Move this knob from a binary-startup thing to a build-time thing.
This will enable follow-on optimizations to the write barrier.
Change-Id: Ic3323348621c76a7dc390c09ff55016b19c43018
Reviewed-on: https://go-review.googlesource.com/c/go/+/447778
Reviewed-by: Michael Knyszek <mknyszek@google.com>
Run-TryBot: Keith Randall <khr@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
}
func TestPointerChecks(t *testing.T) {
- dir, exe := buildPtrTests(t)
+ var gopath string
+ var dir string
+ if *tmp != "" {
+ gopath = *tmp
+ dir = ""
+ } else {
+ d, err := os.MkdirTemp("", filepath.Base(t.Name()))
+ if err != nil {
+ t.Fatal(err)
+ }
+ dir = d
+ gopath = d
+ }
+
+ exe := buildPtrTests(t, gopath, false)
+ exe2 := buildPtrTests(t, gopath, true)
// We (TestPointerChecks) return before the parallel subtest functions do,
// so we can't just defer os.RemoveAll(dir). Instead we have to wait for
os.RemoveAll(dir)
}
}()
- testOne(t, pt, exe)
+ testOne(t, pt, exe, exe2)
})
}
}
-func buildPtrTests(t *testing.T) (dir, exe string) {
- var gopath string
- if *tmp != "" {
- gopath = *tmp
- dir = ""
- } else {
- d, err := os.MkdirTemp("", filepath.Base(t.Name()))
- if err != nil {
- t.Fatal(err)
- }
- dir = d
- gopath = d
- }
+func buildPtrTests(t *testing.T, gopath string, cgocheck2 bool) (exe string) {
src := filepath.Join(gopath, "src", "ptrtest")
if err := os.MkdirAll(src, 0777); err != nil {
t.Fatal(err)
}
- cmd := exec.Command("go", "build", "-o", "ptrtest.exe")
+ exeName := "ptrtest.exe"
+ if cgocheck2 {
+ exeName = "ptrtest2.exe"
+ }
+ cmd := exec.Command("go", "build", "-o", exeName)
cmd.Dir = src
cmd.Env = append(os.Environ(), "GOPATH="+gopath)
+ if cgocheck2 {
+ found := false
+ for i, e := range cmd.Env {
+ if strings.HasPrefix(e, "GOEXPERIMENT=") {
+ cmd.Env[i] = e + ",cgocheck2"
+ found = true
+ }
+ }
+ if !found {
+ cmd.Env = append(cmd.Env, "GOEXPERIMENT=cgocheck2")
+ }
+ }
out, err := cmd.CombinedOutput()
if err != nil {
t.Fatalf("go build: %v\n%s", err, out)
}
- return dir, filepath.Join(src, "ptrtest.exe")
+ return filepath.Join(src, exeName)
}
const ptrTestMain = `
var csem = make(chan bool, 16)
-func testOne(t *testing.T, pt ptrTest, exe string) {
+func testOne(t *testing.T, pt ptrTest, exe, exe2 string) {
t.Parallel()
// Run the tests in parallel, but don't run too many
runcmd := func(cgocheck string) ([]byte, error) {
csem <- true
defer func() { <-csem }()
- cmd := exec.Command(exe, pt.name)
+ x := exe
+ if cgocheck == "2" {
+ x = exe2
+ cgocheck = "1"
+ }
+ cmd := exec.Command(x, pt.name)
cmd.Env = append(os.Environ(), "GODEBUG=cgocheck="+cgocheck)
return cmd.CombinedOutput()
}
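Review bot: The branch in runcmd that turns `cgocheck == "2"` into `x = exe2` plus `cgocheck = "1"` has no comment, so the test reads as if the "2" cases were being quietly weakened to the cheap mode. The remap is needed because the expensive checks are now compiled into the second binary, and elsewhere in this commit the runtime throws when GODEBUG asks for cgocheck > 1. I would state that at the branch: `// cgocheck=2 is a build-time experiment now: run the GOEXPERIMENT=cgocheck2 binary; GODEBUG=cgocheck=2 would make the runtime throw at startup.` testOne continues past the end of this hunk.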
AssertI2I2 *obj.LSym
Asanread *obj.LSym
Asanwrite *obj.LSym
+ CgoCheckMemmove *obj.LSym
+ CgoCheckPtrWrite *obj.LSym
CheckPtrAlignment *obj.LSym
Deferproc *obj.LSym
DeferprocStack *obj.LSym
"cmd/internal/objabi"
"cmd/internal/src"
"fmt"
+ "internal/buildcfg"
)
// A ZeroRegion records parts of an object which are known to be zero.
}
var sb, sp, wbaddr, const0 *Value
- var typedmemmove, typedmemclr, gcWriteBarrier *obj.LSym
+ var typedmemmove, typedmemclr, gcWriteBarrier, cgoCheckPtrWrite, cgoCheckMemmove *obj.LSym
var stores, after []*Value
var sset *sparseSet
var storeNumber []int32
gcWriteBarrier = f.fe.Syslook("gcWriteBarrier")
typedmemmove = f.fe.Syslook("typedmemmove")
typedmemclr = f.fe.Syslook("typedmemclr")
+ if buildcfg.Experiment.CgoCheck2 {
+ cgoCheckPtrWrite = f.fe.Syslook("cgoCheckPtrWrite")
+ cgoCheckMemmove = f.fe.Syslook("cgoCheckMemmove")
+ }
const0 = f.ConstInt32(f.Config.Types.UInt32, 0)
// allocate auxiliary data structures for computing store order
switch w.Op {
case OpStoreWB, OpMoveWB, OpZeroWB:
if w.Op == OpStoreWB {
+ if buildcfg.Experiment.CgoCheck2 {
+ // Issue cgo checking code.
+ memThen = wbcall(pos, bThen, cgoCheckPtrWrite, nil, ptr, val, memThen, sp, sb)
+ }
+
memThen = bThen.NewValue3A(pos, OpWB, types.TypeMem, gcWriteBarrier, ptr, val, memThen)
} else {
srcval := val
// else block: normal store
switch w.Op {
case OpStoreWB:
+ if buildcfg.Experiment.CgoCheck2 {
+ // Issue cgo checking code.
+ memElse = wbcall(pos, bElse, cgoCheckPtrWrite, nil, ptr, val, memElse, sp, sb)
+ }
memElse = bElse.NewValue3A(pos, OpStore, types.TypeMem, w.Aux, ptr, val, memElse)
case OpMoveWB:
+ if buildcfg.Experiment.CgoCheck2 {
+ // Issue cgo checking code.
+ memElse = wbcall(pos, bElse, cgoCheckMemmove, reflectdata.TypeLinksym(w.Aux.(*types.Type)), ptr, val, memElse, sp, sb)
+ }
memElse = bElse.NewValue3I(pos, OpMove, types.TypeMem, w.AuxInt, ptr, val, memElse)
memElse.Aux = w.Aux
case OpZeroWB:
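Review bot: The OpMoveWB case gets `cgoCheckMemmove` only on the else (barrier-off) path, whereas OpStoreWB gets `cgoCheckPtrWrite` on both the then and else paths, and nothing here explains the asymmetry. The barrier-on move path presumably relies on the runtime's typedmemmove running the check itself (the `if goexperiment.CgoCheck2 { cgoCheckMemmove2(...) }` added in the runtime part of this commit). A comment such as `// Barrier-on moves call typedmemmove, which performs the cgo check itself.` would stop a later change from double-checking here or from dropping the runtime side and losing coverage. OpZeroWB has no check at all, presumably because zeroing cannot store a Go pointer; that is worth stating too. The enclosing function starts and ends outside these hunks.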
off := config.ctxt.Arch.FixedFrameSize
var argTypes []*types.Type
- if typ != nil { // for typedmemmove
+ if typ != nil { // for typedmemmove/cgoCheckMemmove
taddr := b.NewValue1A(pos, OpAddr, b.Func.Config.Types.Uintptr, typ, sb)
argTypes = append(argTypes, b.Func.Config.Types.Uintptr)
off = round(off, taddr.Type.Alignment())
ir.Syms.AssertE2I2 = typecheck.LookupRuntimeFunc("assertE2I2")
ir.Syms.AssertI2I = typecheck.LookupRuntimeFunc("assertI2I")
ir.Syms.AssertI2I2 = typecheck.LookupRuntimeFunc("assertI2I2")
+ ir.Syms.CgoCheckMemmove = typecheck.LookupRuntimeFunc("cgoCheckMemmove")
+ ir.Syms.CgoCheckPtrWrite = typecheck.LookupRuntimeFunc("cgoCheckPtrWrite")
ir.Syms.CheckPtrAlignment = typecheck.LookupRuntimeFunc("checkptrAlignment")
ir.Syms.Deferproc = typecheck.LookupRuntimeFunc("deferproc")
ir.Syms.DeferprocStack = typecheck.LookupRuntimeFunc("deferprocStack")
return ir.Syms.Typedmemmove
case "typedmemclr":
return ir.Syms.Typedmemclr
+ case "cgoCheckMemmove":
+ return ir.Syms.CgoCheckMemmove
+ case "cgoCheckPtrWrite":
+ return ir.Syms.CgoCheckPtrWrite
}
e.Fatalf(src.NoXPos, "unknown Syslook func %v", name)
return nil
--- /dev/null
+// Code generated by mkconsts.go. DO NOT EDIT.
+
+//go:build !goexperiment.cgocheck2
+// +build !goexperiment.cgocheck2
+
+package goexperiment
+
+const CgoCheck2 = false
+const CgoCheck2Int = 0
--- /dev/null
+// Code generated by mkconsts.go. DO NOT EDIT.
+
+//go:build goexperiment.cgocheck2
+// +build goexperiment.cgocheck2
+
+package goexperiment
+
+const CgoCheck2 = true
+const CgoCheck2Int = 1
// this compels the Go runtime to write to some arbitrary file, which
// may be exploited.
PageTrace bool
+
+ // CgoCheck2 enables an expensive cgo rule checker.
+ // When this experiment is enabled, cgo rule checks occur regardless
+ // of the GODEBUG=cgocheck setting provided at runtime.
+ CgoCheck2 bool
}
package runtime
import (
+ "internal/goexperiment"
"runtime/internal/atomic"
"unsafe"
)
func atomicwb(ptr *unsafe.Pointer, new unsafe.Pointer) {
slot := (*uintptr)(unsafe.Pointer(ptr))
if !getg().m.p.ptr().wbBuf.putFast(*slot, uintptr(new)) {
- wbBufFlush(slot, uintptr(new))
+ wbBufFlush()
}
}
if writeBarrier.enabled {
atomicwb((*unsafe.Pointer)(ptr), new)
}
+ if goexperiment.CgoCheck2 {
+ cgoCheckPtrWrite((*unsafe.Pointer)(ptr), new)
+ }
atomic.StorepNoWB(noescape(ptr), new)
}
if writeBarrier.enabled {
atomicwb(ptr, new)
}
+ if goexperiment.CgoCheck2 {
+ cgoCheckPtrWrite(ptr, new)
+ }
return atomic.Casp1(ptr, old, new)
}
if writeBarrier.enabled {
atomicwb(ptr, new)
}
+ if goexperiment.CgoCheck2 {
+ cgoCheckPtrWrite(ptr, new)
+ }
sync_atomic_StoreUintptr((*uintptr)(unsafe.Pointer(ptr)), uintptr(new))
}
if writeBarrier.enabled {
atomicwb(ptr, new)
}
+ if goexperiment.CgoCheck2 {
+ cgoCheckPtrWrite(ptr, new)
+ }
old := unsafe.Pointer(sync_atomic_SwapUintptr((*uintptr)(noescape(unsafe.Pointer(ptr))), uintptr(new)))
return old
}
if writeBarrier.enabled {
atomicwb(ptr, new)
}
+ if goexperiment.CgoCheck2 {
+ cgoCheckPtrWrite(ptr, new)
+ }
return sync_atomic_CompareAndSwapUintptr((*uintptr)(noescape(unsafe.Pointer(ptr))), uintptr(old), uintptr(new))
}
import (
"internal/goarch"
+ "internal/goexperiment"
"runtime/internal/sys"
"unsafe"
)
// cgoCheckPointer checks if the argument contains a Go pointer that
// points to a Go pointer, and panics if it does.
func cgoCheckPointer(ptr any, arg any) {
- if debug.cgocheck == 0 {
+ if !goexperiment.CgoCheck2 && debug.cgocheck == 0 {
return
}
// exported Go function. It panics if the result is or contains a Go
// pointer.
func cgoCheckResult(val any) {
- if debug.cgocheck == 0 {
+ if !goexperiment.CgoCheck2 && debug.cgocheck == 0 {
return
}
// license that can be found in the LICENSE file.
// Code to check that pointer writes follow the cgo rules.
-// These functions are invoked via the write barrier when debug.cgocheck > 1.
+// These functions are invoked when GOEXPERIMENT=cgocheck2 is enabled.
package runtime
const cgoWriteBarrierFail = "Go pointer stored into non-Go memory"
-// cgoCheckWriteBarrier is called whenever a pointer is stored into memory.
+// cgoCheckPtrWrite is called whenever a pointer is stored into memory.
// It throws if the program is storing a Go pointer into non-Go memory.
//
-// This is called from the write barrier, so its entire call tree must
-// be nosplit.
+// This is called from generated code when GOEXPERIMENT=cgocheck2 is enabled.
//
//go:nosplit
//go:nowritebarrier
-func cgoCheckWriteBarrier(dst *uintptr, src uintptr) {
- if !cgoIsGoPointer(unsafe.Pointer(src)) {
+func cgoCheckPtrWrite(dst *unsafe.Pointer, src unsafe.Pointer) {
+ if !mainStarted {
+ // Something early in startup hates this function.
+ // Don't start doing any actual checking until the
+ // runtime has set itself up.
+ return
+ }
+ if !cgoIsGoPointer(src) {
return
}
if cgoIsGoPointer(unsafe.Pointer(dst)) {
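Review bot: The new `if !mainStarted { return }` guard at the top of cgoCheckPtrWrite means pointer stores made before mainStarted is set are never checked, yet the doc comment above still says the function is called "whenever a pointer is stored into memory" and throws on a bad store. The in-body comment ("Something early in startup hates this function") does not say what fails, so nobody can tell when the exemption could be narrowed or removed. I would add to the doc comment `// Writes made before mainStarted is set are not checked.` and turn the in-body comment into a TODO that names the failure once it is understood. The function body continues past this hunk.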
}
systemstack(func() {
- println("write of Go pointer", hex(src), "to non-Go memory", hex(uintptr(unsafe.Pointer(dst))))
+ println("write of Go pointer", hex(uintptr(src)), "to non-Go memory", hex(uintptr(unsafe.Pointer(dst))))
throw(cgoWriteBarrierFail)
})
}
// cgoCheckMemmove is called when moving a block of memory.
+// It throws if the program is copying a block that contains a Go pointer
+// into non-Go memory.
+//
+// This is called from generated code when GOEXPERIMENT=cgocheck2 is enabled.
+//
+//go:nosplit
+//go:nowritebarrier
+func cgoCheckMemmove(typ *_type, dst, src unsafe.Pointer) {
+ cgoCheckMemmove2(typ, dst, src, 0, typ.size)
+}
+
+// cgoCheckMemmove2 is called when moving a block of memory.
// dst and src point off bytes into the value to copy.
// size is the number of bytes to copy.
// It throws if the program is copying a block that contains a Go pointer
// into non-Go memory.
-//
//go:nosplit
//go:nowritebarrier
-func cgoCheckMemmove(typ *_type, dst, src unsafe.Pointer, off, size uintptr) {
+func cgoCheckMemmove2(typ *_type, dst, src unsafe.Pointer, off, size uintptr) {
if typ.ptrdata == 0 {
return
}
cgocheck: setting cgocheck=0 disables all checks for packages
using cgo to incorrectly pass Go pointers to non-Go code.
Setting cgocheck=1 (the default) enables relatively cheap
- checks that may miss some errors. Setting cgocheck=2 enables
- expensive checks that should not miss any errors, but will
- cause your program to run slower.
+ checks that may miss some errors. A more complete, but slow,
+ cgocheck mode can be enabled using GOEXPERIMENT (which
+ requires a rebuild), see https://pkg.go.dev/internal/goexperiment for details.
efence: setting efence=1 causes the allocator to run in a mode
where each object is allocated on a unique page and addresses are
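Review bot: The cgocheck entry still opens with "setting cgocheck=0 disables all checks", which no longer holds for a binary built with GOEXPERIMENT=cgocheck2. The CgoCheck2 flag comment in this commit says the checks then run regardless of GODEBUG, and cgoCheckPointer and cgoCheckResult now test `!goexperiment.CgoCheck2 && debug.cgocheck == 0`. The entry also omits that cgocheck=2 is now rejected at startup by the `throw` added at the end of this commit. Suggest appending `In a binary built with GOEXPERIMENT=cgocheck2 the checks cannot be disabled with cgocheck=0, and cgocheck=2 is no longer accepted at runtime.`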
import (
"internal/abi"
"internal/goarch"
+ "internal/goexperiment"
"unsafe"
)
// barrier, so at worst we've unnecessarily greyed the old
// pointer that was in src.
memmove(dst, src, typ.size)
- if writeBarrier.cgo {
- cgoCheckMemmove(typ, dst, src, 0, typ.size)
+ if goexperiment.CgoCheck2 {
+ cgoCheckMemmove2(typ, dst, src, 0, typ.size)
}
}
}
memmove(dst, src, size)
- if writeBarrier.cgo {
- cgoCheckMemmove(typ, dst, src, off, size)
+ if goexperiment.CgoCheck2 {
+ cgoCheckMemmove2(typ, dst, src, off, size)
}
}
asanread(srcPtr, uintptr(n)*typ.size)
}
- if writeBarrier.cgo {
+ if goexperiment.CgoCheck2 {
cgoCheckSliceCopy(typ, dstPtr, srcPtr, n)
}
// make sure the underlying allocation contains pointers, usually
// by checking typ.ptrdata.
//
-// Callers must perform cgo checks if writeBarrier.cgo.
+// Callers must perform cgo checks if goexperiment.CgoCheck2.
//
//go:nosplit
func bulkBarrierPreWrite(dst, src, size uintptr) {
}
dstx := (*uintptr)(unsafe.Pointer(addr))
if !buf.putFast(*dstx, 0) {
- wbBufFlush(nil, 0)
+ wbBufFlush()
}
}
} else {
dstx := (*uintptr)(unsafe.Pointer(addr))
srcx := (*uintptr)(unsafe.Pointer(src + (addr - dst)))
if !buf.putFast(*dstx, *srcx) {
- wbBufFlush(nil, 0)
+ wbBufFlush()
}
}
}
}
srcx := (*uintptr)(unsafe.Pointer(addr - dst + src))
if !buf.putFast(0, *srcx) {
- wbBufFlush(nil, 0)
+ wbBufFlush()
}
}
}
dstx := (*uintptr)(unsafe.Pointer(dst + i))
if src == 0 {
if !buf.putFast(*dstx, 0) {
- wbBufFlush(nil, 0)
+ wbBufFlush()
}
} else {
srcx := (*uintptr)(unsafe.Pointer(src + i))
if !buf.putFast(*dstx, *srcx) {
- wbBufFlush(nil, 0)
+ wbBufFlush()
}
}
}
// Must not be preempted because it typically runs right before memmove,
// and the GC must observe them as an atomic action.
//
-// Callers must perform cgo checks if writeBarrier.cgo.
+// Callers must perform cgo checks if goexperiment.CgoCheck2.
//
//go:nosplit
func typeBitsBulkBarrier(typ *_type, dst, src, size uintptr) {
dstx := (*uintptr)(unsafe.Pointer(dst + i))
srcx := (*uintptr)(unsafe.Pointer(src + i))
if !buf.putFast(*dstx, *srcx) {
- wbBufFlush(nil, 0)
+ wbBufFlush()
}
}
}
var writeBarrier struct {
enabled bool // compiler emits a check of this before calling write barrier
pad [3]byte // compiler uses 32-bit load for "enabled" field
- needed bool // whether we need a write barrier for current GC phase
- cgo bool // whether we need a write barrier for a cgo check
+ needed bool // identical to enabled, for now (TODO: dedup)
alignme uint64 // guarantee alignment so that compiler can use a 32 or 64-bit load
}
func setGCPhase(x uint32) {
atomic.Store(&gcphase, x)
writeBarrier.needed = gcphase == _GCmark || gcphase == _GCmarktermination
- writeBarrier.enabled = writeBarrier.needed || writeBarrier.cgo
+ writeBarrier.enabled = writeBarrier.needed
}
// gcMarkWorkerMode represents the mode that a concurrent mark worker
// Flush the write barrier
// buffer; this may create
// more work.
- wbBufFlush(nil, 0)
+ wbBufFlush()
b = gcw.tryGet()
}
}
if b == 0 {
// Flush the write barrier buffer;
// this may create more work.
- wbBufFlush(nil, 0)
+ wbBufFlush()
b = gcw.tryGet()
}
}
func (b *wbBuf) reset() {
start := uintptr(unsafe.Pointer(&b.buf[0]))
b.next = start
- if writeBarrier.cgo {
- // Effectively disable the buffer by forcing a flush
- // on every barrier.
- b.end = uintptr(unsafe.Pointer(&b.buf[wbBufEntryPointers]))
- } else if testSmallBuf {
+ if testSmallBuf {
// For testing, allow two barriers in the buffer. If
// we only did one, then barriers of non-heap pointers
// would be no-ops. This lets us combine a buffered
//
// buf := &getg().m.p.ptr().wbBuf
// if !buf.putFast(old, new) {
-// wbBufFlush(...)
+// wbBufFlush()
// }
// ... actual memory write ...
//
-// The arguments to wbBufFlush depend on whether the caller is doing
-// its own cgo pointer checks. If it is, then this can be
-// wbBufFlush(nil, 0). Otherwise, it must pass the slot address and
-// new.
-//
// The caller must ensure there are no preemption points during the
// above sequence. There must be no preemption points while buf is in
// use because it is a per-P resource. There must be no preemption
}
// wbBufFlush flushes the current P's write barrier buffer to the GC
-// workbufs. It is passed the slot and value of the write barrier that
-// caused the flush so that it can implement cgocheck.
+// workbufs.
//
// This must not have write barriers because it is part of the write
// barrier implementation.
//
//go:nowritebarrierrec
//go:nosplit
-func wbBufFlush(dst *uintptr, src uintptr) {
+func wbBufFlush() {
// Note: Every possible return from this function must reset
// the buffer's next pointer to prevent buffer overflow.
return
}
- if writeBarrier.cgo && dst != nil {
- // This must be called from the stack that did the
- // write. It's nosplit all the way down.
- cgoCheckWriteBarrier(dst, src)
- if !writeBarrier.needed {
- // We were only called for cgocheck.
- getg().m.p.ptr().wbBuf.discard()
- return
- }
- }
-
// Switch to the system stack so we don't have to worry about
// the untyped stack slots or safe points.
systemstack(func() {
// World is effectively started now, as P's can run.
worldStarted()
- // For cgocheck > 1, we turn on the write barrier at all times
- // and check all pointer writes. We can't do this until after
- // procresize because the write barrier needs a P.
- if debug.cgocheck > 1 {
- writeBarrier.cgo = true
- writeBarrier.enabled = true
- for _, pp := range allp {
- pp.wbBuf.reset()
- }
- }
-
if buildVersion == "" {
// Condition should never trigger. This code just serves
// to ensure runtimeĀ·buildVersion is kept in the resulting binary.
}
}
}
+
+ if debug.cgocheck > 1 {
+ throw("cgocheck > 1 mode is no longer supported at runtime. Use GOEXPERIMENT=cgocheck2 at build time instead.")
+ }
}
//go:linkname setTraceback runtime/debug.SetTraceback
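Review bot: The `throw` for `debug.cgocheck > 1` makes every binary started with GODEBUG=cgocheck=2 die at startup, and nothing at the site says this is deliberate. Failing closed looks right, since silently falling back to cgocheck=1 would give users weaker checking than they asked for. I would record that above the `if`: `// Fail rather than downgrade: cgocheck=1 would silently check less than the user requested.` The enclosing function starts outside the hunk.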