reflect: scanning invalid return slots during a makeFunc call

[randall77]

package main

import (
	"io"
	"reflect"
	"runtime"
	"unsafe"
)

var badPtr uintptr

var sink []byte

func init() {
	// Allocate large enough to use largeAlloc.
	b := make([]byte, 1<<16-1)
	sink = b // force heap allocation
	//  Any space between the object and the end of page is invalid to point to.
	badPtr = uintptr(unsafe.Pointer(&b[len(b)-1])) + 1
}

func f(d func(error) error) error {
	// Initialize callee args section with a bad pointer.
	g(badPtr, badPtr, badPtr, badPtr)

	// Then call a function which returns a pointer.
	// That return slot starts out holding a bad pointer.
	return d(io.EOF)
}

//go:noinline
func g(x, y, z, w uintptr) {
}

type T struct {
}

func (t *T) Foo(e error) error {
	runtime.GC()
	return e
}

func main() {
	// Functions
	d := reflect.MakeFunc(reflect.TypeOf(func(e error) error { return e }),
		func(args []reflect.Value) []reflect.Value {
			runtime.GC()
			return args
		}).Interface().(func(error) error)
	f(d)

	// Methods
	x := reflect.ValueOf(&T{}).Method(0).Interface().(func(error) error)
	f(x)
}

runtime: pointer 0xc00009dfff to unused region of span span.base()=0xc00008e000 span.limit=0xc00009dfff span.state=1
runtime: found in object at *(0xc0000a2f00+0x10)
object=0xc0000a2f00 s.base()=0xc00009e000 s.limit=0xc0000a6000 s.spanclass=0 s.elemsize=4096 s.state=mSpanManual
 *(object+0) = 0x4b90a0
 *(object+8) = 0xc000010050
 *(object+16) = 0xc00009dfff <==
 *(object+24) = 0xc00009dfff

This looks like an extended version of #27695. Possibly when there are args as well as results?

[randall77]

@gopherbot , please open backport issues for 1.11 and 1.10.

[gopherbot]

Backport issue(s) opened: #28751 (for 1.10), #28752 (for 1.11).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases.

[gopherbot]

Change https://golang.org/cl/149217 mentions this issue: runtime: when using explicit argmap, also use arglen