Robert Love

I dislike answering these sorts of questions as there are so many different answers and the question is underspecified. As Tim Wilson noted, the correct answer is "that is undefined." Full stop.

Nonetheless, I was asked to answer this, so I'll discuss what actually happens on a modern system such as Linux. I think the underlying mechanics are what you are trying to get at.

First, some preliminaries: NULL is numerically zero. That is, NULL == 0 is always true. C and C++ allow, however, NULL's internal representation to differ from zero as dictated by a specific implementation. It is up to the compiler then to translate zero to the proper internal representation and vice versa.

For the rest of this answer, we'll assume NULL's internal representation and its numerical representation are both zero. That is true on nearly any system you will ever work on, including Linux/x86.

So to your question: What actually happens when you dereference NULL? I'll repeat the previous caveat: Doing so is undefined, which means literally anything can happen. Undefined doesn't mean "crash" and it doesn't mean (as many people think) "implementation specific." It means anything—and maybe something different every time—can happen.

Nonetheless, the behavior on Linux is rather consistent: Segfault. How that happens is both simple and elegant:

  1. The page starting at virtual address 0x0 is mapped into every user-space process on Linux with no access permissions (by mapping it, the kernel ensures nothing else will ever be mapped there).
  2. Linux compilers treat the internal representation of NULL as zero and happily let you dereference the pointer.
  3. The page fault handler is invoked as the page at 0x0 is not resident.
  4. The page fault handler notices your operation isn't allowed (as none are).
  5. The page fault handler fails, refusing to fault in the page.
  6. The kernel sends the process a SIGSEGV, for which the default behavior is process termination plus core generation. In other words, you crash.


Thus, without any special compiler or kernel support except a page mapped at 0x0, Linux provides the expected behavior for a NULL dereference.
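The sequence described in the answer above can be observed from user space. The following is an added example, not part of the original answer: a child process reads through a NULL pointer, a one-shot SIGSEGV handler reports the faulting address the kernel recorded, and the parent confirms the child was terminated by SIGSEGV. The names `null_deref_outcome`, `on_segv` and `struct outcome` belong to this example, and it assumes Linux with NULL represented as address zero, as the answer does.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

struct outcome { int term_signal; uintptr_t fault_addr; };
static int report_fd = -1;   /* write end of the pipe, set in the child */

/* Child-side handler: send the faulting address to the parent, then return.
 * SA_RESETHAND has already restored the default action, so the retried
 * load faults again and the kernel terminates the process. */
static void on_segv(int sig, siginfo_t *si, void *ctx)
{
    uintptr_t addr = (uintptr_t)si->si_addr;
    ssize_t n = write(report_fd, &addr, sizeof addr); /* async-signal-safe */
    (void)sig; (void)ctx; (void)n;
}

struct outcome null_deref_outcome(void)
{
    struct outcome out = { -1, UINTPTR_MAX };
    int fds[2], status;
    pid_t pid;
    if (pipe(fds) != 0 || (pid = fork()) < 0) return out;
    if (pid == 0) {
        struct rlimit no_core = { 0, 0 };       /* do not leave a core file */
        struct sigaction sa;
        volatile int *volatile p = NULL;        /* volatile: keep the load */
        setrlimit(RLIMIT_CORE, &no_core);
        memset(&sa, 0, sizeof sa);
        sa.sa_sigaction = on_segv;
        sa.sa_flags = SA_SIGINFO | SA_RESETHAND;
        sigaction(SIGSEGV, &sa, NULL);
        report_fd = fds[1];
        int v = *p;                             /* the NULL dereference */
        (void)v;
        _exit(0);                               /* not reached on Linux */
    }
    close(fds[1]);
    if (read(fds[0], &out.fault_addr, sizeof out.fault_addr)
            != (ssize_t)sizeof out.fault_addr)
        out.fault_addr = UINTPTR_MAX;           /* handler never reported */
    close(fds[0]);
    if (waitpid(pid, &status, 0) == pid && WIFSIGNALED(status))
        out.term_signal = WTERMSIG(status);
    return out;
}
```

Running the dereference in a forked child keeps the observing process alive, which is also how a test harness or crash monitor would classify the failure.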
