[release-branch.go1.13] runtime: fix rounding in materializeGCProg

materializeGCProg allocates a temporary buffer for unrolling a GC
program. Unfortunately, when computing the size of the buffer, it
rounds *down* the number of bytes needed to store bitmap before
rounding up the number of pages needed to store those bytes. The fact
that it rounds up to pages usually mitigates the rounding down, but
the type from #37470 exists right on the boundary where this doesn't
work:

type Sequencer struct {
	htable [1 << 17]uint32
	buf    []byte
}

On 64-bit, this GC bitmap is exactly 8 KiB of zeros, followed by three
one bits. Hence, this needs 8193 bytes of storage, but the current
math in materializeGCProg rounds *down* the three one bits to 8192
bytes. Since this is exactly pageSize, the next step of rounding up to
the page size doesn't mitigate this error, and materializeGCProg
allocates a buffer that is one byte too small. runGCProg then writes
one byte past the end of this buffer, causing either a segfault (if
you're lucky!) or memory corruption.

Updates #37470.
Fixes #37483.

Change-Id: Iad24c463c501cd9b1dc1924bc2ad007991a094a0
Reviewed-on: https://go-review.googlesource.com/c/go/+/224418
Run-TryBot: Austin Clements <austin@google.com>
Reviewed-by: Cherry Zhang <cherryyz@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>

diff --git a/src/runtime/mbitmap.go b/src/runtime/mbitmap.go
index 30ec5f1cc905e3dd20f3249b1bc2e5bfaec4d2e5..71efe33741f39af79b8ca22b1847749484999204 100644 (file)
--- a/src/runtime/mbitmap.go
+++ b/src/runtime/mbitmap.go
@@ -1912,7 +1912,11 @@ Run:
 // The bitmask starts at s.startAddr.
 // The result must be deallocated with dematerializeGCProg.
 func materializeGCProg(ptrdata uintptr, prog *byte) *mspan {
-       s := mheap_.allocManual((ptrdata/(8*sys.PtrSize)+pageSize-1)/pageSize, &memstats.gc_sys)
+       // Each word of ptrdata needs one bit in the bitmap.
+       bitmapBytes := divRoundUp(ptrdata, 8*sys.PtrSize)
+       // Compute the number of pages needed for bitmapBytes.
+       pages := divRoundUp(bitmapBytes, pageSize)
+       s := mheap_.allocManual(pages, &memstats.gc_sys)
        runGCProg(addb(prog, 4), nil, (*byte)(unsafe.Pointer(s.startAddr)), 1)
        return s
 }

diff --git a/src/runtime/stubs.go b/src/runtime/stubs.go
index 26aaf2224d519feb1b4d4343635a5adb0bdf7259..8d1c69840085957b449cd2c127658896d350e64f 100644 (file)
--- a/src/runtime/stubs.go
+++ b/src/runtime/stubs.go
@@ -295,6 +295,13 @@ func round(n, a uintptr) uintptr {
        return (n + a - 1) &^ (a - 1)
 }
 
+// divRoundUp returns ceil(n / a).
+func divRoundUp(n, a uintptr) uintptr {
+       // a is generally a power of two. This will get inlined and
+       // the compiler will optimize the division.
+       return (n + a - 1) / a
+}
+
 // checkASM reports whether assembly runtime checks have passed.
 func checkASM() bool