Comment 1:

Might be related to issue #7008.

Comment 2:

Labels changed: added release-go1.2.1, repo-main.

Status changed to Accepted.

Comment 3:

Why Go 1.2.1?  Is this bug in Go 1.2?  I thought it was just tip.

Comment 4:

As far as I know the bug is only in tip.  But just in case, I marked it 1.2.1, so that
we will consider the fix (if there is one) for the 1.2.1 release (if there is one).  If
there is nothing to fix in 1.2.1, then we can change the tag to Release-Go1.3.

Comment 5:

fwiw
cd $GOROOT/src/pkg/go/doc
go test -c
GOGC=0 ./doc.test -test.run='Test$'
seems to reproduce it reliably for me

Comment 6:

Using rsc's test I have bisected this to 
changeset:   18730:7e24a86563b4
user:        Keith Randall <khr@golang.org>
date:        Mon Dec 30 12:03:56 2013 -0800
summary:     runtime: use readrange instead of read to check for races
Which is confusing to say the least.
The good news is it does not appear to affect revisions before this, so probably isn't
critical to backport to 1.2.x

Comment 7:

I think this is liveness issues:
https://golang.org/issue/7008
Probably stack layout has changed.

Comment 8:

Looks like a GC bitmap is wrong.  The function in which this appears is
go/doc.methodSet.set.  The snippet of code is:
    mset[name] = &Func{
        Doc:  f.Doc.Text(),
        Name: name,
        Decl: f,
        Recv: recv,
        Orig: recv,
    }
Here's a hacked-up trace of what is happening:
mallocing 0xc210081b90 doc.Func    <- the &Func{} allocation
mallocing 0xc210081be0/80          <- ? - no type info, probably settype data?
scan go/doc.methodSet.set          <- GC triggered in mapassign
after prologue
full locals info                   <- pointer map for go/doc.methodSet.set
  0x28: 0                          <- bug!
  0x30: 1
  0x38: 0
  0x40: 1
  0x48: 0
  0x50: 1
  0x58: 0
  0x60: 1
  0x68: 0
  0x70: 1
  0x78: 0
full args info
  0x88: 1
  0x90: 1
GC: conservative stack scan        <- all ptr-looking things on the stack that point
to non-marked objects
  ptr not marked testing.RunTests/144 -> 0xc21005d1b0
  ptr not marked go/doc.methodSet.set/40 -> 0xc210081b90  <- this is the bug
  ptr not marked go/doc.test/160 -> 0xc2100c3720
  ptr not marked go/doc.test/168 -> 0xc210053d90
  ptr not marked go/doc.test/200 -> 0xc210053d90
  ptr not marked go/doc.test/208 -> 0xc210051540
  ptr not marked go/doc.test/304 -> 0xc210051540
freeing 0xc210081b90               <- oops!
mallocing 0xc21004b000 map.bucket[string]*doc.Func
Note that a doc.Func is allocated, a GC is run, then that doc.Func is immediately
deallocated.  The bug is the 0x28:0 line.  The return value of the malloc of the Func
structure is stored here.
I haven't delved into the compiler yet, but I suspect this has something to do with
changing the map operations to take pointers instead of values.  The GC that throws away
the doc.Func pointer is called from inside mapassign.  mapassign receives a pointer to
the 0x28 stack slot containing the doc.Func pointer.  The slot is still live because we
have a pointer to it, but maybe the analysis happens before the rewrite to have map ops
take pointers instead of values.  (Before, the doc.Func pointer was copied to the arg
region, so even though the pointer isn't dead, the 0x28 stack slot is.)
The 0x28 slot is otherwise dead after the mapassign.

Status changed to Started.

Comment 9:

A simple repro is below.  The pointer map for f is wrong.
package main
func f(m map[int]*string, i int) {
    s := ""
    m[i] = &s
}
func main() {
    m := map[int]*string{}
    for i := 0; i < 40; i++ {
        f(m, i)
        if len(*m[i]) != 0 {
            panic("bad length")
        }
    }
}
go build -gcflags -l bug7083.go
env GOGC=0 ./bug7083
panic: bad length
goroutine 1 [running]:
runtime.panic(0x422ce0, 0xc21000a0a0)
    /usr/local/google/home/khr/sandbox/go-issue7083/src/pkg/runtime/panic.c:264 +0xb6
main.main()
    /usr/local/google/home/khr/go/bug7083.go:13 +0xdf
Note -gcflags -l is not needed, but it isolates the bug in f instead of being part of
main.
If you change f to this, the bug goes away:
func f(m map[int]*string, i int) {
    s := ""
    p := &s
    m[i] = p
}
So it may not have anything to do with maps & passing by pointer.  At least, the
compiler gets that right some of the time.

Comment 10:

Thanks Keith. I'll try this new test and see if it can detect a change earlier than
7e24a86563b4 which might give a clue, and also indicate if it affects 1.2

Comment 11:

I think I know what's wrong. I found this earlier today while debugging a
crash in html/template that I thought was caused my own changes to the
liveness code. At the time I thought it didn't fix this issue: I reran
go/doc and it still crashed, but it looks like I just didn't recompile
enough code with the fix.
Three CLs on the way:
51010045 cmd/gc: return canonical Node* from temp
51820043 cmd/gc: add -live flag for debugging liveness maps
51830043 runtime: emit collection stacks in GODEBUG=allocfreetrace mode
The first is the bug fix; the others are just help for next time.

Comment 12:

This issue was closed by revision 334056a.

Status changed to Fixed.

Comment 13:

This is marked 1.2.1 but the bug we found was hurting the liveness code, which was not
in 1.2. I am moving it back to 1.3.

Labels changed: added release-go1.3, removed release-go1.2.1.

Comment 14:

CL https://golang.org/cl/100800046 mentions this issue.

Comment 15:

This issue was closed by revision 8a2db40.