You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Summary: Fixed Memory Corruption Panic in Async Callbacks
The Bug
The library was misusing cgo.Handle in every asynchronous function (e.g., MapAsync, RequestAdapter, RequestDevice, and internal error scope checks).
The code was creating a cgo.Handle and then passing a pointer to that local variable (unsafe.Pointer(&handle)) to a C function. Since these functions are asynchronous, the Go function returns immediately and its stack frame is destroyed. When the C callback eventually fires, it attempts to dereference that now-invalid stack pointer to retrieve the handle, leading to: panic: runtime/cgo: misuse of an invalid Handle
Affected Platforms
This issue likely affects all desktop platforms (macOS, Windows, Linux) where Go's CGO implementation is used. It was specifically observed and reproduced on macOS.
How to Reproduce
Use any asynchronous function in the library, such as Buffer.MapAsync.
Perform frequent asynchronous operations (e.g., reading back data every frame).
Within 10-20 seconds, the application will crash with a runtime/cgo panic when a callback attempts to process an invalid pointer from a previous call's stack.
The Fix
The fix implements the standard, safe pattern for passing cgo.Handle through C:
Pass by Value: Instead of passing the address of the handle variable, the handle (which is a uintptr under the hood) is converted directly to an unsafe.Pointer and passed as the userdata.
// Before (BROKEN)handle:=cgo.NewHandle(cb)
C.some_async_func(..., unsafe.Pointer(&handle))
// After (FIXED)handle:=cgo.NewHandle(cb)
C.some_async_func(..., unsafe.Pointer(handle))
Cast on Recovery: In the Go callback exported to C, the userdata is cast back to a cgo.Handle directly without dereferencing a pointer.
// Before (BROKEN)handle:=*(*cgo.Handle)(userdata)
// After (FIXED)handle:=cgo.Handle(userdata)
This ensures that the handle value itself is preserved in the C userdata field, independent of the lifetime of the calling function's stack.
The reason will be displayed to describe this comment to others. Learn more.
Thanks for your contribution!
I think that this fix for #6 might be superseded by #13, which has a more robust implementation of handles. We can see if your issue is addressed once we merge #13; if it is not, I will take another look at this.
Since these functions are asynchronous, the Go function returns immediately and its stack frame is destroyed. When the C callback eventually fires, it attempts to dereference that now-invalid stack pointer to retrieve the handle, leading to:
panic: runtime/cgo: misuse of an invalid Handle
That is not how go works. If it recognizes that the pointer escapes (like it does here), it will move the allocation to the heap.
// After (FIXED)
handle := cgo.NewHandle(cb)
C.some_async_func(..., unsafe.Pointer(handle))
This is wrong. Have a look at the documentation of runtime.Handle:
Some C functions accept a void* argument that points to an arbitrary data value supplied by the caller. It is not safe to coerce a Handle (an integer) to a Go unsafe.Pointer, but instead we can pass the address of the cgo.Handle to the void* parameter, as in this variant of the previous example.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary: Fixed Memory Corruption Panic in Async Callbacks
The Bug
The library was misusing
cgo.Handlein every asynchronous function (e.g.,MapAsync,RequestAdapter,RequestDevice, and internal error scope checks).The code was creating a
cgo.Handleand then passing a pointer to that local variable (unsafe.Pointer(&handle)) to a C function. Since these functions are asynchronous, the Go function returns immediately and its stack frame is destroyed. When the C callback eventually fires, it attempts to dereference that now-invalid stack pointer to retrieve the handle, leading to:panic: runtime/cgo: misuse of an invalid HandleAffected Platforms
This issue likely affects all desktop platforms (macOS, Windows, Linux) where Go's CGO implementation is used. It was specifically observed and reproduced on macOS.
How to Reproduce
Buffer.MapAsync.runtime/cgopanic when a callback attempts to process an invalid pointer from a previous call's stack.The Fix
The fix implements the standard, safe pattern for passing
cgo.Handlethrough C:Pass by Value: Instead of passing the address of the handle variable, the handle (which is a
uintptrunder the hood) is converted directly to anunsafe.Pointerand passed as theuserdata.Cast on Recovery: In the Go callback exported to C, the
userdatais cast back to acgo.Handledirectly without dereferencing a pointer.This ensures that the handle value itself is preserved in the C
userdatafield, independent of the lifetime of the calling function's stack.