Pointer vs array in C, non-trivial difference

Question

I thought I really understood this, and re-reading the standard (ISO 9899:1990) just confirms my obviously wrong understanding, so now I ask here.

The following program crashes:

#include <stdio.h>
#include <stddef.h>

typedef struct {
    int array[3];
} type1_t;

typedef struct {
    int *ptr;
} type2_t;

type1_t my_test = { {1, 2, 3} };

int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    type1_t *type1_p =             &my_test;
    type2_t *type2_p = (type2_t *) &my_test;

    printf("offsetof(type1_t, array) = %lu\n", offsetof(type1_t, array)); // 0
    printf("my_test.array[0]  = %d\n", my_test.array[0]);
    printf("type1_p->array[0] = %d\n", type1_p->array[0]);
    printf("type2_p->ptr[0]   = %d\n", type2_p->ptr[0]);  // this line crashes

    return 0;
}

Comparing the expressions my_test.array[0] and type2_p->ptr[0] according to my interpretation of the standard:

6.3.2.1 Array subscripting

"The definition of the subscript operator [] is that E1[E2] is identical to (*((E1)+(E2)))."

Applying this gives:

my_test.array[0]
(*((E1)+(E2)))
(*((my_test.array)+(0)))
(*(my_test.array+0))
(*(my_test.array))
(*my_test.array)
*my_test.array

type2_p->ptr[0]
*((E1)+(E2)))
(*((type2_p->ptr)+(0)))
(*(type2_p->ptr+0))
(*(type2_p->ptr))
(*type2_p->ptr)
*type2_p->ptr

type2_p->ptr has type "pointer to int" and the value is the start address of my_test. *type2_p->ptr therefore evaluates to an integer object whose storage is at the same address that my_test has.

Further:

6.2.2.1 Lvalues, arrays, and function designators

"Except when it is the operand of the sizeof operator or the unary & operator, ... , an lvalue that has type array of type is converted to an expression with type pointer to type that points to the initial element of the array object and is not an lvalue."

my_test.array has type "array of int" and is as described above converted to "pointer to int" with the address of the first element as value. *my_test.array therefore evaluates to an integer object whose storage is at the same address that the first element in the array.

And finally

6.5.2.1 Structure and union specifiers

A pointer to a structure object, suitably converted, points to its initial member ..., and vice versa. There may be unnamed padding within a structure object, but not at its beginning, as necessary to achieve the appropriate alignment.

Since the first member of type1_t is the array, the start address of that and the whole type1_t object is the same as described above. My understanding were therefore that *type2_p->ptr evaluates to an integer whose storage is at the same address that the first element in the array and thus is identical to *my_test.array.

But this cannot be the case, because the program crashes consistently on solaris, cygwin and linux with gcc versions 2.95.3, 3.4.4 and 4.3.2, so any environmental issue is completely out of the question.

Where is my reasoning wrong/what do I not understand? How do I declare type2_t to make ptr point to the first member of the array?

Answer 1

Please forgive me if i overlook anything in your analysis. But i think the fundamental bug in all that is this wrong assumption

type2_p->ptr has type "pointer to int" and the value is the start address of my_test.

There is nothing that makes it have that value. Rather, it is very probably that it points somewhere to

0x00000001

Because what you do is to interpret the bytes making up that integer array as a pointer. Then you add something to it and subscript.

Also, i highly doubt your casting to the other struct is actually valid (as in, guaranteed to work). You may cast and then read a common initial sequence of either struct if both of them are members of an union. But they are not in your example. You also may cast to a pointer to the first member. For example:

typedef struct {
    int array[3];
} type1_t;

type1_t f = { { 1, 2, 3 } };

int main(void) {
    int (*arrayp)[3] = (int(*)[3])&f;
    (*arrayp)[0] = 3;
    assert(f.array[0] == 3);
    return 0;
}