mmap Mac: Segmentation fault

Question

The following on my Mac succeeds:

int main() {
    int* addr = (int*) mmap(0, 100, 1 | 2, 2 | 4096, -1, 0);

    *addr = 25;

    return 0;
}

However the below code is identical but fails when I try to write to *addr with segmentation fault:

int main() {
    int* addr = (int*) syscall(SYS_mmap, 0, 100, 1 | 2, 2 | 4096, -1, 0);

    *addr = 25;

    return 0;
}

I.e. syscall successfully returns me a memory address, but when I try writing to it it fails.

I compile it like this:

g++ ./c++/mmap.cc -o ./mmap && ./mmap

If I run both versions with dtruss:

g++ ./c++/mmap.cc -o ./mmap && sudo dtruss ./mmap

then both version succeed and I see identical mmap call for both:

mmap(0x0, 0x64, 0x3, 0x1002, 0xFFFFFFFF, 0x0)            = 0xXXXXXXX 0

Why does the syscall version give me segmentation fault, what am I missing?

P.S. If I do something similar on Linux it works fine.

So, as I understand the mmap function on Mac does not execute syscall(SYS_mmap, .... What does it do then? Can anyone please give me some links where I can see implementation.

EDIT:

It looks like syscall on Mac returns only first 4 bytes. Is there a 64-bit syscall version?

DISASSEMBLED:

mmap version:

_main:
0000000100000cf0        pushq   %rbp
0000000100000cf1        movq    %rsp, %rbp
0000000100000cf4        subq    $0x30, %rsp
0000000100000cf8        xorl    %eax, %eax
0000000100000cfa        movl    %eax, %ecx
0000000100000cfc        movl    $0x64, %eax
0000000100000d01        movl    %eax, %esi
0000000100000d03        movl    $0x3, %edx
0000000100000d08        movl    $0x1002, %eax
0000000100000d0d        movl    $0xffffffff, %r8d
0000000100000d13        movl    $0x0, -0x14(%rbp)
0000000100000d1a        movq    %rcx, %rdi
0000000100000d1d        movq    %rcx, -0x28(%rbp)
0000000100000d21        movl    %eax, %ecx
0000000100000d23        movq    -0x28(%rbp), %r9
0000000100000d27        callq   0x100000ed6 ## symbol stub for: _mmap
0000000100000d2c        movq    0x2cd(%rip), %rdi ## literal pool symbol address: __ZNSt3__14coutE
0000000100000d33        movq    %rax, -0x20(%rbp)
0000000100000d37        movq    -0x20(%rbp), %rax
0000000100000d3b        movq    %rax, %rsi

syscall version:

_main:
0000000100000cf0        pushq   %rbp
0000000100000cf1        movq    %rsp, %rbp
0000000100000cf4        subq    $0x30, %rsp
0000000100000cf8        movl    $0xc5, %edi
0000000100000cfd        xorl    %esi, %esi
0000000100000cff        movl    $0x64, %edx
0000000100000d04        movl    $0x3, %ecx
0000000100000d09        movl    $0x1002, %r8d
0000000100000d0f        movl    $0xffffffff, %r9d
0000000100000d15        movl    $0x0, -0x14(%rbp)
0000000100000d1c        movl    $0x0, (%rsp)
0000000100000d23        movb    $0x0, %al
0000000100000d25        callq   0x100000ed6 ## symbol stub for: _syscall
0000000100000d2a        movq    0x2cf(%rip), %rdi ## literal pool symbol address: __ZNSt3__14coutE
0000000100000d31        movslq  %eax, %r10
0000000100000d34        movq    %r10, -0x20(%rbp)
0000000100000d38        movq    -0x20(%rbp), %r10
0000000100000d3c        movq    %r10, %rsi

Answer 1

Apparently Mac does not have a 64-bit syscall function, here a is simple implementation:

#include <sys/types.h>

#define CARRY_FLAG_BIT 1

inline int64_t syscall6(int64_t num, int64_t arg1, int64_t arg2, int64_t arg3, int64_t arg4, int64_t arg5, int64_t arg6) {
    int64_t result;
    int64_t flags;

    __asm__ __volatile__ (
        "movq %6, %%r10;\n"
        "movq %7, %%r8;\n"
        "movq %8, %%r9;\n"
        "syscall;\n"
        "movq %%r11, %1;\n"
        : "=a" (result), "=r" (flags)
        : "a" (num), "D" (arg1), "S" (arg2), "d" (arg3), "r" (arg4), "r" (arg5), "r" (arg6)
        : "%r10", "%r8", "%r9", "%rcx", "%r11"
    );

    return (flags & CARRY_FLAG_BIT) ? -result : result;
}

And you use it on mac by shifting system call numbers by 0x2000000:

int* addr = (int*) syscall6(0x2000000 + SYS_mmap, 0, 100, 1 | 2, 2 | 4096, -1, 0);

You can find more here.