runtime: restore caller's frame pointer when recovering from panic

When recovering from a panic, restore the caller's frame pointer before
returning control to the caller. Otherwise, if the function proceeds to
run more deferred calls before returning, the deferred functions will
get invalid frame pointers pointing to an address lower in the stack.
This can cause frame pointer unwinding to crash, such as if an execution
trace event is recorded during the deferred call on architectures which
support frame pointer unwinding.

Fixes #61766

Change-Id: I45f41aedcc397133560164ab520ca638bbd93c4e
Reviewed-on: https://go-review.googlesource.com/c/go/+/516157
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Felix Geisendörfer <felix.geisendoerfer@datadoghq.com>

1 files changed, 11 insertions, 1 deletions

diff --git a/src/runtime/panic.go b/src/runtime/panic.go
index 5b7f35a0a5..59241143d0 100644
--- a/src/runtime/panic.go
+++ b/src/runtime/panic.go
@@ -898,7 +898,7 @@ var paniclk mutex
 // defers instead.
 func recovery(gp *g) {
 	p := gp._panic
-	pc, sp := p.retpc, uintptr(p.sp)
+	pc, sp, fp := p.retpc, uintptr(p.sp), uintptr(p.fp)
 	p0, saveOpenDeferState := p, p.deferBitsPtr != nil && *p.deferBitsPtr != 0
 
 	// Unwind the panic stack.
@@ -990,6 +990,16 @@ func recovery(gp *g) {
 	gp.sched.sp = sp
 	gp.sched.pc = pc
 	gp.sched.lr = 0
+	// fp points to the stack pointer at the caller, which is the top of the
+	// stack frame. The frame pointer used for unwinding is the word
+	// immediately below it.
+	gp.sched.bp = fp - goarch.PtrSize
+	if !usesLR {
+		// on x86, fp actually points one word higher than the top of
+		// the frame since the return address is saved on the stack by
+		// the caller
+		gp.sched.bp -= goarch.PtrSize
+	}
 	gp.sched.ret = 1
 	gogo(&gp.sched)
 }