Source file src/runtime/cgocall.go
1 // Copyright 2009 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 // Cgo call and callback support. 6 // 7 // To call into the C function f from Go, the cgo-generated code calls 8 // runtime.cgocall(_cgo_Cfunc_f, frame), where _cgo_Cfunc_f is a 9 // gcc-compiled function written by cgo. 10 // 11 // runtime.cgocall (below) calls entersyscall so as not to block 12 // other goroutines or the garbage collector, and then calls 13 // runtime.asmcgocall(_cgo_Cfunc_f, frame). 14 // 15 // runtime.asmcgocall (in asm_$GOARCH.s) switches to the m->g0 stack 16 // (assumed to be an operating system-allocated stack, so safe to run 17 // gcc-compiled code on) and calls _cgo_Cfunc_f(frame). 18 // 19 // _cgo_Cfunc_f invokes the actual C function f with arguments 20 // taken from the frame structure, records the results in the frame, 21 // and returns to runtime.asmcgocall. 22 // 23 // After it regains control, runtime.asmcgocall switches back to the 24 // original g (m->curg)'s stack and returns to runtime.cgocall. 25 // 26 // After it regains control, runtime.cgocall calls exitsyscall, which blocks 27 // until this m can run Go code without violating the $GOMAXPROCS limit, 28 // and then unlocks g from m. 29 // 30 // The above description skipped over the possibility of the gcc-compiled 31 // function f calling back into Go. If that happens, we continue down 32 // the rabbit hole during the execution of f. 33 // 34 // To make it possible for gcc-compiled C code to call a Go function p.GoF, 35 // cgo writes a gcc-compiled function named GoF (not p.GoF, since gcc doesn't 36 // know about packages). The gcc-compiled C function f calls GoF. 37 // 38 // GoF initializes "frame", a structure containing all of its 39 // arguments and slots for p.GoF's results. It calls 40 // crosscall2(_cgoexp_GoF, frame, framesize, ctxt) using the gcc ABI. 41 // 42 // crosscall2 (in cgo/asm_$GOARCH.s) is a four-argument adapter from 43 // the gcc function call ABI to the gc function call ABI. At this 44 // point we're in the Go runtime, but we're still running on m.g0's 45 // stack and outside the $GOMAXPROCS limit. crosscall2 calls 46 // runtime.cgocallback(_cgoexp_GoF, frame, ctxt) using the gc ABI. 47 // (crosscall2's framesize argument is no longer used, but there's one 48 // case where SWIG calls crosscall2 directly and expects to pass this 49 // argument. See _cgo_panic.) 50 // 51 // runtime.cgocallback (in asm_$GOARCH.s) switches from m.g0's stack 52 // to the original g (m.curg)'s stack, on which it calls 53 // runtime.cgocallbackg(_cgoexp_GoF, frame, ctxt). As part of the 54 // stack switch, runtime.cgocallback saves the current SP as 55 // m.g0.sched.sp, so that any use of m.g0's stack during the execution 56 // of the callback will be done below the existing stack frames. 57 // Before overwriting m.g0.sched.sp, it pushes the old value on the 58 // m.g0 stack, so that it can be restored later. 59 // 60 // runtime.cgocallbackg (below) is now running on a real goroutine 61 // stack (not an m.g0 stack). First it calls runtime.exitsyscall, which will 62 // block until the $GOMAXPROCS limit allows running this goroutine. 63 // Once exitsyscall has returned, it is safe to do things like call the memory 64 // allocator or invoke the Go callback function. runtime.cgocallbackg 65 // first defers a function to unwind m.g0.sched.sp, so that if p.GoF 66 // panics, m.g0.sched.sp will be restored to its old value: the m.g0 stack 67 // and the m.curg stack will be unwound in lock step. 68 // Then it calls _cgoexp_GoF(frame). 69 // 70 // _cgoexp_GoF, which was generated by cmd/cgo, unpacks the arguments 71 // from frame, calls p.GoF, writes the results back to frame, and 72 // returns. Now we start unwinding this whole process. 