diff options
| author | Austin Clements <austin@google.com> | 2020-02-26 15:12:33 -0500 |
|---|---|---|
| committer | Andrew Bonventre <andybons@golang.org> | 2020-04-07 20:04:49 +0000 |
| commit | c8d1e4cf833a2d36bfabda5e864a7cb357bc8b78 (patch) | |
| tree | be1332bc3be7aed87b14dfb8aa5e2bf9fe083ca9 | |
| parent | ea3a94c92e2ded0c49f77fc1ad08aa12ccabc461 (diff) | |
| download | go-c8d1e4cf833a2d36bfabda5e864a7cb357bc8b78.tar.gz go-c8d1e4cf833a2d36bfabda5e864a7cb357bc8b78.zip | |
[release-branch.go1.14] runtime: fix rounding in materializeGCProg
materializeGCProg allocates a temporary buffer for unrolling a GC
program. Unfortunately, when computing the size of the buffer, it
rounds *down* the number of bytes needed to store bitmap before
rounding up the number of pages needed to store those bytes. The fact
that it rounds up to pages usually mitigates the rounding down, but
the type from #37470 exists right on the boundary where this doesn't
work:
type Sequencer struct {
htable [1 << 17]uint32
buf []byte
}
On 64-bit, this GC bitmap is exactly 8 KiB of zeros, followed by three
one bits. Hence, this needs 8193 bytes of storage, but the current
math in materializeGCProg rounds *down* the three one bits to 8192
bytes. Since this is exactly pageSize, the next step of rounding up to
the page size doesn't mitigate this error, and materializeGCProg
allocates a buffer that is one byte too small. runGCProg then writes
one byte past the end of this buffer, causing either a segfault (if
you're lucky!) or memory corruption.
Updates #37470.
Fixes #37480.
Change-Id: Iad24c463c501cd9b1dc1924bc2ad007991a094a0
Reviewed-on: https://go-review.googlesource.com/c/go/+/224417
Run-TryBot: Austin Clements <austin@google.com>
Reviewed-by: Cherry Zhang <cherryyz@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
| -rw-r--r-- | src/runtime/mbitmap.go | 6 | ||||
| -rw-r--r-- | src/runtime/stubs.go | 7 |
2 files changed, 12 insertions, 1 deletions
diff --git a/src/runtime/mbitmap.go b/src/runtime/mbitmap.go index 55c0282403..2045789fa4 100644 --- a/src/runtime/mbitmap.go +++ b/src/runtime/mbitmap.go @@ -1921,7 +1921,11 @@ Run: // The bitmask starts at s.startAddr. // The result must be deallocated with dematerializeGCProg. func materializeGCProg(ptrdata uintptr, prog *byte) *mspan { - s := mheap_.allocManual((ptrdata/(8*sys.PtrSize)+pageSize-1)/pageSize, &memstats.gc_sys) + // Each word of ptrdata needs one bit in the bitmap. + bitmapBytes := divRoundUp(ptrdata, 8*sys.PtrSize) + // Compute the number of pages needed for bitmapBytes. + pages := divRoundUp(bitmapBytes, pageSize) + s := mheap_.allocManual(pages, &memstats.gc_sys) runGCProg(addb(prog, 4), nil, (*byte)(unsafe.Pointer(s.startAddr)), 1) return s } diff --git a/src/runtime/stubs.go b/src/runtime/stubs.go index b8d4d6b30a..2c6f027c2c 100644 --- a/src/runtime/stubs.go +++ b/src/runtime/stubs.go @@ -310,6 +310,13 @@ func alignDown(n, a uintptr) uintptr { return n &^ (a - 1) } +// divRoundUp returns ceil(n / a). +func divRoundUp(n, a uintptr) uintptr { + // a is generally a power of two. This will get inlined and + // the compiler will optimize the division. + return (n + a - 1) / a +} + // checkASM reports whether assembly runtime checks have passed. func checkASM() bool |