What is the strict aliasing rule?

c++ c undefined-behavior strict-aliasing type-punning

248,148

Solution 1

A typical situation where you encounter strict aliasing problems is when overlaying a struct (like a device/network msg) onto a buffer of the word size of your system (like a pointer to uint32_ts or uint16_ts). When you overlay a struct onto such a buffer, or a buffer onto such a struct through pointer casting you can easily violate strict aliasing rules.

So in this kind of setup, if I want to send a message to something I'd have to have two incompatible pointers pointing to the same chunk of memory. I might then naively code something like this:

typedef struct Msg
{
    unsigned int a;
    unsigned int b;
} Msg;

void SendWord(uint32_t);

int main(void)
{
    // Get a 32-bit buffer from the system
    uint32_t* buff = malloc(sizeof(Msg));
    
    // Alias that buffer through message
    Msg* msg = (Msg*)(buff);
    
    // Send a bunch of messages    
    for (int i = 0; i < 10; ++i)
    {
        msg->a = i;
        msg->b = i+1;
        SendWord(buff[0]);
        SendWord(buff[1]);   
    }
}

The strict aliasing rule makes this setup illegal: dereferencing a pointer that aliases an object that is not of a compatible type or one of the other types allowed by C 2011 6.5 paragraph 7¹ is undefined behavior. Unfortunately, you can still code this way, maybe get some warnings, have it compile fine, only to have weird unexpected behavior when you run the code.

(GCC appears somewhat inconsistent in its ability to give aliasing warnings, sometimes giving us a friendly warning and sometimes not.)

To see why this behavior is undefined, we have to think about what the strict aliasing rule buys the compiler. Basically, with this rule, it doesn't have to think about inserting instructions to refresh the contents of buff every run of the loop. Instead, when optimizing, with some annoyingly unenforced assumptions about aliasing, it can omit those instructions, load buff[0] and buff[1] into CPU registers once before the loop is run, and speed up the body of the loop. Before strict aliasing was introduced, the compiler had to live in a state of paranoia that the contents of buff could change by any preceding memory stores. So to get an extra performance edge, and assuming most people don't type-pun pointers, the strict aliasing rule was introduced.

Keep in mind, if you think the example is contrived, this might even happen if you're passing a buffer to another function doing the sending for you, if instead you have.

void SendMessage(uint32_t* buff, size_t size32)
{
    for (int i = 0; i < size32; ++i) 
    {
        SendWord(buff[i]);
    }
}

And rewrote our earlier loop to take advantage of this convenient function

for (int i = 0; i < 10; ++i)
{
    msg->a = i;
    msg->b = i+1;
    SendMessage(buff, 2);
}

The compiler may or may not be able to or smart enough to try to inline SendMessage and it may or may not decide to load or not load buff again. If SendMessage is part of another API that's compiled separately, it probably has instructions to load buff's contents. Then again, maybe you're in C++ and this is some templated header only implementation that the compiler thinks it can inline. Or maybe it's just something you wrote in your .c file for your own convenience. Anyway undefined behavior might still ensue. Even when we know some of what's happening under the hood, it's still a violation of the rule so no well defined behavior is guaranteed. So just by wrapping in a function that takes our word delimited buffer doesn't necessarily help.

So how do I get around this?

Use a union. Most compilers support this without complaining about strict aliasing. This is allowed in C99 and explicitly allowed in C11.
```
  union {
      Msg msg;
      unsigned int asBuffer[sizeof(Msg)/sizeof(unsigned int)];
  };
```
You can disable strict aliasing in your compiler (f[no-]strict-aliasing in gcc))
You can use char* for aliasing instead of your system's word. The rules allow an exception for char* (including signed char and unsigned char). It's always assumed that char* aliases other types. However this won't work the other way: there's no assumption that your struct aliases a buffer of chars.

Beginner beware

This is only one potential minefield when overlaying two types onto each other. You should also learn about endianness, word alignment, and how to deal with alignment issues through packing structs correctly.

Footnote

¹ The types that C 2011 6.5 7 allows an lvalue to access are:

a type compatible with the effective type of the object,
a qualified version of a type compatible with the effective type of the object,
a type that is the signed or unsigned type corresponding to the effective type of the object,
a type that is the signed or unsigned type corresponding to a qualified version of the effective type of the object,
an aggregate or union type that includes one of the aforementioned types among its members (including, recursively, a member of a subaggregate or contained union), or
a character type.

Solution 2

The best explanation I have found is by Mike Acton, Understanding Strict Aliasing. It's focused a little on PS3 development, but that's basically just GCC.

From the article:

"Strict aliasing is an assumption, made by the C (or C++) compiler, that dereferencing pointers to objects of different types will never refer to the same memory location (i.e. alias each other.)"

So basically if you have an int* pointing to some memory containing an int and then you point a float* to that memory and use it as a float you break the rule. If your code does not respect this, then the compiler's optimizer will most likely break your code.

The exception to the rule is a char*, which is allowed to point to any type.

Solution 3

This is the strict aliasing rule, found in section 3.10 of the C++03 standard (other answers provide good explanation, but none provided the rule itself):

If a program attempts to access the stored value of an object through an lvalue of other than one of the following types the behavior is undefined:

the dynamic type of the object,

a cv-qualified version of the dynamic type of the object,

a type that is the signed or unsigned type corresponding to the dynamic type of the object,

a type that is the signed or unsigned type corresponding to a cv-qualified version of the dynamic type of the object,

an aggregate or union type that includes one of the aforementioned types among its members (including, recursively, a member of a subaggregate or contained union),

a type that is a (possibly cv-qualified) base class type of the dynamic type of the object,

a char or unsigned char type.

C++11 and C++14 wording (changes emphasized):

If a program attempts to access the stored value of an object through a glvalue of other than one of the following types the behavior is undefined:

the dynamic type of the object,

a cv-qualified version of the dynamic type of the object,

a type similar (as defined in 4.4) to the dynamic type of the object,

a type that is the signed or unsigned type corresponding to the dynamic type of the object,

a type that is the signed or unsigned type corresponding to a cv-qualified version of the dynamic type of the object,

an aggregate or union type that includes one of the aforementioned types among its elements or non-static data members (including, recursively, an element or non-static data member of a subaggregate or contained union),

a type that is a (possibly cv-qualified) base class type of the dynamic type of the object,

a char or unsigned char type.

Two changes were small: glvalue instead of lvalue, and clarification of the aggregate/union case.

The third change makes a stronger guarantee (relaxes the strong aliasing rule): The new concept of similar types that are now safe to alias.

Also the C wording (C99; ISO/IEC 9899:1999 6.5/7; the exact same wording is used in ISO/IEC 9899:2011 §6.5 ¶7):

An object shall have its stored value accessed only by an lvalue expression that has one of the following types ^{73) or 88)}:

a type compatible with the effective type of the object,

a qualiﬁed version of a type compatible with the effective type of the object,

a type that is the signed or unsigned type corresponding to the effective type of the object,

a type that is the signed or unsigned type corresponding to a qualiﬁed version of the effective type of the object,

an aggregate or union type that includes one of the aforementioned types among its members (including, recursively, a member of a subaggregate or contained union), or

a character type.

^{73) or 88)} The intent of this list is to specify those circumstances in which an object may or may not be aliased.

Solution 4

Note

This is excerpted from my "What is the Strict Aliasing Rule and Why do we care?" write-up.

What is strict aliasing?

In C and C++ aliasing has to do with what expression types we are allowed to access stored values through. In both C and C++ the standard specifies which expression types are allowed to alias which types. The compiler and optimizer are allowed to assume we follow the aliasing rules strictly, hence the term strict aliasing rule. If we attempt to access a value using a type not allowed it is classified as undefined behavior(UB). Once we have undefined behavior all bets are off, the results of our program are no longer reliable.

