runtime: SIGABRT with while fuzzing #22033

Closed
ericlagergren opened this issue Sep 26, 2017 · 5 comments

@ericlagergren
Contributor

commented Sep 26, 2017

What version of Go are you using (go version)?

1.9

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

GOOS=darwin
GOARCH=amd64

What did you do?

If possible, provide a recipe for reproducing the error.
A complete runnable program is good.
A link on play.golang.org is best.

Running the following through go-fuzz

package fuzz

import (
	"fmt"
	"runtime"

	"github.com/ericlagergren/decimal"
)

// Fuzz round-trips the input through SetString/String and checks that the
// result compares equal to the original; it also cross-checks SetString's
// accept/reject decision against decimal.Regexp.
func Fuzz(data []byte) int {
	runtime.SetTraceback("all")

	d := new(decimal.Big)
	d.Context.OperatingMode = decimal.GDA
	d, ok := d.SetString(string(data))
	if !ok {
		// The regexp accepted the input but SetString rejected it without an error.
		if decimal.Regexp.Match(data) && d.Err() == nil {
			panic(fmt.Sprintf("should work: %q", data))
		}
		return 0
	}
	d2 := new(decimal.Big)
	d2.Context.OperatingMode = decimal.GDA
	s := d.String()
	d2, ok = d2.SetString(s)
	if !ok {
		panic(fmt.Sprintf("SetString(%q) == nil, false", s))
	}
	if d.Cmp(d2) != 0 {
		panic(fmt.Sprintf(`
got   : %#v (%q)
wanted: %#v (%q)
`, d2, d2, d, d))
	}
	if !decimal.Regexp.Match(data) {
		panic(fmt.Sprintf("got: %q", data))
	}
	return 1
}

What did you expect to see?

Program runs normally.

What did you see instead?

program hanged (timeout 10 seconds)

SIGABRT: abort
PC=0x105265b m=0 sigcode=0

goroutine 0 [idle]:
runtime.mach_semaphore_wait(0x803, 0x0, 0x7fff5fbff340, 0x102044a, 0x120dc20, 0x1206a40, 0x7fff5fbff348, 0x104d093, 0xffffffffffffffff, 0x0, ...)
	/var/folders/t8/1vtf9x6j6sg1hpxpzhgfkflm0000gn/T/go-fuzz-build498706011/goroot/src/runtime/sys_darwin_amd64.s:445 +0xb
runtime.semasleep1(0xffffffffffffffff, 0x0)
	/var/folders/t8/1vtf9x6j6sg1hpxpzhgfkflm0000gn/T/go-fuzz-build498706011/goroot/src/runtime/os_darwin.go:413 +0x52
runtime.semasleep.func1()
	/var/folders/t8/1vtf9x6j6sg1hpxpzhgfkflm0000gn/T/go-fuzz-build498706011/goroot/src/runtime/os_darwin.go:432 +0x33
runtime.systemstack(0x7fff5fbff370)
	/var/folders/t8/1vtf9x6j6sg1hpxpzhgfkflm0000gn/T/go-fuzz-build498706011/goroot/src/runtime/asm_amd64.s:360 +0xab
runtime.semasleep(0xffffffffffffffff, 0x7fff00000000)
	/var/folders/t8/1vtf9x6j6sg1hpxpzhgfkflm0000gn/T/go-fuzz-build498706011/goroot/src/runtime/os_darwin.go:431 +0x44
runtime.notesleep(0x1207050)
	/var/folders/t8/1vtf9x6j6sg1hpxpzhgfkflm0000gn/T/go-fuzz-build498706011/goroot/src/runtime/lock_sema.go:167 +0xe9
runtime.stopm()
	/var/folders/t8/1vtf9x6j6sg1hpxpzhgfkflm0000gn/T/go-fuzz-build498706011/goroot/src/runtime/proc.go:1670 +0xe5
runtime.findrunnable(0xc420020000, 0x0)
	/var/folders/t8/1vtf9x6j6sg1hpxpzhgfkflm0000gn/T/go-fuzz-build498706011/goroot/src/runtime/proc.go:2125 +0x4d2
runtime.schedule()
	/var/folders/t8/1vtf9x6j6sg1hpxpzhgfkflm0000gn/T/go-fuzz-build498706011/goroot/src/runtime/proc.go:2245 +0x12c
runtime.exitsyscall0(0xc420000180)
	/var/folders/t8/1vtf9x6j6sg1hpxpzhgfkflm0000gn/T/go-fuzz-build498706011/goroot/src/runtime/proc.go:2809 +0x10e
runtime.mcall(0x7fff5fbff550)
	/var/folders/t8/1vtf9x6j6sg1hpxpzhgfkflm0000gn/T/go-fuzz-build498706011/goroot/src/runtime/asm_amd64.s:286 +0x5b

goroutine 1 [runnable]:
math/big.nat.norm(0xc4a92cc000, 0xa6b7, 0xa6bb, 0xc4a91da000, 0xa6b6, 0x1e004)
	/var/folders/t8/1vtf9x6j6sg1hpxpzhgfkflm0000gn/T/go-fuzz-build498706011/goroot/src/math/big/nat.go:43 +0xfa
math/big.nat.mulAddWW(0xc4200186f0, 0x1, 0x5, 0xc4a91da000, 0xa6b6, 0x1e004, 0x497cc8fe5aa45962, 0x0, 0x0, 0x103b5f7, ...)
	/var/folders/t8/1vtf9x6j6sg1hpxpzhgfkflm0000gn/T/go-fuzz-build498706011/goroot/src/math/big/nat.go:179 +0x209
math/big.nat.mul(0xc4200186f0, 0x1, 0x5, 0xc4a91da000, 0xa6b6, 0x1e004, 0xc4200186f0, 0x1, 0x5, 0x1, ...)
	/var/folders/t8/1vtf9x6j6sg1hpxpzhgfkflm0000gn/T/go-fuzz-build498706011/goroot/src/math/big/nat.go:402 +0xca3
math/big.nat.mul(0xc4200186f0, 0x1, 0x5, 0xc4200186f0, 0x1, 0x5, 0xc4a91da000, 0xa6b6, 0x1e004, 0x0, ...)
	/var/folders/t8/1vtf9x6j6sg1hpxpzhgfkflm0000gn/T/go-fuzz-build498706011/goroot/src/math/big/nat.go:398 +0xd5b
math/big.(*Int).Mul(0xc42000a160, 0xc42000a160, 0xc420071d00, 0xa6b6)
	/var/folders/t8/1vtf9x6j6sg1hpxpzhgfkflm0000gn/T/go-fuzz-build498706011/goroot/src/math/big/int.go:156 +0xa0
github.com/ericlagergren/decimal/internal/arith/checked.MulBigPow10(0xc42000a160, 0xc4000c8bc8, 0x0)
	/var/folders/t8/1vtf9x6j6sg1hpxpzhgfkflm0000gn/T/go-fuzz-build498706011/gopath/src/github.com/ericlagergren/decimal/internal/arith/checked/checked.go:105 +0x147
github.com/ericlagergren/decimal.(*Big).Cmp(0xc46f98bf80, 0xc46f99c000, 0xc8bdb)
	/var/folders/t8/1vtf9x6j6sg1hpxpzhgfkflm0000gn/T/go-fuzz-build498706011/gopath/src/github.com/ericlagergren/decimal/decimal.go:434 +0xa98
github.com/ericlagergren/decimal/fuzz/SetString.Fuzz(0x12c7000, 0x1a, 0x200000, 0x3)
	/var/folders/t8/1vtf9x6j6sg1hpxpzhgfkflm0000gn/T/go-fuzz-build498706011/gopath/src/github.com/ericlagergren/decimal/fuzz/SetString/SetString.go:25 +0x195
go-fuzz-dep.Main(0x1158318)
	/var/folders/t8/1vtf9x6j6sg1hpxpzhgfkflm0000gn/T/go-fuzz-build498706011/goroot/src/go-fuzz-dep/main.go:49 +0xad
main.main()
	/var/folders/t8/1vtf9x6j6sg1hpxpzhgfkflm0000gn/T/go-fuzz-build498706011/gopath/src/github.com/ericlagergren/decimal/fuzz/SetString/go.fuzz.main/main.go:10 +0x2d

rax    0xe
rbx    0x1206f40
rcx    0x7fff5fbff2e8
rdx    0x7fff5fbff370
rdi    0x803
rsi    0x1
rbp    0x7fff5fbff320
rsp    0x7fff5fbff2e8
r8     0x0
r9     0x0
r10    0x0
r11    0x286
r12    0x44fa88b64bbd
r13    0x4811b1b19080
r14    0x14e7ce67a988fa00
r15    0x71
rip    0x105265b
rflags 0x286
cs     0x7
fs     0x0
gs     0x0
exit status 2
@ericlagergren

Contributor Author

commented Sep 26, 2017

I've a feeling this has to do with allocating too much memory, but I just wanted to make sure.

I get this with some regularity while fuzzing. Usually it happens with a "large" decimal like 5295328256648829282e822216. However, decimals like that aren't large at all since they are represented as an int64, int32 pair (characteristic: 5295328256648829282, mantissa: 822216). The fuzzing function converts it to a string, but even then it's just an ~800kB string.

@ianlancetaylor

Contributor

commented Sep 26, 2017

We need more information. I don't see a bug here; I see a program that was running normally but was killed because it ran for more than 10 seconds. Are you saying that the program should have terminated sooner?

@ericlagergren

Contributor Author

commented Sep 26, 2017

Right, this issue gave me pause enough to create an issue here. What more information is needed to determine whether this is an actual bug or just an overreaction on my part?

@ianlancetaylor

Contributor

commented Sep 26, 2017

The fuzzer doesn't really use the runtime much. It just calls your function with different inputs. So the first step would be to figure out which input the fuzzer is passing to your code. Then figure out what your code is doing with that input. Why did it take more than 10 seconds? It should be possible to recreate the problem without the fuzzer being involved at all.
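The advice above (recover the input, then reproduce the slow path without go-fuzz) can be followed with a stand-alone program. The example below is added here and is not code from the issue or from the decimal package: it assumes the coefficient/exponent representation the reporter describes, uses the quoted input 5295328256648829282e822216, and contrasts a comparison that materializes coefficient*10^delta as a big.Int (the shape of work the trace shows under Cmp, through MulBigPow10 into math/big.nat.mul) with one that orders by leading-digit position and never builds the power of ten. finishedWithin reproduces the fuzzer's per-input deadline outside the fuzzer; the pow10Repeated and pow10Exp builders are illustrative choices, not the library's implementation.

```go
package main

import (
	"fmt"
	"math/big"
	"strconv"
	"time"
)

// Decimal is a coefficient/exponent pair with value Coef * 10^Exp. This mirrors
// the (int64, int32) representation the thread describes; it is an assumption
// for this example, not the decimal package's own type.
type Decimal struct {
	Coef int64
	Exp  int32
}

// pow10Repeated builds 10^n with n single-word multiplications. Every step
// rescans the whole growing result, so the total work is quadratic in n.
func pow10Repeated(n int32) *big.Int {
	p := big.NewInt(1)
	ten := big.NewInt(10)
	for i := int32(0); i < n; i++ {
		p.Mul(p, ten)
	}
	return p
}

// pow10Exp builds 10^n by square-and-multiply, far cheaper for large n.
func pow10Exp(n int32) *big.Int {
	return new(big.Int).Exp(big.NewInt(10), big.NewInt(int64(n)), nil)
}

// materializedCmp aligns both operands to the smaller exponent by actually
// computing Coef * 10^delta. For the thread's input that operand is roughly
// 822216 digits long, which is where the time goes.
func materializedCmp(a, b Decimal, pow10 func(int32) *big.Int) int {
	minExp := a.Exp
	if b.Exp < minExp {
		minExp = b.Exp
	}
	x := new(big.Int).Mul(big.NewInt(a.Coef), pow10(a.Exp-minExp))
	y := new(big.Int).Mul(big.NewInt(b.Coef), pow10(b.Exp-minExp))
	return x.Cmp(y)
}

// digits returns the number of decimal digits in |c| (1 for zero); formatting
// sidesteps the overflow of negating math.MinInt64.
func digits(c int64) int32 {
	s := strconv.FormatInt(c, 10)
	if c < 0 {
		return int32(len(s) - 1)
	}
	return int32(len(s))
}

func sign(c int64) int {
	switch {
	case c < 0:
		return -1
	case c > 0:
		return 1
	}
	return 0
}

// cheapCmp orders two decimals without materializing a large power of ten.
// For nonzero values of the same sign the leading-digit position (digit count
// plus exponent) decides; only on a tie are the operands aligned, and then the
// exponent gap is at most 18, so that alignment is tiny.
func cheapCmp(a, b Decimal) int {
	sa, sb := sign(a.Coef), sign(b.Coef)
	if sa != sb {
		if sa < sb {
			return -1
		}
		return 1
	}
	if sa == 0 {
		return 0
	}
	adjA := int64(digits(a.Coef)) + int64(a.Exp)
	adjB := int64(digits(b.Coef)) + int64(b.Exp)
	if adjA != adjB {
		if adjA < adjB {
			return -sa
		}
		return sa
	}
	return materializedCmp(a, b, pow10Exp)
}

// finishedWithin runs f in its own goroutine and reports whether it returned
// before d elapsed: the fuzzer's per-input deadline, reproduced without the
// fuzzer. An overrunning f is not cancelled, only reported.
func finishedWithin(d time.Duration, f func()) bool {
	done := make(chan struct{})
	go func() {
		f()
		close(done)
	}()
	select {
	case <-done:
		return true
	case <-time.After(d):
		return false
	}
}

func main() {
	// Constructed from the input quoted in the thread: 5295328256648829282e822216.
	huge := Decimal{Coef: 5295328256648829282, Exp: 822216}
	one := Decimal{Coef: 1, Exp: 0}

	start := time.Now()
	fmt.Println("cheapCmp:", cheapCmp(huge, one), "in", time.Since(start))

	start = time.Now()
	ok := finishedWithin(10*time.Second, func() { materializedCmp(huge, one, pow10Repeated) })
	fmt.Println("materialized via repeated x10 finished within 10s:", ok, "in", time.Since(start))
}
```

Running main shows cheapCmp answering in microseconds while the materialized comparison with repeated multiplication by ten is the kind of work that can blow a 10-second budget on a single input; that is a property of the comparison algorithm, not of the runtime, which is the distinction the thread turns on. Swapping pow10Repeated for pow10Exp in main shows how much of the cost is the quadratic build rather than the size of the result.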

@ericlagergren

Contributor Author

commented Sep 27, 2017

@ianlancetaylor Sorry, I should've thought this through more than I did last night.

@golang golang locked and limited conversation to collaborators Sep 27, 2018
