Source file src/runtime/cgocall.go
1 // Copyright 2009 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 // Cgo call and callback support. 6 // 7 // To call into the C function f from Go, the cgo-generated code calls 8 // runtime.cgocall(_cgo_Cfunc_f, frame), where _cgo_Cfunc_f is a 9 // gcc-compiled function written by cgo. 10 // 11 // runtime.cgocall (below) calls entersyscall so as not to block 12 // other goroutines or the garbage collector, and then calls 13 // runtime.asmcgocall(_cgo_Cfunc_f, frame). 14 // 15 // runtime.asmcgocall (in asm_$GOARCH.s) switches to the m->g0 stack 16 // (assumed to be an operating system-allocated stack, so safe to run 17 // gcc-compiled code on) and calls _cgo_Cfunc_f(frame). 18 // 19 // _cgo_Cfunc_f invokes the actual C function f with arguments 20 // taken from the frame structure, records the results in the frame, 21 // and returns to runtime.asmcgocall. 22 // 23 // After it regains control, runtime.asmcgocall switches back to the 24 // original g (m->curg)'s stack and returns to runtime.cgocall. 25 // 26 // After it regains control, runtime.cgocall calls exitsyscall, which blocks 27 // until this m can run Go code without violating the $GOMAXPROCS limit, 28 // and then unlocks g from m. 29 // 30 // The above description skipped over the possibility of the gcc-compiled 31 // function f calling back into Go. If that happens, we continue down 32 // the rabbit hole during the execution of f. 33 // 34 // To make it possible for gcc-compiled C code to call a Go function p.GoF, 35 // cgo writes a gcc-compiled function named GoF (not p.GoF, since gcc doesn't 36 // know about packages). The gcc-compiled C function f calls GoF. 37 // 38 // GoF initializes "frame", a structure containing all of its 39 // arguments and slots for p.GoF's results. It calls 40 // crosscall2(_cgoexp_GoF, frame, framesize, ctxt) using the gcc ABI. 41 // 42 // crosscall2 (in cgo/asm_$GOARCH.s) is a four-argument adapter from 43 // the gcc function call ABI to the gc function call ABI. At this 44 // point we're in the Go runtime, but we're still running on m.g0's 45 // stack and outside the $GOMAXPROCS limit. crosscall2 calls 46 // runtime.cgocallback(_cgoexp_GoF, frame, ctxt) using the gc ABI. 47 // (crosscall2's framesize argument is no longer used, but there's one 48 // case where SWIG calls crosscall2 directly and expects to pass this 49 // argument. See _cgo_panic.) 50 // 51 // runtime.cgocallback (in asm_$GOARCH.s) switches from m.g0's stack 52 // to the original g (m.curg)'s stack, on which it calls 53 // runtime.cgocallbackg(_cgoexp_GoF, frame, ctxt). As part of the 54 // stack switch, runtime.cgocallback saves the current SP as 55 // m.g0.sched.sp, so that any use of m.g0's stack during the execution 56 // of the callback will be done below the existing stack frames. 57 // Before overwriting m.g0.sched.sp, it pushes the old value on the 58 // m.g0 stack, so that it can be restored later. 59 // 60 // runtime.cgocallbackg (below) is now running on a real goroutine 61 // stack (not an m.g0 stack). First it calls runtime.exitsyscall, which will 62 // block until the $GOMAXPROCS limit allows running this goroutine. 63 // Once exitsyscall has returned, it is safe to do things like call the memory 64 // allocator or invoke the Go callback function. runtime.cgocallbackg 65 // first defers a function to unwind m.g0.sched.sp, so that if p.GoF 66 // panics, m.g0.sched.sp will be restored to its old value: the m.g0 stack 67 // and the m.curg stack will be unwound in lock step. 68 // Then it calls _cgoexp_GoF(frame). 69 // 70 // _cgoexp_GoF, which was generated by cmd/cgo, unpacks the arguments 71 // from frame, calls p.GoF, writes the results back to frame, and 72 // returns. Now we start unwinding this whole process. 73 // 74 // runtime.cgocallbackg pops but does not execute the deferred 75 // function to unwind m.g0.sched.sp, calls runtime.entersyscall, and 76 // returns to runtime.cgocallback. 