What is the strict aliasing rule?
Solution 1
A typical situation where you encounter strict aliasing problems is when overlaying a struct (like a device/network msg) onto a buffer of the word size of your system (like a pointer to uint32_t
s or uint16_t
s). When you overlay a struct onto such a buffer, or a buffer onto such a struct through pointer casting you can easily violate strict aliasing rules.
So in this kind of setup, if I want to send a message to something I'd have to have two incompatible pointers pointing to the same chunk of memory. I might then naively code something like this:
typedef struct Msg
{
unsigned int a;
unsigned int b;
} Msg;
void SendWord(uint32_t);
int main(void)
{
// Get a 32-bit buffer from the system
uint32_t* buff = malloc(sizeof(Msg));
// Alias that buffer through message
Msg* msg = (Msg*)(buff);
// Send a bunch of messages
for (int i = 0; i < 10; ++i)
{
msg->a = i;
msg->b = i+1;
SendWord(buff[0]);
SendWord(buff[1]);
}
}
The strict aliasing rule makes this setup illegal: dereferencing a pointer that aliases an object that is not of a compatible type or one of the other types allowed by C 2011 6.5 paragraph 71 is undefined behavior. Unfortunately, you can still code this way, maybe get some warnings, have it compile fine, only to have weird unexpected behavior when you run the code.
(GCC appears somewhat inconsistent in its ability to give aliasing warnings, sometimes giving us a friendly warning and sometimes not.)
To see why this behavior is undefined, we have to think about what the strict aliasing rule buys the compiler. Basically, with this rule, it doesn't have to think about inserting instructions to refresh the contents of buff
every run of the loop. Instead, when optimizing, with some annoyingly unenforced assumptions about aliasing, it can omit those instructions, load buff[0]
and buff[1]
into CPU registers once before the loop is run, and speed up the body of the loop. Before strict aliasing was introduced, the compiler had to live in a state of paranoia that the contents of buff
could change by any preceding memory stores. So to get an extra performance edge, and assuming most people don't type-pun pointers, the strict aliasing rule was introduced.
Keep in mind, if you think the example is contrived, this might even happen if you're passing a buffer to another function doing the sending for you, if instead you have.
void SendMessage(uint32_t* buff, size_t size32)
{
for (int i = 0; i < size32; ++i)
{
SendWord(buff[i]);
}
}
And rewrote our earlier loop to take advantage of this convenient function
for (int i = 0; i < 10; ++i)
{
msg->a = i;
msg->b = i+1;
SendMessage(buff, 2);
}
The compiler may or may not be able to or smart enough to try to inline SendMessage and it may or may not decide to load or not load buff again. If SendMessage
is part of another API that's compiled separately, it probably has instructions to load buff's contents. Then again, maybe you're in C++ and this is some templated header only implementation that the compiler thinks it can inline. Or maybe it's just something you wrote in your .c file for your own convenience. Anyway undefined behavior might still ensue. Even when we know some of what's happening under the hood, it's still a violation of the rule so no well defined behavior is guaranteed. So just by wrapping in a function that takes our word delimited buffer doesn't necessarily help.
So how do I get around this?
-
Use a union. Most compilers support this without complaining about strict aliasing. This is allowed in C99 and explicitly allowed in C11.
union { Msg msg; unsigned int asBuffer[sizeof(Msg)/sizeof(unsigned int)]; };
-
You can disable strict aliasing in your compiler (f[no-]strict-aliasing in gcc))
-
You can use
char*
for aliasing instead of your system's word. The rules allow an exception forchar*
(includingsigned char
andunsigned char
). It's always assumed thatchar*
aliases other types. However this won't work the other way: there's no assumption that your struct aliases a buffer of chars.
Beginner beware
This is only one potential minefield when overlaying two types onto each other. You should also learn about endianness, word alignment, and how to deal with alignment issues through packing structs correctly.
Footnote
1 The types that C 2011 6.5 7 allows an lvalue to access are:
- a type compatible with the effective type of the object,
- a qualified version of a type compatible with the effective type of the object,
- a type that is the signed or unsigned type corresponding to the effective type of the object,
- a type that is the signed or unsigned type corresponding to a qualified version of the effective type of the object,
- an aggregate or union type that includes one of the aforementioned types among its members (including, recursively, a member of a subaggregate or contained union), or
- a character type.
Solution 2
The best explanation I have found is by Mike Acton, Understanding Strict Aliasing. It's focused a little on PS3 development, but that's basically just GCC.
From the article:
"Strict aliasing is an assumption, made by the C (or C++) compiler, that dereferencing pointers to objects of different types will never refer to the same memory location (i.e. alias each other.)"
So basically if you have an int*
pointing to some memory containing an int
and then you point a float*
to that memory and use it as a float
you break the rule. If your code does not respect this, then the compiler's optimizer will most likely break your code.
The exception to the rule is a char*
, which is allowed to point to any type.
Solution 3
This is the strict aliasing rule, found in section 3.10 of the C++03 standard (other answers provide good explanation, but none provided the rule itself):
If a program attempts to access the stored value of an object through an lvalue of other than one of the following types the behavior is undefined:
- the dynamic type of the object,
- a cv-qualified version of the dynamic type of the object,
- a type that is the signed or unsigned type corresponding to the dynamic type of the object,
- a type that is the signed or unsigned type corresponding to a cv-qualified version of the dynamic type of the object,
- an aggregate or union type that includes one of the aforementioned types among its members (including, recursively, a member of a subaggregate or contained union),
- a type that is a (possibly cv-qualified) base class type of the dynamic type of the object,
- a
char
orunsigned char
type.
C++11 and C++14 wording (changes emphasized):
If a program attempts to access the stored value of an object through a glvalue of other than one of the following types the behavior is undefined:
- the dynamic type of the object,
- a cv-qualified version of the dynamic type of the object,
- a type similar (as defined in 4.4) to the dynamic type of the object,
- a type that is the signed or unsigned type corresponding to the dynamic type of the object,
- a type that is the signed or unsigned type corresponding to a cv-qualified version of the dynamic type of the object,
- an aggregate or union type that includes one of the aforementioned types among its elements or non-static data members (including, recursively, an element or non-static data member of a subaggregate or contained union),
- a type that is a (possibly cv-qualified) base class type of the dynamic type of the object,
- a
char
orunsigned char
type.
Two changes were small: glvalue instead of lvalue, and clarification of the aggregate/union case.
The third change makes a stronger guarantee (relaxes the strong aliasing rule): The new concept of similar types that are now safe to alias.
Also the C wording (C99; ISO/IEC 9899:1999 6.5/7; the exact same wording is used in ISO/IEC 9899:2011 §6.5 ¶7):
An object shall have its stored value accessed only by an lvalue expression that has one of the following types 73) or 88):
- a type compatible with the effective type of the object,
- a qualified version of a type compatible with the effective type of the object,
- a type that is the signed or unsigned type corresponding to the effective type of the object,
- a type that is the signed or unsigned type corresponding to a qualified version of the effective type of the object,
- an aggregate or union type that includes one of the aforementioned types among its members (including, recursively, a member of a subaggregate or contained union), or
- a character type.
73) or 88) The intent of this list is to specify those circumstances in which an object may or may not be aliased.
Solution 4
Note
This is excerpted from my "What is the Strict Aliasing Rule and Why do we care?" write-up.
What is strict aliasing?
In C and C++ aliasing has to do with what expression types we are allowed to access stored values through. In both C and C++ the standard specifies which expression types are allowed to alias which types. The compiler and optimizer are allowed to assume we follow the aliasing rules strictly, hence the term strict aliasing rule. If we attempt to access a value using a type not allowed it is classified as undefined behavior(UB). Once we have undefined behavior all bets are off, the results of our program are no longer reliable.
