From: Dmitriy Vyukov
Date: Mon, 24 Feb 2014 16:53:50 +0000 (+0400)
Subject: runtime: fix heap memory corruption
X-Git-Tag: go1.3beta1~602
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=ea8750175020f162a15c827225328f8ba9e1a118;p=gostls13.git
runtime: fix heap memory corruption
With concurrent sweeping finc if modified by runfinq and queuefinalizer concurrently. Fixes crashes like this one: http://build.golang.org/log/6ad7b59ef2e93e3c9347eabfb4c4bd66df58fd5a Fixes #7324. Update #7396 LGTM=rsc R=golang-codereviews, minux.ma, rsc CC=golang-codereviews, khr https://golang.org/cl/67980043
---
diff --git a/src/pkg/runtime/mgc0.c b/src/pkg/runtime/mgc0.c
index 238a1e790e..95c3e83151 100644
--- a/src/pkg/runtime/mgc0.c
+++ b/src/pkg/runtime/mgc0.c
@@ -2551,7 +2551,7 @@ runfinq(void)
 if(framecap < framesz) {
 runtime·free(frame);
 // The frame does not contain pointers interesting for GC,
- // all not yet finalized objects are stored in finc.
+ // all not yet finalized objects are stored in finq.
 // If we do not mark it as FlagNoScan,
 // the last finalized object is not collected.
 frame = runtime·mallocgc(framesz, 0, FlagNoScan|FlagNoInvokeGC);
@@ -2580,8 +2580,10 @@ runfinq(void)
 f->ot = nil;
 }
 fb->cnt = 0;
+ runtime·lock(&gclock);
 fb->next = finc;
 finc = fb;
+ runtime·unlock(&gclock);
 }
 runtime·gc(1); // trigger another gc to clean up the finalized objects, if possible
 }
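Review bot: The `runtime·lock(&gclock)` / `runtime·unlock(&gclock)` pair added around `fb->next = finc; finc = fb;` in the second hunk has no comment saying what it protects, so the invariant behind this heap-corruption fix is recorded only in the commit message. I would add above the lock something like `// finc is also modified by queuefinalizer while sweeping runs concurrently; push the block under gclock.` The declaration of `finc` and the `queuefinalizer` side are outside this hunk, so it is worth confirming that every other reader and writer of `finc` takes the same lock and noting `protected by gclock` at the declaration. The body of `runfinq` starts outside the hunk.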