• Russ Cox's avatar
    runtime: stack split + garbage collection bug · 370276a3
    Russ Cox authored
    The g->sched.sp saved stack pointer and the
    g->stackbase and g->stackguard stack bounds
    can change even while "the world is stopped",
    because a goroutine has to call functions (and
    therefore might split its stack) when exiting a
    system call to check whether the world is stopped
    (and if so, wait until the world continues).
    
    That means the garbage collector cannot access
    those values safely (without a race) for goroutines
    executing system calls.  Instead, save a consistent
    triple in g->gcsp, g->gcstack, g->gcguard during
    entersyscall and have the garbage collector refer
    to those.
    
    The old code was occasionally seeing (because of
    the race) an sp and stk that did not correspond to
    each other, so that stk - sp was not the number of
    stack bytes following sp.  In that case, if sp < stk
    then the call scanblock(sp, stk - sp) scanned too
    many bytes (anything between the two pointers,
    which pointed into different allocation blocks).
    If sp > stk then stk - sp wrapped around.
    On 32-bit, stk - sp is a uintptr (uint32) converted
    to int64 in the call to scanblock, so a large (~4G)
    but positive number.  Scanblock would try to scan
    that many bytes and eventually fault accessing
    unmapped memory.  On 64-bit, stk - sp is a uintptr (uint64)
    promoted to int64 in the call to scanblock, so a negative
    number.  Scanblock would not scan anything, possibly
    causing in-use blocks to be freed.
    
    In short, 32-bit platforms would have seen either
    ineffective garbage collection or crashes during garbage
    collection, while 64-bit platforms would have seen
    either ineffective or incorrect garbage collection.
    You can see the invalid arguments to scanblock in the
    stack traces in issue 1620.
    
    Fixes #1620.
    Fixes #1746.
    
    R=iant, r
    CC=golang-dev
    https://golang.org/cl/4437075
    370276a3
runtime.h 15.2 KB