libgo patch committed: Better detection of memory overflow

Message ID	mcrwqzdet6k.fsf@google.com
State	New
Headers	show Return-Path: <gcc-patches-return-327602-incoming=patchwork.ozlabs.org@gcc.gnu.org> Comment: DKIM? See http://www.dkim.org Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gcc.gnu.org; h=Received:Received:X-SWARE-Spam-Status:X-Spam-Check-By:Received:Received:X-Google-DKIM-Signature:Received:Received:From:To:Subject:Date:Message-ID:User-Agent:MIME-Version:Content-Type:X-Gm-Message-State:X-IsSubscribed:Mailing-List:Precedence:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help:Sender:Delivered-To; b=nuY/BhllzGIKBropGrsRNNzFTR+FwqPhievLSPOCMlmiFo8Z8oNi1iPmqBuA1R qcfG5hQexftWbgR/AZUgirBAdiLWERWu+P7ehMyDJZABjQ8a9tY+A1ASf/qAD3pb fIoVfkJNK5scdYU3QyHRFiIrQbSjN2gpewj6NBzPjqKVg=; From: Ian Lance Taylor <iant@google.com> To: gcc-patches@gcc.gnu.org, gofrontend-dev@googlegroups.com Subject: libgo patch committed: Better detection of memory overflow Date: Fri, 28 Sep 2012 14:25:23 -0700 Message-ID: <mcrwqzdet6k.fsf@google.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.1 (gnu/linux) MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" Mailing-List: contact gcc-patches-help@gcc.gnu.org; run by ezmlm Precedence: bulk Sender: gcc-patches-owner@gcc.gnu.org

Message ID

mcrwqzdet6k.fsf@google.com

State

New

Headers

Comment: DKIM? See http://www.dkim.org
Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gcc.gnu.org;
	h=Received:Received:X-SWARE-Spam-Status:X-Spam-Check-By:Received:Received:X-Google-DKIM-Signature:Received:Received:From:To:Subject:Date:Message-ID:User-Agent:MIME-Version:Content-Type:X-Gm-Message-State:X-IsSubscribed:Mailing-List:Precedence:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help:Sender:Delivered-To;
	b=nuY/BhllzGIKBropGrsRNNzFTR+FwqPhievLSPOCMlmiFo8Z8oNi1iPmqBuA1R
	qcfG5hQexftWbgR/AZUgirBAdiLWERWu+P7ehMyDJZABjQ8a9tY+A1ASf/qAD3pb
	fIoVfkJNK5scdYU3QyHRFiIrQbSjN2gpewj6NBzPjqKVg=;
From: Ian Lance Taylor <iant@google.com>
To: gcc-patches@gcc.gnu.org, gofrontend-dev@googlegroups.com
Subject: libgo patch committed: Better detection of memory overflow
Date: Fri, 28 Sep 2012 14:25:23 -0700
Message-ID: <mcrwqzdet6k.fsf@google.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
Mailing-List: contact gcc-patches-help@gcc.gnu.org; run by ezmlm
Precedence: bulk
Sender: gcc-patches-owner@gcc.gnu.org

Commit Message

Ian Lance Taylor Sept. 28, 2012, 9:25 p.m. UTC

This patch, which brings in some bits of code from the master Go
library, does a better job of detecting when a memory allocation request
will overflow.  This lets us panic in a way that the program can see,
rather than crashing.  Bootstrapped and ran Go testsuite on
x86_64-unknown-linux-gnu.  Committed to mainline and 4.7 branch.

Ian

diff -r 3e4478623419 libgo/runtime/chan.c
--- a/libgo/runtime/chan.c	Fri Sep 28 10:41:20 2012 -0700
+++ b/libgo/runtime/chan.c	Fri Sep 28 14:06:03 2012 -0700
@@ -3,6 +3,8 @@ 
 // license that can be found in the LICENSE file.
 
 #include "runtime.h"
+#include "arch.h"
+#include "malloc.h"
 #include "go-type.h"
 
 #define	NOSELGEN	1
@@ -88,7 +90,7 @@ 
 	
 	elem = t->__element_type;
 
-	if(hint < 0 || (int32)hint != hint || (elem->__size > 0 && (uintptr)hint > ((uintptr)-1) / elem->__size))
+	if(hint < 0 || (int32)hint != hint || (elem->__size > 0 && (uintptr)hint > MaxMem / elem->__size))
 		runtime_panicstring("makechan: size out of range");
 
 	n = sizeof(*c);
diff -r 3e4478623419 libgo/runtime/go-append.c
--- a/libgo/runtime/go-append.c	Fri Sep 28 10:41:20 2012 -0700
+++ b/libgo/runtime/go-append.c	Fri Sep 28 14:06:03 2012 -0700
@@ -54,6 +54,9 @@ 
 	  while (m < count);
 	}
 
+      if ((uintptr) m > MaxMem / element_size)
+	runtime_panicstring ("growslice: cap out of range");
+
       n = __go_alloc (m * element_size);
       __builtin_memcpy (n, a.__values, a.__count * element_size);
 
diff -r 3e4478623419 libgo/runtime/go-make-slice.c
--- a/libgo/runtime/go-make-slice.c	Fri Sep 28 10:41:20 2012 -0700
+++ b/libgo/runtime/go-make-slice.c	Fri Sep 28 14:06:03 2012 -0700
@@ -37,7 +37,7 @@ 
   if (cap < len
       || (uintptr_t) icap != cap
       || (std->__element_type->__size > 0
-	  && cap > (uintptr_t) -1U / std->__element_type->__size))
+	  && cap > MaxMem / std->__element_type->__size))
     runtime_panicstring ("makeslice: cap out of range");
 
   ret.__count = ilen;
diff -r 3e4478623419 libgo/runtime/malloc.h
--- a/libgo/runtime/malloc.h	Fri Sep 28 10:41:20 2012 -0700
+++ b/libgo/runtime/malloc.h	Fri Sep 28 14:06:03 2012 -0700
@@ -128,6 +128,15 @@ 
 	MaxGcproc = 4,
 };
 
+// Maximum memory allocation size, a hint for callers.
+// This must be a #define instead of an enum because it
+// is so large.
+#if __SIZEOF_POINTER__ == 8
+#define	MaxMem	(16ULL<<30)	/* 16 GB */
+#else
+#define	MaxMem	((uintptr)-1)
+#endif
+
 // A generic linked list of blocks.  (Typically the block is bigger than sizeof(MLink).)
 struct MLink
 {

libgo patch committed: Better detection of memory overflow

Commit Message

Patch