Unfortunately with strict aliasing violations, we will often obtain the results we expect, leaving the possibility the a future version of a compiler with a new optimization will break code we thought was valid. This is undesirable and it is a worthwhile goal to understand the strict aliasing rules and how to avoid violating them.
To understand more about why we care, we will discuss issues that come up when violating strict aliasing rules, type punning since common techniques used in type punning often violate strict aliasing rules and how to type pun correctly.
Preliminary examples
Let's look at some examples, then we can talk about exactly what the standard(s) say, examine some further examples and then see how to avoid strict aliasing and catch violations we missed. Here is an example that should not be surprising (live example):
int x = 10;
int *ip = &x;
std::cout << *ip << "\n";
*ip = 12;
std::cout << x << "\n";
We have a int* pointing to memory occupied by an int and this is a valid aliasing. The optimizer must assume that assignments through ip could update the value occupied by x.
The next example shows aliasing that leads to undefined behavior (live example):
int foo( float *f, int *i ) {
*i = 1;
*f = 0.f;
return *i;
}
int main() {
int x = 0;
std::cout << x << "\n"; // Expect 0
x = foo(reinterpret_cast<float*>(&x), &x);
std::cout << x << "\n"; // Expect 0?
}
In the function foo we take an int* and a float*, in this example we call foo and set both parameters to point to the same memory location which in this example contains an int. Note, the reinterpret_cast is telling the compiler to treat the the expression as if it had the type specificed by its template parameter. In this case we are telling it to treat the expression &x as if it had type float*. We may naively expect the result of the second cout to be 0 but with optimization enabled using -O2 both gcc and clang produce the following result:
0
1
Which may not be expected but is perfectly valid since we have invoked undefined behavior. A float can not validly alias an int object. Therefore the optimizer can assume the constant 1 stored when dereferencing i will be the return value since a store through f could not validly affect an int object. Plugging the code in Compiler Explorer shows this is exactly what is happening(live example):
foo(float*, int*): # @foo(float*, int*)
mov dword ptr [rsi], 1
mov dword ptr [rdi], 0
mov eax, 1
ret
The optimizer using Type-Based Alias Analysis (TBAA) assumes 1 will be returned and directly moves the constant value into register eax which carries the return value. TBAA uses the languages rules about what types are allowed to alias to optimize loads and stores. In this case TBAA knows that a float can not alias and int and optimizes away the load of i.
Now, to the Rule-Book
What exactly does the standard say we are allowed and not allowed to do? The standard language is not straightforward, so for each item I will try to provide code examples that demonstrates the meaning.
What does the C11 standard say?
The C11 standard says the following in section 6.5 Expressions paragraph 7:
An object shall have its stored value accessed only by an lvalue expression that has one of the following types:88) — a type compatible with the effective type of the object,
int x = 1;
int *p = &x;
printf("%d\n", *p); // *p gives us an lvalue expression of type int which is compatible with int
— a qualified version of a type compatible with the effective type of the object,
int x = 1;
const int *p = &x;
printf("%d\n", *p); // *p gives us an lvalue expression of type const int which is compatible with int
— a type that is the signed or unsigned type corresponding to the effective type of the object,
int x = 1;
unsigned int *p = (unsigned int*)&x;
printf("%u\n", *p ); // *p gives us an lvalue expression of type unsigned int which corresponds to
// the effective type of the object
gcc/clang has an extension and also that allows assigning unsigned int* to int* even though they are not compatible types.
— a type that is the signed or unsigned type corresponding to a qualified version of the effective type of the object,
int x = 1;
const unsigned int *p = (const unsigned int*)&x;
printf("%u\n", *p ); // *p gives us an lvalue expression of type const unsigned int which is a unsigned type
// that corresponds with to a qualified verison of the effective type of the object
— an aggregate or union type that includes one of the aforementioned types among its members (including, recursively, a member of a subaggregate or contained union), or
struct foo {
int x;
};
void foobar( struct foo *fp, int *ip ); // struct foo is an aggregate that includes int among its members so it can
// can alias with *ip
foo f;
foobar( &f, &f.x );
— a character type.
int x = 65;
char *p = (char *)&x;
printf("%c\n", *p ); // *p gives us an lvalue expression of type char which is a character type.
// The results are not portable due to endianness issues.
What the C++17 Draft Standard say
The C++17 draft standard in section [basic.lval] paragraph 11 says:
If a program attempts to access the stored value of an object through a glvalue of other than one of the following types the behavior is undefined:63 (11.1) — the dynamic type of the object,
void *p = malloc( sizeof(int) ); // We have allocated storage but not started the lifetime of an object
int *ip = new (p) int{0}; // Placement new changes the dynamic type of the object to int
std::cout << *ip << "\n"; // *ip gives us a glvalue expression of type int which matches the dynamic type
// of the allocated object
(11.2) — a cv-qualified version of the dynamic type of the object,
int x = 1;
const int *cip = &x;
std::cout << *cip << "\n"; // *cip gives us a glvalue expression of type const int which is a cv-qualified
// version of the dynamic type of x
(11.3) — a type similar (as defined in 7.5) to the dynamic type of the object,
(11.4) — a type that is the signed or unsigned type corresponding to the dynamic type of the object,
// Both si and ui are signed or unsigned types corresponding to each others dynamic types
// We can see from this godbolt(https://godbolt.org/g/KowGXB) the optimizer assumes aliasing.
signed int foo( signed int &si, unsigned int &ui ) {
si = 1;
ui = 2;
return si;
}
(11.5) — a type that is the signed or unsigned type corresponding to a cv-qualified version of the dynamic type of the object,
signed int foo( const signed int &si1, int &si2); // Hard to show this one assumes aliasing
(11.6) — an aggregate or union type that includes one of the aforementioned types among its elements or nonstatic data members (including, recursively, an element or non-static data member of a subaggregate or contained union),
struct foo {
int x;
};
// Compiler Explorer example(https://godbolt.org/g/z2wJTC) shows aliasing assumption
int foobar( foo &fp, int &ip ) {
fp.x = 1;
ip = 2;
return fp.x;
}
foo f;
foobar( f, f.x );
(11.7) — a type that is a (possibly cv-qualified) base class type of the dynamic type of the object,
struct foo { int x ; };
struct bar : public foo {};
int foobar( foo &f, bar &b ) {
f.x = 1;
b.x = 2;
return f.x;
}
(11.8) — a char, unsigned char, or std::byte type.
int foo( std::byte &b, uint32_t &ui ) {
b = static_cast<std::byte>('a');
ui = 0xFFFFFFFF;
return std::to_integer<int>( b ); // b gives us a glvalue expression of type std::byte which can alias
// an object of type uint32_t
}
Worth noting signed char is not included in the list above, this is a notable difference from C which says a character type.
What is Type Punning
We have gotten to this point and we may be wondering, why would we want to alias for? The answer typically is to type pun, often the methods used violate strict aliasing rules.
Sometimes we want to circumvent the type system and interpret an object as a different type. This is called type punning, to reinterpret a segment of memory as another type. Type punning is useful for tasks that want access to the underlying representation of an object to view, transport or manipulate. Typical areas we find type punning being used are compilers, serialization, networking code, etc…
Traditionally this has been accomplished by taking the address of the object, casting it to a pointer of the type we want to reinterpret it as and then accessing the value, or in other words by aliasing. For example:
int x = 1 ;
// In C
float *fp = (float*)&x ; // Not a valid aliasing
// In C++
float *fp = reinterpret_cast<float*>(&x) ; // Not a valid aliasing
printf( "%f\n", *fp ) ;
As we have seen earlier this is not a valid aliasing, so we are invoking undefined behavior. But traditionally compilers did not take advantage of strict aliasing rules and this type of code usually just worked, developers have unfortunately gotten used to doing things this way. A common alternate method for type punning is through unions, which is valid in C but undefined behavior in C++ (see live example):
union u1
{
int n;
float f;
} ;
union u1 u;
u.f = 1.0f;
printf( "%d\n”, u.n ); // UB in C++ n is not the active member
This is not valid in C++ and some consider the purpose of unions to be solely for implementing variant types and feel using unions for type punning is an abuse.
