How does returning values from a function work?

Question

I recently had a serious bug, where I forgot to return a value in a function. The problem was that even though nothing was returned it worked fine under Linux/Windows and only crashed under Mac. I discovered the bug when I turned on all compiler warnings.

So here is a simple example:

#include <iostream>

class A{
public:
    A(int p1, int p2, int p3): v1(p1), v2(p2), v3(p3)
    {
    }

    int v1;
    int v2;
    int v3;
};

A* getA(){
    A* p = new A(1,2,3);
//  return p;
}

int main(){

    A* a = getA();

    std::cerr << "A: v1=" << a->v1 << " v2=" << a->v2 << " v3=" << a->v3 << std::endl;  

    return 0;
}

My question is how can this work under Linux/Windows without crashing? How is the returning of values done on lower level?

How comfortable are you with assembly, or at least the concept of registers and jumping? — Corbin, Mar 11 '12 at 09:12
You have **undefined behaviour**, so anything can happen. Including what you see. A crash is not part of the defined, let alone *required*, program behaviour! — Kerrek SB, Mar 11 '12 at 09:14
@Corbin I've a basic knowledge of assembler and these concepts since I studied computer sience. — D-rk, Mar 11 '12 at 09:16
@Kerrek I know that this results in undefined behaviour but I want to know why it coincidentally worked? — D-rk, Mar 11 '12 at 09:17
@Dirk: What's the output you're getting? Try adding `delete a;` in `main` and see what Valgrind says. — Kerrek SB, Mar 11 '12 at 09:23
(Ironically, you *can* actually omit the `return 0;` from `main`, as it's implicit.) — Kerrek SB, Mar 11 '12 at 09:24
@KerrekSB: What exactly is **undefined behavior** ? Not returning a value or using the return value of a function that does not provide one (but claims to have one in his declaration) ? — ereOn, Mar 11 '12 at 09:33
See http://stackoverflow.com/questions/1610030/why-can-you-return-from-a-non-void-function-without-returning-a-value-without-pr/1610454#1610454 — JohnPS, Mar 11 '12 at 09:40

score 8 · Accepted Answer · answered Mar 11 '12 at 09:24

8

On Intel architecture, simple values (integers and pointers) are usually returned in eax register. This register (among others) is also used as temporary storage when moving values in memory and as operand during calculations. So whatever value left in that register is treated as the return value, and in your case it turned out to be exactly what you wanted to be returned.

answered Mar 11 '12 at 09:24

hamstergene

24,039
5
57
72

1

How come the missing `return` statement was not an error by compiler? – Cratylus Mar 11 '12 at 09:28
5

@user384706 Because it is allowed by C++ standard (6.6.3/2). I myself wonder why on Earth they keep it this way. – hamstergene Mar 11 '12 at 09:33
1

@hamstergene: I think because it would require the compiler, given `int foo() { bar(); }` (for example), to figure out if `bar()` throws. Possible in principle, probably not worth it for C++ in practice. (Not that it cannot be done in other languages, indeed it is.) – GManNickG Mar 11 '12 at 10:07
1

@hamstergene: As GManNickG, the problem is that evaluating if a function returns on all possible paths is actually pretty difficult. For example, Eclipse just gets it wrong if you have a function that never returns (like `abort`). In order to provide good warnings, `gcc` introduced `__attribute__((noreturn))` to mark such functions, but even then it is non-trivial, and since it's compiler specific, you cannot expect a library you use to have them, so it's kinda hard to impose it. On the other hand, if like me you use `-Werror -Wall -Wextra`, no problem ;) – Matthieu M. Mar 11 '12 at 12:49

score 3 · Answer 2 · answered Mar 11 '12 at 09:23

3

Probably by luck, 'a' left in a register that happens to be used for returning single pointer results, something like that.

The calling/ conventions and function result returns are architecture-dependent, so it's not surprising that your code works on Windows/Linux but not on a Mac.

answered Mar 11 '12 at 09:23

Martin James

24,453
3
36
60

How come the missing `return` statement was not an error by compiler? – Cratylus Mar 11 '12 at 09:29
Checking every control path may be difficult, so compilers aren't required to check, but most will give warnings if they catch it. – JohnPS Mar 11 '12 at 09:39

Luchian Grigore · Answer 3 · 2012-03-11T09:56:31.147

First off, you need to slightly modify your example to get it to compile. The function must have at least an execution path that returns a value.

A* getA(){
    if(false)
        return NULL;
    A* p = new A(1,2,3);
//  return p;
}

Second, it's obviously undefined behavior, which means anything can happen, but I guess this answer won't satisfy you.

Third, in Windows it works in Debug mode, but if you compile under Release, it doesn't.

