
testing: reflect panic when the fuzz function converts between string and []byte #48320

Open
bcmills opened this issue Sep 10, 2021 · 1 comment

@bcmills (Member) commented Sep 10, 2021

What version of Go are you using (go version)?

$ gotip version
go version devel go1.18-7c648e2ac Thu Sep 9 17:28:03 2021 +0000 linux/amd64

Does this issue reproduce with the latest release?

N/A

What operating system and processor architecture are you using (go env)?

go env Output
$ gotip env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/usr/local/google/home/bcmills/.cache/go-build"
GOENV="/usr/local/google/home/bcmills/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/tmp/tmp.kTefRYzwUx/.gopath/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/tmp/tmp.kTefRYzwUx/.gopath"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/google/home/bcmills/sdk/gotip"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/google/home/bcmills/sdk/gotip/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="devel go1.18-7c648e2ac Thu Sep 9 17:28:03 2021 +0000"
GCCGO="/usr/local/google/home/bcmills/bin/gccgo"
AR="ar"
CC="gcc"
CXX="c++"
CGO_ENABLED="1"
GOMOD="/tmp/tmp.kTefRYzwUx/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build2246478704=/tmp/go-build -gno-record-gcc-switches"

What did you do?

Run go test -fuzz=. . on the following program:

package main

import (
	"bytes"
	"strconv"
	"testing"
)

func FuzzFuzzer(f *testing.F) {
	f.Fuzz(func(t *testing.T, x int, s string) {
		b := []byte(s)
		if bytes.Contains(b, strconv.AppendInt(nil, int64(x), 10)) {
			t.Errorf("minimize this!")
		}
	})
}

What did you expect to see?

A fuzzer report of a string that causes the fuzz function to fail with the error "minimize this!".

What did you see instead?

An internal reflect.Call panic originating in testing/fuzz.go.

$ gotip test -fuzz=. .
found a crash, minimizing...
gathering baseline coverage, elapsed: 0.0s, workers: 12, left: 9
--- FAIL: FuzzFuzzer (0.04s)
        panic: reflect: Call using []uint8 as type string
        goroutine 45 [running]:
        runtime/debug.Stack()
                /usr/local/google/home/bcmills/sdk/gotip/src/runtime/debug/stack.go:24 +0x90
        testing.tRunner.func1.2({0x58cbc0, 0xc00010ac00})
                /usr/local/google/home/bcmills/sdk/gotip/src/testing/testing.go:1288 +0x265
        testing.tRunner.func1()
                /usr/local/google/home/bcmills/sdk/gotip/src/testing/testing.go:1295 +0x225
        panic({0x58cbc0, 0xc00010ac00})
                /usr/local/google/home/bcmills/sdk/gotip/src/runtime/panic.go:814 +0x207
        reflect.Value.call({0x590540, 0x5c7b28, 0x13}, {0x5ba083, 0x4}, {0xc000116900, 0x3, 0x4})
                /usr/local/google/home/bcmills/sdk/gotip/src/reflect/value.go:410 +0x1a85
        reflect.Value.Call({0x590540, 0x5c7b28, 0xc000111e10}, {0xc000116900, 0x3, 0x4})
                /usr/local/google/home/bcmills/sdk/gotip/src/reflect/value.go:338 +0xc5
        testing.(*F).Fuzz.func1.1(0x0)
                /usr/local/google/home/bcmills/sdk/gotip/src/testing/fuzz.go:389 +0x1c6
        testing.tRunner(0xc0002224e0, 0xc000178300)
                /usr/local/google/home/bcmills/sdk/gotip/src/testing/testing.go:1342 +0x102
        created by testing.(*F).Fuzz.func1
                /usr/local/google/home/bcmills/sdk/gotip/src/testing/fuzz.go:378 +0x4e5

        --- FAIL: FuzzFuzzer (0.00s)

    Crash written to testdata/corpus/FuzzFuzzer/68c7b94e01ef563d1b08df67bb9f87c640ed0df95d6badf631e7541693c2f99d
    To re-run:
    go test example -run=FuzzFuzzer/68c7b94e01ef563d1b08df67bb9f87c640ed0df95d6badf631e7541693c2f99d
FAIL
exit status 1
FAIL    example 0.059s
FAIL

cc @jayconrod @katiehockman
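The panic message in the trace above comes from reflect.Value.Call rejecting a []uint8 argument for a string parameter. The following is an added example (not code from the Go repository or from the reporter) that reproduces that reflect behaviour outside the fuzzer and shows the argument-type check and conversion a caller would need before Call; callFuzzTarget and target are hypothetical names chosen here.

```go
package main

import (
	"fmt"
	"reflect"
)

// callFuzzTarget invokes fn through reflection, as a fuzz engine must.
// With convert=false the arguments go to reflect.Value.Call as-is, which
// panics on any type mismatch (the issue's failure: a []byte handed to a
// string parameter). With convert=true each argument is first converted to
// the parameter type when Go permits it; a remaining mismatch is an error.
func callFuzzTarget(fn interface{}, convert bool, args ...interface{}) (out []reflect.Value, err error) {
	fv := reflect.ValueOf(fn)
	ft := fv.Type()
	if ft.Kind() != reflect.Func || ft.NumIn() != len(args) {
		return nil, fmt.Errorf("need a func taking %d args", len(args))
	}
	in := make([]reflect.Value, len(args))
	for i, a := range args {
		v := reflect.ValueOf(a)
		if want := ft.In(i); convert && v.Type() != want {
			if !v.Type().ConvertibleTo(want) {
				return nil, fmt.Errorf("arg %d: cannot use %v as %v", i, v.Type(), want)
			}
			v = v.Convert(want)
		}
		in[i] = v
	}
	// Turn a reflect panic into an error so the caller sees the message
	// instead of a crashed worker goroutine.
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("%v", r)
		}
	}()
	return fv.Call(in), nil
}

// target has the shape of the issue's fuzz function, minus *testing.T.
func target(x int, s string) string { return fmt.Sprintf("%d:%s", x, s) }

func main() {
	_, err := callFuzzTarget(target, false, 7, []byte("abc"))
	fmt.Println("unguarded:", err) // reflect: Call using []uint8 as type string
	out, err := callFuzzTarget(target, true, 7, []byte("abc"))
	fmt.Println("converted:", out[0].String(), err) // 7:abc <nil>
}
```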

@bcmills bcmills changed the title [dev.fuzz] testing: reflect panic during minimization when the fuzz function converts between string and []byte [dev.fuzz] testing: reflect panic when the fuzz function converts between string and []byte Sep 10, 2021
@bcmills (Member, Author) commented Sep 10, 2021

I tried setting -fuzzminimizetime=0 after #48321, but it still fails in the same way. So maybe the crash doesn't actually have to do with minimization after all.

@katiehockman katiehockman added this to the Go1.18 milestone Sep 14, 2021
@rolandshoemaker rolandshoemaker self-assigned this Sep 15, 2021
@rsc rsc changed the title [dev.fuzz] testing: reflect panic when the fuzz function converts between string and []byte testing: reflect panic when the fuzz function converts between string and []byte Sep 21, 2021