Segmentation fault
Encyclopedia
A segmentation fault (often shortened to segfault), bus error or access violation is generally an attempt to access memory that the CPU
cannot physically address. It occurs when the hardware notifies an operating system
about a memory access violation. The OS kernel
then sends a signal
to the process
which caused the exception. By default, the process receiving the signal dumps core
and terminates. The default signal handler can also be overridden to customize how the signal is handled.
signal, but SIGBUS can also be caused by any general device fault that the computer detects. A bus error rarely means that the computer hardware
is physically broken—it is normally caused by a bug
in a program's
source code
.
There are two main causes of bus errors:
non-existent address : The CPU is instructed by software to read or write a specific physical memory address
. Accordingly, the CPU sets this physical address on its address bus
and requests all other hardware connected to the CPU to respond with the results, if they answer for this specific address. If no other hardware responds, the CPU raises an exception
, stating that the requested physical address is unrecognized by the whole computer system. Note that this only covers physical memory addresses. Trying to access an undefined virtual memory address is generally considered to be a segmentation fault rather than a bus error, though if the MMU
is separate, the processor can't tell the difference.
unaligned access : Most CPUs are byte-addressable, where each unique memory address refers to an 8-bit byte
. Most CPUs can access individual bytes from each memory address, but they generally cannot access larger units (16 bits, 32 bits, 64 bits and so on) without these units being "aligned
" to a specific boundary. For example, if multi-byte accesses must be 16 bit-aligned, addresses 0, 2, 4, and so on would be considered aligned and therefore accessible, while addresses 1, 3, 5, and so on would be considered unaligned. Similarly, if multi-byte accesses must be 32-bit aligned, addresses 0, 4, 8, 12, and so on would be considered aligned and therefore accessible, and all addresses in between would be considered unaligned. Attempting to access a unit larger than a byte at an unaligned address can cause a bus error.
CPUs generally access data at the full width of their data bus at all times. To address bytes, they access memory at the full width of their data bus, then mask and shift to address the individual byte. This is inefficient, but tolerated as it is an essential feature for most software, especially string
processing. Unlike bytes, larger units can span two aligned addresses and would thus require more than one fetch on the data bus. It is possible for CPUs to support this, but this functionality is rarely required directly at the machine code
level, thus CPU designers normally avoid implementing it and instead issue bus errors for unaligned memory access.
location that it is not allowed to access, or attempts to access a memory location in a way that is not allowed (for example, attempting to write to a read-only
location, or to overwrite part of the operating system
).
Segmentation
is one approach to memory management
and protection in the operating system. It has been superseded by paging
for most purposes, but much of the terminology of segmentation is still used, "segmentation fault" being an example. Some operating systems still have segmentation at some logical level although paging is used as the main memory management policy.
On Unix-like
operating systems, a signal
called SIGSEGV
is sent to a process that accesses an invalid memory address. On Microsoft Windows
, a process that accesses invalid memory receives the STATUS_ACCESS_VIOLATION exception
.
A few causes of a segmentation fault can be summarized as follows:
Generally, segmentation faults occur because: a pointer is either NULL, points to random memory (probably never initialized to anything), or points to memory that has been freed/deallocated/"deleted".
e.g.
Now, dereferencing any of these variables could cause a segmentation fault.
Bus error
.
Compiling and running the example on Linux
on x86 demonstrates the error:
The GDB debugger
shows that the immediate value
0x2a is being stored at the location stored in the EAX
register
, using X86 assembly language
. This is an example of register indirect addressing.
Printing the low order bits
of the address shows that it is not aligned to a word boundary
("dword" using x86 terminology).
code that should create a segmentation fault on platforms with memory protection:
When the program containing this code is compiled
, the string
"hello world" is placed in the section of the program executable file marked as read-only; when loaded, the operating system places it with other strings and constant
data in a read-only segment of memory. When executed, a variable, s, is set to point to the string's location, and an attempt is made to write an H character through the variable into the memory, causing a segmentation fault. Compiling such a program with a compiler that does not check for the assignment of read-only locations at compile time, and running it on a Unix-like operating system produces the following runtime error:
Backtrace of the core file from gdb:
The conditions under which segmentation violations occur and how they manifest themselves are specific to an operating system.
Because a very common program error is a null pointer dereference (a read or write through a null pointer, used in C to mean "pointer to no object" and as an error indicator), most operating systems map the null pointer's address such that accessing it causes a segmentation fault.
This sample code creates a null pointer, and tries to assign a value to its non-existent target. Doing so causes a segmentation fault at runtime on many operating systems.