How do we Type Pun correctly?
The standard method for type punning in both C and C++ is memcpy. This may seem a little heavy handed but the optimizer should recognize the use of memcpy for type punning and optimize it away and generate a register to register move. For example if we know int64_t is the same size as double:
static_assert( sizeof( double ) == sizeof( int64_t ) ); // C++17 does not require a message
we can use memcpy:
void func1( double d ) {
std::int64_t n;
std::memcpy(&n, &d, sizeof d);
//...
At a sufficient optimization level any decent modern compiler generates identical code to the previously mentioned reinterpret_cast method or union method for type punning. Examining the generated code we see it uses just register mov (live Compiler Explorer Example).
C++20 and bit_cast
In C++20 we may gain bit_cast (implementation available in link from proposal) which gives a simple and safe way to type-pun as well as being usable in a constexpr context.
The following is an example of how to use bit_cast to type pun a unsigned int to float, (see it live):
std::cout << bit_cast<float>(0x447a0000) << "\n" ; //assuming sizeof(float) == sizeof(unsigned int)
In the case where To and From types don't have the same size, it requires us to use an intermediate struct15. We will use a struct containing a sizeof( unsigned int ) character array (assumes 4 byte unsigned int) to be the From type and unsigned int as the To type.:
struct uint_chars {
unsigned char arr[sizeof( unsigned int )] = {} ; // Assume sizeof( unsigned int ) == 4
};
// Assume len is a multiple of 4
int bar( unsigned char *p, size_t len ) {
int result = 0;
for( size_t index = 0; index < len; index += sizeof(unsigned int) ) {
uint_chars f;
std::memcpy( f.arr, &p[index], sizeof(unsigned int));
unsigned int result = bit_cast<unsigned int>(f);
result += foo( result );
}
return result ;
}
It is unfortunate that we need this intermediate type but that is the current constraint of bit_cast.
Catching Strict Aliasing Violations
We don't have a lot of good tools for catching strict aliasing in C++, the tools we have will catch some cases of strict aliasing violations and some cases of misaligned loads and stores.
gcc using the flag -fstrict-aliasing and -Wstrict-aliasing can catch some cases although not without false positives/negatives. For example the following cases will generate a warning in gcc (see it live):
int a = 1;
short j;
float f = 1.f; // Originally not initialized but tis-kernel caught
// it was being accessed w/ an indeterminate value below
printf("%i\n", j = *(reinterpret_cast<short*>(&a)));
printf("%i\n", j = *(reinterpret_cast<int*>(&f)));
although it will not catch this additional case (see it live):
int *p;
p=&a;
printf("%i\n", j = *(reinterpret_cast<short*>(p)));
Although clang allows these flags it apparently does not actually implement the warnings.
Another tool we have available to us is ASan which can catch misaligned loads and stores. Although these are not directly strict aliasing violations they are a common result of strict aliasing violations. For example the following cases will generate runtime errors when built with clang using -fsanitize=address
int *x = new int[2]; // 8 bytes: [0,7].
int *u = (int*)((char*)x + 6); // regardless of alignment of x this will not be an aligned address
*u = 1; // Access to range [6-9]
printf( "%d\n", *u ); // Access to range [6-9]
The last tool I will recommend is C++ specific and not strictly a tool but a coding practice, don't allow C-style casts. Both gcc and clang will produce a diagnostic for C-style casts using -Wold-style-cast. This will force any undefined type puns to use reinterpret_cast, in general reinterpret_cast should be a flag for closer code review. It is also easier to search your code base for reinterpret_cast to perform an audit.
For C we have all the tools already covered and we also have tis-interpreter, a static analyzer that exhaustively analyzes a program for a large subset of the C language. Given a C verions of the earlier example where using -fstrict-aliasing misses one case (see it live)
int a = 1;
short j;
float f = 1.0 ;
printf("%i\n", j = *((short*)&a));
printf("%i\n", j = *((int*)&f));
int *p;
p=&a;
printf("%i\n", j = *((short*)p));
tis-interpeter is able to catch all three, the following example invokes tis-kernal as tis-interpreter (output is edited for brevity):
./bin/tis-kernel -sa example1.c
...
example1.c:9:[sa] warning: The pointer (short *)(& a) has type short *. It violates strict aliasing
rules by accessing a cell with effective type int.
...
example1.c:10:[sa] warning: The pointer (int *)(& f) has type int *. It violates strict aliasing rules by
accessing a cell with effective type float.
Callstack: main
...
example1.c:15:[sa] warning: The pointer (short *)p has type short *. It violates strict aliasing rules by
accessing a cell with effective type int.
Finally there is TySan which is currently in development. This sanitizer adds type checking information in a shadow memory segment and checks accesses to see if they violate aliasing rules. The tool potentially should be able to catch all aliasing violations but may have a large run-time overhead.
Solution 5
Strict aliasing doesn't refer only to pointers, it affects references as well, I wrote a paper about it for the boost developer wiki and it was so well received that I turned it into a page on my consulting web site. It explains completely what it is, why it confuses people so much and what to do about it. Strict Aliasing White Paper. In particular it explains why unions are risky behavior for C++, and why using memcpy is the only fix portable across both C and C++. Hope this is helpful.
Benoit
Started programming on a good old TRS-80 Model I Spent most of my time working with embedded processors. Everything from 8-bit micros to 32-bit systems. Now teaching for a living.
Updated on June 10, 2021Comments
-
Benoit about 3 years
When asking about common undefined behavior in C, people sometimes refer to the strict aliasing rule.
What are they talking about? -
Matthieu M. over 13 yearsI am coming after the battle it seems.. may
unsigned char*
be used farchar*
instead ? I tend to useunsigned char
rather thanchar
as the underlying type forbyte
because my bytes are not signed and I don't want the weirdness of signed behavior (notably wrt to overflow) -
Thomas Eding about 13 years@Matthieu: Signedness makes no difference to alias rules, so using
unsigned char *
is okay. -
phorgan1 almost 13 yearsYou can alias between references and between a reference and a pointer as well. See my tutorial dbp-consulting.com/tutorials/StrictAliasing.html
-
Ben Voigt almost 13 yearsWhy not
SendToStupidApi(&msg->a)
? -
R. Martinho Fernandes almost 13 yearsIsn't it undefined behaviour to read from an union member different from the last one written to?
-
Andriy Tylychko almost 13 years@Doug T.: as I understand, the same problem is on receiving side too when
StupidAPI
casts back toMsg
, right? And how usingchar*
instead ofunsigned int*
would improve this? -
Cheers and hth. - Alf almost 13 years-1 The code examples in the answer code won't compile as C99.
-
R. Martinho Fernandes almost 13 yearsBollocks, this answer is completely backwards. The example it shows as illegal is actually legal, and the example it shows as legal is actually illegal.
-
Doug T. almost 13 years@R.MartinhoFernandes I reworked this answer quite a bit to hopefully be more accurate and clarify things. In the original example it was assumed that SendToStupidApi would dereference the type punned pointer thus violating strict aliasing. I also took out the reinterpret_cast that is of course not C. And added a note that the union solution violates the spec but is supported by most compilers.
-
ninjalj over 12 yearsI don't think the union solution violates the intent of C99, and it does not violate C11 (it was removed from appendix J). See: open-std.org/jtc1/sc22/wg14/www/docs/dr_283.htm
-
ninjalj over 12 yearsAs per my comment to stackoverflow.com/questions/6359629/…: C99 says that the bytes that don't correspond to the last stored member take unspecified values (potentially implying that it's legal to read from members which share all its bytes with the last stored member), but then lists reading from a member other than the last stored as UB. C1X changes that, defining as UB reading from bytes that do not correspond to the last stored member.
