go语言局部变量分配在栈还是堆

96
CodingCode
0.5 2017.09.16 18:34* 字数 973

一个问题引发的思考?
如下go语言代码

package main

func foo(m0 int) (*int) {
  var m1 int = 11;
  return &m1
}

func main() {
  m := foo(100)
  println(*m)
}

编译运行:

$ go build main.go && ./main 
11

竟然没有出现任何编译错误。
熟悉C/C++语言的同学,立马就能看出这个程序是存在"问题"的,即函数foo把局部变量m1的地址给返回了,当函数foo返回的时候,m1的地址是会消亡的,这个代码有很严重的问题,一般的C/C++编译器都会给出警告错误:

$ cat main.c 
#include <stdio.h>

int * foo(int m0) {
  int m1 = 11;
  return &m1;
}

int main() {
  int * m = foo(100);
  printf("%d\n", *m);
}
$
$
$ gcc main.c 
main.c:8:11: warning: address of stack memory associated with local variable 'm1' returned [-Wreturn-stack-address]
  return &m1;
          ^~
1 warning generated.

如上C/C++编译器明确给出了警告,foo把一个局部变量的地址返回了;反而高大上的go没有给出任何警告,难道是go编译器识别不出这个问题吗?
答案不是的,参考go FAQ里面的一段话:

How do I know whether a variable is allocated on the heap or the stack?

From a correctness standpoint, you don't need to know. Each variable in Go exists as long as there are references to it. The storage location chosen by the implementation is irrelevant to the semantics of the language.

The storage location does have an effect on writing efficient programs. When possible, the Go compilers will allocate variables that are local to a function in that function's stack frame. However, if the compiler cannot prove that the variable is not referenced after the function returns, then the compiler must allocate the variable on the garbage-collected heap to avoid dangling pointer errors. Also, if a local variable is very large, it might make more sense to store it on the heap rather than the stack.

In the current compilers, if a variable has its address taken, that variable is a candidate for allocation on the heap. However, a basic escape analysis recognizes some cases when such variables will not live past the return from the function and can reside on the stack.

意思是说go语言编译器会自动决定把一个变量放在栈还是放在堆,编译器会做逃逸分析(escape analysis),当发现变量的作用域没有跑出函数范围,就可以在栈上,反之则必须分配在堆。
go语言声称这样可以释放程序员关于内存的使用限制,更多的让程序员关注于程序功能逻辑本身。

个人觉得这是扯淡,属于自作主张的小聪明,非常不喜欢这个设计。还是C/C++的逻辑非常清楚:简单逻辑是,声明的局部变量分配在栈,通过动态申请(malloc, new)的内存在堆里。

不爽归不爽,既然go语言这么实践了,我们还是来举证一下这个例子:

$ cat main.go
package main

func foo(m0 int) (*int) {
  var m1 int = 11;
  var m2 int = 12; 
  var m3 int = 13; 
  var m4 int = 14; 
  var m5 int = 15; 

  println(&m0, &m1, &m2, &m3, &m4, &m5)
  println(&m0, &m1, &m2, &m3, &m4, &m5)
  println(&m0, &m1, &m2, &m3, &m4, &m5)
  println(&m0, &m1, &m2, &m3, &m4, &m5)
  println(&m0, &m1, &m2, &m3, &m4, &m5)

  return &m3
}

func main() {
  m := foo(100)
  println(*m)
}
$
$ go tool compile -m main.go |more
main.go:16:10: &m3 escapes to heap
main.go:6:7: moved to heap: m3
main.go:10:11: foo &m0 does not escape
main.go:10:16: foo &m1 does not escape
...
$
$ go build main.go && ./main 
0xc420041f58 0xc420041f38 0xc420041f30 0xc420012068 0xc420041f28 0xc420041f20
0xc420041f58 0xc420041f38 0xc420041f30 0xc420012068 0xc420041f28 0xc420041f20
0xc420041f58 0xc420041f38 0xc420041f30 0xc420012068 0xc420041f28 0xc420041f20
0xc420041f58 0xc420041f38 0xc420041f30 0xc420012068 0xc420041f28 0xc420041f20
0xc420041f58 0xc420041f38 0xc420041f30 0xc420012068 0xc420041f28 0xc420041f20
13

可以看出同样定义的局部变量m0, m1, .... m5,他们的的地址是有差异的:m0作为传入参数是分配在栈上,m1, m2, m4, m5也分配在栈上的连续地址,而m3的地址却在堆上,因为编译器分析出m3变量有逃逸行为。