Unfortunately with strict aliasing violations, we will often obtain the results we expect, leaving the possibility the a future version of a compiler with a new optimization will break code we thought was valid. This is undesirable and it is a worthwhile goal to understand the strict aliasing rules and how to avoid violating them.

To understand more about why we care, we will discuss issues that come up when violating strict aliasing rules, type punning since common techniques used in type punning often violate strict aliasing rules and how to type pun correctly.

Preliminary examples

Let's look at some examples, then we can talk about exactly what the standard(s) say, examine some further examples and then see how to avoid strict aliasing and catch violations we missed. Here is an example that should not be surprising (live example):

int x = 10;
int *ip = &x;

std::cout << *ip << "\n";
*ip = 12;
std::cout << x << "\n";

We have a int* pointing to memory occupied by an int and this is a valid aliasing. The optimizer must assume that assignments through ip could update the value occupied by x.

The next example shows aliasing that leads to undefined behavior (live example):

int foo( float *f, int *i ) { 
    *i = 1;               
    *f = 0.f;            

   return *i;
}

int main() {
    int x = 0;

    std::cout << x << "\n";   // Expect 0
    x = foo(reinterpret_cast<float*>(&x), &x);
    std::cout << x << "\n";   // Expect 0?
}

In the function foo we take an int* and a float*, in this example we call foo and set both parameters to point to the same memory location which in this example contains an int. Note, the reinterpret_cast is telling the compiler to treat the the expression as if it had the type specificed by its template parameter. In this case we are telling it to treat the expression &x as if it had type float*. We may naively expect the result of the second cout to be 0 but with optimization enabled using -O2 both gcc and clang produce the following result:

0
1

Which may not be expected but is perfectly valid since we have invoked undefined behavior. A float can not validly alias an int object. Therefore the optimizer can assume the constant 1 stored when dereferencing i will be the return value since a store through f could not validly affect an int object. Plugging the code in Compiler Explorer shows this is exactly what is happening(live example):

foo(float*, int*): # @foo(float*, int*)
mov dword ptr [rsi], 1  
mov dword ptr [rdi], 0
mov eax, 1                       
ret

The optimizer using Type-Based Alias Analysis (TBAA) assumes 1 will be returned and directly moves the constant value into register eax which carries the return value. TBAA uses the languages rules about what types are allowed to alias to optimize loads and stores. In this case TBAA knows that a float can not alias and int and optimizes away the load of i.

Now, to the Rule-Book

What exactly does the standard say we are allowed and not allowed to do? The standard language is not straightforward, so for each item I will try to provide code examples that demonstrates the meaning.

What does the C11 standard say?

The C11 standard says the following in section 6.5 Expressions paragraph 7:

An object shall have its stored value accessed only by an lvalue expression that has one of the following types:⁸⁸⁾ — a type compatible with the effective type of the object,

int x = 1;
int *p = &x;   
printf("%d\n", *p); // *p gives us an lvalue expression of type int which is compatible with int

— a qualified version of a type compatible with the effective type of the object,

int x = 1;
const int *p = &x;
printf("%d\n", *p); // *p gives us an lvalue expression of type const int which is compatible with int

— a type that is the signed or unsigned type corresponding to the effective type of the object,

int x = 1;
unsigned int *p = (unsigned int*)&x;
printf("%u\n", *p ); // *p gives us an lvalue expression of type unsigned int which corresponds to 
                     // the effective type of the object

gcc/clang has an extension and also that allows assigning unsigned int* to int* even though they are not compatible types.

— a type that is the signed or unsigned type corresponding to a qualified version of the effective type of the object,

int x = 1;
const unsigned int *p = (const unsigned int*)&x;
printf("%u\n", *p ); // *p gives us an lvalue expression of type const unsigned int which is a unsigned type 
                     // that corresponds with to a qualified verison of the effective type of the object

— an aggregate or union type that includes one of the aforementioned types among its members (including, recursively, a member of a subaggregate or contained union), or

struct foo {
  int x;
};

void foobar( struct foo *fp, int *ip );  // struct foo is an aggregate that includes int among its members so it can
                                         // can alias with *ip

foo f;
foobar( &f, &f.x );

— a character type.

int x = 65;
char *p = (char *)&x;
printf("%c\n", *p );  // *p gives us an lvalue expression of type char which is a character type.
                      // The results are not portable due to endianness issues.

What the C++17 Draft Standard say

The C++17 draft standard in section [basic.lval] paragraph 11 says:

If a program attempts to access the stored value of an object through a glvalue of other than one of the following types the behavior is undefined:⁶³ (11.1) — the dynamic type of the object,

void *p = malloc( sizeof(int) ); // We have allocated storage but not started the lifetime of an object
int *ip = new (p) int{0};        // Placement new changes the dynamic type of the object to int
std::cout << *ip << "\n";        // *ip gives us a glvalue expression of type int which matches the dynamic type 
                                  // of the allocated object

(11.2) — a cv-qualified version of the dynamic type of the object,

int x = 1;
const int *cip = &x;
std::cout << *cip << "\n";  // *cip gives us a glvalue expression of type const int which is a cv-qualified 
                            // version of the dynamic type of x

(11.3) — a type similar (as defined in 7.5) to the dynamic type of the object,

(11.4) — a type that is the signed or unsigned type corresponding to the dynamic type of the object,

// Both si and ui are signed or unsigned types corresponding to each others dynamic types
// We can see from this godbolt(https://godbolt.org/g/KowGXB) the optimizer assumes aliasing.
signed int foo( signed int &si, unsigned int &ui ) {
  si = 1;
  ui = 2;

  return si;
}

(11.5) — a type that is the signed or unsigned type corresponding to a cv-qualified version of the dynamic type of the object,

signed int foo( const signed int &si1, int &si2); // Hard to show this one assumes aliasing

(11.6) — an aggregate or union type that includes one of the aforementioned types among its elements or nonstatic data members (including, recursively, an element or non-static data member of a subaggregate or contained union),

struct foo {
 int x;
};

// Compiler Explorer example(https://godbolt.org/g/z2wJTC) shows aliasing assumption
int foobar( foo &fp, int &ip ) {
 fp.x = 1;
 ip = 2;

 return fp.x;
}

foo f; 
foobar( f, f.x );

(11.7) — a type that is a (possibly cv-qualified) base class type of the dynamic type of the object,

struct foo { int x ; };

struct bar : public foo {};

int foobar( foo &f, bar &b ) {
  f.x = 1;
  b.x = 2;

  return f.x;
}

(11.8) — a char, unsigned char, or std::byte type.

int foo( std::byte &b, uint32_t &ui ) {
  b = static_cast<std::byte>('a');
  ui = 0xFFFFFFFF;                   

  return std::to_integer<int>( b );  // b gives us a glvalue expression of type std::byte which can alias
                                     // an object of type uint32_t
}

Worth noting signed char is not included in the list above, this is a notable difference from C which says a character type.

What is Type Punning

We have gotten to this point and we may be wondering, why would we want to alias for? The answer typically is to type pun, often the methods used violate strict aliasing rules.