-
Ben Voigt over 12 years@Kos: That's cool, thanks! Can you also comment on whether strict aliasing was required by C89/90? (I seem to recall not, that it was introduced at the same time as the
restrict
keyword, but I'm not sure). -
curiousguy over 12 years"Strict aliasing doesn't refer only to pointers, it affects references as well" Actually, it refers to lvalues. "using memcpy is the only fix portable" Hear!
-
phorgan1 over 12 yearsLook at the C89 Rationale cs.technion.ac.il/users/yechiel/CS/C++draft/rationale.pdf section 3.3 which talks about it.
-
Pavel P over 11 yearsGreat answer. I have a similar question where I had to alias a struct onto a char array because I had to portably ensure alignment of the struct's memory. stackoverflow.com/questions/14170010/…
-
hdante over 11 yearsThis answer does not define what strict aliasing is. I also think this example is not correct, since the memory is being accessed by a struct that contains compatible types to the effective type of the memory (unsigned, assuming 32 bit values everywhere).
-
Nubok almost 11 yearsThe answer tells using char* avoids this problem. Doesn't also passing the buffer as a void* parameter of a function solve this problem?
-
Jonathan Leffler almost 11 years
-
philippe lhardy over 10 yearsif you add a second short * j to check() and use it ( *j = 7 ) then optimization disapear since ggc does not not if h and j are not actualy point to same value. yes optimisation is really smart.
-
nonsensickle over 10 yearsYour
uint32_t* buff = malloc(sizeof(Msg));
and the subsequent unionunsigned int asBuffer[sizeof(Msg)];
buffer declarations will have different sizes and neither is correct. Themalloc
call is relying on the 4 byte alignment under the hood (don't do it) and the union will be 4 times bigger than it needs to be... I understand that it is for clarity but it bugs me none-the-less... -
Peter - Reinstate Monica about 10 yearsIsn't the "wrong" example on top well defined if uint32_t is a typedef for unsigned int? Because
Msg
qualifies for "an aggregate or union type that includes one of the aforementioned types [here: uint32_t. -ps] among its elements", doesn't it? -
Grzegorz about 10 yearsI can't stand the fact that
char b[4]; *(int*)b=0;
does not work butint* i=*(int*)b; *i=0;
does. I am calling for creating an anti strict aliasing movement where optimizer is forcing people to add extra declarations to avoid the issue. I understand that there can be some special case where warning actually should be an error but in the example above? come on! I am working on an old code that did not have this problem before, and I have hundreds of places to 'fix' (make less readable.) -
Ben Voigt about 10 years@Grzegorz: So use
-fno-strict-aliasing
when you compile, but then you aren't using C (or C++). Anyway, both pieces of code in your comment are wrong. The second won't even compile, since you have mismatching indirection in an initialization. -
Shafik Yaghmour almost 10 yearsSee my answer here for the relevant quotes, especially the footnotes but type punning through unions has always been allowed in C although it was poorly worded at first. You my want to clarify your answer.
-
Yakov Galka over 9 yearsThe "Another Broken version, referencing a twice" section of the paper makes no sense. Even if there were a sequence point, it would not give the right result. Perhaps you meant to use shift operators instead of shift assignments? But then the code is well-defined and does the right thing.
-
M.M over 9 yearsIt is permitted to have different pointer types to the same data. Where strict aliasing comes in is when the same memory location is written through one pointer type and read through another. Also, some different types are permitted (e.g.
int
and a struct which contains anint
). -
M.M over 9 yearsThis example is unclear. It shows
unsigned int
being aliased asuint32_t
. However it is implementation-defined whetherunsigned int
is compatible withuint32_t
. Ifuint32_t
is a typedef forunsigned int
then the code actually has no strict aliasing violation, otherwise it does. I'd suggest editing it so that the two types are clearly incompatible. -
Shafik Yaghmour over 9 yearsI think you need to reconsider your example, if uint32_t is unsigned int then given my answer here there should be no strict aliasing violation.
-
David R Tribble over 9 yearsTo address @nonsensickle's observation, the union declaration should have this member declaration instead:
unsigned int asBuffer[sizeof(Msg)/sizeof(unsigned int)]
. -
nonsensickle over 9 years@DavidRTribble Thanks for addressing it. May I also suggest to you to mention the other two options that this article talks about, i.e. memcpy and the restrict keyword, in your answer (for completeness)? Other than that, good work! Tough topic...
-
slashmais over 9 yearsGood paper. My take: (1) this aliasing-'problem' is an over-reaction to bad programming - trying to protect the bad programmer from his/her bad habits. If the programmer has good habits then this aliasing is just a nuisance and the checks can safely be turned off. (2) Compiler-side optimization should only be done in well-known cases and should when in doubt strictly follow the source-code; forcing the programmer to write code to cater for the compiler's idiosyncrasies is, simply put, wrong. Even worse to make it part of the standard.
-
supercat about 9 years@slashmais: I suspect that much of the horribleness of modern C stems from a belief that it is bad to add new directives and features to a language to tell a compiler what inferences it should make, but better to have the use of certain language features invoke inferences which, while consistent with the baseline requirements for what compilers must do, would break code that relies upon common and useful extensions that many implementations had historically provided at little or no cost.
-
this almost 9 years@DougT. I appears I though you were sending msg instead of buff, which is violating strict aliasing( so the code is correct ). My bad :-////.
-
Doug T. almost 9 years@this all is forgiven. This is a hard topic and I appreciate having an opportunity to double check :)
-
jiggunjer almost 9 yearsSo what is the canonical way to legally use the same memory with variables of 2 different types? or does everyone just copy?
-
Aaron McDaid almost 9 yearsI think the issue of optimizations that may or may not be possible can actually be unhelpful sometimes. The reason I say this is the I have constructed code where such optimizations weren't possible anyway, and was still told that the code is UB. So maybe, the optimization story is part of the history of the strict aliasing rule; but today, the today the effect of the rule is more drastic. Casting a pointer, and immediately reading from it, will be undefined generally (except for the specific exceptions around unions and compatible types).
-
curiousguy almost 9 years@Grzegorz "I can't stand the fact that" source?
-
curiousguy almost 9 yearsHow can you use an lvalue of class type?
-
Ben Voigt almost 9 years@curiousguy: Any way that class allows. Seriously, I'm not going to write you an entire C++ book listing all the things that you can do with a class instance. One notable thing you can't do with an lvalue of class type is bind an rvalue reference to it.
-
Ben Voigt almost 9 years@curiousguy: In
std::cout << "Hello World.\n";
,std::cout
is an lvalue with class type. -
curiousguy almost 9 years@BenVoigt Are you saying "section 3.10 of the C++03 standard" applies to
std::cout
? -
curiousguy almost 9 years@slashmais (1) "is an over-reaction to bad programming" Nonsense. It is a rejection of the bad habits. You do that? You pay the price: no guarantee for you! (2) Well known cases? Which ones? The strict aliasing rule should be "well known"!
-
curiousguy almost 9 years@supercat No, modern C is the result of an incompetent re-design by people with no understanding of compiler design, optimization, or the formalism of a specification. It looks like a train crash.
-
supercat almost 9 years@curiousguy: Reading your last comments to me and slashmais I'm not quite clear what you're trying to say about which versions of C. Perhaps we could discuss in a chat session? Protocol specifications make key distinctions which are missing in the C standard with regard to what compilers must provide vs what programs may legitimately rely upon, and between things implementations may do if convenient, things they should do if at all practical, and things they must do to be regarded as compliant On the other hand, C was written I think before such specs became common.
-
supercat almost 9 years@curiousguy: While I'm not privvy to all the discussions leading up to various versions of the Standard, I suspect a major problem was a political need to avoid declaring any members' implementations "non-normative". It's useful to have a language which could be implemented on a sign-magnitude machine in such a fashion as to allow it to run a substantial fraction of code written in C. It's far less useful to say that because the meaning of left-shifting a negative number or casting an oversized
unsigned value to
int` is not well-defined on such machines, the Standard should impose... -
supercat almost 9 years...no requirements on the behavior of such operations even on two's-complement machines. Further, there are many case where code which will work pre-2009 compilers totalling 99%+ of the market can be faster and more readable than any code which must meet the same requirements when fed into any actual or theoretical Standard-compliant compiler. Failure to define a normative standard for behaviors which were widely-supported is detrimental to both source-code readability and machine-code efficiency--ironic given that the supposed justification for hyper-modernism is "optimization".
-
Grzegorz almost 9 years@curiousguy: I am afraid I do not understand the question :) Can you rephrase it, please? If it still matters, of course.
-
curiousguy almost 9 years@Grzegorz What makes you think that
int* i=*(int*)b; *i=0;
works? -
davmac almost 9 yearsMike Acton's page is flawed. The part of "Casting through a union (2)", at least, is downright wrong; the code he claims is legal is not.
-
Chris Culter over 8 yearsThe example has drifted over time, and it now needs to be cleaned up. SendWord is declared to take a pointer-to-uint32_t, but it is then called on a uint32_t. And the commend "// Get a 32-bit buffer from the system" precedes an allocation of sizeof(Msg), which will be 64 bits on most popular implementations. I can't tell which errors are intentional, to point out the violation of strict aliasing, and which are accidents. What is the intended meaning?
-
supercat over 8 years@curiousguy: Having cleared up a few points of confusion, it is clear that the C language with the aliasing rules makes it impossible for programs to implement type-agnostic memory pools. Some kinds of program can get by with malloc/free, but others need memory management logic better tailored to the tasks at hand. I wonder why the C89 rationale used such a crummy example of the reason for the aliasing rule, since their example makes it seem like the rule won't pose any major difficulty in performing any reasonable task.
-
curiousguy over 8 years@supercat It's a very unsettling conclusion.
-
supercat over 8 yearsIf one has an lvalue of a structure type, takes the address of a member, and passes that to a function that uses it as a pointer to the member type, would that be regarded as accessing an object of the member type (legal), or an object of the structure type (forbidden)? A lot of code assumes it's legal to access structures in such fashion, and I think a lot of people would squawk at a rule which was understood as forbidding such actions, but it's unclear what the exact rules are. Further, unions and structures are treated the same, but sensible rules for each should be different.
-
Ben Voigt over 8 years@supercat: The way the rule for structures is worded, the actual access is always to the primitive type. Then access via a reference to the primitive type is legal because the types match, and access via a reference to the containing structure type is legal because it's specially permitted.
-
supercat over 8 years@BenVoigt: Under that interpretation, if
S1
andS2
are structures withint x;
as their first field, and which require nothing coarser thanint
alignment, then givenvoid blah(S1 *p1, S2, *p2
);` a compiler would not be allowed to make any assumptions about aliasing betweenp1->x
andp2->x
. because they could both identify storage of typeint
. I don't think that's what was intended. -
Ben Voigt over 8 years@supercat: Check out "common initial subsequence". Aliasing between
p1->x
andp2->x
is perfectly legal. -
supercat over 8 years@BenVoigt: Given
union { struct S1 s1; struct S2 s2; } u;
, if both structures start withint x
, then an assignment tou.s1.x
is also an assignment tou.s1.x
. That doesn't imply that they legitimately alias when not accessed through unionu
. -
Ben Voigt over 8 years@supercat: So you claim that it would be invalid to call
blah(&u.s1, &u.s2)
? By what rule? -
supercat over 8 years@BenVoigt: Given
typedef struct { int x; float y;} S1; typedef struct { int x; int y;} S2; typedef union { S1 s1; S2 s2;} U; void wow1(S1 *p1, S2 *p2) { p1->x++; p2->x^=1; p1->x--; p2->x^=1; }
gcc will compile the function as a do-nothing-and-return. -
supercat over 8 years@BenVoigt: If gcc sees the definition of
wow1
when it compiles a call towow(&u->s1, &u->s2);
it produces weird behavior which is consistent with neither the recognized-aliasing nor the non-aliasing case. -
Ben Voigt over 8 yearsHmm, I see that the common initial sequence rule only allows reading. So we could do
bar(S1* p1, const S2* p2) { p1->x = p2->x+1; p1->x = p2->x-1; }
and see what happens. Could be that gcc doesn't implement common initial sequence correctly. -
Ben Voigt over 8 years@supercat: Also, why are you using
typedef
? We're talking about C++ aren't we? -
supercat over 8 years@BenVoigt: I don't think the common initial sequence works unless accesses are done via the union. See goo.gl/HGOyoK to see what gcc is doing. If accessing an lvalue of union type via an lvalue of a member type (not using union-member-access operator) was legal, then
wow(&u->s1,&u->s2)
would need to be legal even when a pointer is used to modifyu
, and that would negate most optimizations that the aliasing rule was designed to facilitate. -
Ben Voigt over 8 years@supercat: Not really, common initial sequence only allows aliasing
int S1::x
withint S2::x
and notfloat S1::y
withint S2::y
. That's still a very powerful optimization rule. -
supercat over 8 years@BenVoigt: My focus is on C, though gcc behavior here is identical in both C and C++ modes. In C++ the proper way to create structures with a recognized common initial subsequence would be to use inheritance, which would clearly be 100% legal, but that's not an option in C.
-
Ben Voigt over 8 years@supercat: Actually, you couldn't use inheritance and the union. Common initial sequence rule only applies to standard-layout types, which is broken by inheritance.
-
supercat over 8 years@BenVoigt: Though even in C++, I think that if S1 and S2 shared a common base SB, it would be legal to alias an S1* and an SB*, or an S2* and an SB*, but not to alias an S1* with an S2* even if code was only using members common to both.
-
supercat over 8 years@BenVoigt: Is it not possible to use inheritance with PODS? The only case where a compiler would have to store any type-related information when inheriting from a PODS and not adding any virtual members would be if it were legal to use
delete
on a base-type pointer to eliminate a derived-type object, and I don't think that's legal, is it? -
Ben Voigt over 8 years@supercat: The rule is that a class that singly-inherits a standard-layout type and has no non-static data members of its own is also standard-layout. Or if it inherits an empty base class, the derived type can add non-static data members and still be standard-layout. But as soon as you have non-static data members at multiple different inheritance levels, you lose standard-layout.
-
supercat over 8 years@BenVoigt: My suspicion is that the rules almost "work", but that the rule would be useless for compilers if it didn't let them pretend some defined behavior was UB, and would make the language almost useless for programmers if compilers didn't treat some forms of UB predictably.
-
supercat over 8 years@BenVoigt: Hmm... that seems a shame, since there should be a useful way of creating a type whose layout was equivalent to
struct derived1 { base1 b; int anothermember;}
and allowing it to be used as either abase1
or ` derived1, without having to use
b.` to access base members. -
Ben Voigt over 8 years@supercat: Consider:
struct B { double x; char y; }; struct D1 : B { char z; }; struct D2 { B b; char z; };
Is it legal forD1::z
to overlap the padding inD1::B
? What aboutD2::z
andD2::b
? (Assume an 8-bit machine so thatsizeof(double) == alignof(double) = 8
) -
supercat over 8 years@BenVoigt: Your point being that it is worthwhile to allow a derived type to be smaller than the sum of the base type and the new elements? I can see there would be benefit in that. Still, I would suggest that the usefulness of both C and C++ will be significantly hampered if there's no way to have a function accept a pointer to an arbitrary structure type with a known initial prefix. As noted, passing pointers to union members does not work, and there's no reason in the Standard why it should be legal to work with a pointer to even one union member if it's not legal to use more than that.
