Lesson 2 will cover *(char*) 0 = 1-1; it is expected to last 2 hours, and it'll dive in microcode, so, bring coffee. Students willing to take lesson 3 get prepared to deal with 2 (two) lines of code, and bring a copy of L. Susskind's book, Introduction to Black Holes.
This presentation reads like one of those essay-length Stack Overflow replies that answers everything that you asked, and then dives into questions you didn't know to ask, all while citing sources.
@@garethma7734 it IS a good thing, if that's what you're already doing be proud to help curious people this much, not necesearly the original poster but also people coming later and reading your reply !
That makes me think of my Latin professor who got behind on lessons about basic grammar going off topic about things like how a particular word developed from archaic Latin and proto indo european.
@@garethma7734 Well it's better than saying "this question is a duplicate" when the said duplicate is 12 years old and doesn't work anymore... You have no idea how many people are looking for you guys.
@@garethma7734 I honestly LOVE IT when I stumble upon those kinds of replies whenever I have to resort to searching Stack Overflow for answers, because those kinds of replies always lead me places I didn't expect, help me to avoid traps for young players, and I usually learn a few new things along the way! 😄Keep writing your essays that answer the question then half a dozen follow-up questions. They're WAY more helpful than you think they are!
I looked at that and thought, "oh, that is the text of a unit test case for a c++ compiler". Mere minutes later in the talk, two compiler bugs have been revealed.
The "-0" bug is strange. One would think the compiler able to expression resolve, instead of hard-coding for typical illegal values. I mean, once you're in illegal territory, isn't it likely the programmer wanted something different than actual zero, and so there is a runaway expression there? :-)
A great talk covering so much ground, by a great presenter, and with gorgeous slides. Something for all C++ developers here: I guarantee you'll learn something!
Well... I learned C++ apparently makes return optional for int main, and this person loves calling hierarchical arrays hash tables, and made diagrams that point every which way inconsistently. Most of all, they took pride in being unclear, so people couldn't make an informed decision on whether to watch the talk, which is a meandering description of how a memory access may or may not work (including how it may be entirely removed by the compiler).
As an ageing programmer with hardware experience I have mixed feelings about this talk. The low level concepts he is trying to explain are valid and completely clear to me. But I guess it's targeted to an audience that is familiar with certain C++ constructs but has no idea how hardware actually works. For me it's quite the opposite. BTW, I used *(char*)0 = 0 to provoke an application crash in order to see what a certain device driver does when a calling application terminates unexpectedly.
I started programming in 1977, so I'm old enough to take code like this at face value: For some reason, the programmer wants to store an int=0 at virtual address zero. Back in the days I would use code like this, typically with a short offset from zero, to store an interrupt handler address into the OS IRQ handler table which was stored at absolute address zero. EDIT: I saw later that he got into my exact usage, with the div_by_zero x86 vector! It is indeed pretty amazing how much that has to happen for each and every instruction that is executed in a modern CPU. 🙂
But the value written is a char, not an int. The programmer wants to set the first memory location (whatever size _char_ happens to be on that architecture) to zero.
This was a surprisingly wonderful video. I was the weird CS student that loved compilers, assembly language, operating systems, and architecture. This talk touches on all of them! 😃
Me too, I'm currently working on designing a whole multiple processor and cache system in Logic World, which I'm planning to write an OS for on itself, to write programs in the game for my processor to run in my system. This serves absolutely no purpose besides to have fun and learn a bit, which I think is the best purpose a project can have :)
This kind of stuff is always the best part. I like how, despite the initial code presented being a pretty simple memory cast and dereference, there's so much to go into from that little bit.
Next step is electrical engineering to complete your knowledge
Год назад+3
@@w花b That's what I loved on my CS studies, as I minored in electronics. I got the complete view from passive analog components to software running atop an OS on a (back then) modern computer. Every step was covered!
As someone who started out on 6502 this code makes me proud that page zero is not forgotten ;) Because, who is the compiler to tell me I can't use the first byte in the most important memory segment!
On Windows, AFAIK, we lose a complete page due to this, i.e. 4096 bytes (because you can only specify access in a PTE, which covers 1 page). You wouldn't do that on a 6502.
@@roboterbasteln it’s not a big deal though on Windows since you have virtual memory and thus only have whatever overhead there is to setup the trap. Also, how in the world were people writing code where null is a valid address? I’ve programmed on a machine with 4k memory and it still seems like madness to not reserve that first byte as the marker for “invalid address”.
I do a lot of work on microcontrollers and on the MC9S08 that I use a lot, this line of code sets all PORTA bits to zero. Depending on what the application is, this might be a reasonable thing to do - to turn all of the LEDs off on a front panel or something. I do find it slightly disturbing, I’d rather see it written as PORTA.R=0x00.
As a recent computer science graduate, who procrastinated, and never took studies too seriously. I find this inspiring. I want to be able to talk and reason and go off on a long knowledgeable tangent about technology like this man. I'm going to start studying on my own time again, and start to learn systems and all these cool nerdy lower level things 😊
Finally, someone who went into the proper level of detail. This was great. It takes a good deal of low and high level experience to do this well. Most videos provide an interesting title and thumbnail and give no gems or anything of deep substance, merely regurgitating basic encyclopedia knowledge. This is refreshing.
@@xpusostomos Yes, I would love to see a part two that gets into the details of how the TLB happens, and how hypervisors work, and all the details of the machinery of stuff like gdb, cachegrind, and qemu. I think virtualization is *very* interesting. I'd also love to see it approached from an embedded perspective where you often have SBCs with some more exotic cache and memory architectures.
At a local user group (60 miles down the coast from where the talk was given) we spent a few weeks playing with microcontrollers (bare metal, no OS), it was cool seeing the reaction to working in such an alien, yet familiar environment. On many ARM cortex M implementations, address 0 is the start of the vector table. Offset 0 in the vector table holds the initial stack pointer value. In many ways, programming something like the RP-2040 (Raspberry Pi Pico) is like a trip back to the early 80s.
This is exactly why I ended up back in development again after burning out doing traditional development targeting desktops and servers. I got scouted off of a website where I made some embedded stuff as a hobby, which I was only doing because coding on those little platforms reminds me of coding in my childhood on 65c02 and 65C816 cpus in the 1980s. I wouldn't be coding professionally anymore if not for this. It's a whole different world, and a ton of fun. :)
Funny thing is that the Zelda 2 "I am Error" became an error, because his counterpart got lost in translation. There is another character whose name is supposed to be "Bug", but because of Japanese pronunciation rules, his name is Bagu, which got translated into English directly as Bagu instead of Bug. Thus the Error - Bug reference got broken.
Cachegrind now longer models the cache by default (since April this year and will be part of the 3.22 release due out in a couple of weeks, around October 20 2023). So now cachegrind is really "instruction-counter-grind". You will need to specify --cache-sim=yes to turn it on. If there are any keen experts in CPU cache architecture that would like to contribute to Cachegrind's cache model please get in touch.
23:05 is what I want. I want it to compile to `mov 0, [0]` or whatever functionally equivalent assember instruction for the particular architecture. No less no more :-P And if the code was running on a microcontroller without a MMU, or x86 in real mode, or 6502 or z80 or... I actually expect it to write 0x00 at memory location 0.
I feel like I needed to pass 4 years of CompSCI and also understand the entirety of FPGA engineering theory to understand this single line of code. But seriously, I've written this exact line before, and I did it to simulate a hard segmentation fault when I was testing a crash reporting C++ library :)
@@xpusostomos well you don't have to do it as a char cast, though you have to match it with the data you are assigning, so if you try to cast an integer as a float, you will get kickback unless you put a decimal point....stuff like that. The point of the line is simply to create a fault or to verify the level of permission of the underlying code base....so if you were not to get a fault, then you most likely be at highest permission levels (a virus may do more damage at that level). Some applications may request permissions from the OS and then trap test to make sure they were followed, like warden systems and such, but usually that's on a read-only basis and not dealing with writes. Older emulations would fault out and ignore OS delegation, which would be a flag for warden systems to know if it was being sandboxed, but that's not necessarily the case anymore. It also allowed OS itself to know if it is in a sandbox or has full CPU control, so if you were writing an OS, you would do these traps to test privileges before "taking over" delegation ops....if it is sandboxed, then a good OS would block some operations (like file access to pass-encrypted stuff) in order to protect sensitive material. emulations and "hackers" are getting better, but for an analogy, just because criminals can bust through your door doesn't mean you should keep your door unlocked. still safer practice than your code just assuming its place.
