The problem does not occur if I removed m sync.Mutex from struct.

sync.Once.done's type is uint32, not uint64, so I think this is a legit checkptr report. Not sure off hand why it wouldn't consistently report this though.

I'd guess it has something to do with either scheduling of the concurrent GC, or with placement of o in the heap.

sync.Once.done's type is uint32, not uint64, so I think this is a legit checkptr report. Not sure off hand why it wouldn't consistently report this though.

I'd guess it has something to do with either scheduling of the concurrent GC, or with placement of o in the heap.

If m sync.Mutex was removed, then checkptr does not report, sounds like another issue.

Why? It's not an error to convert from *BigType to *SmallType. If you remove m sync.Mutex, then unsafe.Sizeof(onceSpy{}) <= unsafe.Sizeof(sync.Once{}), right?

Why? It's not an error to convert from *BigType to *SmallType. If you remove m sync.Mutex, then unsafe.Sizeof(onceSpy{}) <= unsafe.Sizeof(sync.Once{}), right?

Ah right 👍

Hmm, but should the race detector emit an error when a 32-bit atomic op occurs concurrently with a 64-bit atomic op?

My recollection is that on some 32-bit architectures, the 32-bit atomic ops use an entirely separate code path from the 64-bit ones, so I can't imagine that the memory model allows it.

(Oh, right: the memory model doesn't define atomic at all: that's #5045.)

Filed that separately as #38881.

@mdempsky

I'd guess it has something to do with either scheduling of the concurrent GC, or with placement of o in the heap.

Seems concurrent GC problem, because if I set GOGC=off, then checkptr reports it consistently.

Hmm, but should the race detector emit an error when a 32-bit atomic op occurs concurrently with a 64-bit atomic op?

This is worth discussing in #38881, but I think it's a red herring here. The 32-bit and 64-bit atomic ops that modify o are all happening on the same goroutine anyway, so there's no race.

Seems concurrent GC problem, because if I set GOGC=off, then checkptr reports it consistently.

Interesting. I wonder if there's a race condition in the calls to findObject in checkptrAlignment. Maybe it's not actually safe to call checkptrBase(add(p, size-1))?

Hm, I'm not able to reproduce this on linux/amd64. I don't get any checkptr reports, even with GOGC=off.

Hm, I'm not able to reproduce this on linux/amd64. I don't get any checkptr reports, even with GOGC=off.

Confirm that this does not happen on linux/amd64, but does on darwin/amd64, sounds like a false negative on linux/amd64?

Yeah, not reporting on linux/amd64 is a false negative. (With the usual caveats that checkptr is best-effort, so some false negatives will be inevitable; though I can't immediately see why the behavior here would be OS-specific.)

I'm not able to reproduce on darwin/amd64.

% uname -a
Darwin CheeseGrater.local 19.2.0 Darwin Kernel Version 19.2.0: Sat Nov  9 03:47:04 PST 2019; root:xnu-6153.61.1~20/RELEASE_X86_64 x86_64

I checked out the Go release at 9b18968.
It hasn't failed after thousands of iterations.

@randall77 still reproduce for me in current latest commit 9f33108

% uname -a
Darwin Cuongs-MacBook-Pro.local 19.4.0 Darwin Kernel Version 19.4.0: Wed Mar  4 22:28:40 PST 2020; root:xnu-6153.101.6~15/RELEASE_X86_64 x86_64

Also reproduce on:

19.5.0 Darwin Kernel Version 19.5.0: Tue May 26 20:41:44 PDT 2020; root:xnu-6153.121.2~2/RELEASE_X86_64 x86_64

Operator error. I am now able to reproduce. Sorry for the runaround.

This is definitely a correct report.

A sync.Once is 12 bytes (4 for the done field, 8 for the sync.Mutex, and the sync.Mutex is only 4-byte aligned).
The sync.Once gets allocated in a 16 byte tinyalloc region, at offsets 4-16. When you cast to your onceSpy, that 16-byte object now straddles 4 bytes into the next region.

I can confirm that the problem reproduces exactly when the sync.Once is allocated at 4 mod 16 and not when it is allocated at 0 mod 16. That's the source of the inconsistent reporting.

On Linux, the sync.Once never appears to be allocated at 4 mod 16. I guess there's some early allocation on Darwin that doesn't happen on Linux.

I can force an error on Linux by allocating 4 bytes at the start of main:

var x int = 4
var b []byte

func main() {
	b = make([]byte, x)

With that change, it now reports an error reliably on Linux.

It is unfortunate that checkptr does not reliably report this as a violation. I think to fix that, we'd need to keep track of the separate allocations inside a tinyalloc. I don't think there's any easy way to do that, unfortunately. Possibly we could just turn off tinyalloc when checkptr is on. Certainly when checkptr is on because the race detector is on, the cost would be in the noise. With just checkptr, though, I'm not sure. @mdempsky what do you think?

Of course, just turning off tinyalloc is not enough - that would just allocate sync.Once in its own 16-byte region and thus checkptr would never report an error.
I think in addition maybe we could allocate objects that are smaller than the size class randomly either at the start or end of the sizeclass object?

I can confirm that the problem reproduces exactly when the sync.Once is allocated at 4 mod 16 and not when it is allocated at 0 mod 16. That's the source of the inconsistent reporting.

@randall77 👍 , also, any thought on why GOGC=off makes it reports reliably on OSX?

Not sure. Probably just makes the allocation pattern more deterministic.

In any case, there's no bug here worth fixing for 1.15. Punting to 1.16.

@randall77 Thanks for reproducing and figuring out what's up.

Agreed with your suggestions (being able to turn off tinyalloc, and randomly end-aligning objects rather than start-aligning them) would be good ways of making this fire more reliably.

Ok, we'll do that for 1.16.
Now that I think about it, always end-aligning is probably better than random. it's rare to modify a pointer in the negative direction too far.

@mdempsky @randall77 related issue #35128

Hi @aclements, do you have any suggestion to solve this?

It sounds like that path forward here is to at least top-align tiny allocs in checkptr mode and possible top-align all allocations (much harder). We're not planning to work on this during the freeze, so bumping to 1.17.

@mdempsky Are we likely to fix this for 1.17? Should we move this to Backlog? Thanks.

I have a CL kinda ready for this. I should mail it out. I think I was being too aggressive and tried doing it for all size classes. Just tinyalloc is easier.

Change https://golang.org/cl/315029 mentions this issue: runtime: top align tinyallocs in race mode