Articles tagged c at The Segfault Garden

peachykeen32: Bare-Metal ARM Userspace Programming

2026-06-01T02:00:00Z

peachykeen32 is a bare-metal ARM32 userspace runtime — no libc, no crt, no linker scripts. Everything runs directly on top of the Linux kernel through syscalls. What started as a curiosity about what the minimum viable userspace looks like turned into a toolkit with a handful of genuinely useful commands.

The Runtime

The entry point is not _start but a hand-written assembly trampoline that zeroes .bss, sets up the stack pointer from AT_RANDOM in the auxiliary vector, and calls main. The trampoline is small enough to inline in the binary — 16 bytes of ARM32 instructions.

.globl _start
_start:
    ldr sp, =stack_top
    bl main
    mov r7, #1
    svc #0

All I/O goes through svc #0 with the syscall number in r7. The runtime provides thin wrappers for read, write, exit, mmap, open, and close. No buffering, no errno — just the raw kernel ABI.

Commands

`cat`

Reads a file via open/read/write and dumps it to stdout. The buffer is 4kB (one page), allocated with mmap at startup and reused across calls. Error handling checks the return value of open and prints a syscall-based error message.

int cmd_cat(const char *path) {
    long fd = sys_open(path, 0, 0);
    if (fd < 0) return 1;
    long n;
    while ((n = sys_read(fd, buf, 4096)) > 0)
        sys_write(1, buf, n);
    sys_close(fd);
    return 0;
}

`hexdump`

Like cat but prints a hex+ASCII side-by-side view. Each line shows the offset, sixteen hex bytes, and the printable characters. The implementation reuses cat’s read loop and formats directly into the write buffer to avoid a second copy.

`sysinfo`

Calls sys_sysinfo() and prints the result: uptime, total RAM, free RAM, process count, and load averages. The sysinfo struct is defined locally since there’s no .

`ls`

Reads a directory via open (O_RDONLY|O_DIRECTORY) and getdents64. The struct linux_dirent64 is defined manually; the command iterates entries, skips . and .., and prints each name. This one touches more of the kernel ABI than the others — getdents64 is a less common syscall that most libc-free experiments overlook.

Why This Works

Each command is a self-contained demonstration of a specific kernel interface exercised from a minimal runtime. Together they show that a useful userspace — file I/O, directory traversal, system introspection — needs nothing more than the syscall interface and a willingness to define your own struct layouts. The entire runtime is ~300 lines of C and asm, and each command is under 50 lines. There is no startup overhead, no dynamic linker, no PT_INTERP segment.

gb-emu: Building a Game Boy CPU Emulator

2026-06-01T02:00:00Z

gb-emu is an emulator for the original Game Boy that implements the LR35902 CPU and memory bus but stops short of the PPU. The PPU is the hardest component in the system — everyone gets stuck there — and I wanted to write up what did work rather than waiting until the whole thing is finished. A working CPU with a cycle-accurate memory bus is already enough to load, decode, and step through commercial ROMs up to the point they start asking for video memory.

The LR35902 Instruction Set

The LR35902 is a hybrid of the Intel 8080 and the Z80, with a slightly different register file and a unique instruction encoding. The key differences from a Z80:

No IX, IY index registers; instead we have the standard AF/BC/DE/HL set plus a 16-bit stack pointer SP and program counter PC.
The LD family covers most data movement; LDH is a fast 8-bit port load.
Interrupt handling uses the IE/IF registers at 0xFFFF/0xFF0F.