-
Ben Voigt over 8 years@supercat: Well, even with gcc's interpretation of strict aliasing, it is straightforward to "have a function accept a pointer to an arbitrary structure type with a known initial prefix". It's only when you have two such pointers, that overlap, that trouble arises. BTW my thought experiment is addressed here: stackoverflow.com/a/19950151/103167
-
supercat over 8 years@BenVoigt: The authors of gcc are very keen to point out that even if today's version of gcc lets programmers get away with violating the rules, programmers have no right to complain if tomorrow's gcc punishes them. If the Standard says that code which receives a pointer to an arbitrary structure with a known initial prefix and uses it as a pointer to a different structure with the same prefix invokes UB, it doesn't matter what today's gcc does or does not do with such code.
-
supercat over 8 years@BenVoigt: It's too bad that the Standard didn't define separate "sizeof" and "strideof" operators; that wold have made it possible for an implementation allow objects to have a size which was not a multiple of their alignment.
-
John Hascall over 8 yearsThis code is total garbage. The signature for
main
is wrong. It either needs to usestruct Msg
or addtypedef struct Msg Msg;
The type ofSendword()
's argument in wrong. It doesn't have the needed#include
s. And older compilers won't accept thefor ( int i ...
construct. -
Doug T. over 8 years@JohnHascall Thanks. You're right. I'd love to see it cleaned up. Its community wiki, do you have enough rep to edit it?
-
Doug T. over 8 years@ChrisCulter I believe my original intention many many years back was to have those
unsigned ints
be 32 bits. -
John Hascall over 8 years@Doug T. I don't think I do
-
skimon over 8 years@DougT. what does "use a union" mean in your answer. I ask because searching i cannot find a definitive answer. As far as i can understand (And im not 100% sure on this) - It seems that if you cast to the union* it is still undefined and that in order for it to be defined you need to first copy the data to a union access it through the type-pun built into the union.
-
yano about 8 years@skimon what you say sounds right to me (I learned about strict aliasing ~10 hrs ago, however). You need to access the data in the union directly from a union member, not an alias to the union member. If you read the
-fstrict_aliasing
flag in thisgcc
manual, it has an example of unions: gcc.gnu.org/onlinedocs/gcc-5.3.0/gcc.pdf on page 149. Of course this is justgcc
and not theC
orC++
standards. -
supercat about 8 years@davmac: The authors of C89 never intended that it should force programmers to jump through hoops. I find thoroughly bizarre the notion that a rule that exists for the sole purpose of optimization should be interpreted in such fashion as to require programmers to write code that redundantly copies data in the hopes that an optimizer will remove the redundant code.
-
kchoi almost 8 years@curiousguy, most compiler suites out there are including -fstrict-aliasing as default on -O3 and this hidden contract is forced on the users who've never heard of the TBAA and wrote code like how a system programmer might. I don't mean to sound disingenuous to system programmers, but this kind of optimization should be left outside of default opt of -O3 and should be an opt-in optimization for those that know what TBAA is. It is not fun looking at compiler 'bug' that turns out to be user code violating TBAA, especially tracking down the source level violation in user code.
-
supercat almost 8 years@kchoi: At minimum, compilers should by default recognize certain patterns that indicate that aliasing is likely; if a
T*
is cast to aU*
, for example, ensure that any operations onT*
which precede the cast also precede any uses of the resultingU*
, and any operations onT*
that follow the cast also follow any uses of the resultingU*
which occurs before them. In some cases that would block what might otherwise have been useful optimizations, but it would be far more likely to make code work more cheaply than if the code had to usechar*
and the compiler had to... -
supercat almost 8 years...consequently expect that the
U*
might alias anything, rather than only having to expect that within a certain range of code it might access aT
. I really doubt the authors of the C89 Standard would have taken seriously anyone who warned that unless they explicitly authorize such a pattern (using the cast pointer strictly between the next and subsequent access with the original type), compilers would optimize them out even on platforms where they would otherwise be useful, but unfortunately such obtuse behavior is now fashionable. -
supercat over 7 years@ShafikYaghmour: C89 clearly allowed implementers to select the cases in which they would or would not usefully recognize type punning through unions. An implementation could, for example, specify that for a write to one type followed by a read of another to be recognized as type punning, if the programmer did either of the following between the write and the read: (1) evaluate an lvalue containing the union type [taking the address of a member would qualify, if done at the right point in the sequence]; (2) convert a pointer to one type into a pointer to the other, and access via that ptr.
-
supercat over 7 years@ShafikYaghmour: An implementation could also specify e.g. that type punning between integer and floating-point values would only work reliably if code executed an
fpsync()
directive between writing as fp and reading as int or vice versa [on implementations with separate integer and FPU pipelines and caches, such a directive might be expensive, but not as costly as having the compiler perform such synchronization on every union access]. Or an implementation could specify that the resulting value will never be usable except in circumstances using Common Initial Sequences. -
supercat over 7 years@ShafikYaghmour: Under C89, implementations could forbid most forms of type punning, including via unions, but the equivalence between pointers to unions and pointers to their members implied that type punning was allowed in implementations that didn't expressly forbid it.
-
supercat over 7 yearsTo make things more fun, use pointers to types which aren't compatible but have the same size and representation (on some systems that's true of e.g.
long long*
andint64_t
*). One might expect that a sane compiler should recognize that along long*
andint64_t*
could access the same storage if they're stored identically, but such treatment is no longer fashionable. -
Palec over 6 years@Antonio: The link works for me. Maybe a temporary or regional issue. If the problem occurs again, please link to the latest snapshot in Internet Archive.
-
Palec over 6 years@Antonio: Just checked again, and when I click the link in this answer, I get the right article, no 404. Firefox 56 on Windows 10. No idea where this might have gone wrong for you.
-
Antonio over 6 years@Palec Pretty amazing, must be something with my work network. Indeed on my Android phone it loads.
-
AnT stands with Russia over 6 years@curiousguy: "Can't have unions"? Firstly, the original/primary purpose of unions is not in any way related to aliasing at all. Secondly, the modern language spec explicitly permits using unions for aliasing. The compiler is required to notice that a union is used and treat the situation is a special way.
-
curiousguy over 6 years@AnT "the original/primary purpose of unions is not in any way related to aliasing at all" What? That's the only purpose of a union. That the definition of a union: different objects at the same address.
-
AnT stands with Russia over 6 years@curiousguy: False. Firstly, the original conceptual idea behind unions was that at any moment there's only one member object "active" in the given union object, while the others simply don't exist. So, there are no "different objects at the same address" as you seem to believe. Secondly, aliasing violations everyone is talking about is about accessing one object as a different object, not about simply having two objects with the same address. As long as there is no type-punning access, there no problem. That was the original idea. Later, type-punning through unions was allowed.
-
AnT stands with Russia over 6 yearsThere are other contexts in C language which might produce "different objects at the same address". For example, declaring
int a[2]; double b;
might result in the "imaginary" array elementa[2]
having the same address asb
. The language does not consider this a problem. You just have to remember that onlyb
is accessible, whilea[2]
can only be "pointed to", but cannot be accessed. -
curiousguy over 6 years@AnT Then how do you write to a member of a union B after a member A has been written?
-
AnT stands with Russia over 6 years@curiousguy: By definition, writing into a union member "activates" that member and "deactivates" all other members.
-
curiousguy over 6 years@AnT And how would you do that? Is there an operator "activate" in C?
-
curiousguy over 6 yearsLet us continue this discussion in chat.
