languages/go
languages/go
1
0
Fork 0
mirror of https://github.com/golang/go synced 2024-07-21 01:55:06 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
go/test/fixedbugs/issue16515.go
Cherry Zhang 111d590f86 cmd/compile: fix possible spill of invalid pointer with DUFFZERO on AMD64 
SSA compiler on AMD64 may spill Duff-adjusted address as scalar. If
the object is on stack and the stack moves, the spilled address become
invalid.

Making the spill pointer-typed does not work. The Duff-adjusted address
points to the memory before the area to be zeroed and may be invalid.
This may cause stack scanning code panic.

Fix it by doing Duff-adjustment in genValue, so the intermediate value
is not seen by the reg allocator, and will not be spilled.

Add a test to cover both cases. As it depends on allocation, it may
be not always triggered.

Fixes #16515.

Change-Id: Ia81d60204782de7405b7046165ad063384ede0db
Reviewed-on: https://go-review.googlesource.com/25309
Run-TryBot: Cherry Zhang <cherryyz@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: David Chase <drchase@google.com>
2016-07-29 01:09:55 +00:00

54 lines
1.1 KiB
Go
Raw Blame History

// run
// Copyright 2016 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// issue 16515: spilled Duff-adjusted address may be invalid
package main
import "runtime"
type T [62]int // DUFFZERO with non-zero adjustment on AMD64
var sink interface{}
//go:noinline
func zero(x *T) {
// Two DUFFZEROs on the same address with a function call in between.
// Duff-adjusted address will be spilled and loaded
*x = T{} // DUFFZERO
runtime.GC()
(*x)[0] = 1
g() // call a function with large frame, trigger a stack move
*x = T{} // DUFFZERO again
}
//go:noinline
// a function with large frame
func g() {
var x [1000]int
_ = x
}
func main() {
var s struct { a T; b [8192-62]int } // allocate 64K, hopefully it's in a new span and a few bytes before it is garbage
sink = &s // force heap allocation
s.a[0] = 2
zero(&s.a)
if s.a[0] != 0 {
println("s.a[0] =", s.a[0])
panic("zeroing failed")
}
var a T // on stack
a[0] = 2
zero(&a)
if a[0] != 0 {
println("a[0] =", a[0])
panic("zeroing failed")
}
}
Reference in a new issue View git blame Copy permalink