Another example is recursion
without a base case:
which causes the stack to overflow
which results in a segmentation fault. Note that infinite recursion may not necessarily result in a stack overflow depending on the language, optimizations performed by the compiler and the exact structure of a code. In this case, the behavior of unreachable code (the return statement) is undefined, so the compiler can eliminate it and use a tail call
optimization that might result in no stack usage. Other optimizations could include translating the recursion into iteration, which given the structure of the example function would result in the program running forever, while probably not overflowing its stack.
Central processing unit
The central processing unit is the portion of a computer system that carries out the instructions of a computer program, to perform the basic arithmetical, logical, and input/output operations of the system. The CPU plays a role somewhat analogous to the brain in the computer. The term has been in...
cannot physically address. It occurs when the hardware notifies an operating system
Operating system
An operating system is a set of programs that manage computer hardware resources and provide common services for application software. The operating system is the most important type of system software in a computer system...
about a memory access violation. The OS kernel
Kernel (computing)
In computing, the kernel is the main component of most computer operating systems; it is a bridge between applications and the actual data processing done at the hardware level. The kernel's responsibilities include managing the system's resources...
then sends a signal
Signal (computing)
A signal is a limited form of inter-process communication used in Unix, Unix-like, and other POSIX-compliant operating systems. Essentially it is an asynchronous notification sent to a process in order to notify it of an event that occurred. When a signal is sent to a process, the operating system...
to the process
Process (computing)
In computing, a process is an instance of a computer program that is being executed. It contains the program code and its current activity. Depending on the operating system , a process may be made up of multiple threads of execution that execute instructions concurrently.A computer program is a...
which caused the exception. By default, the process receiving the signal dumps core
Core dump
In computing, a core dump consists of the recorded state of the working memory of a computer program at a specific time, generally when the program has terminated abnormally...
and terminates. The default signal handler can also be overridden to customize how the signal is handled.
Bus error
Bus errors are usually signaled with the SIGBUSSIGBUS
On POSIX-compliant platforms, SIGBUS is the signal sent to a process when it causes a bus error. The symbolic constant for SIGBUS is defined in the header file signal.h. Symbolic signal names are used because signal numbers can vary across platforms....
signal, but SIGBUS can also be caused by any general device fault that the computer detects. A bus error rarely means that the computer hardware
Computer hardware
Personal computer hardware are component devices which are typically installed into or peripheral to a computer case to create a personal computer upon which system software is installed including a firmware interface such as a BIOS and an operating system which supports application software that...
is physically broken—it is normally caused by a bug
Software bug
A software bug is the common term used to describe an error, flaw, mistake, failure, or fault in a computer program or system that produces an incorrect or unexpected result, or causes it to behave in unintended ways. Most bugs arise from mistakes and errors made by people in either a program's...
in a program's
Computer program
A computer program is a sequence of instructions written to perform a specified task with a computer. A computer requires programs to function, typically executing the program's instructions in a central processor. The program has an executable form that the computer can use directly to execute...
source code
Source code
In computer science, source code is text written using the format and syntax of the programming language that it is being written in. Such a language is specially designed to facilitate the work of computer programmers, who specify the actions to be performed by a computer mostly by writing source...
.
There are two main causes of bus errors:
non-existent address : The CPU is instructed by software to read or write a specific physical memory address
Memory address
A digital computer's memory, more specifically main memory, consists of many memory locations, each having a memory address, a number, analogous to a street address, at which computer programs store and retrieve, machine code or data. Most application programs do not directly read and write to...
. Accordingly, the CPU sets this physical address on its address bus
Address bus
An address bus is a computer bus that is used to specify a physical address. When a processor or DMA-enabled device needs to read or write to a memory location, it specifies that memory location on the address bus...
and requests all other hardware connected to the CPU to respond with the results, if they answer for this specific address. If no other hardware responds, the CPU raises an exception
Exception handling
Exception handling is a programming language construct or computer hardware mechanism designed to handle the occurrence of exceptions, special conditions that change the normal flow of program execution....
, stating that the requested physical address is unrecognized by the whole computer system. Note that this only covers physical memory addresses. Trying to access an undefined virtual memory address is generally considered to be a segmentation fault rather than a bus error, though if the MMU
Memory management unit
A memory management unit , sometimes called paged memory management unit , is a computer hardware component responsible for handling accesses to memory requested by the CPU...
is separate, the processor can't tell the difference.
unaligned access : Most CPUs are byte-addressable, where each unique memory address refers to an 8-bit byte
Byte
The byte is a unit of digital information in computing and telecommunications that most commonly consists of eight bits. Historically, a byte was the number of bits used to encode a single character of text in a computer and for this reason it is the basic addressable element in many computer...
