perl-5.30.1/locale.c:3523:5: note: Loop condition is true. Entering loop body
#     for (i= 0; i < trial_locales_count; i++) {
#     ^
104. perl-5.30.1/locale.c:3526:13: note: 'i' is > 0
#         if (i > 0) {
#             ^~~~~
107. perl-5.30.1/locale.c:3526:9: note: Taking true branch
#         if (i > 0) {
#         ^
110. perl-5.30.1/locale.c:3570:13: note: Assuming the condition is true
#         if (! sl_result[LC_ALL_INDEX]) {
#             ^~~~~~~~~~~~~~~~~~~~~~~~~
113. perl-5.30.1/locale.c:3570:9: note: Taking true branch
#         if (! sl_result[LC_ALL_INDEX]) {
#         ^
116. perl-5.30.1/locale.c:3586:13: note: 'setlocale_failure' is true
#         if (! setlocale_failure) {
#             ^~~~~~~~~~~~~~~~~~~
119. perl-5.30.1/locale.c:3586:9: note: Taking false branch
#         if (! setlocale_failure) {
#         ^
122. perl-5.30.1/locale.c:3605:13: note: 'i' is not equal to 0
#         if (i == 0) {
#             ^~~~~~
125. perl-5.30.1/locale.c:3605:9: note: Taking false branch
#         if (i == 0) {
#         ^
128. perl-5.30.1/locale.c:3523:5: note: Loop condition is false. Execution continues on line 3757
#     for (i= 0; i < trial_locales_count; i++) {
#     ^
131. perl-5.30.1/locale.c:3757:9: note: 'ok' is < 1
#     if (ok < 1) {   /* If we tried to fallback */
#         ^~~~~~
134. perl-5.30.1/locale.c:3757:5: note: Taking true branch
#     if (ok < 1) {   /* If we tried to fallback */
#     ^
137. perl-5.30.1/locale.c:3759:13: note: 'setlocale_failure' is true
#         if (! setlocale_failure) {  /* fallback succeeded */
#             ^~~~~~~~~~~~~~~~~~~
140. perl-5.30.1/locale.c:3759:9: note: Taking false branch
#         if (! setlocale_failure) {  /* fallback succeeded */
#         ^
143. perl-5.30.1/locale.c:3774:18: note: The value 0 is assigned to 'j'
#             for (j = 0; j < NOMINAL_LC_ALL_INDEX; j++) {
#                  ^~~~~
146. perl-5.30.1/locale.c:3774:13: note: Loop condition is true. Entering loop body
#             for (j = 0; j < NOMINAL_LC_ALL_INDEX; j++) {
#             ^
149. perl-5.30.1/locale.c:3775:17: note: 1st function call argument is an uninitialized value
#                 Safefree(curlocales[j]);
#                 ^~~~~~~~~~~~~~~~~~~~~~~
152. perl-5.30.1/handy.h:2436:21: note: expanded from macro 'Safefree'
# #define Safefree(d)     safefree(MEM_LOG_FREE((Malloc_t)(d)))
#                         ^        ~~~~~~~~~~~~~~~~~~~~~~~~~~~
155. perl-5.30.1/perl.h:1142:23: note: expanded from macro 'safefree'
# #  define safefree    safesysfree
#                       ^
158. perl-5.30.1/embed.h:649:22: note: expanded from macro 'safesysfree'
# #define safesysfree             Perl_safesysfree
#                                 ^
#  3773|   
#  3774|               for (j = 0; j < NOMINAL_LC_ALL_INDEX; j++) {
#  3775|->                 Safefree(curlocales[j]);
#  3776|                   curlocales[j] = savepv(do_setlocale_r(categories[j], NULL));
#  3777|                   DEBUG_LOCALE_INIT(categories[j], NULL, curlocales[j]);

@ppisar, is the output you cited above from Perl's make process or from something non-Perl?

If the former, can you supply the output of ./perl -Ilib -V:config_args so that we can try to reproduce?

Thank you very much.
Jim Keenan

[ppisar]

The log was copied from Coverity tool which uses a plugin for the clang compiler to analyze the compilation units. I don't have an interactive access. According to a log, Configure was invoked like this: /bin/sh Configure -des -Doptimize=none '-Dccflags=-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' '-Dldflags=-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld' '-Dccdlflags=-Wl,--enable-new-dtags -Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld' '-Dlddlflags=-shared -Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld' -Dshrpdir=/usr/lib64 -DDEBUGGING=-g -Dversion=5.30.1 -Dmyhostname=localhost ***@***.*** -Dcc=gcc '-Dcf_by=Red Hat, Inc.' -Dprefix=/usr -Dvendorprefix=/usr -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl5/5.30 -Dsitearch=/usr/local/lib64/perl5/5.30 -Dprivlib=/usr/share/perl5 -Dvendorlib=/usr/share/perl5/vendor_perl -Darchlib=/usr/lib64/perl5 -Dvendorarch=/usr/lib64/perl5/vendor_perl -Darchname=x86_64-linux-thread-multi '-Dlibpth=/usr/local/lib64 /lib64 /usr/lib64' -Duseshrplib -Dusethreads -Duseithreads -Dusedtrace=/usr/bin/dtrace -Duselargefiles -Dd_semctl_semun -Di_db -Ui_ndbm -Di_gdbm -Di_shadow -Di_syslog -Dman3ext=3pm -Duseperlio -Dinstallusrbinperl=n -Ubincompat5005 -Uversiononly '-Dpager=/usr/bin/less -isr' -Dd_gethostent_r_proto -Ud_endhostent_r_proto -Ud_sethostent_r_proto -Ud_endprotoent_r_proto -Ud_setprotoent_r_proto -Ud_endservent_r_proto -Ud_setservent_r_proto -Dscriptdir=/usr/bin -Dusesitecustomize -Duse64bitint The -specs referer to an additional toolchain configuration. $ cat /usr/lib/rpm/redhat/redhat-hardened-cc1 *cc1_options: + %{!r:%{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:-fPIE}}}}}} $ cat /usr/lib/rpm/redhat/redhat-annobin-cc1 *cc1_options: + %{!-fno-use-annobin:%{!iplugindir*:%:find-plugindir()} -fplugin=annobin} $ cat /usr/lib/rpm/redhat/redhat-hardened-ld *self_spec: + %{!static:%{!shared:%{!r:-pie}}}

[hvds]

@khwilliamson I've had a look at the code, and @ppisar's analysis looks valid to me. I think we should be zeroing curlocales up-front, something like:

--- a/locale.c
+++ b/locale.c
@@ -3386,6 +3386,9 @@ Perl_init_i18nl10n(pTHX_ int printwarn)
     my_strlcpy(PL_locale_utf8ness, C_and_POSIX_utf8ness,
                sizeof(PL_locale_utf8ness));
 
+    /* See https://github.com/Perl/perl5/issues/17824 */
+    Zero(curlocales, NOMINAL_LC_ALL_INDEX, char *);
+
 #  ifdef USE_THREAD_SAFE_LOCALE
 #    ifdef WIN32
 

[khwilliamson]

I'm fine with this change. I kind of suspect that clang is wrong. but there is no harm in doing this as a precaution.

The code is quite complicated, and I've been tempted to see if it could be simplified at various times.

[hvds]

I've created PR #18811 to address this.

[khwilliamson]

That PR is now merged