Can *common* struct-members of 2 different struct-types, that are the same for the first common members, be accessed via pointer cast to either struct-type?

[John Reye]

Assume identical common top struct members:

struct a {
int i1;
char c1;
short sa1[3];
};

struct b {
int i2;
char c2;
short sa2[3];

int differ_here;
};


struct a tmp;



Are the following 2 line always equivalent (as in: yielding the same
lvalue) and allowed:

tmp.c1
((struct b*)&tmp)->c1

Thanks.
- John.

[James Kuyper]

No, the behavior is undefined. It's not because the members might be a
different locations in the two structs; that's possible but unlikely.
The real reason is the anti-aliasing rules (6.5p7). Because those rules
make the behavior of such code undefined, the implementation is not
obligated to consider the possibility that an lvalue referring to a
"struct a" object refers to the same object as one that refers to a
"struct b" object. As a result, when implementing code such as the
following:

tmp.c1 = 1;
printf("%d\n", ((struct b*)&tmp)->c1);

An implementation is not required to notice that the printf() is
referring to the same object as the assignment statement. As a result,
it could, for instance, defer the writing the new value to tmp.c1 until
after executing the printf() call. That's pretty unlikely in this simple
case, but gets more likely in more complicated code when aggressive
optimization is turned on.

There's a special exception that allows you to access the "common
initial sequence" of any two struct types, using either struct type,
when they are both members of the same union (6.5.2.3p6):

union ab
{
struct a one;
struct b two;
} pair;
pair.one.c1 = 1
printf("%d\n", pair.two.c1);

[John Reye]

Ah thanks James. Your replies are always much appreciated.

By the way does the union trick also work, when the first part is
common, but the 2 diverge afterwards.
Example:

struct a {
int i1;
char c1;
short sa1[3];

char u;

};

struct b {
int i2;
char c2;
short sa2[3];

int differ_here;
};

union ab
{
struct a one;
struct b two;
} pair;

The sizeof(union ab) will be the maximum value, of course.
So some union access-members (e.g. short structs), do not give me
access to the whole union (as described by the maximum struct). Right?

[James Kuyper]

On 05/02/2012 01:04 PM, John Reye wrote:
> On May 2, 6:36 pm, James Kuyper wrote:
>> On 05/02/2012 12:06 PM, John Reye wrote:
>>
>>> Assume identical common top struct members:
>>
>>> struct a {
>>> int i1;
>>> char c1;
>>> short sa1[3];
>>> };
>>
>>> struct b {
>>> int i2;
>>> char c2;
>>> short sa2[3];
>>
>>> int differ_here;
>>> };
>>
>>> struct a tmp;
>>
>>> Are the following 2 line always equivalent (as in: yielding the same
>>> lvalue) and allowed:
>>
>>> tmp.c1
>>> ((struct b*)&tmp)->c1

Correction: that should be ->c2, presumably.

>> No, the behavior is undefined. It's not because the members might be a
>> different locations in the two structs; that's possible but unlikely.
>> The real reason is the anti-aliasing rules (6.5p7). Because those rules
>> make the behavior of such code undefined, the implementation is not
>> obligated to consider the possibility that an lvalue referring to a
>> "struct a" object refers to the same object as one that refers to a
>> "struct b" object. As a result, when implementing code such as the
>> following:
>>
>> tmp.c1 = 1;
>> printf("%d\n", ((struct b*)&tmp)->c1);

Same correction here.

>> An implementation is not required to notice that the printf() is
>> referring to the same object as the assignment statement. As a result,
>> it could, for instance, defer the writing the new value to tmp.c1 until
>> after executing the printf() call. That's pretty unlikely in this simple
>> case, but gets more likely in more complicated code when aggressive
>> optimization is turned on.
>>
>> There's a special exception that allows you to access the "common
>> initial sequence" of any two struct types, using either struct type,
>> when they are both members of the same union (6.5.2.3p6):
>>
>> union ab
>> {
>> struct a one;
>> struct b two;
>> } pair;
>> pair.one.c1 = 1
>> printf("%d\n", pair.two.c1);

Correction: that should have been pair.two.c2.

> Ah thanks James. Your replies are always much appreciated.
>
> By the way does the union trick also work, when the first part is
> common, but the 2 diverge afterwards.

It works for the entire initial common sequence, no matter how many
additional members either struct type has after the common part.
Corresponding members of the common sequence must have compatible types;
for bit-fields, they must also have the same width.

> Example:
>
> struct a {
> int i1;
> char c1;
> short sa1[3];
>
> char u;
> };
>
> struct b {
> int i2;
> char c2;
> short sa2[3];
>
> int differ_here;
> };
>
>
>
> union ab
> {
> struct a one;
> struct b two;
> } pair;
>
>
> The sizeof(union ab) will be the maximum value, of course.
> So some union access-members (e.g. short structs), do not give me
> access to the whole union (as described by the maximum struct). Right?

Correct.

[Barry Schwarz]

Since struct b does not contain a member c1, the second line should
produce a diagnostic.

I appear to be in the minority. If you change the second line to
((struct b*)&tmp)->c2
and if the two structures are guaranteed to have the same alignment,
then I believe the requirement in 6.5.2.3-5 (which technically only
applies if the two structures are members of a union) would force the
compiler to generate the appropriate code to yield the same lvalue.
This would probably work everywhere except the DS9000.

--
Remove del for email

[christian.bau]

On May 2, 8:35 pm, Barry Schwarz <schwa...@dqel.com> wrote:

> I appear to be in the minority.  If you change the second line to
>      ((struct b*)&tmp)->c2
> and if the two structures are guaranteed to have the same alignment,
> then I believe the requirement in 6.5.2.3-5 (which technically only
> applies if the two structures are members of a union) would force the
> compiler to generate the appropriate code to yield the same lvalue.
> This would probably work everywhere except the DS9000.

Well, it wouldn't work on the DS9000 (which is a 100% standard
conforming but highly malicious implementation), so it is not
portable. But lets say I write

void f (struct a *p, struct b *q)
{
q->c2 = 1;
p->c1 = 2;
printf ("%d\n", q->c2);
}

and call

f (&tmp, (struct b*) &tmp);

do you think the function might print the number 1? If it could, then
the fact that in one case it is easy to detect for the compiler and
one case it is not, shouldn't make a difference.

[James Kuyper]

It might generate a retrieval using the same offset from the base of the
struct, but the key issue is whether the value it retrieves from that
location is the one that would, otherwise be considered the "current" value.

> This would probably work everywhere except the DS9000.

So the DS9000 is the only platform that would aggressively optimize
based upon the fact that a "struct a" lvalue could never, with defined
behavior, refer to the same object as a "struct b" lvalue?
I'd thought that the best modern optimizers were more aggressive than
that, at least at their highest levels.

[John Reye]

On May 2, 6:36 pm, James Kuyper wrote:

> the implementation is not
> obligated to consider the possibility that an lvalue referring to a
> "struct a" object refers to the same object as one that refers to a
> "struct b" object. As a result, when implementing code such as the
> following:
>
>         tmp.c1 = 1;
>         printf("%d\n", ((struct b*)&tmp)->c1);
>
> An implementation is not required to notice that the printf() is
> referring to the same object as the assignment statement.

Hmmm... I think that would be one heck of a rubbish compiler (or more
precisely *optimizing* compiler)! ;)
If the standard allows that kind of stuff, then it simply is not
bullet-proof enough.

Because tmp occurs in both lines. Every compiler should notice that!

Even if I "obfuscate" like this:
tmp.c1 = 1;
char *cp = ((struct b*)&tmp);
printf("%d\n", cp->c1);

I'd expect any compiler that gets it wrong, to be complete rubbish.
Why? Because it's an optimizer BUG.
Why?
Because any simple compiler, that does not optimize... get's it right!
And if any simple compiler get's it right, then any optimization must
guarantee to get it right as well.

I mean: if the C standard allows one to create optimizers that result
in such ... ummm... surprises (read: "rubbish"), then the standard is
faulty in my eyes.

[John Reye]

In fact...

then any use of pointers at all would fail.
char a;
char *p;

a = 1;
*p = 2;
printf("%d", a);

This will never print 1, unless the compiler is buggy.


In the same spirit... any compiler that gets the following wrong is
buggy:

>
> tmp.c1 = 1;
> printf("%d\n", ((struct b*)&tmp)->c2);

>
> An implementation is not required to notice that the printf() is

> referring to the same object as the assignment statement. As a result,
> it could, for instance, defer the writing the new value to tmp.c1 until
> after executing the printf() call. That's pretty unlikely in this simple
> case, but gets more likely in more complicated code when aggressive
> optimization is turned on.

It's not complicated. Rather... I suspect it would be a optimizer-
compiler bug.

[John Reye]

Ahh on the other hand, I might have gotten carried away here.

> tmp.c1 = 1;
> printf("%d\n", ((struct b*)&tmp)->c1);

I would always avoid something like this (not because of aliasing
rules, and compiler optimization), but because of the reasons given by
the mysterious 2nd poster (copied below) and because it's completely
unnecessary!

There is simply no need to do something like this. One can always
introduce an inner struct for the common part.
So in my above arguments, I forgot that I was arguing for something
that this is very very bad style anyway... to cast from type struct,
to a different type like that. So what I said about "rubbish
compiler's" is probably completely out of context. Sorry.


mysterious 2nd poster wrote:
> The guarantee only applies to the first member. The work around is to
> make each first field itself the same struct:
>
> struct common {
> int i; char c;
> };
>
> > struct a {
>
> struct common x1;> short sa1[3];
> > };
>
> > struct b {
>
> struct common x2;

>
> > short sa2[3];
>
> > int differ_here;
> > };
>

> > tmp.x1.c
> > ((struct b*)&tmp)->x2.c
>
> &struct a = &struct a.x1
> &struct b = &struct b.x2
> so if &struct a = &struct b
> &struct a.x1 = &struct b.x2
> and typeof struct a.x1 = typeof struct b.x2 = typeof struct common
> therefore for each f in struct common
> &struct a.x1.f = &struct b.x2.f
>
> --
> My name Indigo Montoya. | R'lyeh 38o57'6.5''S 102o51'16''E.
> You flamed my father. | I'm whoever you want me to be.
> Prepare to be spanked. | Annoying Usenet one post at a time.
> Stop posting that! | At least I can stay in character.

[John Reye]

(where did my message go? OK I'll repost)


Ah I think I got carried away above. Sorry.

The main problem was that I was putting down possible optimizing
compilers, while the reality is, that this statement itself is bloody
bad, and should be avoided at all costs.

struct a tmp;
((struct b*)&tmp)->c2

Reason: one casts from one type to a completely different unrelated
type.
Rather one should use an common inner struct, for the common parts
within structs. That's a simple way of not getting bitten. ;)

[John Reye]

On May 3, 6:25 pm, John Reye wrote:
> In fact...
>
> then any use of pointers at all would fail.
> char a;
> char *p;
>
> a = 1;
> *p = 2;
> printf("%d", a);
>
> This will never print 1, unless the compiler is buggy.

Correction in 2nd line of code:
char *p = &a;

[Nobody]

On Thu, 03 May 2012 09:20:24 -0700, John Reye wrote:

>>         tmp.c1 = 1;
>>         printf("%d\n", ((struct b*)&tmp)->c1);
>>
>> An implementation is not required to notice that the printf() is
>> referring to the same object as the assignment statement.
>
> Hmmm... I think that would be one heck of a rubbish compiler (or more
> precisely *optimizing* compiler)! ;)
>
> If the standard allows that kind of stuff, then it simply is not
> bullet-proof enough.
>
> Because tmp occurs in both lines. Every compiler should notice that!

The compiler is free to lose track of that information during
optimisation, and may well do so.

> Why? Because it's an optimizer BUG.

A bug is a failure to behave as documented, not a failure to behave
according to the intuition of some guy on usenet.

If it were otherwise, all compilers would have bugs, and those bugs would
be impossible to fix, as different people's intutions are different and
often contradictory.

> Why?
> Because any simple compiler, that does not optimize... get's it right!
> And if any simple compiler get's it right, then any optimization must
> guarantee to get it right as well.

