The following on my Mac succeeds:
int main() {
    int* addr = (int*) mmap(0, 100, 1 | 2, 2 | 4096, -1, 0);
    *addr = 25;
    return 0;
}
However the below code is identical but fails when I try to write to *addr with segmentation fault:
int main() {
    int* addr = (int*) syscall(SYS_mmap, 0, 100, 1 | 2, 2 | 4096, -1, 0);
    *addr = 25;
    return 0;
}
I.e. syscall successfully returns me a memory address, but when I try writing to it it fails.
I compile it like this:
g++ ./c++/mmap.cc -o ./mmap && ./mmap
If I run both versions with dtruss:
g++ ./c++/mmap.cc -o ./mmap && sudo dtruss ./mmap
then both version succeed and I see identical mmap call for both:
mmap(0x0, 0x64, 0x3, 0x1002, 0xFFFFFFFF, 0x0)            = 0xXXXXXXX 0
Why does the syscall version give me segmentation fault, what am I missing?
P.S. If I do something similar on Linux it works fine.
So, as I understand the mmap function on Mac does not execute syscall(SYS_mmap, .... What does it do then? Can anyone please give me some links where I can see implementation.
EDIT:
It looks like syscall on Mac returns only first 4 bytes. Is there a 64-bit syscall version?
DISASSEMBLED:
mmap version:
_main:
0000000100000cf0        pushq   %rbp
0000000100000cf1        movq    %rsp, %rbp
0000000100000cf4        subq    $0x30, %rsp
0000000100000cf8        xorl    %eax, %eax
0000000100000cfa        movl    %eax, %ecx
0000000100000cfc        movl    $0x64, %eax
0000000100000d01        movl    %eax, %esi
0000000100000d03        movl    $0x3, %edx
0000000100000d08        movl    $0x1002, %eax
0000000100000d0d        movl    $0xffffffff, %r8d
0000000100000d13        movl    $0x0, -0x14(%rbp)
0000000100000d1a        movq    %rcx, %rdi
0000000100000d1d        movq    %rcx, -0x28(%rbp)
0000000100000d21        movl    %eax, %ecx
0000000100000d23        movq    -0x28(%rbp), %r9
0000000100000d27        callq   0x100000ed6 ## symbol stub for: _mmap
0000000100000d2c        movq    0x2cd(%rip), %rdi ## literal pool symbol address: __ZNSt3__14coutE
0000000100000d33        movq    %rax, -0x20(%rbp)
0000000100000d37        movq    -0x20(%rbp), %rax
0000000100000d3b        movq    %rax, %rsi
syscall version:
_main:
0000000100000cf0        pushq   %rbp
0000000100000cf1        movq    %rsp, %rbp
0000000100000cf4        subq    $0x30, %rsp
0000000100000cf8        movl    $0xc5, %edi
0000000100000cfd        xorl    %esi, %esi
0000000100000cff        movl    $0x64, %edx
0000000100000d04        movl    $0x3, %ecx
0000000100000d09        movl    $0x1002, %r8d
0000000100000d0f        movl    $0xffffffff, %r9d
0000000100000d15        movl    $0x0, -0x14(%rbp)
0000000100000d1c        movl    $0x0, (%rsp)
0000000100000d23        movb    $0x0, %al
0000000100000d25        callq   0x100000ed6 ## symbol stub for: _syscall
0000000100000d2a        movq    0x2cf(%rip), %rdi ## literal pool symbol address: __ZNSt3__14coutE
0000000100000d31        movslq  %eax, %r10
0000000100000d34        movq    %r10, -0x20(%rbp)
0000000100000d38        movq    -0x20(%rbp), %r10
0000000100000d3c        movq    %r10, %rsi
Make sure you aren't using variables that haven't been initialised. These may be set to 0 on your computer, but aren't guaranteed to be on the judge. Check every single occurrence of accessing an array element and see if it could possibly be out of bounds. Make sure you aren't declaring too much memory.
A segfault occurs when a reference to a variable falls outside the segment where that variable resides, or when a write is attempted to a location that is in a read-only segment.
Master C and Embedded C Programming- Learn as you go A segmentation fault occurs when your program attempts to access an area of memory that it is not allowed to access. In other words, when your program tries to access memory that is beyond the limits that the operating system allocated for your program.
Apparently Mac does not have a 64-bit syscall function, here a is simple implementation:
#include <sys/types.h>
#define CARRY_FLAG_BIT 1
inline int64_t syscall6(int64_t num, int64_t arg1, int64_t arg2, int64_t arg3, int64_t arg4, int64_t arg5, int64_t arg6) {
    int64_t result;
    int64_t flags;
    __asm__ __volatile__ (
        "movq %6, %%r10;\n"
        "movq %7, %%r8;\n"
        "movq %8, %%r9;\n"
        "syscall;\n"
        "movq %%r11, %1;\n"
        : "=a" (result), "=r" (flags)
        : "a" (num), "D" (arg1), "S" (arg2), "d" (arg3), "r" (arg4), "r" (arg5), "r" (arg6)
        : "%r10", "%r8", "%r9", "%rcx", "%r11"
    );
    return (flags & CARRY_FLAG_BIT) ? -result : result;
}
And you use it on mac by shifting system call numbers by 0x2000000:
int* addr = (int*) syscall6(0x2000000 + SYS_mmap, 0, 100, 1 | 2, 2 | 4096, -1, 0);
You can find more here.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With