1// Copyright 2009 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package runtime
6
7import (
8	"internal/abi"
9	"internal/goarch"
10	"internal/runtime/atomic"
11	"internal/runtime/syscall"
12	"unsafe"
13)
14
15// sigPerThreadSyscall is the same signal (SIGSETXID) used by glibc for
16// per-thread syscalls on Linux. We use it for the same purpose in non-cgo
17// binaries.
18const sigPerThreadSyscall = _SIGRTMIN + 1
19
20type mOS struct {
21	// profileTimer holds the ID of the POSIX interval timer for profiling CPU
22	// usage on this thread.
23	//
24	// It is valid when the profileTimerValid field is true. A thread
25	// creates and manages its own timer, and these fields are read and written
26	// only by this thread. But because some of the reads on profileTimerValid
27	// are in signal handling code, this field should be atomic type.
28	profileTimer      int32
29	profileTimerValid atomic.Bool
30
31	// needPerThreadSyscall indicates that a per-thread syscall is required
32	// for doAllThreadsSyscall.
33	needPerThreadSyscall atomic.Uint8
34}
35
36//go:noescape
37func futex(addr unsafe.Pointer, op int32, val uint32, ts, addr2 unsafe.Pointer, val3 uint32) int32
38
39// Linux futex.
40//
41//	futexsleep(uint32 *addr, uint32 val)
42//	futexwakeup(uint32 *addr)
43//
44// Futexsleep atomically checks if *addr == val and if so, sleeps on addr.
45// Futexwakeup wakes up threads sleeping on addr.
46// Futexsleep is allowed to wake up spuriously.
47
48const (
49	_FUTEX_PRIVATE_FLAG = 128
50	_FUTEX_WAIT_PRIVATE = 0 | _FUTEX_PRIVATE_FLAG
51	_FUTEX_WAKE_PRIVATE = 1 | _FUTEX_PRIVATE_FLAG
52)
53
54// Atomically,
55//
56//	if(*addr == val) sleep
57//
58// Might be woken up spuriously; that's allowed.
59// Don't sleep longer than ns; ns < 0 means forever.
60//
61//go:nosplit
62func futexsleep(addr *uint32, val uint32, ns int64) {
63	// Some Linux kernels have a bug where futex of
64	// FUTEX_WAIT returns an internal error code
65	// as an errno. Libpthread ignores the return value
66	// here, and so can we: as it says a few lines up,
67	// spurious wakeups are allowed.
68	if ns < 0 {
69		futex(unsafe.Pointer(addr), _FUTEX_WAIT_PRIVATE, val, nil, nil, 0)
70		return
71	}
72
73	var ts timespec
74	ts.setNsec(ns)
75	futex(unsafe.Pointer(addr), _FUTEX_WAIT_PRIVATE, val, unsafe.Pointer(&ts), nil, 0)
76}
77
78// If any procs are sleeping on addr, wake up at most cnt.
79//
80//go:nosplit
81func futexwakeup(addr *uint32, cnt uint32) {
82	ret := futex(unsafe.Pointer(addr), _FUTEX_WAKE_PRIVATE, cnt, nil, nil, 0)
83	if ret >= 0 {
84		return
85	}
86
87	// I don't know that futex wakeup can return
88	// EAGAIN or EINTR, but if it does, it would be
89	// safe to loop and call futex again.
90	systemstack(func() {
91		print("futexwakeup addr=", addr, " returned ", ret, "\n")
92	})
93
94	*(*int32)(unsafe.Pointer(uintptr(0x1006))) = 0x1006
95}
96
97func getproccount() int32 {
98	// This buffer is huge (8 kB) but we are on the system stack
99	// and there should be plenty of space (64 kB).
100	// Also this is a leaf, so we're not holding up the memory for long.
101	// See golang.org/issue/11823.
102	// The suggested behavior here is to keep trying with ever-larger
103	// buffers, but we don't have a dynamic memory allocator at the
104	// moment, so that's a bit tricky and seems like overkill.
