Commit 28f1868f authored by Russ Cox's avatar Russ Cox

cmd/gc, runtime: make GODEBUG=gcdead=1 mode work with liveness

Trying to make GODEBUG=gcdead=1 work with liveness
and in particular ambiguously live variables.

1. In the liveness computation, mark all ambiguously live
variables as live for the entire function, except the entry.
They are zeroed directly after entry, and we need them not
to be poisoned thereafter.

2. In the liveness computation, compute liveness (and deadness)
for all parameters, not just pointer-containing parameters.
Otherwise gcdead poisons untracked scalar parameters and results.

3. Fix liveness debugging print for -live=2 to use correct bitmaps.
(Was not updated for compaction during compaction CL.)

4. Correct varkill during map literal initialization.
Was killing the map itself instead of the inserted value temp.

5. Disable aggressive varkill cleanup for call arguments if
the call appears in a defer or go statement.

6. In the garbage collector, avoid bug scanning empty
strings. An empty string is two zeros. The multiword
code only looked at the first zero and then interpreted
the next two bits in the bitmap as an ordinary word bitmap.
For a string the bits are 11 00, so if a live string was zero
length with a 0 base pointer, the poisoning code treated
the length as an ordinary word with code 00, meaning it
needed poisoning, turning the string into a poison-length
string with base pointer 0. By the same logic I believe that
a live nil slice (bits 11 01 00) will have its cap poisoned.
Always scan full multiword struct.

7. In the runtime, treat both poison words (PoisonGC and
PoisonStack) as invalid pointers that warrant crashes.

Manual testing as follows:

- Create a script called gcdead on your PATH containing:

        GODEBUG=gcdead=1 GOGC=10 GOTRACEBACK=2 exec "$@"
- Now you can build a test and then run 'gcdead ./foo.test'.
- More importantly, you can run 'go test -short -exec gcdead std'
   to run all the tests.

Fixes #7676.

While here, enable the precise scanning of slices, since that was
disabled due to bugs like these. That now works, both with and
without gcdead.

Fixes #7549.

