From 198074abd7ec36ee71198a109d98f1ccdb7c5533 Mon Sep 17 00:00:00 2001
From: Cuong Manh Le <cuong.manhle.vn@gmail.com>
Date: Tue, 17 Jan 2023 01:29:02 +0700
Subject: [PATCH] cmd/compile: fix unsafe.{SliceData,StringData} escape
 analysis memory corruption

Fixes #57823

Change-Id: I54654d3ecb20b75afa9052c5c9db2072a86188d4
Reviewed-on: https://go-review.googlesource.com/c/go/+/461759
Reviewed-by: Cherry Mui <cherryyz@google.com>
Auto-Submit: Cuong Manh Le <cuong.manhle.vn@gmail.com>
Reviewed-by: Keith Randall <khr@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Cuong Manh Le <cuong.manhle.vn@gmail.com>
Reviewed-by: Keith Randall <khr@google.com>
Reviewed-by: Matthew Dempsky <mdempsky@google.com>
---
 src/cmd/compile/internal/escape/call.go |  6 +-
 test/fixedbugs/issue57823.go            | 76 +++++++++++++++++++++++++
 2 files changed, 81 insertions(+), 1 deletion(-)
 create mode 100644 test/fixedbugs/issue57823.go

diff --git a/src/cmd/compile/internal/escape/call.go b/src/cmd/compile/internal/escape/call.go
index 4f602ca15fe779..e2235520e5cd73 100644
--- a/src/cmd/compile/internal/escape/call.go
+++ b/src/cmd/compile/internal/escape/call.go
@@ -180,10 +180,14 @@ func (e *escape) callCommon(ks []hole, call ir.Node, init *ir.Nodes, wrapper *ir
 			argument(e.discardHole(), &call.Args[i])
 		}
 
-	case ir.OLEN, ir.OCAP, ir.OREAL, ir.OIMAG, ir.OCLOSE, ir.OUNSAFESTRINGDATA, ir.OUNSAFESLICEDATA:
+	case ir.OLEN, ir.OCAP, ir.OREAL, ir.OIMAG, ir.OCLOSE:
 		call := call.(*ir.UnaryExpr)
 		argument(e.discardHole(), &call.X)
 
+	case ir.OUNSAFESTRINGDATA, ir.OUNSAFESLICEDATA:
+		call := call.(*ir.UnaryExpr)
+		argument(ks[0], &call.X)
+
 	case ir.OUNSAFEADD, ir.OUNSAFESLICE, ir.OUNSAFESTRING:
 		call := call.(*ir.BinaryExpr)
 		argument(ks[0], &call.X)
diff --git a/test/fixedbugs/issue57823.go b/test/fixedbugs/issue57823.go
new file mode 100644
index 00000000000000..d6708f6de8d422
--- /dev/null
+++ b/test/fixedbugs/issue57823.go
@@ -0,0 +1,76 @@
+// run
+
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+import (
+	"runtime"
+	"unsafe"
+)
+
+//go:noinline
+func g(x *byte) *byte { return x }
+
+func main() {
+	slice()
+	str("AAAAAAAA", "BBBBBBBBB")
+}
+
+func wait(done <-chan struct{}) bool {
+	for i := 0; i < 10; i++ {
+		runtime.GC()
+		select {
+		case <-done:
+			return true
+		default:
+		}
+	}
+	return false
+}
+
+func slice() {
+	s := make([]byte, 100)
+	s[0] = 1
+	one := unsafe.SliceData(s)
+
+	done := make(chan struct{})
+	runtime.SetFinalizer(one, func(*byte) { close(done) })
+
+	h := g(one)
+
+	if wait(done) {
+		panic("GC'd early")
+	}
+
+	if *h != 1 {
+		panic("lost one")
+	}
+
+	if !wait(done) {
+		panic("never GC'd")
+	}
+}
+
+var strDone = make(chan struct{})
+
+//go:noinline
+func str(x, y string) {
+	s := x + y // put in temporary on stack
+	p := unsafe.StringData(s)
+	runtime.SetFinalizer(p, func(*byte) { close(strDone) })
+
+	if wait(strDone) {
+		panic("GC'd early")
+	}
+
+	if *p != 'A' {
+		panic("lost p")
+	}
+
+	if !wait(strDone) {
+		panic("never GC'd")
+	}
+}