105	const maxCPUs = 64 * 1024
106	var buf [maxCPUs / 8]byte
107	r := sched_getaffinity(0, unsafe.Sizeof(buf), &buf[0])
108	if r < 0 {
109		return 1
110	}
111	n := int32(0)
112	for _, v := range buf[:r] {
113		for v != 0 {
114			n += int32(v & 1)
115			v >>= 1
116		}
117	}
118	if n == 0 {
119		n = 1
120	}
121	return n
122}
123
124// Clone, the Linux rfork.
125const (
126	_CLONE_VM             = 0x100
127	_CLONE_FS             = 0x200
128	_CLONE_FILES          = 0x400
129	_CLONE_SIGHAND        = 0x800
130	_CLONE_PTRACE         = 0x2000
131	_CLONE_VFORK          = 0x4000
132	_CLONE_PARENT         = 0x8000
133	_CLONE_THREAD         = 0x10000
134	_CLONE_NEWNS          = 0x20000
135	_CLONE_SYSVSEM        = 0x40000
136	_CLONE_SETTLS         = 0x80000
137	_CLONE_PARENT_SETTID  = 0x100000
138	_CLONE_CHILD_CLEARTID = 0x200000
139	_CLONE_UNTRACED       = 0x800000
140	_CLONE_CHILD_SETTID   = 0x1000000
141	_CLONE_STOPPED        = 0x2000000
142	_CLONE_NEWUTS         = 0x4000000
143	_CLONE_NEWIPC         = 0x8000000
144
145	// As of QEMU 2.8.0 (5ea2fc84d), user emulation requires all six of these
146	// flags to be set when creating a thread; attempts to share the other
147	// five but leave SYSVSEM unshared will fail with -EINVAL.
148	//
149	// In non-QEMU environments CLONE_SYSVSEM is inconsequential as we do not
150	// use System V semaphores.
151
152	cloneFlags = _CLONE_VM | /* share memory */
153		_CLONE_FS | /* share cwd, etc */
154		_CLONE_FILES | /* share fd table */
155		_CLONE_SIGHAND | /* share sig handler table */
156		_CLONE_SYSVSEM | /* share SysV semaphore undo lists (see issue #20763) */
157		_CLONE_THREAD /* revisit - okay for now */
158)
159
160//go:noescape
161func clone(flags int32, stk, mp, gp, fn unsafe.Pointer) int32
162
163// May run with m.p==nil, so write barriers are not allowed.
164//
165//go:nowritebarrier
166func newosproc(mp *m) {
167	stk := unsafe.Pointer(mp.g0.stack.hi)
168	/*
169	 * note: strace gets confused if we use CLONE_PTRACE here.
170	 */
171	if false {
172		print("newosproc stk=", stk, " m=", mp, " g=", mp.g0, " clone=", abi.FuncPCABI0(clone), " id=", mp.id, " ostk=", &mp, "\n")
173	}
174
175	// Disable signals during clone, so that the new thread starts
176	// with signals disabled. It will enable them in minit.
177	var oset sigset
178	sigprocmask(_SIG_SETMASK, &sigset_all, &oset)
179	ret := retryOnEAGAIN(func() int32 {
180		r := clone(cloneFlags, stk, unsafe.Pointer(mp), unsafe.Pointer(mp.g0), unsafe.Pointer(abi.FuncPCABI0(mstart)))
181		// clone returns positive TID, negative errno.
182		// We don't care about the TID.
183		if r >= 0 {
184			return 0
185		}
186		return -r
187	})
188	sigprocmask(_SIG_SETMASK, &oset, nil)
189
190	if ret != 0 {
191		print("runtime: failed to create new OS thread (have ", mcount(), " already; errno=", ret, ")\n")
192		if ret == _EAGAIN {
193			println("runtime: may need to increase max user processes (ulimit -u)")
194		}
195		throw("newosproc")
196	}
197}
198
199// Version of newosproc that doesn't require a valid G.
