testing: reflect panic when the fuzz function converts between string and []byte #48320

@bcmills

Description

What version of Go are you using (go version)?

$ gotip version
go version devel go1.18-7c648e2ac Thu Sep 9 17:28:03 2021 +0000 linux/amd64

Does this issue reproduce with the latest release?

N/A

What operating system and processor architecture are you using (go env)?

go env Output
$ gotip env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/usr/local/google/home/bcmills/.cache/go-build"
GOENV="/usr/local/google/home/bcmills/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/tmp/tmp.kTefRYzwUx/.gopath/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/tmp/tmp.kTefRYzwUx/.gopath"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/google/home/bcmills/sdk/gotip"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/google/home/bcmills/sdk/gotip/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="devel go1.18-7c648e2ac Thu Sep 9 17:28:03 2021 +0000"
GCCGO="/usr/local/google/home/bcmills/bin/gccgo"
AR="ar"
CC="gcc"
CXX="c++"
CGO_ENABLED="1"
GOMOD="/tmp/tmp.kTefRYzwUx/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build2246478704=/tmp/go-build -gno-record-gcc-switches"

What did you do?

Run go test -fuzz=. . on the following program:

package main

import (
	"bytes"
	"strconv"
	"testing"
)

func FuzzFuzzer(f *testing.F) {
	f.Fuzz(func(t *testing.T, x int, s string) {
		b := []byte(s)
		if bytes.Contains(b, strconv.AppendInt(nil, int64(x), 10)) {
			t.Errorf("minimize this!")
		}
	})
}

What did you expect to see?

A fuzzer report of a string that causes the fuzz function to fail with the error "minimize this!".

What did you see instead?

An internal reflect.Call panic originating in testing/fuzz.go.

$ gotip test -fuzz=. .
found a crash, minimizing...
gathering baseline coverage, elapsed: 0.0s, workers: 12, left: 9
--- FAIL: FuzzFuzzer (0.04s)
        panic: reflect: Call using []uint8 as type string
        goroutine 45 [running]:
        runtime/debug.Stack()
                /usr/local/google/home/bcmills/sdk/gotip/src/runtime/debug/stack.go:24 +0x90
        testing.tRunner.func1.2({0x58cbc0, 0xc00010ac00})
                /usr/local/google/home/bcmills/sdk/gotip/src/testing/testing.go:1288 +0x265
        testing.tRunner.func1()
                /usr/local/google/home/bcmills/sdk/gotip/src/testing/testing.go:1295 +0x225
        panic({0x58cbc0, 0xc00010ac00})
                /usr/local/google/home/bcmills/sdk/gotip/src/runtime/panic.go:814 +0x207
        reflect.Value.call({0x590540, 0x5c7b28, 0x13}, {0x5ba083, 0x4}, {0xc000116900, 0x3, 0x4})
                /usr/local/google/home/bcmills/sdk/gotip/src/reflect/value.go:410 +0x1a85
        reflect.Value.Call({0x590540, 0x5c7b28, 0xc000111e10}, {0xc000116900, 0x3, 0x4})
                /usr/local/google/home/bcmills/sdk/gotip/src/reflect/value.go:338 +0xc5
        testing.(*F).Fuzz.func1.1(0x0)
                /usr/local/google/home/bcmills/sdk/gotip/src/testing/fuzz.go:389 +0x1c6
        testing.tRunner(0xc0002224e0, 0xc000178300)
                /usr/local/google/home/bcmills/sdk/gotip/src/testing/testing.go:1342 +0x102
        created by testing.(*F).Fuzz.func1
                /usr/local/google/home/bcmills/sdk/gotip/src/testing/fuzz.go:378 +0x4e5

        --- FAIL: FuzzFuzzer (0.00s)

    Crash written to testdata/corpus/FuzzFuzzer/68c7b94e01ef563d1b08df67bb9f87c640ed0df95d6badf631e7541693c2f99d
    To re-run:
    go test example -run=FuzzFuzzer/68c7b94e01ef563d1b08df67bb9f87c640ed0df95d6badf631e7541693c2f99d
FAIL
exit status 1
FAIL    example 0.059s
FAIL

cc @jayconrod @katiehockman
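Added illustration, not part of the report or of the Go project's code: the message in the trace above is reflect's argument-type check inside Value.Call, which does not perform Go's implicit string([]byte) conversion. The snippet calls a target with the same shape as the fuzz function through reflect, first with a []byte where a string is expected (reproducing the exact panic text) and then after an explicit reflect.Value.Convert; Target and CallWithBytes are hypothetical names chosen here.

```go
package main

import (
	"fmt"
	"reflect"
)

// Target mirrors the fuzz function's shape in the report: an int and a
// string parameter. It is a stand-in, not the reporter's code.
func Target(x int, s string) bool {
	return len(s) > x
}

// CallWithBytes invokes fn via reflect, passing b where fn expects a string.
// With convert=false this reproduces the reported panic; with convert=true the
// []byte is converted to string first, which is what the caller has to do.
func CallWithBytes(fn interface{}, x int, b []byte, convert bool) (result bool, panicMsg string) {
	defer func() {
		if r := recover(); r != nil {
			// reflect panics with a plain string; capture it for the caller.
			panicMsg = fmt.Sprint(r)
		}
	}()
	v := reflect.ValueOf(fn)
	arg := reflect.ValueOf(b) // static type []uint8, not string
	if convert {
		// Value.Convert performs the string([]byte) conversion that a bare
		// Value.Call refuses to do implicitly.
		arg = arg.Convert(v.Type().In(1))
	}
	out := v.Call([]reflect.Value{reflect.ValueOf(x), arg})
	return out[0].Bool(), ""
}

func main() {
	_, msg := CallWithBytes(Target, 2, []byte("abc"), false)
	fmt.Println("without conversion:", msg)
	ok, _ := CallWithBytes(Target, 2, []byte("abc"), true)
	fmt.Println("with conversion:", ok)
}
```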

Labels: FrozenDueToAge, NeedsInvestigation, WaitingForInfo, fuzz, release-blocker