Sometimes we want to circumvent the type system and interpret an object as a different type. This is called type punning, to reinterpret a segment of memory as another type. Type punning is useful for tasks that want access to the underlying representation of an object to view, transport or manipulate. Typical areas we find type punning being used are compilers, serialization, networking code, etc…

Traditionally this has been accomplished by taking the address of the object, casting it to a pointer of the type we want to reinterpret it as and then accessing the value, or in other words by aliasing. For example:

int x =  1 ;

// In C
float *fp = (float*)&x ;  // Not a valid aliasing

// In C++
float *fp = reinterpret_cast<float*>(&x) ;  // Not a valid aliasing

printf( "%f\n", *fp ) ;

As we have seen earlier this is not a valid aliasing, so we are invoking undefined behavior. But traditionally compilers did not take advantage of strict aliasing rules and this type of code usually just worked, developers have unfortunately gotten used to doing things this way. A common alternate method for type punning is through unions, which is valid in C but undefined behavior in C++ (see live example):

union u1
{
  int n;
  float f;
} ;

union u1 u;
u.f = 1.0f;

printf( "%d\n”, u.n );  // UB in C++ n is not the active member

This is not valid in C++ and some consider the purpose of unions to be solely for implementing variant types and feel using unions for type punning is an abuse.

How do we Type Pun correctly?

The standard method for type punning in both C and C++ is memcpy. This may seem a little heavy handed but the optimizer should recognize the use of memcpy for type punning and optimize it away and generate a register to register move. For example if we know int64_t is the same size as double:

static_assert( sizeof( double ) == sizeof( int64_t ) );  // C++17 does not require a message

we can use memcpy:

void func1( double d ) {
  std::int64_t n;
  std::memcpy(&n, &d, sizeof d); 
  //...

At a sufficient optimization level any decent modern compiler generates identical code to the previously mentioned reinterpret_cast method or union method for type punning. Examining the generated code we see it uses just register mov (live Compiler Explorer Example).

C++20 and bit_cast

In C++20 we may gain bit_cast (implementation available in link from proposal) which gives a simple and safe way to type-pun as well as being usable in a constexpr context.

The following is an example of how to use bit_cast to type pun a unsigned int to float, (see it live):

std::cout << bit_cast<float>(0x447a0000) << "\n" ; //assuming sizeof(float) == sizeof(unsigned int)

In the case where To and From types don't have the same size, it requires us to use an intermediate struct15. We will use a struct containing a sizeof( unsigned int ) character array (assumes 4 byte unsigned int) to be the From type and unsigned int as the To type.:

struct uint_chars {
 unsigned char arr[sizeof( unsigned int )] = {} ;  // Assume sizeof( unsigned int ) == 4
};

// Assume len is a multiple of 4 
int bar( unsigned char *p, size_t len ) {
 int result = 0;

 for( size_t index = 0; index < len; index += sizeof(unsigned int) ) {
   uint_chars f;
   std::memcpy( f.arr, &p[index], sizeof(unsigned int));
   unsigned int result = bit_cast<unsigned int>(f);

   result += foo( result );
 }

 return result ;
}

It is unfortunate that we need this intermediate type but that is the current constraint of bit_cast.

Catching Strict Aliasing Violations

We don't have a lot of good tools for catching strict aliasing in C++, the tools we have will catch some cases of strict aliasing violations and some cases of misaligned loads and stores.

gcc using the flag -fstrict-aliasing and -Wstrict-aliasing can catch some cases although not without false positives/negatives. For example the following cases will generate a warning in gcc (see it live):

int a = 1;
short j;
float f = 1.f; // Originally not initialized but tis-kernel caught 
               // it was being accessed w/ an indeterminate value below

printf("%i\n", j = *(reinterpret_cast<short*>(&a)));
printf("%i\n", j = *(reinterpret_cast<int*>(&f)));

although it will not catch this additional case (see it live):

int *p;

p=&a;
printf("%i\n", j = *(reinterpret_cast<short*>(p)));

Although clang allows these flags it apparently does not actually implement the warnings.

Another tool we have available to us is ASan which can catch misaligned loads and stores. Although these are not directly strict aliasing violations they are a common result of strict aliasing violations. For example the following cases will generate runtime errors when built with clang using -fsanitize=address

int *x = new int[2];               // 8 bytes: [0,7].
int *u = (int*)((char*)x + 6);     // regardless of alignment of x this will not be an aligned address
*u = 1;                            // Access to range [6-9]
printf( "%d\n", *u );              // Access to range [6-9]

The last tool I will recommend is C++ specific and not strictly a tool but a coding practice, don't allow C-style casts. Both gcc and clang will produce a diagnostic for C-style casts using -Wold-style-cast. This will force any undefined type puns to use reinterpret_cast, in general reinterpret_cast should be a flag for closer code review. It is also easier to search your code base for reinterpret_cast to perform an audit.

For C we have all the tools already covered and we also have tis-interpreter, a static analyzer that exhaustively analyzes a program for a large subset of the C language. Given a C verions of the earlier example where using -fstrict-aliasing misses one case (see it live)

int a = 1;
short j;
float f = 1.0 ;

printf("%i\n", j = *((short*)&a));
printf("%i\n", j = *((int*)&f));

int *p; 

p=&a;
printf("%i\n", j = *((short*)p));

tis-interpeter is able to catch all three, the following example invokes tis-kernal as tis-interpreter (output is edited for brevity):

./bin/tis-kernel -sa example1.c 
...
example1.c:9:[sa] warning: The pointer (short *)(& a) has type short *. It violates strict aliasing
              rules by accessing a cell with effective type int.
...

example1.c:10:[sa] warning: The pointer (int *)(& f) has type int *. It violates strict aliasing rules by
              accessing a cell with effective type float.
              Callstack: main
...

example1.c:15:[sa] warning: The pointer (short *)p has type short *. It violates strict aliasing rules by
              accessing a cell with effective type int.

Finally there is TySan which is currently in development. This sanitizer adds type checking information in a shadow memory segment and checks accesses to see if they violate aliasing rules. The tool potentially should be able to catch all aliasing violations but may have a large run-time overhead.

Solution 5

Strict aliasing doesn't refer only to pointers, it affects references as well, I wrote a paper about it for the boost developer wiki and it was so well received that I turned it into a page on my consulting web site. It explains completely what it is, why it confuses people so much and what to do about it. Strict Aliasing White Paper. In particular it explains why unions are risky behavior for C++, and why using memcpy is the only fix portable across both C and C++. Hope this is helpful.

View more solutions

248,148

Author by

Benoit

Started programming on a good old TRS-80 Model I Spent most of my time working with embedded processors. Everything from 8-bit micros to 32-bit systems. Now teaching for a living.

Updated on June 10, 2021

Comments

Benoit about 3 years

When asking about common undefined behavior in C, people sometimes refer to the strict aliasing rule.
What are they talking about?
Matthieu M. over 13 years

I am coming after the battle it seems.. may unsigned char* be used far char* instead ? I tend to use unsigned char rather than char as the underlying type for byte because my bytes are not signed and I don't want the weirdness of signed behavior (notably wrt to overflow)
Thomas Eding about 13 years

@Matthieu: Signedness makes no difference to alias rules, so using unsigned char * is okay.
phorgan1 almost 13 years

You can alias between references and between a reference and a pointer as well. See my tutorial dbp-consulting.com/tutorials/StrictAliasing.html
Ben Voigt almost 13 years

Why not SendToStupidApi(&msg->a)?
R. Martinho Fernandes almost 13 years

Isn't it undefined behaviour to read from an union member different from the last one written to?
Andriy Tylychko almost 13 years

@Doug T.: as I understand, the same problem is on receiving side too when StupidAPI casts back to Msg, right? And how using char* instead of unsigned int* would improve this?
Cheers and hth. - Alf almost 13 years

-1 The code examples in the answer code won't compile as C99.
R. Martinho Fernandes almost 13 years

Bollocks, this answer is completely backwards. The example it shows as illegal is actually legal, and the example it shows as legal is actually illegal.
Doug T. almost 13 years

