diff options
| author | Russ Cox <rsc@golang.org> | 2014-09-08 14:05:23 -0400 |
|---|---|---|
| committer | Russ Cox <rsc@golang.org> | 2014-09-08 14:05:23 -0400 |
| commit | c81a0ed3c50606d1ada0fd9b571611b3687c90e1 (patch) | |
| tree | a35c5747f012a3c7d5ec16286298e87be53b86c6 /src/runtime/cgocallback.go | |
| parent | 526319830bf0d7778226fa9ef558f51ebe67aaa6 (diff) | |
| download | go-c81a0ed3c50606d1ada0fd9b571611b3687c90e1.tar.gz go-c81a0ed3c50606d1ada0fd9b571611b3687c90e1.zip | |
liblink, runtime: diagnose and fix C code running on Go stack
This CL contains compiler+runtime changes that detect C code
running on Go (not g0, not gsignal) stacks, and it contains
corrections for what it detected.
The detection works by changing the C prologue to use a different
stack guard word in the G than Go prologue does. On the g0 and
gsignal stacks, that stack guard word is set to the usual
stack guard value. But on ordinary Go stacks, that stack
guard word is set to ^0, which will make any stack split
check fail. The C prologue then calls morestackc instead
of morestack, and morestackc aborts the program with
a message about running C code on a Go stack.
This check catches all C code running on the Go stack
except NOSPLIT code. The NOSPLIT code is allowed,
so the check is complete. Since it is a dynamic check,
the code must execute to be caught. But unlike the static
checks we've been using in cmd/ld, the dynamic check
works with function pointers and other indirect calls.
For example it caught sigpanic being pushed onto Go
stacks in the signal handlers.
Fixes #8667.
LGTM=khr, iant
R=golang-codereviews, khr, iant
CC=golang-codereviews, r
https://golang.org/cl/133700043
Diffstat (limited to 'src/runtime/cgocallback.go')
| -rw-r--r-- | src/runtime/cgocallback.go | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/src/runtime/cgocallback.go b/src/runtime/cgocallback.go new file mode 100644 index 0000000000..844a095c22 --- /dev/null +++ b/src/runtime/cgocallback.go @@ -0,0 +1,37 @@ +// Copyright 2011 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package runtime + +import "unsafe" + +// These functions are called from C code via cgo/callbacks.c. + +// Allocate memory. This allocates the requested number of bytes in +// memory controlled by the Go runtime. The allocated memory will be +// zeroed. You are responsible for ensuring that the Go garbage +// collector can see a pointer to the allocated memory for as long as +// it is valid, e.g., by storing a pointer in a local variable in your +// C function, or in memory allocated by the Go runtime. If the only +// pointers are in a C global variable or in memory allocated via +// malloc, then the Go garbage collector may collect the memory. +// +// TODO(rsc,iant): This memory is untyped. +// Either we need to add types or we need to stop using it. + +func _cgo_allocate_internal(len uintptr) unsafe.Pointer { + ret := gomallocgc(len, nil, 0) + c := new(cgomal) + c.alloc = ret + gp := getg() + c.next = gp.m.cgomal + gp.m.cgomal = c + return ret +} + +// Panic. + +func _cgo_panic_internal(p *byte) { + panic(gostringnocopy(p)) +} |