runtime: restore caller's frame pointer when recovering from panic

When recovering from a panic, restore the caller's frame pointer before returning control to the caller. Otherwise, if the function proceeds to run more deferred calls before returning, the deferred functions will get invalid frame pointers pointing to an address lower in the stack. This can cause frame pointer unwinding to crash, such as if an execution trace event is recorded during the deferred call on architectures which support frame pointer unwinding. Fixes #61766 Change-Id: I45f41aedcc397133560164ab520ca638bbd93c4e Reviewed-on: https://go-review.googlesource.com/c/go/+/516157 TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Michael Knyszek <mknyszek@google.com> Reviewed-by: Felix Geisendörfer <felix.geisendoerfer@datadoghq.com>
2025-12-08 06:10:04 +00:00 · 2023-08-04 17:31:43 -04:00 · 2023-08-04 17:31:43 -04:00 · b51a4dd6c4
commit b51a4dd6c4
parent 94d36fbc4a
3 changed files with 49 additions and 1 deletions
--- a/src/runtime/panic.go
+++ b/src/runtime/panic.go
@ -898,7 +898,7 @@ var paniclk mutex
 // defers instead.
 func recovery(gp *g) {
 	p := gp._panic
-	pc, sp := p.retpc, uintptr(p.sp)
+	pc, sp, fp := p.retpc, uintptr(p.sp), uintptr(p.fp)
 	p0, saveOpenDeferState := p, p.deferBitsPtr != nil && *p.deferBitsPtr != 0

 	// Unwind the panic stack.
@ -990,6 +990,16 @@ func recovery(gp *g) {
 	gp.sched.sp = sp
 	gp.sched.pc = pc
 	gp.sched.lr = 0
+	// fp points to the stack pointer at the caller, which is the top of the
+	// stack frame. The frame pointer used for unwinding is the word
+	// immediately below it.
+	gp.sched.bp = fp - goarch.PtrSize
+	if !usesLR {
+		// on x86, fp actually points one word higher than the top of
+		// the frame since the return address is saved on the stack by
+		// the caller
+		gp.sched.bp -= goarch.PtrSize
+	}
 	gp.sched.ret = 1
 	gogo(&gp.sched)
 }