@R.MartinhoFernandes I reworked this answer quite a bit to hopefully be more accurate and clarify things. In the original example it was assumed that SendToStupidApi would dereference the type punned pointer thus violating strict aliasing. I also took out the reinterpret_cast that is of course not C. And added a note that the union solution violates the spec but is supported by most compilers.
ninjalj over 12 years

I don't think the union solution violates the intent of C99, and it does not violate C11 (it was removed from appendix J). See: open-std.org/jtc1/sc22/wg14/www/docs/dr_283.htm
ninjalj over 12 years

As per my comment to stackoverflow.com/questions/6359629/…: C99 says that the bytes that don't correspond to the last stored member take unspecified values (potentially implying that it's legal to read from members which share all its bytes with the last stored member), but then lists reading from a member other than the last stored as UB. C1X changes that, defining as UB reading from bytes that do not correspond to the last stored member.
Ben Voigt over 12 years

@Kos: That's cool, thanks! Can you also comment on whether strict aliasing was required by C89/90? (I seem to recall not, that it was introduced at the same time as the restrict keyword, but I'm not sure).
curiousguy over 12 years

"Strict aliasing doesn't refer only to pointers, it affects references as well" Actually, it refers to lvalues. "using memcpy is the only fix portable" Hear!
phorgan1 over 12 years

Look at the C89 Rationale cs.technion.ac.il/users/yechiel/CS/C++draft/rationale.pdf section 3.3 which talks about it.
Pavel P over 11 years

Great answer. I have a similar question where I had to alias a struct onto a char array because I had to portably ensure alignment of the struct's memory. stackoverflow.com/questions/14170010/…
hdante over 11 years

This answer does not define what strict aliasing is. I also think this example is not correct, since the memory is being accessed by a struct that contains compatible types to the effective type of the memory (unsigned, assuming 32 bit values everywhere).
Nubok almost 11 years

The answer tells using char* avoids this problem. Doesn't also passing the buffer as a void* parameter of a function solve this problem?
Jonathan Leffler almost 11 years

@nubok: see the answer by Ben Voigt. The relevant paragraph of the C standard explicitly says 'character type' and does not mention 'void' or 'void pointer' at all.
philippe lhardy over 10 years

if you add a second short * j to check() and use it ( *j = 7 ) then optimization disapear since ggc does not not if h and j are not actualy point to same value. yes optimisation is really smart.
nonsensickle over 10 years

Your uint32_t* buff = malloc(sizeof(Msg)); and the subsequent union unsigned int asBuffer[sizeof(Msg)]; buffer declarations will have different sizes and neither is correct. The malloc call is relying on the 4 byte alignment under the hood (don't do it) and the union will be 4 times bigger than it needs to be... I understand that it is for clarity but it bugs me none-the-less...
Peter - Reinstate Monica about 10 years

Isn't the "wrong" example on top well defined if uint32_t is a typedef for unsigned int? Because Msg qualifies for "an aggregate or union type that includes one of the aforementioned types [here: uint32_t. -ps] among its elements", doesn't it?
Grzegorz about 10 years

I can't stand the fact that char b[4]; *(int*)b=0; does not work but int* i=*(int*)b; *i=0; does. I am calling for creating an anti strict aliasing movement where optimizer is forcing people to add extra declarations to avoid the issue. I understand that there can be some special case where warning actually should be an error but in the example above? come on! I am working on an old code that did not have this problem before, and I have hundreds of places to 'fix' (make less readable.)
Ben Voigt about 10 years

@Grzegorz: So use -fno-strict-aliasing when you compile, but then you aren't using C (or C++). Anyway, both pieces of code in your comment are wrong. The second won't even compile, since you have mismatching indirection in an initialization.
Shafik Yaghmour almost 10 years

See my answer here for the relevant quotes, especially the footnotes but type punning through unions has always been allowed in C although it was poorly worded at first. You my want to clarify your answer.
Yakov Galka over 9 years

The "Another Broken version, referencing a twice" section of the paper makes no sense. Even if there were a sequence point, it would not give the right result. Perhaps you meant to use shift operators instead of shift assignments? But then the code is well-defined and does the right thing.
M.M over 9 years

It is permitted to have different pointer types to the same data. Where strict aliasing comes in is when the same memory location is written through one pointer type and read through another. Also, some different types are permitted (e.g. int and a struct which contains an int).
M.M over 9 years

This example is unclear. It shows unsigned int being aliased as uint32_t. However it is implementation-defined whether unsigned int is compatible with uint32_t. If uint32_t is a typedef for unsigned int then the code actually has no strict aliasing violation, otherwise it does. I'd suggest editing it so that the two types are clearly incompatible.
Shafik Yaghmour over 9 years

I think you need to reconsider your example, if uint32_t is unsigned int then given my answer here there should be no strict aliasing violation.
David R Tribble over 9 years

To address @nonsensickle's observation, the union declaration should have this member declaration instead: unsigned int asBuffer[sizeof(Msg)/sizeof(unsigned int)].
nonsensickle over 9 years

@DavidRTribble Thanks for addressing it. May I also suggest to you to mention the other two options that this article talks about, i.e. memcpy and the restrict keyword, in your answer (for completeness)? Other than that, good work! Tough topic...
slashmais over 9 years

Good paper. My take: (1) this aliasing-'problem' is an over-reaction to bad programming - trying to protect the bad programmer from his/her bad habits. If the programmer has good habits then this aliasing is just a nuisance and the checks can safely be turned off. (2) Compiler-side optimization should only be done in well-known cases and should when in doubt strictly follow the source-code; forcing the programmer to write code to cater for the compiler's idiosyncrasies is, simply put, wrong. Even worse to make it part of the standard.
supercat about 9 years

@slashmais: I suspect that much of the horribleness of modern C stems from a belief that it is bad to add new directives and features to a language to tell a compiler what inferences it should make, but better to have the use of certain language features invoke inferences which, while consistent with the baseline requirements for what compilers must do, would break code that relies upon common and useful extensions that many implementations had historically provided at little or no cost.
this almost 9 years

@DougT. I appears I though you were sending msg instead of buff, which is violating strict aliasing( so the code is correct ). My bad :-////.
Doug T. almost 9 years

@this all is forgiven. This is a hard topic and I appreciate having an opportunity to double check :)
jiggunjer almost 9 years

So what is the canonical way to legally use the same memory with variables of 2 different types? or does everyone just copy?
Aaron McDaid almost 9 years

I think the issue of optimizations that may or may not be possible can actually be unhelpful sometimes. The reason I say this is the I have constructed code where such optimizations weren't possible anyway, and was still told that the code is UB. So maybe, the optimization story is part of the history of the strict aliasing rule; but today, the today the effect of the rule is more drastic. Casting a pointer, and immediately reading from it, will be undefined generally (except for the specific exceptions around unions and compatible types).
curiousguy almost 9 years

@Grzegorz "I can't stand the fact that" source?
curiousguy almost 9 years

How can you use an lvalue of class type?
Ben Voigt almost 9 years

@curiousguy: Any way that class allows. Seriously, I'm not going to write you an entire C++ book listing all the things that you can do with a class instance. One notable thing you can't do with an lvalue of class type is bind an rvalue reference to it.
Ben Voigt almost 9 years

@curiousguy: In std::cout << "Hello World.\n";, std::cout is an lvalue with class type.
curiousguy almost 9 years

@BenVoigt Are you saying "section 3.10 of the C++03 standard" applies to std::cout?
curiousguy almost 9 years

@slashmais (1) "is an over-reaction to bad programming" Nonsense. It is a rejection of the bad habits. You do that? You pay the price: no guarantee for you! (2) Well known cases? Which ones? The strict aliasing rule should be "well known"!
curiousguy almost 9 years