parent ebe5f203
......@@ -185,12 +185,12 @@ visitcode(Node *n, uint32 min)
typedef struct EscState EscState;
static void escfunc(EscState*, Node *func);
static void esclist(EscState*, NodeList *l);
static void esc(EscState*, Node *n);
static void esclist(EscState*, NodeList *l, Node *up);
static void esc(EscState*, Node *n, Node *up);
static void escloopdepthlist(EscState*, NodeList *l);
static void escloopdepth(EscState*, Node *n);
static void escassign(EscState*, Node *dst, Node *src);
static void esccall(EscState*, Node*);
static void esccall(EscState*, Node*, Node *up);
static void escflows(EscState*, Node *dst, Node *src);
static void escflood(EscState*, Node *dst);
static void escwalk(EscState*, int level, Node *dst, Node *src);
......@@ -347,7 +347,7 @@ escfunc(EscState *e, Node *func)
escflows(e, &e->theSink, ll->n);
escloopdepthlist(e, curfn->nbody);
esclist(e, curfn->nbody);
esclist(e, curfn->nbody, curfn);
curfn = savefn;
e->loopdepth = saveld;
......@@ -405,14 +405,14 @@ escloopdepth(EscState *e, Node *n)
static void
esclist(EscState *e, NodeList *l)
esclist(EscState *e, NodeList *l, Node *up)
for(; l; l=l->next)
esc(e, l->n);
esc(e, l->n, up);
static void
esc(EscState *e, Node *n)
esc(EscState *e, Node *n, Node *up)
int lno;
NodeList *ll, *lr;
......@@ -424,19 +424,19 @@ esc(EscState *e, Node *n)
lno = setlineno(n);
// ninit logically runs at a different loopdepth than the rest of the for loop.
esclist(e, n->ninit);
esclist(e, n->ninit, n);
if(n->op == OFOR || n->op == ORANGE)
esc(e, n->left);
esc(e, n->right);
esc(e, n->ntest);
esc(e, n->nincr);
esclist(e, n->nbody);
esclist(e, n->nelse);
esclist(e, n->list);
esclist(e, n->rlist);
esc(e, n->left, n);
esc(e, n->right, n);
esc(e, n->ntest, n);
esc(e, n->nincr, n);
esclist(e, n->nbody, n);
esclist(e, n->nelse, n);
esclist(e, n->list, n);
esclist(e, n->rlist, n);
if(n->op == OFOR || n->op == ORANGE)
......@@ -522,7 +522,7 @@ esc(EscState *e, Node *n)
esccall(e, n);
esccall(e, n, up);
case OAS2FUNC: // x,y = f()
......@@ -843,7 +843,7 @@ escassignfromtag(EscState *e, Strlit *note, NodeList *dsts, Node *src)
// different for methods vs plain functions and for imported vs
// this-package
static void
esccall(EscState *e, Node *n)
esccall(EscState *e, Node *n, Node *up)
NodeList *ll, *lr;
Node *a, *fn, *src;
......@@ -965,7 +965,7 @@ esccall(EscState *e, Node *n)
n->right = src;
if(haspointers(t->type)) {
if(escassignfromtag(e, t->note, n->escretval, src) == EscNone) {
if(escassignfromtag(e, t->note, n->escretval, src) == EscNone && up->op != ODEFER && up->op != OPROC) {
a = src;
while(a->op == OCONVNOP)
a = a->left;
......@@ -69,6 +69,9 @@ struct BasicBlock {
// State to denote whether the block has been visited during a
// traversal.
int mark;
// For use during livenessepilogue.
int lastbitmapindex;
// A collection of global state used by liveness analysis.
......@@ -273,11 +276,20 @@ getvariables(Node *fn)
result = arraynew(0, sizeof(Node*));
for(ll = fn->dcl; ll != nil; ll = ll->next) {
if(ll->n->op == ONAME) {
// In order for GODEBUG=gcdead=1 to work, each bitmap needs
// to contain information about all variables covered by the bitmap.
// For local variables, the bitmap only covers the stkptrsize
// bytes in the frame where variables containing pointers live.
// For arguments and results, the bitmap covers all variables,
