Type punning

Last updated

In computer science, a type punning is any programming technique that subverts or circumvents the type system of a programming language in order to achieve an effect that would be difficult or impossible to achieve within the bounds of the formal language.

Contents

In C and C++, constructs such as pointer type conversion and union — C++ adds reference type conversion and reinterpret_cast to this list — are provided in order to permit many kinds of type punning, although some kinds are not actually supported by the standard language.

In the Pascal programming language, the use of records with variants may be used to treat a particular data type in more than one manner, or in a manner not normally permitted.

Sockets example

One classic example of type punning is found in the Berkeley sockets interface. The function to bind an opened but uninitialized socket to an IP address is declared as follows:

intbind(intsockfd,structsockaddr*my_addr,socklen_taddrlen);

The bind function is usually called as follows:

structsockaddr_insa={0};intsockfd=...;sa.sin_family=AF_INET;sa.sin_port=htons(port);bind(sockfd,(structsockaddr*)&sa,sizeofsa);

The Berkeley sockets library fundamentally relies on the fact that in C, a pointer to struct sockaddr_in is freely convertible to a pointer to struct sockaddr; and, in addition, that the two structure types share the same memory layout. Therefore, a reference to the structure field my_addr->sin_family (where my_addr is of type struct sockaddr*) will actually refer to the field sa.sin_family (where sa is of type struct sockaddr_in). In other words, the sockets library uses type punning to implement a rudimentary form of polymorphism or inheritance.

Often seen in the programming world is the use of "padded" data structures to allow for the storage of different kinds of values in what is effectively the same storage space. This is often seen when two structures are used in mutual exclusivity for optimization.

Floating-point example

Not all examples of type punning involve structures, as the previous example did. Suppose we want to determine whether a floating-point number is negative. We could write:

boolis_negative(floatx){returnx<0.0;}

However, supposing that floating-point comparisons are expensive, and also supposing that float is represented according to the IEEE floating-point standard, and integers are 32 bits wide, we could engage in type punning to extract the sign bit of the floating-point number using only integer operations:

boolis_negative(floatx){int*i=(int*)&x;return*i<0;}

Note that the behaviour will not be exactly the same: in the special case of x being negative zero, the first implementation yields false while the second yields true. Also, the first implementation will return false for any NaN value, but the latter might return true for NaN values with the sign bit set.

This kind of type punning is more dangerous than most. Whereas the former example relied only on guarantees made by the C programming language about structure layout and pointer convertibility, the latter example relies on assumptions about a particular system's hardware. Some situations, such as time-critical code that the compiler otherwise fails to optimize, may require dangerous code. In these cases, documenting all such assumptions in comments, and introducing static assertions to verify portability expectations, helps to keep the code maintainable.

Practical examples of floating-point punning include fast inverse square root popularized by Quake III, fast FP comparison as integers, [1] and finding neighboring values by incrementing as an integer (implementing nextafter). [2]

By language

C and C++

In addition to the assumption about bit-representation of floating-point numbers, the above floating-point type-punning example also violates the C language's constraints on how objects are accessed: [3] the declared type of x is float but it is read through an expression of type unsigned int. On many common platforms, this use of pointer punning can create problems if different pointers are aligned in machine-specific ways. Furthermore, pointers of different sizes can alias accesses to the same memory, causing problems that are unchecked by the compiler. Even when data size and pointer representation match, however, compilers can rely on the non-aliasing constraints to perform optimizations that would be unsafe in the presence of disallowed aliasing.

Use of pointers

A naive attempt at type-punning can be achieved by using pointers: (The following running example assumes IEEE-754 bit-representation for type float.)

boolis_negative(floatx){int32_ti=*(int32_t*)&x;// In C++ this is equivalent to: int32_t i = *reinterpret_cast<int32_t*>(&x);returni<0;}


The C standard's aliasing rules state that an object shall have its stored value accessed only by an lvalue expression of a compatible type. [4] The types float and int32_t are not compatible, therefore this code's behavior is undefined. Although on GCC and LLVM this particular program compiles and runs as expected, more complicated examples may interact with assumptions made by strict aliasing and lead to unwanted behavior. The option -fno-strict-aliasing will ensure correct behavior of code using this form of type-punning, although using other forms of type punning is recommended. [5]

Use of union

In C, but not in C++, it is sometimes possible to perform type punning via a union.

boolis_negative(floatx){union{inti;floatd;}my_union;my_union.d=x;returnmy_union.i<0;}

Accessing my_union.i after most recently writing to the other member, my_union.d, is an allowed form of type-punning in C, [6] provided that the member read is not larger than the one whose value was set (otherwise the read has unspecified behavior [7] ). The same is syntactically valid but has undefined behavior in C++, [8] however, where only the last-written member of a union is considered to have any value at all.

