In computing, an uninitialized variable is a variable that is declared but is not set to a definite known value before it is used. It will have some value, but not a predictable one. As such, it is a programming error and a common source of bugs in software.

Example of the C language

A common assumption made by novice programmers is that all variables are set to a known value, such as zero, when they are declared. While this is true for many languages, it is not true for all of them, and so the potential for error is there. Languages such as C use stack space for variables, and the collection of variables allocated for a subroutine is known as a stack frame. While the computer will set aside the appropriate amount of space for the stack frame, it usually does so simply by adjusting the value of the stack pointer, and does not set the memory itself to any new state (typically out of efficiency concerns). Therefore, whatever contents of that memory at the time will appear as initial values of the variables which occupy those addresses. Here's a simple example in C: The final value of is undefined. The answer that it must be 10 assumes that it started at zero, which may or may not be true. Note that in the example, the variable is initialized to zero by the first clause of the statement. Another example can be when dealing with structs. In the code snippet below, we have a which contains some variables describing the information about a student. The function leaks memory contents because it fails to fully initialize the members of. If we take a closer look, in the beginning,, and are initialized. But the initialization of the and members are incorrect. This is because if the length of and character arrays are less than 16 bytes, during the , we fail to fully initialize the entire 16 bytes of memory reserved for each of these members. Hence after 'ing the resulted struct to , we leak some stack memory to the caller. In any case, even when a variable is implicitly initialized to a default value like 0, this is typically not the correct value. Initialized does not mean correct if the value is a default one. (However, default initialization to 0 is a right practice for pointers and arrays of pointers, since it makes them invalid before they are actually initialized to their correct value.) In C, variables with static storage duration that are not initialized explicitly are initialized to zero (or null, for pointers). Not only are uninitialized variables a frequent cause of bugs, but this kind of bug is particularly serious because it may not be reproducible: for instance, a variable may remain uninitialized only in some branch of the program. In some cases, programs with uninitialized variables may even pass software tests.

Impacts

Uninitialized variables are powerful bugs since they can be exploited to leak arbitrary memory or to achieve arbitrary memory overwrite or to gain code execution, depending on the case. When exploiting a software which utilizes address space layout randomization (ASLR), it is often required to know the base address of the software in memory. Exploiting an uninitialized variable in a way to force the software to leak a pointer from its address space can be used to bypass ASLR.

Use in languages

Uninitialized variables are a particular problem in languages such as assembly language, C, and C++, which were designed for systems programming. The development of these languages involved a design philosophy in which conflicts between performance and safety were generally resolved in favor of performance. The programmer was given the burden of being aware of dangerous issues such as uninitialized variables. In other languages, variables are often initialized to known values when created. Examples include: Even in languages where uninitialized variables are allowed, many compilers will attempt to identify the use of uninitialized variables and report them as compile-time errors. Some languages assist this task by offering constructs to handle the initializedness of variables; for example, C# has a special flavour of call-by-reference parameters to subroutines (specified as instead of the usual ), asserting that the variable is allowed to be uninitialized on entry but will be initizalized afterwards.