73 // 74 // runtime.cgocallbackg pops but does not execute the deferred 75 // function to unwind m.g0.sched.sp, calls runtime.entersyscall, and 76 // returns to runtime.cgocallback. 77 // 78 // After it regains control, runtime.cgocallback switches back to 79 // m.g0's stack (the pointer is still in m.g0.sched.sp), restores the old 80 // m.g0.sched.sp value from the stack, and returns to crosscall2. 81 // 82 // crosscall2 restores the callee-save registers for gcc and returns 83 // to GoF, which unpacks any result values and returns to f. 84 85 package runtime 86 87 import ( 88 "internal/abi" 89 "internal/goarch" 90 "internal/goexperiment" 91 "internal/runtime/sys" 92 "unsafe" 93 ) 94 95 // Addresses collected in a cgo backtrace when crashing. 96 // Length must match arg.Max in x_cgo_callers in runtime/cgo/gcc_traceback.c. 97 type cgoCallers [32]uintptr 98 99 // argset matches runtime/cgo/linux_syscall.c:argset_t 100 type argset struct { 101 args unsafe.Pointer 102 retval uintptr 103 } 104 105 // wrapper for syscall package to call cgocall for libc (cgo) calls. 106 // 107 //go:linkname syscall_cgocaller syscall.cgocaller 108 //go:nosplit 109 //go:uintptrescapes 110 func syscall_cgocaller(fn unsafe.Pointer, args ...uintptr) uintptr { 111 as := argset{args: unsafe.Pointer(&args[0])} 112 cgocall(fn, unsafe.Pointer(&as)) 113 return as.retval 114 } 115 116 var ncgocall uint64 // number of cgo calls in total for dead m 117 118 // Call from Go to C. 119 // 120 // This must be nosplit because it's used for syscalls on some 121 // platforms. Syscalls may have untyped arguments on the stack, so 122 // it's not safe to grow or scan the stack. 123 // 124 // cgocall should be an internal detail, 125 // but widely used packages access it using linkname. 126 // Notable members of the hall of shame include: 127 // - github.com/ebitengine/purego 128 // 129 // Do not remove or change the type signature. 130 // See go.dev/issue/67401. 131 // 132 //go:linkname cgocall 133 //go:nosplit 134 func cgocall(fn, arg unsafe.Pointer) int32 { 135 if !iscgo && GOOS != "solaris" && GOOS != "illumos" && GOOS != "windows" { 136 throw("cgocall unavailable") 137 } 138 139 if fn == nil { 140 throw("cgocall nil") 141 } 142 143 if raceenabled { 144 racereleasemerge(unsafe.Pointer(&racecgosync)) 145 } 146 147 mp := getg().m 148 mp.ncgocall++ 149 150 // Reset traceback. 151 mp.cgoCallers[0] = 0 152 153 // Announce we are entering a system call 154 // so that the scheduler knows to create another 155 // M to run goroutines while we are in the 156 // foreign code. 157 // 158 // The call to asmcgocall is guaranteed not to 159 // grow the stack and does not allocate memory, 160 // so it is safe to call while "in a system call", outside 161 // the $GOMAXPROCS accounting. 162 // 163 // fn may call back into Go code, in which case we'll exit the 164 // "system call", run the Go code (which may grow the stack), 165 // and then re-enter the "system call" reusing the PC and SP 166 // saved by entersyscall here. 167 entersyscall() 168 169 // Tell asynchronous preemption that we're entering external 170 // code. We do this after entersyscall because this may block 171 // and cause an async preemption to fail, but at this point a 172 // sync preemption will succeed (though this is not a matter 173 // of correctness). 174 osPreemptExtEnter(mp) 175 176 mp.incgo = true 177 // We use ncgo as a check during execution tracing for whether there is 178 // any C on the call stack, which there will be after this point. If 179 // there isn't, we can use frame pointer unwinding to collect call 180 // stacks efficiently. This will be the case for the first Go-to-C call 181 // on a stack, so it's preferable to update it here, after we emit a 182 // trace event in entersyscall above. 