. Most CPUs can access individual bytes from each memory address, but they generally cannot access larger units (16 bits, 32 bits, 64 bits and so on) without these units being "aligned
Data structure alignment
Data structure alignment is the way data is arranged and accessed in computer memory. It consists of two separate but related issues: data alignment and data structure padding. When a modern computer reads from or writes to a memory address, it will do this in word sized chunks...
" to a specific boundary. For example, if multi-byte accesses must be 16 bit-aligned, addresses 0, 2, 4, and so on would be considered aligned and therefore accessible, while addresses 1, 3, 5, and so on would be considered unaligned. Similarly, if multi-byte accesses must be 32-bit aligned, addresses 0, 4, 8, 12, and so on would be considered aligned and therefore accessible, and all addresses in between would be considered unaligned. Attempting to access a unit larger than a byte at an unaligned address can cause a bus error.
CPUs generally access data at the full width of their data bus at all times. To address bytes, they access memory at the full width of their data bus, then mask and shift to address the individual byte. This is inefficient, but tolerated as it is an essential feature for most software, especially string
String (computer science)
In formal languages, which are used in mathematical logic and theoretical computer science, a string is a finite sequence of symbols that are chosen from a set or alphabet....
processing. Unlike bytes, larger units can span two aligned addresses and would thus require more than one fetch on the data bus. It is possible for CPUs to support this, but this functionality is rarely required directly at the machine code
Machine code
Machine code or machine language is a system of impartible instructions executed directly by a computer's central processing unit. Each instruction performs a very specific task, typically either an operation on a unit of data Machine code or machine language is a system of impartible instructions...
level, thus CPU designers normally avoid implementing it and instead issue bus errors for unaligned memory access.
Segmentation/Page fault / Access violation
A segmentation fault occurs when a program attempts to access a memoryComputer memory
In computing, memory refers to the physical devices used to store programs or data on a temporary or permanent basis for use in a computer or other digital electronic device. The term primary memory is used for the information in physical systems which are fast In computing, memory refers to the...
location that it is not allowed to access, or attempts to access a memory location in a way that is not allowed (for example, attempting to write to a read-only
Read-only memory
Read-only memory is a class of storage medium used in computers and other electronic devices. Data stored in ROM cannot be modified, or can be modified only slowly or with difficulty, so it is mainly used to distribute firmware .In its strictest sense, ROM refers only...
location, or to overwrite part of the operating system
Operating system
An operating system is a set of programs that manage computer hardware resources and provide common services for application software. The operating system is the most important type of system software in a computer system...
).
Segmentation
Segmentation (memory)
Memory segmentation is the division of computer memory into segments or sections. Segments or sections are also used in object files of compiled programs when they are linked together into a program image, or when the image is loaded into memory...
is one approach to memory management
Memory management
Memory management is the act of managing computer memory. The essential requirement of memory management is to provide ways to dynamically allocate portions of memory to programs at their request, and freeing it for reuse when no longer needed. This is critical to the computer system.Several...
and protection in the operating system. It has been superseded by paging
Paging
In computer operating systems, paging is one of the memory-management schemes by which a computer can store and retrieve data from secondary storage for use in main memory. In the paging memory-management scheme, the operating system retrieves data from secondary storage in same-size blocks called...
for most purposes, but much of the terminology of segmentation is still used, "segmentation fault" being an example. Some operating systems still have segmentation at some logical level although paging is used as the main memory management policy.
On Unix-like
Unix-like
A Unix-like operating system is one that behaves in a manner similar to a Unix system, while not necessarily conforming to or being certified to any version of the Single UNIX Specification....
operating systems, a signal
Signal (computing)
A signal is a limited form of inter-process communication used in Unix, Unix-like, and other POSIX-compliant operating systems. Essentially it is an asynchronous notification sent to a process in order to notify it of an event that occurred. When a signal is sent to a process, the operating system...
called SIGSEGV
SIGSEGV
On POSIX-compliant platforms, SIGSEGV is the signal sent to a process when it makes an invalid memory reference, or segmentation fault. The symbolic constant for SIGSEGV is defined in the header file signal.h...
is sent to a process that accesses an invalid memory address. On Microsoft Windows
Microsoft Windows
Microsoft Windows is a series of operating systems produced by Microsoft.Microsoft introduced an operating environment named Windows on November 20, 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces . Microsoft Windows came to dominate the world's personal...
