Cython, 14

This often comes in handy for debugging purposes.

a=(<int*>0)[0] 

Matlab - Yes it is possible!

In a response to a question of mine, Amro came up with this quirk:

S = struct(); S = setfield(S, {}, 'g', {}, 0) 

Rust, 34 bytes

fn main(){unsafe{*(0 as*mut _)=3}} 

Just a null pointer assignment, nothing special here.

As a bonus, 45 44 40 bytes solution not using unsafe. Arguably a bug in a compiler.

#![no_main]#[no_mangle]static main:i8=0; 

Main is usually a function ;).

C# - 62

System.Runtime.InteropServices.Marshal.ReadInt32(IntPtr.Zero); 

C# /unsafe, 23 bytes

unsafe{int i=*(int*)0;} 

For some reason I don't understand, *(int*)0=0 just throws a NullReferenceException, while this version gives the proper access violation.

Ruby 3.x, 10 bytes

->x=(1in^x 

Ruby doesn't like a circular pin reference in proc argument for some reason, this results in a null pointer dereference. Since this is a parser bug the program doesn't even have to be syntactically valid.

J (6)

memf 1 

memf means free memory, 1 is interpreted as a pointer.

Unix PDP-11 assembly, 18 bytes binary, 7 bytes source

(this is becoming a theme with me, maybe because it's the only language I sort of know that no-one else here does.)

inc(r0) 

Increments the single byte addressed by the initial value of r0 [which happens to be 05162 according to the simh debugger] as of program start.

0000000 000407 000002 000000 000000 000000 000000 000000 000000 0000020 005210 000000 

And, as always, the extraneous bytes at the end can be removed with strip.

I made a few attempts to get the source shorter, but always ended up getting either a syntax error or SIGBUS.

Python 3.8, 14 bytes

This only works on Python 3.8 :P. I found this while scavenging bug reports.

*reversed({}), 

Try it online!

JavaScript Shell, 7 bytes

clear() 

Clears absolutely everything, not just the current scope which obviously causes lots of borks which result in JS blowing up and segfaulting

Java (OpenJDK 9), 311 227 223 bytes

import sun.misc.*;import java.lang.reflect.*;class M{public static void main(String[]args) throws Exception{Constructor<Unsafe> c=Unsafe.class.getDeclaredConstructor();c.setAccessible(true);c.newInstance().getAddress(0);}} 

Try it online!

Ungolfed:

import sun.misc.Unsafe; import java.lang.reflect.Constructor; public class SegFault { public static void main(String[] args) throws Exception { Constructor<Unsafe> unsafeConstructor = Unsafe.class.getDeclaredConstructor(); unsafeConstructor.setAccessible(true); Unsafe unsafe = unsafeConstructor.newInstance(); System.out.println(unsafe.getAddress(0)); } } 

Saved 84 Bytes thanks to Mistah Figg

Befunge-98 (FBBI), 1 byte

= 

Try it online! (expand the Debug section to view the segfault)

This only works in the FBBI implementation of Befunge, exploiting a bug in its string handling code. Any attempt to read a string from an empty stack will result in a null pointer dereference. You can achieve the same result with the i (Input File) and o (Output File) instructions, which also expect a string on the stack.

Note that this error wouldn't occur if the stack was simply full of zeros, which in Befunge should be semantically equivalent to an empty stack. For it to crash the stack must be genuinely empty, as is the case on startup.

Tcl, 60 bytes

set a a;while {[incr i]<999999999} {set a [list $a]};puts $a 

Not short, but crashes with a segfault.

This builds a deeply nested list (each with only one element), and when trying to serialize it, Tcl will crash with a stack overflow.

I have reported this bug here

AArch64, 4 bytes

Raw machine code:

d65f03e0 

Disassembly

 .globl f f: ret xzr 

Branches to the xzr register, which is always null. We can't do something like str x0, [xzr] because it would be treated as sp.

Lua (LuaJIT), 47 43 bytes

f=require"ffi"f.cdef"int puts()"f.C.puts() 

Try it online!

Uses FFI in LuaJIT to call puts() with no (valid) argument.

Ruby, 15 bytes

eval a='eval a' 

Segfaults (Ruby 2.3 on Ubuntu xenial)

Lua (luajit), 52 48 bytes

function f()c=coroutine;c.resume(c.create(f))end 

An attempt to compete for the bounty that was recently set on an answer in Lua. This is a function submission (basically because I had to define a function anyway, so not including the code to run it saves bytes). Now with 4 bytes saved due to a suggestion by @ceilingcat to avoid repeating the word coroutine.

