Can a local variable s memory be accessed outside its scope

Question

I have the following code    include  lt iostream gt   int   foo         int a   5      return  amp a     int main         int  p   foo        std  cout  lt  lt   p       p   8      std  cout  lt  lt   p      And the code is just running with no runtime exceptions   The output was 58  How can it be  Isn t the memory of a local variable inaccessible outside its function

User · Answer

This behavior is undefined  as Alex pointed out--in fact  most compilers will warn against doing this  because it s an easy way to get crashes   For an example of the kind of spooky behavior you are likely to get  try this sample   int  a        int x   5     return  amp x     void b  int  c        int y   29      c   123     cout  lt  lt   y    lt  lt  y  lt  lt  endl     int main        b  a         return 0      This prints out  y 123   but your results may vary  really    Your pointer is clobbering other  unrelated local variables

User · Answer

Your code is very risky  You are creating a local variable  wich is considered destroyed after function ends  and you return the address of memory of that variable after it is destoyed   That means the memory address could be valid or not  and your code will be vulnerable to possible memory address issues  for example segmentation fault    This means that you are doing a very bad thing  becouse you are passing a memory address to a pointer wich is not trustable at all    Consider this example  instead  and test it   int   foo        int  x   new int      x   5     return x     int main         int  p   foo        std  cout  lt  lt   p  lt  lt    n     better to put a new-line in the output  IMO      p   8      std  cout  lt  lt   p      delete p      return 0      Unlike your example  with this example you are    allocating memory for int into a local function that memory address is still valid also when function expires   it is not deleted by anyone  the memory address is trustable  that memory block is not considered free  so it will be not overridden until it is deleted  the memory address should be deleted when not used   see the delete at the end of the program

User · Answer

It works because the stack has not been altered  yet  since a was put there   Call a few other functions  which are also calling other functions  before accessing a again and you will probably not be so lucky anymore     -

User · Answer

The things with correct     console output can change dramatically if you use   printf but not cout   You can play around with debugger within below code  tested on x86  32-bit  MSVisual Studio    char  foo        char buf 10       strcpy buf   TEST        return buf     int main        char  s   foo         place breakpoint  amp  check  s  varialbe here     printf   s n   s

User · Answer

In typical compiler implementations  you can think of the code as  print out the value of the memory block with adress that used to be occupied by a   Also  if you add a new function invocation to a function that constains a local int it s a good chance that the value of a  or the memory address that a used to point to  changes  This happens because the stack will be overwritten with a new frame containing different data   However  this is undefined behaviour and you should not rely on it to work

User · Answer

It s  Dirty  way of using memory addresses  When you return an address  pointer  you don t know whether it belongs to local scope of a function  It s just an address  Now that you invoked the  foo  function  that address  memory location  of  a  was already allocated there in the  safely  for now at least  addressable memory of your application  process   After the  foo  function returned  the address of  a  can be considered  dirty  but it s there  not cleaned up  nor disturbed modified by expressions in other part of program  in this specific case at least   A C C   compiler doesn t stop you from such  dirty  access  might warn you though  if you care   You can safely use  update  any memory location that is in the data segment of your program instance  process  unless you protect the address by some means

User · Answer

You are just returning a memory address  it s allowed but probably an error     Yes if you try to dereference that memory address you will have undefined behavior   int   ref        int tmp   100   return  amp tmp     int main        int   a   ref       Up until this point there is defined results    You can even print the address returned     but yes probably a bug   cout  lt  lt   a  lt  lt  endl   Undefined results

User · Answer

After returning from a function  all identifiers are destroyed instead of kept values in a memory location and we can not locate the values without having an identifier But that location still contains the value stored by previous function   So  here function foo   is returning the address of a and a is destroyed after returning its address  And you can access the modified value through that returned address   Let me take a real world example   Suppose a man hides money at a location and tells you the location  After some time  the man who had told you the money location dies  But still you have the access of that hidden money

