runtime: fix heap memory corruption
authorDmitriy Vyukov <dvyukov@google.com>
Mon, 24 Feb 2014 16:53:50 +0000 (20:53 +0400)
committerDmitriy Vyukov <dvyukov@google.com>
Mon, 24 Feb 2014 16:53:50 +0000 (20:53 +0400)
With concurrent sweeping, finc is modified by runfinq and queuefinalizer concurrently.
Fixes crashes like this one:
http://build.golang.org/log/6ad7b59ef2e93e3c9347eabfb4c4bd66df58fd5a
Fixes #7324.
Update #7396

LGTM=rsc
R=golang-codereviews, minux.ma, rsc
CC=golang-codereviews, khr
https://golang.org/cl/67980043

src/pkg/runtime/mgc0.c

index 238a1e790e2b7bb0bcc5f0867d76091c58ad374c..95c3e831516f25ebce18c31457d93a0c5c917127 100644 (file)
@@ -2551,7 +2551,7 @@ runfinq(void)
                                if(framecap < framesz) {
                                        runtime·free(frame);
                                        // The frame does not contain pointers interesting for GC,
-                                       // all not yet finalized objects are stored in finc.
+                                       // all not yet finalized objects are stored in finq.
                                        // If we do not mark it as FlagNoScan,
                                        // the last finalized object is not collected.
                                        frame = runtime·mallocgc(framesz, 0, FlagNoScan|FlagNoInvokeGC);
@@ -2580,8 +2580,10 @@ runfinq(void)
                                f->ot = nil;
                        }
                        fb->cnt = 0;
+                       runtime·lock(&gclock);
                        fb->next = finc;
                        finc = fb;
+                       runtime·unlock(&gclock);
                }
                runtime·gc(1); // trigger another gc to clean up the finalized objects, if possible
        }
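Review bot: The new `runtime·lock(&gclock)` / `runtime·unlock(&gclock)` pair around the push onto `finc` has no comment saying what it protects, so the locking rule that fixes this heap corruption is easy to lose in a later refactor. I would add above the lock: `// finc is also updated by queuefinalizer during concurrent sweeping; gclock serializes the free-list push.` The hunk does not show the other writers of `finc`, so it is worth confirming that queuefinalizer and any other path that pushes or pops `finc` take the same lock; otherwise the race is narrowed, not closed. runfinq's body starts and ends outside the hunk.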