-
Suraj Jain over 6 years@BenVoigt Does this stackoverflow.com/questions/34826036/… have undefined behaviour due to strict aliasing rule, or not, I am little confused
-
Ben Voigt over 6 years@SurajJain: No, that one is ok. The strict aliasing rule allows reading an object through both its actual type, and also through a
char*
(to see the individual bytes making up the object). -
alfC over 6 yearsThe link is broken. Archived link: web.archive.org/web/20171221170757/http://…
-
NeilB over 6 yearswith restrict keyword, at step 3, shouldn't it be save result to 'b' only? It sounds as if the result of the summation will be stored in 'a' as well. Does it 'b' need to be reloaded again?
-
Myst over 6 years@NeilB - Yap you're right. We're only saving
b
(not reloading it) and reloadinga
. I hope it's clearer now. -
supercat over 6 yearsType-based aliasing may have offered some benefits prior to
restrict
, but I would think that the latter would in most circumstances be more effective, and loosening some constraints onregister
would allow it to fill in some of the cases whererestrict
wouldn't help. I'm not sure it was ever "important" to treat the Standard as fully describing all cases where programmers should expect compilers to recognize evidence of aliasing, rather than merely describing places where compilers must presume aliasing even when no particular evidence of it exists. -
supercat about 6 yearsIt may be worthwhile to note that the list of allowed types does not allow for a struct or union object to be accessed using lvalues of member type. A quality compiler should treat an access to an lvalue or pointer which is freshly derived from one of another type as an access to the original object, but a compiler's ability to recognize such things is a Quality of Implementation issue rather than a conformance one, and the Standard deliberately makes no attempt to mandate that implementations be of adequate quality to be suitable for any particular purpose.
-
supercat about 6 years@skimon: Code that does almost anything with structs or unions will be reliant upon compilers writers to refrain from doing stupid things that the Standard would allow. Something like
struct S { int x; } s = {0}; s.x=1;
invokes UB becauseint
is not one of the types that may be used to access an object of typestruct S
. Obviously a compiler would have to be really stupid not to process something like that in useful fashion, and I don't know of any that are deliberately that bad, but some seem read the Standard as inviting behaviors that are almost as dumb. -
supercat about 6 years@curiousguy: With regard to the code in the chat, a quality compiler will recognize that an access made to an lvalue or pointer which is freshly derived from one of another type as being an access or potential access to the original. So given
int *p = u.a;
, a quality compiler should recognize accesses to*p
as accesses tou
until code does something elseu
without involvinga
, or execution enters a function or loop wherein that occurs. Since the lvalueu
is allowed to access any members thereof, pointers that are freshly derived from it should be able to do likewise. -
supercat about 6 years@curiousguy: The question of when compilers must recognize derived pointers and lvalues is a quality-of-implementation issue, and the authors of the Standard deliberately refrained from trying to mandate that conforming implementations must be of sufficient quality to be useful for any particular purpose. I doubt they imagined that compiler writers would try to use the standard to justify writing low-quality implementations.
-
supercat almost 6 yearsThe C Standard uses the term "object" to refer to a number of different concepts. Among them, a sequence of bytes that are exclusively allocated to some purpose, a not-necessarily-exclusive reference to a sequence of bytes to/from which a value of a particular type could be written or read, or such a reference that actually has been or will be accessed in some context. I don't think there's any sensible way to define the term "Object" that would be consistent with all the way the Standard uses it.
-
supercat almost 6 years@AnT: The special guarantees about Common Initial Sequences were part of C before unions were. If would be meaningless to guarantee that any part of a Common Initial Sequence can be inspected using any structure type that contains it, if the corresponding portions of the structs in question didn't exist simultaneously.
-
jrh almost 6 yearsWell put, it would be interesting to read a proposal of sorts that was more or less "what the standards committee could have done" that achieved their goals without introducing as much complexity.
-
supercat almost 6 years@jrh: I think it would be pretty simple. Recognize that 1. For aliasing to occur during a particular execution of a function or loop, two different pointers or lvalues must be used during that execution to address the same storage in conflicting fashon; 2. Recognize that in contexts where one pointer or lvalue is freshly visibly derived from another, an access to the second is an access to the first; 3. Recognize that the rule is not intended to apply in cases that don't actually involve aliasing.
-
supercat almost 6 yearsThe exact circumstances where a compiler recognizes a freshly-derived lvalue may be a Quality-of-Implementation issue, but any remotely-decent compiler should be able to recognize forms that gcc and clang deliberately ignore.
-
Bhargav Rao almost 6 yearsComments are not for extended discussion; this conversation has been moved to chat.
-
Jonathan Leffler over 5 years@DougT. The c++-faq tag was recently removed from this question. Is that change appropriate? Please flag this comment 'no longer needed' when you've read it, or respond to me and I'll delete it.
-
Gabriel over 5 yearsIf I could, +10, well written and explained, also from both sides, compiler writers and programmers... the only criticism: It would be nice to have counter examples above, to see what is prohibited by the standard, its not obvious kind of :-)
-
Mirko over 5 yearsOn a 32 bit machine, malloc(sizeof(Msg)) returns a 64 bit buffer, and on a 64 bit machine, it returs a 128 bit buffer. It's a 32-bit buffer only on 16-bit machines.
-
Mirko over 5 yearsAlso, you should free malloc'd memory.
-
Derek Zhang about 5 yearsMsg msg = (Msg)malloc(sizeof(Msg)); will this violate strict aliasing?
-
S.S. Anne almost 5 yearsGrr... x64 is a Microsoft convention. Use amd64 or x86_64 instead.
-
curiousguy over 4 yearsNote that although loading from main RAM is very slow (and can stall the CPU core for a long time if following operations depend on the result), loading from L1 cache is pretty fast, and so is writing to a cache line that was recently writing to by the same core. So all but the first read or write to an address will usually be reasonably fast: the difference between reg/mem addr access is smaller than the difference between cached/uncached mem addr.
-
Myst over 4 years@curiousguy - although you're correct, "fast" in this case is relative. The L1 cache is probably still an order of magnitude slower than CPU registers (I think more than 10 times slower). In addition, the
restrict
keyword minimizes not only the speed of the operations but their number as well, which could be meaningful... I mean, after all, the fastest operation is no operation at all :) -
lanyusea over 4 yearswill the strict aliasing rule breaking make our program slower? or the compiler still optimize the code in that way but may cause some undefined behavior like SIGBUS?
-
Gro-Tsen over 4 yearsVery good answer. I only regret that the initial examples are given in C++, which makes it hard to follow for people like me who only know or care about C and have no idea what
reinterpret_cast
might do or whatcout
might mean. (It's all right to mention C++ but the original question was about C and IIUC these examples could just as validly be written in C.) -
FrankHB over 4 years@supercat Incorrect. Despite your imagination, it is actually fairly consistent. In ISO C it is defined as "region of data storage in the execution environment, the contents of which can represent values". In ISO C++ there is a similar definition. Your comment is even more irrelevant than the answer because all you mentioned are ways of representation to refer objects' content, while the answer illustrates the C++ concept (glvalue) of a kind of expressions that tightly relates to the identity of objects. And all aliasing rules are basically relevant to the identity but not the content.
-
supercat over 4 years@FrankHB: If one declares
int foo;
, what is accessed by the lvalue expression*(char*)&foo
? Is that an object of typechar
? Does that object come into existence at the same time asfoo
? Would writing tofoo
change the stored value of that aforementioned object of typechar
? If so, is there any rule that would allow the stored value of an object of typechar
to be accessed using an lvalue of typeint
? -
supercat over 4 years@FrankHB: In the absence of 6.5p7, one could simply say that every region of storage simultaneously contains all objects of every type that could fit in that region of storage, and that accessing that region of storage simultaneously accesses all of them. Interpreting in such fashion the use of the term "object" in 6.5p7, however, would forbid doing much of anything with non-character-type lvalues, which would clearly be an absurd result and totally defeat the purpose of the rule. Further, the concept of "object" used everywhere other than 6.5p6 has a static compile-time type, but...
