From aa9c1a8f8038e88da6d7cbfdc56e34ff914b7b04 Mon Sep 17 00:00:00 2001 From: Josh Bleecher Snyder Date: Wed, 28 Feb 2018 22:01:24 -0800 Subject: [PATCH] runtime: fix amd64p32 indexbytes in presence of overflow When the slice/string length is very large, probably artifically large as in CL 97523, adding BX (length) to R11 (pointer) overflows. As a result, checking DI < R11 yields the wrong result. Since they will be equal when the loop is done, just check DI != R11 instead. Yes, the pointer itself could overflow, but if that happens, something else has gone pretty wrong; not our concern here. Fixes #24187 Change-Id: I2f60fc6ccae739345d01bc80528560726ad4f8c6 Reviewed-on: https://go-review.googlesource.com/97802 Run-TryBot: Josh Bleecher Snyder TryBot-Result: Gobot Gobot Reviewed-by: Keith Randall --- src/runtime/asm_amd64p32.s | 2 +- test/fixedbugs/issue24187.go | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 test/fixedbugs/issue24187.go diff --git a/src/runtime/asm_amd64p32.s b/src/runtime/asm_amd64p32.s index a59ba6ad91..dc4c57de13 100644 --- a/src/runtime/asm_amd64p32.s +++ b/src/runtime/asm_amd64p32.s @@ -904,7 +904,7 @@ sse: condition: CMPL DI, R11 - JLT sse + JNE sse // search the end MOVL SI, CX diff --git a/test/fixedbugs/issue24187.go b/test/fixedbugs/issue24187.go new file mode 100644 index 0000000000..45fc929710 --- /dev/null +++ b/test/fixedbugs/issue24187.go @@ -0,0 +1,33 @@ +// +build amd64p32 +// run + +// Copyright 2018 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package main + +import ( + "bytes" + "fmt" + "unsafe" +) + +func main() { + b := make([]byte, 128) + for i := range b { + b[i] = 1 + } + if bytes.IndexByte(b, 0) != -1 { + panic("found 0") + } + for i := range b { + b[i] = 0 + c := b + *(*int)(unsafe.Pointer(uintptr(unsafe.Pointer(&c)) + unsafe.Sizeof(uintptr(0)))) = 1<<31 - 1 + if bytes.IndexByte(c, 0) != i { + panic(fmt.Sprintf("missing 0 at %d\n", i)) + } + b[i] = 1 + } +} -- 2.50.0