runtime: make entersyscall/exitsyscall safe for stack splits

It is fundamentally unsafe to grow the stack once someone
has made a call to syscall.Syscall. That function takes 6 uintptr
arguments, but depending on the call some are pointers.
In fact, some might be pointers to stack values, and we don't know which.
That makes it impossible to copy the stack somewhere else.
Since we want to delete all the stack splitting code, relying only
on stack copying, make sure that Syscall never needs to split the stack.

The only thing Syscall does is:
        call entersyscall
        make the system call
        call exitsyscall

As long as we make sure that entersyscall and exitsyscall
can live in the nosplit region, they won't ask for more stack.

Do this by making entersyscall and exitsyscall set up the
stack guard so that any call to a function with a split check
will cause a crash. Then move non-essential slow-path
work onto the m stack using onM and mark the rest of the
work nosplit. The linker will verify that the chain of nosplits
fits in the total nosplit budget.

LGTM=iant
R=golang-codereviews, iant
CC=dvyukov, golang-codereviews, khr, r
https://golang.org/cl/140950043

1 files changed, 2 insertions, 0 deletions

diff --git a/src/pkg/runtime/stack.c b/src/pkg/runtime/stack.c
index 6a57ab08cf..8456f79369 100644
--- a/src/pkg/runtime/stack.c
+++ b/src/pkg/runtime/stack.c
@@ -876,6 +876,8 @@ runtime·newstack(void)
 			g->m->morebuf.g, g->m, g->m->curg, g->m->g0, g->m->gsignal);
 		runtime·throw("runtime: wrong goroutine in newstack");
 	}
+	if(g->throwsplit)
+		runtime·throw("runtime: stack split at bad time");
 
 	// The goroutine must be executing in order to call newstack, so the possible states are
 	// Grunning and Gsyscall (and, due to GC, also Gscanrunning and Gscansyscall).