// so we must include all the variables, even the ones without
// pointers.
switch(ll->n->class) {
case PAUTO:
arrayadd(result, &ll->n);
case PPARAM:
arrayadd(result, &ll->n);
......@@ -1101,18 +1113,9 @@ twobitwalktype1(Type *t, vlong *xoffset, Bvec *bv)
// struct { byte *array; uintgo len; uintgo cap; }
if((*xoffset & (widthptr-1)) != 0)
fatal("twobitwalktype1: invalid TARRAY alignment, %T", t);
if(0) {
bvset(bv, (*xoffset / widthptr) * BitsPerPointer + 0);
bvset(bv, (*xoffset / widthptr) * BitsPerPointer + 1);
bvset(bv, (*xoffset / widthptr) * BitsPerPointer + 2); // 3:1 = multiword/slice
} else {
// Until bug 7564 is fixed, we consider a slice as
// a separate pointer and integer.
bvset(bv, (*xoffset / widthptr) * BitsPerPointer + 1); // 2 = live ptr
bvset(bv, (*xoffset / widthptr) * BitsPerPointer + 2); // 1 = live scalar
// mark capacity as live
bvset(bv, (*xoffset / widthptr) * BitsPerPointer + 4); // 1 = live scalar
*xoffset += t->width;
} else
for(i = 0; i < t->bound; i++)
......@@ -1412,10 +1415,11 @@ static void
livenessepilogue(Liveness *lv)
BasicBlock *bb, *pred;
Bvec *livein, *liveout, *uevar, *varkill, *args, *locals, *avarinit, *any, *all;
Bvec *ambig, *livein, *liveout, *uevar, *varkill, *args, *locals, *avarinit, *any, *all;
Node *n;
Prog *p, *next;
int32 i, j, numlive, startmsg, nmsg, nvars, pos;
int64 xoffset;
char **msg;
Fmt fmt;
......@@ -1427,6 +1431,7 @@ livenessepilogue(Liveness *lv)
avarinit = bvalloc(nvars);
any = bvalloc(nvars);
all = bvalloc(nvars);
ambig = bvalloc(localswords() * BitsPerPointer);
msg = nil;
nmsg = 0;
startmsg = 0;
......@@ -1471,14 +1476,17 @@ livenessepilogue(Liveness *lv)
bvandnot(liveout, any, all);
if(!bvisempty(liveout)) {
for(pos = 0; pos < liveout->n; pos++) {
bvset(all, pos); // silence future warnings in this block
if(!bvget(liveout, pos))
bvset(all, pos); // silence future warnings in this block
n = *(Node**)arrayget(lv->vars, pos);
if(!n->needzero) {
n->needzero = 1;
if(debuglive >= 1)
warnl(p->lineno, "%N: %lN is ambiguously live", curfn->nname, n);
// Record in 'ambiguous' bitmap.
xoffset = n->xoffset + stkptrsize;
twobitwalktype1(n->type, &xoffset, ambig);
......@@ -1509,6 +1517,11 @@ livenessepilogue(Liveness *lv)
if(p == bb->last)
bb->lastbitmapindex = arraylength(lv->livepointers) - 1;
for(i = 0; i < arraylength(lv->cfg); i++) {
bb = *(BasicBlock**)arrayget(lv->cfg, i);
if(debuglive >= 1 && strcmp(curfn->nname->sym->name, "init") != 0 && curfn->nname->sym->name[0] != '.') {
nmsg = arraylength(lv->livepointers);
......@@ -1519,7 +1532,7 @@ livenessepilogue(Liveness *lv)
// walk backward, emit pcdata and populate the maps
pos = arraylength(lv->livepointers) - 1;
pos = bb->lastbitmapindex;
if(pos < 0) {
// the first block we encounter should have the ATEXT so
// at no point should pos ever be less than zero.
......@@ -1563,6 +1576,12 @@ livenessepilogue(Liveness *lv)
locals = *(Bvec**)arrayget(lv->livepointers, pos);
twobitlivepointermap(lv, liveout, lv->vars, args, locals);
// Ambiguously live variables are zeroed immediately after
// function entry. Mark them live for all the non-entry bitmaps
// so that GODEBUG=gcdead=1 mode does not poison them.
if(p->as == ACALL)
bvor(locals, locals, ambig);
// Show live pointer bitmaps.
// We're interpreting the args and locals bitmap instead of liveout so that we
