I was playing around with labels as values and ended up with this code.

int foo = 0;
goto *foo;

My C/C++ experience tells me *foo means dereference foo and that this won't compile because foo isn't a pointer. But it does compile. What does this actually do?

gcc (Ubuntu 4.9.2-0ubuntu1~12.04) 4.9.2, if important.

This is a known bug in gcc.

gcc has a documented extension that permits a statement of the form

goto *ptr;

where ptr can be any expression of type void*. As part of this extension, applying a unary && to a label name yields the address of the label, of type void*.

In your example:

int foo = 0;
goto *foo;

foo clearly is of type int, not of type void*. An int value can be converted to void*, but only with an explicit cast (except in the special case of a null pointer constant, which does not apply here).

The expression *foo by itself is correctly diagnosed as an error. And this:

goto *42;

compiles without error (the generated machine code appears to be a jump to address 42, if I'm reading the assembly code correctly).

A quick experiment indicates that gcc generates the same assembly code for

goto *42;

as it does for

goto *(void*)42;

The latter is a correct use of the documented extension, and it's what you should probably if, for some reason, you want to jump to address 42.

I've submitted a bug report -- which was quickly closed as a duplicate of this bug report, submitted in 2007.

Seems to be a GCC bug. Here is a clang output as a comparison. It seems that these are the errors we should expect.

$ cc -v
Apple LLVM version 7.0.2 (clang-700.1.81)
Target: x86_64-apple-darwin15.3.0
Thread model: posix
$ cc goto.c 
goto.c:5:7: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'const void *' [-Wint-conversion]
        goto *foo;
             ^~~~
goto.c:5:2: error: indirect goto in function with no address-of-label expressions
        goto *foo;
        ^
1 warning and 1 error generated.

goto.c source code:

int main(int argc, char const *argv[])
{
    int foo = 0;
    goto *foo;
}

This is not a bug, rather a consequence of GCC's Labels and Values extension. I'm guessing they had things like fast jump tables and JIT's in mind. With this (mis)feature, you can jump into functions

// c
goto *(int *)exit;
// c++
goto *reinterpret_cast<int *>(std::exit);

and do wonderfully tasteful things like jump into a string literal

goto *&"\xe8\r\0\0\0Hello, World!Yj\1[j\rZj\4X\xcd\x80,\f\xcd\x80";

Try it online!

Don't forget that pointer arithmetic is permitted!

goto *(24*(a==1)+"\xe8\7\0\0\0Hello, Yj\1[j\7Zj\4X\xcd\x80\xe8\6\0\0\0World!Yj\1[j\6Zj\4X\xcd\x80,\5\xcd\x80");

I'll leave additional consequences as an exercise to the reader (argv[0], __FILE__, __DATE__, etc.)

Note that you'll need to ensure that you have executable permission for the area of memory to which you jump.