Yes you can. In alternative universe you can intuitively know it's just a crap of code and do useful stuff. This whole talk reminds me of old article from joelonsoftware about stratosphere architects who design awesome super stuff that nobody needs, while others do useful stuff.
One of the best talks I've seen in a while! In my last job, I was porting a game to Xbox One and I got used to this exact code as a quick and dirty way to breakpoint what I was doing. Great memories! 😅
@@pre-ansi-c-forever I believe the debugger is called when something errors out hardware side (whether it is via interrupts or via whatever mechanism), allowing the debugger to inspect memory at that point. So a debugger will catch a program before a "crash" (termination). If you then change things, it might allow you to continue, at least higher level debuggers do (In Godot's GDScript, i don't know about lower level ones).
On any platform I have used, I found this code to be a sure way of crashing the program with a segmentation fault or something similar. Very useful to test your program's fatal exception handler.
Interviewer response: It was nice hearing your ideas about this piece of code - our conversation was very interesting. Unfortunately, we have decided to move forward with another candidate that better suits our needs.
I enjoyed your presentation. It made me wish I had gone down the path of being system engineer instead of working with databases. It was simple enough for a non-system engineer to understand and yet deep enough to make it interesting.
This is the most fascinating talk I've ever watched all of and understood none of. I'll take my yaml and python scripts now and head back to my own sandbox to eat the sand.
I remember a few years back the Linux kernel added X86_RESERVE_LOW to allow you to reserve memory starting at 0x0 to prevent a possible privileged escalation where in certain circumstances malicious instructions could be written starting at 0x0 which would then get run when some other program tried to null pointer de-reference. At the time I went "Wait REALLY?? Writing to 0x0 won't always simply segfault?". But apparently there were some circumstances where it was possible. I guess since then the first 1M of memory is reserved so X86_RESERVE_LOW isn't needed anymore.
I was thinking this the first time I started to dig into the code. Either it's process memory mapped, or it'll hit some sort of OS memory protection, because 0x0 is a pretty important piece of memory to block access to. It took pretty long into the presentation before he explained that the significance of the memory depends on the specific device. You could work with a device where the 0x0 address contains valid data, which is pretty trippy. Although I'd argue that there's a more clear way to write that code than to do what amounts to a null dereference in 99.9% of cases.
A pointer dereference doesn't run code. I'm not sure if you know how code works, but you have to invoke the function pointer for it to execute. If it is the divide by zero interrupt handler in x86 real mode than still won't run code. Then you would actually divide by zero to run the code.
I've worked on major software projects where previous authors didn't initialize variables in the constructors. They assumed that the memory the classes would be newed up in was always going to be 0! Then again, this was code using the C++03 standard written around 2015, and was still on C++03 post 2020!
Those are different. X86_RESERVE_LOW reserves physical memory and prevents it from being allocated. This was done because the BIOS can't be trusted not to corrupt it, which would corrupt random memory that was allocated to some process. The BIOS would normally be out of the picture when the OS is booted and has entered protected mode, but it's sometimes invoked before/after hibernation. If X86_RESERVE_LOW is no longer needed, it would perhaps be due to UEFI boot which is not as ad hoc as a BIOS. The first 1M being reserved is in virtual memory, meaning that the lowest 1M of the virtual memory is mapped to pages that are non-writable and writes there will be trapped. It's unrelated to X86_RESERVE_LOW.
that talk is me the day I found out about virtual memory lmfao. It's so complete and great, I spent some time reading cpu manuals and that blew my mind at the time
Well this talk is a lot of fun. I wasn't expecting this to get into the page table layout. Having recently played around with writing my own kernel in Rust, a bunch of this was pretty fresh in my mind.
This is a brilliant talk -- Technically as well as inspiring to many aspiring presenters. Builds up from core concepts! 🎉 I could imagine the fun it would have been on a live stage. I really loved the slides, the programmer fonts and how cool the title of this talk! Intriguing! 🎉 JF onto my favourite speakers list. Thanks!
I love this discussion since I am a grey beard. I started programming in 1977 and have programmed systems with a 36 bit word length (Honeywell), 60 bits (CDC Cyber 760 which used ones complement), and 24 bits (Harris H series). Far too many programmers today assume the Intel x386 or AMD x86_64 CPU model assume that is the only behavior that exists.
Perhaps I'm a white beard ;-) Also Honeywell (DPS8; EIS box allowed double-words 72 bits), Control Data 1604 (I don't remember the word length). Univac 1830 (30 bits if I remember right). The registers in this presentation suggest the Motorola chipset (68000) rather than Intel.
Well, hello there! I also started in 1977, on a Unisys1100 (36 bits afair). The strangest cpu on which I've written asm code was the HP 85/87 lab computers which had 8/16/64-bit registers all stored inside a 128-byte block of static ram: You could start a register access at a misaligned offset and get 3-byte/4-byte/5-byte/etc "registers". Currently working (unpaid) on the Mill architecture which doesn't have registers at all, just a belt which will automatically garbage collect all values after a number of instructions have been executed.
I need more cache memory for my brain. I get to have fun with page tables, and then he asks: "what were we talking about?" and I'm like: that is definitely a good question, as I completely forgot that this all started with setting a value of 0 at address 0.
Every time I want to learn C++ I get recommended terrifying talks like this LOL. I appreciate what these programming languages do but I'm not sure if I'll ever be able to absorb the knowledge about it to this extent. I can only hope that extent differs for what you want to accomplish but also, having knowledge about something could never hurt.
What an amazing talk! I started watching this puzzled and asking myself, what could possibly be so interesting about some obvious null pointer dereferencing? I'm thoroughly impressed!
Being an embedded software developer my mind first went to reset vectors, which are often at address 0 (usually in ROM/FLASH). My next thought was what can happen in Harvard architectures (e.g PIC or AVR). Depending on how the linker script is set up it may be possible for the first static variable to end up at address 0 in data memory. Having a variable with an address of 0 can create some very obscure bugs.
On a bunch of 8 bit Motorola microcontrollers, address 0 is I/O port A. So it is equivalent to PORTA.R=0x00; and this is a valid thing to do if you want to turn off a bunch of lamps or other outputs connected to port A.
Even on modern widely spread architectures like ARM. On Zynq/ZynqUltrascale (Xilinx FPGA's with embedded ARM CPU) physical address 0 is either on-chip memory or DDR. So, perfectly valid memory which you can access. Though the linker script will not allocate variables there by default. Yeah, this can lead to very obscure errors in baremetal code if your (or some third-party) code checks for null as a sign of an uninitialized pointer (which it usually is).
Great walk through the depths of things. I first started out with a SEL machine which implemented virtual memory with some internal CPU registers not normally available to the programmer (called, appropriately 'memory-map registers'). I remember reading in the tech manual for the cpu a phrase that went something like: "Since these registers are critical to the operation of the machine, none but the most trusted code should ever attempt to modify them." lol One project using such machines, had this nasty quirk that if you cleared memory and started it up and started this critical program first, your day was great. But if you shutdown that task and restarted it without rebooting, chaos. Turned out that task had some tricky code that expected certain virtual addresses were exactly equal to physical address. If it was the first task started, the memory manager made it so. But of course after you kill it and other tasks had been running and you restart that task, virt != phys and crash. THAT took a while to find... lol
That may or may not work, but I'm pretty sure it's undefined, or at least implementation-defined behavior. The compiler will often put that kind of data into a .data or .rodata section, which is not set to be executable on modern systems.
What an amazing talk, really inspiring. That's exactly my kind of mindset, talking about all the different aspects of a seemingly simple thing. I would love to meet you in actual interview, to exchange some ideas!
7:26 inspiration, it shows that you can use integer and pass it to address in raw form without 30 lines of code, like: atoi(toa(toi(string.tostring(5)))); and null is now an integer of type char and not null, which you can have some fun with. Like what if you set null to 5. "Are there any people in the room? No, there are none, because there where four and one came in"
i enjoyed every bit of this. it went from i don't anything. compiler stuff. to things i know a bit. unknown unknowns to known unknowns. thanks for this great talk. ❤️
my immediate answer is that its a DMA hack for an embedded system or its a unit test to cover a very specific requirement from an very particular client. i can see the requirement now... "system shall set caution light when null pointer is deferenced" lol. this is a fantastic interview question because its not a stupid riddle designed to make you feel stupid, but instead it just reveals where your expertise is because its where you will start looking.