77 // 78 // After it regains control, runtime.cgocallback switches back to 79 // m.g0's stack (the pointer is still in m.g0.sched.sp), restores the old 80 // m.g0.sched.sp value from the stack, and returns to crosscall2. 81 // 82 // crosscall2 restores the callee-save registers for gcc and returns 83 // to GoF, which unpacks any result values and returns to f. 84 85 package runtime 86 87 import ( 88 "internal/abi" 89 "internal/goarch" 90 "internal/goexperiment" 91 "internal/runtime/sys" 92 "unsafe" 93 ) 94 95 // Addresses collected in a cgo backtrace when crashing. 96 // Length must match arg.Max in x_cgo_callers in runtime/cgo/gcc_traceback.c. 97 type cgoCallers [32]uintptr 98 99 // argset matches runtime/cgo/linux_syscall.c:argset_t 100 type argset struct { 101 args unsafe.Pointer 102 retval uintptr 103 } 104 105 // wrapper for syscall package to call cgocall for libc (cgo) calls. 106 // 107 //go:linkname syscall_cgocaller syscall.cgocaller 108 //go:nosplit 109 //go:uintptrescapes 110 func syscall_cgocaller(fn unsafe.Pointer, args ...uintptr) uintptr { 111 as := argset{args: unsafe.Pointer(&args[0])} 112 cgocall(fn, unsafe.Pointer(&as)) 113 return as.retval 114 } 115 116 var ncgocall uint64 // number of cgo calls in total for dead m 117 118 // Call from Go to C. 119 // 120 // This must be nosplit because it's used for syscalls on some 121 // platforms. Syscalls may have untyped arguments on the stack, so 122 // it's not safe to grow or scan the stack. 123 // 124 // cgocall should be an internal detail, 125 // but widely used packages access it using linkname. 126 // Notable members of the hall of shame include: 127 // - github.com/ebitengine/purego 128 // 129 // Do not remove or change the type signature. 130 // See go.dev/issue/67401. 131 // 132 //go:linkname cgocall 133 //go:nosplit 134 func cgocall(fn, arg unsafe.Pointer) int32 { 135 if !iscgo && GOOS != "solaris" && GOOS != "illumos" && GOOS != "windows" { 136 throw("cgocall unavailable") 137 } 138 139 if fn == nil { 140 throw("cgocall nil") 141 } 142 143 if raceenabled { 144 racereleasemerge(unsafe.Pointer(&racecgosync)) 145 } 146 147 mp := getg().m 148 mp.ncgocall++ 149 150 // Reset traceback. 151 mp.cgoCallers[0] = 0 152 153 // Announce we are entering a system call 154 // so that the scheduler knows to create another 155 // M to run goroutines while we are in the 156 // foreign code. 157 // 158 // The call to asmcgocall is guaranteed not to 159 // grow the stack and does not allocate memory, 160 // so it is safe to call while "in a system call", outside 161 // the $GOMAXPROCS accounting. 162 // 163 // fn may call back into Go code, in which case we'll exit the 164 // "system call", run the Go code (which may grow the stack), 165 // and then re-enter the "system call" reusing the PC and SP 166 // saved by entersyscall here. 167 entersyscall() 168 169 // Tell asynchronous preemption that we're entering external 170 // code. We do this after entersyscall because this may block 171 // and cause an async preemption to fail, but at this point a 172 // sync preemption will succeed (though this is not a matter 173 // of correctness). 174 osPreemptExtEnter(mp) 175 176 mp.incgo = true 177 // We use ncgo as a check during execution tracing for whether there is 178 // any C on the call stack, which there will be after this point. If 179 // there isn't, we can use frame pointer unwinding to collect call 180 // stacks efficiently. This will be the case for the first Go-to-C call 181 // on a stack, so it's preferable to update it here, after we emit a 182 // trace event in entersyscall above. 183 mp.ncgo++ 184 185 errno := asmcgocall(fn, arg) 186 187 // Update accounting before exitsyscall because exitsyscall may 188 // reschedule us on to a different M. 189 mp.incgo = false 190 mp.ncgo-- 191 192 osPreemptExtExit(mp) 193 194 // Save current syscall parameters, so m.winsyscall can be 195 // used again if callback decide to make syscall. 