fix use-of-uninitialized-value in survive_kalman_tracker_stats#348
Merged
bl4ckb0ne merged 1 commit into collabora:master from Feb 17, 2026
Conversation
integration_variance[16] is stack-allocated but variance_tracker_calc() may not write all elements when the tracker had zero observations (counts == 0 or variance.size == 0). The uninitialized array is then read by SV_VERBOSE via LINMATH_VEC7_EXPAND / LINMATH_VEC6_EXPAND. Found by MSan when running test_replays. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Collaborator
Thanks!
Summary
integration_variance[16] is stack-allocated without initialization in survive_kalman_tracker_stats(). variance_tracker_calc() calls scalend() which divides by meas->counts and writes meas->variance.size elements. If the tracker had zero observations (no pose or IMU data was ever integrated), counts is 0 and/or variance.size is 0 — so scalend either writes NaN/Inf or writes nothing, leaving the array uninitialized. The array is then read by SV_VERBOSE via LINMATH_VEC7_EXPAND / LINMATH_VEC6_EXPAND.
Found by MSan when running test_replays (replay data with a tracker that had no observations before survive_simple_close()).
MSan report
==5058==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 survive_kalman_tracker_stats survive_kalman_tracker.c:1490
#1 survive_kalman_tracker_free survive_kalman_tracker.c:1569
#2 survive_destroy_device survive_default_devices.c:699
#3 survive_close survive.c:1043
#4 survive_simple_close survive_api.c:339
Uninitialized value was created by an allocation of 'integration_variance'
#0 survive_kalman_tracker_stats survive_kalman_tracker.c:1488
Impact
Stats-only bug. The uninitialized values are only read for debug logging (SV_VERBOSE level 5). No effect on tracking, pose output, or calibration.
Change
One line in src/survive_kalman_tracker.c:
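The PR's diff is not reproduced on this page. What follows is an added example, not libsurvive code, that models the failure mode the description explains: a stand-in variance tracker whose calc routine divides by counts and writes only size elements, probed with a sentinel instead of real uninitialized memory so it stays defined behaviour. The struct, make_tracker(), and the zero-initialise-plus-guard shape of the fix are assumptions; the page only says the fix is one line.

```c
#include <math.h>
#include <stddef.h>

#define VAR_DIM 16
/* Hypothetical stand-in for the project's variance tracker. */
typedef struct {
    size_t counts;          /* observations integrated so far */
    size_t size;            /* dimensions actually tracked */
    double sum_sq[VAR_DIM]; /* accumulated squared residuals */
} variance_tracker_t;
/* Constructed sample data: sum_sq/counts is finite whenever counts > 0. */
static variance_tracker_t make_tracker(size_t counts, size_t size) {
    variance_tracker_t t = { counts, size, {0} };
    for (size_t i = 0; i < size; i++)
        t.sum_sq[i] = 2.0 * (double)(i + 1) * (double)counts;
    return t;
}
/* Stand-in for variance_tracker_calc()/scalend(): writes `size` elements, each
 * divided by `counts`. counts == 0 yields NaN/Inf; size == 0 writes nothing,
 * so `out` keeps whatever it already held. */
static void variance_tracker_calc(const variance_tracker_t *t, double *out) {
    for (size_t i = 0; i < t->size; i++)
        out[i] = t->sum_sq[i] / (double)t->counts;
}
/* Buggy pattern, probed without undefined behaviour: a sentinel stands in for
 * stale stack contents. Returns how many of the VAR_DIM elements a verbose
 * log would read that are still untouched or are non-finite. */
size_t unsafe_reads_buggy(size_t counts, size_t size) {
    const double sentinel = -12345.0;
    variance_tracker_t t = make_tracker(counts, size);
    double integration_variance[VAR_DIM];
    for (size_t i = 0; i < VAR_DIM; i++) integration_variance[i] = sentinel;
    variance_tracker_calc(&t, integration_variance);
    size_t bad = 0;
    for (size_t i = 0; i < VAR_DIM; i++)
        if (integration_variance[i] == sentinel || !isfinite(integration_variance[i])) bad++;
    return bad;
}
/* Hardened pattern: zero-initialise the array (assumed shape of the one-line
 * fix) and, as extra hardening, skip the calc when nothing was integrated. */
size_t unsafe_reads_fixed(size_t counts, size_t size) {
    variance_tracker_t t = make_tracker(counts, size);
    double integration_variance[VAR_DIM] = {0};
    if (counts > 0 && size > 0) variance_tracker_calc(&t, integration_variance);
    size_t bad = 0;
    for (size_t i = 0; i < VAR_DIM; i++)
        if (!isfinite(integration_variance[i])) bad++;
    return bad;
}
```

With a tracker that never integrated anything (counts 0, size 0) the buggy pattern leaves all 16 elements untouched, and with size > 0 but counts 0 it fills them with NaN instead; the hardened version reports zero unsafe reads in both cases.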