The program works by creating infinitely many coroutines, suspending each in turn to create and start the next. The most commonly used Lua interpreter, lua, thought of this case and starts causing coroutine creation to fail after a while. luajit, however, segfaults. (Valgrind reports the issue as a failure to grow the OS-defined stack; this is believable, seeing as one common coroutine implementation gives them each separate parts of the stack.)

Lua 5.3.2 PUC-RIO (the "official") interpreter - 57 bytes

local t={}t.__newindex=t local y=setmetatable({},t)y[1]=1 

Note: does not work on all machines, and was fixed in Lua 5.3.3.

Clean, 19 12 bytes

Start=code{} 

Try it online!

Every function always returns something in Clean, including Start. Because we haven't specified the type of Start, the compiler assumes (and it can only assume when you inline ABC) that it takes no arguments. Since it takes no arguments, there's nothing on either stack when the function resolves, and so the runtime tries to evaluate the first node in the spine of a graph with... Zero nodes.

Malbolge, 3046 bytes

Behold, an answer in Malbolge that you can embed inside an answer!

bP&A@?>=<;:9876543210/.-,+*)('&%$T"!~}|;]yxwvutslUSRQ.yx+i)J9edFb4`_^]\yxwRQ)(TSRQ]m!G0KJIyxFvDa%_@?"=<5:98765.-2+*/.-,+*)('&%$#"!~}|utyrqvutsrqjonmPkjihgfedc\DDYAA\>>Y;;V886L5322G//D,,G))>&&A##!7~5:{y7xvuu,10/.-,+*)('&%$#"yb}|{zyxwvutmVqSohmOOjihafeHcEa`YAA\[ZYRW:U7SLKP3NMLK-I,GFED&%%@?>=6;|9y70/4u210/o-n+k)"!gg$#"!x}`{zyxZvYtsrqSoRmlkjLhKfedcEaD_^]\>Z=XWVU7S6QPON0LKDI,GFEDCBA#?"=};438y6543s1r/o-&%*k('&%e#d!~}|^z]xwvuWsVqponPlOjihgIeHcba`B^A\[ZY;W:UTSR4PI2MLKJ,,AFE(&B;:?"~<}{zz165v3s+*/pn,mk)jh&ge#db~a_{^\xwvoXsrqpRnmfkjMKg`_GG\aDB^A?[><X;9U86R53ONM0KJC,+FEDC&A@?!!6||3876w4-tr*/.-&+*)('&%$e"!~}|utyxwvutWlkponmlOjchg`edGba`_XW\?ZYRQVOT7RQPINML/JIHAFEDC&A@?>!<;{98yw5.-ss*/pn,+lj(!~ff{"ca}`^z][wZXtWUqTRnQOkNLhgfIdcFaZ_^A\[Z<XW:U8SRQPOHML/JIHG*ED=%%:?>=~;:{876w43210/(-,+*)('h%$d"ca}|_z\rqYYnsVTpoRPledLLafIGcbE`BXW??TY<:V97S64P31M0.J-+G*(DCB%@?"=<;|98765.3210p.-n+$)i'h%${"!~}|{zyxwvuXVlkpSQmlOjLbafIGcbE`BXW??TY<:V97S64P31M0.J-+G*(D'%A@?"=<}:98y6543,1r/.o,+*)j'&%eez!