wallet: Fix use of uninitialized value bnb_used in CWallet::CreateTransaction(...)

[practicalswift]

Avoid use of uninitialized value bnb_used in CWallet::CreateTransaction(...).

[maflcko]

This is a return value, so it is never uninitialized.

[practicalswift]

@MarcoFalke In the case of !pick_new_inputs && nValueIn - nValueToSelect > 0 && !IsDust(newTxOut, discard_rate) then an uninitialized bnb_used is read?

[promag]

If pick_new_inputs == false then below bnb_used can be used right? Other output vars (nValueIn and setCoins) are also initialized here.

[promag]

I think the correct fix is to move this out of the loop scope, so it doesn't loose the value since the last coin selection iteration. So move here:

bitcoin/src/wallet/wallet.cpp

Lines 2835 to 2843 in fad42e8

	nFeeRet = 0;
	bool pick_new_inputs = true;
	CAmount nValueIn = 0;
	// BnB selector is the only selector used when this is true.
	// That should only happen on the first pass through the loop.
	coin_selection_params.use_bnb = nSubtractFeeFromAmount == 0; // If we are doing subtract fee from recipient, then don't use BnB
	// Start with no fee and loop until there is enough fee
	while (true)

Because there are 2 cases that skip "pick new inputs":

bitcoin/src/wallet/wallet.cpp

Lines 2987 to 2991 in fad42e8

	if (nFeeRet >= fee_needed_with_change + minimum_value_for_change) {
	pick_new_inputs = false;
	nFeeRet = fee_needed_with_change;
	continue;
	}

bitcoin/src/wallet/wallet.cpp

Lines 3024 to 3028 in fad42e8

	// If subtracting fee from recipients, we now know what fee we
	// need to subtract, we have no reason to reselect inputs
	if (nSubtractFeeFromAmount > 0) {
	pick_new_inputs = false;
	}

And when that happens use_bnb can be used uninitialized.

[DrahtBot]

No more conflicts as of last run.

[promag]

FYI also not initialized in

bitcoin/src/bench/coin_selection.cpp

Line 48 in d96bdd7

bool bnb_used;

But there it should be ok.

[practicalswift]

@MarcoFalke Is my reasoning correct or do your comment still stand? :-)

[practicalswift]

@promag Thanks for reviewing. Anything changes needed to get an utACK or Concept ACK from you? :-)

[maflcko]

We really should have a test case that exercises the logic if !pick_new_inputs. Otherwise it is hard to reason about the correctness of this patch.

[practicalswift]

@MarcoFalke I was asking about the statement "it is never uninitialized". That was a misunderstanding?

[maflcko]

Whenever it is returned, it is initialized. However, if it is not returned, we shouldn't be reading from it, so I was asking about a test case that exercises that exact code path.

[DrahtBot]

The last travis run for this pull request was 59 days ago and is thus outdated. To trigger a fresh travis build, this pull request should be closed and re-opened.

[practicalswift]

@MarcoFalke I originally found this issue by using static analysis but I rediscovered it using dynamic analysis as well. It turns out that this is triggered simply running the test suite under UBSan :-)

wallet/wallet.cpp:2757:59: runtime error: load of value 112, which is not a valid value for type 'bool' !=

See https://travis-ci.org/bitcoin/bitcoin/jobs/429944903#L3960

[maflcko]

Imo this shouldn't be initialized to false. This just silences the bug without fixing it. Imo it should be set to false only when !pick_new_inputs?

[practicalswift]

@MarcoFalke Thanks for reviewing! Addressed feedback. Please re-review :-)

[maflcko]

utACK a23a7f6

[maflcko]

Interesting, I couldn't reproduce this locally with ./configure --with-sanitizers=bool CC=clang CXX=clang++ && make -j 16 src/bitcoind && ./test/functional/rpc_fundrawtransaction.py. Could someone else try this?

[achow101]

utACK a23a7f6

[practicalswift]

Removed "potential" in the title since this use of uninitialized value has been observed also during run-time :-)