Is accessing arrays out-of-bounds legal if what lies beyond those bounds is known in C? Why not and how can this be worked around?

Question

Take the following which works in GCC:

union Int2 {
    int i[2];
};
union Int4 {
    union Int2 i2[2];
};
union Int4 i4;
i4.i2[1].i[-1] = 10;
printf("%d\n", i4.i2[0].i[1]); // 10
static_assert(sizeof(Int4)==sizeof(int[4]), "Unexpected padding");

In this case, the union is not allowed to have any padding, so what lies beyond those internal arrays is definitively known. However according a comment this is technically undefined behavior and not legal.

The rule that specifies pointer arithmetic, C 2018 6.5.6 8, defines it only for arithmetic within an array (including the end position one beyond the last element and treating a single object as an array of one element). This creates a "pointer provenance" property; if p[x] has behavior defined by the C standard, it can refer only to elements of an array p points to. Compilers may use this to reduce pointer arithmetic when optimizing, and this reduction may break code that attempts to use indexing outside the actual array.

If this comment is correct, this answers the first question: No. Which brings us to my actual questions:

• If arrays use pointer arithmetic, then doing so would just generate a pointer to the out-of-bounds but known value. Could someone explain what could be going on behind the scenes that could prevent this from working, despite this working in practice on GCC?
• Is there any way to 'circumvent' this undefined behavior? Some undefined behavior can be circumvented trivially, such as signed overflow, by casting to an unsigned type before performing. Similarly, assuming I only have access to a pointer to the second element of an i2 member, is there any way to access the first i2 member and/or the constituent int values without invoking undefined behavior?

Answer 1

Is accessing arrays out-of-bounds legal if what lies beyond those bounds is known in C?

I take you to mean evaluating an expression of the form array[i], where array is an expression having array value (prior to decay), and i is either negative or greater than or equal to the number of elements in the array. No, that is not "legal", by which I mean that the C language specification does not define the behavior. It does not matter what lies outside the bounds of the array, or whether that is known in some sense.

Why not

Because the language spec says so. Specifically, it says that array[i] is equivalent to *((array) + (i)), where array is, as usual, subject to decay to a pointer. And it says explicitly that the pointer addition (array) + (i) is defined only if i is between 0 and the number of elements in the array, but that dereferencing the result has undefined behavior if i is equal to the number of elements in the array.

But perhaps you are asking about rationale. The committee has not published an official rationale for those semantics, but it seems reasonable that they favored simpler rules with fewer exceptions. Additionally, they definitely avoid assuming an addressing model that supports "what lies beyond?" even being a sensible question.

and how can this be worked around?

Generally, don't rely on out-of-bounds array accesses.

If the knowledge you claim about what lies beyond an array is based on the array being part of another object, however, then you may be able to use information about the container type. In your particular example, I would just change i4.i2[1].i[-1] to i4.i2[0].i[1]. Under other circumstances, you might be able to use pointer conversions to express the access you want relative to the container. In the worst case, you might need to perform a deeper refactoring to avoid out of bounds accesses.

If arrays use pointer arithmetic,

They do.

then doing so would just generate a pointer to the out-of-bounds but known value.

Actually, yes, but that does not allow you to dereference the pointer. Perhaps that's inconsistent, but it's what the spec says.

Could someone explain what could be going on behind the scenes that could prevent this from working, despite this working in practice on GCC?

A compiler is permitted to assume that your code has well-defined behavior. It is permitted to do anything at all in the event of undefined behavior, whether it recognizes the UB or not. Compilers can and do leverage that to implement optimizations that are correct as long as all program behavior is defined, but that produce results different from what you might naively expect when the behavior is undefined. That you do not observe that in your particular example is not generalizable to other code or other compilers.

Is there any way to 'circumvent' this undefined behavior?

There are lots of ways. Some better, and some worse. Specifics depend on the situation.

assuming I only have access to a pointer to the second element of an i2 member, is there any way to access the first i2 member and/or the constituent int values without invoking undefined behavior?