~a|^tsx[YutWUqjinQOkjMhJ`_dGEaDB^A?[><X;9U86R53O20LKJ-HG*ED'BA@?>7~;:{y7x5.3210q.-n+*)jh&%$#"c~}`{z]rwvutWrkpohmPkjihafI^cba`_^A\[>YXW:UTS5QP3NM0KJ-HGF?D'BA:?>=~;:z8765v32s0/.-nl$#(ig%fd"ca}|_]yrqvYWsVTpSQmPNjMKgJHdGEa`_B]\?ZY<WVUTMR5PO20LK.IHA))>CB%#?87}}49zx6wu3tr0qo-nl*ki'hf$ec!~}`{^yxwvotsrUponQlkMihKIe^]EEZ_B@\?=Y<:V97S64P31M0.J-+GFE(C&A@?8=<;:{876w43s10qo-&%kk"'hf$ec!b`|_]y\ZvYWsVTpSQmlkNiLgf_dcba`C^]\?ZY;WV97SLK33HM0.J-+G*(D'%A$">!};|z8yw543t1r/(-,+*)(i&%fd"!~}|_t]xwvutslqTonmPkjLhKIedGEaZY^A?[Z=X:POT75QP31MFEJ-+**?DC&$@98=~|:{y7xv4us1rp.omll#('&g|#d!~a|{z\\qvuXsUkjoRPOOdihKfH^]bEC_B@\?=Y<:V97S6433HML/J,BAF)'&&;@?"=}549zxww.32s0p(',+*kj!&g$#d!~`|_]y\ZYYnsrUSohglOMihKfH^]bEC_B@\?=YX;V8NMR53O20L/-I,*FED'&A:#>=~;:z87xv4-,1rp.om+*ki'~}$ec!b`__tyx[vXnmrUSoRPlOMihgJIdcb[D_^A\[=Y<:V97SR5P2HGL/-IH+F(>=B%#?"~<}{9zx6wu3tr0/.on+*)('~g$#d!~`|{^y[qpuXVrqToQgfkNLhKIeHFbEC_B@\?=Y<:V97SRQ43NMLKJIHA*EDCBA#9>=<;{3z165.32+0q.-,+l)(h&ge#db~a_{^\x[YuXVrUSoRPlkjMLaJedGbaCBBW\[><XQPU86R53O20L/-I,*F)'C&$@#!=~|:98yx54-t10q.-m+lj(igff{"!b`|uty\ZvYWsVTpSQmPNjMKgJHdcbED_^]\U>YX;VU7S64PO2M/EDI,*F)'&&;@?"~<549zx6wu3tr0qo-nl*kihh}$#"cb}|{zyxqZutWrqSoRPlkNiKa`eHFbEC_^A\>TSX;9U86R53O20L/-I,*FED'&A@?>=<;:3z76543s+0/.-m%l#('&}${"c~}`{z\x[YuXVUUjonQlNdchKIedGEaZY^A?[><X;9U86R53O20//DIHG*)D=&A@#>=}||387x5u-,1rp.om+lj(igff{"!b}_uty\ZvYWsVTpSQmlkNMhgf_HcbE`_A]@>Z=;W:8T75Q42NM0.JCBG*(D'%A$">!};|zyy0543ts0/.-,%l)(i&%e#"c~`vuz][wZXtWUqTRnmPkMcbgJHdGEaDB^A?[ZY<;VUTSRQPI2MLKJI+AFEDC%;$9>=<5:38y65v32r0qonn%*)jh&}|#dbaav{z][wpotWUqTRnQOkjMKg`_dGEaDB^A?[><X;988MRQP32G0KJ-HG)ED'B$:9>!}||387x5u-,1rp.om+lj(ig%fd"ca}`^z][ZZotsrUTongPNNMhgf_dGbaD_^@\?=Y<:VU86RKJO20L/-,,AFE(C%;:?"~<;|9y105vt21rp.'&+*)ji&%${"c~}|{^yxZvYWsVTpoRPlediLJfIGcFD`CA]@>Z=;W:877LQPO21LKJIB+))(CBA@?8=~;:{87w5vt2sq/pn,+l)i!~%fd"!b}_uty\ZYYnsrUpRhglOMiLJfIGcFD`_^A@[ZYXWPU8SRQ4ONM//DIH+)E>=B%#?"~<}{9zx6wutt+0/pn,%$)jhgg|#"ca}vuz][ZZotsVTpihmPNMMbgfIGc\[`CA@@UZY<:VONSRQ4I2MLKJIH+dv'Ps$_"]~[|YzWxUvStQrOpMnKlIjGhEfCAAyxw`;zLxwpo#F!~joQmPNd<hKJr^GoEm~B@zzy,X;c(s&5QJmNGL.h-yTdEc=`;$LK=m|:FV7Cwe3craq_'J\H)jF&%B0/RQ 

Try it online!

Rust, 38 33 bytes

unsafe{*(std::ptr::null_mut())=0} 

Try it online!