I sort of knew what this code did because of two experiences. The first was when I needed a "nop" in C. I was told the closest was (void*)0;. The second was watching the RUclips video "Fast Inverse Square Root - A Quake III Algorithm" There's two lines of code in the video: i = *(long*)&y; and y = *(float*)&i;. The video explains it as a bit hack of floating point numbers. It's a a great video that explains exactly whats happening to the code and why the programmer did it.
On the Commodore 64, address 0 holds the data direction register for the 6510's I/O port. On the Amiga a typical declaration would be ExecBase = *(struct Library **)4;. They put the pointer to the kernel library at address 4, so accessing NULL can always be treated as an error. Another valid use case for dereferencing a NULL pointer is the offsetof() macro in C: #define offsetof(struct_name, member_name) (size_t)&((struct_name *)NULL)->member_name
Hm, technically you're not dereferencing anything there, the & operator causes the lvalue to not become an rvalue (it serves the purpose of the x86-64 LEA instruction but in C).
And the fun thing you didn't mention was how the CPU does a 'context switch'. A lot of those cache pointers have to change every time the CPU switches from one program to another, so the two programs are blissfully unaware of the virtual memory mapping of each other. As you touch on a couple times, you CAN make two programs share a common block of physical memory, but you have to work at it. And that is a key place to tell the compiler some data is 'volitile'.
On the Apple-II family machines with Disk II controller or equivalent (a popular machine throughout the 1980s, with a sales volume of around six million), reading 0xC0EF shortly after a disk access would start overwriting the current disk track with whatever data happened to be fetched on every 32nd cycle until the next access to 0xC0EE. That's an actual platform--an hardly an obscure one--where a single stay read could trash the contents of a disk volume.
On the VAX, dereferencing address zero returned zero. I *think* I first encountered a SEGV (or maybe a bus error) on an early 68010-based (yes, 68010) Sun workstation when dereferencing 0. I've worked with older architectures where the register file would overlap with the low addresses; for example, on the Univac 1100 series, register A0 was the same as address 0 of the address space, X0 was address 16 (or something like that; it's been way too long). The 1100 (and not only) were fun, in that they were one's complement machines, so that -0 in your example would have been all-ones. And then there is all the fun of embedded systems without an MMU!
There's the question of "can" you execute this, and then the question of "what might it mean." It depends both on architecture and memory model layout. The result could be anything from yes with an effect of nothing, to an immediate runtime error, to setting up something obscure in the way the system will operate or malfunction (as by code invoked by destructors). I remember back in Usenet days on comp.lang.c where it was discussed that one could do a read dereference of the byte at address zero on VAXes running BSD which would come back with NUL. Therefore a NULL pointer was a usable shortcut for a zero length readonly "C" string. However I do not remember if the VAX memory model would permit a write, as here. (I recall on BSD this would throw a SIGSEGV.) Writers of C code (let alone C++) were admonished never to assume what the byte at address zero will be, if it can even be read at all, because "the world is not a VAX." This only goes to show how ancient I am....
Admittedly I even barely write code, but this is pretty interesting. In terms of I knew most of these things about the main function but I wouldn't have thought to pick them from the depths of the brain even when asked, they're so "obvious" and taken as granted, you wouldn't even think to do them when since the beginning you've learned not to even consider them. I got to the point of thinking it's assigning a null pointer, but what I think would've been a great answer (my humble personal opinion of no skill and experience worth talking about in programming): why is there no comments made when you're writing code like this. The least you could and probably should do is writing the comment explaining what you're doing and attempting to do with your choice of code. Watching this really makes me think of the creator of C++ saying how it's more difficult to shoot in your own leg in C++, but when you do it blows your whole leg off. This quickly spiraled into incomprehensible mess. The feeling when you understand the japanese better than the code. All in all great speaker, good humour. Barely kept up with the content but enjoyed all of it. And probably learned a thing or two.
This feels like one of those afternoon beer talks, sitting on the porch chairs, going through subjects almost as fast as the inflation rate increase, and twice as fast through beers, until the sun has set hours ago and the wives call threatening to pack your stuff and leave it at the door...
Lovely. I remember, c1976-9, a micro OS on 8080 that fitted at the bottom bytes of 1 UV EPROM (~1kB maybe) where the 0-7 interrupt levels mapped to 0000h, 0008h, 0010h, etc, and one of the Interrupt service routines (ISRs) was 9 bytes long, so overran into the next routine, but was ended with a 'jmp' instruction, with high byte, still being 'local', set to 00h, so it was NOOP instruction for the first byte of the following ISR (little endian). Oh, it was driven by a Teletype with a paper tape loader. We then updated to FORTH. The good old days.
52:05 『The most elementary and valuable statement in science, the beginning of wisdom, is "I do not know".』 -- Data ST:TNG S2E2 "Where Silence Has Lease" 08:10 stardate 42193.6
Kinda funny that my first thoughts corresponded to your final descriptions re: virtual address spaces, memory protection, page tables, etc. finally ending with "it depends". And I retired today (last day of professoring). I think the two are connected - i.e. a certain perspective that comes with time. And then you die. The human condition.
It’s really interesting how the feelings of C++ programmers are different from the ones of C programmers. I belong to the later group, and I felt the talk was for another audience just when my feeling on the first code was not one of the given options (I consider it bad code, something I wouldn’t write, but cool and nice at the same time, while I cannot stand the horrible syntax of the supposedly “nicer” C++ified versions). So, when “I love it” was not present in the “denial, angry, etc.”, options, I realized it’s true that the C++ feelings are so distant from mine.
To really now what's happening here is, compile it on several processors with different word sizes and if it compiles, analyze the machine code or disassembly.
This is a great talk! I've asked firmware engineers interviewing for silicon bring up positions how they would be able to use memory on a system before they have initialized the dram controller (assume no sram). Answer: use the cache - just make sure it's set as write back and choose your temporary memory map so that you don't trigger cache evictions from your outward most cache that is configured. This is a trick I learned from a coworker when he used that in the bootloader on a PowerPC system we were designing.
Awesome talk, very entertaining and inspiring! When JF ask, how do we usually express this line in C++, I had expected simply `*static_cast(nullptr) = 0;`, or do I overlook something?
Same. Maybe he really wanted to talk about std::bit_cast! The static_cast code will compile with the same "indirection of non-volatile null pointer will be deleted, not trap" warning (at least with GCC and clang). And any level of optimization will indeed generate no assembly at all for this expression.
It depends what you want to do. Imagine you're running on a microcontroller that enumerates some digital out ins in the first eight bits of memory space, and you want to pull all those pins high. How do you write that in C++? It's certainly not how you wrote it.
Re: "as if my memcpy" from nullptr: In real, contemporary, architectures we expect a null pointer to be all zero bits. But that's not required by the standard, and the actual representation can vary by type. The casting of one pointer type to another should preserve nulls, transforming the representation if required. But that is bypassed with memcpy! And nullptr_t is a distinct type having one value, and what that value looks like as bits doesn't have to have anything to do with the representation of an actual pointer. edit: OK, you mentioned this later.
I've worked on two systems where "0" was a valid address. On the Sunplus SPG series where 0 is the first valid address and you have a lot of control of the memory layout. And of course the Commodore 64 where the MOS 6510 cpu had two memory addressable built-in registers at addresses 0 and 1 used a general data port that were connected to memory banking and datasette control. There "*(char*)0=0;" would do something potentially useful.
What would be even better would be if compiler writers would recognize that they shouldn't expect to understand the purpose behind lvalues like `*(pointer_type)intexpr`, and should refrain from making optimizations that presume they do understand such code, with or without the qualifier. The qualifier was added to deal with situations where a compiler might make what what would otherwise be reasonable and useful inferences, but such inferences in the vicinity of integer-to-pointer casts are almost never useful anyway. On the other hand, with clang and gcc, making pointer-to-integer casts and then performing calculations and comparisons involving the integers may result in inferences about the pointers that are simultaneously clever and wrong, *even if the integers are never converted back to pointers*.
What this talk taught me is that I know nothing about C++. Serioulsy, I would walk out of the interview out of respect for the interviewer's time. "Thank you for your time, but I don't know how to program anymore."
32:32 I'm pleased hear "kibibytes" used (vs "kilobytes"). I think this may be the first time I've actually heard anybody use the term---which is objectively the correct one to use here.
24:12 ... I was trying to think of a use case where this would be valid.... i like to work on harvard architecture microcontroller systems with no memory management... and there, this becomes almost "just assigning a variable".
We had an opensource project where people kept asking the same question and wouldn't read the simple "getting started" guide and look through the config file. We put 2 entries in the config file crash1=true and crash2=true at the bottom. If those were set we would essentially run code kind of like this. Just crash. The next time someone came in to our IRC (ye.. this was a long time ago..) with "its crashing on startup!" we could just tell them to RTFM.
