动态分配的内存上的指针算法具有未定义的行为

Question

I'm probably misunderstanding this, but does the c99 spec prevent any form of pointer arithmetic on dynamically allocated memory?

From 6.5.6p7...

For the purposes of these operators, a pointer to an object that is not an element of an array behaves the same as a pointer to the first element of an array of length one with the type of the object as its element type.

... a pointer to an object not in an array is treated as if it points into an array of 1 item (when using the operators + and -). Then in this snippet:

char *make_array (void) {
    char *p = malloc(2*sizeof(*p));
    p[0] = 1; // valid
    p[1] = 2; // invalid ?
    return p;
}

...the second subscript p[1] is invalid? Since p points to an object not in an array it is treated as pointing to an object in an array of one item and then from 6.5.6p8...

When an expression that has integer type is added to or subtracted from a pointer, the result has the type of the pointer operand. If the pointer operand points to an element of an array object, and the array is large enough, the result points to an element offset from the original element such that the difference of the subscripts of the resulting and original array elements equals the integer expression. In other words, if the expression P points to the i-th element of an array object, the expressions (P)+N (equivalently, N+(P)) and (P)-N (where N has the value n) point to, respectively, the i+n-th and i−n-th elements of the array object, provided they exist. Moreover, if the expression P points to the last element of an array object, the expression (P)+1 points one past the last element of the array object, and if the expression Q points one past the last element of an array object, the expression (Q)-1 points to the last element of the array object. If both the pointer operand and the result point to elements of the same array object, or one past the last element of the array object, the evaluation shall not produce an overflow; otherwise, the behavior is undefined. If the result points one past the last element of the array object, it shall not be used as the operand of a unary * operator that is evaluated.

...we have undefined behaviour since we dereference past the array bound (the one implied to have length 1).

Edit:

OK, to try to clarify more what confuses me, let's do it step-by-step:

1.) p[1] is defined to mean *(p+1) .
2.) p points to an object that isn't inside of an array, so it's treated as if it points to an object inside an array of length 1 for the purpose of evalutating p+1 .
3.) p+1 produces a pointer 1 past the array that p is implied to point into.
4.) *(p+1) does the invalid dereference.

Answer 1

From C99, 7.20.3 - Memory management functions (emphasis mine) :

The pointer returned if the allocation succeeds is suitably aligned so that it may be assigned to a pointer to any type of object and then used to access such an object or an array of such objects in the space allocated (until the space is explicitly deallocated).

This implies that the allocated memory can be accessed as an array of char (as per your example), and so pointer arithmetic is well defined.