In ARM, the Thumb-EE instruction set supports automatic null-pointer checking.
In ThumbEE state, the processor uses almost the same instruction set as Thumb-2 although some instructions behave differently, and a few are removed, or added.
The key differences are:
- additional state changing instructions in both Thumb state and ThumbEE state
- new instructions to branch to handlers
- null pointer checking on loads and stores
- an additional instruction in ThumbEE state to check array bounds
- some other modifications to the load, store, and branch instructions
The ARM manual says that when a Thumb-EE instruction tries to reference a null pointer, a 'handler will be invoked'. But who sets this handler's address? And how? When? I can't get an answer from the ARM Thumb-EE manual.
See the section "B1.12 Thumb Execution Environment" in the ARM Architecture Reference Manual (ARM DDI 0406C).
The base address of the ThumbEE check handlers is held in the TEEHBR register, which resides in the CP14 system register space:

    MRC p14, 6, <Rt>, c1, c0, 0 ; Read TEEHBR into Rt
    MCR p14, 6, <Rt>, c1, c0, 0 ; Write Rt to TEEHBR
Note that ThumbEE, like Jazelle, is deprecated by ARM.
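As an added illustration of how a runtime would actually set that register (this is not code from the question, the answer, or ARM's documentation), the following GNU assembler fragment lays out a handler region and writes its base into TEEHBR using the MCR encoding quoted above. It assumes an ARMv7-A core that implements ThumbEE, privileged execution (CP14 access is privileged unless the runtime has opened it via TEECR), and the handler layout described in B1.12, where the null-check handler sits at HandlerBase - 4 and the index-check handler at HandlerBase - 8; those offsets and the labels `handler_base`, `report_fault` and `install_teehbr` are this example's own choices.

```asm
@ Added example, not part of the original Q&A.
@ Assumes: ARMv7-A with ThumbEE, privileged mode, and the B1.12 layout
@ (null-check handler at HandlerBase - 4, index-check handler at
@ HandlerBase - 8; HB/HBL handlers follow HandlerBase at 32-byte stride).
        .syntax unified
        .arch   armv7-a
        .text

        .thumb                          @ check handlers run in ThumbEE state,
        .balign 4                       @ so they are written as Thumb-2 code

        .thumb_func
index_check_handler:                    @ entered on a failed CHKA bounds check
        b.w     report_fault            @ 4 bytes: occupies HandlerBase - 8 .. - 4

        .thumb_func
null_check_handler:                     @ entered on a load/store through null
        b.w     report_fault            @ 4 bytes: occupies HandlerBase - 4 .. 0

handler_base:                           @ word-aligned value written to TEEHBR
        @ HB/HBL/HBLP/HBP handler n would be placed at handler_base + 32*n

        .thumb_func
report_fault:
        bkpt    #0                      @ placeholder: hand off to the runtime's
                                        @ own fault/exception reporting path

        .arm
        .global install_teehbr
        .type   install_teehbr, %function
install_teehbr:
        ldr     r0, =handler_base
        mcr     p14, 6, r0, c1, c0, 0   @ write TEEHBR  (answer's encoding)
        mrc     p14, 6, r1, c1, c0, 0   @ read it back (answer's encoding)
        cmp     r0, r1                  @ Z set if the write took effect
        moveq   r0, #0                  @ return 0 on success
        movne   r0, #1                  @ return 1 if the readback disagrees
        bx      lr
```

After `install_teehbr` returns, code that executes `ENTERX` to switch into ThumbEE state will have its null-pointer loads and stores and its `CHKA` bounds checks redirected to the two handlers above; `LEAVEX` returns to ordinary Thumb state. The read-back compare is there because TEEHBR is UNDEFINED or inaccessible on cores without ThumbEE, so a runtime should confirm the write rather than assume it.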