Crazy direction to take this to. My thoughts: If there actually was a value to be read at address 0 without raising exceptions that is not used anywhere else, we could actually use this line to make the empty string "" 'equal' to nullptr (in a C-string sense), because 0 would be the address of 0 which would be the empty 0-terminated string: *(char*)0 = 0; cout
Amazing. On my system, sizeof(char*) and sizeof(-0) both are 2. It compiles without warning to "jmp 0;" which is just what I intended. It's only a C compiler though. If I call it from beyond 64k it compiles to "ljmp 0;" My first question was: Why char*? Why not void*? But I'm sure that's another one hour talk....
On first view it looks more like an unintended human mistake (like writing nul to nulptr or zero into nirvana). If address 0x00000000 is by hardware design intended to be written to by a running software it can make sense to do so. The usefullness vs. non-sense of writing into a memory address (here to the first memory address addressed by constant integer zero) depends always abut the executing (target) hardware is specified by the addressed hardware at that address; may be its the first entry of an interrupt vector table starting at 0x00000000, or some other hardware function, it just really depends on the hardware component (just a memory chip, or memory mapped i/o to timer chip, serial i/o chip etc.) is selected at this memory address and what a memory write for this here addressed hardware component means (set a value or masked bit in the selected register or start/trigger/execute a hardware compnents action like ADC, counter).
A compiler that respects the Spirit of C principle "Trust the Programmer" would operate on the presumption that a programmer who didn't want a write to address zero wouldn't have written the above code. The Standard wouldn't require that a compiler support such constructs if it's never going to be used for any tasks where they would be useful, but the Standard expects that people seeking to sell compilers would be in a position to judge their customers' needs better than the Committee ever could.
Great talk! I have a slight nitpick, though: At 32:58, the memory is shown such that greater addresses are further down. But at 39:44, greater addresses are further up 🤔
damn so many things i learned from this. i didn't expect that he would talk about all of those interesting things even though it all started from a simple line of code that would usually crash.
As someone who writes code in embedded systems and microcontroller, I don't want the compiler to get in the way of writing to location 0. So I'll stick to C and not have C++ nannying me with my pointers.
I've asked a variation of this question since 1990 in interviews. In an old unix port from the 80s had ((int(*)())0)(); This would reboot the system. There was a bunch code above it that reset hardware. It then jumped to the reset vector on this architecture. This is UB these days... it was a great conversion piece.
If *(volatile char*)0 = 0; were being written for the old NES/Famicom, it'd work just fine. It'd write the byte 0 to the RAM address 0. (Ordinary RAM occupies the first 2 KB of memory in the NES.) I guess the statement tells the compiler, there is an object of type char at address 0 and I need you to write the value 0 there, and don't try to optimize it away.
And it was fairly common for Playstation games to leave a chunk of memory at 0 for any null pointer writes to safely go somewhere. (Which meant you never needed to check for nullptr before writing which freed up valuable processor cycles for more important work.)
17:00 Re -0 Is that really a compiler bug? The literal integer constant 0 is taken as the null pointer. The result of the unary negation expression is NOT. Looking for other ways to indicate 0 in the AST would have to be a warning only. This could be an orthodox way to get past the compiler checking in an embedded application where you really do want to address that byte (e.g. a configuration register, or an interrupt vector).
I do not agree that this is a good interview question, at least with this aim. It's an interesting question for at most five minutes of an interview. It's useful as a test of whether an applicant is capable of entertaining the possibility that (1) this was just bad code and (2) this was intentional and (3) how much weight they give to each possibility. You want a programmer who is willing to say "this was probably a mistake" instead of spending a ton of time trying to decipher the intent because some code really is just bad. You also want a programmer who is willing to consider that there might be a good reason for a piece of code they don't immediately understand, and is intuitive and knowledgeable enough to guess what that intent might be. Someone who says "this looks like bad code...but hmmm, maybe this was just a way to generate a trap" (or any other plausible explanation) is a promising candidate, and you should move on to the next question. But if you want to know if I understand what's going on under the hood - ask me. This is like some teen magazine relationship test. The worst kind of interview is the one where it's a game with trick questions where I'm supposed to guess that by asking me about this line of code, you actually want me to talk for an hour about whatever random aspects of computers and compilers I can think of. The video is right: this could lead in a ton of different directions. So ask me to talk about them. Don't pose the question then wait to see if I pass the secret test by launching into a digression about a few of them at random. When you ask interview questions like this, you are not optimizing for knowledgeable applicants, you are optimizing for people who can guess how you want them to answer your trick question or who are prone to rambling about implementation details without invitation or clear benefit, to expert coworkers who presumably already know about these things.
I was thinking that the code was intended to take advantage of a side effect; like ensuring some flag was cleared regardless of state or provoking a RWX check without an explicit test/branch.
So, I’m not much of a programmer as I’ve done tons of IT Infrastructure work for the past 15 years of my career, but the gist of this is telling the computer to shove its head up its arse and enjoy the smell. Nice. Edit: Reminds me of the time one of our company’s coreswitches’ supervisor module gave up the ghost and failed to failover to the secondary supervisor module because it thought traffic was still flowing when it was in fact flowing into a network blackhole. Now that was fun.
@15:30 does making it `+0` do the same thing? @27:30 I wrote a bootloader that transfers its state information (e820 memory map etc.) to the booting kernel with a struct at memory address 0.
Lesson 2 will cover *(char*) 0 = 1-1; it is expected to last 2 hours, and it'll dive in microcode, so, bring coffee.
Students willing to take lesson 3 get prepared to deal with 2 (two) lines of code, and bring a copy of L. Susskind's book, Introduction to Black Holes.
yes, I want a talk about the entropy of a single bit change from 0 to 0 when the clock ticks
plus there is that laugh like 'hear me all around the world laughing'
Can you implement a C++ compiler on the event horizon of a black hole?
I kinda want to do it now 😂
@@Bourg
OMG it’s HIM!
This presentation reads like one of those essay-length Stack Overflow replies that answers everything that you asked, and then dives into questions you didn't know to ask, all while citing sources.
so, is that a good thing or not? cuz i (try to) write those often :D
@@garethma7734 it IS a good thing, if that's what you're already doing be proud to help curious people this much, not necesearly the original poster but also people coming later and reading your reply !
That makes me think of my Latin professor who got behind on lessons about basic grammar going off topic about things like how a particular word developed from archaic Latin and proto indo european.
@@garethma7734 Well it's better than saying "this question is a duplicate" when the said duplicate is 12 years old and doesn't work anymore... You have no idea how many people are looking for you guys.
@@garethma7734 I honestly LOVE IT when I stumble upon those kinds of replies whenever I have to resort to searching Stack Overflow for answers, because those kinds of replies always lead me places I didn't expect, help me to avoid traps for young players, and I usually learn a few new things along the way! 😄Keep writing your essays that answer the question then half a dozen follow-up questions. They're WAY more helpful than you think they are!
I looked at that and thought, "oh, that is the text of a unit test case for a c++ compiler". Mere minutes later in the talk, two compiler bugs have been revealed.
The "-0" bug is strange. One would think the compiler able to expression resolve, instead of hard-coding for typical illegal values. I mean, once you're in illegal territory, isn't it likely the programmer wanted something different than actual zero, and so there is a runaway expression there? :-)
A great talk covering so much ground, by a great presenter, and with gorgeous slides. Something for all C++ developers here: I guarantee you'll learn something!
And wonderful audience members in the first row! ☺️
@@Bourg only the very best
Yes Matt.
Well... I learned C++ apparently makes return optional for int main, and this person loves calling hierarchical arrays hash tables, and made diagrams that point every which way inconsistently.
Most of all, they took pride in being unclear, so people couldn't make an informed decision on whether to watch the talk, which is a meandering description of how a memory access may or may not work (including how it may be entirely removed by the compiler).
As an ageing programmer with hardware experience I have mixed feelings about this talk. The low level concepts he is trying to explain are valid and completely clear to me. But I guess it's targeted to an audience that is familiar with certain C++ constructs but has no idea how hardware actually works. For me it's quite the opposite. BTW, I used *(char*)0 = 0 to provoke an application crash in order to see what a certain device driver does when a calling application terminates unexpectedly.
Easily the best looking slides I've ever seen for a presentation
I started programming in 1977, so I'm old enough to take code like this at face value: For some reason, the programmer wants to store an int=0 at virtual address zero. Back in the days I would use code like this, typically with a short offset from zero, to store an interrupt handler address into the OS IRQ handler table which was stored at absolute address zero.
