Is "int *ptr = *( ( &a ) + 1 );" where "a" is int[5] well-defined by the Standard?

Question

Based on this Question ( strange output issue in c) there was an Answer ( provided by @Lundin ) about this line:

int *ptr = (int*)(&a+1);

where he said:

the cast (int*) was hiding this bug.

So I came with the following:

#include <stdio.h>

int main( void ){
    int a[5] = {1,2,3,4,5};

    int *ptr = *( ( &a ) + 1 );
    printf("%d", *(ptr-1) );
}

I would like to know if this:

int *ptr = *( ( &a ) + 1 );

Is well-defined by the Standard?

EDIT:

At some point @chux pointed to §6.3.2.3.7 which is:

A pointer to an object type may be converted to a pointer to a different object type. If the
resulting pointer is not correctly aligned68) for the referenced type, the behavior is
undefined. Otherwise, when converted back again, the result shall compare equal to the
original pointer. When a pointer to an object is converted to a pointer to a character type,
the result points to the lowest addressed byte of the object. Successive increments of the
result, up to the size of the object, yield pointers to the remaining bytes of the object.

But I am not sure if I understand it right.

Answer 1

This expression invokes undefined behavior as a result of the dereference operator *:

int *ptr = *( ( &a ) + 1 );

First, let's start with ( &a ) + 1. This part is valid. &a has type int (*)[5], i.e. a pointer to an array of size 5. Performing pointer arithmetic by adding 1 is valid, even though a is not an element of an array.

In section 6.5.6 of the C standard detailing Additive Operators, paragraph 7 states:

For the purposes of these operators, a pointer to an object that is not an element of an array behaves the same as a pointer to the first element of an array of length one with the type of the object as its element type.

It's also allowed to create a pointer that points to one element past the end of an array. So &a + 1 is allowed.

The problem is when we dereference this expression. Paragraph 8 states:

When an expression that has integer type is added to or subtracted from a pointer, the result has the type of the pointer operand. If the pointer operand points to an element of an array object, and the array is large enough, the result points to an element offset from the original element such that the difference of the subscripts of the resulting and original array elements equals the integer expression. In other words, if the expression P points to the i-th element of an array object, the expressions (P)+N (equivalently, N+(P)) and (P)-N (where N has the value n) point to, respectively, the i+n-th and i−n-th elements of the array object, provided they exist. Moreover, if the expression P points to the last element of an array object, the expression (P)+1 points one past the last element of the array object, and if the expression q points one past the last element of an array object, the expression (Q)-1 points to the last element of the array object. If both the pointer operand and the result point to elements of the same array object, or one past the last element of the array object, the evaluation shall not produce an overflow; otherwise, the behavior is undefined. If the result points one past the last element of the array object, it shall not be used as the operand of a unary * operator that is evaluated.

Since dereferencing a pointer to one past the end of an array is not allowed, the beahvior is undefined.

Going back to the expression in the referenced post:

int *ptr = (int*)(&a+1);
printf("%d %d", *(a+1), *(ptr-1));

This is also undefined behavior but for a different reason. In this case, a int (*)[5] is converted to int * and the converted value is subsequently used. The only case where using such a converted value is legal is when converting an object pointer to a pointer to a character type, e.g. char * or unsigned char * and subsequently dereferenced to read the bytes of the object's representation.

EDIT:

It seems the two lines above are actually well defined. At the time the pointer dereference *(ptr-1) occurs, the object being accessed has effective type int, which matches the dereferenced type of ptr-1. Casting the pointer value &a+1 from int (*)[5] to int * is valid, and performing pointer arithmetic on the casted pointer value is also valid because it points either inside of a or one element past it.

Answer 2

*( ( &a ) + 1 ) is UB due to

... If the result points one past the last element of the array object, it shall not be used as the operand of a unary * operator that is evaluated. C11 §6.5.6 8

( &a ) + 1 points to "one past". Using * on that goes against "shall not".

int a[5] = {1,2,3,4,5};
int *ptr = *( ( &a ) + 1 );

---

Even if a was int a this applies due to

For the purposes of these operators, a pointer to an object that is not an element of an array behaves the same as a pointer to the first element of an array of length one with the type of the object as its element type. §6.5.6 7

Answer 3

int *ptr = *( ( &a ) + 1 ); is invoked undefined behaviour.

C11 - §6.5.6 "Additive operators" (P8) :

When an expression that has integer type is added to or subtracted from a pointer, the result has the type of the pointer operand. If the pointer operand points to an element of an array object, and the array is large enough, the result points to an element offset from the original element such that the difference of the subscripts of the resulting and original array elements equals the integer expression. In other words, if the expression P points to the i-th element of an array object, the expressions (P)+N (equivalently, N+(P)) and (P)-N (where N has the value n) point to, respectively, the i+n-th and i−n-th elements of the array object, provided they exist. Moreover, if the expression P points to the last element of an array object, the expression (P)+1 points one past the last element of the array object, and if the expression Q points one past the last element of an array object, the expression (Q)-1 points to the last element of the array object.[...]