我们再看一下编译器生成的汇编码:

var m1 int = 11;
  0x003e 00062 (/.../src/main/main.go:4) MOVQ  $11, "".m1+40(SP)
var m2 int = 12;
  0x0047 00071 (/.../src/main/main.go:5) MOVQ  $12, "".m2+32(SP)
var m3 int = 13;
  0x0050 00080 (/.../src/main/main.go:5) LEAQ  type.int(SB), AX
  0x0057 00087 (/.../src/main/main.go:6) MOVQ  AX, (SP)
  0x005b 00091 (/.../src/main/main.go:6) PCDATA  $0, $0
  0x005b 00091 (/.../src/main/main.go:6) CALL  runtime.newobject(SB)
  0x0060 00096 (/.../src/main/main.go:6) MOVQ  8(SP), AX
  0x0065 00101 (/.../src/main/main.go:6) MOVQ  AX, "".&m3+288(SP)
  0x006d 00109 (/.../src/main/main.go:6) MOVQ  $13, (AX)
var m4 int = 14;
  0x0074 00116 (/.../src/main/main.go:7) MOVQ  $14, "".m4+24(SP)
var m5 int = 15;
  0x007d 00125 (/.../src/main/main.go:8) MOVQ  $15, "".m5+16(SP)

看到对m3的处理调用了库函数runtime.newobject(...),所以把m3存放在堆中。

看来确实是go语言会根据局部变量有没有发生逃逸行为来自动决定一个局部变量是分配在栈,还是分配在堆。

对于动态new出来的局部变量,go语言编译器也会根据是否有逃逸行为来决定是分配在堆还是栈,而不是直接分配在堆中。

$ cat main.go
package main

func foo(m0 * int) (*int) {
  var m1 * int = new(int);
  var m2 * int = new(int);
  var m3 * int = new(int);
  var m4 * int = new(int);
  var m5 * int = new(int);

  println(m0, m1, m2, m3, m4, m5)
  println(m0, m1, m2, m3, m4, m5)
  println(m0, m1, m2, m3, m4, m5)
  println(m0, m1, m2, m3, m4, m5)
  println(m0, m1, m2, m3, m4, m5)
  println(m0, m1, m2, m3, m4, m5)
  println(m0, m1, m2, m3, m4, m5)
  println(m0, m1, m2, m3, m4, m5)
  println(m0, m1, m2, m3, m4, m5)
  println(m0, m1, m2, m3, m4, m5)
  println(m0, m1, m2, m3, m4, m5)
  println(m0, m1, m2, m3, m4, m5)
  println(m0, m1, m2, m3, m4, m5)

  return m3
}

func main() {
  n := 100
  m := foo(&n)
  println(*m)
}
$
$
$ go tool compile -m main.go |more
main.go:6:21: new(int) escapes to heap
main.go:3:22: foo m0 does not escape
main.go:4:21: foo new(int) does not escape
main.go:5:21: foo new(int) does not escape
main.go:7:21: foo new(int) does not escape
main.go:8:21: foo new(int) does not escape
main.go:29:12: main &n does not escape
$
$ go build main.go && ./main 
0xc420041f60 0xc420041f28 0xc420041f20 0xc420012068 0xc420041f18 0xc420041f30
0xc420041f60 0xc420041f28 0xc420041f20 0xc420012068 0xc420041f18 0xc420041f30
0xc420041f60 0xc420041f28 0xc420041f20 0xc420012068 0xc420041f18 0xc420041f30
0xc420041f60 0xc420041f28 0xc420041f20 0xc420012068 0xc420041f18 0xc420041f30
0xc420041f60 0xc420041f28 0xc420041f20 0xc420012068 0xc420041f18 0xc420041f30
0xc420041f60 0xc420041f28 0xc420041f20 0xc420012068 0xc420041f18 0xc420041f30
0xc420041f60 0xc420041f28 0xc420041f20 0xc420012068 0xc420041f18 0xc420041f30
0xc420041f60 0xc420041f28 0xc420041f20 0xc420012068 0xc420041f18 0xc420041f30
0xc420041f60 0xc420041f28 0xc420041f20 0xc420012068 0xc420041f18 0xc420041f30
0xc420041f60 0xc420041f28 0xc420041f20 0xc420012068 0xc420041f18 0xc420041f30
0xc420041f60 0xc420041f28 0xc420041f20 0xc420012068 0xc420041f18 0xc420041f30
0xc420041f60 0xc420041f28 0xc420041f20 0xc420012068 0xc420041f18 0xc420041f30
0xc420041f60 0xc420041f28 0xc420041f20 0xc420012068 0xc420041f18 0xc420041f30
0

和前面例子一样,m0作为参数分配在栈中,而 m1, m2, m4, m5也是分配在栈中,尽管他们都是通过new动态分配出来的,只有m3分配在堆中,原因是m3有逃逸行为。

结论就是一个函数内局部变量,不管是不是动态new出来的,它会被分配在堆还是栈,是由编译器做逃逸分析之后做出的决定。

GoLang