EDIT: I saw later that he got into my exact usage, with the div_by_zero x86 vector!
It is indeed pretty amazing how much that has to happen for each and every instruction that is executed in a modern CPU. 🙂
But the value written is a char, not an int. The programmer wants to set the first memory location (whatever size _char_ happens to be on that architecture) to zero.
This was a surprisingly wonderful video.
I was the weird CS student that loved compilers, assembly language, operating systems, and architecture.
This talk touches on all of them! 😃
Same for me, I absolutely love low-level stuff !
Me too, I'm currently working on designing a whole multiple processor and cache system in Logic World, which I'm planning to write an OS for on itself, to write programs in the game for my processor to run in my system. This serves absolutely no purpose besides to have fun and learn a bit, which I think is the best purpose a project can have :)
This kind of stuff is always the best part. I like how, despite the initial code presented being a pretty simple memory cast and dereference, there's so much to go into from that little bit.
Next step is electrical engineering to complete your knowledge
@@w花b That's what I loved on my CS studies, as I minored in electronics. I got the complete view from passive analog components to software running atop an OS on a (back then) modern computer. Every step was covered!
The video starts with "My name is Jeff" and I now can't get that meme out of my head, dang it XD
Was looking for this comment. His "My name is Jeff" made my laugh :"D
Knowing when to say "I don't know" is what this presentation really made me excel at.
That is approximately after 1 hour of explanations of topics around the question?
As someone who started out on 6502 this code makes me proud that page zero is not forgotten ;) Because, who is the compiler to tell me I can't use the first byte in the most important memory segment!
Was just thinking this!
On Windows, AFAIK, we lose a complete page due to this, i.e. 4096 bytes (because you can only specify access in a PTE, which covers 1 page). You wouldn't do that on a 6502.
@@roboterbasteln it’s not a big deal though on Windows since you have virtual memory and thus only have whatever overhead there is to setup the trap.
Also, how in the world were people writing code where null is a valid address? I’ve programmed on a machine with 4k memory and it still seems like madness to not reserve that first byte as the marker for “invalid address”.
@@Dyllon2012Back in the day, the concept of "invalid address" wasn't yet invented.
I do a lot of work on microcontrollers and on the MC9S08 that I use a lot, this line of code sets all PORTA bits to zero. Depending on what the application is, this might be a reasonable thing to do - to turn all of the LEDs off on a front panel or something. I do find it slightly disturbing, I’d rather see it written as PORTA.R=0x00.
As a recent computer science graduate, who procrastinated, and never took studies too seriously. I find this inspiring. I want to be able to talk and reason and go off on a long knowledgeable tangent about technology like this man.
I'm going to start studying on my own time again, and start to learn systems and all these cool nerdy lower level things 😊
Program things, you'll learn quicker
I say this as a person who does C# stuff and is probably not as well educated as you lol
Finally, someone who went into the proper level of detail. This was great. It takes a good deal of low and high level experience to do this well. Most videos provide an interesting title and thumbnail and give no gems or anything of deep substance, merely regurgitating basic encyclopedia knowledge. This is refreshing.
Proper level? You mean there was more? 😂
@@xpusostomos Yes, I would love to see a part two that gets into the details of how the TLB happens, and how hypervisors work, and all the details of the machinery of stuff like gdb, cachegrind, and qemu. I think virtualization is *very* interesting.
I'd also love to see it approached from an embedded perspective where you often have SBCs with some more exotic cache and memory architectures.
@@xpusostomosThere is always more. Always.
At a local user group (60 miles down the coast from where the talk was given) we spent a few weeks playing with microcontrollers (bare metal, no OS), it was cool seeing the reaction to working in such an alien, yet familiar environment. On many ARM cortex M implementations, address 0 is the start of the vector table. Offset 0 in the vector table holds the initial stack pointer value. In many ways, programming something like the RP-2040 (Raspberry Pi Pico) is like a trip back to the early 80s.
This is exactly why I ended up back in development again after burning out doing traditional development targeting desktops and servers. I got scouted off of a website where I made some embedded stuff as a hobby, which I was only doing because coding on those little platforms reminds me of coding in my childhood on 65c02 and 65C816 cpus in the 1980s. I wouldn't be coding professionally anymore if not for this. It's a whole different world, and a ton of fun. :)
on AVR registers are mapped into memory, so 0 address is actually an 'r0' register )
Radical!
Funny thing is that the Zelda 2 "I am Error" became an error, because his counterpart got lost in translation. There is another character whose name is supposed to be "Bug", but because of Japanese pronunciation rules, his name is Bagu, which got translated into English directly as Bagu instead of Bug. Thus the Error - Bug reference got broken.
Cachegrind now longer models the cache by default (since April this year and will be part of the 3.22 release due out in a couple of weeks, around October 20 2023). So now cachegrind is really "instruction-counter-grind". You will need to specify --cache-sim=yes to turn it on. If there are any keen experts in CPU cache architecture that would like to contribute to Cachegrind's cache model please get in touch.
Casey Muratori used this in Handmade Hero for creating assert macro.
```cpp
#if HANDMADE_SLOW
#define Assert(Expression) if(!(Expression)) { *(int *)0 = 0; }
#else
#define Assert(Expression)
#endif
```
Woohoo!
23:05 is what I want. I want it to compile to `mov 0, [0]` or whatever functionally equivalent assember instruction for the particular architecture. No less no more :-P
And if the code was running on a microcontroller without a MMU, or x86 in real mode, or 6502 or z80 or... I actually expect it to write 0x00 at memory location 0.
I haven't done C++ since around 1990 and this talk brought back flashbacks... I loved it!
I feel like I needed to pass 4 years of CompSCI and also understand the entirety of FPGA engineering theory to understand this single line of code.
But seriously, I've written this exact line before, and I did it to simulate a hard segmentation fault when I was testing a crash reporting C++ library :)
The exact line? Including the char cast?
@@xpusostomos well you don't have to do it as a char cast, though you have to match it with the data you are assigning, so if you try to cast an integer as a float, you will get kickback unless you put a decimal point....stuff like that. The point of the line is simply to create a fault or to verify the level of permission of the underlying code base....so if you were not to get a fault, then you most likely be at highest permission levels (a virus may do more damage at that level). Some applications may request permissions from the OS and then trap test to make sure they were followed, like warden systems and such, but usually that's on a read-only basis and not dealing with writes. Older emulations would fault out and ignore OS delegation, which would be a flag for warden systems to know if it was being sandboxed, but that's not necessarily the case anymore. It also allowed OS itself to know if it is in a sandbox or has full CPU control, so if you were writing an OS, you would do these traps to test privileges before "taking over" delegation ops....if it is sandboxed, then a good OS would block some operations (like file access to pass-encrypted stuff) in order to protect sensitive material.
emulations and "hackers" are getting better, but for an analogy, just because criminals can bust through your door doesn't mean you should keep your door unlocked. still safer practice than your code just assuming its place.
Yes you can. In alternative universe you can intuitively know it's just a crap of code and do useful stuff. This whole talk reminds me of old article from joelonsoftware about stratosphere architects who design awesome super stuff that nobody needs, while others do useful stuff.
One of the best talks I've seen in a while! In my last job, I was porting a game to Xbox One and I got used to this exact code as a quick and dirty way to breakpoint what I was doing. Great memories! 😅
@@pre-ansi-c-forever I believe the debugger is called when something errors out hardware side (whether it is via interrupts or via whatever mechanism), allowing the debugger to inspect memory at that point.
So a debugger will catch a program before a "crash" (termination). If you then change things, it might allow you to continue, at least higher level debuggers do (In Godot's GDScript, i don't know about lower level ones).
How is throwing a segfault a useful way to breakpoint haha just put an input()
On any platform I have used, I found this code to be a sure way of crashing the program with a segmentation fault or something similar. Very useful to test your program's fatal exception handler.
Interviewer response: It was nice hearing your ideas about this piece of code - our conversation was very interesting. Unfortunately, we have decided to move forward with another candidate that better suits our needs.
Job security by never hiring someone that could replace you
the other candidate: they/them javascript wizard
Another candidate: _"This is an unholy abomination and nobody should ever write that or waste time on it."_
Interviewer: _"You're hired!"_
I enjoyed your presentation. It made me wish I had gone down the path of being system engineer instead of working with databases. It was simple enough for a non-system engineer to understand and yet deep enough to make it interesting.
This is the most fascinating talk I've ever watched all of and understood none of. I'll take my yaml and python scripts now and head back to my own sandbox to eat the sand.