The following is compiled under Debug:

    A* p = new A(1,2,3);
00021535  push        0Ch  
00021537  call        operator new (211FEh) 
0002153C  add         esp,4 
0002153F  mov         dword ptr [ebp-0E0h],eax 
00021545  mov         dword ptr [ebp-4],0 
0002154C  cmp         dword ptr [ebp-0E0h],0 
00021553  je          getA+7Eh (2156Eh) 
00021555  push        3    
00021557  push        2    
00021559  push        1    
0002155B  mov         ecx,dword ptr [ebp-0E0h] 
00021561  call        A::A (21271h) 
00021566  mov         dword ptr [ebp-0F4h],eax 
0002156C  jmp         getA+88h (21578h) 
0002156E  mov         dword ptr [ebp-0F4h],0 
00021578  mov         eax,dword ptr [ebp-0F4h] 
0002157E  mov         dword ptr [ebp-0ECh],eax 
00021584  mov         dword ptr [ebp-4],0FFFFFFFFh 
0002158B  mov         ecx,dword ptr [ebp-0ECh] 
00021591  mov         dword ptr [ebp-14h],ecx

The second instruction, the call to operator new, moves into eax the pointer to the newly created instance.

    A* a = getA();
0010484E  call        getA (1012ADh) 
00104853  mov         dword ptr [a],eax

The calling context expects eax to contain the returned value, but it does not, it contains the last pointer allocated by new, which is incidentally, p.

So that's why it works.

my code compiles without modification on my linux machine here. But thats not really important. But I have two questions: How can I see the generated assembler code after comiling? Can you help me understand the first assembler code snippet? Whats done there exactly? — D-rk, Mar 11 '12 at 09:43
@Dirk I'm using Visual Studio, you just right click and select `show dissasembly`. As for the second question, it's constructing a new `A` object at the address pointed to by `eax`, which was initialized by the call to `new`. I can't explain much more, my asm knowledge is limited. — Luchian Grigore, Mar 11 '12 at 09:58

score 2 · Answer 4 · answered Mar 11 '12 at 09:34

There are two major ways for a compiler to return a value:

Put a value in a register before returning, and
Have the caller pass a block of stack memory for the return value, and write the value into that block [more info]

The #1 is usually used with anything that fits into a register; #2 is for everything else (large structs, arrays, et cetera).

In your case, the compiler uses #1 both for the return of new and for the return of your function. On Linux and Windows, the compiler did not perform any value-distorting operations on the register with the returned value between writing it into the pointer variable and returning from your function; on Mac, it did. Hence the difference in the results that you see: in the first case, the left-over value in the return register happened to co-inside with the value that you wanted to return anyway.

score 1 · Answer 5 · answered Mar 11 '12 at 09:24

As Kerrek SB mentioned, your code has ventured into the realm of undefined behavior.

Basically, your code is going to compile down to assembly. In assembly, there's no concept of a function requiring a return type, there's just an expectation. I'm the most comfortable with MIPS, so I shall use MIPS to illustrate.

Assume you have the following code:

int add(x, y)
{
    return x + y;
}

This is going to be translated to something like:

add:
    add $v0, $a0, $a1 #add $a0 and $a1 and store it in $v0
    jr $ra #jump back to where ever this code was jumped to from

To add 5 and 4, the code would be called something like:

addi $a0, $0, 5 # 5 is the first param
addi $a1, $0, 4 # 4 is the second param
jal add
# $v0 now contains 9

Note that unlike C, there's no explicit requirement that $v0 contain the return value, just an expectation. So, what happens if you don't actually push anything into $v0? Well, $v0 always has some value, so the value will be whatever it last was.

Note: This post makes some simplifications. Also, you're computer is likely not running MIPS... But hopefully the example holds, and if you learned assembly at a university, MIPS might be what you know anyway.

How come the missing `return` statement was not an error by compiler? — Cratylus, Mar 11 '12 at 09:29
My guess is that when C was first drafted up, they didn't want to bother with the code analysis to figure out if a function always returns or not (it can be a complex analysis in functions with loops and ifs and so on and so forth with returns in them). Then, it's probably lived on since then as never becoming an explicit error. It is a warning though, and you should typically keep warnings on. — Corbin, Mar 11 '12 at 09:31

score 0 · Answer 6 · answered Mar 11 '12 at 09:20

0

The way of returning of value from the function depends on architecture and the type of value. It could be done thru registers or thru stack. Typically in the x86 architecture the value is returned in EAX register if it is an integral type: char, int or pointer. When you don't specify the return value, that value is undefined. This is only your luck that your code sometimes worked correctly.

answered Mar 11 '12 at 09:20

Jurlie

1,014
10
27

TBH, I'm surprised that the construction of 'a' is not just optimized away entirely if it's result is not used. If asked without knowledge of the outcome, I would have guessed that the OP code would segfault/AV when trying to dereference in main(). – Martin James Mar 11 '12 at 09:27
1

It couldn't be optimized being built in debug mode. There is no surprise :-). The behaviour you describe should happen in release mode, with optimizations turned on. – Jurlie Mar 11 '12 at 09:31

Bojan Komazec · Answer 7 · 2012-03-11T10:10:25.900

Regarding the following statement from n3242 draft C++ Standard, paragraph 6.6.3.2, your example yields undefined behavior:

Flowing off the end of a function is equivalent to a return with no value; this results in undefined behavior in a value-returning function.

