From: Dmitriy Vyukov <dvyukov@google.com>
Date: Tue, 13 May 2014 05:53:47 +0000 (+0400)
Subject: reflect: fix map type generation
X-Git-Tag: go1.3beta2~75
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=5bc1cef869b0c6caea2d680010908cf6871c6c24;p=gostls13.git

reflect: fix map type generation
If a map variable is created with reflect.New it has incorrect type (map[unsafe.Pointer]unsafe.Pointer).
If GC follows such pointer, it scans Hmap and buckets with incorrect type.
This can lead to overscan of up to 120 bytes for map[int8]struct{}.
Which in turn can lead to crash if the memory after a bucket object is unaddressable
or false retention (buckets are scanned as arrays of unsafe.Pointer).
I don't see how it can lead to heap corruptions, though.

LGTM=khr
R=rsc, khr
CC=golang-codereviews
https://golang.org/cl/96270044
---

diff --git a/src/pkg/reflect/type.go b/src/pkg/reflect/type.go
index 5a4ac8cf7c..40d76f99d0 100644
--- a/src/pkg/reflect/type.go
+++ b/src/pkg/reflect/type.go
@@ -1541,6 +1541,13 @@ func MapOf(key, elem Type) Type {
 	mt.uncommonType = nil
 	mt.ptrToThis = nil
 	mt.zero = unsafe.Pointer(&make([]byte, mt.size)[0])
+	mt.gc = unsafe.Pointer(&ptrGC{
+		width:  unsafe.Sizeof(uintptr(0)),
+		op:     _GC_PTR,
+		off:    0,
+		elemgc: mt.hmap.gc,
+		end:    _GC_END,
+	})
 
 	// INCORRECT. Uncomment to check that TestMapOfGC and TestMapOfGCValues
 	// fail when mt.gc is wrong.