The bug is that cgocallback_gofunc allocates a fake frame for cgocallback_gofunc:
```asm
// Switch to m->curg stack and call runtime.cgocallbackg.
// Because we are taking over the execution of m->curg
// but *not* resuming what had been running, we need to
// save that information (m->curg->sched) so we can restore it.
// We can restore m->curg->sched.sp easily, because calling
// runtime.cgocallbackg leaves SP unchanged upon return.
// To save m->curg->sched.pc, we push it onto the stack.
// This has the added benefit that it looks to the traceback
// routine like cgocallbackg is going to return to that
// PC (because the frame we allocate below has the same
// size as cgocallback_gofunc's frame declared above)
// so that the traceback will seamlessly trace back into
// the earlier calls.
//
// In the new goroutine, 0(SP) holds the saved R8.
MOVQ m_curg(BX), SI
MOVQ SI, g(CX)
MOVQ (g_sched+gobuf_sp)(SI), DI // prepare stack as DI
MOVQ (g_sched+gobuf_pc)(SI), BX
MOVQ BX, -8(DI)
// Compute the size of the frame, including return PC and, if
// GOEXPERIMENT=framepointer, the saved base pointer
LEAQ fv+0(FP), AX
SUBQ SP, AX
SUBQ AX, DI
MOVQ DI, SP
```
But the frame contains garbage while cgocallback_gofunc arguments contain 2 pointers, so these pointer slots contain garbage during GC and stack copying.
I can confirm that by spraying newly allocated stacks with any magic value and then observing these values in panic traces:
```
runtime.cgocallback_gofunc(0x67, 0x67, 0x67)
```
This happens on 1.4 and tip and can lead to false memory retention and crashes.
This was reported privately as episodic crashes on 1.4:
I can reproduce it on tip using the following program:
And if I enable object validation during GC, then it crashes as: