panic.go

     1  // Copyright 2014 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package runtime
     6  
     7  import (
     8  	"internal/abi"
     9  	"internal/goarch"
    10  	"internal/runtime/atomic"
    11  	"internal/runtime/sys"
    12  	"internal/stringslite"
    13  	"unsafe"
    14  )
    15  
    16  // throwType indicates the current type of ongoing throw, which affects the
    17  // amount of detail printed to stderr. Higher values include more detail.
    18  type throwType uint32
    19  
    20  const (
    21  	// throwTypeNone means that we are not throwing.
    22  	throwTypeNone throwType = iota
    23  
    24  	// throwTypeUser is a throw due to a problem with the application.
    25  	//
    26  	// These throws do not include runtime frames, system goroutines, or
    27  	// frame metadata.
    28  	throwTypeUser
    29  
    30  	// throwTypeRuntime is a throw due to a problem with Go itself.
    31  	//
    32  	// These throws include as much information as possible to aid in
    33  	// debugging the runtime, including runtime frames, system goroutines,
    34  	// and frame metadata.
    35  	throwTypeRuntime
    36  )
    37  
    38  // We have two different ways of doing defers. The older way involves creating a
    39  // defer record at the time that a defer statement is executing and adding it to a
    40  // defer chain. This chain is inspected by the deferreturn call at all function
    41  // exits in order to run the appropriate defer calls. A cheaper way (which we call
    42  // open-coded defers) is used for functions in which no defer statements occur in
    43  // loops. In that case, we simply store the defer function/arg information into
    44  // specific stack slots at the point of each defer statement, as well as setting a
    45  // bit in a bitmask. At each function exit, we add inline code to directly make
    46  // the appropriate defer calls based on the bitmask and fn/arg information stored
    47  // on the stack. During panic/Goexit processing, the appropriate defer calls are
    48  // made using extra funcdata info that indicates the exact stack slots that
    49  // contain the bitmask and defer fn/args.
    50  
    51  // Check to make sure we can really generate a panic. If the panic
    52  // was generated from the runtime, or from inside malloc, then convert
    53  // to a throw of msg.
    54  // pc should be the program counter of the compiler-generated code that
    55  // triggered this panic.
    56  func panicCheck1(pc uintptr, msg string) {
    57  	if goarch.IsWasm == 0 && stringslite.HasPrefix(funcname(findfunc(pc)), "runtime.") {
    58  		// Note: wasm can't tail call, so we can't get the original caller's pc.
    59  		throw(msg)
    60  	}
    61  	// TODO: is this redundant? How could we be in malloc
    62  	// but not in the runtime? internal/runtime/*, maybe?
    63  	gp := getg()
    64  	if gp != nil && gp.m != nil && gp.m.mallocing != 0 {
    65  		throw(msg)
    66  	}
    67  }
    68  
    69  // Same as above, but calling from the runtime is allowed.
    70  //
    71  // Using this function is necessary for any panic that may be
    72  // generated by runtime.sigpanic, since those are always called by the
    73  // runtime.
    74  func panicCheck2(err string) {
    75  	// panic allocates, so to avoid recursive malloc, turn panics
    76  	// during malloc into throws.
    77  	gp := getg()
    78  	if gp != nil && gp.m != nil && gp.m.mallocing != 0 {
    79  		throw(err)
    80  	}
    81  }
    82  
    83  // Many of the following panic entry-points turn into throws when they
    84  // happen in various runtime contexts. These should never happen in
    85  // the runtime, and if they do, they indicate a serious issue and
    86  // should not be caught by user code.
    87  //
    88  // The panic{Index,Slice,divide,shift} functions are called by
    89  // code generated by the compiler for out of bounds index expressions,
    90  // out of bounds slice expressions, division by zero, and shift by negative.
    91  // The panicdivide (again), panicoverflow, panicfloat, and panicmem
    92  // functions are called by the signal handler when a signal occurs
    93  // indicating the respective problem.
    94  //
    95  // Since panic{Index,Slice,shift} are never called directly, and
    96  // since the runtime package should never have an out of bounds slice
    97  // or array reference or negative shift, if we see those functions called from the
    98  // runtime package we turn the panic into a throw. That will dump the
    99  // entire runtime stack for easier debugging.
   100  //
   101  // The entry points called by the signal handler will be called from
   102  // runtime.sigpanic, so we can't disallow calls from the runtime to
   103  // these (they always look like they're called from the runtime).
   104  // Hence, for these, we just check for clearly bad runtime conditions.
   105  //
   106  // The goPanic{Index,Slice} functions are only used by wasm. All the other architectures
   107  // use panic{Bounds,Extend} in assembly, which then call to panicBounds{64,32,32X}.
   108  
   109  // failures in the comparisons for s[x], 0 <= x < y (y == len(s))
   110  //
   111  //go:yeswritebarrierrec
   112  func goPanicIndex(x int, y int) {
   113  	panicCheck1(sys.GetCallerPC(), "index out of range")
   114  	panic(boundsError{x: int64(x), signed: true, y: y, code: abi.BoundsIndex})
   115  }
   116  
   117  //go:yeswritebarrierrec
   118  func goPanicIndexU(x uint, y int) {
   119  	panicCheck1(sys.GetCallerPC(), "index out of range")
   120  	panic(boundsError{x: int64(x), signed: false, y: y, code: abi.BoundsIndex})
   121  }
   122  
   123  // failures in the comparisons for s[:x], 0 <= x <= y (y == len(s) or cap(s))
   124  //
   125  //go:yeswritebarrierrec
   126  func goPanicSliceAlen(x int, y int) {
   127  	panicCheck1(sys.GetCallerPC(), "slice bounds out of range")
   128  	panic(boundsError{x: int64(x), signed: true, y: y, code: abi.BoundsSliceAlen})
   129  }
   130  
   131  //go:yeswritebarrierrec
   132  func goPanicSliceAlenU(x uint, y int) {
   133  	panicCheck1(sys.GetCallerPC(), "slice bounds out of range")
   134  	panic(boundsError{x: int64(x), signed: false, y: y, code: abi.BoundsSliceAlen})
   135  }
   136  
   137  //go:yeswritebarrierrec
   138  func goPanicSliceAcap(x int, y int) {
   139  	panicCheck1(sys.GetCallerPC(), "slice bounds out of range")
   140  	panic(boundsError{x: int64(x), signed: true, y: y, code: abi.BoundsSliceAcap})
   141  }
   142  
   143  //go:yeswritebarrierrec
   144  func goPanicSliceAcapU(x uint, y int) {
   145  	panicCheck1(sys.GetCallerPC(), "slice bounds out of range")
   146  	panic(boundsError{x: int64(x), signed: false, y: y, code: abi.BoundsSliceAcap})
   147  }
   148  
   149  // failures in the comparisons for s[x:y], 0 <= x <= y
   150  //
   151  //go:yeswritebarrierrec
   152  func goPanicSliceB(x int, y int) {
   153  	panicCheck1(sys.GetCallerPC(), "slice bounds out of range")
   154  	panic(boundsError{x: int64(x), signed: true, y: y, code: abi.BoundsSliceB})
   155  }
   156  
   157  //go:yeswritebarrierrec
   158  func goPanicSliceBU(x uint, y int) {
   159  	panicCheck1(sys.GetCallerPC(), "slice bounds out of range")
   160  	panic(boundsError{x: int64(x), signed: false, y: y, code: abi.BoundsSliceB})
   161  }
   162  
   163  // failures in the comparisons for s[::x], 0 <= x <= y (y == len(s) or cap(s))
   164  func goPanicSlice3Alen(x int, y int) {
   165  	panicCheck1(sys.GetCallerPC(), "slice bounds out of range")
   166  	panic(boundsError{x: int64(x), signed: true, y: y, code: abi.BoundsSlice3Alen})
   167  }
   168  func goPanicSlice3AlenU(x uint, y int) {
   169  	panicCheck1(sys.GetCallerPC(), "slice bounds out of range")
   170  	panic(boundsError{x: int64(x), signed: false, y: y, code: abi.BoundsSlice3Alen})
   171  }
   172  func goPanicSlice3Acap(x int, y int) {
   173  	panicCheck1(sys.GetCallerPC(), "slice bounds out of range")
   174  	panic(boundsError{x: int64(x), signed: true, y: y, code: abi.BoundsSlice3Acap})
   175  }
   176  func goPanicSlice3AcapU(x uint, y int) {
   177  	panicCheck1(sys.GetCallerPC(), "slice bounds out of range")
   178  	panic(boundsError{x: int64(x), signed: false, y: y, code: abi.BoundsSlice3Acap})
   179  }
   180  
   181  // failures in the comparisons for s[:x:y], 0 <= x <= y
   182  func goPanicSlice3B(x int, y int) {
   183  	panicCheck1(sys.GetCallerPC(), "slice bounds out of range")
   184  	panic(boundsError{x: int64(x), signed: true, y: y, code: abi.BoundsSlice3B})
   185  }
   186  func goPanicSlice3BU(x uint, y int) {
   187  	panicCheck1(sys.GetCallerPC(), "slice bounds out of range")
   188  	panic(boundsError{x: int64(x), signed: false, y: y, code: abi.BoundsSlice3B})
   189  }
   190  
   191  // failures in the comparisons for s[x:y:], 0 <= x <= y
   192  func goPanicSlice3C(x int, y int) {
   193  	panicCheck1(sys.GetCallerPC(), "slice bounds out of range")
   194  	panic(boundsError{x: int64(x), signed: true, y: y, code: abi.BoundsSlice3C})
   195  }
   196  func goPanicSlice3CU(x uint, y int) {
   197  	panicCheck1(sys.GetCallerPC(), "slice bounds out of range")
   198  	panic(boundsError{x: int64(x), signed: false, y: y, code: abi.BoundsSlice3C})
   199  }
   200  
   201  // failures in the conversion ([x]T)(s) or (*[x]T)(s), 0 <= x <= y, y == len(s)
   202  func goPanicSliceConvert(x int, y int) {
   203  	panicCheck1(sys.GetCallerPC(), "slice length too short to convert to array or pointer to array")
   204  	panic(boundsError{x: int64(x), signed: true, y: y, code: abi.BoundsConvert})
   205  }
   206  
   207  // Implemented in assembly. Declared here to mark them as ABIInternal.
