NotificationsYou must be signed in to change notification settings
Fork18.4k
Star130k

Commitd72c550

committed

[release-branch.go1.1] runtime: fix heap corruption during GC

««« CL 9831043 / e84e7204b01bruntime: fix heap corruption during GCThe 'n' variable is used during rescan initiation in GC_END case,but it's overwritten with chan capacity in GC_CHAN case.As the result rescan is done with the wrong object size.Fixes#5554.R=golang-dev, khrCC=golang-devhttps://golang.org/cl/9831043»»»R=dvyukov, khr, daveCC=golang-devhttps://golang.org/cl/10028044

1 parent371a3ab commitd72c550Copy full SHA for d72c550

File tree

2 files changed

+32

-4

lines changed

src/pkg/runtime
- gc_test.go
- mgc0.c

2 files changed

+32

-4

lines changed

`‎src/pkg/runtime/gc_test.go‎`

Lines changed: 28 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -121,3 +121,31 @@ func TestGcArraySlice(t *testing.T) {`
`121`	`121`	`}`
`122`	`122`	`}`
`123`	`123`	`}`
	`124`	`+`
	`125`	`+funcTestGcRescan(t*testing.T) {`
	`126`	`+typeXstruct {`
	`127`	`+cchanerror`
	`128`	`+nextx*X`
	`129`	`+}`
	`130`	`+typeYstruct {`
	`131`	`+X`
	`132`	`+nexty*Y`
	`133`	`+p*int`
	`134`	`+}`
	`135`	`+varhead*Y`
	`136`	`+fori:=0;i<10;i++ {`
	`137`	`+p:=&Y{}`
	`138`	`+p.c=make(chanerror)`
	`139`	`+p.nextx=&head.X`
	`140`	`+p.nexty=head`
	`141`	`+p.p=new(int)`
	`142`	`+*p.p=42`
	`143`	`+head=p`
	`144`	`+runtime.GC()`
	`145`	`+}`
	`146`	`+forp:=head;p!=nil;p=p.nexty {`
	`147`	`+if*p.p!=42 {`
	`148`	`+t.Fatal("corrupted heap")`
	`149`	`+}`
	`150`	`+}`
	`151`	`+}`

`‎src/pkg/runtime/mgc0.c‎`

Lines changed: 4 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -623,7 +623,7 @@ scanblock(Workbuf wbuf, Obj wp, uintptr nobj, bool keepworking)`
`623`	`623`	`byteb,arena_start,*arena_used;`
`624`	`624`	`uintptrn,i,end_b,elemsize,size,ti,objti,count,type;`
`625`	`625`	`uintptr*pc,precise_type,nominal_size;`
`626`		`-uintptrmap_ret,mapkey_size,mapval_size,mapkey_ti,mapval_ti,chan_ret;`
	`626`	`+uintptrmap_ret,mapkey_size,mapval_size,mapkey_ti,mapval_ti,chan_ret,chancap;`
`627`	`627`	`void*obj;`
`628`	`628`	`Type*t;`
`629`	`629`	`Slice*sliceptr;`
`@@ -1062,13 +1062,13 @@ scanblock(Workbuf wbuf, Obj wp, uintptr nobj, bool keepworking)`
`1062`	`1062`	`if(!(chantype->elem->kind&KindNoPointers)) {`
`1063`	`1063`	`// Channel's buffer follows Hchan immediately in memory.`
`1064`	`1064`	`// Size of buffer (cap(c)) is second int in the chan struct.`
`1065`		`-n= ((uintgo*)chan)[1];`
`1066`		`-if(n>0) {`
	`1065`	`+chancap= ((uintgo*)chan)[1];`
	`1066`	`+if(chancap>0) {`
`1067`	`1067`	`// TODO(atom): split into two chunks so that only the`
`1068`	`1068`	`// in-use part of the circular buffer is scanned.`
`1069`	`1069`	`// (Channel routines zero the unused part, so the current`
`1070`	`1070`	`// code does not lead to leaks, it's just a little inefficient.)`
`1071`		`-objbufpos++= (Obj){(byte)chan+runtime·Hchansize,n*chantype->elem->size,`
	`1071`	`+objbufpos++= (Obj){(byte)chan+runtime·Hchansize,chancap*chantype->elem->size,`
`1072`	`1072`	`(uintptr)chantype->elem->gc \|PRECISE \|LOOP};`
`1073`	`1073`	`if(objbufpos==objbuf_end)`
`1074`	`1074`	`flushobjbuf(objbuf,&objbufpos,&wp,&wbuf,&nobj);`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitd72c550

File tree

2 files changed

2 files changed

`‎src/pkg/runtime/gc_test.go‎`

`‎src/pkg/runtime/mgc0.c‎`

0 commit comments