The behaviour of a "simple" compiler does not form a part of the standard.

> I mean: if the C standard allows one to create optimizers that result
> in such ... ummm... surprises (read: "rubbish"), then the standard is
> faulty in my eyes.

Whether or not it is faulty "in your eyes" is irrelevant. The standard
is what it is.

The standard explicitly and intentionally facilitates optimisation, rather
than forcing the majority of real-world code to be suboptimal for the sake
of pathological cases. This is also why "const" and "volatile" were added
to C89 and "restrict" to C99, in spite of being completely unnecessary for
"simple" (i.e. non-optimising) compilers.

[John Reye]

On May 3, 8:14 pm, Nobody wrote:
> The compiler is free to lose track of that information during
> optimisation, and may well do so.

char a;
char *p = &a;

a = 1;
*p = 2;

printf("%d\n", a);

Does the C standard guarantee, that the value 2 will get printed in
the above code??
Thanks.

[Jens Gustedt]

no

for that you'd have to declare them

char volatile a;
char volatile *p = &a;

Jens

[John Reye]

Assume no volatile:

char a;
char *p = &a;

Does the C standard guarantee that the following will print 2? ->

a = 1, *p = 2, printf("%d\n", a);

Thanks.

[James Kuyper]

On 05/03/2012 03:05 PM, Jens Gustedt wrote:
> Am 05/03/2012 08:45 PM, schrieb John Reye:
>> On May 3, 8:14 pm, Nobody wrote:
>>> The compiler is free to lose track of that information during
>>> optimisation, and may well do so.
>>
>> char a;
>> char *p = &a;
>>
>> a = 1;
>> *p = 2;
>> printf("%d\n", a);
>>
>> Does the C standard guarantee, that the value 2 will get printed in
>> the above code??
>
> no

Why not? In the abstract machine those statements must be executed in
sequence. There's a sequence point at the end of each statement, which
means that side effects such as the change in value of a in the second
statement, must be complete by the time the value of 'a' is read by the
third statement.

> for that you'd have to declare them
>
> char volatile a;
> char volatile *p = &a;

Why should that be necessary?

[James Kuyper]

Yes.

The key point is that *p and a have the same type, so there's no
violation of the anti-aliasing rules. There's also a special exemption
in those rules for character types, so the behavior would remain
well-defined even if 'a' had the type 'int'.

[James Kuyper]

On 05/03/2012 12:25 PM, John Reye wrote:
> In fact...
>
> then any use of pointers at all would fail.
> char a;
> char *p;
>
> a = 1;
> *p = 2;
> printf("%d", a);

How do you reach that conclusion? That use of pointers doesn't violate
the anti-aliasing rules.

[John Reye]

Great, thanks.
(I'm quite relieved, otherwise I might have started sprinkling
unnecessary "volatiles"!!)

[Lanarcam]

IMO, volatile is useful when and only when the variable
can be modified by a piece of code out of scope of
the compiler or by a separate IC, for instance:

- global variable modifiable by several threads in a
multithread OS.

- Global variable modifiable by an ISR.

- Memory mapped IC registers.

Is that correct?

[James Kuyper]

On 05/03/2012 03:56 PM, Lanarcam wrote:
...

> IMO, volatile is useful when and only when the variable
> can be modified by a piece of code out of scope of
> the compiler or by a separate IC, for instance:
>
> - global variable modifiable by several threads in a
> multithread OS.
>
> - Global variable modifiable by an ISR.
>
> - Memory mapped IC registers.
>
> Is that correct?

You left out another important context: signal handlers. In fact, until
C2011 added working about threading, signal handlers were the only
purely internal C reason for needing volatile; all of the other possible
reasons were outside the scope of the standard.