   208  func panicBounds() // in asm_GOARCH.s files, called from generated code
   209  func panicExtend() // in asm_GOARCH.s files, called from generated code (on 32-bit archs)
   210  
   211  func panicBounds64(pc uintptr, regs *[16]int64) { // called from panicBounds on 64-bit archs
   212  	f := findfunc(pc)
   213  	v := pcdatavalue(f, abi.PCDATA_PanicBounds, pc-1)
   214  
   215  	code, signed, xIsReg, yIsReg, xVal, yVal := abi.BoundsDecode(int(v))
   216  
   217  	if code == abi.BoundsIndex {
   218  		panicCheck1(pc, "index out of range")
   219  	} else {
   220  		panicCheck1(pc, "slice bounds out of range")
   221  	}
   222  
   223  	var e boundsError
   224  	e.code = code
   225  	e.signed = signed
   226  	if xIsReg {
   227  		e.x = regs[xVal]
   228  	} else {
   229  		e.x = int64(xVal)
   230  	}
   231  	if yIsReg {
   232  		e.y = int(regs[yVal])
   233  	} else {
   234  		e.y = yVal
   235  	}
   236  	panic(e)
   237  }
   238  
   239  func panicBounds32(pc uintptr, regs *[16]int32) { // called from panicBounds on 32-bit archs
   240  	f := findfunc(pc)
   241  	v := pcdatavalue(f, abi.PCDATA_PanicBounds, pc-1)
   242  
   243  	code, signed, xIsReg, yIsReg, xVal, yVal := abi.BoundsDecode(int(v))
   244  
   245  	if code == abi.BoundsIndex {
   246  		panicCheck1(pc, "index out of range")
   247  	} else {
   248  		panicCheck1(pc, "slice bounds out of range")
   249  	}
   250  
   251  	var e boundsError
   252  	e.code = code
   253  	e.signed = signed
   254  	if xIsReg {
   255  		if signed {
   256  			e.x = int64(regs[xVal])
   257  		} else {
   258  			e.x = int64(uint32(regs[xVal]))
   259  		}
   260  	} else {
   261  		e.x = int64(xVal)
   262  	}
   263  	if yIsReg {
   264  		e.y = int(regs[yVal])
   265  	} else {
   266  		e.y = yVal
   267  	}
   268  	panic(e)
   269  }
   270  
   271  func panicBounds32X(pc uintptr, regs *[16]int32) { // called from panicExtend on 32-bit archs
   272  	f := findfunc(pc)
   273  	v := pcdatavalue(f, abi.PCDATA_PanicBounds, pc-1)
   274  
   275  	code, signed, xIsReg, yIsReg, xVal, yVal := abi.BoundsDecode(int(v))
   276  
   277  	if code == abi.BoundsIndex {
   278  		panicCheck1(pc, "index out of range")
   279  	} else {
   280  		panicCheck1(pc, "slice bounds out of range")
   281  	}
   282  
   283  	var e boundsError
   284  	e.code = code
   285  	e.signed = signed
   286  	if xIsReg {
   287  		// Our 4-bit register numbers are actually 2 2-bit register numbers.
   288  		lo := xVal & 3
   289  		hi := xVal >> 2
   290  		e.x = int64(regs[hi])<<32 + int64(uint32(regs[lo]))
   291  	} else {
   292  		e.x = int64(xVal)
   293  	}
   294  	if yIsReg {
   295  		e.y = int(regs[yVal])
   296  	} else {
   297  		e.y = yVal
   298  	}
   299  	panic(e)
   300  }
   301  
   302  var shiftError = error(errorString("negative shift amount"))
   303  
   304  //go:yeswritebarrierrec
   305  func panicshift() {
   306  	panicCheck1(sys.GetCallerPC(), "negative shift amount")
   307  	panic(shiftError)
   308  }
   309  
   310  var divideError = error(errorString("integer divide by zero"))
   311  
   312  //go:yeswritebarrierrec
   313  func panicdivide() {
   314  	panicCheck2("integer divide by zero")
   315  	panic(divideError)
   316  }
   317  
   318  var overflowError = error(errorString("integer overflow"))
   319  
   320  func panicoverflow() {
   321  	panicCheck2("integer overflow")
   322  	panic(overflowError)
   323  }
   324  
   325  var floatError = error(errorString("floating point error"))
   326  
   327  func panicfloat() {
   328  	panicCheck2("floating point error")
   329  	panic(floatError)
   330  }
   331  
   332  var memoryError = error(errorString("invalid memory address or nil pointer dereference"))
   333  
   334  func panicmem() {
   335  	panicCheck2("invalid memory address or nil pointer dereference")
   336  	panic(memoryError)
   337  }
   338  
   339  func panicmemAddr(addr uintptr) {
   340  	panicCheck2("invalid memory address or nil pointer dereference")
   341  	panic(errorAddressString{msg: "invalid memory address or nil pointer dereference", addr: addr})
   342  }
   343  
   344  var simdImmError = error(errorString("out-of-range immediate for simd intrinsic"))
   345  
   346  func panicSimdImm() {
   347  	panicCheck2("simd immediate error")
   348  	panic(simdImmError)
   349  }
   350  
   351  // Create a new deferred function fn, which has no arguments and results.
   352  // The compiler turns a defer statement into a call to this.
   353  func deferproc(fn func()) {
   354  	gp := getg()
   355  	if gp.m.curg != gp {
   356  		// go code on the system stack can't defer
   357  		throw("defer on system stack")
   358  	}
   359  
   360  	d := newdefer()
   361  	d.link = gp._defer
   362  	gp._defer = d
   363  	d.fn = fn
   364  	d.pc = sys.GetCallerPC()
   365  	// We must not be preempted between calling GetCallerSP and
   366  	// storing it to d.sp because GetCallerSP's result is a
   367  	// uintptr stack pointer.
   368  	d.sp = sys.GetCallerSP()
   369  }
   370  
   371  var rangeDoneError = error(errorString("range function continued iteration after function for loop body returned false"))
   372  var rangePanicError = error(errorString("range function continued iteration after loop body panic"))
   373  var rangeExhaustedError = error(errorString("range function continued iteration after whole loop exit"))
   374  var rangeMissingPanicError = error(errorString("range function recovered a loop body panic and did not resume panicking"))
   375  
   376  //go:noinline
   377  func panicrangestate(state int) {
   378  	switch abi.RF_State(state) {
   379  	case abi.RF_DONE:
   380  		panic(rangeDoneError)
   381  	case abi.RF_PANIC:
   382  		panic(rangePanicError)
   383  	case abi.RF_EXHAUSTED:
   384  		panic(rangeExhaustedError)
   385  	case abi.RF_MISSING_PANIC:
   386  		panic(rangeMissingPanicError)
   387  	}
   388  	throw("unexpected state passed to panicrangestate")
   389  }
   390  
   391  // deferrangefunc is called by functions that are about to
   392  // execute a range-over-function loop in which the loop body
   393  // may execute a defer statement. That defer needs to add to
   394  // the chain for the current function, not the func literal synthesized
   395  // to represent the loop body. To do that, the original function
   396  // calls deferrangefunc to obtain an opaque token representing
   397  // the current frame, and then the loop body uses deferprocat
   398  // instead of deferproc to add to that frame's defer lists.
   399  //
   400  // The token is an 'any' with underlying type *atomic.Pointer[_defer].
   401  // It is the atomically-updated head of a linked list of _defer structs
   402  // representing deferred calls. At the same time, we create a _defer
   403  // struct on the main g._defer list with d.head set to this head pointer.
   404  //
   405  // The g._defer list is now a linked list of deferred calls,
   406  // but an atomic list hanging off:
   407  //
   408  //		g._defer => d4 -> d3 -> drangefunc -> d2 -> d1 -> nil
   409  //	                             | .head
   410  //	                             |
   411  //	                             +--> dY -> dX -> nil
   412  //
   413  // with each -> indicating a d.link pointer, and where drangefunc
   414  // has the d.rangefunc = true bit set.