@supercat No, modern C is the result of an incompetent re-design by people with no understanding of compiler design, optimization, or the formalism of a specification. It looks like a train crash.
supercat almost 9 years

@curiousguy: Reading your last comments to me and slashmais I'm not quite clear what you're trying to say about which versions of C. Perhaps we could discuss in a chat session? Protocol specifications make key distinctions which are missing in the C standard with regard to what compilers must provide vs what programs may legitimately rely upon, and between things implementations may do if convenient, things they should do if at all practical, and things they must do to be regarded as compliant On the other hand, C was written I think before such specs became common.
supercat almost 9 years

@curiousguy: While I'm not privvy to all the discussions leading up to various versions of the Standard, I suspect a major problem was a political need to avoid declaring any members' implementations "non-normative". It's useful to have a language which could be implemented on a sign-magnitude machine in such a fashion as to allow it to run a substantial fraction of code written in C. It's far less useful to say that because the meaning of left-shifting a negative number or casting an oversized unsigned value to int` is not well-defined on such machines, the Standard should impose...
supercat almost 9 years

...no requirements on the behavior of such operations even on two's-complement machines. Further, there are many case where code which will work pre-2009 compilers totalling 99%+ of the market can be faster and more readable than any code which must meet the same requirements when fed into any actual or theoretical Standard-compliant compiler. Failure to define a normative standard for behaviors which were widely-supported is detrimental to both source-code readability and machine-code efficiency--ironic given that the supposed justification for hyper-modernism is "optimization".
Grzegorz almost 9 years

@curiousguy: I am afraid I do not understand the question :) Can you rephrase it, please? If it still matters, of course.
curiousguy almost 9 years

@Grzegorz What makes you think that int* i=*(int*)b; *i=0; works?
davmac almost 9 years

Mike Acton's page is flawed. The part of "Casting through a union (2)", at least, is downright wrong; the code he claims is legal is not.
Chris Culter over 8 years

The example has drifted over time, and it now needs to be cleaned up. SendWord is declared to take a pointer-to-uint32_t, but it is then called on a uint32_t. And the commend "// Get a 32-bit buffer from the system" precedes an allocation of sizeof(Msg), which will be 64 bits on most popular implementations. I can't tell which errors are intentional, to point out the violation of strict aliasing, and which are accidents. What is the intended meaning?
supercat over 8 years

@curiousguy: Having cleared up a few points of confusion, it is clear that the C language with the aliasing rules makes it impossible for programs to implement type-agnostic memory pools. Some kinds of program can get by with malloc/free, but others need memory management logic better tailored to the tasks at hand. I wonder why the C89 rationale used such a crummy example of the reason for the aliasing rule, since their example makes it seem like the rule won't pose any major difficulty in performing any reasonable task.
curiousguy over 8 years

@supercat It's a very unsettling conclusion.
supercat over 8 years

If one has an lvalue of a structure type, takes the address of a member, and passes that to a function that uses it as a pointer to the member type, would that be regarded as accessing an object of the member type (legal), or an object of the structure type (forbidden)? A lot of code assumes it's legal to access structures in such fashion, and I think a lot of people would squawk at a rule which was understood as forbidding such actions, but it's unclear what the exact rules are. Further, unions and structures are treated the same, but sensible rules for each should be different.
Ben Voigt over 8 years

@supercat: The way the rule for structures is worded, the actual access is always to the primitive type. Then access via a reference to the primitive type is legal because the types match, and access via a reference to the containing structure type is legal because it's specially permitted.
supercat over 8 years

@BenVoigt: Under that interpretation, if S1 and S2 are structures with int x; as their first field, and which require nothing coarser than int alignment, then given void blah(S1 *p1, S2, *p2);` a compiler would not be allowed to make any assumptions about aliasing between p1->x and p2->x. because they could both identify storage of type int. I don't think that's what was intended.
Ben Voigt over 8 years

@supercat: Check out "common initial subsequence". Aliasing between p1->x and p2->x is perfectly legal.
supercat over 8 years

@BenVoigt: Given union { struct S1 s1; struct S2 s2; } u;, if both structures start with int x, then an assignment to u.s1.x is also an assignment to u.s1.x. That doesn't imply that they legitimately alias when not accessed through union u.
Ben Voigt over 8 years

@supercat: So you claim that it would be invalid to call blah(&u.s1, &u.s2)? By what rule?
supercat over 8 years

@BenVoigt: Given typedef struct { int x; float y;} S1; typedef struct { int x; int y;} S2; typedef union { S1 s1; S2 s2;} U; void wow1(S1 *p1, S2 *p2) { p1->x++; p2->x^=1; p1->x--; p2->x^=1; } gcc will compile the function as a do-nothing-and-return.
supercat over 8 years

@BenVoigt: If gcc sees the definition of wow1 when it compiles a call to wow(&u->s1, &u->s2); it produces weird behavior which is consistent with neither the recognized-aliasing nor the non-aliasing case.
Ben Voigt over 8 years

Hmm, I see that the common initial sequence rule only allows reading. So we could do bar(S1* p1, const S2* p2) { p1->x = p2->x+1; p1->x = p2->x-1; } and see what happens. Could be that gcc doesn't implement common initial sequence correctly.
Ben Voigt over 8 years

@supercat: Also, why are you using typedef? We're talking about C++ aren't we?
supercat over 8 years

@BenVoigt: I don't think the common initial sequence works unless accesses are done via the union. See goo.gl/HGOyoK to see what gcc is doing. If accessing an lvalue of union type via an lvalue of a member type (not using union-member-access operator) was legal, then wow(&u->s1,&u->s2) would need to be legal even when a pointer is used to modify u, and that would negate most optimizations that the aliasing rule was designed to facilitate.
Ben Voigt over 8 years

@supercat: Not really, common initial sequence only allows aliasing int S1::x with int S2::x and not float S1::y with int S2::y. That's still a very powerful optimization rule.
supercat over 8 years

@BenVoigt: My focus is on C, though gcc behavior here is identical in both C and C++ modes. In C++ the proper way to create structures with a recognized common initial subsequence would be to use inheritance, which would clearly be 100% legal, but that's not an option in C.
Ben Voigt over 8 years

@supercat: Actually, you couldn't use inheritance and the union. Common initial sequence rule only applies to standard-layout types, which is broken by inheritance.
supercat over 8 years

@BenVoigt: Though even in C++, I think that if S1 and S2 shared a common base SB, it would be legal to alias an S1* and an SB*, or an S2* and an SB*, but not to alias an S1* with an S2* even if code was only using members common to both.
supercat over 8 years

@BenVoigt: Is it not possible to use inheritance with PODS? The only case where a compiler would have to store any type-related information when inheriting from a PODS and not adding any virtual members would be if it were legal to use delete on a base-type pointer to eliminate a derived-type object, and I don't think that's legal, is it?
Ben Voigt over 8 years

@supercat: The rule is that a class that singly-inherits a standard-layout type and has no non-static data members of its own is also standard-layout. Or if it inherits an empty base class, the derived type can add non-static data members and still be standard-layout. But as soon as you have non-static data members at multiple different inheritance levels, you lose standard-layout.
supercat over 8 years

@BenVoigt: My suspicion is that the rules almost "work", but that the rule would be useless for compilers if it didn't let them pretend some defined behavior was UB, and would make the language almost useless for programmers if compilers didn't treat some forms of UB predictably.
supercat over 8 years

@BenVoigt: Hmm... that seems a shame, since there should be a useful way of creating a type whose layout was equivalent to struct derived1 { base1 b; int anothermember;} and allowing it to be used as either a base1 or ` derived1, without having to use b.` to access base members.
Ben Voigt over 8 years