The only way you could have access to the second element of one of your i2s without also having access to the first is if the access were through a pointer:

process_second_i2(union Int2 *x2) {
    // ...
}

But given that this is a pointer to the second element of an array, it is valid use it to access the first element of the same array:

int x1_0 =  (x2 - 1)[0];

// or

int x1_1 =  x2[-1][1];

But that has UB if x2 does not after all point to the second or subsequent element of an array.

---

Side note: you claim,

In this case, the union is not allowed to have any padding,

but the C language specification does not support that claim. The ABI of the machine you are compiling for will specify, and it might or might not support that claim. For example, it might specify that int is 4 bytes wide and all structure and union sizes are multiples of 16 bytes. In that case, your union Int2 would indeed contain padding, but your union Int4 would not contain any padding of its own.

Under other circumstances, union Int4 might contain padding.

Answer 2

The behavior on accessing an array out-of-bounds is undefined, period - it doesn't matter if you know the array is contiguous with another object.

Undefined != illegal. All "undefined" means is that neither the compiler nor runtime environment are required to handle the situation in any particular way. The compiler isn't required to issue a diagnostic, the runtime environment is not required to throw a segfault, etc.

Answer 3

There are dialects of C in which the behavior of pointer arithmetic is defined "in a documented manner characteristic of the environment" in all cases where the environment would specify the behavior. Because there are some tasks for which other ways of processing the construct might be more useful, and where optimization might affect program behavior in some scenarios involving out-of-bounds array accesses, the Standard appears to be intended to waive jurisdiction over some scenarios involving indexing beyond the boundaries of "inner" arrays, though I see no evidence of consensus as to what cases programmers should be allowed to rely upon. Annex J2 of N1570 includes the following in its list of "Undefined Behaviors":

An array subscript is out of range, even if an object is apparently accessible with the given subscript (as in the lvalue expression a[1][7] given the declaration int a[4][5]) (6.5.6).

Nothing within the normative text of 6.5.6 would indicate a consensus judgment that a[0]+5 and a[1]+0 should not be viewed as being part of the same "array object" a, but Annex J2 clearly indicates that intention.

Given e.g.

unsigned char arr[5][3];
int test1(int x) { return arr[0][x]; }
int test2(int x) { return *(arr[0]+x); }
int test3(int x) { return *(((char*)arr)+x); }

Annex J2 makes it clear that the Standard is intended to waive jurisdiction of test1 when x is outside the range 0 to 2, but the general principle that objects can be decomposed into a sequence of unsigned char values would imply that test3 should be expected to behave predictably for all values of x from 0 to 14. I see nothing in the normative parts of the Standard, however, that would imply that test1 and test3 are not equivalent.

It's important to note that in many scenarios where pre-standard implementations would almost unanimously process a construct a certain way, but some implementations might have a good reason for processing code in a different fashion that might expose the effects of optimization, the Standard waived jurisdiction to allow implementations that had a good reason for deviating from the commonplace behavior to do so. Such waiver of jurisdiction was never intended to suggest that implementations shouldn't be expected to follow the commonplace behavior in the absence of a documented or obvious reason for doing otherwise, and thus the authors of the Standard saw no need to get bogged down in the details of what precise cases were and were not "defined". If an implementation would have no reason not to process test3 in a manner consistent with the mandated underlying storage layout of the array, nobody should care whether the Standard mandated such behavior.

Incidentally, clang and gcc seem to process the [] operand in a manner that the Standard should have specified but didn't, i.e. specifying that an array operand to [] doesn't decay to a pointer, but is instead processed in a manner analogous to an indexed version of the . operator, which would yield an addressable lvalue when the left operand is an addressable lvalue. Under such a rule, test1 would has defined behavior only for x==0..2, but test2 would has defined behavior for x==0..14. I know of nothing in the documentation for clang or gcc that would specify this behavior, however.