183 mp.ncgo++ 184 185 errno := asmcgocall(fn, arg) 186 187 // Update accounting before exitsyscall because exitsyscall may 188 // reschedule us on to a different M. 189 mp.incgo = false 190 mp.ncgo-- 191 192 osPreemptExtExit(mp) 193 194 // After exitsyscall we can be rescheduled on a different M, 195 // so we need to restore the original M's winsyscall. 196 winsyscall := mp.winsyscall 197 198 exitsyscall() 199 200 getg().m.winsyscall = winsyscall 201 202 // Note that raceacquire must be called only after exitsyscall has 203 // wired this M to a P. 204 if raceenabled { 205 raceacquire(unsafe.Pointer(&racecgosync)) 206 } 207 208 if sys.DITSupported { 209 // C code may have enabled or disabled DIT on this thread, restore 210 // our state to the expected one. 211 ditEnabled := sys.DITEnabled() 212 gp := getg() 213 if !gp.ditWanted && ditEnabled { 214 sys.DisableDIT() 215 } else if gp.ditWanted && !ditEnabled { 216 sys.EnableDIT() 217 } 218 } 219 220 // From the garbage collector's perspective, time can move 221 // backwards in the sequence above. If there's a callback into 222 // Go code, GC will see this function at the call to 223 // asmcgocall. When the Go call later returns to C, the 224 // syscall PC/SP is rolled back and the GC sees this function 225 // back at the call to entersyscall. Normally, fn and arg 226 // would be live at entersyscall and dead at asmcgocall, so if 227 // time moved backwards, GC would see these arguments as dead 228 // and then live. Prevent these undead arguments from crashing 229 // GC by forcing them to stay live across this time warp. 230 KeepAlive(fn) 231 KeepAlive(arg) 232 KeepAlive(mp) 233 234 return errno 235 } 236 237 // Set or reset the system stack bounds for a callback on sp. 238 // 239 // Must be nosplit because it is called by needm prior to fully initializing 240 // the M. 241 // 242 //go:nosplit 243 func callbackUpdateSystemStack(mp *m, sp uintptr, signal bool) { 244 g0 := mp.g0 245 246 if !mp.isextra { 247 // We allocated the stack for standard Ms. Don't replace the 248 // stack bounds with estimated ones when we already initialized 249 // with the exact ones. 250 return 251 } 252 253 inBound := sp > g0.stack.lo && sp <= g0.stack.hi 254 if inBound && mp.g0StackAccurate { 255 // This M has called into Go before and has the stack bounds 256 // initialized. We have the accurate stack bounds, and the SP 257 // is in bounds. We expect it continues to run within the same 258 // bounds. 259 return 260 } 261 262 // We don't have an accurate stack bounds (either it never calls 263 // into Go before, or we couldn't get the accurate bounds), or the 264 // current SP is not within the previous bounds (the stack may have 265 // changed between calls). We need to update the stack bounds. 266 // 267 // N.B. we need to update the stack bounds even if SP appears to 268 // already be in bounds, if our bounds are estimated dummy bounds 269 // (below). We may be in a different region within the same actual 270 // stack bounds, but our estimates were not accurate. Or the actual 271 // stack bounds could have shifted but still have partial overlap with 272 // our dummy bounds. If we failed to update in that case, we could find 273 // ourselves seemingly called near the bottom of the stack bounds, where 274 // we quickly run out of space. 275 276 // Set the stack bounds to match the current stack. If we don't 277 // actually know how big the stack is, like we don't know how big any 278 // scheduling stack is, but we assume there's at least 32 kB. If we 279 // can get a more accurate stack bound from pthread, use that, provided 280 // it actually contains SP. 281 g0.stack.hi = sp + 1024 282 g0.stack.lo = sp - 32*1024 283 mp.g0StackAccurate = false 284 if !signal && _cgo_getstackbound != nil { 285 // Don't adjust if called from the signal handler. 286 // We are on the signal stack, not the pthread stack. 