// include the bits added by the avarinit logic in the
......@@ -1628,6 +1647,7 @@ livenessepilogue(Liveness *lv)
......@@ -1772,7 +1792,7 @@ printbitset(int printed, char *name, Array *vars, Bvec *bits)
static void
livenessprintdebug(Liveness *lv)
int i, j, printed, nsafe;
int i, j, pcdata, printed;
BasicBlock *bb;
Prog *p;
Bvec *uevar, *varkill, *avarinit, *args, *locals;
......@@ -1784,7 +1804,7 @@ livenessprintdebug(Liveness *lv)
varkill = bvalloc(arraylength(lv->vars));
avarinit = bvalloc(arraylength(lv->vars));
nsafe = 0;
pcdata = 0;
for(i = 0; i < arraylength(lv->cfg); i++) {
if(i > 0)
......@@ -1815,6 +1835,8 @@ livenessprintdebug(Liveness *lv)
// program listing, with individual effects listed
for(p = bb->first;; p = p->link) {
print("%P\n", p);
if(p->as == APCDATA && p->from.offset == PCDATA_StackMapIndex)
pcdata = p->to.offset;
progeffects(p, lv->vars, uevar, varkill, avarinit);
printed = 0;
printed = printbitset(printed, "uevar", lv->vars, uevar);
......@@ -1823,9 +1845,8 @@ livenessprintdebug(Liveness *lv)
if(issafepoint(p)) {
args = *(Bvec**)arrayget(lv->argslivepointers, nsafe);
locals = *(Bvec**)arrayget(lv->livepointers, nsafe);
args = *(Bvec**)arrayget(lv->argslivepointers, pcdata);
locals = *(Bvec**)arrayget(lv->livepointers, pcdata);
printed = 0;
for(j = 0; j < arraylength(lv->vars); j++) {
......@@ -1014,7 +1014,7 @@ ctxt = 0;
a = nod(OVARKILL, key, N);
typecheck(&a, Etop);
*init = list(*init, a);
a = nod(OVARKILL, var, N);
a = nod(OVARKILL, val, N);
typecheck(&a, Etop);
*init = list(*init, a);
......@@ -637,4 +637,5 @@ void runtime·memorydump(void);
int32 runtime·setgcpercent(int32);
// Value we use to mark dead pointers when GODEBUG=gcdead=1.
#define PoisonPtr ((uintptr)0x6969696969696969LL)
#define PoisonGC ((uintptr)0xf969696969696969ULL)
#define PoisonStack ((uintptr)0x6868686868686868ULL)
......@@ -1455,14 +1455,14 @@ scanbitvector(Func *f, bool precise, byte *scanp, BitVector *bv, bool afterprolo
switch(bits) {
case BitsDead:
*(uintptr*)scanp = PoisonPtr;
*(uintptr*)scanp = PoisonGC;
case BitsScalar:
case BitsPointer:
p = *(byte**)scanp;
if(p != nil) {
if(precise && (p < (byte*)PageSize || (uintptr)p == PoisonPtr)) {
if(precise && (p < (byte*)PageSize || (uintptr)p == PoisonGC || (uintptr)p == PoisonStack)) {
// Looks like a junk value in a pointer slot.
// Liveness analysis wrong?
m->traceback = 2;
......@@ -1473,8 +1473,7 @@ scanbitvector(Func *f, bool precise, byte *scanp, BitVector *bv, bool afterprolo
case BitsMultiWord:
p = *(byte**)scanp;
if(p != nil) {
p = scanp;
word >>= BitsPerPointer;
scanp += PtrSize;
......@@ -1490,25 +1489,38 @@ scanbitvector(Func *f, bool precise, byte *scanp, BitVector *bv, bool afterprolo
switch(word & 3) {
case BitsString:
if(((String*)(scanp - PtrSize))->len != 0)
if(((String*)p)->len != 0)
case BitsSlice:
if(((Slice*)(scanp - PtrSize))->cap < ((Slice*)(scanp - PtrSize))->len) {
word >>= BitsPerPointer;
scanp += PtrSize;
if(i == 0) {
// Get next chunk of bits
remptrs -= 32;
word = *wordp++;
if(remptrs < 32)
i = remptrs;
i = 32;
i /= BitsPerPointer;
if(((Slice*)p)->cap < ((Slice*)p)->len) {
m->traceback = 2;
runtime·printf("bad slice in frame %s at %p: %p/%p/%p\n", runtime·funcname(f), scanp, ((byte**)scanp)[0], ((byte**)scanp)[1], ((byte**)scanp)[2]);
