Why is returning a stack allocated pointer variable in a function allowed in C?

Question

I've read the followed post:

Is returning a heap-allocated pointer from function OK?

Which shows that a pointer pointing to a heap allocated variable is returned is alright. However, is the pointer technically a "stack allocated variable", which would then get deallocated upon returning of the function?

For example:

int* test(){
  int arr[5];
  int *ptr = arr;

  return ptr; //deallocated ptr?
}

int *test2(){
  int arr[5];

  return arr;
}

In test

Also, is it right to say arr is a pointer that points to some newly created int array arr, pointing at &arr[0]. If arr is not a pointer, why is it valid to return it satisfying the function return type?

Since both ptr and arr are supposedly stack allocated, why does the code only work in test() and not test2()? Does test() give an undefined behavior?

Answer 1

They will both be undefined behaviour, if the returned value is accessed. So, none of them are "OK".

You're trying to return a pointer to a block-scoped variable which is of auto storage duration. So, once the scope ends, the lifetime of the variable comes to an end.

Quoting C11, chapter §6.2.4/P2, regarding the lifetime (emphasis mine)

The lifetime of an object is the portion of program execution during which storage is guaranteed to be reserved for it. An object exists, has a constant address, and retains its last-stored value throughout its lifetime. If an object is referred to outside of its lifetime, the behavior is undefined [...]

Then, from P5,

An object whose identifier is declared with no linkage and without the storage-class specifier static has automatic storage duration, [...]

and

For such an object that does not have a variable length array type, its lifetime extends from entry into the block with which it is associated until execution of that block ends in any way. [...]

So, in your case, the variable arr is having automatic storage and it's lifetime is limited to the function body. Once the address is returned to caller, attempt to access the memory at that address would be UB.

Oh, and there's no "stack" or "heap" in C standard, All we have is the lifetime of a variable.

Answer 2

Both test and test2() are equivalent. They return an implementation-defined pointer that you must not dereference, or else UB ensues.

If you don't dereference the returned pointer, calling test() or test2() does not result in undefined behavior, but such a function is probably not very useful.

Answer 3

Upon entering a function a new stack frame is added to the stack. The stack frame is where all autos (non static variables declared in the function) are stored. When we leave the function the return value is placed in a register (generally R0) in the CPU and the stack pointer is then decreased to remove the stack frame. We then return control to the point where we called the function and we get the return value from the register.

So in this case you have int arr[5], as the program enters the function a new stack frame is added to the stack. In this stack frame there is memory for 5 integers in an array, the variable arr is indeed now equivalent a pointer to the first element in the array. When you return the variable arr you are returning a pointer to the data in the stack frame, when the function exits and you return back to the previous function the stack pointer is then decreased to remove the stack frame of the function you just exited.

The pointer is still pointing to that place in memory where we previously had an array allocated. So when the stack is increased the memory arr is pointing to will be over written. Changing the data the returned value points to could result in some very "exciting" stuff happening as we don't know when the memory is now used for.

Array vs pointer example:

char arr[5];
char * ptr = arr;

In this case the compiler knows the size of arr and does not know the size of ptr so we can do sizeof(arr) and the compiler will do the calculation at compile time. When it comes to run time, they are equivalent values in memory.

Answer 4

Both cases are technically the same.

In both cases, a pointer to arr is returned. While the value of the returned pointer indeed points to the memory that used to contain arr, arr is already freed from the memory.

Therefore, sometime when you access the pointer you would still find there the contents of arr, which were just happened to not overridden yet. Other times, you might access it after this memory has been overridden, and get undefined data or even segmentation fault.

Answer 5

You still seem residually confused by the pointer being an automatic variable as well, so that you are afraid that returning it would be invalid even if it pointed to some valid memory (say, a static array).

It is important to remember that in C all parameter and return value passing is done by value. If you "return a pointer" as in return p; it is exactly the same mechanism as if you "returned an integer", as in return i;: The value of the variable is copied somewhere and obtained by the caller. In the case of i that value may be 42; in the case of p the value may be 3735928559 (or in other words, 0xdeadbeef). That value denotes the place in memory where e.g. your array was residing before it ceased to exist because the function returned. The address does not change when you copy it any more than 42 changes, and is completely independent of the lifetime of the variable p which once contained it — it was, after all, copied out of it just in time.¹

---

_{¹This is beyond the scope of the question but technically conceptually, a temporary object is created for the return value. The lifetime and semantics of temporaries are more systematically categorized in modern C++.}