287 // (We could get the stack bounds from sigaltstack, but 288 // we're getting out of the signal handler very soon 289 // anyway. Not worth it.) 290 var bounds [2]uintptr 291 asmcgocall(_cgo_getstackbound, unsafe.Pointer(&bounds)) 292 // getstackbound is an unsupported no-op on Windows. 293 // 294 // On Unix systems, if the API to get accurate stack bounds is 295 // not available, it returns zeros. 296 // 297 // Don't use these bounds if they don't contain SP. Perhaps we 298 // were called by something not using the standard thread 299 // stack. 300 if bounds[0] != 0 && sp > bounds[0] && sp <= bounds[1] { 301 g0.stack.lo = bounds[0] 302 g0.stack.hi = bounds[1] 303 mp.g0StackAccurate = true 304 } 305 } 306 g0.stackguard0 = g0.stack.lo + stackGuard 307 g0.stackguard1 = g0.stackguard0 308 } 309 310 // Call from C back to Go. fn must point to an ABIInternal Go entry-point. 311 // 312 //go:nosplit 313 func cgocallbackg(fn, frame unsafe.Pointer, ctxt uintptr) { 314 gp := getg() 315 if gp != gp.m.curg { 316 println("runtime: bad g in cgocallback") 317 exit(2) 318 } 319 320 sp := gp.m.g0.sched.sp // system sp saved by cgocallback. 321 oldStack := gp.m.g0.stack 322 oldAccurate := gp.m.g0StackAccurate 323 callbackUpdateSystemStack(gp.m, sp, false) 324 325 // The call from C is on gp.m's g0 stack, so we must ensure 326 // that we stay on that M. We have to do this before calling 327 // exitsyscall, since it would otherwise be free to move us to 328 // a different M. The call to unlockOSThread is in this function 329 // after cgocallbackg1, or in the case of panicking, in unwindm. 330 lockOSThread() 331 332 checkm := gp.m 333 334 // Save current syscall parameters, so m.winsyscall can be 335 // used again if callback decide to make syscall. 336 winsyscall := gp.m.winsyscall 337 338 // entersyscall saves the caller's SP to allow the GC to trace the Go 339 // stack. However, since we're returning to an earlier stack frame and 340 // need to pair with the entersyscall() call made by cgocall, we must 341 // save syscall* and let reentersyscall restore them. 342 // 343 // Note: savedsp and savedbp MUST be held in locals as an unsafe.Pointer. 344 // When we call into Go, the stack is free to be moved. If these locals 345 // aren't visible in the stack maps, they won't get updated properly, 346 // and will end up being stale when restored by reentersyscall. 347 savedsp := unsafe.Pointer(gp.syscallsp) 348 savedpc := gp.syscallpc 349 savedbp := unsafe.Pointer(gp.syscallbp) 350 exitsyscall() // coming out of cgo call 351 gp.m.incgo = false 352 if gp.m.isextra { 353 gp.m.isExtraInC = false 354 } 355 356 osPreemptExtExit(gp.m) 357 358 if gp.nocgocallback { 359 panic("runtime: function marked with #cgo nocallback called back into Go") 360 } 361 362 cgocallbackg1(fn, frame, ctxt) 363 364 // At this point we're about to call unlockOSThread. 365 // The following code must not change to a different m. 366 // This is enforced by checking incgo in the schedule function. 367 gp.m.incgo = true 368 unlockOSThread() 369 370 if gp.m.isextra && gp.m.ncgo == 0 { 371 // There are no active cgocalls above this frame (ncgo == 0), 372 // thus there can't be more Go frames above this frame. 373 gp.m.isExtraInC = true 374 } 375 376 if gp.m != checkm { 377 throw("m changed unexpectedly in cgocallbackg") 378 } 379 380 osPreemptExtEnter(gp.m) 381 382 // going back to cgo call 383 reentersyscall(savedpc, uintptr(savedsp), uintptr(savedbp)) 384 385 gp.m.winsyscall = winsyscall 386 387 // Restore the old g0 stack bounds 388 gp.m.g0.stack = oldStack 389 gp.m.g0.stackguard0 = oldStack.lo + stackGuard 390 gp.m.g0.stackguard1 = gp.m.g0.stackguard0 391 gp.m.g0StackAccurate = oldAccurate 392 } 393 394 func cgocallbackg1(fn, frame unsafe.Pointer, ctxt uintptr) { 395 gp := getg() 396 397 if gp.m.needextram || extraMWaiters.Load() > 0 { 398 gp.m.needextram = false 399 systemstack(newextram) 400 } 401 402 if ctxt != 0 { 403 s := append(gp.cgoCtxt, ctxt) 404 405 // Now we need to set gp.cgoCtxt = s, but we could get 406 // a SIGPROF signal while manipulating the slice, and 407 // the SIGPROF handler could pick up gp.cgoCtxt while 408 // tracing up the stack. We need to ensure that the 409 // handler always sees a valid slice, so set the 410 // values in an order such that it always does. 411 p := (*slice)(unsafe.Pointer(&gp.cgoCtxt)) 412 atomicstorep(unsafe.Pointer(&p.array), unsafe.Pointer(&s[0])) 413 p.cap = cap(s) 414 p.len = len(s) 415 416 defer func(gp *g) { 417 // Decrease the length of the slice by one, safely. 