@supercat: Consider: struct B { double x; char y; }; struct D1 : B { char z; }; struct D2 { B b; char z; }; Is it legal for D1::z to overlap the padding in D1::B? What about D2::z and D2::b ? (Assume an 8-bit machine so that sizeof(double) == alignof(double) = 8)
supercat over 8 years

@BenVoigt: Your point being that it is worthwhile to allow a derived type to be smaller than the sum of the base type and the new elements? I can see there would be benefit in that. Still, I would suggest that the usefulness of both C and C++ will be significantly hampered if there's no way to have a function accept a pointer to an arbitrary structure type with a known initial prefix. As noted, passing pointers to union members does not work, and there's no reason in the Standard why it should be legal to work with a pointer to even one union member if it's not legal to use more than that.
Ben Voigt over 8 years

@supercat: Well, even with gcc's interpretation of strict aliasing, it is straightforward to "have a function accept a pointer to an arbitrary structure type with a known initial prefix". It's only when you have two such pointers, that overlap, that trouble arises. BTW my thought experiment is addressed here: stackoverflow.com/a/19950151/103167
supercat over 8 years

@BenVoigt: The authors of gcc are very keen to point out that even if today's version of gcc lets programmers get away with violating the rules, programmers have no right to complain if tomorrow's gcc punishes them. If the Standard says that code which receives a pointer to an arbitrary structure with a known initial prefix and uses it as a pointer to a different structure with the same prefix invokes UB, it doesn't matter what today's gcc does or does not do with such code.
supercat over 8 years

@BenVoigt: It's too bad that the Standard didn't define separate "sizeof" and "strideof" operators; that wold have made it possible for an implementation allow objects to have a size which was not a multiple of their alignment.
John Hascall over 8 years

This code is total garbage. The signature for main is wrong. It either needs to use struct Msg or add typedef struct Msg Msg; The type of Sendword()'s argument in wrong. It doesn't have the needed #includes. And older compilers won't accept the for ( int i ... construct.
Doug T. over 8 years

@JohnHascall Thanks. You're right. I'd love to see it cleaned up. Its community wiki, do you have enough rep to edit it?
Doug T. over 8 years

@ChrisCulter I believe my original intention many many years back was to have those unsigned ints be 32 bits.
John Hascall over 8 years

@Doug T. I don't think I do
skimon over 8 years

@DougT. what does "use a union" mean in your answer. I ask because searching i cannot find a definitive answer. As far as i can understand (And im not 100% sure on this) - It seems that if you cast to the union* it is still undefined and that in order for it to be defined you need to first copy the data to a union access it through the type-pun built into the union.
yano about 8 years

@skimon what you say sounds right to me (I learned about strict aliasing ~10 hrs ago, however). You need to access the data in the union directly from a union member, not an alias to the union member. If you read the -fstrict_aliasing flag in this gcc manual, it has an example of unions: gcc.gnu.org/onlinedocs/gcc-5.3.0/gcc.pdf on page 149. Of course this is just gcc and not the C or C++ standards.
supercat about 8 years

@davmac: The authors of C89 never intended that it should force programmers to jump through hoops. I find thoroughly bizarre the notion that a rule that exists for the sole purpose of optimization should be interpreted in such fashion as to require programmers to write code that redundantly copies data in the hopes that an optimizer will remove the redundant code.
kchoi almost 8 years

@curiousguy, most compiler suites out there are including -fstrict-aliasing as default on -O3 and this hidden contract is forced on the users who've never heard of the TBAA and wrote code like how a system programmer might. I don't mean to sound disingenuous to system programmers, but this kind of optimization should be left outside of default opt of -O3 and should be an opt-in optimization for those that know what TBAA is. It is not fun looking at compiler 'bug' that turns out to be user code violating TBAA, especially tracking down the source level violation in user code.
supercat almost 8 years

@kchoi: At minimum, compilers should by default recognize certain patterns that indicate that aliasing is likely; if a T* is cast to a U*, for example, ensure that any operations on T* which precede the cast also precede any uses of the resulting U*, and any operations on T* that follow the cast also follow any uses of the resulting U* which occurs before them. In some cases that would block what might otherwise have been useful optimizations, but it would be far more likely to make code work more cheaply than if the code had to use char* and the compiler had to...
supercat almost 8 years

...consequently expect that the U* might alias anything, rather than only having to expect that within a certain range of code it might access a T. I really doubt the authors of the C89 Standard would have taken seriously anyone who warned that unless they explicitly authorize such a pattern (using the cast pointer strictly between the next and subsequent access with the original type), compilers would optimize them out even on platforms where they would otherwise be useful, but unfortunately such obtuse behavior is now fashionable.
supercat over 7 years

@ShafikYaghmour: C89 clearly allowed implementers to select the cases in which they would or would not usefully recognize type punning through unions. An implementation could, for example, specify that for a write to one type followed by a read of another to be recognized as type punning, if the programmer did either of the following between the write and the read: (1) evaluate an lvalue containing the union type [taking the address of a member would qualify, if done at the right point in the sequence]; (2) convert a pointer to one type into a pointer to the other, and access via that ptr.
supercat over 7 years

@ShafikYaghmour: An implementation could also specify e.g. that type punning between integer and floating-point values would only work reliably if code executed an fpsync() directive between writing as fp and reading as int or vice versa [on implementations with separate integer and FPU pipelines and caches, such a directive might be expensive, but not as costly as having the compiler perform such synchronization on every union access]. Or an implementation could specify that the resulting value will never be usable except in circumstances using Common Initial Sequences.
supercat over 7 years

@ShafikYaghmour: Under C89, implementations could forbid most forms of type punning, including via unions, but the equivalence between pointers to unions and pointers to their members implied that type punning was allowed in implementations that didn't expressly forbid it.
supercat over 7 years

To make things more fun, use pointers to types which aren't compatible but have the same size and representation (on some systems that's true of e.g. long long* and int64_t*). One might expect that a sane compiler should recognize that a long long* and int64_t* could access the same storage if they're stored identically, but such treatment is no longer fashionable.
Palec over 6 years

@Antonio: The link works for me. Maybe a temporary or regional issue. If the problem occurs again, please link to the latest snapshot in Internet Archive.
Palec over 6 years

@Antonio: Just checked again, and when I click the link in this answer, I get the right article, no 404. Firefox 56 on Windows 10. No idea where this might have gone wrong for you.
Antonio over 6 years

@Palec Pretty amazing, must be something with my work network. Indeed on my Android phone it loads.
AnT stands with Russia over 6 years

@curiousguy: "Can't have unions"? Firstly, the original/primary purpose of unions is not in any way related to aliasing at all. Secondly, the modern language spec explicitly permits using unions for aliasing. The compiler is required to notice that a union is used and treat the situation is a special way.
curiousguy over 6 years

@AnT "the original/primary purpose of unions is not in any way related to aliasing at all" What? That's the only purpose of a union. That the definition of a union: different objects at the same address.
AnT stands with Russia over 6 years

@curiousguy: False. Firstly, the original conceptual idea behind unions was that at any moment there's only one member object "active" in the given union object, while the others simply don't exist. So, there are no "different objects at the same address" as you seem to believe. Secondly, aliasing violations everyone is talking about is about accessing one object as a different object, not about simply having two objects with the same address. As long as there is no type-punning access, there no problem. That was the original idea. Later, type-punning through unions was allowed.
AnT stands with Russia over 6 years

There are other contexts in C language which might produce "different objects at the same address". For example, declaring int a[2]; double b; might result in the "imaginary" array element a[2] having the same address as b. The language does not consider this a problem. You just have to remember that only b is accessible, while a[2] can only be "pointed to", but cannot be accessed.
curiousguy over 6 years

@AnT Then how do you write to a member of a union B after a member A has been written?
AnT stands with Russia over 6 years

