On these platforms, we set up a frame pointer record below
the current stack pointer, so when we're in duffcopy or duffzero,
we get a reasonable traceback. See #73753.
But because this frame pointer record is below SP, it is vulnerable.
Anything that adds a new stack frame to the stack might clobber it.
Which actually happens in #73748 on amd64. I have not yet come across
a repro on arm64, but might as well be safe here.
The only real situation this could happen is when duffzero or duffcopy
is passed a nil pointer. So we can just avoid the problem by doing the
nil check outside duffzero/duffcopy. That way we never add a frame
below duffzero/duffcopy. (Most other ways to get a new frame below the
current one, like async preempt or debugger-generated calls, don't
apply to duffzero/duffcopy because they are runtime functions; we're
not allowed to preempt there.)
Longer term, we should stop putting stuff below SP. #73753 will
include that as part of its remit. But that's not for 1.25, so we'll
do the simple thing for 1.25 for this issue.
Fixes #73908
Change-Id: I913c49ee46dcaee8fb439415a4531f7b59d0f612
Reviewed-on: https://go-review.googlesource.com/c/go/+/676916
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: Keith Randall <khr@google.com>
(cherry picked from commit
dbaa2d3e6525a29defdff16f354881a93974dd2e)
Reviewed-on: https://go-review.googlesource.com/c/go/+/677095
inputs: []regMask{buildReg("DI")},
clobbers: buildReg("DI"),
},
- faultOnNilArg0: true,
- unsafePoint: true, // FP maintenance around DUFFCOPY can be clobbered by interrupts
+ //faultOnNilArg0: true, // Note: removed for 73748. TODO: reenable at some point
+ unsafePoint: true, // FP maintenance around DUFFCOPY can be clobbered by interrupts
},
// arg0 = address of memory to zero
inputs: []regMask{buildReg("DI"), buildReg("SI")},
clobbers: buildReg("DI SI X0"), // uses X0 as a temporary
},
- clobberFlags: true,
- faultOnNilArg0: true,
- faultOnNilArg1: true,
- unsafePoint: true, // FP maintenance around DUFFCOPY can be clobbered by interrupts
+ clobberFlags: true,
+ //faultOnNilArg0: true, // Note: removed for 73748. TODO: reenable at some point
+ //faultOnNilArg1: true,
+ unsafePoint: true, // FP maintenance around DUFFCOPY can be clobbered by interrupts
},
// arg0 = destination pointer
inputs: []regMask{buildReg("R20")},
clobbers: buildReg("R16 R17 R20 R30"),
},
- faultOnNilArg0: true,
- unsafePoint: true, // FP maintenance around DUFFZERO can be clobbered by interrupts
+ //faultOnNilArg0: true, // Note: removed for 73748. TODO: reenable at some point
+ unsafePoint: true, // FP maintenance around DUFFZERO can be clobbered by interrupts
},
// large zeroing
inputs: []regMask{buildReg("R21"), buildReg("R20")},
clobbers: buildReg("R16 R17 R20 R21 R26 R30"),
},
- faultOnNilArg0: true,
- faultOnNilArg1: true,
- unsafePoint: true, // FP maintenance around DUFFCOPY can be clobbered by interrupts
+ //faultOnNilArg0: true, // Note: removed for 73748. TODO: reenable at some point
+ //faultOnNilArg1: true,
+ unsafePoint: true, // FP maintenance around DUFFCOPY can be clobbered by interrupts
},
// large move
},
},
{
- name: "DUFFZERO",
- auxType: auxInt64,
- argLen: 2,
- faultOnNilArg0: true,
- unsafePoint: true,
+ name: "DUFFZERO",
+ auxType: auxInt64,
+ argLen: 2,
+ unsafePoint: true,
reg: regInfo{
inputs: []inputInfo{
{0, 128}, // DI
},
},
{
- name: "DUFFCOPY",
- auxType: auxInt64,
- argLen: 3,
- clobberFlags: true,
- faultOnNilArg0: true,
- faultOnNilArg1: true,
- unsafePoint: true,
+ name: "DUFFCOPY",
+ auxType: auxInt64,
+ argLen: 3,
+ clobberFlags: true,
+ unsafePoint: true,
reg: regInfo{
inputs: []inputInfo{
{0, 128}, // DI
},
},
{
- name: "DUFFZERO",
- auxType: auxInt64,
- argLen: 2,
- faultOnNilArg0: true,
- unsafePoint: true,
+ name: "DUFFZERO",
+ auxType: auxInt64,
+ argLen: 2,
+ unsafePoint: true,
reg: regInfo{
inputs: []inputInfo{
{0, 1048576}, // R20
},
},
{
- name: "DUFFCOPY",
- auxType: auxInt64,
- argLen: 3,
- faultOnNilArg0: true,
- faultOnNilArg1: true,
- unsafePoint: true,
+ name: "DUFFCOPY",
+ auxType: auxInt64,
+ argLen: 3,
+ unsafePoint: true,
reg: regInfo{
inputs: []inputInfo{
{0, 2097152}, // R21
--- /dev/null
+// run
+
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+import (
+ "context"
+ "io"
+ "runtime/trace"
+)
+
+type T struct {
+ a [16]int
+}
+
+//go:noinline
+func f(x *T) {
+ *x = T{}
+}
+
+func main() {
+ trace.Start(io.Discard)
+ defer func() {
+ recover()
+ trace.Log(context.Background(), "a", "b")
+
+ }()
+ f(nil)
+}
--- /dev/null
+// run
+
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+import (
+ "context"
+ "io"
+ "runtime/trace"
+)
+
+type T struct {
+ a [16]int
+}
+
+//go:noinline
+func f(x, y *T) {
+ *x = *y
+}
+
+func main() {
+ trace.Start(io.Discard)
+ defer func() {
+ recover()
+ trace.Log(context.Background(), "a", "b")
+
+ }()
+ f(nil, nil)
+}