😂😂😂
and you know what is missing.. at the start, a comment by the programmer to specify what the intend. It's called 'maintainability'
I remember a few years back the Linux kernel added X86_RESERVE_LOW to allow you to reserve memory starting at 0x0 to prevent a possible privileged escalation where in certain circumstances malicious instructions could be written starting at 0x0 which would then get run when some other program tried to null pointer de-reference. At the time I went "Wait REALLY?? Writing to 0x0 won't always simply segfault?". But apparently there were some circumstances where it was possible.
I guess since then the first 1M of memory is reserved so X86_RESERVE_LOW isn't needed anymore.
Me when UB is undefined 🤯
I was thinking this the first time I started to dig into the code. Either it's process memory mapped, or it'll hit some sort of OS memory protection, because 0x0 is a pretty important piece of memory to block access to. It took pretty long into the presentation before he explained that the significance of the memory depends on the specific device. You could work with a device where the 0x0 address contains valid data, which is pretty trippy. Although I'd argue that there's a more clear way to write that code than to do what amounts to a null dereference in 99.9% of cases.
A pointer dereference doesn't run code. I'm not sure if you know how code works, but you have to invoke the function pointer for it to execute. If it is the divide by zero interrupt handler in x86 real mode than still won't run code. Then you would actually divide by zero to run the code.
I've worked on major software projects where previous authors didn't initialize variables in the constructors. They assumed that the memory the classes would be newed up in was always going to be 0! Then again, this was code using the C++03 standard written around 2015, and was still on C++03 post 2020!
Those are different. X86_RESERVE_LOW reserves physical memory and prevents it from being allocated. This was done because the BIOS can't be trusted not to corrupt it, which would corrupt random memory that was allocated to some process. The BIOS would normally be out of the picture when the OS is booted and has entered protected mode, but it's sometimes invoked before/after hibernation. If X86_RESERVE_LOW is no longer needed, it would perhaps be due to UEFI boot which is not as ad hoc as a BIOS.
The first 1M being reserved is in virtual memory, meaning that the lowest 1M of the virtual memory is mapped to pages that are non-writable and writes there will be trapped. It's unrelated to X86_RESERVE_LOW.
that talk is me the day I found out about virtual memory lmfao. It's so complete and great, I spent some time reading cpu manuals and that blew my mind at the time
Well this talk is a lot of fun. I wasn't expecting this to get into the page table layout. Having recently played around with writing my own kernel in Rust, a bunch of this was pretty fresh in my mind.
This is a brilliant talk -- Technically as well as inspiring to many aspiring presenters. Builds up from core concepts! 🎉
I could imagine the fun it would have been on a live stage.
I really loved the slides, the programmer fonts and how cool the title of this talk! Intriguing! 🎉 JF onto my favourite speakers list. Thanks!
Thank you! It is much appreciated that you have made so many positive comments regarding JF Bastien's presentation.
I love this discussion since I am a grey beard. I started programming in 1977 and have programmed systems with a 36 bit word length (Honeywell), 60 bits (CDC Cyber 760 which used ones complement), and 24 bits (Harris H series). Far too many programmers today assume the Intel x386 or AMD x86_64 CPU model assume that is the only behavior that exists.
Perhaps I'm a white beard ;-) Also Honeywell (DPS8; EIS box allowed double-words 72 bits), Control Data 1604 (I don't remember the word length). Univac 1830 (30 bits if I remember right). The registers in this presentation suggest the Motorola chipset (68000) rather than Intel.
Well, hello there! I also started in 1977, on a Unisys1100 (36 bits afair). The strangest cpu on which I've written asm code was the HP 85/87 lab computers which had 8/16/64-bit registers all stored inside a 128-byte block of static ram: You could start a register access at a misaligned offset and get 3-byte/4-byte/5-byte/etc "registers".
Currently working (unpaid) on the Mill architecture which doesn't have registers at all, just a belt which will automatically garbage collect all values after a number of instructions have been executed.
Are we ignoring the fact that he started the video with a totally unironic "so hello, my name is jeff"?
“JF” is my name, non-ironically.
I need more cache memory for my brain. I get to have fun with page tables, and then he asks: "what were we talking about?" and I'm like: that is definitely a good question, as I completely forgot that this all started with setting a value of 0 at address 0.
Every time I want to learn C++ I get recommended terrifying talks like this LOL. I appreciate what these programming languages do but I'm not sure if I'll ever be able to absorb the knowledge about it to this extent. I can only hope that extent differs for what you want to accomplish but also, having knowledge about something could never hurt.
Been coding since 1975, cards, paper tape, ASR33 teletypes, CDC7600 parallel processing…. This was fun!
This talk was amazing! Now I am really curious what other questions/riddles JF has up his sleeve.
What an amazing talk! I started watching this puzzled and asking myself, what could possibly be so interesting about some obvious null pointer dereferencing? I'm thoroughly impressed!
Being an embedded software developer my mind first went to reset vectors, which are often at address 0 (usually in ROM/FLASH).
My next thought was what can happen in Harvard architectures (e.g PIC or AVR). Depending on how the linker script is set up it may be possible for the first static variable to end up at address 0 in data memory. Having a variable with an address of 0 can create some very obscure bugs.
On a bunch of 8 bit Motorola microcontrollers, address 0 is I/O port A. So it is equivalent to PORTA.R=0x00; and this is a valid thing to do if you want to turn off a bunch of lamps or other outputs connected to port A.
Even on modern widely spread architectures like ARM. On Zynq/ZynqUltrascale (Xilinx FPGA's with embedded ARM CPU) physical address 0 is either on-chip memory or DDR. So, perfectly valid memory which you can access. Though the linker script will not allocate variables there by default.
Yeah, this can lead to very obscure errors in baremetal code if your (or some third-party) code checks for null as a sign of an uninitialized pointer (which it usually is).
My mind immediately went to microcontrollers too. Whenever there’s some obscure pointer bit-hacking, it’s bound to have a legit use in MCUs.
As a novice programmer with almost no c++ experience I still almost died laughing beginning at the 7-minute-mark.
Every couple months I come back to this talk because it's so interesting.
Great walk through the depths of things. I first started out with a SEL machine which implemented virtual memory with some internal CPU registers not normally available to the programmer (called, appropriately 'memory-map registers'). I remember reading in the tech manual for the cpu a phrase that went something like: "Since these registers are critical to the operation of the machine, none but the most trusted code should ever attempt to modify them." lol
One project using such machines, had this nasty quirk that if you cleared memory and started it up and started this critical program first, your day was great. But if you shutdown that task and restarted it without rebooting, chaos. Turned out that task had some tricky code that expected certain virtual addresses were exactly equal to physical address. If it was the first task started, the memory manager made it so. But of course after you kill it and other tasks had been running and you restart that task, virt != phys and crash. THAT took a while to find... lol
What a phenomenal presentation. I wasn't expecting it but I'm 100% on board with the roller coaster this was.
Fun fact: main does not need to be a function - can be lets say an array of uint8_t with the machine code haha. Literally used this once. Fun talk.
That may or may not work, but I'm pretty sure it's undefined, or at least implementation-defined behavior. The compiler will often put that kind of data into a .data or .rodata section, which is not set to be executable on modern systems.
What an amazing talk, really inspiring. That's exactly my kind of mindset, talking about all the different aspects of a seemingly simple thing. I would love to meet you in actual interview, to exchange some ideas!
7:26 inspiration, it shows that you can use integer and pass it to address in raw form without 30 lines of code, like: atoi(toa(toi(string.tostring(5)))); and null is now an integer of type char and not null, which you can have some fun with. Like what if you set null to 5. "Are there any people in the room? No, there are none, because there where four and one came in"
i enjoyed every bit of this. it went from i don't anything. compiler stuff. to things i know a bit. unknown unknowns to known unknowns.
thanks for this great talk. ❤️
my immediate answer is that its a DMA hack for an embedded system or its a unit test to cover a very specific requirement from an very particular client. i can see the requirement now... "system shall set caution light when null pointer is deferenced" lol. this is a fantastic interview question because its not a stupid riddle designed to make you feel stupid, but instead it just reveals where your expertise is because its where you will start looking.
I sort of knew what this code did because of two experiences. The first was when I needed a "nop" in C. I was told the closest was (void*)0;. The second was watching the RUclips video "Fast Inverse Square Root - A Quake III Algorithm" There's two lines of code in the video: i = *(long*)&y; and y = *(float*)&i;. The video explains it as a bit hack of floating point numbers. It's a a great video that explains exactly whats happening to the code and why the programmer did it.
