runtime: bad pointer in scanbitvector strikes back #8155

Closed
dvyukov opened this issue Jun 5, 2014 · 4 comments
dvyukov commented Jun 5, 2014

go version devel +5439c77d4acb Tue Jun 03 16:39:40 2014 -0700 linux/amd64

The program is:
http://play.golang.org/p/y4GwCuLztv

I was able to reproduce it only on nacl so far.
$ GOOS=nacl GOARCH=amd64p32 go build nacl.go

Every other time it crashes as:

$ go_nacl_amd64p32_exec ./naclcrash 
bad pointer in frame main.init·2 at 0xfeee1f1c: 0xd2a
fatal error: bad pointer in scanbitvector

runtime stack:
runtime.throw(0x82c6b, 0x62c78)
    src/pkg/runtime/panic.c:520 +0xa0 fp=0xfffefbd0 sp=0xfffefbc0
scanbitvector(0x62c3c, 0x5cf01, 0xfeee1f1c, 0xfffefc48, 0x1, 0xfffefd74)
    src/pkg/runtime/mgc0.c:1492 +0x420 fp=0xfffefc18 sp=0xfffefbd0
scanframe(0xfffefc8c, 0xfffefd74)
    src/pkg/runtime/mgc0.c:1622 +0x3a0 fp=0xfffefc60 sp=0xfffefc18
runtime.gentraceback(0x2d340, 0xfeee1e00, 0x0, 0x102020b0, 0x0, 0x0, 0x7fffffff,
0x2b1a0, 0xfffefd74, 0x0)
    src/pkg/runtime/traceback_x86.c:253 +0x8c0 fp=0xfffefce0 sp=0xfffefc60
addstackroots(0x102020b0, 0xfffefd74)
    src/pkg/runtime/mgc0.c:1692 +0x1c0 fp=0xfffefd30 sp=0xfffefce0
markroot(0x10212480, 0x5)
    src/pkg/runtime/mgc0.c:1321 +0x100 fp=0xfffefd80 sp=0xfffefd30
runtime.parfordo(0x10212480, 0x1)
    src/pkg/runtime/parfor.c:88 +0x100 fp=0xfffefde0 sp=0xfffefd80
gc(0xfeee1e10, 0x0)
    src/pkg/runtime/mgc0.c:2407 +0x300 fp=0xfffeff08 sp=0xfffefde0
mgc(0x102020b0, 0x0)
    src/pkg/runtime/mgc0.c:2349 +0x40 fp=0xfffeff18 sp=0xfffeff08
runtime.mcall(0x4bcc0)
    src/pkg/runtime/asm_amd64p32.s:160 +0x60 fp=0xfffeff28 sp=0xfffeff18

goroutine 16 [garbage collection]:
runtime.gc(0x0, 0x1021a030)
    src/pkg/runtime/mgc0.c:2329 +0x2c0 fp=0xfeee1e28 sp=0xfeee1e00
runtime.mallocgc(0x30, 0x53342, 0x0, 0x10202370)
    src/pkg/runtime/malloc.goc:205 +0x260 fp=0xfeee1e68 sp=0xfeee1e28
makechan(0x53340, 0x0, 0x0, 0x0)
    src/pkg/runtime/chan.goc:40 +0xe0 fp=0xfeee1e98 sp=0xfeee1e68
runtime.makechan(0x53340, 0x57220, 0x0, 0x0, 0x0, 0xd2a)
    src/pkg/runtime/chan.goc:57 +0x60 fp=0xfeee1eb0 sp=0xfeee1e98
main.init·2()
    nacl.go:19 +0x80 fp=0xfeee1f80 sp=0xfeee1eb0
main.init()
    nacl.go:156 +0xc0 fp=0xfeee1f88 sp=0xfeee1f80
runtime.main()
    src/pkg/runtime/proc.c:240 +0x160 fp=0xfeee1fc8 sp=0xfeee1f88
runtime.goexit()
    src/pkg/runtime/proc.c:1445 fp=0xfeee1fd0 sp=0xfeee1fc8
created by _rt0_go
    src/pkg/runtime/asm_amd64p32.s:78 +0x160

goroutine 17 [runnable]:
runtime.MHeap_Scavenger()
    src/pkg/runtime/mheap.c:507 fp=0xfeefdfc8 sp=0xfeefdfc0
runtime.goexit()
    src/pkg/runtime/proc.c:1445 fp=0xfeefdfd0 sp=0xfeefdfc8
created by runtime.main
    src/pkg/runtime/proc.c:207

goroutine 18 [runnable]:
main.func·001()
    nacl.go:6 fp=0xfeefbfc8 sp=0xfeefbfc0
runtime.goexit()
    src/pkg/runtime/proc.c:1445 fp=0xfeefbfd0 sp=0xfeefbfc8
created by main.init·1
    nacl.go:11 +0x40
@gopherbot

Comment 1:

CL https://golang.org/cl/108740047 mentions this issue.

rsc commented Jun 5, 2014

Comment 2:

This issue was closed by revision ac0e12d.

Status changed to Fixed.

@gopherbot

Comment 3:

CL https://golang.org/cl/107830044 mentions this issue.

rsc commented Jun 7, 2014

Comment 4:

This issue was closed by revision 8e4d4d247e38.

@rsc rsc added this to the Go1.3 milestone Apr 14, 2015
rsc added a commit that referenced this issue May 11, 2015
««« CL 108740047 / c8e9255aed3f
cmd/6g: fix stack zeroing on native client

I am not sure what the rounding here was
trying to do, but it was skipping the first
pointer on native client.

The code above the rounding already checks
that xoffset is widthptr-aligned, so the rnd
was a no-op everywhere but on Native Client.
And on Native Client it was wrong.

Perhaps it was supposed to be rounding down,
not up, but zerorange handles the extra 32 bits
correctly, so the rnd does not seem to be necessary
at all.

This wouldn't be worth doing for Go 1.3 except
that it can affect code on the playground.

Fixes #8155.

LGTM=r, iant
R=golang-codereviews, r, iant
CC=dvyukov, golang-codereviews, khr
https://golang.org/cl/108740047
»»»

LGTM=iant
R=golang-codereviews, iant
CC=golang-codereviews, r
https://golang.org/cl/107830044
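
Added example (not code from the Go tree or from this issue): a small Go simulation of the failure the commit message for CL 108740047 describes, where rounding a pointer-aligned offset up before zeroing skips the first pointer slot. It assumes 4-byte pointers and an 8-byte rounding target on amd64p32, which the page does not state; `rnd`, `uncleared` and `simulate` are hypothetical names, and 0xd2a is reused from the trace as constructed stale data.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

const (
	widthPtr = 4     // assumed pointer size on amd64p32
	widthReg = 8     // assumed rounding target (register size)
	stale    = 0xd2a // constructed stale value, borrowed from the trace
)

// rnd rounds off up to a multiple of align (a power of two).
func rnd(off, align int) int { return (off + align - 1) &^ (align - 1) }

// uncleared lists offsets of pointer slots in [lo,hi) still holding non-zero
// data, which a stack scan would interpret as (bad) pointers.
func uncleared(frame []byte, lo, hi int) []int {
	var bad []int
	for off := lo; off < hi; off += widthPtr {
		if binary.LittleEndian.Uint32(frame[off:]) != 0 {
			bad = append(bad, off)
		}
	}
	return bad
}

// simulate fills a 32-byte frame with stale words, zeroes the pointer slots
// in [lo,hi), optionally rounding lo up first, and reports what was missed.
func simulate(lo, hi int, roundUp bool) []int {
	frame := make([]byte, 32)
	for off := 0; off < len(frame); off += widthPtr {
		binary.LittleEndian.PutUint32(frame[off:], stale)
	}
	start := lo
	if roundUp {
		start = rnd(lo, widthReg)
	}
	for i := start; i < hi; i++ { // stands in for the prologue's stack zeroing
		frame[i] = 0
	}
	return uncleared(frame, lo, hi)
}

func main() {
	fmt.Println(simulate(4, 16, true), simulate(4, 16, false), simulate(8, 16, true))
}
```

With an offset that is already 8-byte aligned the rounding changes nothing, which matches the commit message's remark that it was a no-op wherever pointer and rounding widths agree.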
@golang golang locked and limited conversation to collaborators Jun 25, 2016
wheatman pushed a commit to wheatman/go-akaros that referenced this issue Jun 25, 2018
This issue was closed.