[Jens Gustedt]

Am 05/03/2012 09:16 PM, schrieb James Kuyper:
> On 05/03/2012 03:05 PM, Jens Gustedt wrote:
>> Am 05/03/2012 08:45 PM, schrieb John Reye:
>>> char a;
>>> char *p = &a;
>>>
>>> a = 1;
>>> *p = 2;
>>> printf("%d\n", a);
>>>
>>> Does the C standard guarantee, that the value 2 will get printed in
>>> the above code??
>>
>> no
>
> Why not? In the abstract machine those statements must be executed in
> sequence. There's a sequence point at the end of each statement, which
> means that side effects such as the change in value of a in the second
> statement, must be complete by the time the value of 'a' is read by the
> third statement.

ah, right, I missed the fact that this was a pointer of the same (and
char) type.

>> for that you'd have to declare them
>>
>> char volatile a;
>> char volatile *p = &a;
>
> Why should that be necessary?

so it should only be necessary if you'd do a modification through a
pointer of different type.

Thinking of it, I wonder if the change would be necessarily visible if
we had

unsigned a = 1;
unsigned two = 2;
memcpy(&a, &two, sizeof a);
printf("%u\n", a);

Jens

[John Reye]

Volatile is also useful, if you have a dummy variable for debugging
purposes. To prevent it from getting optimized away (as could occur if
you never read from that variable, but just look at it through the
debugger), just declare it volatile.

[James Kuyper]

On 05/03/2012 12:20 PM, John Reye wrote:
> On May 2, 6:36 pm, James Kuyper wrote:
>> the implementation is not
>> obligated to consider the possibility that an lvalue referring to a
>> "struct a" object refers to the same object as one that refers to a
>> "struct b" object. As a result, when implementing code such as the
>> following:
>>
>> tmp.c1 = 1;
>> printf("%d\n", ((struct b*)&tmp)->c1);
>>
>> An implementation is not required to notice that the printf() is
>> referring to the same object as the assignment statement.
>
>
> Hmmm... I think that would be one heck of a rubbish compiler (or more
> precisely *optimizing* compiler)! ;)
> If the standard allows that kind of stuff, then it simply is not
> bullet-proof enough.

Many people think so; C is not the language to use if you want
bullet-proof code.

> Because tmp occurs in both lines. Every compiler should notice that!

The rule violated by your code is written to cover situations where that
is not the case, without creating a special exception for when it is the
case. Type punning is very fundamentally a hack; if you really want to
write for bullet-proof code, you want a language where such a hack
constitutes a syntax error or a constraint violation; ideally, a
language which doesn't even present you with a mechanism for describing
such behavior. For bullet-proof code, you don't want a language which
actually defines the behavior that C leaves undefined.

> Even if I "obfuscate" like this:
> tmp.c1 = 1;
> char *cp = ((struct b*)&tmp);
> printf("%d\n", cp->c1);
>
> I'd expect any compiler that gets it wrong, to be complete rubbish.
> Why? Because it's an optimizer BUG.
> Why?
> Because any simple compiler, that does not optimize... get's it right!
> And if any simple compiler get's it right, then any optimization must
> guarantee to get it right as well.
>
> I mean: if the C standard allows one to create optimizers that result
> in such ... ummm... surprises (read: "rubbish"), then the standard is
> faulty in my eyes.

OK: here's an example of the kind of code for which the relevant rules
were defined, which may give you a better understanding of why they
exist. It's enormously simplified from any realistic example, but the
key features of this example that are relevant to the aliasing rules are
also commonplace features of much real-world code:

struct department {
int department_id;
// ...
};

struct employee {
int employee_id;
int department_id;
// ...
};

// The key point is that employee_id and department_id are both at the
// start of their structs, and have the same type.

static void lay_off_employees(
struct department *dept,
struct employee employees[],
int num
){
for(int emp = 0; emp<num; emp++)
{
if(employees[emp].department_id == dept->department_id)
{
// Deal with lots of other issues.
// We're done now!
employees[emp].employee_id = -1;
}
}
// ...
}

Key point to notice: dept->department_id is not changed through an
lvalue of type "struct department" anywhere inside the lay_off_employees
loop. It can therefore be treated as a loop invariant, which need only
actually be evaluated once, before the loop begins. In other words, the
implementation is free to compile that function as if it were written:

int dept_id = dept->department_id;
for(int emp=0; emp<num; emp++)
{
if(employee[emp].department_id == dept_id)
...