   415  // Note that the function being ranged over may have added
   416  // its own defers (d4 and d3), so drangefunc need not be at the
   417  // top of the list when deferprocat is used. This is why we pass
   418  // the atomic head explicitly.
   419  //
   420  // To keep misbehaving programs from crashing the runtime,
   421  // deferprocat pushes new defers onto the .head list atomically.
   422  // The fact that it is a separate list from the main goroutine
   423  // defer list means that the main goroutine's defers can still
   424  // be handled non-atomically.
   425  //
   426  // In the diagram, dY and dX are meant to be processed when
   427  // drangefunc would be processed, which is to say the defer order
   428  // should be d4, d3, dY, dX, d2, d1. To make that happen,
   429  // when defer processing reaches a d with rangefunc=true,
   430  // it calls deferconvert to atomically take the extras
   431  // away from d.head and then adds them to the main list.
   432  //
   433  // That is, deferconvert changes this list:
   434  //
   435  //		g._defer => drangefunc -> d2 -> d1 -> nil
   436  //	                 | .head
   437  //	                 |
   438  //	                 +--> dY -> dX -> nil
   439  //
   440  // into this list:
   441  //
   442  //	g._defer => dY -> dX -> d2 -> d1 -> nil
   443  //
   444  // It also poisons *drangefunc.head so that any future
   445  // deferprocat using that head will throw.
   446  // (The atomic head is ordinary garbage collected memory so that
   447  // it's not a problem if user code holds onto it beyond
   448  // the lifetime of drangefunc.)
   449  //
   450  // TODO: We could arrange for the compiler to call into the
   451  // runtime after the loop finishes normally, to do an eager
   452  // deferconvert, which would catch calling the loop body
   453  // and having it defer after the loop is done. If we have a
   454  // more general catch of loop body misuse, though, this
   455  // might not be worth worrying about in addition.
   456  //
   457  // See also ../cmd/compile/internal/rangefunc/rewrite.go.
   458  func deferrangefunc() any {
   459  	gp := getg()
   460  	if gp.m.curg != gp {
   461  		// go code on the system stack can't defer
   462  		throw("defer on system stack")
   463  	}
   464  
   465  	d := newdefer()
   466  	d.link = gp._defer
   467  	gp._defer = d
   468  	d.pc = sys.GetCallerPC()
   469  	// We must not be preempted between calling GetCallerSP and
   470  	// storing it to d.sp because GetCallerSP's result is a
   471  	// uintptr stack pointer.
   472  	d.sp = sys.GetCallerSP()
   473  
   474  	d.rangefunc = true
   475  	d.head = new(atomic.Pointer[_defer])
   476  
   477  	return d.head
   478  }
   479  
   480  // badDefer returns a fixed bad defer pointer for poisoning an atomic defer list head.
   481  func badDefer() *_defer {
   482  	return (*_defer)(unsafe.Pointer(uintptr(1)))
   483  }
   484  
   485  // deferprocat is like deferproc but adds to the atomic list represented by frame.
   486  // See the doc comment for deferrangefunc for details.
   487  func deferprocat(fn func(), frame any) {
   488  	head := frame.(*atomic.Pointer[_defer])
   489  	if raceenabled {
   490  		racewritepc(unsafe.Pointer(head), sys.GetCallerPC(), abi.FuncPCABIInternal(deferprocat))
   491  	}
   492  	d1 := newdefer()
   493  	d1.fn = fn
   494  	for {
   495  		d1.link = head.Load()
   496  		if d1.link == badDefer() {
   497  			throw("defer after range func returned")
   498  		}
   499  		if head.CompareAndSwap(d1.link, d1) {
   500  			break
   501  		}
   502  	}
   503  }
   504  
   505  // deferconvert converts the rangefunc defer list of d0 into an ordinary list
   506  // following d0.
   507  // See the doc comment for deferrangefunc for details.
   508  func deferconvert(d0 *_defer) {
   509  	head := d0.head
   510  	if raceenabled {
   511  		racereadpc(unsafe.Pointer(head), sys.GetCallerPC(), abi.FuncPCABIInternal(deferconvert))
   512  	}
   513  	tail := d0.link
   514  	d0.rangefunc = false
   515  
   516  	var d *_defer
   517  	for {
   518  		d = head.Load()
   519  		if head.CompareAndSwap(d, badDefer()) {
   520  			break
   521  		}
   522  	}
   523  	if d == nil {
   524  		return
   525  	}
   526  	for d1 := d; ; d1 = d1.link {
   527  		d1.sp = d0.sp
   528  		d1.pc = d0.pc
   529  		if d1.link == nil {
   530  			d1.link = tail
   531  			break
   532  		}
   533  	}
   534  	d0.link = d
   535  	return
   536  }
   537  
   538  // deferprocStack queues a new deferred function with a defer record on the stack.
   539  // The defer record must have its fn field initialized.
   540  // All other fields can contain junk.
   541  // Nosplit because of the uninitialized pointer fields on the stack.
   542  //
   543  //go:nosplit
   544  func deferprocStack(d *_defer) {
   545  	gp := getg()
   546  	if gp.m.curg != gp {
   547  		// go code on the system stack can't defer
   548  		throw("defer on system stack")
   549  	}
   550  
   551  	// fn is already set.
   552  	// The other fields are junk on entry to deferprocStack and
   553  	// are initialized here.
   554  	d.heap = false
   555  	d.rangefunc = false
   556  	d.sp = sys.GetCallerSP()
   557  	d.pc = sys.GetCallerPC()
   558  	// The lines below implement:
   559  	//   d.link = gp._defer
   560  	//   d.head = nil
   561  	//   gp._defer = d
   562  	// But without write barriers. The first two are writes to
   563  	// the stack so they don't need a write barrier, and furthermore
   564  	// are to uninitialized memory, so they must not use a write barrier.
   565  	// The third write does not require a write barrier because we
   566  	// explicitly mark all the defer structures, so we don't need to
   567  	// keep track of pointers to them with a write barrier.
   568  	*(*uintptr)(unsafe.Pointer(&d.link)) = uintptr(unsafe.Pointer(gp._defer))
   569  	*(*uintptr)(unsafe.Pointer(&d.head)) = 0
   570  	*(*uintptr)(unsafe.Pointer(&gp._defer)) = uintptr(unsafe.Pointer(d))
   571  }
   572  
   573  // Each P holds a pool for defers.
   574  
   575  // Allocate a Defer, usually using per-P pool.
   576  // Each defer must be released with freedefer.  The defer is not
   577  // added to any defer chain yet.
   578  func newdefer() *_defer {
   579  	var d *_defer
   580  	mp := acquirem()
   581  	pp := mp.p.ptr()
   582  	if len(pp.deferpool) == 0 && sched.deferpool != nil {
   583  		lock(&sched.deferlock)
   584  		for len(pp.deferpool) < cap(pp.deferpool)/2 && sched.deferpool != nil {
   585  			d := sched.deferpool
   586  			sched.deferpool = d.link
   587  			d.link = nil
   588  			pp.deferpool = append(pp.deferpool, d)
   589  		}
   590  		unlock(&sched.deferlock)
   591  	}
   592  	if n := len(pp.deferpool); n > 0 {
   593  		d = pp.deferpool[n-1]
   594  		pp.deferpool[n-1] = nil
   595  		pp.deferpool = pp.deferpool[:n-1]
   596  	}
   597  	releasem(mp)
   598  	mp, pp = nil, nil
   599  
   600  	if d == nil {
   601  		// Allocate new defer.
   602  		d = new(_defer)
   603  	}
   604  	d.heap = true
   605  	return d
   606  }
   607  
   608  // popDefer pops the head of gp's defer list and frees it.
   609  func popDefer(gp *g) {
   610  	d := gp._defer
   611  	d.fn = nil // Can in theory point to the stack
   612  	// We must not copy the stack between the updating gp._defer and setting
   613  	// d.link to nil. Between these two steps, d is not on any defer list, so
   614  	// stack copying won't adjust stack pointers in it (namely, d.link). Hence,
   615  	// if we were to copy the stack, d could then contain a stale pointer.
   616  	gp._defer = d.link
   617  	d.link = nil
   618  	// After this point we can copy the stack.
   619  
   620  	if !d.heap {
   621  		return
   622  	}
   623  
   624  	mp := acquirem()
   625  	pp := mp.p.ptr()
   626  	if len(pp.deferpool) == cap(pp.deferpool) {
   627  		// Transfer half of local cache to the central cache.