-
supercat over 4 years...6.5p6 adds a notion of "Effective Type" whose corner cases are very badly broken, ambiguous, and unworkable. Bizarrely, even though the "Effective Type" notion of 6.5p6 is clearly based upon the stated rationale for Defect Report #028, whose authors said that because writing one union member and reading another is Implementation-Defined behavior, using a pointer to do so is Undefined Behavior, the rule as written fails to actually handle the corner case described in Defect Report #028.
-
supercat over 4 years@FrankHB: Also, on a platform where a write to e.g.
GPIOA->BSSR = x;
would atomically behave in a fashion equivalent toGPIOA->ODR = GPIOA->ODR | (x & 0xFFFF) & ~(x>>16);
, but reads ofGPIOA->BSSR
always yield zero, wouldGPIOA->BSSR
be an "object" given that values written to its upper bits aren't actually stored anyplace, or would an attempt to writeGPIOA->BSSR
be Undefined Behavior on the basis thatGPIOA->BSSR
isn't an object? -
FrankHB over 4 years@supercat In C, an lvalue (as an expression) always has a statically determined type. That type is used in the access to the object it referred to, and there is no way to simultaneously access "all of them" even before taking 6.5p7 into account. I fail to see how it "defeat the purpose of the rule". (And to be clear, which rule, exactly?)
-
FrankHB over 4 yearsDR 028 is about the dynamically determined type of objects not explicitly introduced by declarations. This is not the case of union members which are declared, even though they are not created upon their declarations.
-
FrankHB over 4 years... I agree the notion of effective type does not handle the lifetime issues well (as C++'s dynamic type), but the purpose of the notion is simply not for the union members. So, don't expect it will reproduce the exact same restrictions as the accesses on union members.
-
FrankHB over 4 years@supercat An object designating an register is usually needed to be qualified by
volatile
. The additional value adjustment is virtually the access from the external environment, if necessary. It won't be undefined just because of not being an object introduced by a declaration (although the declaration to introduce such volatile lvalues can not be strictly conforming). -
supercat over 4 yearsIf an implementation given
int foo{float *fp, int *ip) { if (*ip) *fp = 1.0; return *ip;}
, if an implementation were required to handle the case wherefp
andip
identified items in the same union, the code required to do so would be completely independent of the type of union involved, so the semantics need not be affected by what kind of union might exist, or whether any union in fact existed. The purpose of DR #028 was to say that such handling wasn't necessary, but the stated rationale was completely nonsensical. Also, I'm interested in your answer to the first question: if... -
supercat over 4 yearssizeof(int) is 4, does the declaration
int i;
create four objects of each character typein addition to one of type
int? I see no way to apply a consistent definition of "object" which would allow for operations on both
*(char*)&i` andi
. Finally, there's nothing in the Standard that allows even avolatile
-qualified pointer to access hardware registers that don't meet the definition of "object". -
supercat over 4 years@lanyusea: The "strict aliasing rule" will improve the performance of programs that still work, but gcc/clang interpretation will cause some programs that would have behaved usefully to instead behave nonsensically. The Standard can be interpreted in a way that would allow 90% of the performance improvements, plus some that clang/gcc miss, while still processing most of the useful constructs that are broken by their interpretation, but the authors of clang/gcc are heavily invested in their refusal to interpret it in such fashion.
-
Michael IV about 4 yearsRegarding type puning: so if I write an array of some type X into file , then read from that file this array into memory pointed with void* , then I cast that pointer to the real type of the data in order to use it - that's undefined behavior?
-
Aviv Cohn about 4 yearsSo I know this is old. Quick question: The last paragraph says "... An object shall have its stored value accessed only by an lvalue expression that has one of the following types ...". If the "object" is a pointer, is "its stored value" the address it stores, or the object pointed to by that address? The former option makes sense to me, the second not so much.
-
Aviv Cohn about 4 yearsPhrased differently: Why is this code wrong?
A* a = malloc(sizeof(A)); B* b = (B*) a;
. Is it wrong because the stored value ofa
is an address toA
, and the lvalue expressionB*
is not compatible with it? Or is it wrong because the stored value ofa
is an object of typeA
, and the lvalueB
is not compatible with it? -
Aviv Cohn about 4 yearsCan anybody elaborate on "an aggregate or union type that includes one of the aforementioned types among its members (including, recursively, a member of a subaggregate or contained union)". What does it exactly mean, and how is this exception to the rule commonly used?
-
Ben Voigt about 4 years@AvivCohn: It's not wrong.
a
and*a
are two different objects. The access toa
is fine, because it is done with typeA*
(the result of the access is then converted, but that doesn't change the access type). Doing*b
would be wrong. DoingA* c = (A*)b;
is fine and it is guaranteed thatc == a
. Note that pointers from sources other thanmalloc
could have alignment issues in addition to strict aliasing issues. -
Aviv Cohn about 4 years@BenVoigt So the only illegal thing in terms of strict aliasing is the actual dereferencing, right? Meaning we can assign pointers to different pointer types all we want, as long as dereferencing happens on a compatible pointer type?
-
Ben Voigt about 4 years@AvivCohn: To be super precise, the forbidden thing is accessing the object resulting from dereferencing. Merely playing with pointer conversions and arithmetic cannot violate strict aliasing (although it may violate other rules).
-
Aviv Cohn about 4 years@BenVoigt I understand. Quick question, actually clarifying what I meant to ask in the first place: As we know the standard says "... An object shall have its stored value accessed only by an lvalue expression that has one of the following types ...". In the case of a pointer-type, the "stored value" means the address stored in the variable, correct? I.e. - the stored value (the address) in the object (the pointer) can only be accessed by a compatible lvalue (one that describes a compatible pointer).
-
Ben Voigt about 4 years@AvivCohn: That's correct. If in your example, the type
A
is actuallyint*
andB
is actuallyfloat*
then*b
will again lead to a strict aliasing violation. -
Nubcake about 4 yearsI'm a little bit confused, why would you ever want to use
-fno-strict-aliasing
if violating the strict aliasing rule causes UB? -
chux - Reinstate Monica about 4 yearsThe exception is wider than
char *
--> Applies to any character type. -
polynomial_donut almost 4 yearsAdding the definition of 'effective type', including an exact standard reference, would improve this answer a lot. I take it the effectice type is the last type information that has been used for the object, if there is any (taken from here, but this doesn't point to the standard)
-
supercat over 3 years@Nubcake: Because, in the words of the Committee expressed in the published Rationale, when the Standard use the term "Undefined Behavior", it among other things, "...identifies areas of possible conforming language extension: the implementor may augment the language by providing a definition of the officially undefined behavior." A religion has formed around the idea the Standard characterizes as "broken" any program whose behavior it regards as UB, ignoring the fact that the phrase "non-portable or erroneous" in no way excludes "non-portable but correct".
-
Bogdan over 3 yearsWhy
cip
is glvalue in the example of (11.2) in the section What the C++17 Draft Standard say? It looks like the lvalue, does it? It looks equal with the 2nd example in the section What does the C11 standard say? -
M.M over 2 yearsIt should also be clarified that this answer is intended to be a C answer (although it is completely wrong for C as well) ; the question is dual-tagged C and C++.
-
Imperishable Night about 2 years@curiousguy What I think slashmais might have been talking about is: (1) When a function takes multiple pointers that are not supposed to overlap, they should be explicitly declared as
restrict
; not doing so is a bad habit and should be "punished" by bad machine-code efficiency (as is already happening when the pointers happen to have the same type). (2) There are certainly examples of undefined behaviors, such as out-of-bound array access, that are more well-known than aliasing problems.