@curiousguy: By definition, writing into a union member "activates" that member and "deactivates" all other members.
curiousguy over 6 years

@AnT And how would you do that? Is there an operator "activate" in C?
curiousguy over 6 years

Let us continue this discussion in chat.
Suraj Jain over 6 years

@BenVoigt Does this stackoverflow.com/questions/34826036/… have undefined behaviour due to strict aliasing rule, or not, I am little confused
Ben Voigt over 6 years

@SurajJain: No, that one is ok. The strict aliasing rule allows reading an object through both its actual type, and also through a char* (to see the individual bytes making up the object).
alfC over 6 years

The link is broken. Archived link: web.archive.org/web/20171221170757/http://…
NeilB over 6 years

with restrict keyword, at step 3, shouldn't it be save result to 'b' only? It sounds as if the result of the summation will be stored in 'a' as well. Does it 'b' need to be reloaded again?
Myst over 6 years

@NeilB - Yap you're right. We're only saving b (not reloading it) and reloading a. I hope it's clearer now.
supercat over 6 years

Type-based aliasing may have offered some benefits prior to restrict, but I would think that the latter would in most circumstances be more effective, and loosening some constraints on register would allow it to fill in some of the cases where restrict wouldn't help. I'm not sure it was ever "important" to treat the Standard as fully describing all cases where programmers should expect compilers to recognize evidence of aliasing, rather than merely describing places where compilers must presume aliasing even when no particular evidence of it exists.
supercat about 6 years

It may be worthwhile to note that the list of allowed types does not allow for a struct or union object to be accessed using lvalues of member type. A quality compiler should treat an access to an lvalue or pointer which is freshly derived from one of another type as an access to the original object, but a compiler's ability to recognize such things is a Quality of Implementation issue rather than a conformance one, and the Standard deliberately makes no attempt to mandate that implementations be of adequate quality to be suitable for any particular purpose.
supercat about 6 years

@skimon: Code that does almost anything with structs or unions will be reliant upon compilers writers to refrain from doing stupid things that the Standard would allow. Something like struct S { int x; } s = {0}; s.x=1; invokes UB because int is not one of the types that may be used to access an object of type struct S. Obviously a compiler would have to be really stupid not to process something like that in useful fashion, and I don't know of any that are deliberately that bad, but some seem read the Standard as inviting behaviors that are almost as dumb.
supercat about 6 years

@curiousguy: With regard to the code in the chat, a quality compiler will recognize that an access made to an lvalue or pointer which is freshly derived from one of another type as being an access or potential access to the original. So given int *p = u.a;, a quality compiler should recognize accesses to *p as accesses to u until code does something else u without involving a, or execution enters a function or loop wherein that occurs. Since the lvalue u is allowed to access any members thereof, pointers that are freshly derived from it should be able to do likewise.
supercat about 6 years

@curiousguy: The question of when compilers must recognize derived pointers and lvalues is a quality-of-implementation issue, and the authors of the Standard deliberately refrained from trying to mandate that conforming implementations must be of sufficient quality to be useful for any particular purpose. I doubt they imagined that compiler writers would try to use the standard to justify writing low-quality implementations.
supercat almost 6 years

The C Standard uses the term "object" to refer to a number of different concepts. Among them, a sequence of bytes that are exclusively allocated to some purpose, a not-necessarily-exclusive reference to a sequence of bytes to/from which a value of a particular type could be written or read, or such a reference that actually has been or will be accessed in some context. I don't think there's any sensible way to define the term "Object" that would be consistent with all the way the Standard uses it.
supercat almost 6 years

@AnT: The special guarantees about Common Initial Sequences were part of C before unions were. If would be meaningless to guarantee that any part of a Common Initial Sequence can be inspected using any structure type that contains it, if the corresponding portions of the structs in question didn't exist simultaneously.
jrh almost 6 years

Well put, it would be interesting to read a proposal of sorts that was more or less "what the standards committee could have done" that achieved their goals without introducing as much complexity.
supercat almost 6 years

@jrh: I think it would be pretty simple. Recognize that 1. For aliasing to occur during a particular execution of a function or loop, two different pointers or lvalues must be used during that execution to address the same storage in conflicting fashon; 2. Recognize that in contexts where one pointer or lvalue is freshly visibly derived from another, an access to the second is an access to the first; 3. Recognize that the rule is not intended to apply in cases that don't actually involve aliasing.
supercat almost 6 years

The exact circumstances where a compiler recognizes a freshly-derived lvalue may be a Quality-of-Implementation issue, but any remotely-decent compiler should be able to recognize forms that gcc and clang deliberately ignore.
Bhargav Rao almost 6 years

Comments are not for extended discussion; this conversation has been moved to chat.
Jonathan Leffler over 5 years

@DougT. The c++-faq tag was recently removed from this question. Is that change appropriate? Please flag this comment 'no longer needed' when you've read it, or respond to me and I'll delete it.
Gabriel over 5 years

If I could, +10, well written and explained, also from both sides, compiler writers and programmers... the only criticism: It would be nice to have counter examples above, to see what is prohibited by the standard, its not obvious kind of :-)
Mirko over 5 years

On a 32 bit machine, malloc(sizeof(Msg)) returns a 64 bit buffer, and on a 64 bit machine, it returs a 128 bit buffer. It's a 32-bit buffer only on 16-bit machines.
Mirko over 5 years

Also, you should free malloc'd memory.
Derek Zhang about 5 years

Msg msg = (Msg)malloc(sizeof(Msg)); will this violate strict aliasing?
S.S. Anne almost 5 years

Grr... x64 is a Microsoft convention. Use amd64 or x86_64 instead.
curiousguy over 4 years

Note that although loading from main RAM is very slow (and can stall the CPU core for a long time if following operations depend on the result), loading from L1 cache is pretty fast, and so is writing to a cache line that was recently writing to by the same core. So all but the first read or write to an address will usually be reasonably fast: the difference between reg/mem addr access is smaller than the difference between cached/uncached mem addr.
Myst over 4 years

@curiousguy - although you're correct, "fast" in this case is relative. The L1 cache is probably still an order of magnitude slower than CPU registers (I think more than 10 times slower). In addition, the restrict keyword minimizes not only the speed of the operations but their number as well, which could be meaningful... I mean, after all, the fastest operation is no operation at all :)
lanyusea over 4 years

will the strict aliasing rule breaking make our program slower? or the compiler still optimize the code in that way but may cause some undefined behavior like SIGBUS?
Gro-Tsen over 4 years

Very good answer. I only regret that the initial examples are given in C++, which makes it hard to follow for people like me who only know or care about C and have no idea what reinterpret_cast might do or what cout might mean. (It's all right to mention C++ but the original question was about C and IIUC these examples could just as validly be written in C.)
FrankHB over 4 years

@supercat Incorrect. Despite your imagination, it is actually fairly consistent. In ISO C it is defined as "region of data storage in the execution environment, the contents of which can represent values". In ISO C++ there is a similar definition. Your comment is even more irrelevant than the answer because all you mentioned are ways of representation to refer objects' content, while the answer illustrates the C++ concept (glvalue) of a kind of expressions that tightly relates to the identity of objects. And all aliasing rules are basically relevant to the identity but not the content.
supercat over 4 years

@FrankHB: If one declares int foo;, what is accessed by the lvalue expression *(char*)&foo? Is that an object of type char? Does that object come into existence at the same time as foo? Would writing to foo change the stored value of that aforementioned object of type char? If so, is there any rule that would allow the stored value of an object of type char to be accessed using an lvalue of type int?
supercat over 4 years