418 p := (*slice)(unsafe.Pointer(&gp.cgoCtxt)) 419 p.len-- 420 }(gp) 421 } 422 423 if gp.m.ncgo == 0 { 424 // The C call to Go came from a thread not currently running 425 // any Go. In the case of -buildmode=c-archive or c-shared, 426 // this call may be coming in before package initialization 427 // is complete. Don't proceed until it is. 428 // 429 // We check a bool first for speed, and wait on a channel 430 // if it's not ready. 431 // 432 // In race mode, skip the optimization and always use the 433 // channel, which has the race instrumentation. 434 if raceenabled || !mainInitDone.Load() { 435 <-mainInitDoneChan 436 } 437 } 438 439 // Check whether the profiler needs to be turned on or off; this route to 440 // run Go code does not use runtime.execute, so bypasses the check there. 441 hz := sched.profilehz 442 if gp.m.profilehz != hz { 443 setThreadCPUProfiler(hz) 444 } 445 446 // Add entry to defer stack in case of panic. 447 restore := true 448 defer unwindm(&restore) 449 450 var ditStateM, ditStateG bool 451 if debug.dataindependenttiming == 1 && gp.m.isextra { 452 // We only need to enable DIT for threads that were created by C, as it 453 // should already by enabled on threads that were created by Go. 454 ditStateM = sys.EnableDIT() 455 } else if sys.DITSupported && debug.dataindependenttiming != 1 { 456 // C code may have enabled or disabled DIT on this thread. Set the flag 457 // on the M and G accordingly, saving their previous state to restore 458 // on return from the callback. 459 ditStateM, ditStateG = gp.m.ditEnabled, gp.ditWanted 460 ditEnabled := sys.DITEnabled() 461 gp.ditWanted = ditEnabled 462 gp.m.ditEnabled = ditEnabled 463 } 464 465 if raceenabled { 466 raceacquire(unsafe.Pointer(&racecgosync)) 467 } 468 469 // Invoke callback. This function is generated by cmd/cgo and 470 // will unpack the argument frame and call the Go function. 471 var cb func(frame unsafe.Pointer) 472 cbFV := funcval{uintptr(fn)} 473 *(*unsafe.Pointer)(unsafe.Pointer(&cb)) = noescape(unsafe.Pointer(&cbFV)) 474 cb(frame) 475 476 if raceenabled { 477 racereleasemerge(unsafe.Pointer(&racecgosync)) 478 } 479 480 if debug.dataindependenttiming == 1 && !ditStateM { 481 // Only unset DIT if it wasn't already enabled when cgocallback was called. 482 sys.DisableDIT() 483 } else if sys.DITSupported && debug.dataindependenttiming != 1 { 484 // Restore DIT state on M and G. 485 gp.ditWanted = ditStateG 486 gp.m.ditEnabled = ditStateM 487 if !ditStateM { 488 sys.DisableDIT() 489 } 490 } 491 492 // Do not unwind m->g0->sched.sp. 493 // Our caller, cgocallback, will do that. 494 restore = false 495 } 496 497 func unwindm(restore *bool) { 498 if *restore { 499 // Restore sp saved by cgocallback during 500 // unwind of g's stack (see comment at top of file). 501 mp := acquirem() 502 sched := &mp.g0.sched 503 sched.sp = *(*uintptr)(unsafe.Pointer(sched.sp + alignUp(sys.MinFrameSize, sys.StackAlign))) 504 505 // Do the accounting that cgocall will not have a chance to do 506 // during an unwind. 507 // 508 // In the case where a Go call originates from C, ncgo is 0 509 // and there is no matching cgocall to end. 510 if mp.ncgo > 0 { 511 mp.incgo = false 512 mp.ncgo-- 513 osPreemptExtExit(mp) 514 } 515 516 // Undo the call to lockOSThread in cgocallbackg, only on the 517 // panicking path. In normal return case cgocallbackg will call 518 // unlockOSThread, ensuring no preemption point after the unlock. 