Skip to content

runtime: writeHeapDump crashes program #9172

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
dvyukov opened this issue Nov 26, 2014 · 5 comments
Closed

runtime: writeHeapDump crashes program #9172

dvyukov opened this issue Nov 26, 2014 · 5 comments
Labels
FrozenDueToAge
Milestone
Go1.5

Comments

@dvyukov
Copy link
Member

dvyukov commented Nov 26, 2014 

go version devel +efd786846a76 Tue Nov 25 16:00:25 2014 -0500 linux/amd64

A program crashes as:

panic: runtime error: index out of range
fatal error: panic on system stack
runtime stack:
runtime.gothrow(0x590af0, 0x15)
    src/runtime/panic.go:507 +0x8e fp=0x7fffcabc22f0 sp=0x7fffcabc22d8
runtime.gopanic(0x541da0, 0xc208034000)
    src/runtime/panic.go:325 +0x9e fp=0x7fffcabc2358 sp=0x7fffcabc22f0
runtime.panicindex()
    src/runtime/panic.go:12 +0x4e fp=0x7fffcabc2380 sp=0x7fffcabc2358
runtime.iterate_finq(0x5ba720)
    src/runtime/mgc.go:794 +0xad fp=0x7fffcabc23c0 sp=0x7fffcabc2380
runtime.dumproots()
    src/runtime/heapdump.go:448 +0x180 fp=0x7fffcabc2418 sp=0x7fffcabc23c0
runtime.mdump()
    src/runtime/heapdump.go:652 +0xcc fp=0x7fffcabc2438 sp=0x7fffcabc2418
runtime.writeheapdump_m(0x3)
    src/runtime/heapdump.go:673 +0x8e fp=0x7fffcabc2460 sp=0x7fffcabc2438
runtime.func·016()
    src/runtime/mem.go:106 +0x2a fp=0x7fffcabc2470 sp=0x7fffcabc2460
runtime.systemstack(0x639930)
    src/runtime/asm_amd64.s:244 +0x71 fp=0x7fffcabc2478 sp=0x7fffcabc2470
runtime.mstart()
    src/runtime/proc1.go:693 fp=0x7fffcabc2480 sp=0x7fffcabc2478

I've caught it on all.bash but with modified runtime, but it should be easy to create a
test.

iterate_finq accesses fb.fin with large indexes:

func iterate_finq(callback func(*funcval, unsafe.Pointer, uintptr, *_type, *ptrtype)) {
    for fb := allfin; fb != nil; fb = fb.alllink {
        for i := int32(0); i < fb.cnt; i++ {
            f := &fb.fin[i]  // <<<--- HERE
            callback(f.fn, f.arg, f.nret, f.fint, f.ot)
        }
    }
}

But finblock is declared as follows:

type finblock struct {
    alllink *finblock
    next    *finblock
    cnt     int32
    cap     int32
    fin     [1]finalizer  // <<<--- sizeof of the array is 1
}

So the block contains more than 1 finalizer during heap dump, program crashes with index
out of range.
@dvyukov
Copy link
Member Author

dvyukov commented Nov 26, 2014

Comment 1:

The following fixed the issue for me:
 func iterate_finq(callback func(*funcval, unsafe.Pointer, uintptr, *_type, *ptrtype)) {
    for fb := allfin; fb != nil; fb = fb.alllink {
        for i := int32(0); i < fb.cnt; i++ {
-           f := &fb.fin[i]
+           f := (*finalizer)(add(unsafe.Pointer(&finq.fin[0]),
uintptr(i)*unsafe.Sizeof(finq.fin[0])))
            callback(f.fn, f.arg, f.nret, f.fint, f.ot)
        }
    }

@randall77
Copy link
Contributor

Comment 2:

Was this on the dev.cc branch?  This doesn't look to be a problem for 1.4, as the code
involved is still in C.

@dvyukov
Copy link
Member Author

dvyukov commented Nov 26, 2014

Comment 3:

You are right, it was dev.cc.

Labels changed: added release-go1.5, removed release-go1.4maybe.

@gopherbot
Copy link
Contributor

Comment 4:

CL https://golang.org/cl/178380043 mentions this issue.

gopherbot pushed a commit that referenced this issue Dec 10, 2014
@randall77
runtime: fix finalizer iterator
b796cbc 
It could only handle one finalizer before it raised an out-of-bounds error.

Fixes issue #9172

Change-Id: Ibb4d0c8aff2d78a1396e248c7129a631176ab427
Reviewed-on: https://go-review.googlesource.com/1201
Reviewed-by: Russ Cox <rsc@golang.org>
@bradfitz bradfitz modified the milestone: Go1.5 Dec 16, 2014
@randall77
Copy link
Contributor

Fixed by https://go-review.googlesource.com/#/c/1201/

@golang golang locked and limited conversation to collaborators Jun 25, 2016
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge
Projects
None yet
Milestone
Go1.5
Development

No branches or pull requests
4 participants
@bradfitz @dvyukov @randall77 @gopherbot