196 winsyscall := mp.winsyscall 197 198 exitsyscall() 199 200 getg().m.winsyscall = winsyscall 201 202 // Note that raceacquire must be called only after exitsyscall has 203 // wired this M to a P. 204 if raceenabled { 205 raceacquire(unsafe.Pointer(&racecgosync)) 206 } 207 208 // From the garbage collector's perspective, time can move 209 // backwards in the sequence above. If there's a callback into 210 // Go code, GC will see this function at the call to 211 // asmcgocall. When the Go call later returns to C, the 212 // syscall PC/SP is rolled back and the GC sees this function 213 // back at the call to entersyscall. Normally, fn and arg 214 // would be live at entersyscall and dead at asmcgocall, so if 215 // time moved backwards, GC would see these arguments as dead 216 // and then live. Prevent these undead arguments from crashing 217 // GC by forcing them to stay live across this time warp. 218 KeepAlive(fn) 219 KeepAlive(arg) 220 KeepAlive(mp) 221 222 return errno 223 } 224 225 // Set or reset the system stack bounds for a callback on sp. 226 // 227 // Must be nosplit because it is called by needm prior to fully initializing 228 // the M. 229 // 230 //go:nosplit 231 func callbackUpdateSystemStack(mp *m, sp uintptr, signal bool) { 232 g0 := mp.g0 233 234 if !mp.isextra { 235 // We allocated the stack for standard Ms. Don't replace the 236 // stack bounds with estimated ones when we already initialized 237 // with the exact ones. 238 return 239 } 240 241 inBound := sp > g0.stack.lo && sp <= g0.stack.hi 242 if inBound && mp.g0StackAccurate { 243 // This M has called into Go before and has the stack bounds 244 // initialized. We have the accurate stack bounds, and the SP 245 // is in bounds. We expect it continues to run within the same 246 // bounds. 247 return 248 } 249 250 // We don't have an accurate stack bounds (either it never calls 251 // into Go before, or we couldn't get the accurate bounds), or the 252 // current SP is not within the previous bounds (the stack may have 253 // changed between calls). We need to update the stack bounds. 254 // 255 // N.B. we need to update the stack bounds even if SP appears to 256 // already be in bounds, if our bounds are estimated dummy bounds 257 // (below). We may be in a different region within the same actual 258 // stack bounds, but our estimates were not accurate. Or the actual 259 // stack bounds could have shifted but still have partial overlap with 260 // our dummy bounds. If we failed to update in that case, we could find 261 // ourselves seemingly called near the bottom of the stack bounds, where 262 // we quickly run out of space. 263 264 // Set the stack bounds to match the current stack. If we don't 265 // actually know how big the stack is, like we don't know how big any 266 // scheduling stack is, but we assume there's at least 32 kB. If we 267 // can get a more accurate stack bound from pthread, use that, provided 268 // it actually contains SP. 269 g0.stack.hi = sp + 1024 270 g0.stack.lo = sp - 32*1024 271 mp.g0StackAccurate = false 272 if !signal && _cgo_getstackbound != nil { 273 // Don't adjust if called from the signal handler. 274 // We are on the signal stack, not the pthread stack. 275 // (We could get the stack bounds from sigaltstack, but 276 // we're getting out of the signal handler very soon 277 // anyway. Not worth it.) 278 var bounds [2]uintptr 279 asmcgocall(_cgo_getstackbound, unsafe.Pointer(&bounds)) 280 // getstackbound is an unsupported no-op on Windows. 281 // 282 // On Unix systems, if the API to get accurate stack bounds is 283 // not available, it returns zeros. 284 // 285 // Don't use these bounds if they don't contain SP. Perhaps we 286 // were called by something not using the standard thread 287 // stack. 