200//
201//go:nosplit
202func newosproc0(stacksize uintptr, fn unsafe.Pointer) {
203	stack := sysAlloc(stacksize, &memstats.stacks_sys)
204	if stack == nil {
205		writeErrStr(failallocatestack)
206		exit(1)
207	}
208	ret := clone(cloneFlags, unsafe.Pointer(uintptr(stack)+stacksize), nil, nil, fn)
209	if ret < 0 {
210		writeErrStr(failthreadcreate)
211		exit(1)
212	}
213}
214
215const (
216	_AT_NULL     = 0  // End of vector
217	_AT_PAGESZ   = 6  // System physical page size
218	_AT_PLATFORM = 15 // string identifying platform
219	_AT_HWCAP    = 16 // hardware capability bit vector
220	_AT_SECURE   = 23 // secure mode boolean
221	_AT_RANDOM   = 25 // introduced in 2.6.29
222	_AT_HWCAP2   = 26 // hardware capability bit vector 2
223)
224
225var procAuxv = []byte("/proc/self/auxv\x00")
226
227var addrspace_vec [1]byte
228
229func mincore(addr unsafe.Pointer, n uintptr, dst *byte) int32
230
231var auxvreadbuf [128]uintptr
232
233func sysargs(argc int32, argv **byte) {
234	n := argc + 1
235
236	// skip over argv, envp to get to auxv
237	for argv_index(argv, n) != nil {
238		n++
239	}
240
241	// skip NULL separator
242	n++
243
244	// now argv+n is auxv
245	auxvp := (*[1 << 28]uintptr)(add(unsafe.Pointer(argv), uintptr(n)*goarch.PtrSize))
246
247	if pairs := sysauxv(auxvp[:]); pairs != 0 {
248		auxv = auxvp[: pairs*2 : pairs*2]
249		return
250	}
251	// In some situations we don't get a loader-provided
252	// auxv, such as when loaded as a library on Android.
253	// Fall back to /proc/self/auxv.
254	fd := open(&procAuxv[0], 0 /* O_RDONLY */, 0)
255	if fd < 0 {
256		// On Android, /proc/self/auxv might be unreadable (issue 9229), so we fallback to
257		// try using mincore to detect the physical page size.
258		// mincore should return EINVAL when address is not a multiple of system page size.
259		const size = 256 << 10 // size of memory region to allocate
260		p, err := mmap(nil, size, _PROT_READ|_PROT_WRITE, _MAP_ANON|_MAP_PRIVATE, -1, 0)
261		if err != 0 {
262			return
263		}
264		var n uintptr
265		for n = 4 << 10; n < size; n <<= 1 {
266			err := mincore(unsafe.Pointer(uintptr(p)+n), 1, &addrspace_vec[0])
267			if err == 0 {
268				physPageSize = n
269				break
270			}
271		}
272		if physPageSize == 0 {
273			physPageSize = size
274		}
275		munmap(p, size)
276		return
277	}
278
279	n = read(fd, noescape(unsafe.Pointer(&auxvreadbuf[0])), int32(unsafe.Sizeof(auxvreadbuf)))
280	closefd(fd)
281	if n < 0 {
282		return
283	}
284	// Make sure buf is terminated, even if we didn't read
285	// the whole file.
286	auxvreadbuf[len(auxvreadbuf)-2] = _AT_NULL
287	pairs := sysauxv(auxvreadbuf[:])
288	auxv = auxvreadbuf[: pairs*2 : pairs*2]
289}
290
291// secureMode holds the value of AT_SECURE passed in the auxiliary vector.
292var secureMode bool
293
294func sysauxv(auxv []uintptr) (pairs int) {
295	var i int
296	for ; auxv[i] != _AT_NULL; i += 2 {
297		tag, val := auxv[i], auxv[i+1]
298		switch tag {
299		case _AT_RANDOM:
300			// The kernel provides a pointer to 16-bytes
301			// worth of random data.