   628  		var first, last *_defer
   629  		for len(pp.deferpool) > cap(pp.deferpool)/2 {
   630  			n := len(pp.deferpool)
   631  			d := pp.deferpool[n-1]
   632  			pp.deferpool[n-1] = nil
   633  			pp.deferpool = pp.deferpool[:n-1]
   634  			if first == nil {
   635  				first = d
   636  			} else {
   637  				last.link = d
   638  			}
   639  			last = d
   640  		}
   641  		lock(&sched.deferlock)
   642  		last.link = sched.deferpool
   643  		sched.deferpool = first
   644  		unlock(&sched.deferlock)
   645  	}
   646  
   647  	*d = _defer{}
   648  
   649  	pp.deferpool = append(pp.deferpool, d)
   650  
   651  	releasem(mp)
   652  	mp, pp = nil, nil
   653  }
   654  
   655  // deferreturn runs deferred functions for the caller's frame.
   656  // The compiler inserts a call to this at the end of any
   657  // function which calls defer.
   658  func deferreturn() {
   659  	var p _panic
   660  	p.deferreturn = true
   661  
   662  	p.start(sys.GetCallerPC(), unsafe.Pointer(sys.GetCallerSP()))
   663  	for {
   664  		fn, ok := p.nextDefer()
   665  		if !ok {
   666  			break
   667  		}
   668  		fn()
   669  	}
   670  }
   671  
   672  // Goexit terminates the goroutine that calls it. No other goroutine is affected.
   673  // Goexit runs all deferred calls before terminating the goroutine. Because Goexit
   674  // is not a panic, any recover calls in those deferred functions will return nil.
   675  //
   676  // Calling Goexit from the main goroutine terminates that goroutine
   677  // without func main returning. Since func main has not returned,
   678  // the program continues execution of other goroutines.
   679  // If all other goroutines exit, the program crashes.
   680  //
   681  // It crashes if called from a thread not created by the Go runtime.
   682  func Goexit() {
   683  	// Create a panic object for Goexit, so we can recognize when it might be
   684  	// bypassed by a recover().
   685  	var p _panic
   686  	p.goexit = true
   687  
   688  	p.start(sys.GetCallerPC(), unsafe.Pointer(sys.GetCallerSP()))
   689  	for {
   690  		fn, ok := p.nextDefer()
   691  		if !ok {
   692  			break
   693  		}
   694  		fn()
   695  	}
   696  
   697  	goexit1()
   698  }
   699  
   700  // Call all Error and String methods before freezing the world.
   701  // Used when crashing with panicking.
   702  func preprintpanics(p *_panic) {
   703  	defer func() {
   704  		text := "panic while printing panic value"
   705  		switch r := recover().(type) {
   706  		case nil:
   707  			// nothing to do
   708  		case string:
   709  			throw(text + ": " + r)
   710  		default:
   711  			throw(text + ": type " + toRType(efaceOf(&r)._type).string())
   712  		}
   713  	}()
   714  	for p != nil {
   715  		if p.link != nil && *efaceOf(&p.link.arg) == *efaceOf(&p.arg) {
   716  			// This panic contains the same value as the next one in the chain.
   717  			// Mark it as repanicked. We will skip printing it twice in a row.
   718  			p.link.repanicked = true
   719  			p = p.link
   720  			continue
   721  		}
   722  		switch v := p.arg.(type) {
   723  		case error:
   724  			p.arg = v.Error()
   725  		case stringer:
   726  			p.arg = v.String()
   727  		}
   728  		p = p.link
   729  	}
   730  }
   731  
   732  // Print all currently active panics. Used when crashing.
   733  // Should only be called after preprintpanics.
   734  func printpanics(p *_panic) {
   735  	if p.link != nil {
   736  		printpanics(p.link)
   737  		if p.link.repanicked {
   738  			return
   739  		}
   740  		if !p.link.goexit {
   741  			print("\t")
   742  		}
   743  	}
   744  	if p.goexit {
   745  		return
   746  	}
   747  	print("panic: ")
   748  	printpanicval(p.arg)
   749  	if p.recovered && p.repanicked {
   750  		print(" [recovered, repanicked]")
   751  	} else if p.recovered {
   752  		print(" [recovered]")
   753  	}
   754  	print("\n")
   755  }
   756  
   757  // readvarintUnsafe reads the uint32 in varint format starting at fd, and returns the
   758  // uint32 and a pointer to the byte following the varint.
   759  //
   760  // The implementation is the same with runtime.readvarint, except that this function
   761  // uses unsafe.Pointer for speed.
   762  func readvarintUnsafe(fd unsafe.Pointer) (uint32, unsafe.Pointer) {
   763  	var r uint32
   764  	var shift int
   765  	for {
   766  		b := *(*uint8)(fd)
   767  		fd = add(fd, unsafe.Sizeof(b))
   768  		if b < 128 {
   769  			return r + uint32(b)<<shift, fd
   770  		}
   771  		r += uint32(b&0x7F) << (shift & 31)
   772  		shift += 7
   773  		if shift > 28 {
   774  			panic("Bad varint")
   775  		}
   776  	}
   777  }
   778  
   779  // A PanicNilError happens when code calls panic(nil).
   780  //
   781  // Before Go 1.21, programs that called panic(nil) observed recover returning nil.
   782  // Starting in Go 1.21, programs that call panic(nil) observe recover returning a *PanicNilError.
   783  // Programs can change back to the old behavior by setting GODEBUG=panicnil=1.
   784  type PanicNilError struct {
   785  	// This field makes PanicNilError structurally different from
   786  	// any other struct in this package, and the _ makes it different
   787  	// from any struct in other packages too.
   788  	// This avoids any accidental conversions being possible
   789  	// between this struct and some other struct sharing the same fields,
   790  	// like happened in go.dev/issue/56603.
   791  	_ [0]*PanicNilError
   792  }
   793  
   794  func (*PanicNilError) Error() string { return "panic called with nil argument" }
   795  func (*PanicNilError) RuntimeError() {}
   796  
   797  var panicnil = &godebugInc{name: "panicnil"}
   798  
   799  // The implementation of the predeclared function panic.
   800  // The compiler emits calls to this function.
   801  //
   802  // gopanic should be an internal detail,
   803  // but historically, widely used packages access it using linkname.
   804  //
   805  // Do not remove or change the type signature.
   806  // See go.dev/issue/67401.
   807  //
   808  //go:linkname gopanic
   809  func gopanic(e any) {
   810  	if e == nil {
   811  		if debug.panicnil.Load() != 1 {
   812  			e = new(PanicNilError)
   813  		} else {
   814  			panicnil.IncNonDefault()
   815  		}
   816  	}
   817  
   818  	gp := getg()
   819  	if gp.m.curg != gp {
   820  		print("panic: ")
   821  		printpanicval(e)
   822  		print("\n")
   823  		throw("panic on system stack")
   824  	}
   825  
   826  	if gp.m.mallocing != 0 {
   827  		print("panic: ")
   828  		printpanicval(e)
   829  		print("\n")
   830  		throw("panic during malloc")
   831  	}
   832  	if gp.m.preemptoff != "" {
   833  		print("panic: ")
   834  		printpanicval(e)
   835  		print("\n")
   836  		print("preempt off reason: ")
   837  		print(gp.m.preemptoff)
   838  		print("\n")
   839  		throw("panic during preemptoff")
   840  	}
   841  	if gp.m.locks != 0 {
   842  		print("panic: ")
   843  		printpanicval(e)
   844  		print("\n")
   845  		throw("panic holding locks")
   846  	}
   847  
   848  	var p _panic
   849  	p.arg = e
   850  
   851  	runningPanicDefers.Add(1)
   852  
   853  	p.start(sys.GetCallerPC(), unsafe.Pointer(sys.GetCallerSP()))
   854  	for {
   855  		fn, ok := p.nextDefer()
   856  		if !ok {
   857  			break
   858  		}
   859  		fn()
   860  	}
   861  
   862  	// If we're tracing, flush the current generation to make the trace more
   863  	// readable.
   864  	//
   865  	// TODO(aktau): Handle a panic from within traceAdvance more gracefully.
   866  	// Currently it would hang. Not handled now because it is very unlikely, and
   867  	// already unrecoverable.
   868  	if traceEnabled() {
   869  		traceAdvance(false)
   870  	}
   871  
   872  	// ran out of deferred calls - old-school panic now
   873  	// Because it is unsafe to call arbitrary user code after freezing
   874  	// the world, we call preprintpanics to invoke all necessary Error
   875  	// and String methods to prepare the panic strings before startpanic.
   876  	preprintpanics(&p)
   877  
   878  	fatalpanic(&p)   // should not return
   879  	*(*int)(nil) = 0 // not reached
   880  }
   881  
   882  // start initializes a panic to start unwinding the stack.
   883  //
   884  // If p.goexit is true, then start may return multiple times.
   885  func (p *_panic) start(pc uintptr, sp unsafe.Pointer) {
   886  	gp := getg()
   887  
   888  	// Record the caller's PC and SP, so recovery can identify panics
   889  	// that have been recovered. Also, so that if p is from Goexit, we
   890  	// can restart its defer processing loop if a recovered panic tries
   891  	// to jump past it.
   892  	p.startPC = sys.GetCallerPC()
   893  	p.startSP = unsafe.Pointer(sys.GetCallerSP())
   894  
   895  	if p.deferreturn {
   896  		p.sp = sp
   897  
   898  		if s := (*savedOpenDeferState)(gp.param); s != nil {
   899  			// recovery saved some state for us, so that we can resume
   900  			// calling open-coded defers without unwinding the stack.
   901  
   902  			gp.param = nil
   903  
   904  			p.retpc = s.retpc
   905  			p.deferBitsPtr = (*byte)(add(sp, s.deferBitsOffset))
   906  			p.slotsPtr = add(sp, s.slotsOffset)
   907  		}
   908  
   909  		return
   910  	}
   911  
   912  	p.link = gp._panic
   913  	gp._panic = (*_panic)(noescape(unsafe.Pointer(p)))
   914  
   915  	// Initialize state machine, and find the first frame with a defer.
   916  	//
   917  	// Note: We could use startPC and startSP here, but callers will
   918  	// never have defer statements themselves. By starting at their
   919  	// caller instead, we avoid needing to unwind through an extra
   920  	// frame. It also somewhat simplifies the terminating condition for
   921  	// deferreturn.
   922  	p.pc, p.sp = pc, sp
   923  	p.nextFrame()
   924  }
   925  
   926  // nextDefer returns the next deferred function to invoke, if any.
   927  //
   928  // Note: The "ok bool" result is necessary to correctly handle when
   929  // the deferred function itself was nil (e.g., "defer (func())(nil)").
   930  func (p *_panic) nextDefer() (func(), bool) {
   931  	gp := getg()
   932  
   933  	if !p.deferreturn {
   934  		if gp._panic != p {
   935  			throw("bad panic stack")
   936  		}
   937  
   938  		if p.recovered {
   939  			mcall(recovery) // does not return
   940  			throw("recovery failed")
   941  		}
   942  	}
   943  
   944  	for {
   945  		for p.deferBitsPtr != nil {
   946  			bits := *p.deferBitsPtr
   947  
   948  			// Check whether any open-coded defers are still pending.
   949  			//
   950  			// Note: We need to check this upfront (rather than after
   951  			// clearing the top bit) because it's possible that Goexit
   952  			// invokes a deferred call, and there were still more pending
   953  			// open-coded defers in the frame; but then the deferred call
   954  			// panic and invoked the remaining defers in the frame, before
   955  			// recovering and restarting the Goexit loop.
   956  			if bits == 0 {
   957  				p.deferBitsPtr = nil
   958  				break
   959  			}
   960  
   961  			// Find index of top bit set.
   962  			i := 7 - uintptr(sys.LeadingZeros8(bits))
   963  
   964  			// Clear bit and store it back.
   965  			bits &^= 1 << i
   966  			*p.deferBitsPtr = bits
   967  
   968  			return *(*func())(add(p.slotsPtr, i*goarch.PtrSize)), true
   969  		}
   970  
   971  	Recheck:
   972  		if d := gp._defer; d != nil && d.sp == uintptr(p.sp) {
   973  			if d.rangefunc {
   974  				deferconvert(d)
   975  				popDefer(gp)
   976  				goto Recheck
   977  			}
   978  
   979  			fn := d.fn
   980  
   981  			p.retpc = d.pc
   982  
   983  			// Unlink and free.
   984  			popDefer(gp)
   985  
   986  			return fn, true
   987  		}
   988  
   989  		if !p.nextFrame() {
   990  			return nil, false
   991  		}
   992  	}
   993  }
   994  
   995  // nextFrame finds the next frame that contains deferred calls, if any.
   996  func (p *_panic) nextFrame() (ok bool) {
   997  	if p.pc == 0 {
   998  		return false
   999  	}
  1000  
  1001  	gp := getg()
  1002  	systemstack(func() {
  1003  		var limit uintptr
  1004  		if d := gp._defer; d != nil {
  1005  			limit = d.sp
  1006  		}
  1007  
  1008  		var u unwinder
  1009  		u.initAt(p.pc, uintptr(p.sp), 0, gp, 0)
  1010  		for {
  1011  			if !u.valid() {
  1012  				p.pc = 0
  1013  				return // ok == false
  1014  			}
  1015  
  1016  			// TODO(mdempsky): If we populate u.frame.fn.deferreturn for
  1017  			// every frame containing a defer (not just open-coded defers),
  1018  			// then we can simply loop until we find the next frame where
  1019  			// it's non-zero.
  1020  
  1021  			if u.frame.sp == limit {
  1022  				break // found a frame with linked defers
  1023  			}
  1024  
  1025  			if p.initOpenCodedDefers(u.frame.fn, unsafe.Pointer(u.frame.varp)) {
  1026  				break // found a frame with open-coded defers
  1027  			}
  1028  
  1029  			if p.link != nil && uintptr(u.frame.sp) == uintptr(p.link.startSP) && uintptr(p.link.sp) > u.frame.sp {
  1030  				// Skip ahead to where the next panic up the stack was last looking
  1031  				// for defers. See issue 77062.
  1032  				//
  1033  				// The startSP condition is to check when we have walked up the stack
  1034  				// to where the next panic up the stack started. If so, the processing
  1035  				// of that panic has run all the defers up to its current scanning
  1036  				// position.
  1037  				//
  1038  				// The final condition is just to make sure that the line below
  1039  				// is actually helpful.
  1040  				u.initAt(p.link.pc, uintptr(p.link.sp), 0, gp, 0)
  1041  				continue
  1042  			}
  1043  
  1044  			u.next()
  1045  		}
  1046  
  1047  		p.pc = u.frame.pc
  1048  		p.sp = unsafe.Pointer(u.frame.sp)
  1049  		p.fp = unsafe.Pointer(u.frame.fp)
  1050  
  1051  		ok = true
  1052  	})
  1053  
  1054  	return
  1055  }
  1056  
  1057  func (p *_panic) initOpenCodedDefers(fn funcInfo, varp unsafe.Pointer) bool {
  1058  	fd := funcdata(fn, abi.FUNCDATA_OpenCodedDeferInfo)
  1059  	if fd == nil {
  1060  		return false
  1061  	}
  1062  
  1063  	if fn.deferreturn == 0 {
  1064  		throw("missing deferreturn")
  1065  	}
  1066  
  1067  	deferBitsOffset, fd := readvarintUnsafe(fd)
  1068  	deferBitsPtr := (*uint8)(add(varp, -uintptr(deferBitsOffset)))
  1069  	if *deferBitsPtr == 0 {
  1070  		return false // has open-coded defers, but none pending
  1071  	}
  1072  
  1073  	slotsOffset, fd := readvarintUnsafe(fd)
  1074  
  1075  	p.retpc = fn.entry() + uintptr(fn.deferreturn)
  1076  	p.deferBitsPtr = deferBitsPtr
  1077  	p.slotsPtr = add(varp, -uintptr(slotsOffset))
  1078  
  1079  	return true
  1080  }
  1081  
  1082  // The implementation of the predeclared function recover.
  1083  func gorecover() any {
  1084  	gp := getg()
  1085  	p := gp._panic
  1086  	if p == nil || p.goexit || p.recovered {
  1087  		return nil
  1088  	}
  1089  
  1090  	// Check to see if the function that called recover() was
  1091  	// deferred directly from the panicking function.
  1092  	// For code like:
  1093  	//     func foo() {
  1094  	//         defer bar()
  1095  	//         panic("panic")
  1096  	//     }
  1097  	//     func bar() {
  1098  	//         recover()
  1099  	//     }
  1100  	// Normally the stack would look like this:
  1101  	//     foo
  1102  	//     runtime.gopanic
  1103  	//     bar
  1104  	//     runtime.gorecover
  1105  	//
  1106  	// However, if the function we deferred requires a wrapper
  1107  	// of some sort, we need to ignore the wrapper. In that case,
  1108  	// the stack looks like:
  1109  	//     foo
  1110  	//     runtime.gopanic
  1111  	//     wrapper
  1112  	//     bar
  1113  	//     runtime.gorecover
  1114  	// And we should also successfully recover.
  1115  	//
  1116  	// Finally, in the weird case "defer recover()", the stack looks like:
  1117  	//     foo
  1118  	//     runtime.gopanic
  1119  	//     wrapper
  1120  	//     runtime.gorecover
  1121  	// And we should not recover in that case.
  1122  	//
  1123  	// So our criteria is, there must be exactly one non-wrapper
  1124  	// frame between gopanic and gorecover.
  1125  	//
  1126  	// We don't recover this:
  1127  	//     defer func() { func() { recover() }() }()
  1128  	// because there are 2 non-wrapper frames.
  1129  	//
  1130  	// We don't recover this:
  1131  	//     defer recover()
  1132  	// because there are 0 non-wrapper frames.