288 if bounds[0] != 0 && sp > bounds[0] && sp <= bounds[1] { 289 g0.stack.lo = bounds[0] 290 g0.stack.hi = bounds[1] 291 mp.g0StackAccurate = true 292 } 293 } 294 g0.stackguard0 = g0.stack.lo + stackGuard 295 g0.stackguard1 = g0.stackguard0 296 } 297 298 // Call from C back to Go. fn must point to an ABIInternal Go entry-point. 299 // 300 //go:nosplit 301 func cgocallbackg(fn, frame unsafe.Pointer, ctxt uintptr) { 302 gp := getg() 303 if gp != gp.m.curg { 304 println("runtime: bad g in cgocallback") 305 exit(2) 306 } 307 308 sp := gp.m.g0.sched.sp // system sp saved by cgocallback. 309 oldStack := gp.m.g0.stack 310 oldAccurate := gp.m.g0StackAccurate 311 callbackUpdateSystemStack(gp.m, sp, false) 312 313 // The call from C is on gp.m's g0 stack, so we must ensure 314 // that we stay on that M. We have to do this before calling 315 // exitsyscall, since it would otherwise be free to move us to 316 // a different M. The call to unlockOSThread is in this function 317 // after cgocallbackg1, or in the case of panicking, in unwindm. 318 lockOSThread() 319 320 checkm := gp.m 321 322 // Save current syscall parameters, so m.winsyscall can be 323 // used again if callback decide to make syscall. 324 winsyscall := gp.m.winsyscall 325 326 // entersyscall saves the caller's SP to allow the GC to trace the Go 327 // stack. However, since we're returning to an earlier stack frame and 328 // need to pair with the entersyscall() call made by cgocall, we must 329 // save syscall* and let reentersyscall restore them. 330 // 331 // Note: savedsp and savedbp MUST be held in locals as an unsafe.Pointer. 332 // When we call into Go, the stack is free to be moved. If these locals 333 // aren't visible in the stack maps, they won't get updated properly, 334 // and will end up being stale when restored by reentersyscall. 335 savedsp := unsafe.Pointer(gp.syscallsp) 336 savedpc := gp.syscallpc 337 savedbp := unsafe.Pointer(gp.syscallbp) 338 exitsyscall() // coming out of cgo call 339 gp.m.incgo = false 340 if gp.m.isextra { 341 gp.m.isExtraInC = false 342 } 343 344 osPreemptExtExit(gp.m) 345 346 if gp.nocgocallback { 347 panic("runtime: function marked with #cgo nocallback called back into Go") 348 } 349 350 cgocallbackg1(fn, frame, ctxt) 351 352 // At this point we're about to call unlockOSThread. 353 // The following code must not change to a different m. 354 // This is enforced by checking incgo in the schedule function. 355 gp.m.incgo = true 356 unlockOSThread() 357 358 if gp.m.isextra { 359 gp.m.isExtraInC = true 360 } 361 362 if gp.m != checkm { 363 throw("m changed unexpectedly in cgocallbackg") 364 } 365 366 osPreemptExtEnter(gp.m) 367 368 // going back to cgo call 369 reentersyscall(savedpc, uintptr(savedsp), uintptr(savedbp)) 370 371 gp.m.winsyscall = winsyscall 372 373 // Restore the old g0 stack bounds 374 gp.m.g0.stack = oldStack 375 gp.m.g0.stackguard0 = oldStack.lo + stackGuard 376 gp.m.g0.stackguard1 = gp.m.g0.stackguard0 377 gp.m.g0StackAccurate = oldAccurate 378 } 379 380 func cgocallbackg1(fn, frame unsafe.Pointer, ctxt uintptr) { 381 gp := getg() 382 383 if gp.m.needextram || extraMWaiters.Load() > 0 { 384 gp.m.needextram = false 385 systemstack(newextram) 386 } 387 388 if ctxt != 0 { 389 s := append(gp.cgoCtxt, ctxt) 390 391 // Now we need to set gp.cgoCtxt = s, but we could get 392 // a SIGPROF signal while manipulating the slice, and 393 // the SIGPROF handler could pick up gp.cgoCtxt while 394 // tracing up the stack. We need to ensure that the 395 // handler always sees a valid slice, so set the 396 // values in an order such that it always does. 397 p := (*slice)(unsafe.Pointer(&gp.cgoCtxt)) 398 atomicstorep(unsafe.Pointer(&p.array), unsafe.Pointer(&s[0])) 399 p.cap = cap(s) 400 p.len = len(s) 401 402 defer func(gp *g) { 403 // Decrease the length of the slice by one, safely. 