User · Answer

How can it be  Isn t the memory of a local variable inaccessible outside its function    You rent a hotel room  You put a book in the top drawer of the bedside table and go to sleep   You check out the next morning  but  forget  to give back your key  You steal the key   A week later  you return to the hotel  do not check in  sneak into your old room with your stolen key  and look in the drawer  Your book is still there  Astonishing   How can that be  Aren t the contents of a hotel room drawer inaccessible if you haven t rented the room   Well  obviously that scenario can happen in the real world no problem  There is no mysterious force that causes your book to disappear when you are no longer authorized to be in the room  Nor is there a mysterious force that prevents you from entering a room with a stolen key   The hotel management is not required to remove your book  You didn t make a contract with them that said that if you leave stuff behind  they ll shred it for you  If you illegally re-enter your room with a stolen key to get it back  the hotel security staff is not required to catch you sneaking in  You didn t make a contract with them that said  if I try to sneak back into my room later  you are required to stop me   Rather  you signed a contract with them that said  I promise not to sneak back into my room later   a contract which you broke   In this situation anything can happen  The book can be there -- you got lucky  Someone else s book can be there and yours could be in the hotel s furnace  Someone could be there right when you come in  tearing your book to pieces  The hotel could have removed the table and book entirely and replaced it with a wardrobe  The entire hotel could be just about to be torn down and replaced with a football stadium  and you are going to die in an explosion while you are sneaking around    You don t know what is going to happen  when you checked out of the hotel and stole a key to illegally use later  you gave up the right to live in a predictable  safe world because you chose to break the rules of the system   C   is not a safe language  It will cheerfully allow you to break the rules of the system  If you try to do something illegal and foolish like going back into a room you re not authorized to be in and rummaging through a desk that might not even be there anymore  C   is not going to stop you  Safer languages than C   solve this problem by restricting your power -- by having much stricter control over keys  for example   UPDATE  Holy goodness  this answer is getting a lot of attention   I m not sure why -- I considered it to be just a  fun  little analogy  but whatever    I thought it might be germane to update this a bit with a few more technical thoughts   Compilers are in the business of generating code which manages the storage of the data manipulated by that program  There are lots of different ways of generating code to manage memory  but over time two basic techniques have become entrenched    The first is to have some sort of  long lived  storage area where the  lifetime  of each byte in the storage -- that is  the period of time when it is validly associated with some program variable -- cannot be easily predicted ahead of time  The compiler generates calls into a  heap manager  that knows how to dynamically allocate storage when it is needed and reclaim it when it is no longer needed   The second method is to have a    short-lived    storage area where the lifetime of each byte is well known  Here  the lifetimes follow a    nesting    pattern  The longest-lived of these short-lived variables will be allocated before any other short-lived variables  and will be freed last  Shorter-lived variables will be allocated after the longest-lived ones  and will be freed before them  The lifetime of these shorter-lived variables is    nested    within the lifetime of longer-lived ones   Local variables follow the latter pattern  when a method is entered  its local variables come alive  When that method calls another method  the new method s local variables come alive  They ll be dead before the first method s local variables are dead   The relative order of the beginnings and endings of lifetimes of storages associated with local variables can be worked out ahead of time   For this reason  local variables are usually generated as storage on a  stack  data structure  because a stack has the property that the first thing pushed on it is going to be the last thing popped off    It s like the hotel decides to only rent out rooms sequentially  and you can t check out until everyone with a room number higher than you has checked out    So let s think about the stack  In many operating systems you get one stack per thread and the stack is allocated to be a certain fixed size  When you call a method  stuff is pushed onto the stack  If you then pass a pointer to the stack back out of your method  as the original poster does here  that s just a pointer to the middle of some entirely valid million-byte memory block  In our analogy  you check out of the hotel  when you do  you just checked out of the highest-numbered occupied room   If no one else checks in after you  and you go back to your room illegally  all your stuff is guaranteed to still be there in this particular hotel   We use stacks for temporary stores because they are really cheap and easy  An implementation of C   is not required to use a stack for storage of locals  it could use the heap  It doesn t  because that would make the program slower    An implementation of C   is not required to leave the garbage you left on the stack untouched so that you can come back for it later illegally  it is perfectly legal for the compiler to generate code that turns back to zero everything in the  room  that you just vacated  It doesn t because again  that would be expensive   An implementation of C   is not required to ensure that when the stack logically shrinks  the addresses that used to be valid are still mapped into memory  The implementation is allowed to tell the operating system  we re done using this page of stack now  Until I say otherwise  issue an exception that destroys the process if anyone touches the previously-valid stack page    Again  implementations do not actually do that because it is slow and unnecessary   Instead  implementations let you make mistakes and get away with it  Most of the time  Until one day something truly awful goes wrong and the process explodes   This is problematic  There are a lot of rules and it is very easy to break them accidentally  I certainly have many times  And worse  the problem often only surfaces when memory is detected to be corrupt billions of nanoseconds after the corruption happened  when it is very hard to figure out who messed it up   More memory-safe languages solve this problem by restricting your power  In  normal  C  there simply is no way to take the address of a local and return it or store it for later  You can take the address of a local  but the language is cleverly designed so that it is impossible to use it after the lifetime of the local ends  In order to take the address of a local and pass it back  you have to put the compiler in a special  unsafe  mode  and put the word  unsafe  in your program  to call attention to the fact that you are probably doing something dangerous that could be breaking the rules    For further reading    What if C  did allow returning references  Coincidentally that is the subject of today s blog post   https   ericlippert com 2011 06 23 ref-returns-and-ref-locals  Why do we use stacks to manage memory  Are value types in C  always stored on the stack  How does virtual memory work  And many more topics in how the C  memory manager works  Many of these articles are also germane to C   programmers   https   ericlippert com tag memory-management

