runtime: repeat bitmap for slice of GCprog n-1 times, not n times

Currently, to write out the bitmap of a slice of a type with a GCprog,
we construct a new GCprog that executes the underlying type's GCprog
to write out the bitmap once and then repeats those bits n more times.
This results in n+1 repetitions of the bitmap, which is one more
repetition than it should be. This corrupts the bitmap of the heap
following the slice and may write past the mapped bitmap memory and
segfault.

Fix this by repeating the bitmap only n-1 more times.

Fixes #11430.

Change-Id: Ic24854363bffc5a755b66f257339f9309ada3aa5
Reviewed-on: https://go-review.googlesource.com/11570
Run-TryBot: Austin Clements <austin@google.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

diff --git a/src/runtime/mbitmap.go b/src/runtime/mbitmap.go
index efdcb8fca41fa8538549511f669a960c258fa8f8..ef17409ebeb73cc57a4161eacae415cd462853f2 100644 (file)
--- a/src/runtime/mbitmap.go
+++ b/src/runtime/mbitmap.go
@@ -1193,7 +1193,7 @@ func heapBitsSetTypeGCProg(h heapBits, progSize, elemSize, dataSize, allocSize u
                }
                trailer[i] = byte(n)
                i++
-               n = count
+               n = count - 1
                for ; n >= 0x80; n >>= 7 {
                        trailer[i] = byte(n | 0x80)
                        i++