519 // Here we don't need to worry about preemption, because we're 520 // panicking out of the callback and unwinding the g0 stack, 521 // instead of reentering cgo (which requires the same thread). 522 unlockOSThread() 523 524 releasem(mp) 525 } 526 } 527 528 // called from assembly. 529 func badcgocallback() { 530 throw("misaligned stack in cgocallback") 531 } 532 533 // called from (incomplete) assembly. 534 func cgounimpl() { 535 throw("cgo not implemented") 536 } 537 538 var racecgosync uint64 // represents possible synchronization in C code 539 540 // Pointer checking for cgo code. 541 542 // We want to detect all cases where a program that does not use 543 // unsafe makes a cgo call passing a Go pointer to memory that 544 // contains an unpinned Go pointer. Here a Go pointer is defined as a 545 // pointer to memory allocated by the Go runtime. Programs that use 546 // unsafe can evade this restriction easily, so we don't try to catch 547 // them. The cgo program will rewrite all possibly bad pointer 548 // arguments to call cgoCheckPointer, where we can catch cases of a Go 549 // pointer pointing to an unpinned Go pointer. 550 551 // Complicating matters, taking the address of a slice or array 552 // element permits the C program to access all elements of the slice 553 // or array. In that case we will see a pointer to a single element, 554 // but we need to check the entire data structure. 555 556 // The cgoCheckPointer call takes additional arguments indicating that 557 // it was called on an address expression. An additional argument of 558 // true means that it only needs to check a single element. An 559 // additional argument of a slice or array means that it needs to 560 // check the entire slice/array, but nothing else. Otherwise, the 561 // pointer could be anything, and we check the entire heap object, 562 // which is conservative but safe. 563 564 // When and if we implement a moving garbage collector, 565 // cgoCheckPointer will pin the pointer for the duration of the cgo 566 // call. (This is necessary but not sufficient; the cgo program will 567 // also have to change to pin Go pointers that cannot point to Go 568 // pointers.) 569 570 // cgoCheckPointer checks if the argument contains a Go pointer that 571 // points to an unpinned Go pointer, and panics if it does. 572 func cgoCheckPointer(ptr any, arg any) { 573 if !goexperiment.CgoCheck2 && debug.cgocheck == 0 { 574 return 575 } 576 577 ep := efaceOf(&ptr) 578 t := ep._type 579 580 top := true 581 if arg != nil && (t.Kind() == abi.Pointer || t.Kind() == abi.UnsafePointer) { 582 p := ep.data 583 if !t.IsDirectIface() { 584 p = *(*unsafe.Pointer)(p) 585 } 586 if p == nil || !cgoIsGoPointer(p) { 587 return 588 } 589 aep := efaceOf(&arg) 590 switch aep._type.Kind() { 591 case abi.Bool: 592 if t.Kind() == abi.UnsafePointer { 593 // We don't know the type of the element. 594 break 595 } 596 pt := (*ptrtype)(unsafe.Pointer(t)) 597 cgoCheckArg(pt.Elem, p, true, false, cgoCheckPointerFail) 598 return 599 case abi.Slice: 600 // Check the slice rather than the pointer. 601 ep = aep 602 t = ep._type 603 case abi.Array: 604 // Check the array rather than the pointer. 605 // Pass top as false since we have a pointer 606 // to the array. 607 ep = aep 608 t = ep._type 609 top = false 610 case abi.Pointer: 611 // The Go code is indexing into a pointer to an array, 612 // and we have been passed the pointer-to-array. 613 // Check the array rather than the pointer. 614 pt := (*abi.PtrType)(unsafe.Pointer(aep._type)) 615 t = pt.Elem 616 if t.Kind() != abi.Array { 617 throw("can't happen") 618 } 619 ep = aep 620 top = false 621 default: 622 throw("can't happen") 623 } 624 } 625 626 cgoCheckArg(t, ep.data, !t.IsDirectIface(), top, cgoCheckPointerFail) 627 } 628 629 type cgoErrorMsg int 630 631 const ( 632 cgoCheckPointerFail cgoErrorMsg = iota 633 cgoResultFail 634 ) 635 636 // cgoCheckArg is the real work of cgoCheckPointer and cgoCheckResult. 