404 p := (*slice)(unsafe.Pointer(&gp.cgoCtxt)) 405 p.len-- 406 }(gp) 407 } 408 409 if gp.m.ncgo == 0 { 410 // The C call to Go came from a thread not currently running 411 // any Go. In the case of -buildmode=c-archive or c-shared, 412 // this call may be coming in before package initialization 413 // is complete. Wait until it is. 414 <-main_init_done 415 } 416 417 // Check whether the profiler needs to be turned on or off; this route to 418 // run Go code does not use runtime.execute, so bypasses the check there. 419 hz := sched.profilehz 420 if gp.m.profilehz != hz { 421 setThreadCPUProfiler(hz) 422 } 423 424 // Add entry to defer stack in case of panic. 425 restore := true 426 defer unwindm(&restore) 427 428 if raceenabled { 429 raceacquire(unsafe.Pointer(&racecgosync)) 430 } 431 432 // Invoke callback. This function is generated by cmd/cgo and 433 // will unpack the argument frame and call the Go function. 434 var cb func(frame unsafe.Pointer) 435 cbFV := funcval{uintptr(fn)} 436 *(*unsafe.Pointer)(unsafe.Pointer(&cb)) = noescape(unsafe.Pointer(&cbFV)) 437 cb(frame) 438 439 if raceenabled { 440 racereleasemerge(unsafe.Pointer(&racecgosync)) 441 } 442 443 // Do not unwind m->g0->sched.sp. 444 // Our caller, cgocallback, will do that. 445 restore = false 446 } 447 448 func unwindm(restore *bool) { 449 if *restore { 450 // Restore sp saved by cgocallback during 451 // unwind of g's stack (see comment at top of file). 452 mp := acquirem() 453 sched := &mp.g0.sched 454 sched.sp = *(*uintptr)(unsafe.Pointer(sched.sp + alignUp(sys.MinFrameSize, sys.StackAlign))) 455 456 // Do the accounting that cgocall will not have a chance to do 457 // during an unwind. 458 // 459 // In the case where a Go call originates from C, ncgo is 0 460 // and there is no matching cgocall to end. 461 if mp.ncgo > 0 { 462 mp.incgo = false 463 mp.ncgo-- 464 osPreemptExtExit(mp) 465 } 466 467 // Undo the call to lockOSThread in cgocallbackg, only on the 468 // panicking path. In normal return case cgocallbackg will call 469 // unlockOSThread, ensuring no preemption point after the unlock. 470 // Here we don't need to worry about preemption, because we're 471 // panicking out of the callback and unwinding the g0 stack, 472 // instead of reentering cgo (which requires the same thread). 473 unlockOSThread() 474 475 releasem(mp) 476 } 477 } 478 479 // called from assembly. 480 func badcgocallback() { 481 throw("misaligned stack in cgocallback") 482 } 483 484 // called from (incomplete) assembly. 485 func cgounimpl() { 486 throw("cgo not implemented") 487 } 488 489 var racecgosync uint64 // represents possible synchronization in C code 490 491 // Pointer checking for cgo code. 492 493 // We want to detect all cases where a program that does not use 494 // unsafe makes a cgo call passing a Go pointer to memory that 495 // contains an unpinned Go pointer. Here a Go pointer is defined as a 496 // pointer to memory allocated by the Go runtime. Programs that use 497 // unsafe can evade this restriction easily, so we don't try to catch 498 // them. The cgo program will rewrite all possibly bad pointer 499 // arguments to call cgoCheckPointer, where we can catch cases of a Go 500 // pointer pointing to an unpinned Go pointer. 501 502 // Complicating matters, taking the address of a slice or array 503 // element permits the C program to access all elements of the slice 504 // or array. In that case we will see a pointer to a single element, 505 // but we need to check the entire data structure. 506 507 // The cgoCheckPointer call takes additional arguments indicating that 508 // it was called on an address expression. An additional argument of 509 // true means that it only needs to check a single element. An 510 // additional argument of a slice or array means that it needs to 511 // check the entire slice/array, but nothing else. Otherwise, the 512 // pointer could be anything, and we check the entire heap object, 513 // which is conservative but safe. 514 515 // When and if we implement a moving garbage collector, 516 // cgoCheckPointer will pin the pointer for the duration of the cgo 517 // call. (This is necessary but not sufficient; the cgo program will 518 // also have to change to pin Go pointers that cannot point to Go 519 // pointers.) 