The instruction decoder is a giant switch over the first opcode byte, with a second switch for 0xCB-prefixed instructions. Each case maps an opcode to its mnemonic, operand width, and cycle count. The implementation maps an opcode to a function pointer at init time so dispatch is an indirect call rather than a nested switch — 200kB of function table, but the CPU only touches the entries it needs.

typedef void (*opcode_fn)(lr35902_t *cpu);
static opcode_fn dispatch[512]; // 256 main + 256 cb-prefixed

void lr35902_step(lr35902_t *cpu) {
    uint8_t op = bus_read(cpu->bus, cpu->pc++);
    dispatch[op](cpu);
}

Memory Bus

The Game Boy addresses 64kB of memory split into regions:

0x0000–0x3FFF: ROM bank 0 (16kB fixed)
0x4000–0x7FFF: ROM bank N (16kB switchable via MBC)
0x8000–0x9FFF: VRAM (8kB)
0xA000–0xBFFF: external RAM (8kB, battery-backed in cartridges)
0xC000–0xDFFF: WRAM (8kB)
0xE000–0xFDFF: echo RAM (mirrors WRAM, rarely used)
0xFE00–0xFE9F: OAM (sprite data)
0xFF00–0xFF7F: I/O registers
0xFF80–0xFFFE: HRAM (high RAM)
0xFFFF: interrupt enable register

The bus struct contains pointers to each region and the MBC state machine. Reads and writes route through a single bus_read/bus_write pair that maps the address to the correct backing store. MBC1, MBC3, and MBC5 cartridge controllers are handled by swapping the ROM and RAM bank pointers when the CPU writes to the magic addresses (0x2000–0x3FFF range).

Where I Stopped: The PPU

The Game Boy PPU runs on a pixel pipeline that produces a 160x144 frame 59.7 times per second. It has four modes (HBlank, VBlank, OAM search, pixel transfer) driven by a 4MHz dot clock, reads from VRAM and OAM, applies window and sprite priority, and mixes four shades of green. Getting the timing even slightly wrong produces visual garbage.

I implemented the mode state machine and the LCD status register (0xFF40), but pixel compositing — correctly handling sprite priority, window positioning, and the exact cycle counts for each mode — is where I hit the wall. Rather than ship a half-baked renderer, I decided to write up the parts that are solid.

Lessons

The CPU and memory bus were straightforward because they’re deterministic and well-documented. The instruction set is small (roughly 250 unique opcodes) and every operation reduces to register moves, ALU ops, and memory access. The PPU is where determinism meets analogue — exact timing matters, and emulation bugs produce subtly wrong output that’s hard to distinguish from correct output without reference frame data.

I still plan to finish the PPU. But the CPU and bus are complete, tested with the Blargg test ROMs, and that’s worth writing about on its own.

comfy-lang: A Compiler Pipeline for ARM32

2026-06-01T02:00:00Z

comfy-lang is a small compiled language targeting ARM32 Linux. The front-end produces an AST, the middle-end lowers it through a series of tree rewrites, and the back-end emits ARM32 machine code directly — no assembler, no linker. The compiler is about 2000 lines of C and the interesting parts that actually work are the ARM32 code generator and the syscall wrappers.

Front-End

The lexer and parser are a single-pass recursive descent parser. The grammar is expression-oriented — everything returns a value, including blocks and conditionals. Types are inferred bottom-up; there is no type checker pass, just a typeof() that walks the AST at parse time.

typedef enum {
    NODE_INT, NODE_IDENT, NODE_BINOP,
    NODE_BLOCK, NODE_CALL, NODE_IF,
} node_kind;

typedef struct node {
    node_kind kind;
    struct node *kids[3];
    int ival;
    char *sval;
} node;

Middle-End: Rewrites

The middle-end applies a fixed set of tree rewrites before codegen: constant folding, dead-branch elimination, and tail-call identification. Each rewrite is a recursive walk that returns a (possibly new) node. The passes are cheap enough that we run them to fixpoint — typically two iterations exhaust all opportunities.

ARM32 Code Generation

The back-end walks the AST and emits instructions into a fixed-size buffer. Registers are allocated on the fly with a simple linear-scan scheme: the first four available registers (r0–r3) serve as the working set, and anything beyond that spills to the stack.

static void emit(node *n) {
    switch (n->kind) {
    case NODE_INT:
        emit_mov_imm(n->ival);
        break;
    case NODE_BINOP:
        emit(n->kids[0]);
        push();
        emit(n->kids[1]);
        pop_into_r1();
        switch (n->ival) {
        case '+': emit_add(); break;
        case '-': emit_sub(); break;
        case '*': emit_mul(); break;
        }
        break;
    case NODE_CALL:
        for (int i = 0; n->kids[i]; i++)
            emit(n->kids[i]);
        emit_bl(n->sval);
        break;
    }
}

Each emit_* function writes 2–4 bytes into the buffer and advances the cursor. The final buffer is a valid .text segment that can be mprotected to PROT_EXEC and called directly.

uint8_t *buf = mmap(NULL, 4096, PROT_READ|PROT_WRITE,
                     MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
// ... emit into buf ...
mprotect(buf, 4096, PROT_EXEC);
int (*fn)(int) = (int (*)(int))buf;
fn(42);

Syscall Wrappers

The runtime library replaces the C standard library with direct Linux syscalls via SVC instructions. Each wrapper follows the AAPCS calling convention — arguments in r0–r3, syscall number in r7, SVC #0 to trap, return value in r0.

// _exit(0)  →  mov r0, #0; mov r7, #1; svc #0
static void emit_syscall(int n) {
    emit_mov_imm(7, n);   // r7 = syscall number
    emit_svc(0);           // svc #0
}

The linker stub resolves symbolic calls like print_int to the corresponding syscall (write to stdout), so user code never needs to know the syscall table.

Status

The front-end handles the core language. The ARM32 code generator produces correct output for integer arithmetic, conditionals, and function calls. The syscall wrappers cover exit, write, read, and mmap. The missing pieces — structs, floats, a proper register allocator — are standard compiler engineering that builds on the pipeline already in place.

NetMoon: Raw Sockets and Network Monitoring

2026-06-01T02:00:00Z

NetMoon is a network monitoring tool built on Linux raw sockets. It captures packets, parses TCP headers, and presents connection-level metrics in real time. The implementation is about 700 lines of C and demonstrates how far you can get with nothing more than a well-chosen syscall and a couple of struct definitions.

Raw Socket Setup

Raw sockets on Linux require CAP_NET_RAW (or root). The call is straightforward — socket(AF_PACKET, SOCK_RAW, htons(ETH_P_IP)) — which delivers every IP frame that reaches the interface.

int sock = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_IP));
if (sock < 0) {
    perror("socket");
    return 1;
}

The socket is placed into promiscuous mode via PACKET_ADD_MEMBERSHIP with PACKET_MR_PROMISC. This tells the NIC to forward all frames, not just those addressed to our MAC, so we see traffic from other hosts on the same broadcast domain.

Packet Capture Loop

The capture thread reads from the raw socket into a fixed 64kB buffer and hands the buffer to a parser running in a second thread. The split keeps the capture side lossless — if the parser lags, the kernel buffer fills and drops packets in the NIC ring, not in userspace.

for (;;) {
    ssize_t n = recvfrom(sock, buf, sizeof(buf), 0, NULL, NULL);
    if (n < 0) break;
    parse_frame(buf, n);
}

TCP Header Parsing

parse_frame walks the protocol stack: Ethernet header → IP header → TCP header. Each step checks the relevant length field before advancing.

void parse_frame(uint8_t *buf, size_t len) {
    struct ethhdr *eth = (struct ethhdr *)buf;
    if (ntohs(eth->h_proto) != ETH_P_IP) return;

    struct iphdr *ip = (struct iphdr *)(buf + sizeof(struct ethhdr));
    size_t ip_hlen = ip->ihl * 4;
    if (ip->protocol != IPPROTO_TCP) return;

    struct tcphdr *tcp = (struct tcphdr *)((uint8_t *)ip + ip_hlen);
    // extract src_port, dst_port, seq, ack, flags
    // update connection table
}

Connection Tracking

The parser maintains a hash table of active connections keyed by the 4-tuple (src_ip, src_port, dst_ip, dst_port). Each entry tracks byte counts, packet counts, the current TCP state (from flags), and a rough RTT measured from SYN/SYN-ACK timing. Expired entries — those with no activity for 60 seconds — are evicted on every tenth iteration to keep the table bounded.

Real-Time Display

A curses-based UI refreshes the connection table once per second, printing per-connection bandwidth as a bar chart and flags as human-readable state:

168.1.20:44012 → 10.0.0.1:443  (ESTABLISHED)  1.2 MB   ████████░░
168.1.20:44013 → 10.0.0.1:443  (ESTABLISHED)  340 kB   ██░░░░░░░░
168.1.30:22   → 10.0.0.2:53041 (ESTABLISHED)  4.1 MB   ██████████

Packet capture at 60% with TCP header parsing already gives a useful picture of what crosses the wire. The missing pieces — reassembly, deeper protocol dissection, and a filter language — are natural extensions once the core loop is solid.

MilkyLogger: A Minimalist Logging Mechanism

2026-06-01T02:00:00Z

MilkyLogger is a logging library built around a single idea: a lock-free ring buffer shared between a producer (the application) and a consumer (a dedicated writer thread). There is no format string parsing at the call site, no dynamic allocation in the hot path, and no configuration files. The mechanism is the interesting part, not the feature set.

The Ring Buffer

The ring buffer is a fixed-size array of log_entry structs, an atomic write index, and an atomic read index. Producers increment the write index (modulo capacity) to claim a slot, copy their data in, and advance. Consumers read entries strictly behind the write cursor.

struct log_entry {
    uint64_t timestamp;
    uint8_t  level;
    uint8_t  len;
    char     data[LOG_MAX_ENTRY];
};

struct ring {
    struct log_entry buf[LOG_RING_SIZE];
    _Atomic uint32_t head;
    _Atomic uint32_t tail;
};

The head and tail are both monotonic counters that never wrap — only the index into the buffer wraps. This avoids the ABA problem entirely and makes the single-producer single-consumer case lock-free with just atomic_store / atomic_load on release / acquire ordering.

Producer Path

A call to log_info("message") expands to a macro that computes the timestamp via clock_gettime(CLOCK_MONOTONIC), copies the string literal into the claimed entry, and stores the length. No formatting, no heap — the macro ensures the string is a compile-time constant so it lands in .rodata and the copy is a fixed memcpy.

#define log_info(msg) do {                           \
    uint32_t slot = atomic_fetch_add(&ring.head, 1); \
    struct log_entry *e = &ring.buf[slot & MASK];    \
    e->timestamp = get_ns();                         \
    e->level     = LOG_INFO;                         \
    e->len       = sizeof(msg);                      \
    memcpy(e->data, msg, sizeof(msg));               \
    atomic_store(&ring.head_vis, slot + 1);          \
} while (0)

The store to head_vis is the commit; the consumer can safely read any slot with index less than head_vis.

Consumer Thread

The writer thread spins on tail < head_vis, drains entries into a file descriptor with a single writev (one iovec per field), and advances. Flushing is implicit — the consumer runs at a fixed priority and yields after emptying the ring.

void logger_thread(void *arg) {
    struct ring *r = arg;
    while (r->running) {
        while (r->tail < atomic_load(&r->head_vis)) {
            uint32_t idx = r->tail & MASK;
            struct log_entry *e = &r->buf[idx];
            write_log_entry(e);
            r->tail++;
        }
        thrd_yield();
    }
}

Why This Works

The design makes three trade-offs. First, fixed-size entries: if a message exceeds LOG_MAX_ENTRY it’s truncated silently. In practice the macro catches this at compile time. Second, the ring is static — no growth, which means under extreme load old entries are overwritten. Third, the consumer is single-threaded, so the file descriptor never contends.

The result is a logger with a producer cost of roughly a dozen nanoseconds and zero allocations, suitable for real-time audio callbacks or inner game loops where fprintf would cause audible stutter.