637 // The argument p is either a pointer to the value (of type t), or the value 638 // itself, depending on indir. The top parameter is whether we are at the top 639 // level, where Go pointers are allowed. Go pointers to pinned objects are 640 // allowed as long as they don't reference other unpinned pointers. 641 func cgoCheckArg(t *_type, p unsafe.Pointer, indir, top bool, msg cgoErrorMsg) { 642 if !t.Pointers() || p == nil { 643 // If the type has no pointers there is nothing to do. 644 return 645 } 646 647 switch t.Kind() { 648 default: 649 throw("can't happen") 650 case abi.Array: 651 at := (*arraytype)(unsafe.Pointer(t)) 652 if !indir { 653 if at.Len != 1 { 654 throw("can't happen") 655 } 656 cgoCheckArg(at.Elem, p, !at.Elem.IsDirectIface(), top, msg) 657 return 658 } 659 for i := uintptr(0); i < at.Len; i++ { 660 cgoCheckArg(at.Elem, p, true, top, msg) 661 p = add(p, at.Elem.Size_) 662 } 663 case abi.Chan, abi.Map: 664 // These types contain internal pointers that will 665 // always be allocated in the Go heap. It's never OK 666 // to pass them to C. 667 panic(cgoFormatErr(msg, t.Kind())) 668 case abi.Func: 669 if indir { 670 p = *(*unsafe.Pointer)(p) 671 } 672 if !cgoIsGoPointer(p) { 673 return 674 } 675 panic(cgoFormatErr(msg, t.Kind())) 676 case abi.Interface: 677 it := *(**_type)(p) 678 if it == nil { 679 return 680 } 681 // A type known at compile time is OK since it's 682 // constant. A type not known at compile time will be 683 // in the heap and will not be OK. 684 if inheap(uintptr(unsafe.Pointer(it))) { 685 panic(cgoFormatErr(msg, t.Kind())) 686 } 687 p = *(*unsafe.Pointer)(add(p, goarch.PtrSize)) 688 if !cgoIsGoPointer(p) { 689 return 690 } 691 if !top && !isPinned(p) { 692 panic(cgoFormatErr(msg, t.Kind())) 693 } 694 cgoCheckArg(it, p, !it.IsDirectIface(), false, msg) 695 case abi.Slice: 696 st := (*slicetype)(unsafe.Pointer(t)) 697 s := (*slice)(p) 698 p = s.array 699 if p == nil || !cgoIsGoPointer(p) { 700 return 701 } 702 if !top && !isPinned(p) { 703 panic(cgoFormatErr(msg, t.Kind())) 704 } 705 if !st.Elem.Pointers() { 706 return 707 } 708 for i := 0; i < s.cap; i++ { 709 cgoCheckArg(st.Elem, p, true, false, msg) 710 p = add(p, st.Elem.Size_) 711 } 712 case abi.String: 713 ss := (*stringStruct)(p) 714 if !cgoIsGoPointer(ss.str) { 715 return 716 } 717 if !top && !isPinned(ss.str) { 718 panic(cgoFormatErr(msg, t.Kind())) 719 } 720 case abi.Struct: 721 st := (*structtype)(unsafe.Pointer(t)) 722 if !indir { 723 if len(st.Fields) != 1 { 724 throw("can't happen") 725 } 726 cgoCheckArg(st.Fields[0].Typ, p, !st.Fields[0].Typ.IsDirectIface(), top, msg) 727 return 728 } 729 for _, f := range st.Fields { 730 if !f.Typ.Pointers() { 731 continue 732 } 733 cgoCheckArg(f.Typ, add(p, f.Offset), true, top, msg) 734 } 735 case abi.Pointer, abi.UnsafePointer: 736 if indir { 737 p = *(*unsafe.Pointer)(p) 738 if p == nil { 739 return 740 } 741 } 742 743 if !cgoIsGoPointer(p) { 744 return 745 } 746 if !top && !isPinned(p) { 747 panic(cgoFormatErr(msg, t.Kind())) 748 } 749 750 cgoCheckUnknownPointer(p, msg) 751 } 752 } 753 754 // cgoCheckUnknownPointer is called for an arbitrary pointer into Go 755 // memory. It checks whether that Go memory contains any other 756 // pointer into unpinned Go memory. If it does, we panic. 757 // The return values are unused but useful to see in panic tracebacks. 