Null pointer
In
A null pointer should not be confused with an uninitialized pointer: a null pointer is guaranteed to compare unequal to any pointer that points to a valid object. However, depending on the language and implementation, an uninitialized pointer may not have any such guarantee. It might compare equal to other, valid pointers; or it might compare equal to null pointers. It might do both at different times; or the comparison might be undefined behaviour.
Because a null pointer does not point to a meaningful object, an attempt to access the data stored at that (invalid) memory location may cause a run-time error or immediate program crash. This is the null pointer error. It is one of the most common types of software weaknesses,[1] and Tony Hoare, who introduced the concept, has referred to it as a "billion dollar mistake".
C
In
In practice, dereferencing a null pointer may result in an attempted read or write from
0000:0000
is readable and also usually writable, and dereferencing a pointer to that address is a perfectly valid but typically unwanted action that may lead to undefined but non-crashing behavior in the application. There are occasions when dereferencing the pointer to address zero is intentional and well-defined; for example, BIOS code written in C for 16-bit real-mode x86 devices may write the interrupt descriptor table (IDT) at physical address 0 of the machine by dereferencing a null pointer for writing. It is also possible for the compiler to optimize away the null pointer dereference, avoiding a segmentation fault but causing other undesired behavior.[6]C++
In C++, while the NULL
macro was inherited from C, the integer literal for zero has been traditionally preferred to represent a null pointer constant.
Other languages
In some programming language environments (at least one proprietary Lisp implementation, for example),[citation needed] the value used as the null pointer (called nil
in Lisp) may actually be a pointer to a block of internal data useful to the implementation (but not explicitly reachable from user programs), thus allowing the same register to be used as a useful constant and a quick way of accessing implementation internals. This is known as the nil
vector.
In languages with a tagged architecture, a possibly null pointer can be replaced with a tagged union which enforces explicit handling of the exceptional case; in fact, a possibly null pointer can be seen as a tagged pointer with a computed tag.
Programming languages use different literals for the null pointer. In Python, for example, a null value is called None
. In Pascal and Swift, a null pointer is called nil
. In Eiffel, it is called a void
reference.
Null dereferencing
Because a null pointer does not point to a meaningful object, an attempt to
- In access violation, because the null pointer representation is chosen to be an address that is never allocated by the system for storing objects. However, this behavior is not universal. It is also not guaranteed, since compilers are permitted to optimize programs under the assumption that they are free of undefined behavior.
- In Delphiand many other Pascal implementations, the constant
nil
represents a null pointer to the first address in memory which is also used to initialize managed variables. Dereferencing it raises an external OS exception which is mapped onto a PascalEAccessViolation
exception instance if theSystem.SysUtils
unit is linked in theuses
clause. - In Java, access to a null reference causes a
NullPointerException
(NPE), which can be caught by error handling code, but the preferred practice is to ensure that such exceptions never occur. - In first class object. By convention,
(first nil)
isnil
, as is(rest nil)
. So dereferencingnil
in these contexts will not cause an error, but poorly written code can get into an infinite loop. - In .NET, access to null reference causes a
NullReferenceException
to be thrown. Although catching these is generally considered bad practice, this exception type can be caught and handled by the program. - In Objective-C, messages may be sent to a
nil
object (which is a null pointer) without causing the program to be interrupted; the message is simply ignored, and the return value (if any) isnil
or0
, depending on the type.[9] - Before the introduction of Supervisor Mode Access Prevention (SMAP), a null pointer dereference bug could be exploited by mapping page zero into the attacker's address space and hence causing the null pointer to point to that region. This could lead to code execution in some cases.[10]
Mitigation
There are techniques to facilitate debugging null pointer dereferences.[11] Bond et al.[11] suggest to modify the Java Virtual Machine (JVM) in order to keep track of null propagation.
Pure
Where a language does provide or utilise pointers which could otherwise become void, it may be possible to mitigate or avoid runtime null dereferences by providing
Similar analysis can be performed using external tools, in some languages.
History
In 2009, Tony Hoare stated[15] that he invented the null reference in 1965 as part of the ALGOL W language. In that 2009 reference Hoare describes his invention as a "billion-dollar mistake":
I call it my billion-dollar mistake. It was the invention of the null reference in 1965. At that time, I was designing the first comprehensive type system for references in an object oriented language (ALGOL W). My goal was to ensure that all use of references should be absolutely safe, with checking performed automatically by the compiler. But I couldn't resist the temptation to put in a null reference, simply because it was so easy to implement. This has led to innumerable errors, vulnerabilities, and system crashes, which have probably caused a billion dollars of pain and damage in the last forty years.
See also
Notes
- ^ "CWE-476: NULL Pointer Dereference". MITRE.
- ^ ISO/IEC 9899, clause 6.3.2.3, paragraph 4.
- ^ ISO/IEC 9899, clause 7.17, paragraph 3: NULL... which expands to an implementation-defined null pointer constant...
- ^ ISO/IEC 9899, clause 6.3.2.3, paragraph 3.
- ^ a b ISO/IEC 9899, clause 6.5.3.2, paragraph 4, esp. footnote 87.
- ^ Lattner, Chris (2011-05-13). "What Every C Programmer Should Know About Undefined Behavior #1/3". blog.llvm.org. Archived from the original on 2023-06-14. Retrieved 2023-06-14.
- ISBN 0-201-88954-4.
- ^ "CWE-476: NULL Pointer Dereference". MITRE.
- ^ The Objective-C 2.0 Programming Language, section "Sending Messages to nil".
- ^ "OS X exploitable kernel NULL pointer dereference in AppleGraphicsDeviceControl"
- ^ S2CID 2832749.
- ^ "Void-safety: Background, definition, and tools". Retrieved 2021-11-24.
- ^ Bartosz Milewski. "SafeD – D Programming Language". Retrieved 17 July 2014.
- ^ "Fearless Security: Memory Safety". Archived from the original on 8 November 2020. Retrieved 4 November 2020.
- ^ Tony Hoare (2009-08-25). "Null References: The Billion Dollar Mistake". InfoQ.com.
References
- Joint Technical Committee ISO/IEC JTC 1, Subcommittee SC 22, Working Group WG 14 (2007-09-08). International Standard ISO/IEC 9899 (PDF) (Committee Draft).
{{cite book}}
: CS1 maint: multiple names: authors list (link) CS1 maint: numeric names: authors list (link)