reflect: eliminate write barrier for copying result in callReflect

cherrymui · nebulabox · commit 3e7f550699d9 · 2019-02-20T16:06:08.000+08:00
We are copying the results to uninitialized stack space. Write barrier is not needed. Fixes golang#30041. Change-Id: Ia91d74dbafd96dc2bd92de0cb479808991dda03e Reviewed-on: https://go-review.googlesource.com/c/160737 Run-TryBot: Cherry Zhang <cherryyz@google.com> Reviewed-by: Keith Randall <khr@golang.org>
diff --git a/src/reflect/value.go b/src/reflect/value.go
@@ -561,10 +561,11 @@ func callReflect(ctxt *makeFuncImpl, frame unsafe.Pointer, retValid *bool) {
 				continue
 			}
 			addr := add(ptr, off, "typ.size > 0")
+			// We are writing to stack. No write barrier.
 			if v.flag&flagIndir != 0 {
-				typedmemmove(typ, addr, v.ptr)
+				memmove(addr, v.ptr, typ.size)
 			} else {
-				*(*unsafe.Pointer)(addr) = v.ptr
+				*(*uintptr)(addr) = uintptr(v.ptr)
 			}
 			off += typ.size
 		}
diff --git a/test/fixedbugs/issue30041.go b/test/fixedbugs/issue30041.go
@@ -0,0 +1,63 @@
+// run
+
+// Copyright 2019 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Issue 30041: copying results of a reflect-generated
+// call on stack should not have write barrier.
+
+package main
+
+import (
+	"reflect"
+	"runtime"
+	"unsafe"
+)
+
+var badPtr uintptr
+
+var sink []byte
+
+func init() {
+	// Allocate large enough to use largeAlloc.
+	b := make([]byte, 1<<16-1)
+	sink = b // force heap allocation
+	//  Any space between the object and the end of page is invalid to point to.
+	badPtr = uintptr(unsafe.Pointer(&b[len(b)-1])) + 1
+}
+
+type ft func() *int
+
+var fn ft
+
+func rf([]reflect.Value) []reflect.Value {
+	a := reflect.ValueOf((*int)(nil))
+	return []reflect.Value{a}
+}
+
+const N = 1000
+
+func main() {
+	fn = reflect.MakeFunc(reflect.TypeOf(fn), rf).Interface().(ft)
+
+	// Keep running GC so the write barrier is on.
+	go func() {
+		for i := 0; i < N; i++ {
+			runtime.GC()
+		}
+	}()
+
+	var x [10]uintptr
+	for i := range x {
+		x[i] = badPtr
+	}
+	for i := 0; i < N; i++ {
+		runtime.Gosched()
+		use(x) // prepare bad pointers on stack
+		fn()
+	}
+}
+
+//go:noinline
+func use([10]uintptr) {}

Original file line number	Diff line number	Diff line change
`@@ -561,10 +561,11 @@ func callReflect(ctxt makeFuncImpl, frame unsafe.Pointer, retValid bool) {`
`561`	`561`	`continue`
`562`	`562`	`}`
`563`	`563`	`addr := add(ptr, off, "typ.size > 0")`
	`564`	`+ // We are writing to stack. No write barrier.`
`564`	`565`	`if v.flag&flagIndir != 0 {`
`565`		`- typedmemmove(typ, addr, v.ptr)`
	`566`	`+ memmove(addr, v.ptr, typ.size)`
`566`	`567`	`} else {`
`567`		`- (unsafe.Pointer)(addr) = v.ptr`
	`568`	`+ (uintptr)(addr) = uintptr(v.ptr)`
`568`	`569`	`}`
`569`	`570`	`off += typ.size`
`570`	`571`	`}`