runtime: check the correct sanity condition in the page allocator

Currently there are a few sanity checks in the page allocator which should fail immediately but because it's a check for a negative number on a uint, it's actually dead-code. If there's a bug in the page allocator which would cause the sanity check to fail, this could cause memory corruption by returning an invalid address (more precisely, one might either see a segfault, or span overlap). This change fixes these sanity checks to check the correct condition. Fixes #38130. Change-Id: Ia19786cece783d39f26df24dec8788833a6a3f21 Reviewed-on: https://go-review.googlesource.com/c/go/+/226297 Reviewed-by: Giovanni Bajo <rasky@develer.com> Reviewed-by: Cherry Zhang <cherryyz@google.com>
2025-12-08 06:10:04 +00:00 · 2020-03-28 16:11:15 +00:00 · 2020-03-28 16:11:15 +00:00 · 89e13c88e4
commit 89e13c88e4
parent 0b7c202e98
2 changed files with 3 additions and 3 deletions
--- a/src/runtime/mpagealloc.go
+++ b/src/runtime/mpagealloc.go
@ -724,7 +724,7 @@ nextLevel:
 	// is what the final level represents.
 	ci := chunkIdx(i)
 	j, searchIdx := s.chunkOf(ci).find(npages, 0)
-	if j < 0 {
+	if j == ^uint(0) {
 		// We couldn't find any space in this chunk despite the summaries telling
 		// us it should be there. There's likely a bug, so dump some state and throw.
 		sum := s.summary[len(s.summary)-1][i]
@ -766,7 +766,7 @@ func (s *pageAlloc) alloc(npages uintptr) (addr uintptr, scav uintptr) {
 		i := chunkIndex(s.searchAddr)
 		if max := s.summary[len(s.summary)-1][i].max(); max >= uint(npages) {
 			j, searchIdx := s.chunkOf(i).find(npages, chunkPageIndex(s.searchAddr))
-			if j < 0 {
+			if j == ^uint(0) {
 				print("runtime: max = ", max, ", npages = ", npages, "\n")
 				print("runtime: searchIdx = ", chunkPageIndex(s.searchAddr), ", s.searchAddr = ", hex(s.searchAddr), "\n")
 				throw("bad summary data")