@FrankHB: In the absence of 6.5p7, one could simply say that every region of storage simultaneously contains all objects of every type that could fit in that region of storage, and that accessing that region of storage simultaneously accesses all of them. Interpreting in such fashion the use of the term "object" in 6.5p7, however, would forbid doing much of anything with non-character-type lvalues, which would clearly be an absurd result and totally defeat the purpose of the rule. Further, the concept of "object" used everywhere other than 6.5p6 has a static compile-time type, but...
supercat over 4 years

...6.5p6 adds a notion of "Effective Type" whose corner cases are very badly broken, ambiguous, and unworkable. Bizarrely, even though the "Effective Type" notion of 6.5p6 is clearly based upon the stated rationale for Defect Report #028, whose authors said that because writing one union member and reading another is Implementation-Defined behavior, using a pointer to do so is Undefined Behavior, the rule as written fails to actually handle the corner case described in Defect Report #028.
supercat over 4 years

@FrankHB: Also, on a platform where a write to e.g. GPIOA->BSSR = x; would atomically behave in a fashion equivalent to GPIOA->ODR = GPIOA->ODR | (x & 0xFFFF) & ~(x>>16);, but reads of GPIOA->BSSR always yield zero, would GPIOA->BSSR be an "object" given that values written to its upper bits aren't actually stored anyplace, or would an attempt to write GPIOA->BSSR be Undefined Behavior on the basis that GPIOA->BSSR isn't an object?
FrankHB over 4 years

@supercat In C, an lvalue (as an expression) always has a statically determined type. That type is used in the access to the object it referred to, and there is no way to simultaneously access "all of them" even before taking 6.5p7 into account. I fail to see how it "defeat the purpose of the rule". (And to be clear, which rule, exactly?)
FrankHB over 4 years

DR 028 is about the dynamically determined type of objects not explicitly introduced by declarations. This is not the case of union members which are declared, even though they are not created upon their declarations.
FrankHB over 4 years

... I agree the notion of effective type does not handle the lifetime issues well (as C++'s dynamic type), but the purpose of the notion is simply not for the union members. So, don't expect it will reproduce the exact same restrictions as the accesses on union members.
FrankHB over 4 years

@supercat An object designating an register is usually needed to be qualified by volatile. The additional value adjustment is virtually the access from the external environment, if necessary. It won't be undefined just because of not being an object introduced by a declaration (although the declaration to introduce such volatile lvalues can not be strictly conforming).
supercat over 4 years

If an implementation given int foo{float *fp, int *ip) { if (*ip) *fp = 1.0; return *ip;}, if an implementation were required to handle the case where fp and ip identified items in the same union, the code required to do so would be completely independent of the type of union involved, so the semantics need not be affected by what kind of union might exist, or whether any union in fact existed. The purpose of DR #028 was to say that such handling wasn't necessary, but the stated rationale was completely nonsensical. Also, I'm interested in your answer to the first question: if...
supercat over 4 years

sizeof(int) is 4, does the declaration int i; create four objects of each character type in addition to one of type int? I see no way to apply a consistent definition of "object" which would allow for operations on both *(char*)&i` and i. Finally, there's nothing in the Standard that allows even a volatile-qualified pointer to access hardware registers that don't meet the definition of "object".
supercat over 4 years

@lanyusea: The "strict aliasing rule" will improve the performance of programs that still work, but gcc/clang interpretation will cause some programs that would have behaved usefully to instead behave nonsensically. The Standard can be interpreted in a way that would allow 90% of the performance improvements, plus some that clang/gcc miss, while still processing most of the useful constructs that are broken by their interpretation, but the authors of clang/gcc are heavily invested in their refusal to interpret it in such fashion.
Michael IV about 4 years

Regarding type puning: so if I write an array of some type X into file , then read from that file this array into memory pointed with void* , then I cast that pointer to the real type of the data in order to use it - that's undefined behavior?
Aviv Cohn about 4 years

So I know this is old. Quick question: The last paragraph says "... An object shall have its stored value accessed only by an lvalue expression that has one of the following types ...". If the "object" is a pointer, is "its stored value" the address it stores, or the object pointed to by that address? The former option makes sense to me, the second not so much.
Aviv Cohn about 4 years

Phrased differently: Why is this code wrong? A* a = malloc(sizeof(A)); B* b = (B*) a;. Is it wrong because the stored value of a is an address to A, and the lvalue expression B* is not compatible with it? Or is it wrong because the stored value of a is an object of type A, and the lvalue B is not compatible with it?
Aviv Cohn about 4 years

Can anybody elaborate on "an aggregate or union type that includes one of the aforementioned types among its members (including, recursively, a member of a subaggregate or contained union)". What does it exactly mean, and how is this exception to the rule commonly used?
Ben Voigt about 4 years

@AvivCohn: It's not wrong. a and *a are two different objects. The access to a is fine, because it is done with type A* (the result of the access is then converted, but that doesn't change the access type). Doing *b would be wrong. Doing A* c = (A*)b; is fine and it is guaranteed that c == a. Note that pointers from sources other than malloc could have alignment issues in addition to strict aliasing issues.
Aviv Cohn about 4 years

@BenVoigt So the only illegal thing in terms of strict aliasing is the actual dereferencing, right? Meaning we can assign pointers to different pointer types all we want, as long as dereferencing happens on a compatible pointer type?
Ben Voigt about 4 years

@AvivCohn: To be super precise, the forbidden thing is accessing the object resulting from dereferencing. Merely playing with pointer conversions and arithmetic cannot violate strict aliasing (although it may violate other rules).
Aviv Cohn about 4 years

@BenVoigt I understand. Quick question, actually clarifying what I meant to ask in the first place: As we know the standard says "... An object shall have its stored value accessed only by an lvalue expression that has one of the following types ...". In the case of a pointer-type, the "stored value" means the address stored in the variable, correct? I.e. - the stored value (the address) in the object (the pointer) can only be accessed by a compatible lvalue (one that describes a compatible pointer).
Ben Voigt about 4 years

@AvivCohn: That's correct. If in your example, the type A is actually int* and B is actually float* then *b will again lead to a strict aliasing violation.
Nubcake about 4 years

I'm a little bit confused, why would you ever want to use -fno-strict-aliasing if violating the strict aliasing rule causes UB?
chux - Reinstate Monica about 4 years

The exception is wider than char * --> Applies to any character type.
polynomial_donut almost 4 years

Adding the definition of 'effective type', including an exact standard reference, would improve this answer a lot. I take it the effectice type is the last type information that has been used for the object, if there is any (taken from here, but this doesn't point to the standard)
supercat over 3 years

@Nubcake: Because, in the words of the Committee expressed in the published Rationale, when the Standard use the term "Undefined Behavior", it among other things, "...identifies areas of possible conforming language extension: the implementor may augment the language by providing a definition of the officially undefined behavior." A religion has formed around the idea the Standard characterizes as "broken" any program whose behavior it regards as UB, ignoring the fact that the phrase "non-portable or erroneous" in no way excludes "non-portable but correct".
Bogdan over 3 years

Why cip is glvalue in the example of (11.2) in the section What the C++17 Draft Standard say? It looks like the lvalue, does it? It looks equal with the 2nd example in the section What does the C11 standard say?
M.M over 2 years

It should also be clarified that this answer is intended to be a C answer (although it is completely wrong for C as well) ; the question is dual-tagged C and C++.
Imperishable Night about 2 years

@curiousguy What I think slashmais might have been talking about is: (1) When a function takes multiple pointers that are not supposed to overlap, they should be explicitly declared as restrict; not doing so is a bad habit and should be "punished" by bad machine-code efficiency (as is already happening when the pointers happen to have the same type). (2) There are certainly examples of undefined behaviors, such as out-of-bound array access, that are more well-known than aliasing problems.