302			startupRand = (*[16]byte)(unsafe.Pointer(val))[:]
303
304		case _AT_PAGESZ:
305			physPageSize = val
306
307		case _AT_SECURE:
308			secureMode = val == 1
309		}
310
311		archauxv(tag, val)
312		vdsoauxv(tag, val)
313	}
314	return i / 2
315}
316
317var sysTHPSizePath = []byte("/sys/kernel/mm/transparent_hugepage/hpage_pmd_size\x00")
318
319func getHugePageSize() uintptr {
320	var numbuf [20]byte
321	fd := open(&sysTHPSizePath[0], 0 /* O_RDONLY */, 0)
322	if fd < 0 {
323		return 0
324	}
325	ptr := noescape(unsafe.Pointer(&numbuf[0]))
326	n := read(fd, ptr, int32(len(numbuf)))
327	closefd(fd)
328	if n <= 0 {
329		return 0
330	}
331	n-- // remove trailing newline
332	v, ok := atoi(slicebytetostringtmp((*byte)(ptr), int(n)))
333	if !ok || v < 0 {
334		v = 0
335	}
336	if v&(v-1) != 0 {
337		// v is not a power of 2
338		return 0
339	}
340	return uintptr(v)
341}
342
343func osinit() {
344	ncpu = getproccount()
345	physHugePageSize = getHugePageSize()
346	osArchInit()
347}
348
349var urandom_dev = []byte("/dev/urandom\x00")
350
351func readRandom(r []byte) int {
352	fd := open(&urandom_dev[0], 0 /* O_RDONLY */, 0)
353	n := read(fd, unsafe.Pointer(&r[0]), int32(len(r)))
354	closefd(fd)
355	return int(n)
356}
357
358func goenvs() {
359	goenvs_unix()
360}
361
362// Called to do synchronous initialization of Go code built with
363// -buildmode=c-archive or -buildmode=c-shared.
364// None of the Go runtime is initialized.
365//
366//go:nosplit
367//go:nowritebarrierrec
368func libpreinit() {
369	initsig(true)
370}
371
372// Called to initialize a new m (including the bootstrap m).
373// Called on the parent thread (main thread in case of bootstrap), can allocate memory.
374func mpreinit(mp *m) {
375	mp.gsignal = malg(32 * 1024) // Linux wants >= 2K
376	mp.gsignal.m = mp
377}
378
379func gettid() uint32
380
381// Called to initialize a new m (including the bootstrap m).
382// Called on the new thread, cannot allocate memory.
383func minit() {
384	minitSignals()
385
386	// Cgo-created threads and the bootstrap m are missing a
387	// procid. We need this for asynchronous preemption and it's
388	// useful in debuggers.
389	getg().m.procid = uint64(gettid())
390}
391
392// Called from dropm to undo the effect of an minit.
393//
394//go:nosplit
395func unminit() {
396	unminitSignals()
397	getg().m.procid = 0
398}
399
400// Called from exitm, but not from drop, to undo the effect of thread-owned
401// resources in minit, semacreate, or elsewhere. Do not take locks after calling this.
402func mdestroy(mp *m) {
403}
404
405// #ifdef GOARCH_386
406// #define sa_handler k_sa_handler
407// #endif
408
409func sigreturn__sigaction()
410func sigtramp() // Called via C ABI
411func cgoSigtramp()
412
413//go:noescape
414func sigaltstack(new, old *stackt)
415
416//go:noescape
417func setitimer(mode int32, new, old *itimerval)
418
419//go:noescape
420func timer_create(clockid int32, sevp *sigevent, timerid *int32) int32
421
422//go:noescape
423func timer_settime(timerid int32, flags int32, new, old *itimerspec) int32
424
425//go:noescape
426func timer_delete(timerid int32) int32
427
428//go:noescape
429func rtsigprocmask(how int32, new, old *sigset, size int32)
430
431//go:nosplit
432//go:nowritebarrierrec
433func sigprocmask(how int32, new, old *sigset) {
434	rtsigprocmask(how, new, old, int32(unsafe.Sizeof(*new)))
435}
436
437func raise(sig uint32)
438func raiseproc(sig uint32)
439
440//go:noescape
441func sched_getaffinity(pid, len uintptr, buf *byte) int32
442func osyield()
443
444//go:nosplit
445func osyield_no_g() {
446	osyield()
447}
448
449func pipe2(flags int32) (r, w int32, errno int32)
450
451//go:nosplit
452func fcntl(fd, cmd, arg int32) (ret int32, errno int32) {
453	r, _, err := syscall.Syscall6(syscall.SYS_FCNTL, uintptr(fd), uintptr(cmd), uintptr(arg), 0, 0, 0)
454	return int32(r), int32(err)
455}
456
457const (
458	_si_max_size    = 128
459	_sigev_max_size = 64
460)
461
462//go:nosplit
463//go:nowritebarrierrec
464func setsig(i uint32, fn uintptr) {
465	var sa sigactiont
466	sa.sa_flags = _SA_SIGINFO | _SA_ONSTACK | _SA_RESTORER | _SA_RESTART
467	sigfillset(&sa.sa_mask)
468	// Although Linux manpage says "sa_restorer element is obsolete and
469	// should not be used". x86_64 kernel requires it. Only use it on
470	// x86.