For another example of type punning, see Stride of an array.

Use of bit_cast

In C++20, the std::bit_cast operator allows type punning with no undefined behavior. It also allows the function be labeled constexpr.

constexprboolis_negative(floatx)noexcept{static_assert(std::numeric_limits<float>::is_iec559);// (enable only on IEEE 754)autoi=std::bit_cast<std::int32_t>(x);returni<0;}

Pascal

A variant record permits treating a data type as multiple kinds of data depending on which variant is being referenced. In the following example, integer is presumed to be 16 bit, while longint and real are presumed to be 32, while character is presumed to be 8 bit:

typeVariantRecord=recordcaseRecType:LongIntof1:(I:array[1..2]ofInteger);(* not show here: there can be several variables in a variant record's case statement *)2:(L:LongInt);3:(R:Real);4:(C:array[1..4]ofChar);end;varV:VariantRecord;K:Integer;LA:LongInt;RA:Real;Ch:Character;V.I[1]:=1;Ch:=V.C[1];(* this would extract the first byte of V.I *)V.R:=8.3;LA:=V.L;(* this would store a Real into an Integer *)

In Pascal, copying a real to an integer converts it to the truncated value. This method would translate the binary value of the floating-point number into whatever it is as a long integer (32 bit), which will not be the same and may be incompatible with the long integer value on some systems.

These examples could be used to create strange conversions, although, in some cases, there may be legitimate uses for these types of constructs, such as for determining locations of particular pieces of data. In the following example a pointer and a longint are both presumed to be 32 bit:

typePA=^Arec;Arec=recordcaseRT:LongIntof1:(P:PA);2:(L:LongInt);end;varPP:PA;K:LongInt;New(PP);PP^.P:=PP;WriteLn('Variable PP is located at address ',Hex(PP^.L));

Where "new" is the standard routine in Pascal for allocating memory for a pointer, and "hex" is presumably a routine to print the hexadecimal string describing the value of an integer. This would allow the display of the address of a pointer, something which is not normally permitted. (Pointers cannot be read or written, only assigned.) Assigning a value to an integer variant of a pointer would allow examining or writing to any location in system memory:

PP^.L:=0;PP:=PP^.P;(* PP now points to address 0     *)K:=PP^.L;(* K contains the value of word 0 *)WriteLn('Word 0 of this machine contains ',K);

This construct may cause a program check or protection violation if address 0 is protected against reading on the machine the program is running upon or the operating system it is running under.

The reinterpret cast technique from C/C++ also works in Pascal. This can be useful, when eg. reading dwords from a byte stream, and we want to treat them as float. Here is a working example, where we reinterpret-cast a dword to a float:

typepReal=^Real;varDW:DWord;F:Real;F:=pReal(@DW)^;

C#

In C# (and other .NET languages), type punning is a little harder to achieve because of the type system, but can be done nonetheless, using pointers or struct unions.

Pointers

C# only allows pointers to so-called native types, i.e. any primitive type (except string), enum, array or struct that is composed only of other native types. Note that pointers are only allowed in code blocks marked 'unsafe'.

floatpi=3.14159;uintpiAsRawData=*(uint*)&pi;

Struct unions

Struct unions are allowed without any notion of 'unsafe' code, but they do require the definition of a new type.

[StructLayout(LayoutKind.Explicit)]structFloatAndUIntUnion{[FieldOffset(0)]publicfloatDataAsFloat;[FieldOffset(0)]publicuintDataAsUInt;}// ...FloatAndUIntUnionunion;union.DataAsFloat=3.14159;uintpiAsRawData=union.DataAsUInt;

Raw CIL code

Raw CIL can be used instead of C#, because it doesn't have most of the type limitations. This allows one to, for example, combine two enum values of a generic type:

TEnuma=...;TEnumb=...;TEnumcombined=a|b;// illegal

This can be circumvented by the following CIL code:

.methodpublicstatichidebysig!!TEnumCombineEnums<valuetype.ctor([mscorlib]System.ValueType)TEnum>(!!TEnuma,!!TEnumb)cilmanaged{.maxstack2ldarg.0ldarg.1or// this will not cause an overflow, because a and b have the same type, and therefore the same size.ret}

The cpblk CIL opcode allows for some other tricks, such as converting a struct to a byte array:

.methodpublicstatichidebysiguint8[]ToByteArray<valuetype.ctor([mscorlib]System.ValueType)T>(!!T&v// 'ref T' in C#)cilmanaged{.localsinit([0]uint8[]).maxstack3// create a new byte array with length sizeof(T) and store it in local 0sizeof!!Tnewarruint8dup// keep a copy on the stack for later (1)stloc.0ldc.i4.0ldelemauint8// memcpy(local 0, &v, sizeof(T));// <the array is still on the stack, see (1)>ldarg.0// this is the *address* of 'v', because its type is '!!T&'sizeof!!Tcpblkldloc.0ret}

Related Research Articles

C is a general-purpose computer programming language. It was created in the 1970s by Dennis Ritchie, and remains very widely used and influential. By design, C's features cleanly reflect the capabilities of the targeted CPUs. It has found lasting use in operating systems, device drivers, and protocol stacks, but its use in application software has been decreasing. C is commonly used on computer architectures that range from the largest supercomputers to the smallest microcontrollers and embedded systems.

<span class="mw-page-title-main">Data type</span> Attribute of data

In computer science and computer programming, a data type is a collection or grouping of data values, usually specified by a set of possible values, a set of allowed operations on these values, and/or a representation of these values as machine types. A data type specification in a program constrains the possible values that an expression, such as a variable or a function call, might take. On literal data, it tells the compiler or interpreter how the programmer intends to use the data. Most programming languages support basic data types of integer numbers, floating-point numbers, characters and Booleans.

In computer science, primitive data types are a set of basic data types from which all other data types are constructed. Specifically it often refers to the limited set of data representations in use by a particular processor, which all compiled programs must use. Most processors support a similar set of primitive data types, although the specific representations vary. More generally, "primitive data types" may refer to the standard data types built into a programming language. Data types which are not primitive are referred to as derived or composite.

<span class="mw-page-title-main">C syntax</span> Set of rules defining correctly structured programs

The syntax of the C programming language is the set of rules governing writing of software in C. It is designed to allow for programs that are extremely terse, have a close relationship with the resulting object code, and yet provide relatively high-level data abstraction. C was the first widely successful high-level language for portable operating-system development.

<span class="mw-page-title-main">Pointer (computer programming)</span> Object which stores memory addresses in a computer program

In computer science, a pointer is an object in many programming languages that stores a memory address. This can be that of another value located in computer memory, or in some cases, that of memory-mapped computer hardware. A pointer references a location in memory, and obtaining the value stored at that location is known as dereferencing the pointer. As an analogy, a page number in a book's index could be considered a pointer to the corresponding page; dereferencing such a pointer would be done by flipping to the page with the given page number and reading the text found on that page. The actual format and content of a pointer variable is dependent on the underlying computer architecture.

In computer science, a union is a value that may have any of several representations or formats within the same position in memory; that consists of a variable that may hold such a data structure. Some programming languages support special data types, called union types, to describe such values and variables. In other words, a union type definition will specify which of a number of permitted primitive types may be stored in its instances, e.g., "float or long integer". In contrast with a record, which could be defined to contain both a float and an integer; in a union, there is only one value at any given time.

In computer science, type conversion, type casting, type coercion, and type juggling are different ways of changing an expression from one data type to another. An example would be the conversion of an integer value into a floating point value or its textual representation as a string, and vice versa. Type conversions can take advantage of certain features of type hierarchies or data representations. Two important aspects of a type conversion are whether it happens implicitly (automatically) or explicitly, and whether the underlying data representation is converted from one representation into another, or a given representation is merely reinterpreted as the representation of another data type. In general, both primitive and compound data types can be converted.

A struct in the C programming language is a composite data type declaration that defines a physically grouped list of variables under one name in a block of memory, allowing the different variables to be accessed via a single pointer or by the struct declared name which returns the same address. The struct data type can contain other data types so is used for mixed-data-type records such as a hard-drive directory entry, or other mixed-type records.

IEC 61131-3 is the third part of the international standard IEC 61131 for programmable logic controllers. It was first published in December 1993 by the IEC; the current (third) edition was published in February 2013.

The computer programming languages C and Pascal have similar times of origin, influences, and purposes. Both were used to design their own compilers early in their lifetimes. The original Pascal definition appeared in 1969 and a first compiler in 1970. The first version of C appeared in 1972.

<span class="mw-page-title-main">C data types</span> Data types supported by the C programming language

In the C programming language, data types constitute the semantics and characteristics of storage of data elements. They are expressed in the language syntax in form of declarations for memory locations or variables. Data types also determine the types of operations or methods of processing of data elements.

Data structure alignment is the way data is arranged and accessed in computer memory. It consists of three separate but related issues: data alignment, data structure padding, and packing.

typedef is a reserved keyword in the programming languages C, C++, and Objective-C. It is used to create an additional name (alias) for another data type, but does not create a new type, except in the obscure case of a qualified typedef of an array type where the typedef qualifiers are transferred to the array element type. As such, it is often used to simplify the syntax of declaring complex data structures consisting of struct and union types, although it is also commonly used to provide specific descriptive type names for integer data types of varying sizes.

In computer programming, the term hooking covers a range of techniques used to alter or augment the behaviour of an operating system, of applications, or of other software components by intercepting function calls or messages or events passed between software components. Code that handles such intercepted function calls, events or messages is called a hook.

A class in C++ is a user-defined type or data structure declared with any of the keywords class, struct or union that has data and functions as its members whose access is governed by the three access specifiers private, protected or public. By default access to members of a C++ class declared with the keyword class is private. The private members are not accessible outside the class; they can be accessed only through member functions of the class. The public members form an interface to the class and are accessible outside the class.

sizeof is a unary operator in the programming languages C and C++. It generates the storage size of an expression or a data type, measured in the number of char-sized units. Consequently, the construct sizeof (char) is guaranteed to be 1. The actual number of bits of type char is specified by the preprocessor macro CHAR_BIT, defined in the standard include file limits.h. On most modern computing platforms this is eight bits. The result of sizeof has an unsigned integer type that is usually denoted by size_t.

The C and C++ programming languages are closely related but have many significant differences. C++ began as a fork of an early, pre-standardized C, and was designed to be mostly source-and-link compatible with C compilers of the time. Due to this, development tools for the two languages are often integrated into a single product, with the programmer able to specify C or C++ as their source language.

C++11 is a version of the ISO/IEC 14882 standard for the C++ programming language. C++11 replaced the prior version of the C++ standard, called C++03, and was later replaced by C++14. The name follows the tradition of naming language versions by the publication year of the specification, though it was formerly named C++0x because it was expected to be published before 2010.

S3 is a structured, imperative high-level computer programming language. It was developed by the UK company International Computers Limited (ICL) for its 2900 Series mainframes. It is a system programming language with syntax influenced by ALGOL 68 but with data types and operators aligned to those offered by the 2900 Series. It was the implementation language of the operating system VME.

In computer programming, a variable-length array (VLA), also called variable-sized or runtime-sized, is an array data structure whose length is determined at run time . In C, the VLA is said to have a variably modified type that depends on a value.

References

  1. Herf, Michael (December 2001). "radix tricks". stereopsis : graphics.
  2. "Stupid Float Tricks". Random ASCII - tech blog of Bruce Dawson. 24 January 2012.
  3. ISO/IEC 9899:1999 s6.5/7
  4. "§ 6.5/7" (PDF), ISO/IEC 9899:2018, 2018, p. 55, archived from the original (PDF) on 2018-12-30, An object shall have its stored value accessed only by an lvalue expression that has one of the following types: [...]
  5. "GCC Bugs - GNU Project". gcc.gnu.org.
  6. "§ 6.5.2.3/3, footnote 97" (PDF), ISO/IEC 9899:2018, 2018, p. 59, archived from the original (PDF) on 2018-12-30, If the member used to read the contents of a union object is not the same as the member last used to store a value in the object, the appropriate part of the object representation of the value is reinterpreted as an object representation in the new type as described in 6.2.6 (a process sometimes called "type punning"). This might be a trap representation.
  7. "§ J.1/1, bullet 11" (PDF), ISO/IEC 9899:2018, 2018, p. 403, archived from the original (PDF) on 2018-12-30, The following are unspecified: … The values of bytes that correspond to union members other than the one last stored into (6.2.6.1).
  8. ISO/IEC 14882:2011 Section 9.5
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.