runtime: set mspan limit field early and eagerly

mknyszek · gopherbot · commit 4c7567290ced · 2025-06-18T11:34:51.000-07:00
Currently the mspan limit field is set after allocSpan returns, *after* the span has already been published to the GC (including the conservative scanner). But the limit field is load-bearing, because it's checked to filter out invalid pointers. A stale limit value could cause a crash by having the conservative scanner access allocBits out of bounds. Fix this by setting the mspan limit field before publishing the span. For large objects and arena chunks, we adjust the limit down after allocSpan because we don't have access to the true object's size from allocSpan. However this is safe, since we first initialize the limit to something definitely safe (the actual span bounds) and only adjust it down after. Adjusting it down has the benefit of more precise debug output, but the window in which it's imprecise is also fine because a single object (logically, with arena chunks) occupies the whole span, so the 'invalid' part of the memory will just safely point back to that object. We can't do this for smaller objects because the limit will include space that does *not* contain any valid objects. Fixes #74288. Change-Id: I0a22e5b9bccc1bfdf51d2b73ea7130f1b99c0c7c Reviewed-on: https://go-review.googlesource.com/c/go/+/682655 Reviewed-by: Keith Randall <khr@google.com> Auto-Submit: Michael Knyszek <mknyszek@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Keith Randall <khr@golang.org>
diff --git a/src/runtime/arena.go b/src/runtime/arena.go
@@ -1052,10 +1052,18 @@ func (h *mheap) allocUserArenaChunk() *mspan {
 	h.initSpan(s, spanAllocHeap, spc, base, userArenaChunkPages)
 	s.isUserArenaChunk = true
 	s.elemsize -= userArenaChunkReserveBytes()
-	s.limit = s.base() + s.elemsize
 	s.freeindex = 1
 	s.allocCount = 1
 
+	// Adjust s.limit down to the object-containing part of the span.
+	//
+	// This is just to create a slightly tighter bound on the limit.
+	// It's totally OK if the garbage collector, in particular
+	// conservative scanning, can temporarily observes an inflated
+	// limit. It will simply mark the whole chunk or just skip it
+	// since we're in the mark phase anyway.
+	s.limit = s.base() + s.elemsize
+
 	// Adjust size to include redzone.
 	if asanenabled {
 		s.elemsize -= redZoneSize(s.elemsize)
diff --git a/src/runtime/mcache.go b/src/runtime/mcache.go
@@ -253,6 +253,14 @@ func (c *mcache) allocLarge(size uintptr, noscan bool) *mspan {
 	// Put the large span in the mcentral swept list so that it's
 	// visible to the background sweeper.
 	mheap_.central[spc].mcentral.fullSwept(mheap_.sweepgen).push(s)
+
+	// Adjust s.limit down to the object-containing part of the span.
+	//
+	// This is just to create a slightly tighter bound on the limit.
+	// It's totally OK if the garbage collector, in particular
+	// conservative scanning, can temporarily observes an inflated
+	// limit. It will simply mark the whole object or just skip it
+	// since we're in the mark phase anyway.
 	s.limit = s.base() + size
 	s.initHeapBits()
 	return s
diff --git a/src/runtime/mcentral.go b/src/runtime/mcentral.go
@@ -250,13 +250,10 @@ func (c *mcentral) uncacheSpan(s *mspan) {
 // grow allocates a new empty span from the heap and initializes it for c's size class.
 func (c *mcentral) grow() *mspan {
 	npages := uintptr(gc.SizeClassToNPages[c.spanclass.sizeclass()])
-	size := uintptr(gc.SizeClassToSize[c.spanclass.sizeclass()])
-
 	s := mheap_.alloc(npages, c.spanclass)
 	if s == nil {
 		return nil
 	}
-	s.limit = s.base() + size*uintptr(s.nelems)
 	s.initHeapBits()
 	return s
 }
diff --git a/src/runtime/mheap.go b/src/runtime/mheap.go
@@ -1445,7 +1445,6 @@ func (h *mheap) initSpan(s *mspan, typ spanAllocType, spanclass spanClass, base,
 	if typ.manual() {
 		s.manualFreeList = 0
 		s.nelems = 0
-		s.limit = s.base() + s.npages*pageSize
 		s.state.set(mSpanManual)
 	} else {
 		// We must set span properties before the span is published anywhere
@@ -1486,6 +1485,9 @@ func (h *mheap) initSpan(s *mspan, typ spanAllocType, spanclass spanClass, base,
 		s.gcmarkBits = newMarkBits(uintptr(s.nelems))
 		s.allocBits = newAllocBits(uintptr(s.nelems))
 
+		// Adjust s.limit down to the object-containing part of the span.
+		s.limit = s.base() + uintptr(s.elemsize)*uintptr(s.nelems)
+
 		// It's safe to access h.sweepgen without the heap lock because it's
 		// only ever updated with the world stopped and we run on the
 		// systemstack which blocks a STW transition.
@@ -1785,6 +1787,7 @@ func (span *mspan) init(base uintptr, npages uintptr) {
 	span.list = nil
 	span.startAddr = base
 	span.npages = npages
+	span.limit = base + npages*gc.PageSize // see go.dev/issue/74288; adjusted later for heap spans
 	span.allocCount = 0
 	span.spanclass = 0
 	span.elemsize = 0

Original file line number	Diff line number	Diff line change
`@@ -250,13 +250,10 @@ func (c mcentral) uncacheSpan(s mspan) {`
`250`	`250`	`// grow allocates a new empty span from the heap and initializes it for c's size class.`
`251`	`251`	`func (c mcentral) grow() mspan {`
`252`	`252`	`npages := uintptr(gc.SizeClassToNPages[c.spanclass.sizeclass()])`
`253`		`- size := uintptr(gc.SizeClassToSize[c.spanclass.sizeclass()])`
`254`		`-`
`255`	`253`	`s := mheap_.alloc(npages, c.spanclass)`
`256`	`254`	`if s == nil {`
`257`	`255`	`return nil`
`258`	`256`	`}`
`259`		`- s.limit = s.base() + size*uintptr(s.nelems)`
`260`	`257`	`s.initHeapBits()`
`261`	`258`	`return s`
`262`	`259`	`}`