Invalid pointer traps (S/6000)

Marc Brandis brandis at inf.ethz.ch
Mon Feb 18 20:16:20 AEST 1991 

The replies I got so far about NULL pointer accesses seem to indicate the
following two things.

	1) The instruction scheduler may decide to execute a load speculatively
	   before it has checked the pointer.

	2) A lot of code would break if *(NULL) != 0.

Before I comment on these issues, let me briefly explain what I found on the
machine. The whole address range from 0x0 to the end of the data segment is
readable, with some areas also writable. There is an additional area for the
stack which is both readable and writable. Since the data segment is usually
allocated at address 0x20000000, this results in a space of about 600 megabytes
which is readable. Due to the inverted page tables in the S/6000, these are
not just shared page table entries pointing to a single page but in fact are 
allocated in memory the first time they are accessed. A program that I wrote
to scan this area caused a lot of paging traffic.

So, this whole stuff has been implemented somewhere in the page fault handler
of AIX.

Let me now comment on the above two points. I do not think that there are very
many cases in which the speculative execution would be of any help, as the
S/6000 does speculative execution in hardware. You can safely place the branch
in front of the load and the machine will speculatively execute the load until
the it is sure whether the result is needed or not. Note that this is 
advantegeous to using a load that has been moved in front of the branch, as
all kind of exceptions or cache misses have to be handled. 

In fact, I looked at the code generated by the XLC compiler with all 
optimizations turned on for several pieces of code that traverse data 
structures including NULL pointers, and I did not find a single example where
the compiler inserted such a speculatively executed load.

I tend to believe more in the second issue that has been raised, that a lot of
code would break. However, I checked several UNIX systems and I found that this
does not seem to be the case for all systems. The test is whether the machines
trap on a read from address 0, sending an segmentation violation signal to the
application.

	Sun-3, SunOS 4.0.3			traps
	SparcStation, SunOS 4.0.3		traps
	DECstation 5000, Ultrix V4.1 (Rev. 52)	traps
	IBM RS/6000 530, AIX 3			no trap
	Sequent Symetry S81, Dynix V3.0.17.9	no trap

So, it must be possible to make common UNIX programs run without having reads
from 0 returning 0. I have to say that I feel a little bit unsecure using 
these systems, as programs that need to access stuff that they do not have
allocated contain bugs for sure. 

But still, it would be great if there were a way to turn this off. In the long
run I hope IBM is able to write their code so that they would not require
reading through a NULL pointer.


Marc-Michael Brandis
Computer Systems Laboratory, ETH-Zentrum (Swiss Federal Institute of Technology)
CH-8092 Zurich, Switzerland
email: brandis at inf.ethz.ch

More information about the Comp.unix.aix mailing list