Was this before "volatile asm("nop")"
43:50 ASCII doesn't have all those fancy shadows and arrows, looks more like Code Page 437.
I'm not that much into low-level stuff, but the talk was very insightful and even entertaining.
25:19 Also, Error's brother in another town is named Bagu. As in "Bug," to go with the theme.
On the Commodore 64, address 0 holds the data direction register for the 6510's I/O port. On the Amiga a typical declaration would be ExecBase = *(struct Library **)4;. They put the pointer to the kernel library at address 4, so accessing NULL can always be treated as an error.
Another valid use case for dereferencing a NULL pointer is the offsetof() macro in C:
#define offsetof(struct_name, member_name) (size_t)&((struct_name *)NULL)->member_name
Hm, technically you're not dereferencing anything there, the & operator causes the lvalue to not become an rvalue (it serves the purpose of the x86-64 LEA instruction but in C).
And the fun thing you didn't mention was how the CPU does a 'context switch'. A lot of those cache pointers have to change every time the CPU switches from one program to another, so the two programs are blissfully unaware of the virtual memory mapping of each other. As you touch on a couple times, you CAN make two programs share a common block of physical memory, but you have to work at it. And that is a key place to tell the compiler some data is 'volitile'.
Shhh, that part is magic
The auto transcription transcribes kibibyte and kibibit as kitty byte and kitty bit and it's adorable!
I'm just learning C from Python (not even C++). It was difficult to keep up with but I got there, with my brain mostly in tact.
Sometimes you run into a talk that you just needed to hear... when you are missing the forest for the trees. Thanks!
My favorite possible effect of `*(char)0 = 0;` is formatting your hard drive :>
Actually as written that's a compile error, you can't deference a char ;)
Besides, the best possible effect of UB is causing demons to come flying out of your nose, everyone knows that
You couldn’t accurately copy 14 characters. No hire.
On the Apple-II family machines with Disk II controller or equivalent (a popular machine throughout the 1980s, with a sales volume of around six million), reading 0xC0EF shortly after a disk access would start overwriting the current disk track with whatever data happened to be fetched on every 32nd cycle until the next access to 0xC0EE. That's an actual platform--an hardly an obscure one--where a single stay read could trash the contents of a disk volume.
@@StarwortAssembler: "The hell I can't!"
On the VAX, dereferencing address zero returned zero. I *think* I first encountered a SEGV (or maybe a bus error) on an early 68010-based (yes, 68010) Sun workstation when dereferencing 0. I've worked with older architectures where the register file would overlap with the low addresses; for example, on the Univac 1100 series, register A0 was the same as address 0 of the address space, X0 was address 16 (or something like that; it's been way too long). The 1100 (and not only) were fun, in that they were one's complement machines, so that -0 in your example would have been all-ones.
And then there is all the fun of embedded systems without an MMU!
I thought that on the 68k address 0 is your starting stack pointer value or the starting PC value (I forget which)
The 68k family is highly regarded, why the "yes, 68010"? 🤔
There's the question of "can" you execute this, and then the question of "what might it mean." It depends both on architecture and memory model layout. The result could be anything from yes with an effect of nothing, to an immediate runtime error, to setting up something obscure in the way the system will operate or malfunction (as by code invoked by destructors).
I remember back in Usenet days on comp.lang.c where it was discussed that one could do a read dereference of the byte at address zero on VAXes running BSD which would come back with NUL. Therefore a NULL pointer was a usable shortcut for a zero length readonly "C" string. However I do not remember if the VAX memory model would permit a write, as here. (I recall on BSD this would throw a SIGSEGV.) Writers of C code (let alone C++) were admonished never to assume what the byte at address zero will be, if it can even be read at all, because "the world is not a VAX."
This only goes to show how ancient I am....
I'm not a professional C++ dev but this talk was excellent and sparked my curiosity througout; superb presentation!
Very glad to hear that you enjoyed JF Bastien's presentation on all levels! Thank you.
Admittedly I even barely write code, but this is pretty interesting. In terms of I knew most of these things about the main function but I wouldn't have thought to pick them from the depths of the brain even when asked, they're so "obvious" and taken as granted, you wouldn't even think to do them when since the beginning you've learned not to even consider them. I got to the point of thinking it's assigning a null pointer, but what I think would've been a great answer (my humble personal opinion of no skill and experience worth talking about in programming): why is there no comments made when you're writing code like this. The least you could and probably should do is writing the comment explaining what you're doing and attempting to do with your choice of code.
Watching this really makes me think of the creator of C++ saying how it's more difficult to shoot in your own leg in C++, but when you do it blows your whole leg off. This quickly spiraled into incomprehensible mess. The feeling when you understand the japanese better than the code.
All in all great speaker, good humour. Barely kept up with the content but enjoyed all of it. And probably learned a thing or two.
This feels like one of those afternoon beer talks, sitting on the porch chairs, going through subjects almost as fast as the inflation rate increase, and twice as fast through beers, until the sun has set hours ago and the wives call threatening to pack your stuff and leave it at the door...
Lovely. I remember, c1976-9, a micro OS on 8080 that fitted at the bottom bytes of 1 UV EPROM (~1kB maybe) where the 0-7 interrupt levels mapped to 0000h, 0008h, 0010h, etc, and one of the Interrupt service routines (ISRs) was 9 bytes long, so overran into the next routine, but was ended with a 'jmp' instruction, with high byte, still being 'local', set to 00h, so it was NOOP instruction for the first byte of the following ISR (little endian).
Oh, it was driven by a Teletype with a paper tape loader. We then updated to FORTH. The good old days.
52:05 『The most elementary and valuable statement in science, the beginning of wisdom, is "I do not know".』 -- Data ST:TNG S2E2 "Where Silence Has Lease" 08:10 stardate 42193.6
Kinda funny that my first thoughts corresponded to your final descriptions re: virtual address spaces, memory protection, page tables, etc. finally ending with "it depends". And I retired today (last day of professoring). I think the two are connected - i.e. a certain perspective that comes with time. And then you die. The human condition.
Its fascinating watching this guy being so fascinated with all these things! 😊
2:29 start of the class
48:26 after you fall asleep for a second
❤
This was an amazing journey. Well worth the watch.
It’s really interesting how the feelings of C++ programmers are different from the ones of C programmers. I belong to the later group, and I felt the talk was for another audience just when my feeling on the first code was not one of the given options (I consider it bad code, something I wouldn’t write, but cool and nice at the same time, while I cannot stand the horrible syntax of the supposedly “nicer” C++ified versions). So, when “I love it” was not present in the “denial, angry, etc.”, options, I realized it’s true that the C++ feelings are so distant from mine.
How would you rewrite it in C to be painfully obvious what the intent is?
To really now what's happening here is, compile it on several processors with different word sizes and if it compiles, analyze the machine code or disassembly.
A demo on how to debug this kind of thing with gdb and/or qemu would be great.
This is a great talk!
I've asked firmware engineers interviewing for silicon bring up positions how they would be able to use memory on a system before they have initialized the dram controller (assume no sram).
Answer: use the cache - just make sure it's set as write back and choose your temporary memory map so that you don't trigger cache evictions from your outward most cache that is configured. This is a trick I learned from a coworker when he used that in the bootloader on a PowerPC system we were designing.
Awesome talk, very entertaining and inspiring! When JF ask, how do we usually express this line in C++, I had expected simply `*static_cast(nullptr) = 0;`, or do I overlook something?
Same. Maybe he really wanted to talk about std::bit_cast! The static_cast code will compile with the same "indirection of non-volatile null pointer will be deleted, not trap" warning (at least with GCC and clang). And any level of optimization will indeed generate no assembly at all for this expression.
It depends what you want to do. Imagine you're running on a microcontroller that enumerates some digital out ins in the first eight bits of memory space, and you want to pull all those pins high. How do you write that in C++? It's certainly not how you wrote it.
Re: "as if my memcpy" from nullptr:
In real, contemporary, architectures we expect a null pointer to be all zero bits. But that's not required by the standard, and the actual representation can vary by type. The casting of one pointer type to another should preserve nulls, transforming the representation if required. But that is bypassed with memcpy! And nullptr_t is a distinct type having one value, and what that value looks like as bits doesn't have to have anything to do with the representation of an actual pointer.
edit: OK, you mentioned this later.
Laughs in 6502 Assembly
I've worked on two systems where "0" was a valid address. On the Sunplus SPG series where 0 is the first valid address and you have a lot of control of the memory layout. And of course the Commodore 64 where the MOS 6510 cpu had two memory addressable built-in registers at addresses 0 and 1 used a general data port that were connected to memory banking and datasette control. There "*(char*)0=0;" would do something potentially useful.