runtime·printf("bad slice in frame %s at %p: %p/%p/%p\n", runtime·funcname(f), p, ((byte**)p)[0], ((byte**)p)[1], ((byte**)p)[2]);
runtime·throw("slice capacity smaller than length");
if(((Slice*)(scanp - PtrSize))->cap != 0)
enqueue1(wbufp, (Obj){scanp - PtrSize, PtrSize, 0});
if(((Slice*)p)->cap != 0)
enqueue1(wbufp, (Obj){p, PtrSize, 0});
case BitsIface:
case BitsEface:
scaninterfacedata(word & 3, scanp - PtrSize, afterprologue, wbufp);
if(*(byte**)p != nil)
scaninterfacedata(word & 3, p, afterprologue, wbufp);
word >>= BitsPerPointer;
scanp += PtrSize;
......@@ -356,17 +356,17 @@ adjustpointers(byte **scanp, BitVector *bv, AdjustInfo *adjinfo, Func *f)
switch(bv->data[i / (32 / BitsPerPointer)] >> (i * BitsPerPointer & 31) & 3) {
case BitsDead:
scanp[i] = (byte*)0x6868686868686868LL;
scanp[i] = (byte*)PoisonStack;
case BitsScalar:
case BitsPointer:
p = scanp[i];
if(f != nil && (byte*)0 < p && (p < (byte*)PageSize || (uintptr)p == PoisonPtr)) {
if(f != nil && (byte*)0 < p && (p < (byte*)PageSize || (uintptr)p == PoisonGC || (uintptr)p == PoisonStack)) {
// Looks like a junk value in a pointer slot.
// Live analysis wrong?
m->traceback = 2;
runtime·printf("%p: %p %s\n", &scanp[i], p, runtime·funcname(f));
runtime·printf("runtime: bad pointer in frame %s at %p: %p\n", runtime·funcname(f), &scanp[i], p);
runtime·throw("bad pointer!");
if(minp <= p && p < maxp) {
......@@ -23,20 +23,24 @@ func f2(b bool) {
func f3(b bool) {
// Because x and y are ambiguously live, they appear
// live throughout the function, to avoid being poisoned
// in GODEBUG=gcdead=1 mode.
print(0) // ERROR "live at call to printint: x y$"
if b == false {
print(0) // nothing live here
print(0) // ERROR "live at call to printint: x y$"
if b {
var x *int
print(&x) // ERROR "live at call to printpointer: x$"
print(&x) // ERROR "live at call to printpointer: x$"
print(&x) // ERROR "live at call to printpointer: x y$"
print(&x) // ERROR "live at call to printpointer: x y$"
} else {
var y *int
print(&y) // ERROR "live at call to printpointer: y$"
print(&y) // ERROR "live at call to printpointer: y$"
print(&y) // ERROR "live at call to printpointer: x y$"
print(&y) // ERROR "live at call to printpointer: x y$"
print(0) // ERROR "live at call to printint: x y$" "x \(type \*int\) is ambiguously live" "y \(type \*int\) is ambiguously live"
......@@ -371,6 +375,29 @@ func f27(b bool) {
call27(func() {x++}) // ERROR "live at call to call27: autotmp_[0-9]+$"
call27(func() {x++}) // ERROR "live at call to call27: autotmp_[0-9]+$"
// but defer does escape to later execution in the function
func f27defer(b bool) {
x := 0
if b {
defer call27(func() {x++}) // ERROR "live at call to deferproc: autotmp_[0-9]+$" "live at call to deferreturn: autotmp_[0-9]+$"
defer call27(func() {x++}) // ERROR "live at call to deferproc: autotmp_[0-9]+ autotmp_[0-9]+$" "live at call to deferreturn: autotmp_[0-9]+ autotmp_[0-9]+$" "ambiguously live"
println() // ERROR "live at call to printnl: autotmp_[0-9]+ autotmp_[0-9]+$"
} // ERROR "live at call to deferreturn: autotmp_[0-9]+ autotmp_[0-9]+$"
// and newproc (go) escapes to the heap
func f27go(b bool) {
x := 0
if b {
go call27(func() {x++}) // ERROR "live at call to new: &x" "live at call to newproc: &x$"
go call27(func() {x++}) // ERROR "live at call to new: &x"
Markdown is supported
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment