1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
|
// run
// Copyright 2020 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package main
import "fmt"
const N = 40
func main() {
var x [N]int // stack-allocated memory
for i := range x {
x[i] = 0x999
}
// This defer checks to see if x is uncorrupted.
defer func(p *[N]int) {
recover()
for i := range p {
if p[i] != 0x999 {
for j := range p {
fmt.Printf("p[%d]=0x%x\n", j, p[j])
}
panic("corrupted stack variable")
}
}
}(&x)
// This defer starts a new goroutine, which will (hopefully)
// overwrite x on the garbage stack.
defer func() {
c := make(chan bool)
go func() {
useStack(1000)
c <- true
}()
<-c
}()
// This defer causes a stack copy.
// The old stack is now garbage.
defer func() {
useStack(1000)
}()
// Trigger a segfault.
*g = 0
// Make the return statement unreachable.
// That makes the stack map at the deferreturn call empty.
// In particular, the argument to the first defer is not
// marked as a pointer, so it doesn't get adjusted
// during the stack copy.
for {
}
}
var g *int64
func useStack(n int) {
if n == 0 {
return
}
useStack(n - 1)
}
|
