History of Null Pointer Dereferences on macOS

pjmlp · 2025-03-21T09:14:07 1742548447

Thanks to the wonders of UB, the sample on the article when compiled with optimization on, it actually reduces to,

   //clang -o null_dereference null_dereference.c
   #include <stdio.h>

   int main() {
      int *ptr = NULL;  // Initialize a pointer to NULL
      int value = *ptr; // Attempt to dereference the NULL pointer 

      printf("Value: %d\n", value); // This line will reached, because the previous will be optimized away.

    return 0;
    }

Example, https://godbolt.org/z/Kv3rcz1ch

pajko · 2025-03-21T20:10:55 1742587855

What do you mean? There is nothing optimized away. If there would be an if statement to check for a NULL pointer, yes, that most likely would be optimized away due to UB (if something is undefined, it is not NULL, so the check can be removed...). To make it implementation defined, the -fno-delete-null-pointer-checks parameter can be used: https://news.ycombinator.com/item?id=39463804

pjmlp · 2025-03-22T08:43:44 1742633024

Look at the generated assembly, only printf remains, the assignments preceding it were removed, thus execution reaches printf and fails elsewhere, not at the point shown on the article.

mrpippy · 2025-03-21T17:30:41 1742578241

On macOS x86_64, the size of PAGEZERO cannot be set to 0, but it can be set to 0x1000 (4 KiB) instead of the default 4 GiB. Wine does this to support running Windows EXEs which need to load at a fixed address.

On ARM64, PAGEZERO's size cannot be made smaller than 4 GiB.

VogonPoetry · 2025-03-22T03:23:34 1742613814

The default 4GiB setup is done to very quickly catch poorly written / ported 32-bit code that promotes a 32-bit integer to a pointer. In 64bit mode, such a promotion will create a pointer with the top bits set to zero. Any de-reference of this sort of promotion will cause a SEGFAULT. This might happen if some sort of mixed mode compilation happened for a 64bit process where some of the code was still compiled and linked assuming 32bit mode. (mixed mode Intel code mostly)

jisnsm · 2025-03-21T13:26:07 1742563567

> A NULL pointer dereference occurs when software attempts to access memory at address 0 (the NULL address) via a pointer set to NULL.

There is nothing in the standard that says that NULL must be 0.

vardump · 2025-03-22T11:15:09 1742642109

When's the last time you've seen a non zero NULL pointer?

We don't code for things like PDP-11 or Honeywell mainframes all that often.

https://c-faq.com/null/machexamp.html

andreyv · 2025-03-22T16:30:58 1742661058

Here is a non-zero null pointer: https://gcc.godbolt.org/z/Po5r5Pa36

__tidu · 2025-03-24T07:00:11 1742799611

whats going on here, I dont know enough C++ to understand

dented42 · 2025-03-27T06:58:31 1743058711

We’re covering the history of null pointers on the Mac and not mentioning that in the early days null de-referencing was totally allowed and the system didn’t do anything to stop it? ;)

derefr · 2025-03-21T15:37:47 1742571467

On a tangent re: memory safety in operating systems —

We hear a lot these days from the (very much in-the-open) debate over how much (if any) of the Linux kernel should be rewritten in Rust for memory safety.

But does anyone know if a similar debate is also going on inside Apple re: XNU/Darwin, or within Microsoft re: NTOS? (Maybe not using Rust in particular, but some other memory-safe systems language?)

jeroenhd · 2025-03-21T15:47:22 1742572042

Microsoft is hard at work rewriting risky C code into Rust (old presentation mentioned here: https://www.bleepingcomputer.com/news/microsoft/new-windows-...). They're also actively working on things like their Rust framework for Windows drivers.

I don't know about Apple. I'd expect them to go for Swift rather than Rust, but Darwin doesn't seem to include any such code yet.

Linux is full of C developers who don't want anything to do with Rust actively working against the current Rust for Linux experiment. I expect Linux to end up lagging behind Apple and Microsoft in this area because of the difference in organisational structure and priorities.

dagmx · 2025-03-22T06:52:44 1742626364

Apple have both a memory safe dialect of C (called firebloom) and are working on making a subset of Swift for safe, embedded use.

Idk if the xnu kernel will adopt those but it seems most likely.

usrnm · 2025-03-21T07:24:41 1742541881

How large is the protected memory area? In my experience it's often not zero but some offset from zero that is accessed

TazeTSchnitzel · 2025-03-21T09:13:44 1742548424

DonHopkins · 2025-03-21T09:34:12 1742549652

How things change! Page zero was extremely important on the Apple ][.

nomad41 · 2025-03-21T10:49:52 1742554192

Very interesting. Can you expand on why? Or point to some relevant sources. Thank you in advance.

0x0 · 2025-03-21T11:15:00 1742555700

Probably because the 6502 CPU had instructions for optimized access to the zero page (first 256 bytes of RAM), this would also apply to C64 and NES etc. If you want to use "Indirect Indexed" memory accesses then I think it also has to go through an address held in the zero page.

See https://www.nesdev.org/obelisk-6502-guide/addressing.html

pajko · 2025-03-21T20:17:33 1742588253

The AVR architecture puts its registers starting from address 0 of its data memory. As a twist, the program memory also starts at 0 (due to the Harvard architecture).

LoganDark · 2025-03-21T05:51:23 1742536283

Hugged to death?

Edit: Seems good half an hour later!

gsf_emergency_2 · 2025-03-21T05:58:24 1742536704

https://archive.ph/p86V1