  1133  	canRecover := false
  1134  	systemstack(func() {
  1135  		var u unwinder
  1136  		u.init(gp, 0)
  1137  		u.next() // skip systemstack_switch
  1138  		u.next() // skip gorecover
  1139  		nonWrapperFrames := 0
  1140  	loop:
  1141  		for ; u.valid(); u.next() {
  1142  			for iu, f := newInlineUnwinder(u.frame.fn, u.symPC()); f.valid(); f = iu.next(f) {
  1143  				sf := iu.srcFunc(f)
  1144  				switch sf.funcID {
  1145  				case abi.FuncIDWrapper:
  1146  					continue
  1147  				case abi.FuncID_gopanic:
  1148  					if u.frame.sp == uintptr(p.startSP) && nonWrapperFrames > 0 {
  1149  						canRecover = true
  1150  					}
  1151  					break loop
  1152  				default:
  1153  					nonWrapperFrames++
  1154  					if nonWrapperFrames > 1 {
  1155  						break loop
  1156  					}
  1157  				}
  1158  			}
  1159  		}
  1160  	})
  1161  	if !canRecover {
  1162  		return nil
  1163  	}
  1164  	p.recovered = true
  1165  	return p.arg
  1166  }
  1167  
  1168  //go:linkname sync_throw sync.throw
  1169  func sync_throw(s string) {
  1170  	throw(s)
  1171  }
  1172  
  1173  //go:linkname sync_fatal sync.fatal
  1174  func sync_fatal(s string) {
  1175  	fatal(s)
  1176  }
  1177  
  1178  //go:linkname rand_fatal crypto/rand.fatal
  1179  func rand_fatal(s string) {
  1180  	fatal(s)
  1181  }
  1182  
  1183  //go:linkname sysrand_fatal crypto/internal/sysrand.fatal
  1184  func sysrand_fatal(s string) {
  1185  	fatal(s)
  1186  }
  1187  
  1188  //go:linkname fips_fatal crypto/internal/fips140.fatal
  1189  func fips_fatal(s string) {
  1190  	fatal(s)
  1191  }
  1192  
  1193  //go:linkname maps_fatal internal/runtime/maps.fatal
  1194  func maps_fatal(s string) {
  1195  	fatal(s)
  1196  }
  1197  
  1198  //go:linkname internal_sync_throw internal/sync.throw
  1199  func internal_sync_throw(s string) {
  1200  	throw(s)
  1201  }
  1202  
  1203  //go:linkname internal_sync_fatal internal/sync.fatal
  1204  func internal_sync_fatal(s string) {
  1205  	fatal(s)
  1206  }
  1207  
  1208  //go:linkname cgroup_throw internal/runtime/cgroup.throw
  1209  func cgroup_throw(s string) {
  1210  	throw(s)
  1211  }
  1212  
  1213  // throw triggers a fatal error that dumps a stack trace and exits.
  1214  //
  1215  // throw should be used for runtime-internal fatal errors where Go itself,
  1216  // rather than user code, may be at fault for the failure.
  1217  //
  1218  // throw should be an internal detail,
  1219  // but widely used packages access it using linkname.
  1220  // Notable members of the hall of shame include:
  1221  //   - github.com/bytedance/sonic
  1222  //   - github.com/cockroachdb/pebble
  1223  //   - github.com/dgraph-io/ristretto
  1224  //   - github.com/outcaste-io/ristretto
  1225  //   - github.com/pingcap/br
  1226  //   - gvisor.dev/gvisor
  1227  //   - github.com/sagernet/gvisor
  1228  //
  1229  // Do not remove or change the type signature.
  1230  // See go.dev/issue/67401.
  1231  //
  1232  //go:linkname throw
  1233  //go:nosplit
  1234  func throw(s string) {
  1235  	// Everything throw does should be recursively nosplit so it
  1236  	// can be called even when it's unsafe to grow the stack.
  1237  	systemstack(func() {
  1238  		print("fatal error: ")
  1239  		printindented(s) // logically printpanicval(s), but avoids convTstring write barrier
  1240  		print("\n")
  1241  	})
  1242  
  1243  	fatalthrow(throwTypeRuntime)
  1244  }
  1245  
  1246  // fatal triggers a fatal error that dumps a stack trace and exits.
  1247  //
  1248  // fatal is equivalent to throw, but is used when user code is expected to be
  1249  // at fault for the failure, such as racing map writes.
  1250  //
  1251  // fatal does not include runtime frames, system goroutines, or frame metadata
  1252  // (fp, sp, pc) in the stack trace unless GOTRACEBACK=system or higher.
  1253  //
  1254  //go:nosplit
  1255  func fatal(s string) {
  1256  	p := getg()._panic
  1257  	// Everything fatal does should be recursively nosplit so it
  1258  	// can be called even when it's unsafe to grow the stack.
  1259  	printlock() // Prevent multiple interleaved fatal reports. See issue 69447.
  1260  	systemstack(func() {
  1261  		printPreFatalDeferPanic(p)
  1262  		print("fatal error: ")
  1263  		printindented(s) // logically printpanicval(s), but avoids convTstring write barrier
  1264  		print("\n")
  1265  	})
  1266  
  1267  	fatalthrow(throwTypeUser)
  1268  	printunlock()
  1269  }
  1270  
  1271  // printPreFatalDeferPanic prints the panic
  1272  // when fatal occurs in panics while running defer.
  1273  func printPreFatalDeferPanic(p *_panic) {
  1274  	// Don`t call preprintpanics, because
  1275  	// don't want to call String/Error on the panicked values.
  1276  	// When we fatal we really want to just print and exit,
  1277  	// no more executing user Go code.
  1278  	for x := p; x != nil; x = x.link {
  1279  		if x.link != nil && *efaceOf(&x.link.arg) == *efaceOf(&x.arg) {
  1280  			// This panic contains the same value as the next one in the chain.
  1281  			// Mark it as repanicked. We will skip printing it twice in a row.
  1282  			x.link.repanicked = true
  1283  		}
  1284  	}
  1285  	if p != nil {
  1286  		printpanics(p)
  1287  		// make fatal have the same indentation as non-first panics.
  1288  		print("\t")
  1289  	}
  1290  }
  1291  
  1292  // runningPanicDefers is non-zero while running deferred functions for panic.
  1293  // This is used to try hard to get a panic stack trace out when exiting.
  1294  var runningPanicDefers atomic.Uint32
  1295  
  1296  // panicking is non-zero when crashing the program for an unrecovered panic.
  1297  var panicking atomic.Uint32
  1298  
  1299  // paniclk is held while printing the panic information and stack trace,
  1300  // so that two concurrent panics don't overlap their output.
  1301  var paniclk mutex
  1302  
  1303  // Unwind the stack after a deferred function calls recover
  1304  // after a panic. Then arrange to continue running as though
  1305  // the caller of the deferred function returned normally.
  1306  //
  1307  // However, if unwinding the stack would skip over a Goexit call, we
  1308  // return into the Goexit loop instead, so it can continue processing
  1309  // defers instead.
  1310  func recovery(gp *g) {
  1311  	p := gp._panic
  1312  	pc, sp, fp := p.retpc, uintptr(p.sp), uintptr(p.fp)
  1313  	p0, saveOpenDeferState := p, p.deferBitsPtr != nil && *p.deferBitsPtr != 0
  1314  
  1315  	// The linker records the f-relative address of a call to deferreturn in f's funcInfo.
  1316  	// Assuming a "normal" call to recover() inside one of f's deferred functions
  1317  	// invoked for a panic, that is the desired PC for exiting f.
  1318  	f := findfunc(pc)
  1319  	if f.deferreturn == 0 {
  1320  		throw("no deferreturn")
  1321  	}
  1322  	gotoPc := f.entry() + uintptr(f.deferreturn)
  1323  
  1324  	// Unwind the panic stack.
  1325  	for ; p != nil && uintptr(p.startSP) < sp; p = p.link {
  1326  		// Don't allow jumping past a pending Goexit.
  1327  		// Instead, have its _panic.start() call return again.
  1328  		//
  1329  		// TODO(mdempsky): In this case, Goexit will resume walking the
  1330  		// stack where it left off, which means it will need to rewalk
  1331  		// frames that we've already processed.
  1332  		//
  1333  		// There's a similar issue with nested panics, when the inner
  1334  		// panic supersedes the outer panic. Again, we end up needing to
  1335  		// walk the same stack frames.
  1336  		//
  1337  		// These are probably pretty rare occurrences in practice, and
  1338  		// they don't seem any worse than the existing logic. But if we
  1339  		// move the unwinding state into _panic, we could detect when we
  1340  		// run into where the last panic started, and then just pick up
  1341  		// where it left off instead.
  1342  		//
  1343  		// With how subtle defer handling is, this might not actually be
  1344  		// worthwhile though.
  1345  		if p.goexit {
  1346  			gotoPc, sp = p.startPC, uintptr(p.startSP)
  1347  			saveOpenDeferState = false // goexit is unwinding the stack anyway
  1348  			break
  1349  		}
  1350  
  1351  		runningPanicDefers.Add(-1)
  1352  	}
  1353  	gp._panic = p
  1354  
  1355  	if p == nil { // must be done with signal
  1356  		gp.sig = 0
  1357  	}
  1358  
  1359  	if gp.param != nil {
  1360  		throw("unexpected gp.param")
  1361  	}
  1362  	if saveOpenDeferState {
  1363  		// If we're returning to deferreturn and there are more open-coded
  1364  		// defers for it to call, save enough state for it to be able to
  1365  		// pick up where p0 left off.
