Pointer type casting and dereferencing

Question

I'm actually not sure how the printf statement is working.

char *po;    
int y=9999;    
po = &y;    
printf("\n%d", *(int *)po);

I first create a char pointer assign an integer address to it, then print it back after typecasting. My guess is that (int *)po casts po to integer type, then *(int *)po retrieves the value pointed by this integer type pointer. Not sure though. Can someone explain it better?

What if po was still a char * but y was some struct with multiple different members, int, float, char etc.?

Answer 1

Let's go line by line.

char *po;   //po is a pointer to character.
int y=9999; //y is an int initialised to 9999.  
po = &y;    //po is assigned to point to the first character (i.e. byte) of y.
printf("\n%d", *(int *)po); //po is cast back to a pointer to int, dereferenced and printed.

There's an explicit rule in C that you can cast any pointer to a data type to a pointer to character type (signed char, unsigned char or the one-of-those but unspecified char). So this is guaranteed OK. Be careful though. C doesn't specify if the platform is big-endian or little-endian so there's no way of knowing upfront which byte of the int you're pointing to - most, least significant or other (on some obscure platforms).

That rule casting any data-type pointer to a char-pointer applies to everything struct, double, float - the whole data-type shooting match.

Now if you cast it back to an int and try and print it, you could be in trouble. If you're dealing with a struct and its first member is an int you're still fine. Otherwise you're straight into Undefined Behaviour. On some machines assuming the thing you're pointing to is at least sizeof(int) long, you'll get a value that is whatever is stored interpreted as an int but on some machines the address may not be properly aligned. If the object is not large enough (<sizeof(int)) and you may get some protection fault or even the value of the 'next aligned int up'.

On some very obscure architectures, you could hit a 'trap representation' and also abort.

Answer 2

A pointer is a number which indicates the beginning of a memory section. For example, you can write

void* ptr = 0xaa3156bc;

Now, you have this address where you want to read data, but how do interpret what's there?

Well, you can tell the compiler to either read 4 bytes as int by converting to int, or 8 bytes and convert to a double precision number, or a byte by converting to a char.

int vali = *(int*)ptr;
double vals = *(double*)ptr; // valid operation in C but can fail/have unexpected consequences
char valc = *(char*)ptr;
char *valstr = (char*)ptr;

Normally, you can just read/write to arbitrary memory addresses, so you will need the address of some valid memory: an existing variable, something what was allocated with malloc or new (C++). This restriction is true on modern processors, but on Arduino for example, you should not get an access violation reading/writing arbitrary location within address space.

float x = 10.0f;
void *ptr = (void*)&x;
int*ptrf = (int*)(void*)&x;
MyStructWithManyFields *ptrstruct = (MyStructWithManyFields *)(void*)&x;
// you can still do conversions:
float valf = *(float*)ptrstruct; // valf = 10.0f
int vali = *(int*)ptrstruct;  // vali=1092616192

You can use any as intermediate pointer because is just a hint to the compiler. Type of pointer is only important for the following reasons: hint to the developer, pointer arithmetic, pointer reference:

// given
void *pvoid = 0x0000aa10; // just as an example, do not do this in practice.
int *pi = (int*)pvoid;
char *pc = (char*)pvoid;
StructOfSize9bytes *ps = (StructOfSize9bytes *)pvoid;
// then
pvoid++; // compiler error;
pi++; // pi= 0x0000aa14;
pc++; // pc= 0x0000aa11;
ps++; // ps= 0x00aaaa19;

Answer 3

The "type" of the pointer is not tracked in memory by the compiler. You can cast that pointer to any kind of pointer you want as an input and it doesn't make any difference to the compiler when processing the call to printf, nor does printf receive any type information that would allow it to fail safely if you pass in the "wrong" type.

There is a C facility called varargs, which is kind of an agreement between the compiler, the ABI, and the C standard library. You can read about it here: https://www.gnu.org/software/libc/manual/html_node/Variadic-Functions.html

In short, printf uses the varargs facility to iterate over the arguments passed into the function. At the same time, it evaluates the format string to interpret what kind of arguments should have been passed in. It then casts the varargs results as needed to format the data for output.

That's why mismatches between printf format strings and argument lists is such a huge security hole. Some compilers even go so far as to interpret the format string and warn you about mismatches between the parameters and the format.

Answer 4

I first create a char pointer assign an integer address

No, you create a pointer-to-char and assign the address of an integer to it.

An integer address isn't a thing, and integers don't live in some magically different address space to characters.

An pointer-to-integer is an address (which is essentially typeless and could point to any data type) coupled to a type (the thing stored at this address is an integer).

When you cast your int* to a char*, the address is unchanged. You're just choosing to lie to the compiler about the type stored at that address, for reasons best known to yourself.

My guess is that (int *)po casts po to integer type

When you cast po back to int*, the address is still unchanged, and it's still the address of your original integer. You just admitted to the compiler that it isn't "really" a char stored there.

Casting to "integer type" would mean (int)po, which isn't what you did. You seem to be confusing the type of the pointer with the type of the thing it points at.

then *(int *)po retrieves the value pointed by this integer type pointer. Not sure though.

Yes, that's correct. It's just the same as dereferencing any other pointer-to-integer, you get the value of the integer it points to. You could trivially split the expression up as

int *pi = (int*)po;
int i = *pi;

and then print that. You can also print the address of a pointer with to confirm everything is what you expect (or just inspect these values in a debugger)

char *po;
int *pi;
int i;
int y=9999;    
po = (char *)&y;   
pi = (int *)po;
i = *pi;

printf("y=%d\n &y=%p\n po=%p\n pi=%p\n i=%d\n &i=%p\n",
       y, (void*)&y, (void*)po, (void*)pi, i, (void*)&i);

What if ... y was some struct with multiple different members ...

You're just asking in general what happens when you cast a pointer-to-X to a pointer-to-Y and back to pointer-to-X?

It's fine. You're just telling stories about the pointed-to type, but the address never changes.

If you want to access your X through a pointer-to-Y, you need to read the strict aliasing rules