471	if GOARCH == "386" || GOARCH == "amd64" {
472		sa.sa_restorer = abi.FuncPCABI0(sigreturn__sigaction)
473	}
474	if fn == abi.FuncPCABIInternal(sighandler) { // abi.FuncPCABIInternal(sighandler) matches the callers in signal_unix.go
475		if iscgo {
476			fn = abi.FuncPCABI0(cgoSigtramp)
477		} else {
478			fn = abi.FuncPCABI0(sigtramp)
479		}
480	}
481	sa.sa_handler = fn
482	sigaction(i, &sa, nil)
483}
484
485//go:nosplit
486//go:nowritebarrierrec
487func setsigstack(i uint32) {
488	var sa sigactiont
489	sigaction(i, nil, &sa)
490	if sa.sa_flags&_SA_ONSTACK != 0 {
491		return
492	}
493	sa.sa_flags |= _SA_ONSTACK
494	sigaction(i, &sa, nil)
495}
496
497//go:nosplit
498//go:nowritebarrierrec
499func getsig(i uint32) uintptr {
500	var sa sigactiont
501	sigaction(i, nil, &sa)
502	return sa.sa_handler
503}
504
505// setSignalstackSP sets the ss_sp field of a stackt.
506//
507//go:nosplit
508func setSignalstackSP(s *stackt, sp uintptr) {
509	*(*uintptr)(unsafe.Pointer(&s.ss_sp)) = sp
510}
511
512//go:nosplit
513func (c *sigctxt) fixsigcode(sig uint32) {
514}
515
516// sysSigaction calls the rt_sigaction system call.
517//
518//go:nosplit
519func sysSigaction(sig uint32, new, old *sigactiont) {
520	if rt_sigaction(uintptr(sig), new, old, unsafe.Sizeof(sigactiont{}.sa_mask)) != 0 {
521		// Workaround for bugs in QEMU user mode emulation.
522		//
523		// QEMU turns calls to the sigaction system call into
524		// calls to the C library sigaction call; the C
525		// library call rejects attempts to call sigaction for
526		// SIGCANCEL (32) or SIGSETXID (33).
527		//
528		// QEMU rejects calling sigaction on SIGRTMAX (64).
529		//
530		// Just ignore the error in these case. There isn't
531		// anything we can do about it anyhow.
532		if sig != 32 && sig != 33 && sig != 64 {
533			// Use system stack to avoid split stack overflow on ppc64/ppc64le.
534			systemstack(func() {
535				throw("sigaction failed")
536			})
537		}
538	}
539}
540
541// rt_sigaction is implemented in assembly.
542//
543//go:noescape
544func rt_sigaction(sig uintptr, new, old *sigactiont, size uintptr) int32
545
546func getpid() int
547func tgkill(tgid, tid, sig int)
548
549// signalM sends a signal to mp.
550func signalM(mp *m, sig int) {
551	tgkill(getpid(), int(mp.procid), sig)
552}
553
554// validSIGPROF compares this signal delivery's code against the signal sources
555// that the profiler uses, returning whether the delivery should be processed.
556// To be processed, a signal delivery from a known profiling mechanism should
557// correspond to the best profiling mechanism available to this thread. Signals
558// from other sources are always considered valid.
559//
560//go:nosplit
561func validSIGPROF(mp *m, c *sigctxt) bool {
562	code := int32(c.sigcode())
563	setitimer := code == _SI_KERNEL
564	timer_create := code == _SI_TIMER
565
566	if !(setitimer || timer_create) {
567		// The signal doesn't correspond to a profiling mechanism that the
568		// runtime enables itself. There's no reason to process it, but there's
569		// no reason to ignore it either.
570		return true
571	}
572
573	if mp == nil {
574		// Since we don't have an M, we can't check if there's an active
575		// per-thread timer for this thread. We don't know how long this thread
576		// has been around, and if it happened to interact with the Go scheduler
577		// at a time when profiling was active (causing it to have a per-thread
578		// timer). But it may have never interacted with the Go scheduler, or
579		// never while profiling was active. To avoid double-counting, process
580		// only signals from setitimer.