520 521 // cgoCheckPointer checks if the argument contains a Go pointer that 522 // points to an unpinned Go pointer, and panics if it does. 523 func cgoCheckPointer(ptr any, arg any) { 524 if !goexperiment.CgoCheck2 && debug.cgocheck == 0 { 525 return 526 } 527 528 ep := efaceOf(&ptr) 529 t := ep._type 530 531 top := true 532 if arg != nil && (t.Kind_&abi.KindMask == abi.Pointer || t.Kind_&abi.KindMask == abi.UnsafePointer) { 533 p := ep.data 534 if t.Kind_&abi.KindDirectIface == 0 { 535 p = *(*unsafe.Pointer)(p) 536 } 537 if p == nil || !cgoIsGoPointer(p) { 538 return 539 } 540 aep := efaceOf(&arg) 541 switch aep._type.Kind_ & abi.KindMask { 542 case abi.Bool: 543 if t.Kind_&abi.KindMask == abi.UnsafePointer { 544 // We don't know the type of the element. 545 break 546 } 547 pt := (*ptrtype)(unsafe.Pointer(t)) 548 cgoCheckArg(pt.Elem, p, true, false, cgoCheckPointerFail) 549 return 550 case abi.Slice: 551 // Check the slice rather than the pointer. 552 ep = aep 553 t = ep._type 554 case abi.Array: 555 // Check the array rather than the pointer. 556 // Pass top as false since we have a pointer 557 // to the array. 558 ep = aep 559 t = ep._type 560 top = false 561 case abi.Pointer: 562 // The Go code is indexing into a pointer to an array, 563 // and we have been passed the pointer-to-array. 564 // Check the array rather than the pointer. 565 pt := (*abi.PtrType)(unsafe.Pointer(aep._type)) 566 t = pt.Elem 567 if t.Kind_&abi.KindMask != abi.Array { 568 throw("can't happen") 569 } 570 ep = aep 571 top = false 572 default: 573 throw("can't happen") 574 } 575 } 576 577 cgoCheckArg(t, ep.data, t.Kind_&abi.KindDirectIface == 0, top, cgoCheckPointerFail) 578 } 579 580 const cgoCheckPointerFail = "cgo argument has Go pointer to unpinned Go pointer" 581 const cgoResultFail = "cgo result is unpinned Go pointer or points to unpinned Go pointer" 582 583 // cgoCheckArg is the real work of cgoCheckPointer. The argument p 584 // is either a pointer to the value (of type t), or the value itself, 585 // depending on indir. The top parameter is whether we are at the top 586 // level, where Go pointers are allowed. Go pointers to pinned objects are 587 // allowed as long as they don't reference other unpinned pointers. 588 func cgoCheckArg(t *_type, p unsafe.Pointer, indir, top bool, msg string) { 589 if !t.Pointers() || p == nil { 590 // If the type has no pointers there is nothing to do. 591 return 592 } 593 594 switch t.Kind_ & abi.KindMask { 595 default: 596 throw("can't happen") 597 case abi.Array: 598 at := (*arraytype)(unsafe.Pointer(t)) 599 if !indir { 600 if at.Len != 1 { 601 throw("can't happen") 602 } 603 cgoCheckArg(at.Elem, p, at.Elem.Kind_&abi.KindDirectIface == 0, top, msg) 604 return 605 } 606 for i := uintptr(0); i < at.Len; i++ { 607 cgoCheckArg(at.Elem, p, true, top, msg) 608 p = add(p, at.Elem.Size_) 609 } 610 case abi.Chan, abi.Map: 611 // These types contain internal pointers that will 612 // always be allocated in the Go heap. It's never OK 613 // to pass them to C. 614 panic(errorString(msg)) 615 case abi.Func: 616 if indir { 617 p = *(*unsafe.Pointer)(p) 618 } 619 if !cgoIsGoPointer(p) { 620 return 621 } 622 panic(errorString(msg)) 623 case abi.Interface: 624 it := *(**_type)(p) 625 if it == nil { 626 return 627 } 628 // A type known at compile time is OK since it's 629 // constant. A type not known at compile time will be 630 // in the heap and will not be OK. 631 if inheap(uintptr(unsafe.Pointer(it))) { 632 panic(errorString(msg)) 633 } 634 p = *(*unsafe.Pointer)(add(p, goarch.PtrSize)) 635 if !cgoIsGoPointer(p) { 636 return 637 } 638 if !top && !isPinned(p) { 639 panic(errorString(msg)) 640 } 641 cgoCheckArg(it, p, it.Kind_&abi.KindDirectIface == 0, false, msg) 642 case abi.Slice: 643 st := (*slicetype)(unsafe.Pointer(t)) 644 s := (*slice)(p) 645 p = s.array 646 if p == nil || !cgoIsGoPointer(p) { 647 return 648 } 649 if !top && !isPinned(p) { 650 panic(errorString(msg)) 651 } 652 if !st.Elem.Pointers() { 653 return 654 } 655 for i := 0; i < s.cap; i++ { 656 cgoCheckArg(st.Elem, p, true, false, msg) 657 p = add(p, st.Elem.Size_) 658 } 659 case abi.String: 660 ss := (*stringStruct)(p) 661 if !cgoIsGoPointer(ss.str) { 662 return 663 } 664 if !top && !isPinned(ss.str) { 665 panic(errorString(msg)) 666 } 667 case abi.Struct: 668 st := (*structtype)(unsafe.Pointer(t)) 669 if !indir { 670 if len(st.Fields) != 1 { 671 throw("can't happen") 672 } 673 cgoCheckArg(st.Fields[0].Typ, p, st.Fields[0].Typ.Kind_&abi.KindDirectIface == 0, top, msg) 674 return 675 } 676 for _, f := range st.Fields { 677 if !f.Typ.Pointers() { 678 continue 679 } 680 cgoCheckArg(f.Typ, add(p, f.Offset), true, top, msg) 681 } 682 case abi.Pointer, abi.UnsafePointer: 683 if indir { 684 p = *(*unsafe.Pointer)(p) 685 if p == nil { 686 return 687 } 688 } 689 690 if !cgoIsGoPointer(p) { 691 return 692 } 693 if !top && !isPinned(p) { 694 panic(errorString(msg)) 695 } 696 697 cgoCheckUnknownPointer(p, msg) 698 } 699 } 700 701 // cgoCheckUnknownPointer is called for an arbitrary pointer into Go 702 // memory. It checks whether that Go memory contains any other 703 // pointer into unpinned Go memory. If it does, we panic. 704 // The return values are unused but useful to see in panic tracebacks. 705 func cgoCheckUnknownPointer(p unsafe.Pointer, msg string) (base, i uintptr) { 706 if inheap(uintptr(p)) { 707 b, span, _ := findObject(uintptr(p), 0, 0) 708 base = b 709 if base == 0 { 710 return 711 } 712 tp := span.typePointersOfUnchecked(base) 713 for { 714 var addr uintptr 715 if tp, addr = tp.next(base + span.elemsize); addr == 0 { 716 break 717 } 718 pp := *(*unsafe.Pointer)(unsafe.Pointer(addr)) 719 if cgoIsGoPointer(pp) && !isPinned(pp) { 720 panic(errorString(msg)) 721 } 722 } 723 return 724 } 725 726 for _, datap := range activeModules() { 727 if cgoInRange(p, datap.data, datap.edata) || cgoInRange(p, datap.bss, datap.ebss) { 728 // We have no way to know the size of the object. 729 // We have to assume that it might contain a pointer. 730 panic(errorString(msg)) 731 } 732 // In the text or noptr sections, we know that the 733 // pointer does not point to a Go pointer. 734 } 735 736 return 737 } 738 739 // cgoIsGoPointer reports whether the pointer is a Go pointer--a 740 // pointer to Go memory. We only care about Go memory that might 741 // contain pointers. 742 // 743 //go:nosplit 744 //go:nowritebarrierrec 745 func cgoIsGoPointer(p unsafe.Pointer) bool { 746 if p == nil { 747 return false 748 } 749 750 if inHeapOrStack(uintptr(p)) { 751 return true 752 } 753 754 for _, datap := range activeModules() { 755 if cgoInRange(p, datap.data, datap.edata) || cgoInRange(p, datap.bss, datap.ebss) { 756 return true 757 } 758 } 759 760 return false 761 } 762 763 // cgoInRange reports whether p is between start and end. 764 // 765 //go:nosplit 766 //go:nowritebarrierrec 767 func cgoInRange(p unsafe.Pointer, start, end uintptr) bool { 768 return start <= uintptr(p) && uintptr(p) < end 769 } 770 771 // cgoCheckResult is called to check the result parameter of an 772 // exported Go function. It panics if the result is or contains any 773 // other pointer into unpinned Go memory. 774 func cgoCheckResult(val any) { 775 if !goexperiment.CgoCheck2 && debug.cgocheck == 0 { 776 return 777 } 778 779 ep := efaceOf(&val) 780 t := ep._type 781 cgoCheckArg(t, ep.data, t.Kind_&abi.KindDirectIface == 0, false, cgoResultFail) 782 } 783