[release-branch.go1.23] runtime: size maps.Clone destination bucket array safely

In rare situations, like during same-sized grows, the source map for
maps.Clone may be overloaded (has more than 6.5 entries per
bucket). This causes the runtime to allocate a larger bucket array for
the destination map than for the source map. The maps.Clone code
walks off the end of the source array if it is smaller than the
destination array.

This is a pretty simple fix, ensuring that the destination bucket
array is never longer than the source bucket array. Maybe a better fix
is to make the Clone code handle shorter source arrays correctly, but
this fix is deliberately simple to reduce the risk of backporting this
fix.

Fixes #69156

Change-Id: I824c93d1db690999f25a3c43b2816fc28ace7509
Reviewed-on: https://go-review.googlesource.com/c/go/+/610377
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Cuong Manh Le <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Dmitri Shuralyov <[email protected]>
Reviewed-by: Keith Randall <[email protected]>

Author: randall77

src/runtime/map.go

@@ -1209,6 +1209,11 @@ func (h *hmap) sameSizeGrow() bool {
 	return h.flags&sameSizeGrow != 0
 }
 
+//go:linkname sameSizeGrowForIssue69110Test
+func sameSizeGrowForIssue69110Test(h *hmap) bool {
+	return h.sameSizeGrow()
+}
+
 // noldbuckets calculates the number of buckets prior to the current map growth.
 func (h *hmap) noldbuckets() uintptr {
 	oldB := h.B
@@ -1668,7 +1673,16 @@ func moveToBmap(t *maptype, h *hmap, dst *bmap, pos int, src *bmap) (*bmap, int)
 }
 
 func mapclone2(t *maptype, src *hmap) *hmap {
-	dst := makemap(t, src.count, nil)
+	hint := src.count
+	if overLoadFactor(hint, src.B) {
+		// Note: in rare cases (e.g. during a same-sized grow) the map
+		// can be overloaded. Make sure we don't allocate a destination
+		// bucket array larger than the source bucket array.
+		// This will cause the cloned map to be overloaded also,
+		// but that's better than crashing. See issue 69110.
+		hint = int(loadFactorNum * (bucketShift(src.B) / loadFactorDen))
+	}
+	dst := makemap(t, hint, nil)
 	dst.hash0 = src.hash0
 	dst.nevacuate = 0
 	// flags do not need to be copied here, just like a new map has no flags.

test/fixedbugs/issue69110.go

@@ -0,0 +1,57 @@
+// run
+
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+import (
+	"maps"
+	_ "unsafe"
+)
+
+func main() {
+	for i := 0; i < 100; i++ {
+		f()
+	}
+}
+
+const NB = 4
+
+func f() {
+	// Make a map with NB buckets, at max capacity.
+	// 6.5 entries/bucket.
+	ne := NB * 13 / 2
+	m := map[int]int{}
+	for i := 0; i < ne; i++ {
+		m[i] = i
+	}
+
+	// delete/insert a lot, to hopefully get lots of overflow buckets
+	// and trigger a same-size grow.
+	ssg := false
+	for i := ne; i < ne+1000; i++ {
+		delete(m, i-ne)
+		m[i] = i
+		if sameSizeGrow(m) {
+			ssg = true
+			break
+		}
+	}
+	if !ssg {
+		return
+	}
+
+	// Insert 1 more entry, which would ordinarily trigger a growth.
+	// We can't grow while growing, so we instead go over our
+	// target capacity.
+	m[-1] = -1
+
+	// Cloning in this state will make a map with a destination bucket
+	// array twice the size of the source.
+	_ = maps.Clone(m)
+}
+
+//go:linkname sameSizeGrow runtime.sameSizeGrowForIssue69110Test
+func sameSizeGrow(m map[int]int) bool