581		//
582		// When a custom cgo traceback function has been registered (on
583		// platforms that support runtime.SetCgoTraceback), SIGPROF signals
584		// delivered to a thread that cannot find a matching M do this check in
585		// the assembly implementations of runtime.cgoSigtramp.
586		return setitimer
587	}
588
589	// Having an M means the thread interacts with the Go scheduler, and we can
590	// check whether there's an active per-thread timer for this thread.
591	if mp.profileTimerValid.Load() {
592		// If this M has its own per-thread CPU profiling interval timer, we
593		// should track the SIGPROF signals that come from that timer (for
594		// accurate reporting of its CPU usage; see issue 35057) and ignore any
595		// that it gets from the process-wide setitimer (to not over-count its
596		// CPU consumption).
597		return timer_create
598	}
599
600	// No active per-thread timer means the only valid profiler is setitimer.
601	return setitimer
602}
603
604func setProcessCPUProfiler(hz int32) {
605	setProcessCPUProfilerTimer(hz)
606}
607
608func setThreadCPUProfiler(hz int32) {
609	mp := getg().m
610	mp.profilehz = hz
611
612	// destroy any active timer
613	if mp.profileTimerValid.Load() {
614		timerid := mp.profileTimer
615		mp.profileTimerValid.Store(false)
616		mp.profileTimer = 0
617
618		ret := timer_delete(timerid)
619		if ret != 0 {
620			print("runtime: failed to disable profiling timer; timer_delete(", timerid, ") errno=", -ret, "\n")
621			throw("timer_delete")
622		}
623	}
624
625	if hz == 0 {
626		// If the goal was to disable profiling for this thread, then the job's done.
627		return
628	}
629
630	// The period of the timer should be 1/Hz. For every "1/Hz" of additional
631	// work, the user should expect one additional sample in the profile.
632	//
633	// But to scale down to very small amounts of application work, to observe
634	// even CPU usage of "one tenth" of the requested period, set the initial
635	// timing delay in a different way: So that "one tenth" of a period of CPU
636	// spend shows up as a 10% chance of one sample (for an expected value of
637	// 0.1 samples), and so that "two and six tenths" periods of CPU spend show
638	// up as a 60% chance of 3 samples and a 40% chance of 2 samples (for an
639	// expected value of 2.6). Set the initial delay to a value in the unifom
640	// random distribution between 0 and the desired period. And because "0"
641	// means "disable timer", add 1 so the half-open interval [0,period) turns
642	// into (0,period].
643	//
644	// Otherwise, this would show up as a bias away from short-lived threads and
645	// from threads that are only occasionally active: for example, when the
646	// garbage collector runs on a mostly-idle system, the additional threads it
647	// activates may do a couple milliseconds of GC-related work and nothing
648	// else in the few seconds that the profiler observes.
649	spec := new(itimerspec)
650	spec.it_value.setNsec(1 + int64(cheaprandn(uint32(1e9/hz))))
651	spec.it_interval.setNsec(1e9 / int64(hz))
652
653	var timerid int32
654	var sevp sigevent
655	sevp.notify = _SIGEV_THREAD_ID
656	sevp.signo = _SIGPROF
657	sevp.sigev_notify_thread_id = int32(mp.procid)
658	ret := timer_create(_CLOCK_THREAD_CPUTIME_ID, &sevp, &timerid)
659	if ret != 0 {
660		// If we cannot create a timer for this M, leave profileTimerValid false
661		// to fall back to the process-wide setitimer profiler.
662		return
663	}
664
665	ret = timer_settime(timerid, 0, spec, nil)
666	if ret != 0 {
667		print("runtime: failed to configure profiling timer; timer_settime(", timerid,
668			", 0, {interval: {",
669			spec.it_interval.tv_sec, "s + ", spec.it_interval.tv_nsec, "ns} value: {",
670			spec.it_value.tv_sec, "s + ", spec.it_value.tv_nsec, "ns}}, nil) errno=", -ret, "\n")
671		throw("timer_settime")
672	}
673
674	mp.profileTimer = timerid
675	mp.profileTimerValid.Store(true)
676}
677
678// perThreadSyscallArgs contains the system call number, arguments, and
679// expected return values for a system call to be executed on all threads.
680type perThreadSyscallArgs struct {
681	trap uintptr
682	a1   uintptr
683	a2   uintptr
684	a3   uintptr
685	a4   uintptr
686	a5   uintptr
687	a6   uintptr
688	r1   uintptr
689	r2   uintptr
690}
691
692// perThreadSyscall is the system call to execute for the ongoing
693// doAllThreadsSyscall.
694//
695// perThreadSyscall may only be written while mp.needPerThreadSyscall == 0 on
696// all Ms.
697var perThreadSyscall perThreadSyscallArgs
698
699// syscall_runtime_doAllThreadsSyscall and executes a specified system call on
700// all Ms.
701//
702// The system call is expected to succeed and return the same value on every
703// thread. If any threads do not match, the runtime throws.
704//
705//go:linkname syscall_runtime_doAllThreadsSyscall syscall.runtime_doAllThreadsSyscall
706//go:uintptrescapes
707func syscall_runtime_doAllThreadsSyscall(trap, a1, a2, a3, a4, a5, a6 uintptr) (r1, r2, err uintptr) {
708	if iscgo {
709		// In cgo, we are not aware of threads created in C, so this approach will not work.
710		panic("doAllThreadsSyscall not supported with cgo enabled")
711	}
712
713	// STW to guarantee that user goroutines see an atomic change to thread
714	// state. Without STW, goroutines could migrate Ms while change is in
715	// progress and e.g., see state old -> new -> old -> new.
716	//
717	// N.B. Internally, this function does not depend on STW to
718	// successfully change every thread. It is only needed for user
719	// expectations, per above.
720	stw := stopTheWorld(stwAllThreadsSyscall)
721
722	// This function depends on several properties:
723	//
724	// 1. All OS threads that already exist are associated with an M in
725	//    allm. i.e., we won't miss any pre-existing threads.
726	// 2. All Ms listed in allm will eventually have an OS thread exist.
727	//    i.e., they will set procid and be able to receive signals.
728	// 3. OS threads created after we read allm will clone from a thread
729	//    that has executed the system call. i.e., they inherit the
730	//    modified state.
731	//
732	// We achieve these through different mechanisms:
733	//
734	// 1. Addition of new Ms to allm in allocm happens before clone of its
735	//    OS thread later in newm.
736	// 2. newm does acquirem to avoid being preempted, ensuring that new Ms
737	//    created in allocm will eventually reach OS thread clone later in
738	//    newm.
739	// 3. We take allocmLock for write here to prevent allocation of new Ms
740	//    while this function runs. Per (1), this prevents clone of OS
741	//    threads that are not yet in allm.
742	allocmLock.lock()
743
744	// Disable preemption, preventing us from changing Ms, as we handle
745	// this M specially.
746	//
747	// N.B. STW and lock() above do this as well, this is added for extra
748	// clarity.
749	acquirem()
750
751	// N.B. allocmLock also prevents concurrent execution of this function,
752	// serializing use of perThreadSyscall, mp.needPerThreadSyscall, and
753	// ensuring all threads execute system calls from multiple calls in the
754	// same order.
755
756	r1, r2, errno := syscall.Syscall6(trap, a1, a2, a3, a4, a5, a6)
757	if GOARCH == "ppc64" || GOARCH == "ppc64le" {
758		// TODO(https://go.dev/issue/51192 ): ppc64 doesn't use r2.
759		r2 = 0
760	}
761	if errno != 0 {
762		releasem(getg().m)
763		allocmLock.unlock()
764		startTheWorld(stw)
765		return r1, r2, errno
766	}
767
768	perThreadSyscall = perThreadSyscallArgs{
769		trap: trap,
770		a1:   a1,
771		a2:   a2,
772		a3:   a3,
773		a4:   a4,
774		a5:   a5,
775		a6:   a6,
776		r1:   r1,
777		r2:   r2,
778	}
779
780	// Wait for all threads to start.
781	//
782	// As described above, some Ms have been added to allm prior to
783	// allocmLock, but not yet completed OS clone and set procid.
