runtime: possible pointer-to-random-memory during hashmap evacuate #21459
Comments
josharian
changed the title
|
Change https://golang.org/cl/55890 mentions this issue: |
|
How long has this bug been in existence? |
|
Probably since the GC cared about invalid pointers (1.6?). It's a very hard bug to trigger. You'd have to be evacuating to the last bucket in an array of map buckets, or an overflow bucket, be evacuating just the right number of elements, and get interrupted at just the right time. But if it did trigger it would be one of those annoying and hard to track down "sweep increased allocation count" bugs. The fix is super simple. |
|
We pushed the overflow pointer to the end of the bucket a while ago to solve exactly this sort of problem, so this actually isn't a bug. Even if the pointer points past the end of the value array, it doesn't point past the end of the bucket. |
|
Change https://golang.org/cl/56772 mentions this issue: |
After the key and value arrays, we have an overflow pointer. So there's no way a past-the-end key or value pointer could point past the end of the containing bucket. So we don't need this additional protection. Update #21459 Change-Id: I7726140033b06b187f7a7d566b3af8cdcaeab0b0 Reviewed-on: https://go-review.googlesource.com/56772 Run-TryBot: Keith Randall <khr@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Martin Möhrmann <moehrmann@google.com> Reviewed-by: Josh Bleecher Snyder <josharian@gmail.com> Reviewed-by: Avelino <t@avelino.xxx>
@randall77 noted while reviewing CL 54653 that we might generate a pointer past the end of a map bucket.
This has been fixed for 1.10, in CL 54653. This issue is to discuss whether we want to also fix it for 1.9.
cc @randall77 @broady
The text was updated successfully, but these errors were encountered: