Why does dereferencing a wild or null pointer when passed to malloc not lead to a segmentation fault?

Question

These pieces of code cause a segmentation fault:

int *i;
printf("%d\n", *i);

int *i = NULL;
printf("%d\n", *i);

while these do not:

int *i;
i = malloc(sizeof *i);

int *i = NULL;
i = malloc(sizeof *i);

In all examples wild and null pointers dereferenced and passed as an argument to a function which should cause a segmentation fault. Why do the examples using malloc not behave as expected and produce a segmentation fault?

`sizeof` is not a function it's a builtin operator that returns the size of it's argument. `sizeof *i` is the size of the thing pointed by `i` that is the size of an `int` in your case. There is no dereferencement, and therefore no segfault — Jabberwocky, May 26 '21 at 15:52

score 3 · Accepted Answer · answered May 26 '21 at 15:55

In the last two cases involving sizeof, the operand of the sizeof operator is not actually evaluated. It is observed for its type and the result is calculated at compile time.

Section 6.5.3.4p2 of the C standard regarding the sizeof operator states:

The sizeof operator yields the size (in bytes) of its operand, which may be an expression or the parenthesized name of a type. The size is determined from the type of the operand. The result is an integer. If the type of the operand is a variable length array type, the operand is evaluated; otherwise, the operand is not evaluated and the result is an integer constant.

So there is no actual pointer dereference occurring.

Also, there's no guarantee that dereferencing a NULL pointer or an uninitialized pointer will cause a crash. It's actually undefined behavior, so it might crash, or it might not.

score 1 · Answer 2 · answered May 26 '21 at 15:56

§ 6.5.3.4 The sizeof operator

The sizeof operator yields the size (in bytes) of its operand, which may be an expression or the parenthesized name of a type. The size is determined from the type of the operand. The result is an integer. If the type of the operand is a variable length array type, the operand is evaluated; otherwise, the operand is not evaluated and the result is an integer constant

score 1 · Answer 3 · answered May 26 '21 at 15:58

6.5.3.4 The sizeof and _Alignof operators
...
2 The sizeof operator yields the size (in bytes) of its operand, which may be an expression or the parenthesized name of a type. The size is determined from the type of the operand. The result is an integer. If the type of the operand is a variable length array type, the operand is evaluated; otherwise, the operand is not evaluated and the result is an integer constant.

^{C 2011 Online Draft}

Under most circumstances sizeof does not evaluate its operand, so nothing gets dereferenced - it only cares about the type of the expression *i, not its value.

Why does dereferencing a wild or null pointer when passed to malloc not lead to a segmentation fault?

3 Answers3