784	//
785	// At minimum we must wait for a thread to set procid before we can
786	// send it a signal.
787	//
788	// We take this one step further and wait for all threads to start
789	// before sending any signals. This prevents system calls from getting
790	// applied twice: once in the parent and once in the child, like so:
791	//
792	//          A                     B                  C
793	//                         add C to allm
794	// doAllThreadsSyscall
795	//   allocmLock.lock()
796	//   signal B
797	//                         <receive signal>
798	//                         execute syscall
799	//                         <signal return>
800	//                         clone C
801	//                                             <thread start>
802	//                                             set procid
803	//   signal C
804	//                                             <receive signal>
805	//                                             execute syscall
806	//                                             <signal return>
807	//
808	// In this case, thread C inherited the syscall-modified state from
809	// thread B and did not need to execute the syscall, but did anyway
810	// because doAllThreadsSyscall could not be sure whether it was
811	// required.
812	//
813	// Some system calls may not be idempotent, so we ensure each thread
814	// executes the system call exactly once.
815	for mp := allm; mp != nil; mp = mp.alllink {
816		for atomic.Load64(&mp.procid) == 0 {
817			// Thread is starting.
818			osyield()
819		}
820	}
821
822	// Signal every other thread, where they will execute perThreadSyscall
823	// from the signal handler.
824	gp := getg()
825	tid := gp.m.procid
826	for mp := allm; mp != nil; mp = mp.alllink {
827		if atomic.Load64(&mp.procid) == tid {
828			// Our thread already performed the syscall.
829			continue
830		}
831		mp.needPerThreadSyscall.Store(1)
832		signalM(mp, sigPerThreadSyscall)
833	}
834
835	// Wait for all threads to complete.
836	for mp := allm; mp != nil; mp = mp.alllink {
837		if mp.procid == tid {
838			continue
839		}
840		for mp.needPerThreadSyscall.Load() != 0 {
841			osyield()
842		}
843	}
844
845	perThreadSyscall = perThreadSyscallArgs{}
846
847	releasem(getg().m)
848	allocmLock.unlock()
849	startTheWorld(stw)
850
851	return r1, r2, errno
852}
853
854// runPerThreadSyscall runs perThreadSyscall for this M if required.
855//
856// This function throws if the system call returns with anything other than the
857// expected values.
858//
859//go:nosplit
860func runPerThreadSyscall() {
861	gp := getg()
862	if gp.m.needPerThreadSyscall.Load() == 0 {
863		return
864	}
865
866	args := perThreadSyscall
867	r1, r2, errno := syscall.Syscall6(args.trap, args.a1, args.a2, args.a3, args.a4, args.a5, args.a6)
868	if GOARCH == "ppc64" || GOARCH == "ppc64le" {
869		// TODO(https://go.dev/issue/51192 ): ppc64 doesn't use r2.
870		r2 = 0
871	}
872	if errno != 0 || r1 != args.r1 || r2 != args.r2 {
873		print("trap:", args.trap, ", a123456=[", args.a1, ",", args.a2, ",", args.a3, ",", args.a4, ",", args.a5, ",", args.a6, "]\n")
874		print("results: got {r1=", r1, ",r2=", r2, ",errno=", errno, "}, want {r1=", args.r1, ",r2=", args.r2, ",errno=0}\n")
875		fatal("AllThreadsSyscall6 results differ between threads; runtime corrupted")
876	}
877
878	gp.m.needPerThreadSyscall.Store(0)
879}
880
881const (
882	_SI_USER  = 0
883	_SI_TKILL = -6
884)
885
886// sigFromUser reports whether the signal was sent because of a call
887// to kill or tgkill.
888//
889//go:nosplit
890func (c *sigctxt) sigFromUser() bool {
891	code := int32(c.sigcode())
892	return code == _SI_USER || code == _SI_TKILL
893}
894
895//go:nosplit
896func mprotect(addr unsafe.Pointer, n uintptr, prot int32) (ret int32, errno int32) {
897	r, _, err := syscall.Syscall6(syscall.SYS_MPROTECT, uintptr(addr), n, uintptr(prot), 0, 0, 0)
898	return int32(r), int32(err)
899}
900