Can I write to NULL (0x0000000000) without seg faulting?

Thanks Edgar, I can use that tip.

Whenever you leave the realm of standard C or C++, test your environmen as much as possible: compiler, compiler version, processor architecture, whatever. If you get unexpected values:
#error "system dependent code used outside expected environment. Please re-qualify. See document 1234.56.78"

Yup, though it would be a little bit more involved. You need to write and install some kind of rootkit.

On the ATTINY3217 NULL is a valid address in the memory space, it is a general purpose register with IN/OUT and direct bit manipulation functionality (look it up in the datasheet)

Could you explain why?

@@KangJangkrik under Linux mmap_min_addr defines the lowest address an unprivileged user can map memory to.
This limitation primarily exists to make NULL pointer dereference bugs in the kernel harder to exploit.
mmap_min_addr is ignored if the process runs under root since root already has full control over the kernel.
mmap_min_addr can also be changed to 0 to allow unprivileged users to map memory to 0.

in /proc/pid/maps 00000000-00001000 rw-p 00000000 00:00 0

I made a wip OS with grub, and writing to NULL caused the entire computer to reboot lmao

@@cerulity32k im working on the millionth (it feels like) iteration of my os and i have everything mostly working and im pretty much implementing the required syscalls to port newlib to it

Good point. But then he said “modern operating system” which restricts the options quite a lot.

@@Martin.Krischik Also depends on what is considered "modern". If you include anything that requires an MMU, Windows 9x is to be considered modern. However, it is not an SMP OS.

@@milasudril There are newer embedded OS which don't require an MMUs.
For a good answer you need a few more parameter:
1) Consumer OS vs embedded OS
2) MMU vs no MMU.
3) CPU with super user mode vs no super user mode.
If you are in super user mode or the CPU has no super user mode than you can just reprogram the MMU.

It is not the pointer to the interrupt table that you would be overwriting, it would be a pointer IN the interrupt table that you would be overwriting, specifically the pointer to the real mode divide by zero handler.

On x86 Win9X uses VM8086 mode for many operations such as disk operations. It would make sense then that it would identity map this region. Since the IVT is stored at 0x0000:0, then overwriting any info here would break your BIOS calls (which again, the OS is using regularly, so it would break immediately)

That is,
sysctl vm.mmap_min_addr=0

This is what i was thinking, microcontrollers don't have an OS or even an RTOS usually, but they might simply not work properly if you screw around with the low address values. IIRC, most low addresses still have specific functions on microcontrollers so you shouldn't screw with them, but they'll probably at least let you do it

I think on cortex m0 to m4, address 0 is the startup address, where you init BSS and set stack and frame pointers and jump to main.
it's written to flash so you are going to hardfault on that. You can use flash erase+ flash write operations to write on it. thats what bootloaders do.

@@xBoBox333 in ARM address 0 is flash .. address somthing 0x0040000 is Ram .. everything is yours but you have to respect how to setup .bss and data in memory, stack and how c works before you call main function.. and yeah how arm boots and expect address 0 to point to vector table of ISR routines.

So you might change something that is actually a constant or random global variable of your program..

The standard DOES require the null pointer to be 0.
section 6.3.2.3 of C99

By default, user processes are not allowed to map low memory addresses. Search for "debian wiki mmap_min_addr" for an explanation.

@@maxsilvester1327 Oh, interesting. Thanks for the explanation!

Real mode disables memory protection and virtual addressing, so that's fine... you won't segfault.

0x0000 is at the bottom of the memory map, not the top.

Depends on the microcontroller, of course. They're all different. Not all have flash memory, and not all have the same memory layout. But, yeah, most will hardfault if you write to NULL. I've actually seen a lot of programmers use that as an easy way to reboot their MCU. Just write to NULL. Definitely requires good comments so people don't think you've lost your mind.

That is only relevant when in real mode. If you boot in any modern OS that uses the MMU it doesn't apply

source files produce modules - modules can be linked directly into an binary/executable or they can be linked into libraries (which are just collections of modules) - a module importantly contains information about (a) public symbols that it exposes (b) external symbols that it references and (c) all the locations inside where direct addresses are relative to its eventual load address (which is minimal these days because x64 loves relative addressing.)

@@styleisaweapon Right, but for anything complicated enough I can’t just hand the compiler a collection of object files to link, I need a linker script, which I don’t understand. I know the basics of linking in general, just not anything complicated enough I can’t have gcc write the script automatically behind the scenes.

@@danielrhouck why cant you? its how the linker works - its how all linkers have always worked

@@styleisaweapon Because I have not yet learned how, partially because I haven’t found a good intro and partially because I’ve spent time learning other things? That’s why I said it’d be interesting to have a video about them; it’d be a good place to start.
I can sometimes *read* linker scripts if they aren’t too complicated, but I don’t know enough to even write a simple one yet.

@@danielrhouck so when you said that a particular thing cant be done ... you didnt mean that it cant be done...

Yes, please do explain lex() and yak() in one easy 15 minute video. I dare you! Love you videos Jacob.