Full program is fn main(){...}. Segfaults as setting a null pointer to a type is undefined behavior (hence the unsafe block that is required). Old version:

unsafe{std::ptr::null::<u8>().read();} 

Jelly, 2 bytes

ßß 

Try it online!

oh

Since ß isn't actually coded as a recursive function call in the underlying Python, it isn't affected by the recursion limit. I don't actually know how Jelly's quicks work under the hood, but this appears to just create a nested structure that grows until it can't anymore. Any atom or atom-like quick works after the first ß.

NASM, 3 characters.

any of the following:

ret nop cbw cwd cdq clc cld cli cmc aaa aas aad aam stc std sti 

ret causes stack underflow. cli and sti trigger SIGSEGV because they are privileged instructions. All the other opcodes trigger a SIGSEGV simply because there's no exit point.

C++ (clang), compiler crash, 36 28 bytes

class{operator*(...){*this*1 

Try it online!

Unlike the other compiler crash which I found on my own, I totally didn't look this one up on bugs.llvm.org..

Assembly (as, x64, Linux), 17 10 bytes

Unfortunately, this was not a segfault, but an assertion. Leaving it up with another compiler segfault as a bonus.

I wrote code that raises a SIGSEGV in assembler.

Literally. 😏

Replace \0 with a literal 0x00 byte.

"\0.asciz " 

Try it online!

Found this bug when golfing the assembly here

Note that this bug seems to have been fixed as of v2.34.

Rust, 17 bytes

fn main(){main()} 

Try it online!

Well... This just calls itself. It may be the only way to do it without unsafe.

Trilangle, UB, 1 byte

If you allow undefined behavior that happens to segfault on my machine (Windows 10 on x64), all of the following programs work:

• +
• -
• *
• :
• %
• 7
• >
• v
• L
• <
• ^
• e
• (
• )
• j
• !
• o
• &
• r
• x
• ~
• 2

All of these attempt to perform some operation on an empty stack. Interestingly, , (pop from stack) runs just fine (though it loops forever).

Swift 6.1.2, 36 11 bytes

let x:Any=x 

Try it on SwiftFiddle! (The Any type annotation is required.)

I'm 99% sure this only works due to a compiler bug, because last time I checked Swift really isn't supposed to let you do this.

Other interesting segfaults (sorted by length)

Stack overflow (13 bytes)

var x:(){x} x 

Try it on SwiftFiddle!

Declares a computed variable (of type (), aka Void) that accesses itself, then tries to access the variable. (Swift is smart enough to warn you about this. Twice.)

Suicide (22 bytes on Linux, 23 bytes on macOS)

import Glibc raise(11) 

Try it on SwiftFiddle!

Fairly self-explanatory. Replace Glibc with Darwin if running on macOS.

Deinit abuse (24 bytes)

class C{deinit{C()}} C() 

Try it on Compiler Explorer! (SwiftFiddle doesn't finish backtracing)

This ends up recursively calling _swift_release_dealloc in the runtime, ending with a stack overflow.

"Null" pointer dereference (36 bytes)

UnsafePointer<Any>(bitPattern:1)![0] 

Try it on SwiftFiddle!

Okay, this one's actually kinda wonky.

• If the generic parameter to UnsafePointer is Int, this doesn't segfault.
• But if the whole thing's wrapped in a call to print, it always segfaults (regardless of the generic parameter).
• UnsafePointer.init?(bitPattern:) returns nil for an argument of 0, but if you give it any other value, it will happily return an invalid pointer.

Use-after-free (38 bytes)

[withUnsafePointer(to:{}){$0}][0][0]() 

Try it on SwiftFiddle!

Escapes a pointer to a closure, wraps it in an array to add some indirection, then tries to call the closure via the pointer.

Perl 6, 22

shell "kill -11 $*PID" 

Just shelling to whatever shell you have.

Dyvil, 42 bytes

dyvil.reflect.ReflectUtils.UNSAFE.getInt 0 

Explanation:

dyvil.reflect.ReflectUtils // qualified type name .UNSAFE // accesses the static field UNSAFE in class // dyvil.reflect.ReflectUtils, of type sun.misc.Unsafe .getInt 0 // calls the method sun.misc.Unsafe.getInt(long), // which tries to read a 4-byte integer from // the memory address 0 

Whispers, 5 bytes

>> 1! 

Try it online!

How it works

>> 1 - Call this line repeated ! - Prevent tail call 

Haskell, 15 bytes

Causes a stackoverflow:

main=main>>main 

Try it online!