User · Answer

It can  because a is a variable allocated temporarily for the lifetime of its scope  foo function   After you return from foo the memory is free and can be overwritten   What you re doing is described as undefined behavior  The result cannot be predicted

User · Answer

You never throw a C   exception by accessing invalid memory  You are just giving an example of the general idea of referencing an arbitrary memory location  I could do the same like this   unsigned int q   123456     double   q    1 2    Here I am simply treating 123456 as the address of a double and write to it  Any number of things could happen     q might in fact genuinely be a valid address of a double  e g  double p  q    amp p    q might point somewhere inside allocated memory and I just overwrite 8 bytes in there   q points outside allocated memory and the operating system s memory manager sends a segmentation fault signal to my program  causing the runtime to terminate it   You win the lottery    The way you set it up it is a bit more reasonable that the returned address points into a valid area of memory  as it will probably just be a little further down the stack  but it is still an invalid location that you cannot access in a deterministic fashion   Nobody will automatically check the semantic validity of memory addresses like that for you during normal program execution  However  a memory debugger such as valgrind will happily do this  so you should run your program through it and witness the errors

User · Answer

In C    you can access any address  but it doesn t mean you should  The address you are accessing is no longer valid  It works because nothing else scrambled the memory after foo returned  but it could crash under many circumstances  Try analyzing your program with Valgrind  or even just compiling it optimized  and see

User · Answer

You actually invoked undefined behaviour   Returning the address of a temporary works  but as temporaries are destroyed at the end of a function the results of accessing them will be undefined   So you did not modify a but rather the memory location where a once was  This difference is very similar to the difference between crashing and not crashing

User · Answer

That s classic undefined behaviour that s been discussed here not two days ago -- search around the site for a bit  In a nutshell  you were lucky  but anything could have happened and your code is making invalid access to memory

User · Answer

A little addition to all the answers   if you do something like that    include lt stdio h gt   include  lt stdlib h gt  int   foo        int a   5      return  amp a    void boo        int a   7     int main        int   p   foo        boo        printf   d n   p       the output probably will be  7  That is because after returning from foo   the stack is freed and then reused by boo    If you deassemble the executable you will see it clearly

User · Answer

Did you compile your program with the optimiser enabled  The foo   function is quite simple and might have been inlined or replaced in the resulting code   But I agree with Mark B that the resulting behavior is undefined

User · Answer

Your problem has nothing to do with scope  In the code you show  the function main does not see the names in the function foo  so you can t access a in foo directly with this name outside foo   The problem you are having is why the program doesn t signal an error when referencing illegal memory  This is because C   standards does not specify a very clear boundary between illegal memory and legal memory  Referencing something in popped out stack sometimes causes error and sometimes not  It depends  Don t count on this behavior  Assume it will always result in error when you program  but assume it will never signal error when you debug

User · Answer

Because the storage space wasn t stomped on just yet  Don t count on that behavior

User · Answer

What you re doing here is simply reading and writing to memory that used to be the address of a  Now that you re outside of foo  it s just a pointer to some random memory area  It just so happens that in your example  that memory area does exist and nothing else is using it at the moment  You don t break anything by continuing to use it  and nothing else has overwritten it yet  Therefore  the 5 is still there  In a real program  that memory would be re-used almost immediately and you d break something by doing this  though the symptoms may not appear until much later    When you return from foo  you tell the OS that you re no longer using that memory and it can be reassigned to something else  If you re lucky and it never does get reassigned  and the OS doesn t catch you using it again  then you ll get away with the lie  Chances are though you ll end up writing over whatever else ends up with that address   Now if you re wondering why the compiler doesn t complain  it s probably because foo got eliminated by optimization  It usually will warn you about this sort of thing  C assumes you know what you re doing though  and technically you haven t violated scope here  there s no reference to a itself outside of foo   only memory access rules  which only triggers a warning rather than an error   In short  this won t usually work  but sometimes will by chance

User · Answer

Pay attention to  all warnings   Do not only solve errors  GCC shows this Warning      warning  address of local variable  a  returned    This is  power of C    You should care about memory  With the -Werror flag  this warning becames an error and now you have to debug it

[c++] Can a local variable's memory be accessed outside its scope?

Examples related to c++

Examples related to memory-management

Examples related to local-variables

Examples related to dangling-pointer