This is one of the simplest and oldest of loop optimization strategies.
Now, consider the following ridiculous code:

employees[523].employee_id = human_resources.department_id;
lay_off_employees((struct department*)(employees+523),
employees, 600);

The possibility of writing such code means that dept->department_id is
not actually a loop invariant. If it weren't for C's anti-aliasing
rules, the behavior of such code would be defined, and as soon as
emp==523, the value of dept->department_id would have to change to -1.

The simplest approach to making that work would be to accept the
performance hit of repeatedly re-evaluating dept->department_id during
every pass through the loop, just in case it might change as a result of
something that happens inside the loop. There are more complicated
approaches can be used to reduce the performance hit, by retrieving it
only once at the start of the loop, and a second time after emp==523.
However, those ARE more complicated approaches, and they don't scale
well when the number of different expressions that might alias each
other gets as large as 5 or 10 different expressions (in typical
real-world code the number of potentially-aliasing expressions is much
larger than that, particularly if there's a lot of pointers floating
around).

Because it is undefined behavior for *dept to refer to the same object
as employees[emp], an implementation is allowed to not worry about the
possibility that someone would write such ridiculous code, so they can
treat dept->department_id as if it actually were a loop invariant that
could be moved out of the loop. Only code that has undefined behavior
would be broken by treating it as a loop invariant.

This seems like a trivial issue in this simplified context, but keep in
mind that, without the anti-aliasing rules, any lvalue derived from a
pointer could potentially alias any other lvalue, if that pointer had
the right value and compatible alignment requirements. The anti-aliasing
rules guarantee that a compiler only needs to worry about aliasing
between lvalues of certain types, greatly reducing the problem, with
corresponding increases in the feasibility of performing such optimizations.

[Keith Thompson]

John Reye <jono...@googlemail.com> writes:

> On May 3, 9:05 pm, Jens Gustedt wrote:
>> > char a;
>> > char *p = &a;
>>
>> > a = 1;
>> > *p = 2;
>> > printf("%d\n", a);
>>
>> > Does the C standard guarantee, that the value 2 will get printed in
>> > the above code??
>>
>> no
>>
>> for that you'd have to declare them
>>
>> char volatile a;
>> char volatile *p = &a;
>

> Thanks!!!
> So it would seem that good C coders sprinkle a lot of volatile. ;)

volatile is completely unnecessary in this case; the original code is
well defined.

--
Keith Thompson (The_Other_Keith) ks...@mib.org <http://www.ghoti.net/~kst>
Will write code for food.
"We must do something. This is something. Therefore, we must do this."
-- Antony Jay and Jonathan Lynn, "Yes Minister"

[Nobody]

On Thu, 03 May 2012 16:12:50 -0400, James Kuyper wrote:

> You left out another important context: signal handlers. In fact, until
> C2011 added working about threading, signal handlers were the only
> purely internal C reason for needing volatile; all of the other possible
> reasons were outside the scope of the standard.

Not quite; volatile is also meaningful in conjunction with setjmp/longjmp.
7.13.2.1p3 says:

[#3] All accessible objects have values as of the time
longjmp was called, except that the values of objects of
automatic storage duration that are local to the function
containing the invocation of the corresponding setjmp macro
that do not have volatile-qualified type and have been
changed between the setjmp invocation and longjmp call are
indeterminate.

[Tim Rentsch]

An accident waiting to happen. The important question isn't
whether it works today, but whether it has to keep working in the
future. As compilers get better at optimizing, the likelihood
that code like this will have problems becomes non-negligible.
Since the Standards allows them to take advantage of such
cases, compiler writers inevitably will, and then... kaboom!

[Tim Rentsch]

This suggestion is dangerously wrong. Not only is using
'volatile' irrelevant in this case, it makes no difference in any
other case (ie, of type punning). The effective type rules delimit
what types of accesses are permitted, and adding volatile doesn't
change that -- using 'volatile double *' to access a value stored
using a 'volatile long *' is undefined behavior just as much as
'double *' and 'long *' would be. In practical terms the
'volatile' variants may have a better chance of working, but as
far as the Standard goes they are equally undefined behavior.