758 func cgoCheckUnknownPointer(p unsafe.Pointer, msg cgoErrorMsg) (base, i uintptr) { 759 if inheap(uintptr(p)) { 760 b, span, _ := findObject(uintptr(p), 0, 0) 761 base = b 762 if base == 0 { 763 return 764 } 765 tp := span.typePointersOfUnchecked(base) 766 for { 767 var addr uintptr 768 if tp, addr = tp.next(base + span.elemsize); addr == 0 { 769 break 770 } 771 pp := *(*unsafe.Pointer)(unsafe.Pointer(addr)) 772 if cgoIsGoPointer(pp) && !isPinned(pp) { 773 panic(cgoFormatErr(msg, abi.Pointer)) 774 } 775 } 776 return 777 } 778 779 for _, datap := range activeModules() { 780 if cgoInRange(p, datap.data, datap.edata) || cgoInRange(p, datap.bss, datap.ebss) { 781 // We have no way to know the size of the object. 782 // We have to assume that it might contain a pointer. 783 panic(cgoFormatErr(msg, abi.Pointer)) 784 } 785 // In the text or noptr sections, we know that the 786 // pointer does not point to a Go pointer. 787 } 788 789 return 790 } 791 792 // cgoIsGoPointer reports whether the pointer is a Go pointer--a 793 // pointer to Go memory. We only care about Go memory that might 794 // contain pointers. 795 // 796 //go:nosplit 797 //go:nowritebarrierrec 798 func cgoIsGoPointer(p unsafe.Pointer) bool { 799 if p == nil { 800 return false 801 } 802 803 if inHeapOrStack(uintptr(p)) { 804 return true 805 } 806 807 for _, datap := range activeModules() { 808 if cgoInRange(p, datap.data, datap.edata) || cgoInRange(p, datap.bss, datap.ebss) { 809 return true 810 } 811 } 812 813 return false 814 } 815 816 // cgoInRange reports whether p is between start and end. 817 // 818 //go:nosplit 819 //go:nowritebarrierrec 820 func cgoInRange(p unsafe.Pointer, start, end uintptr) bool { 821 return start <= uintptr(p) && uintptr(p) < end 822 } 823 824 // cgoCheckResult is called to check the result parameter of an 825 // exported Go function. It panics if the result is or contains any 826 // other pointer into unpinned Go memory. 827 func cgoCheckResult(val any) { 828 if !goexperiment.CgoCheck2 && debug.cgocheck == 0 { 829 return 830 } 831 832 ep := efaceOf(&val) 833 t := ep._type 834 if t == nil { 835 return 836 } 837 cgoCheckArg(t, ep.data, !t.IsDirectIface(), false, cgoResultFail) 838 } 839 840 // cgoFormatErr is called by cgoCheckArg and cgoCheckUnknownPointer 841 // to format panic error messages. 842 func cgoFormatErr(error cgoErrorMsg, kind abi.Kind) errorString { 843 var msg, kindname string 844 var cgoFunction string = "unknown" 845 var offset int 846 var buf [20]byte 847 848 // We expect one of these abi.Kind from cgoCheckArg 849 switch kind { 850 case abi.Chan: 851 kindname = "channel" 852 case abi.Func: 853 kindname = "function" 854 case abi.Interface: 855 kindname = "interface" 856 case abi.Map: 857 kindname = "map" 858 case abi.Pointer: 859 kindname = "pointer" 860 case abi.Slice: 861 kindname = "slice" 862 case abi.String: 863 kindname = "string" 864 case abi.Struct: 865 kindname = "struct" 866 case abi.UnsafePointer: 867 kindname = "unsafe pointer" 868 default: 869 kindname = "pointer" 870 } 871 872 // The cgo function name might need an offset to be obtained 873 if error == cgoResultFail { 874 offset = 21 875 } 876 877 // Relatively to cgoFormatErr, this is the stack frame: 878 // 0. cgoFormatErr 879 // 1. cgoCheckArg or cgoCheckUnknownPointer 880 // 2. cgoCheckPointer or cgoCheckResult 881 // 3. cgo function 882 pc, path, line, ok := Caller(3) 883 if ok && error == cgoResultFail { 884 function := FuncForPC(pc) 885 886 if function != nil { 887 // Expected format of cgo function name: 888 // - caller: _cgoexp_3c910ddb72c4_foo 889 if offset > len(function.Name()) { 890 cgoFunction = function.Name() 891 } else { 892 cgoFunction = function.Name()[offset:] 893 } 894 } 895 } 896 897 switch error { 898 case cgoResultFail: 899 msg = path + ":" + string(itoa(buf[:], uint64(line))) 900 msg += ": result of Go function " + cgoFunction + " called from cgo" 901 msg += " is unpinned Go " + kindname + " or points to unpinned Go " + kindname 902 case cgoCheckPointerFail: 903 msg += "argument of cgo function has Go pointer to unpinned Go " + kindname 904 } 905 906 return errorString(msg) 907 } 908