3

In my day job, I have encountered a lot of C codes resembling the following pattern. I am worrying whether this pattern is safe.

typedef struct
{
    unsigned char someField : 4;
    unsigned char someOtherField : 4;
    unsigned char body[1];
} __attribute__((__packed__, aligned(1))) SomeStruct;

int main()
{
    unsigned char pack[16] = {};
    SomeStruct* structPack = (SomeStruct*)pack;

    structPack->someField = 0xC;
    structPack->body[4] = 0x5;

    return 0;
}

What makes me worry is that the program uses structPack->body[4], which is still a part of the 16-byte array, but is out-of-bound if we look at the definition of SomeStruct. So there are two ways to look at it:

  • It is refering to a valid memory location. No danger.
  • It is out-of-bound, therefore undefined behaviour.

So, my questions are:

  1. According to the C standard (more specifically, C89), is this pattern safe or undefined behaviour?
  2. Also, for some specific compilers (esp. GCC) or platform, is it safe?
  3. Are there better alternatives?

Note that this kind of code mostly runs on micro-controllers, and sometimes runs as application on Linux desktop.

  • I'd consider it unsafe, and misleading at best. There's no point in doing it. If the code that wrote to `structPack->body[4]` was moved somewhere else, and it was no longer pointing at a larger buffer, you're in trouble. Or, if someone decides to make an array of SomeStruct's you're going to have a bad time. – Jonathon Reinhart Nov 10 '14 at 01:43
  • If body is an array of size 1, then why do you want to access the 5th element? Something is wrong with your logic here. – Neil Kirk Nov 10 '14 at 01:58
  • @NeilKirk This is a commonly used pattern in C for allocating a single object with a variable length array at the end. Normally the object is allocated via `malloc`. But no idea whether it is strictly legal or not. – Keith Nov 10 '14 at 02:06
  • 2
    http://c-faq.com/struct/structhack.html – Neil Kirk Nov 10 '14 at 02:09
  • @NeilKirk. Nice one. I think that counts as an answer. – Keith Nov 10 '14 at 02:11
  • @Keith Feel free to make the answer and get the rep, I'm too tired :) – Neil Kirk Nov 10 '14 at 02:12
  • Seems like a bad attempt at [flexible arrays](http://stackoverflow.com/q/20221012/1708801) – Shafik Yaghmour Nov 10 '14 at 02:14
  • Also, `unsigned char pack[16] = {};` is illegal in Standard C (there must be at least one initializer), and the `__attribute__` specification is also non-standard. So by nature your question is asking about a specific compiler; even though the struct hack causes UB in Standard C, your compiler might support it – M.M Nov 10 '14 at 04:37

1 Answers1

3

Accessing an object through an incompatible lvalue is undefined behaviour. Alignment may be solved by your attribute line, but using the pointer to access the object is still violating strict aliasing:

unsigned char pack[16] = {};
SomeStruct* structPack = (SomeStruct*)pack;

6.5. p7:

An object shall have its stored value accessed only by an lvalue expression that has one of the following types:

— a type compatible with the effective type of the object,

— a qualified version of a type compatible with the effective type of the object,

— a type that is the signed or unsigned type corresponding to the effective type of the object,

— a type that is the signed or unsigned type corresponding to a qualified version of the effective type of the object,

— an aggregate or union type that includes one of the aforementioned types among its members (including, recursively, a member of a subaggregate or contained union), or

— a character type.

Where effective type is:

The effective type of an object for an access to its stored value is the declared type of the object, if any.

SomeStruct* is not compatible to a char array.

The correct way of allocating SomeStruct is to use memory allocators, or alloca( which will allocate stack if that is a concern ) if the function is supported.

Still there is the problem of the body member which is a size one array and Standard will not permit accessing it out of bounds( i.e. body[1] ). c99 introduced a solution which is the flexible array member:

typedef struct
{
    unsigned char someField : 4;
    unsigned char someOtherField : 4;
    unsigned char body[];    //must be last
}...

When you set the size to allocate this struct, you add additional size depending how large the body[] member needs to be.

2501
  • 25,460
  • 4
  • 47
  • 87