  1366  		gp.param = unsafe.Pointer(&savedOpenDeferState{
  1367  			retpc: p0.retpc,
  1368  
  1369  			// We need to save deferBitsPtr and slotsPtr too, but those are
  1370  			// stack pointers. To avoid issues around heap objects pointing
  1371  			// to the stack, save them as offsets from SP.
  1372  			deferBitsOffset: uintptr(unsafe.Pointer(p0.deferBitsPtr)) - uintptr(p0.sp),
  1373  			slotsOffset:     uintptr(p0.slotsPtr) - uintptr(p0.sp),
  1374  		})
  1375  	}
  1376  
  1377  	// TODO(mdempsky): Currently, we rely on frames containing "defer"
  1378  	// to end with "CALL deferreturn; RET". This allows deferreturn to
  1379  	// finish running any pending defers in the frame.
  1380  	//
  1381  	// But we should be able to tell whether there are still pending
  1382  	// defers here. If there aren't, we can just jump directly to the
  1383  	// "RET" instruction. And if there are, we don't need an actual
  1384  	// "CALL deferreturn" instruction; we can simulate it with something
  1385  	// like:
  1386  	//
  1387  	//	if usesLR {
  1388  	//		lr = pc
  1389  	//	} else {
  1390  	//		sp -= sizeof(pc)
  1391  	//		*(*uintptr)(sp) = pc
  1392  	//	}
  1393  	//	pc = funcPC(deferreturn)
  1394  	//
  1395  	// So that we effectively tail call into deferreturn, such that it
  1396  	// then returns to the simple "RET" epilogue. That would save the
  1397  	// overhead of the "deferreturn" call when there aren't actually any
  1398  	// pending defers left, and shrink the TEXT size of compiled
  1399  	// binaries. (Admittedly, both of these are modest savings.)
  1400  
  1401  	// Ensure we're recovering within the appropriate stack.
  1402  	if sp != 0 && (sp < gp.stack.lo || gp.stack.hi < sp) {
  1403  		print("recover: ", hex(sp), " not in [", hex(gp.stack.lo), ", ", hex(gp.stack.hi), "]\n")
  1404  		throw("bad recovery")
  1405  	}
  1406  
  1407  	// branch directly to the deferreturn
  1408  	gp.sched.sp = sp
  1409  	gp.sched.pc = gotoPc
  1410  	gp.sched.lr = 0
  1411  	// Restore the bp on platforms that support frame pointers.
  1412  	// N.B. It's fine to not set anything for platforms that don't
  1413  	// support frame pointers, since nothing consumes them.
  1414  	switch {
  1415  	case goarch.IsAmd64 != 0:
  1416  		// on x86, fp actually points one word higher than the top of
  1417  		// the frame since the return address is saved on the stack by
  1418  		// the caller
  1419  		gp.sched.bp = fp - 2*goarch.PtrSize
  1420  	case goarch.IsArm64 != 0:
  1421  		// on arm64, the architectural bp points one word higher
  1422  		// than the sp. fp is totally useless to us here, because it
  1423  		// only gets us to the caller's fp.
  1424  		gp.sched.bp = sp - goarch.PtrSize
  1425  	}
  1426  	gogo(&gp.sched)
  1427  }
  1428  
  1429  // fatalthrow implements an unrecoverable runtime throw. It freezes the
  1430  // system, prints stack traces starting from its caller, and terminates the
  1431  // process.
  1432  //
  1433  //go:nosplit
  1434  func fatalthrow(t throwType) {
  1435  	pc := sys.GetCallerPC()
  1436  	sp := sys.GetCallerSP()
  1437  	gp := getg()
  1438  
  1439  	if gp.m.throwing == throwTypeNone {
  1440  		gp.m.throwing = t
  1441  	}
  1442  
  1443  	// Switch to the system stack to avoid any stack growth, which may make
  1444  	// things worse if the runtime is in a bad state.
  1445  	systemstack(func() {
  1446  		if isSecureMode() {
  1447  			exit(2)
  1448  		}
  1449  
  1450  		startpanic_m()
  1451  
  1452  		if dopanic_m(gp, pc, sp, nil) {
  1453  			// crash uses a decent amount of nosplit stack and we're already
  1454  			// low on stack in throw, so crash on the system stack (unlike
  1455  			// fatalpanic).
  1456  			crash()
  1457  		}
  1458  
  1459  		exit(2)
  1460  	})
  1461  
  1462  	*(*int)(nil) = 0 // not reached
  1463  }
  1464  
  1465  // fatalpanic implements an unrecoverable panic. It is like fatalthrow, except
  1466  // that if msgs != nil, fatalpanic also prints panic messages and decrements
  1467  // runningPanicDefers once main is blocked from exiting.
  1468  //
  1469  //go:nosplit
  1470  func fatalpanic(msgs *_panic) {
  1471  	pc := sys.GetCallerPC()
  1472  	sp := sys.GetCallerSP()
  1473  	gp := getg()
  1474  	var docrash bool
  1475  	// Switch to the system stack to avoid any stack growth, which
  1476  	// may make things worse if the runtime is in a bad state.
  1477  	systemstack(func() {
  1478  		if startpanic_m() && msgs != nil {
  1479  			// There were panic messages and startpanic_m
  1480  			// says it's okay to try to print them.
  1481  
  1482  			// startpanic_m set panicking, which will
  1483  			// block main from exiting, so now OK to
  1484  			// decrement runningPanicDefers.
  1485  			runningPanicDefers.Add(-1)
  1486  
  1487  			printpanics(msgs)
  1488  		}
  1489  
  1490  		// If this panic is the result of a synctest bubble deadlock,
  1491  		// print stacks for the goroutines in the bubble.
  1492  		var bubble *synctestBubble
  1493  		if de, ok := msgs.arg.(synctestDeadlockError); ok {
  1494  			bubble = de.bubble
  1495  		}
  1496  
  1497  		docrash = dopanic_m(gp, pc, sp, bubble)
  1498  	})
  1499  
  1500  	if docrash {
  1501  		// By crashing outside the above systemstack call, debuggers
  1502  		// will not be confused when generating a backtrace.
  1503  		// Function crash is marked nosplit to avoid stack growth.
  1504  		crash()
  1505  	}
  1506  
  1507  	systemstack(func() {
  1508  		exit(2)
  1509  	})
  1510  
  1511  	*(*int)(nil) = 0 // not reached
  1512  }
  1513  
  1514  // startpanic_m prepares for an unrecoverable panic.
  1515  //
  1516  // It returns true if panic messages should be printed, or false if
  1517  // the runtime is in bad shape and should just print stacks.
  1518  //
  1519  // It must not have write barriers even though the write barrier
  1520  // explicitly ignores writes once dying > 0. Write barriers still
  1521  // assume that g.m.p != nil, and this function may not have P
  1522  // in some contexts (e.g. a panic in a signal handler for a signal
  1523  // sent to an M with no P).
  1524  //
  1525  //go:nowritebarrierrec
  1526  func startpanic_m() bool {
  1527  	gp := getg()
  1528  	if mheap_.cachealloc.size == 0 { // very early
  1529  		print("runtime: panic before malloc heap initialized\n")
  1530  	}
  1531  	// Disallow malloc during an unrecoverable panic. A panic
  1532  	// could happen in a signal handler, or in a throw, or inside
  1533  	// malloc itself. We want to catch if an allocation ever does
  1534  	// happen (even if we're not in one of these situations).
  1535  	gp.m.mallocing++
  1536  
  1537  	// If we're dying because of a bad lock count, set it to a
  1538  	// good lock count so we don't recursively panic below.
  1539  	if gp.m.locks < 0 {
  1540  		gp.m.locks = 1
  1541  	}
  1542  
  1543  	switch gp.m.dying {
  1544  	case 0:
  1545  		// Setting dying >0 has the side-effect of disabling this G's writebuf.
  1546  		gp.m.dying = 1
  1547  		panicking.Add(1)
  1548  		lock(&paniclk)
  1549  		if debug.schedtrace > 0 || debug.scheddetail > 0 {
  1550  			schedtrace(true)
  1551  		}
  1552  		freezetheworld()
  1553  		return true
  1554  	case 1:
  1555  		// Something failed while panicking.
  1556  		// Just print a stack trace and exit.
  1557  		gp.m.dying = 2
  1558  		print("panic during panic\n")
  1559  		return false
  1560  	case 2:
  1561  		// This is a genuine bug in the runtime, we couldn't even
  1562  		// print the stack trace successfully.
  1563  		gp.m.dying = 3
  1564  		print("stack trace unavailable\n")
  1565  		exit(4)
  1566  		fallthrough
  1567  	default:
  1568  		// Can't even print! Just exit.
  1569  		exit(5)
  1570  		return false // Need to return something.
  1571  	}
  1572  }
  1573  
  1574  var didothers bool
  1575  var deadlock mutex
  1576  
  1577  // gp is the crashing g running on this M, but may be a user G, while getg() is
  1578  // always g0.
  1579  // If bubble is non-nil, print the stacks for goroutines in this group as well.
  1580  func dopanic_m(gp *g, pc, sp uintptr, bubble *synctestBubble) bool {
  1581  	if gp.sig != 0 {
  1582  		signame := signame(gp.sig)
  1583  		if signame != "" {
  1584  			print("[signal ", signame)
  1585  		} else {
  1586  			print("[signal ", hex(gp.sig))
  1587  		}
  1588  		print(" code=", hex(gp.sigcode0), " addr=", hex(gp.sigcode1), " pc=", hex(gp.sigpc), "]\n")
  1589  	}
  1590  
  1591  	level, all, docrash := gotraceback()
  1592  	if level > 0 {
  1593  		if gp != gp.m.curg {
  1594  			all = true
  1595  		}
  1596  		if gp != gp.m.g0 {
  1597  			print("\n")
  1598  			goroutineheader(gp)
  1599  			traceback(pc, sp, 0, gp)
  1600  		} else if level >= 2 || gp.m.throwing >= throwTypeRuntime {
  1601  			print("\nruntime stack:\n")
  1602  			traceback(pc, sp, 0, gp)
  1603  		}
  1604  		if !didothers {
  1605  			if all {
  1606  				didothers = true
  1607  				tracebackothers(gp)
  1608  			} else if bubble != nil {
  1609  				// This panic is caused by a synctest bubble deadlock.
  1610  				// Print stacks for goroutines in the deadlocked bubble.
  1611  				tracebacksomeothers(gp, func(other *g) bool {
  1612  					return bubble == other.bubble
  1613  				})
  1614  			}
  1615  		}
  1616  
  1617  	}
  1618  	unlock(&paniclk)
  1619  
  1620  	if panicking.Add(-1) != 0 {
  1621  		// Some other m is panicking too.
  1622  		// Let it print what it needs to print.
  1623  		// Wait forever without chewing up cpu.
  1624  		// It will exit when it's done.
  1625  		lock(&deadlock)
  1626  		lock(&deadlock)
  1627  	}
  1628  
  1629  	printDebugLog()
  1630  
  1631  	return docrash
  1632  }
  1633  
  1634  // canpanic returns false if a signal should throw instead of
  1635  // panicking.
  1636  //
  1637  //go:nosplit
  1638  func canpanic() bool {
  1639  	gp := getg()
  1640  	mp := acquirem()
  1641  
  1642  	// Is it okay for gp to panic instead of crashing the program?
  1643  	// Yes, as long as it is running Go code, not runtime code,
  1644  	// and not stuck in a system call.
  1645  	if gp != mp.curg {
  1646  		releasem(mp)
  1647  		return false
  1648  	}
  1649  	// N.B. mp.locks != 1 instead of 0 to account for acquirem.
  1650  	if mp.locks != 1 || mp.mallocing != 0 || mp.throwing != throwTypeNone || mp.preemptoff != "" || mp.dying != 0 {
  1651  		releasem(mp)
  1652  		return false
  1653  	}
  1654  	status := readgstatus(gp)
  1655  	if status&^_Gscan != _Grunning || gp.syscallsp != 0 {
  1656  		releasem(mp)
  1657  		return false
  1658  	}
  1659  	if GOOS == "windows" && mp.libcallsp != 0 {
  1660  		releasem(mp)
  1661  		return false
  1662  	}
  1663  	releasem(mp)
  1664  	return true
  1665  }
  1666  
  1667  // shouldPushSigpanic reports whether pc should be used as sigpanic's
  1668  // return PC (pushing a frame for the call). Otherwise, it should be
  1669  // left alone so that LR is used as sigpanic's return PC, effectively
  1670  // replacing the top-most frame with sigpanic. This is used by
  1671  // preparePanic.
  1672  func shouldPushSigpanic(gp *g, pc, lr uintptr) bool {
  1673  	if pc == 0 {
  1674  		// Probably a call to a nil func. The old LR is more
  1675  		// useful in the stack trace. Not pushing the frame
  1676  		// will make the trace look like a call to sigpanic
  1677  		// instead. (Otherwise the trace will end at sigpanic
  1678  		// and we won't get to see who faulted.)
  1679  		return false
  1680  	}
  1681  	// If we don't recognize the PC as code, but we do recognize
  1682  	// the link register as code, then this assumes the panic was
  1683  	// caused by a call to non-code. In this case, we want to
  1684  	// ignore this call to make unwinding show the context.
  1685  	//
  1686  	// If we running C code, we're not going to recognize pc as a
  1687  	// Go function, so just assume it's good. Otherwise, traceback
  1688  	// may try to read a stale LR that looks like a Go code
  1689  	// pointer and wander into the woods.
  1690  	if gp.m.incgo || findfunc(pc).valid() {
  1691  		// This wasn't a bad call, so use PC as sigpanic's
  1692  		// return PC.
  1693  		return true
  1694  	}
  1695  	if findfunc(lr).valid() {
  1696  		// This was a bad call, but the LR is good, so use the
  1697  		// LR as sigpanic's return PC.
  1698  		return false
  1699  	}
  1700  	// Neither the PC or LR is good. Hopefully pushing a frame
  1701  	// will work.
  1702  	return true
  1703  }
  1704  
  1705  // isAbortPC reports whether pc is the program counter at which
  1706  // runtime.abort raises a signal.
  1707  //
  1708  // It is nosplit because it's part of the isgoexception
  1709  // implementation.
  1710  //
  1711  //go:nosplit
  1712  func isAbortPC(pc uintptr) bool {
  1713  	f := findfunc(pc)
  1714  	if !f.valid() {
  1715  		return false
  1716  	}
  1717  	return f.funcID == abi.FuncID_abort
  1718  }
  1719  
  1720  // For debugging only.
  1721  //go:noinline
  1722  //go:nosplit
  1723  func dumpPanicDeferState(where string, gp *g) {
  1724  	systemstack(func() {
  1725  		println("DUMPPANICDEFERSTATE", where)
  1726  		p := gp._panic
  1727  		d := gp._defer
  1728  		var u unwinder
  1729  		for u.init(gp, 0); u.valid(); u.next() {
  1730  			// Print frame.
  1731  			println("  frame sp=", hex(u.frame.sp), "fp=", hex(u.frame.fp), "pc=", pcName(u.frame.pc), "+", pcOff(u.frame.pc))
  1732  			// Print panic.
  1733  			for p != nil && uintptr(p.sp) == u.frame.sp {
  1734  				println("    panic", p, "sp=", p.sp, "fp=", p.fp, "arg=", p.arg, "recovered=", p.recovered, "pc=", pcName(p.pc), "+", pcOff(p.pc), "retpc=", pcName(p.retpc), "+", pcOff(p.retpc), "startsp=", p.startSP, "startPC=", hex(p.startPC), pcName(p.startPC), "+", pcOff(p.startPC))
  1735  				p = p.link
  1736  			}
  1737  
  1738  			// Print linked defers.
  1739  			for d != nil && d.sp == u.frame.sp {
  1740  				println("    defer(link)", "heap=", d.heap, "rangefunc=", d.rangefunc, fnName(d.fn))
  1741  				d = d.link
  1742  			}
  1743  
  1744  			// Print open-coded defers.
  1745  			// (A function is all linked or all open-coded, so we don't
  1746  			// need to interleave this loop with the one above.)
  1747  			fd := funcdata(u.frame.fn, abi.FUNCDATA_OpenCodedDeferInfo)
  1748  			if fd != nil {
  1749  				deferBitsOffset, fd := readvarintUnsafe(fd)
  1750  				m := *(*uint8)(unsafe.Pointer(u.frame.varp - uintptr(deferBitsOffset)))
  1751  				slotsOffset, fd := readvarintUnsafe(fd)
  1752  				slots := u.frame.varp - uintptr(slotsOffset)
  1753  				for i := 7; i >= 0; i-- {
  1754  					if m>>i&1 == 0 {
  1755  						continue
  1756  					}
  1757  					fn := *(*func())(unsafe.Pointer(slots + uintptr(i)*goarch.PtrSize))
  1758  					println("    defer(open)", fnName(fn))
  1759  				}
  1760  			}
  1761  
  1762  		}
  1763  		if p != nil {
  1764  			println("  REMAINING PANICS!", p)
  1765  		}
  1766  		if d != nil {
  1767  			println("  REMAINING DEFERS!")
  1768  		}
  1769  	})
  1770  }
  1771  
  1772  func pcName(pc uintptr) string {
  1773  	fn := findfunc(pc)
  1774  	if !fn.valid() {
  1775  		return "<unk>"
  1776  	}
  1777  	return funcname(fn)
  1778  }
  1779  func pcOff(pc uintptr) hex {
  1780  	fn := findfunc(pc)
  1781  	if !fn.valid() {
  1782  		return 0
  1783  	}
  1784  	return hex(pc - fn.entry())
  1785  }
  1786  func fnName(fn func()) string {
  1787  	return pcName(**(**uintptr)(unsafe.Pointer(&fn)))
  1788  }
  1789
View as plain text