Found the c64 one out the hard way when I used $00 and $01 to store joystick reads... shouldn't have done that!
Clearly Matt Godbolt and I are from the same era, home brewed breakpoints were the first thing I thought when I saw the title.
What did JF use to make the presentation? I need to know - I'm in love with the ascii aesthetic!
Keynote, with Berkeley Mono font.
This is pure magic. I only thought that assembler allows for magic - or PERL. But this is way cooler!
Loved this. The OS I work on uses this as a convenient way to jump to the process' fault handler, so I appreciate the reminder to use volatile!
What would be even better would be if compiler writers would recognize that they shouldn't expect to understand the purpose behind lvalues like `*(pointer_type)intexpr`, and should refrain from making optimizations that presume they do understand such code, with or without the qualifier. The qualifier was added to deal with situations where a compiler might make what what would otherwise be reasonable and useful inferences, but such inferences in the vicinity of integer-to-pointer casts are almost never useful anyway. On the other hand, with clang and gcc, making pointer-to-integer casts and then performing calculations and comparisons involving the integers may result in inferences about the pointers that are simultaneously clever and wrong, *even if the integers are never converted back to pointers*.
What this talk taught me is that I know nothing about C++. Serioulsy, I would walk out of the interview out of respect for the interviewer's time. "Thank you for your time, but I don't know how to program anymore."
*(char *)0 = 0: what is this?
A deep deep rabbit hole, that's what it is.
32:32 I'm pleased hear "kibibytes" used (vs "kilobytes"). I think this may be the first time I've actually heard anybody use the term---which is objectively the correct one to use here.
I'm still upset they created the new terminology. In my mind a kilobyte is 2^10 bytes
This is so incredibly fascinating. I love it.
24:12 ... I was trying to think of a use case where this would be valid.... i like to work on harvard architecture microcontroller systems with no memory management... and there, this becomes almost "just assigning a variable".
Oh yeah.... memory mapped registers.... I think this could compile down to `LDI r0, 0` ... that's kosher!
We had an opensource project where people kept asking the same question and wouldn't read the simple "getting started" guide and look through the config file. We put 2 entries in the config file crash1=true and crash2=true at the bottom. If those were set we would essentially run code kind of like this. Just crash. The next time someone came in to our IRC (ye.. this was a long time ago..) with "its crashing on startup!" we could just tell them to RTFM.
Crazy direction to take this to. My thoughts: If there actually was a value to be read at address 0 without raising exceptions that is not used anywhere else, we could actually use this line to make the empty string "" 'equal' to nullptr (in a C-string sense), because 0 would be the address of 0 which would be the empty 0-terminated string:
*(char*)0 = 0;
cout
Having address zero hold a zero byte can eliminate a lot of null checks in code that is designed to exploit that.
This is really cool, I love every single second in this talk. Thank you so much for sharing.
Your comment is very much appreciated!
Amazing. On my system, sizeof(char*) and sizeof(-0) both are 2. It compiles without warning to "jmp 0;" which is just what I intended. It's only a C compiler though. If I call it from beyond 64k it compiles to "ljmp 0;"
My first question was: Why char*? Why not void*?
But I'm sure that's another one hour talk....
Wtf? Is your computer somehow 16 bit? I don't understand
@@dunda563 Apple systems use 2 bytes for 'char'.
You can't dereference a void* because you don't know what's there.
On first view it looks more like an unintended human mistake (like writing nul to nulptr or zero into nirvana). If address 0x00000000 is by hardware design intended to be written to by a running software it can make sense to do so. The usefullness vs. non-sense of writing into a memory address (here to the first memory address addressed by constant integer zero) depends always abut the executing (target) hardware is specified by the addressed hardware at that address; may be its the first entry of an interrupt vector table starting at 0x00000000, or some other hardware function, it just really depends on the hardware component (just a memory chip, or memory mapped i/o to timer chip, serial i/o chip etc.) is selected at this memory address and what a memory write for this here addressed hardware component means (set a value or masked bit in the selected register or start/trigger/execute a hardware compnents action like ADC, counter).
A compiler that respects the Spirit of C principle "Trust the Programmer" would operate on the presumption that a programmer who didn't want a write to address zero wouldn't have written the above code. The Standard wouldn't require that a compiler support such constructs if it's never going to be used for any tasks where they would be useful, but the Standard expects that people seeking to sell compilers would be in a position to judge their customers' needs better than the Committee ever could.
Great talk! I have a slight nitpick, though: At 32:58, the memory is shown such that greater addresses are further down. But at 39:44, greater addresses are further up 🤔
damn so many things i learned from this.
i didn't expect that he would talk about all of those interesting things even though it all started from a simple line of code that would usually crash.
As someone who writes code in embedded systems and microcontroller, I don't want the compiler to get in the way of writing to location 0. So I'll stick to C and not have C++ nannying me with my pointers.
I've asked a variation of this question since 1990 in interviews. In an old unix port from the 80s had ((int(*)())0)(); This would reboot the system. There was a bunch code above it that reset hardware. It then jumped to the reset vector on this architecture. This is UB these days... it was a great conversion piece.
That is the most hideous mess of parentheses I've ever seen
If *(volatile char*)0 = 0; were being written for the old NES/Famicom, it'd work just fine. It'd write the byte 0 to the RAM address 0. (Ordinary RAM occupies the first 2 KB of memory in the NES.)
I guess the statement tells the compiler, there is an object of type char at address 0 and I need you to write the value 0 there, and don't try to optimize it away.
Yeah that's right
And it was fairly common for Playstation games to leave a chunk of memory at 0 for any null pointer writes to safely go somewhere. (Which meant you never needed to check for nullptr before writing which freed up valuable processor cycles for more important work.)
17:00 Re -0
Is that really a compiler bug? The literal integer constant 0 is taken as the null pointer. The result of the unary negation expression is NOT. Looking for other ways to indicate 0 in the AST would have to be a warning only.
This could be an orthodox way to get past the compiler checking in an embedded application where you really do want to address that byte (e.g. a configuration register, or an interrupt vector).
I do not agree that this is a good interview question, at least with this aim.
It's an interesting question for at most five minutes of an interview. It's useful as a test of whether an applicant is capable of entertaining the possibility that (1) this was just bad code and (2) this was intentional and (3) how much weight they give to each possibility. You want a programmer who is willing to say "this was probably a mistake" instead of spending a ton of time trying to decipher the intent because some code really is just bad. You also want a programmer who is willing to consider that there might be a good reason for a piece of code they don't immediately understand, and is intuitive and knowledgeable enough to guess what that intent might be. Someone who says "this looks like bad code...but hmmm, maybe this was just a way to generate a trap" (or any other plausible explanation) is a promising candidate, and you should move on to the next question.
But if you want to know if I understand what's going on under the hood - ask me. This is like some teen magazine relationship test. The worst kind of interview is the one where it's a game with trick questions where I'm supposed to guess that by asking me about this line of code, you actually want me to talk for an hour about whatever random aspects of computers and compilers I can think of. The video is right: this could lead in a ton of different directions. So ask me to talk about them. Don't pose the question then wait to see if I pass the secret test by launching into a digression about a few of them at random.
When you ask interview questions like this, you are not optimizing for knowledgeable applicants, you are optimizing for people who can guess how you want them to answer your trick question or who are prone to rambling about implementation details without invitation or clear benefit, to expert coworkers who presumably already know about these things.
I was thinking that the code was intended to take advantage of a side effect; like ensuring some flag was cleared regardless of state or provoking a RWX check without an explicit test/branch.
So, I’m not much of a programmer as I’ve done tons of IT Infrastructure work for the past 15 years of my career, but the gist of this is telling the computer to shove its head up its arse and enjoy the smell. Nice.
Edit: Reminds me of the time one of our company’s coreswitches’ supervisor module gave up the ghost and failed to failover to the secondary supervisor module because it thought traffic was still flowing when it was in fact flowing into a network blackhole. Now that was fun.
@15:30 does making it `+0` do the same thing?
@27:30 I wrote a bootloader that transfers its state information (e820 memory map etc.) to the booting kernel with a struct at memory address 0.
no, +0 still throws the warning.. i checked, if i had to guess +0 is just 0 which is caught in the AST check mentioned
I found this really interesting... Very well explained :)
-0 is not 0 on a 1-s complement arch. Not sure if there is a c++ compiler that runs on CDC6500 : (