Commit 5bc1cef8 authored by Dmitriy Vyukov

reflect: fix map type generation

If a map variable is created with reflect.New it has an incorrect type (map[unsafe.Pointer]unsafe.Pointer).
If GC follows such a pointer, it scans Hmap and buckets with an incorrect type.
This can lead to overscan of up to 120 bytes for map[int8]struct{}.
Which in turn can lead to a crash if the memory after a bucket object is unaddressable
or false retention (buckets are scanned as arrays of unsafe.Pointer).
I don't see how it can lead to heap corruptions, though.

LGTM=khr
R=rsc, khr
CC=golang-codereviews
https://golang.org/cl/96270044
parent a1266132
...@@ -1541,6 +1541,13 @@ func MapOf(key, elem Type) Type { ...@@ -1541,6 +1541,13 @@ func MapOf(key, elem Type) Type {
mt.uncommonType = nil mt.uncommonType = nil
mt.ptrToThis = nil mt.ptrToThis = nil
mt.zero = unsafe.Pointer(&make([]byte, mt.size)[0]) mt.zero = unsafe.Pointer(&make([]byte, mt.size)[0])
mt.gc = unsafe.Pointer(&ptrGC{
width: unsafe.Sizeof(uintptr(0)),
op: _GC_PTR,
off: 0,
elemgc: mt.hmap.gc,
end: _GC_END,
})
// INCORRECT. Uncomment to check that TestMapOfGC and TestMapOfGCValues // INCORRECT. Uncomment to check that TestMapOfGC and TestMapOfGCValues
// fail when mt.gc is wrong. // fail when mt.gc is wrong.
......
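Review bot: The new mt.gc assignment carries no comment saying why the GC program has to be a pointer to the map's own hmap layout, and the only nearby comment is the "INCORRECT" one that follows it, so a reader sees the wrong variant explained and the right one not. A one-line comment above the ptrGC literal stating that it describes a pointer to the Hmap for this key/elem pair would make the intent clear. The literal also reads elemgc: mt.hmap.gc, which depends on mt.hmap already being populated at this point in MapOf; that assignment is not visible in the hunk's context, so it is worth confirming the ordering. The commit message describes the failure for a map created with reflect.New, while the comment names TestMapOfGC and TestMapOfGCValues; please confirm one of those tests exercises that path.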