😂 I'll see what I can do.

there's a book called Crafting Interpreters that you can read online for free; it has its own website and everything. it focuses on writing new programming/scripting languages, but the basic ideas it teaches about designing and parsing a "grammar" could be adapted to query and markup languages as well.
the book goes over scanning and parsing: breaking an input string into raw tokens (e.g. "plus symbol" or "right-hand parenthesis" or "word"), and then poring over those tokens to identify "grammatical" constructs (e.g. "addition" or "function call" or "identifier"). the basic idea is that the meaning of, say, a plus sign could vary by context, so tokens are the raw pieces without context, and the grammar stuff is what you get when you view these raw parts in context. it allows you to move the logic for "skip over comments" and the like away from the grammar, and keep concerns separate.

Yep. Group 2, surrounded by group 1

You seem to be mistaking provably correct with provably safe - application programmers want provably safe and languages have evolved towards that over my lifetime - provably correct is deceptively simple but in practice its very hard to do outside of functional languages with heavy asserting.

There is (often) no memory there.
Modern operating systems use something called virtual memory. An operating system can map physical memory into this virtual address space that can then be accessed through (virtual) addresses. If something is not mapped (which is often the case for NULL), then any access to it will cause a fault because there is nothing there that can be accessed.

A good compiler will issue a warning here. And a good programmer let the compiler treat warnings as errors.
So this program fragment will never see the hardware.

@@Hauketal your last statement removes the difference between warnings an errors.
If that was good practice, compiler guys would remove warnings at all and only use errors.
A good programmer should always check warnings.

@@maxaafbackname5562 Correct about removing the difference.
As always in software development, the only hard rule should be "use your brain". But there are lots of inexperienced developers around, so another rule may be "try to compile without any warnings; if you don't find out how, ask a senior developer, who may grant an exception."

Also your code is no longer valid C program. You can write to address zero, but cannot write to null pointer in standard compliant C. (Btw NULL doesn't need to be 0x00000000). Only after then, you can start worrying about HW and SW exceptions / interrupts / signals / SEH / whatever.

Well, Atari OS with cc65 will let your do it without HW or SW fault. Of course int is only 16 bit on this particular system so the 32 bit number you write will be truncated.

Yes, munmap is the counterpart to mmap.
If memory is not unmapped (similar to when you do not free malloced memory), the memory will stay allocated until it is either unmapped or the process exits.
On modern operating systems, if the process is about to exit, calling munmap for mmapped memory and free for malloced memory is unnecessary since the OS will deallocate the memory for you when cleaning up the process.
It is often considered good practice to do it anyway, even if the process dies, since it can help in the search for memory leaks that grow during runtime, but it might not be possible in some cases.
Examples of applications that often do not free or unmap allocated memory are computer games since doing so would make exiting the game significantly slower while providing no benefit over not doing it.

The boot sector load location in memory is irrelevant because its only executed once and there is no return pointer placed on any stack when the loader branches to the kernel loader - its a jump not a call

@@styleisaweapon it depends on what you're doing, you can make a call, or jump from there. also there might be some data, not just code

@@tochka832 none of what you are saying matters unless you think its really important to explain that the boot sector which only gets executed once gets overwritten after it is executed ... please just stop .. its not important and you arent getting cookies for your efforts here quite the opposite

Pretty sure you can, but i think the kernel would refuse to load that program, at least if run without privileges

In windows its called recycle bin

you can do it in kernel by writing the page tables yourself

Probably because you can check for 0 in one instruction (bne) but you can't do that for -1

@@Starwort Depends on the architecture. Under x86, that is not the case.

@@ValverdeHD well yes of course it depends on the instruction set; are you saying there's an x86 instruction to branch on -1? I haven't seen one, but it's not impossible
Edit: C was originally made to be a more ergonomic assembly language for the PDP set of computers, and I'm fairly sure those had a bne instruction but no specialised branches outside of zero and flags

We didn't. The value of NULL ist implementation defined. And in the early days a few operating system did indeed use -1. But with the rise the x86 architecture 0 became the de facto standard.

@@Starwort I never wrote that there is one. What I am saying is that there is no such instruction for a check for 0 either and both a branch that checks for 0 and one that checks for -1 require two instructions.

On modern operating systems with virtual memory, there is (usually) nothing there.

@@ValverdeHD if nothing is there, where are argc, argv, _start and _exit? I thought the first page. Maybe we should print the argc pointer?

@@ValverdeHD Also, where is the ELF header?

@@dgholstein some where in the memory.. OS knows .. OS gives you virtual memory addresses and have its own mapping to your addresses and real addresses.
And you probably confusing the relative address of stack with actual address?

@@dgholstein _start and _exit somewhere defined by the binary, but not 0. (_start is usually in the .text section and _exit is either in .text or in a shared library)
argv under Linux is on the stack of the first thread, which under x86_64 systems should be an address that looks similar to 0x7fXXXXXXXXXX (where X are some hexadecimal digits).
argc is an integer, so depending on the calling convention it's either on the stack or in a register at the time of the function call (if you print the address to it in C you will get a stack address).

C does not define null to be zero - thats implementation specifics that might break elsewhere if you assume - fairly safe assumption until it isnt

Completely valid in both C and C++.
It will implicitly return 0 at the end of the function, but this only works for main.

@@ValverdeHD Still a bad practice.

@@finmat95 It really, really does not matter.

@@Shakephobiaful Still cringe

@@finmat95 If you're so pedantic about it, you should probably use return EXIT_SUCCESS; instead.

True because 1!=0