
runtime: SIGSEGV in runtime.pageIndexOf when loading plugin on riscv64 #73283


Closed
brsvh opened this issue Apr 9, 2025 · 5 comments
Labels
arch-riscv: Issues solely affecting the riscv64 architecture.
compiler/runtime: Issues related to the Go compiler and/or runtime.
NeedsInvestigation: Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone

Comments


brsvh commented Apr 9, 2025

It appears that in certain conditions on riscv64, the runtime’s memory allocator miscomputes the arena pointer for new spans, causing pageIndexOf to return an invalid pointer that is later used in initSpan. This leads to a segmentation fault. I believe this is a bug in the runtime memory allocation logic on riscv64.

I have observed a segmentation fault when loading a plugin on a riscv64 system using Go 1.24.1. The crash occurs in the memory allocator, specifically within the runtime.pageIndexOf function, which is called from runtime.(*mheap).initSpan.

The error indicates that the arena pointer computed by pageIndexOf is invalid. In our case, the register t1 (which holds the arena pointer) is set to 0x1112b008c0404440, which does not appear to be a canonical, properly mapped address. The backtrace is as follows:

SIGSEGV: segmentation violation
PC=0x3fa1607dc4 m=3 sigcode=1 addr=0x8c0404440

goroutine 0 [idle]:
runtime.pageIndexOf(p=273469956096, arena=<optimized out>, pageIdx=<optimized out>, pageMask=<optimized out>)
    /home/bingshan/go-toolchains/go-1.24.1/src/runtime/mheap.go:739
runtime.(*mheap).initSpan(h=0x106c760 <runtime.mheap_>, s=0x3fb0364408, typ=0, spanclass=2, base=273469956096, npages=1)
    /home/bingshan/go-toolchains/go-1.24.1/src/runtime/mheap.go:1462 +0x25c
runtime.(*mheap).allocSpan(h=0x106c760, npages=1, typ=0, spanclass=2, s=<optimized out>)
    /home/bingshan/go-toolchains/go-1.24.1/src/runtime/mheap.go:1346 +0x450
runtime.(*mheap).alloc.func1()
    /home/bingshan/go-toolchains/go-1.24.1/src/runtime/mheap.go:970 +0x7c
runtime.systemstack(0x0)
    /home/bingshan/go-toolchains/go-1.24.1/src/runtime/asm_riscv64.s:132 +0x54

Register snapshot at crash:
  t1 = 0x1112b008c0404440  (Invalid arena pointer)
  s.base (passed to initSpan) = 273469956096

The plugin loads and begins to allocate memory (in our case during the plugin initialization I allocate a significant memory block). When a new span is allocated, its base address (in our case, approximately 273469956096) is passed to runtime.pageIndexOf. The computed arena pointer in register t1 then turns out to be 0x1112b008c0404440, an address that does not fall within a proper arena mapping. This leads to a segmentation fault when the runtime attempts to update the arena’s data structures.

I have tried varying the memory allocation size in the plugin’s initialization (e.g., allocating 65MB), and the crash consistently appears when the allocation pushes the span’s base into an uninitialized arena slot. I suspect that this bug manifests under high memory pressure or when spans are allocated across arena boundaries.

Environment

  • Architecture: riscv64
  • Platform: Linux
  • Go: 1.24.1 (patched with commit 371ee14 and cdc9560)

Detailed information

I'm new to Go and have only captured some basic information. If more details are needed, feel free to ping me, I'm more than happy to provide them.

Starting program: /usr/bin/atuned 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib64/libthread_db.so.1".
[New Thread 0x3fb13e4180 (LWP 1084395)]
[New Thread 0x3fb0ba3180 (LWP 1084396)]
[New Thread 0x3fa3fff180 (LWP 1084398)]
[New Thread 0x3fa37fe180 (LWP 1084397)]
[New Thread 0x3fa2ffd180 (LWP 1084399)]
Thread 5 "atuned" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x3fa37fe180 (LWP 1084397)]
0x0000003fa1607dc4 in runtime.pageIndexOf (p=273469956096, arena=<optimized out>, pageIdx=<optimized out>, pageMask=<optimized out>) at /home/bingshan/go-toolchains/go-1.24.1/src/runtime/mheap.go:739
739		arena = mheap_.arenas[ai.l1()][ai.l2()]
bt
#0  0x0000003fa1607dc4 in runtime.pageIndexOf (p=273469956096, arena=<optimized out>, pageIdx=<optimized out>, pageMask=<optimized out>) at /home/bingshan/go-toolchains/go-1.24.1/src/runtime/mheap.go:739
#1  runtime.(*mheap).initSpan (h=0x106c760 <runtime.mheap_>, s=0x3fb0364408, typ=0 '\000', spanclass=2 '\002', base=273469956096, npages=1) at /home/bingshan/go-toolchains/go-1.24.1/src/runtime/mheap.go:1462
#2  0x0000003fa1607968 in runtime.(*mheap).allocSpan (h=0x106c760 <runtime.mheap_>, npages=1, typ=0 '\000', spanclass=2 '\002', s=<optimized out>) at /home/bingshan/go-toolchains/go-1.24.1/src/runtime/mheap.go:1346
#3  0x0000003fa160716c in runtime.(*mheap).alloc.func1 () at /home/bingshan/go-toolchains/go-1.24.1/src/runtime/mheap.go:970
#4  0x0000003fa164c9b4 in runtime.systemstack () at /home/bingshan/go-toolchains/go-1.24.1/src/runtime/asm_riscv64.s:132
#5  0x00000000003794c8 in runtime.mstart.abi0 ()
#6  0x0000000000000000 in ?? ()
PC not saved
info proc mappings
process 1084393
Mapped address spaces:

          Start Addr           End Addr       Size     Offset  Perms  objfile
             0x10000           0xfea000   0xfda000        0x0  r-xp   /usr/bin/atuned
            0xfea000           0xfed000     0x3000   0xfd9000  r--p   /usr/bin/atuned
            0xfed000          0x105f000    0x72000   0xfdc000  rw-p   /usr/bin/atuned
           0x105f000          0x1092000    0x33000        0x0  rw-p   [heap]
           0x1092000          0x10b3000    0x21000        0x0  rw-p   [heap]
        0x3f8c000000       0x3f8c021000    0x21000        0x0  rw-p   
        0x3f8c021000       0x3f90000000  0x3fdf000        0x0  ---p   
        0x3f94000000       0x3f94021000    0x21000        0x0  rw-p   
        0x3f94021000       0x3f98000000  0x3fdf000        0x0  ---p   
        0x3f9c000000       0x3f9c021000    0x21000        0x0  rw-p   
        0x3f9c021000       0x3fa0000000  0x3fdf000        0x0  ---p   
        0x3fa1000000       0x3fa1ef0000   0xef0000        0x0  r-xp   /usr/lib/atuned/modules/daemon_profile_server.so
        0x3fa1ef0000       0x3fa2659000   0x769000   0xef0000  r--p   /usr/lib/atuned/modules/daemon_profile_server.so
        0x3fa2659000       0x3fa26eb000    0x92000  0x1659000  rw-p   /usr/lib/atuned/modules/daemon_profile_server.so
        0x3fa26eb000       0x3fa271f000    0x34000        0x0  rw-p   
        0x3fa27fd000       0x3fa27fe000     0x1000        0x0  ---p   
        0x3fa27fe000       0x3fa2ffe000   0x800000        0x0  rw-p   
        0x3fa2ffe000       0x3fa2fff000     0x1000        0x0  ---p   
        0x3fa2fff000       0x3fa37ff000   0x800000        0x0  rw-p   
        0x3fa37ff000       0x3fa3800000     0x1000        0x0  ---p   
        0x3fa3800000       0x3fa4000000   0x800000        0x0  rw-p   
        0x3fa4000000       0x3fa4021000    0x21000        0x0  rw-p   
        0x3fa4021000       0x3fa8000000  0x3fdf000        0x0  ---p   
        0x3fa8000000       0x3fa8021000    0x21000        0x0  rw-p   
        0x3fa8021000       0x3fac000000  0x3fdf000        0x0  ---p   
        0x3fac000000       0x3fac400000   0x400000        0x0  rw-p   
        0x3fac400000       0x3fb0000000  0x3c00000        0x0  ---p   
        0x3fb01c3000       0x3fb03a3000   0x1e0000        0x0  rw-p   
        0x3fb03a3000       0x3fb03a4000     0x1000        0x0  ---p   
        0x3fb03a4000       0x3fb0ba4000   0x800000        0x0  rw-p   
        0x3fb0ba4000       0x3fb0be4000    0x40000        0x0  rw-p   
        0x3fb0be4000       0x3fb0be5000     0x1000        0x0  ---p   
        0x3fb0be5000       0x3fb13e5000   0x800000        0x0  rw-p   
        0x3fb13e5000       0x3fb1405000    0x20000        0x0  rw-p   
        0x3fb1405000       0x3fb1505000   0x100000        0x0  rw-p   
        0x3fb1505000       0x3fb1516000    0x11000        0x0  rw-p   
        0x3fb1516000       0x3fb3516000  0x2000000        0x0  rw-p   
        0x3fb3516000       0x3fb3595000    0x7f000        0x0  ---p   
        0x3fb3595000       0x3fb3596000     0x1000        0x0  rw-p   
        0x3fb3596000       0x3fd3595000 0x1ffff000        0x0  ---p   
        0x3fd3595000       0x3fd3596000     0x1000        0x0  rw-p   
        0x3fd3596000       0x3ff3525000 0x1ff8f000        0x0  ---p   
        0x3ff3525000       0x3ff3526000     0x1000        0x0  rw-p   
        0x3ff3526000       0x3ff7517000  0x3ff1000        0x0  ---p   
        0x3ff7517000       0x3ff7518000     0x1000        0x0  rw-p   
        0x3ff7518000       0x3ff7d16000   0x7fe000        0x0  ---p   
        0x3ff7d16000       0x3ff7d17000     0x1000        0x0  rw-p   
        0x3ff7d17000       0x3ff7e16000    0xff000        0x0  ---p   
        0x3ff7e16000       0x3ff7e78000    0x62000        0x0  rw-p   
        0x3ff7e78000       0x3ff7fb0000   0x138000        0x0  r-xp   /usr/lib64/libc.so.6
        0x3ff7fb0000       0x3ff7fb3000     0x3000   0x138000  r--p   /usr/lib64/libc.so.6
        0x3ff7fb3000       0x3ff7fb5000     0x2000   0x13b000  rw-p   /usr/lib64/libc.so.6
        0x3ff7fb5000       0x3ff7fc2000     0xd000        0x0  rw-p   
        0x3ff7fc2000       0x3ff7fcc000     0xa000        0x0  r-xp   /usr/lib64/libresolv.so.2
        0x3ff7fcc000       0x3ff7fcd000     0x1000     0xa000  r--p   /usr/lib64/libresolv.so.2
        0x3ff7fcd000       0x3ff7fce000     0x1000     0xb000  rw-p   /usr/lib64/libresolv.so.2
        0x3ff7fce000       0x3ff7fd0000     0x2000        0x0  rw-p   
        0x3ff7fdc000       0x3ff7fde000     0x2000        0x0  r--p   [vvar]
        0x3ff7fde000       0x3ff7fe0000     0x2000        0x0  r-xp   [vdso]
        0x3ff7fe0000       0x3ff7ffc000    0x1c000        0x0  r-xp   /usr/lib/ld-linux-riscv64-lp64d.so.1
        0x3ff7ffc000       0x3ff7ffe000     0x2000    0x1b000  r--p   /usr/lib/ld-linux-riscv64-lp64d.so.1
        0x3ff7ffe000       0x3ff8000000     0x2000    0x1d000  rw-p   /usr/lib/ld-linux-riscv64-lp64d.so.1
        0x3ffffdf000       0x4000000000    0x21000        0x0  rw-p   [stack]
disassemble
Dump of assembler code for function runtime.(*mheap).initSpan:
   0x0000003fa1607b68 <+0>:	ld	t1,16(s11)
   0x0000003fa1607b6c <+4>:	bltu	t1,sp,0x3fa1607ba8 <runtime.(*mheap).initSpan+64>
   0x0000003fa1607b70 <+8>:	sd	a0,8(sp)
   0x0000003fa1607b74 <+12>:	sd	a1,16(sp)
   0x0000003fa1607b78 <+16>:	sb	a2,24(sp)
   0x0000003fa1607b7c <+20>:	sb	a3,25(sp)
   0x0000003fa1607b80 <+24>:	sd	a4,32(sp)
   0x0000003fa1607b84 <+28>:	sd	a5,40(sp)
   0x0000003fa1607b88 <+32>:	jal	t0,0x3fa164ca88 <runtime.morestack_noctxt>
   0x0000003fa1607b8c <+36>:	ld	a0,8(sp)
   0x0000003fa1607b90 <+40>:	ld	a1,16(sp)
   0x0000003fa1607b94 <+44>:	lbu	a2,24(sp)
   0x0000003fa1607b98 <+48>:	lbu	a3,25(sp)
   0x0000003fa1607b9c <+52>:	ld	a4,32(sp)
   0x0000003fa1607ba0 <+56>:	ld	a5,40(sp)
   0x0000003fa1607ba4 <+60>:	j	0x3fa1607b68 <runtime.(*mheap).initSpan>
   0x0000003fa1607ba8 <+64>:	sd	ra,-64(sp)
   0x0000003fa1607bac <+68>:	addi	sp,sp,-64
   0x0000003fa1607bb0 <+72>:	sd	ra,0(sp)
   0x0000003fa1607bb4 <+76>:	sd	a0,72(sp)
   0x0000003fa1607bb8 <+80>:	sd	a1,80(sp)
   0x0000003fa1607bbc <+84>:	sb	a2,88(sp)
   0x0000003fa1607bc0 <+88>:	sb	a3,89(sp)
   0x0000003fa1607bc4 <+92>:	sd	a4,96(sp)
   0x0000003fa1607bc8 <+96>:	sd	a5,104(sp)
   0x0000003fa1607bcc <+100>:	mv	a0,a1
   0x0000003fa1607bd0 <+104>:	mv	a1,a4
   0x0000003fa1607bd4 <+108>:	mv	a2,a5
   0x0000003fa1607bd8 <+112>:	jal	0x3fa16086c0 <runtime.(*mspan).init>
   0x0000003fa1607bdc <+116>:	ld	a0,72(sp)
   0x0000003fa1607be0 <+120>:	ld	a1,96(sp)
   0x0000003fa1607be4 <+124>:	ld	a2,104(sp)
   0x0000003fa1607be8 <+128>:	jal	0x3fa16072d8 <runtime.(*mheap).allocNeedsZero>
   0x0000003fa1607bec <+132>:	zext.b	t0,a0
   0x0000003fa1607bf0 <+136>:	beqz	t0,0x3fa1607c04 <runtime.(*mheap).initSpan+156>
   0x0000003fa1607bf4 <+140>:	li	t2,1
   0x0000003fa1607bf8 <+144>:	ld	a3,80(sp)
   0x0000003fa1607bfc <+148>:	sb	t2,100(a3)
   0x0000003fa1607c00 <+152>:	j	0x3fa1607c0c <runtime.(*mheap).initSpan+164>
   0x0000003fa1607c04 <+156>:	li	t2,1
   0x0000003fa1607c08 <+160>:	ld	a3,80(sp)
   0x0000003fa1607c0c <+164>:	lbu	s0,88(sp)
   0x0000003fa1607c10 <+168>:	sd	s0,40(sp)
   0x0000003fa1607c14 <+172>:	beqz	s0,0x3fa1607c54 <runtime.(*mheap).initSpan+236>
   0x0000003fa1607c18 <+176>:	sd	zero,40(a3)
   0x0000003fa1607c1c <+180>:	sh	zero,50(a3)
   0x0000003fa1607c20 <+184>:	ld	t0,32(a3)
   0x0000003fa1607c24 <+188>:	slli	t0,t0,0xd
   0x0000003fa1607c28 <+192>:	ld	t1,24(a3)
   0x0000003fa1607c2c <+196>:	add	t0,t1,t0
   0x0000003fa1607c30 <+200>:	addi	t1,a3,99
   0x0000003fa1607c34 <+204>:	sd	t0,112(a3)
   0x0000003fa1607c38 <+208>:	nop
   0x0000003fa1607c3c <+212>:	li	t0,2
   0x0000003fa1607c40 <+216>:	fence
   0x0000003fa1607c44 <+220>:	sb	t0,0(t1)
   0x0000003fa1607c48 <+224>:	fence
   0x0000003fa1607c4c <+228>:	ld	a0,72(sp)
   0x0000003fa1607c50 <+232>:	j	0x3fa1607d7c <runtime.(*mheap).initSpan+532>
   0x0000003fa1607c54 <+236>:	lbu	s1,89(sp)
   0x0000003fa1607c58 <+240>:	sb	s1,98(a3)
   0x0000003fa1607c5c <+244>:	slli	s1,s1,0x38
   0x0000003fa1607c60 <+248>:	srli	s1,s1,0x39
   0x0000003fa1607c64 <+252>:	ld	a1,104(sp)
   0x0000003fa1607c68 <+256>:	slli	a2,a1,0xd
   0x0000003fa1607c6c <+260>:	zext.b	a4,s1
   0x0000003fa1607c70 <+264>:	bnez	a4,0x3fa1607c88 <runtime.(*mheap).initSpan+288>
   0x0000003fa1607c74 <+268>:	sd	a2,104(a3)
   0x0000003fa1607c78 <+272>:	li	t0,1
   0x0000003fa1607c7c <+276>:	sh	t0,50(a3)
   0x0000003fa1607c80 <+280>:	sw	zero,92(a3)
   0x0000003fa1607c84 <+284>:	j	0x3fa1607d04 <runtime.(*mheap).initSpan+412>
   0x0000003fa1607c88 <+288>:	slli	t0,s1,0x38
   0x0000003fa1607c8c <+292>:	srai	t0,t0,0x38
   0x0000003fa1607c90 <+296>:	li	t1,68
   0x0000003fa1607c94 <+300>:	bgeu	t0,t1,0x3fa1607e50 <runtime.(*mheap).initSpan+744>
   0x0000003fa1607c98 <+304>:	slli	t1,t0,0x1
   0x0000003fa1607c9c <+308>:	auipc	s1,0x10de
   0x0000003fa1607ca0 <+312>:	ld	s1,-1748(s1) # 0x3fa26e55c8
   0x0000003fa1607ca4 <+316>:	add	t1,s1,t1
   0x0000003fa1607ca8 <+320>:	lhu	t1,0(t1)
   0x0000003fa1607cac <+324>:	sd	t1,104(a3)
   0x0000003fa1607cb0 <+328>:	lbu	s1,98(a3)
   0x0000003fa1607cb4 <+332>:	andi	s1,s1,1
   0x0000003fa1607cb8 <+336>:	beqz	s1,0x3fa1607cc4 <runtime.(*mheap).initSpan+348>
   0x0000003fa1607cbc <+340>:	bnez	t1,0x3fa1607ce4 <runtime.(*mheap).initSpan+380>
   0x0000003fa1607cc0 <+344>:	j	0x3fa1607e4c <runtime.(*mheap).initSpan+740>
   0x0000003fa1607cc4 <+348>:	li	s1,512
   0x0000003fa1607cc8 <+352>:	bltu	s1,t1,0x3fa1607ce4 <runtime.(*mheap).initSpan+380>
   0x0000003fa1607ccc <+356>:	srli	s1,a2,0x6
   0x0000003fa1607cd0 <+360>:	sub	s1,a2,s1
   0x0000003fa1607cd4 <+364>:	beqz	t1,0x3fa1607e48 <runtime.(*mheap).initSpan+736>
   0x0000003fa1607cd8 <+368>:	divu	t1,s1,t1
   0x0000003fa1607cdc <+372>:	sh	t1,50(a3)
   0x0000003fa1607ce0 <+376>:	j	0x3fa1607cec <runtime.(*mheap).initSpan+388>
   0x0000003fa1607ce4 <+380>:	divu	t1,a2,t1
   0x0000003fa1607ce8 <+384>:	sh	t1,50(a3)
   0x0000003fa1607cec <+388>:	slli	t0,t0,0x2
   0x0000003fa1607cf0 <+392>:	auipc	t1,0x10d6
   0x0000003fa1607cf4 <+396>:	ld	t1,-408(t1) # 0x3fa26ddb58
   0x0000003fa1607cf8 <+400>:	add	t0,t1,t0
   0x0000003fa1607cfc <+404>:	lwu	t0,0(t0)
   0x0000003fa1607d00 <+408>:	sw	t0,92(a3)
   0x0000003fa1607d04 <+412>:	sh	zero,48(a3)
   0x0000003fa1607d08 <+416>:	sh	zero,52(a3)
   0x0000003fa1607d0c <+420>:	li	t0,-1
   0x0000003fa1607d10 <+424>:	sd	t0,56(a3)
   0x0000003fa1607d14 <+428>:	lhu	a0,50(a3)
   0x0000003fa1607d18 <+432>:	jal	0x3fa1609e78 <runtime.newMarkBits>
   0x0000003fa1607d1c <+436>:	ld	t0,80(sp)
   0x0000003fa1607d20 <+440>:	sd	a0,72(t0)
   0x0000003fa1607d24 <+444>:	lhu	a0,50(t0)
   0x0000003fa1607d28 <+448>:	addi	t1,t0,88
   0x0000003fa1607d2c <+452>:	sd	t1,56(sp)
   0x0000003fa1607d30 <+456>:	addi	t0,t0,99
   0x0000003fa1607d34 <+460>:	sd	t0,48(sp)
   0x0000003fa1607d38 <+464>:	jal	0x3fa1609e78 <runtime.newMarkBits>
   0x0000003fa1607d3c <+468>:	ld	a3,80(sp)
   0x0000003fa1607d40 <+472>:	sd	a0,64(a3)
   0x0000003fa1607d44 <+476>:	ld	a0,72(sp)
   0x0000003fa1607d48 <+480>:	lb	zero,0(a0)
   0x0000003fa1607d4c <+484>:	lui	t6,0x10
   0x0000003fa1607d50 <+488>:	add	t6,t6,a0
   0x0000003fa1607d54 <+492>:	lwu	t0,320(t6) # 0x10140
   0x0000003fa1607d58 <+496>:	ld	t1,56(sp)
   0x0000003fa1607d5c <+500>:	amoswap.w.aqrl	zero,t0,(t1)
   0x0000003fa1607d60 <+504>:	nop
   0x0000003fa1607d64 <+508>:	nop
   0x0000003fa1607d68 <+512>:	li	t0,1
   0x0000003fa1607d6c <+516>:	ld	t1,48(sp)
   0x0000003fa1607d70 <+520>:	fence
   0x0000003fa1607d74 <+524>:	sb	t0,0(t1)
   0x0000003fa1607d78 <+528>:	fence
   0x0000003fa1607d7c <+532>:	ld	a1,24(a3)
   0x0000003fa1607d80 <+536>:	ld	a2,104(sp)
   0x0000003fa1607d84 <+540>:	jal	0x3fa16071e8 <runtime.(*mheap).setSpans>
   0x0000003fa1607d88 <+544>:	ld	t0,40(sp)
   0x0000003fa1607d8c <+548>:	bnez	t0,0x3fa1607e34 <runtime.(*mheap).initSpan+716>
   0x0000003fa1607d90 <+552>:	ld	t2,80(sp)
   0x0000003fa1607d94 <+556>:	ld	t2,24(t2)
   0x0000003fa1607d98 <+560>:	nop
   0x0000003fa1607d9c <+564>:	nop
   0x0000003fa1607da0 <+568>:	nop
   0x0000003fa1607da4 <+572>:	srli	t0,t2,0x1a
   0x0000003fa1607da8 <+576>:	lui	t1,0x400
   0x0000003fa1607dac <+580>:	bgeu	t0,t1,0x3fa1607e44 <runtime.(*mheap).initSpan+732>
   0x0000003fa1607db0 <+584>:	auipc	t6,0x10da
   0x0000003fa1607db4 <+588>:	ld	t6,-1624(t6) # 0x3fa26e1758
   0x0000003fa1607db8 <+592>:	lui	t6,0x10
   0x0000003fa1607dbc <+596>:	add	t6,t6,t6
   0x0000003fa1607dc0 <+600>:	ld	t1,472(t6) # 0x101d8
=> 0x0000003fa1607dc4 <+604>:	lb	zero,0(t1) # 0x400000 <reflect.StructOf+3416>
   0x0000003fa1607dc8 <+608>:	slli	t0,t0,0x3
   0x0000003fa1607dcc <+612>:	add	t0,t1,t0
   0x0000003fa1607dd0 <+616>:	ld	t0,0(t0)
   0x0000003fa1607dd4 <+620>:	lb	zero,0(t0)
   0x0000003fa1607dd8 <+624>:	lui	t6,0x10
   0x0000003fa1607ddc <+628>:	add	t0,t0,t6
   0x0000003fa1607de0 <+632>:	srli	t1,t2,0x10
   0x0000003fa1607de4 <+636>:	andi	t1,t1,1023
   0x0000003fa1607de8 <+640>:	add	t0,t0,t1
   0x0000003fa1607dec <+644>:	andi	t1,t0,-4
   0x0000003fa1607df0 <+648>:	andi	t0,t0,3
   0x0000003fa1607df4 <+652>:	slli	t0,t0,0x3
   0x0000003fa1607df8 <+656>:	srli	t2,t2,0xd
   0x0000003fa1607dfc <+660>:	andi	t2,t2,7
   0x0000003fa1607e00 <+664>:	li	s0,1
   0x0000003fa1607e04 <+668>:	sll	t2,s0,t2
   0x0000003fa1607e08 <+672>:	zext.b	t2,t2
   0x0000003fa1607e0c <+676>:	sll	t0,t2,t0
   0x0000003fa1607e10 <+680>:	amoor.w.aqrl	zero,t0,(t1)
   0x0000003fa1607e14 <+684>:	ld	t0,72(sp)
   0x0000003fa1607e18 <+688>:	lb	zero,0(t0)
   0x0000003fa1607e1c <+692>:	lui	t6,0x10
   0x0000003fa1607e20 <+696>:	addiw	t6,t6,352 # 0x10160
   0x0000003fa1607e24 <+700>:	add	t0,t0,t6
   0x0000003fa1607e28 <+704>:	ld	t1,104(sp)
   0x0000003fa1607e2c <+708>:	amoadd.d.aqrl	t6,t1,(t0)
   0x0000003fa1607e30 <+712>:	add	t2,t1,t6
   0x0000003fa1607e34 <+716>:	fence
   0x0000003fa1607e38 <+720>:	ld	ra,0(sp)
   0x0000003fa1607e3c <+724>:	addi	sp,sp,64
   0x0000003fa1607e40 <+728>:	ret
   0x0000003fa1607e44 <+732>:	jal	0x3fa164ee68 <runtime.panicIndexU>
   0x0000003fa1607e48 <+736>:	jal	0x3fa1615660 <runtime.panicdivide>
   0x0000003fa1607e4c <+740>:	jal	0x3fa1615660 <runtime.panicdivide>
   0x0000003fa1607e50 <+744>:	jal	0x3fa164ee58 <runtime.panicIndex>
   0x0000003fa1607e54 <+748>:	nop
End of assembler dump.
print/x $t1
$1 = 0x1112b008c0404440
info registers
ra             0x3fa1607d88	0x3fa1607d88 <runtime.(*mheap).initSpan+544>
sp             0x3fa37fd6d8	0x3fa37fd6d8
gp             0x105f460	0x105f460 <html/template[scriptTagRe]>
tp             0x3fa37fe8e0	0x3fa37fe8e0
t0             0xfeb	4075
t1             0x1112b008c0404440	1230239199857230912
t2             0x3fac146000	273469956096
fp             0x1fd60a3	0x1fd60a3
s1             0x3fb1505518	273557771544
a0             0x106c760	17221472
a1             0x3fac146000	273469956096
a2             0x1	1
a3             0x3fb0364408	273539286024
a4             0x1	1
a5             0x148000	1343488
a6             0x1	1
a7             0x0	0
s2             0x3fac39b0c8	273472401608
s3             0xd3d40	867648
s4             0x3f79d71b4ca8b09	285870213051353865
s5             0x100eb40	16837440
s6             0xd3d40	867648
s7             0x80	128
s8             0xfe	254
s9             0x3fac1e31a0	273470599584
s10            0x3fac1e3178	273470599544
s11            0x3fac10a1c0	273469710784
t3             0x20af10f0819eb1	9199686544105137
t4             0xffffffffffffffff	-1
t5             0xb8aff2579958	203065824614744
t6             0x20000	131072
pc             0x3fa1607dc4	0x3fa1607dc4 <runtime.(*mheap).initSpan+604>
quit
@gopherbot gopherbot added the compiler/runtime Issues related to the Go compiler and/or runtime. label Apr 9, 2025

mengzhuo commented Apr 9, 2025

cc @golang/riscv64

@dmitshur dmitshur added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Apr 9, 2025
@dmitshur dmitshur added this to the Backlog milestone Apr 9, 2025

mengzhuo commented Apr 10, 2025

Thank you for reporting this. Can you reproduce this issue on master?
The original project is quite complicated to build; can you provide a minimal reproduction procedure?

@mknyszek mknyszek added the arch-riscv Issues solely affecting the riscv64 architecture. label Apr 16, 2025

mknyszek commented Apr 16, 2025

In triage, what stands out to us is that the SIGSEGV is reporting a different address than what's in the register. Is the pointer tagged in some way?

Also, we assume the address space is 48 bits on most platforms, so at first we thought maybe your system was handing out addresses outside of that space, but this is failing on the arena pointer itself, not on looking up the arena pointer.

We're also a little concerned about the patches 371ee14 and cdc9560. It's possible those commits depend on something else in Go 1.25. Can you reproduce with the toolchain at tip-of-tree?

@mknyszek mknyszek moved this to In Progress in Go Compiler / Runtime Apr 16, 2025
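Added by the editor, as a worked check of the data in the report above and of the two triage questions; this is not code from the Go runtime, from the reporter or from the Go team. The program redoes the index arithmetic of the inlined runtime.pageIndexOf exactly as the disassembly encodes it for linux/riscv64 (srli by 26 is a 64 MiB arena, the bgeu against 0x400000 is the 1<<22 arena limit of a 48-bit heap address space, srli 16 / andi 1023 pick the pageInUse byte, srli 13 / andi 7 the bit). Given the span base 0x3fac146000 from the register dump it produces arena index 0xfeb, which is what t0 holds at the crash, so the index computation itself is in range and the panicIndexU path is not taken. It then checks the triage questions: 0x1112b008c0404440 has bits set above bit 47, so it cannot be an address the runtime mapped, and the reported fault address 0x8c0404440 is exactly its low 39 bits (the Sv39 virtual address width), which fits a truncated report of that register rather than a deliberately tagged pointer. Finally it models the five instructions before the faulting lb on the editor's reading of them: the ld from the GOT slot writes t6 and the very next lui also writes t6, so the loaded base is discarded; with t6 = 0x20000 at the crash, t1 was read from 0x201d8, which the mappings above place inside the executable's r-xp text segment (0x10000 to 0xfea000), not inside mheap_. The example assumes the GOT slot holds &runtime.mheap_ (a0 = 0x106c760 at the crash); the "intended" address 0x107c938 follows from that assumption.

```go
package main

import "fmt"

// Constants the inlined pageIndexOf encodes in the disassembly above
// (linux/riscv64, Go 1.24): srli 26 -> 64 MiB arenas, bgeu against
// 0x400000 -> 1<<22 arenas in a 48-bit heap address space, srli 16 / andi
// 1023 -> byte index into pageInUse, srli 13 / andi 7 -> bit in that byte.
const (
	pageShift         = 13
	pageSize          = 1 << pageShift
	logHeapArenaBytes = 26
	heapArenaBytes    = 1 << logHeapArenaBytes
	heapAddrBits      = 48
	arenaL2Bits       = heapAddrBits - logHeapArenaBytes // 22
	pagesPerArena     = heapArenaBytes / pageSize         // 8192
	sv39VABits        = 39                                // RISC-V Sv39 virtual address width
)

type pageIndex struct {
	ArenaIdx uint64 // index into mheap_.arenas[0]; L1 has one entry on 64-bit Linux
	PageIdx  uint64 // byte offset into the arena's pageInUse bitmap
	PageMask uint8  // bit within that byte
	InRange  bool   // false is the runtime.panicIndexU path
}

// pageIndexOf redoes the index arithmetic of runtime.pageIndexOf for a span base.
func pageIndexOf(p uint64) pageIndex {
	arenaIdx := p >> logHeapArenaBytes
	pageInArena := (p / pageSize) % pagesPerArena
	return pageIndex{
		ArenaIdx: arenaIdx,
		PageIdx:  pageInArena / 8,
		PageMask: 1 << (pageInArena % 8),
		InRange:  arenaIdx < 1<<arenaL2Bits,
	}
}

// isHeapAddr reports whether p lies in the 48-bit space the runtime assumes.
func isHeapAddr(p uint64) bool { return p>>heapAddrBits == 0 }

// sv39Truncate keeps the low 39 bits of p.
func sv39Truncate(p uint64) uint64 { return p & (1<<sv39VABits - 1) }

// arenaBaseLoad models the instructions before the faulting lb, given the value
// the GOT load produces (assumed here to be &runtime.mheap_). It returns the
// address the emitted sequence actually reads arenas[0] from, and the address a
// sequence that kept the loaded base would have read (base + 0x10000 + 472).
func arenaBaseLoad(gotValue uint64) (emitted, intended uint64) {
	t6 := gotValue     // ld   t6,-1624(t6)
	t6 = 0x10 << 12    // lui  t6,0x10   (overwrites the value just loaded)
	t6 = t6 + t6       // add  t6,t6,t6
	emitted = t6 + 472 // ld   t1,472(t6)
	intended = gotValue + 0x10<<12 + 472
	return emitted, intended
}

func main() {
	const base = 0x3fac146000        // s.base passed to initSpan (a1, t2 at the crash)
	const badT1 = 0x1112b008c0404440 // t1 at the crash
	const mheap = 0x106c760          // a0 at the crash; assumed to be the GOT slot's value

	pi := pageIndexOf(base)
	fmt.Printf("arenaIdx=%#x (t0 at crash: 0x%x) pageIdx=%d mask=%#x inRange=%v\n",
		pi.ArenaIdx, 0xfeb, pi.PageIdx, pi.PageMask, pi.InRange)
	fmt.Printf("t1 in 48-bit heap space: %v; low 39 bits: %#x (sigaddr 0x8c0404440)\n",
		isHeapAddr(badT1), sv39Truncate(badT1))
	emitted, intended := arenaBaseLoad(mheap)
	fmt.Printf("arenas[0] loaded from %#x (t6+472), intended %#x\n", emitted, intended)
}
```

Run it with go run on any host; nothing in it is riscv64-specific at runtime, the architecture only enters through the constants. The same three checks (index in range, pointer inside the 48-bit space, and the register the large-offset sequence scribbles over) are what to look at first in any future report of a SIGSEGV inside pageIndexOf or initSpan.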

brsvh commented Apr 18, 2025

Sorry for the delayed response.

The original project is quite complicated to build; can you provide a minimal reproduction procedure?

Over the past week, I've been caught up in the challenge of crafting a minimal reproducible example.

I attempted to create some minimal examples in Go 1.24, allocating heap memory of varying sizes to try and trigger this error at the boundary of the arena. However, I have been unable to reproduce the issue so far.


brsvh commented Apr 18, 2025

We're also a little concerned about the patches 371ee14 and cdc9560. It's possible those commits depend on something else in Go 1.25. Can you reproduce with the toolchain at tip-of-tree?

Thanks for the heads-up. I tried building with the main branch 05ed8a0, and the issue disappeared. I believe it was indeed caused by the code you were concerned about.

The problem seems to be resolved at this point, but out of curiosity, I'd still like to understand exactly which parts of the code were involved.

@github-project-automation github-project-automation bot moved this from In Progress to Done in Go Compiler / Runtime Apr 18, 2025
@dmitshur dmitshur modified the milestones: Backlog, Go1.25 Apr 18, 2025
Development

No branches or pull requests

6 participants