, a process that accesses invalid memory receives the STATUS_ACCESS_VIOLATION exception
Exception handling
Exception handling is a programming language construct or computer hardware mechanism designed to handle the occurrence of exceptions, special conditions that change the normal flow of program execution....
.
Common causes
Segmentation faultA few causes of a segmentation fault can be summarized as follows:
- attempting to execute a program that does not compile correctly. Note that most compilers will not output a binaryBinary fileA binary file is a computer file which may contain any type of data, encoded in binary form for computer storage and processing purposes; for example, computer document files containing formatted text...
given a compile-time error. - a buffer overflowBuffer overflowIn computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of violation of memory safety....
. - using uninitialized pointers.
- dereferencing NULL pointers.
- attempting to access memory the program does not own.
- attempting to alter memory the program does not own (storage violationStorage violationA storage violation occurs when a task modifies, or attempts to modify, computer storage that it does not own.-Types of storage violation:Storage violation can, for instance, consist of writing to or freeing storage not owned by the task....
). - exceeding the allowable stack size (possibly due to runaway recursion or an infinite loop)
Generally, segmentation faults occur because: a pointer is either NULL, points to random memory (probably never initialized to anything), or points to memory that has been freed/deallocated/"deleted".
e.g.
Now, dereferencing any of these variables could cause a segmentation fault.
Bus error
- A common cause of a bus error (in Linux) that has nothing to do with hardware failure is the following scenario. A binary program is running. As long as this is completely resident in memory, the corresponding executable binary file can be changed 'under the hood' without notice. However, if the binary is large, or there is not enough free memory, some of its pages may have been swapped out. If the paging mechanism subsequently accesses the expected blocks on disk, a bus error ensues because the original executable was replaced by another file. In this case, the SIGBUSSIGBUSOn POSIX-compliant platforms, SIGBUS is the signal sent to a process when it causes a bus error. The symbolic constant for SIGBUS is defined in the header file signal.h. Symbolic signal names are used because signal numbers can vary across platforms....
signal prevents the execution of random blocks of machine code due to pagingPagingIn computer operating systems, paging is one of the memory-management schemes by which a computer can store and retrieve data from secondary storage for use in main memory. In the paging memory-management scheme, the operating system retrieves data from secondary storage in same-size blocks called...
.
Bus error example
This is an example of un-aligned memory access, written in the C programming languageC (programming language)
C is a general-purpose computer programming language developed between 1969 and 1973 by Dennis Ritchie at the Bell Telephone Laboratories for use with the Unix operating system....
.
Compiling and running the example on Linux
Linux
Linux is a Unix-like computer operating system assembled under the model of free and open source software development and distribution. The defining component of any Linux system is the Linux kernel, an operating system kernel first released October 5, 1991 by Linus Torvalds...
on x86 demonstrates the error:
$ gcc -ansi sigbus.c -o sigbus
$ ./sigbus
Bus error
$ gdb ./sigbus
(gdb) r
Program received signal SIGBUSSIGBUSOn POSIX-compliant platforms, SIGBUS is the signal sent to a process when it causes a bus error. The symbolic constant for SIGBUS is defined in the header file signal.h. Symbolic signal names are used because signal numbers can vary across platforms....
, Bus error.
0x080483ba in main
(gdb) x/i $pc
0x80483ba : mov DWORD PTR [eax],0x2a
(gdb) p/x $eax
$1 = 0x804a009
(gdb) p/t $eax & (sizeof(int) - 1)
$2 = 1
The GDB debugger
Debugger
A debugger or debugging tool is a computer program that is used to test and debug other programs . The code to be examined might alternatively be running on an instruction set simulator , a technique that allows great power in its ability to halt when specific conditions are encountered but which...
shows that the immediate value
Constant (programming)
In computer programming, a constant is an identifier whose associated value cannot typically be altered by the program during its execution...
0x2a is being stored at the location stored in the EAX
IA-32
IA-32 , also known as x86-32, i386 or x86, is the CISC instruction-set architecture of Intel's most commercially successful microprocessors, and was first implemented in the Intel 80386 as a 32-bit extension of x86 architecture...
register
Processor register
In computer architecture, a processor register is a small amount of storage available as part of a CPU or other digital processor. Such registers are addressed by mechanisms other than main memory and can be accessed more quickly...
, using X86 assembly language
X86 assembly language
x86 assembly language is a family of backward-compatible assembly languages, which provide some level of compatibility all the way back to the Intel 8008. x86 assembly languages are used to produce object code for the x86 class of processors, which includes Intel's Core series and AMD's Phenom and...
. This is an example of register indirect addressing.
Printing the low order bits
Least significant bit
In computing, the least significant bit is the bit position in a binary integer giving the units value, that is, determining whether the number is even or odd. The lsb is sometimes referred to as the right-most bit, due to the convention in positional notation of writing less significant digits...
of the address shows that it is not aligned to a word boundary
Data structure alignment
Data structure alignment is the way data is arranged and accessed in computer memory. It consists of two separate but related issues: data alignment and data structure padding. When a modern computer reads from or writes to a memory address, it will do this in word sized chunks...
("dword" using x86 terminology).
Segmentation fault example
Here is an example of ANSI CANSI C
ANSI C refers to the family of successive standards published by the American National Standards Institute for the C programming language. Software developers writing in C are encouraged to conform to the standards, as doing so aids portability between compilers.-History and outlook:The first...
code that should create a segmentation fault on platforms with memory protection:
When the program containing this code is compiled
Compiler
A compiler is a computer program that transforms source code written in a programming language into another computer language...
, the string
String literal
A string literal is the representation of a string value within the source code of a computer program. There are numerous alternate notations for specifying string literals, and the exact notation depends on the individual programming language in question...
"hello world" is placed in the section of the program executable file marked as read-only; when loaded, the operating system places it with other strings and constant
Constant (programming)
In computer programming, a constant is an identifier whose associated value cannot typically be altered by the program during its execution...
data in a read-only segment of memory. When executed, a variable, s, is set to point to the string's location, and an attempt is made to write an H character through the variable into the memory, causing a segmentation fault. Compiling such a program with a compiler that does not check for the assignment of read-only locations at compile time, and running it on a Unix-like operating system produces the following runtime error:
$ gcc segfault.c -g -o segfault
$ ./segfault
Segmentation fault
Backtrace of the core file from gdb:
Program received signal SIGSEGV, Segmentation fault.
0x1c0005c2 in main at segfault.c:6
6 *s = 'H';
The conditions under which segmentation violations occur and how they manifest themselves are specific to an operating system.
Because a very common program error is a null pointer dereference (a read or write through a null pointer, used in C to mean "pointer to no object" and as an error indicator), most operating systems map the null pointer's address such that accessing it causes a segmentation fault.
This sample code creates a null pointer, and tries to assign a value to its non-existent target. Doing so causes a segmentation fault at runtime on many operating systems.
Another example is recursion
Recursion
Recursion is the process of repeating items in a self-similar way. For instance, when the surfaces of two mirrors are exactly parallel with each other the nested images that occur are a form of infinite recursion. The term has a variety of meanings specific to a variety of disciplines ranging from...
without a base case:
which causes the stack to overflow
Stack overflow
In software, a stack overflow occurs when too much memory is used on the call stack. The call stack contains a limited amount of memory, often determined at the start of the program. The size of the call stack depends on many factors, including the programming language, machine architecture,...
which results in a segmentation fault. Note that infinite recursion may not necessarily result in a stack overflow depending on the language, optimizations performed by the compiler and the exact structure of a code. In this case, the behavior of unreachable code (the return statement) is undefined, so the compiler can eliminate it and use a tail call
Tail call
In computer science, a tail call is a subroutine call that happens inside another procedure and that produces a return value, which is then immediately returned by the calling procedure. The call site is then said to be in tail position, i.e. at the end of the calling procedure. If a subroutine...
optimization that might result in no stack usage. Other optimizations could include translating the recursion into iteration, which given the structure of the example function would result in the program running forever, while probably not overflowing its stack.
See also
- Buffer overflowBuffer overflowIn computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of violation of memory safety....
- Core dumpCore dumpIn computing, a core dump consists of the recorded state of the working memory of a computer program at a specific time, generally when the program has terminated abnormally...
- General protection faultGeneral protection faultA general protection fault in the Intel x86 and AMD x86-64 architectures, and other unrelated architectures, is a fault that can encompass several cases in which protection mechanisms within the processor architecture are violated by any of the programs that are running, either the kernel or a...
- Segfault (website)Segfault (website)Segfault was a popular humor website that posted fake news reports on hacker-related topics on a near-daily basis. The range of topics was approximately the same as that covered and regularly discussed on the Slashdot — including free software, Internet phenomena, programming, and technology...
- Page faultPage faultA page fault is a trap to the software raised by the hardware when a program accesses a page that is mapped in the virtual address space, but not loaded in physical memory. In the typical case the operating system tries to handle the page fault by making the required page accessible at a location...
- Storage violationStorage violationA storage violation occurs when a task modifies, or attempts to modify, computer storage that it does not own.-Types of storage violation:Storage violation can, for instance, consist of writing to or freeing storage not owned by the task....