Running this code
#include <stdlib.h>
#include <stdio.h>
char* f() {
char s[] = "Hello, world!";
return s;
}
int main() {
printf("%s", f());
return 0;
}
prints (null). This makes sense to me: The char array is valid only in the scope of f, so the pointer returned is not valid. However, if I create a struct containing the pointer to the array
#include <stdlib.h>
#include <stdio.h>
typedef struct word {
char* str;
} word;
word f() {
char str[] = "Hello, world!";
return (word) { str };
}
int main() {
printf("%s", f().str);
return 0;
}
this will now "work", i. e. it will print Hello, world!.
Now I am wondering why it does; shouldn’t the pointer here be invalid too, because the array it points to was created in f and is thus not valid anymore? Or is this just undefined behavior and I got "lucky" that nothing else was pushed onto the stack at that location? Or is there a mistake in my reasoning (I am rather new to C).
I haven’t been able to find information on this specific behavior, only for structs containing arrays of constant size. I have tested this using gcc version 9.4.0 (which uses gnu11 "standard" as default). I would appreciate if anyone could point me to the explanation of this behavior.
>Solution :
Or is this just undefined behavior and I got "lucky" that nothing else was pushed onto the stack at that location?
That is correct. The line
printf("%s", f().str);
will invoke undefined behavior by dereferencing a dangling pointer. This means that anything may happen; your program may crash or it may appear to work as intended.
The compiler clang is actually able to detect this error at run-time, if you compile with -fsanitize=address. Here is an online demonstration.
For further explanation, you may want to read this answer to a similar C++ question, which contains an interesting analogy. Most of the information in the answer also applies to C.