The best way to see what actually happens is to check the assembly code generated by the given compiler on a given architecture. For the following code:

#pragma warning(default:4716)
int foo(int a, int b)
{
    int c = a + b;
}

int main()
{
    int n = foo(1, 2);
}

...VS2010 compiler (in Debug mode, on Intel 32-bit machine) generates the following assembly:

#pragma warning(default:4716)
int foo(int a, int b)
{
011C1490  push        ebp  
011C1491  mov         ebp,esp  
011C1493  sub         esp,0CCh  
011C1499  push        ebx  
011C149A  push        esi  
011C149B  push        edi  
011C149C  lea         edi,[ebp-0CCh]  
011C14A2  mov         ecx,33h  
011C14A7  mov         eax,0CCCCCCCCh  
011C14AC  rep stos    dword ptr es:[edi]  
    int c = a + b;
011C14AE  mov         eax,dword ptr [a]  
011C14B1  add         eax,dword ptr [b]  
011C14B4  mov         dword ptr [c],eax  
}
...
int main()
{
011C14D0  push        ebp  
011C14D1  mov         ebp,esp  
011C14D3  sub         esp,0CCh  
011C14D9  push        ebx  
011C14DA  push        esi  
011C14DB  push        edi  
011C14DC  lea         edi,[ebp-0CCh]  
011C14E2  mov         ecx,33h  
011C14E7  mov         eax,0CCCCCCCCh  
011C14EC  rep stos    dword ptr es:[edi]  
    int n = foo(1, 2);
011C14EE  push        2  
011C14F0  push        1  
011C14F2  call        foo (11C1122h)  
011C14F7  add         esp,8  
011C14FA  mov         dword ptr [n],eax  
}

The result of addition operation in foo() is stored in eax register (accumulator) and its content is used as a return value of the function, moved to variable n.

eax is used to store a return value (pointer) in the following example as well:

#pragma warning(default:4716)
int* foo(int a)
{
    int* p = new int(a);
}

int main()
{
    int* pn = foo(1);

    if(pn)
    {
        int n = *pn;
        delete pn;
    }
}

Assembly code:

#pragma warning(default:4716)
int* foo(int a)
{
000C1520  push        ebp  
000C1521  mov         ebp,esp  
000C1523  sub         esp,0DCh  
000C1529  push        ebx  
000C152A  push        esi  
000C152B  push        edi  
000C152C  lea         edi,[ebp-0DCh]  
000C1532  mov         ecx,37h  
000C1537  mov         eax,0CCCCCCCCh  
000C153C  rep stos    dword ptr es:[edi]  
    int* p = new int(a);
000C153E  push        4  
000C1540  call        operator new (0C1253h)  
000C1545  add         esp,4  
000C1548  mov         dword ptr [ebp-0D4h],eax  
000C154E  cmp         dword ptr [ebp-0D4h],0  
000C1555  je          foo+50h (0C1570h)  
000C1557  mov         eax,dword ptr [ebp-0D4h]  
000C155D  mov         ecx,dword ptr [a]  
000C1560  mov         dword ptr [eax],ecx  
000C1562  mov         edx,dword ptr [ebp-0D4h]  
000C1568  mov         dword ptr [ebp-0DCh],edx  
000C156E  jmp         foo+5Ah (0C157Ah)  
std::operator<<<std::char_traits<char> >:
000C1570  mov         dword ptr [ebp-0DCh],0  
000C157A  mov         eax,dword ptr [ebp-0DCh]  
000C1580  mov         dword ptr [p],eax  
}
...
int main()
{
000C1610  push        ebp  
000C1611  mov         ebp,esp  
000C1613  sub         esp,0E4h  
000C1619  push        ebx  
000C161A  push        esi  
000C161B  push        edi  
000C161C  lea         edi,[ebp-0E4h]  
000C1622  mov         ecx,39h  
000C1627  mov         eax,0CCCCCCCCh  
000C162C  rep stos    dword ptr es:[edi]  
    int* pn = foo(1);
000C162E  push        1  
000C1630  call        foo (0C124Eh)  
000C1635  add         esp,4  
000C1638  mov         dword ptr [pn],eax  

    if(pn)
000C163B  cmp         dword ptr [pn],0  
000C163F  je          main+51h (0C1661h)  
    {
        int n = *pn;
000C1641  mov         eax,dword ptr [pn]  
000C1644  mov         ecx,dword ptr [eax]  
000C1646  mov         dword ptr [n],ecx  
        delete pn;
000C1649  mov         eax,dword ptr [pn]  
000C164C  mov         dword ptr [ebp-0E0h],eax  
000C1652  mov         ecx,dword ptr [ebp-0E0h]  
000C1658  push        ecx  
000C1659  call        operator delete (0C1249h)  
000C165E  add         esp,4  
    }
}

VS2010 compiler issues warning 4716 in both examples. By default this warning is promoted to an error.

score 0 · Answer 8 · answered Mar 11 '12 at 09:29

When popping values from the stack in IBM PC architecture there is no physical destruction of the old values of data stored there. They just become unavailable through the operation of the stack, but still remain in the same memory cell.

Of course, the previous values of these data will be destroyed during the subsequent pushing of new data on the stack.

So probably you are just lucky enough, and nothing is added to stack during your function's call and return surrounding code.

How does returning values from a function work?

8 Answers8

Linked