
testing: reflect panic when the fuzz function converts between string and []byte #48320

Closed
bcmills opened this issue Sep 10, 2021 · 3 comments
Labels
fuzz Issues related to native fuzzing support NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. release-blocker WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided.
Comments

@bcmills
Member

bcmills commented Sep 10, 2021

What version of Go are you using (`go version`)?

```
$ gotip version
go version devel go1.18-7c648e2ac Thu Sep 9 17:28:03 2021 +0000 linux/amd64
```

Does this issue reproduce with the latest release?

N/A

What operating system and processor architecture are you using (`go env`)?

`go env` Output

```
$ gotip env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/usr/local/google/home/bcmills/.cache/go-build"
GOENV="/usr/local/google/home/bcmills/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/tmp/tmp.kTefRYzwUx/.gopath/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/tmp/tmp.kTefRYzwUx/.gopath"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/google/home/bcmills/sdk/gotip"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/google/home/bcmills/sdk/gotip/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="devel go1.18-7c648e2ac Thu Sep 9 17:28:03 2021 +0000"
GCCGO="/usr/local/google/home/bcmills/bin/gccgo"
AR="ar"
CC="gcc"
CXX="c++"
CGO_ENABLED="1"
GOMOD="/tmp/tmp.kTefRYzwUx/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build2246478704=/tmp/go-build -gno-record-gcc-switches"
```

What did you do?

Run `go test -fuzz=. .` on the following program:

```go
package main

import (
	"bytes"
	"strconv"
	"testing"
)

func FuzzFuzzer(f *testing.F) {
	// Fuzz function takes an int and a string; the string is converted
	// to []byte before the check.
	f.Fuzz(func(t *testing.T, x int, s string) {
		b := []byte(s)
		// Fail whenever the decimal form of x appears inside s.
		if bytes.Contains(b, strconv.AppendInt(nil, int64(x), 10)) {
			t.Errorf("minimize this!")
		}
	})
}
```

What did you expect to see?

A fuzzer report of a string that causes the fuzz function to fail with the error "minimize this!".

What did you see instead?

An internal `reflect.Call` panic originating in `testing/fuzz.go`.

```
$ gotip test -fuzz=. .
found a crash, minimizing...
gathering baseline coverage, elapsed: 0.0s, workers: 12, left: 9
--- FAIL: FuzzFuzzer (0.04s)
        panic: reflect: Call using []uint8 as type string
        goroutine 45 [running]:
        runtime/debug.Stack()
                /usr/local/google/home/bcmills/sdk/gotip/src/runtime/debug/stack.go:24 +0x90
        testing.tRunner.func1.2({0x58cbc0, 0xc00010ac00})
                /usr/local/google/home/bcmills/sdk/gotip/src/testing/testing.go:1288 +0x265
        testing.tRunner.func1()
                /usr/local/google/home/bcmills/sdk/gotip/src/testing/testing.go:1295 +0x225
        panic({0x58cbc0, 0xc00010ac00})
                /usr/local/google/home/bcmills/sdk/gotip/src/runtime/panic.go:814 +0x207
        reflect.Value.call({0x590540, 0x5c7b28, 0x13}, {0x5ba083, 0x4}, {0xc000116900, 0x3, 0x4})
                /usr/local/google/home/bcmills/sdk/gotip/src/reflect/value.go:410 +0x1a85
        reflect.Value.Call({0x590540, 0x5c7b28, 0xc000111e10}, {0xc000116900, 0x3, 0x4})
                /usr/local/google/home/bcmills/sdk/gotip/src/reflect/value.go:338 +0xc5
        testing.(*F).Fuzz.func1.1(0x0)
                /usr/local/google/home/bcmills/sdk/gotip/src/testing/fuzz.go:389 +0x1c6
        testing.tRunner(0xc0002224e0, 0xc000178300)
                /usr/local/google/home/bcmills/sdk/gotip/src/testing/testing.go:1342 +0x102
        created by testing.(*F).Fuzz.func1
                /usr/local/google/home/bcmills/sdk/gotip/src/testing/fuzz.go:378 +0x4e5

        --- FAIL: FuzzFuzzer (0.00s)

    Crash written to testdata/corpus/FuzzFuzzer/68c7b94e01ef563d1b08df67bb9f87c640ed0df95d6badf631e7541693c2f99d
    To re-run:
    go test example -run=FuzzFuzzer/68c7b94e01ef563d1b08df67bb9f87c640ed0df95d6badf631e7541693c2f99d
FAIL
exit status 1
FAIL    example 0.059s
FAIL
```

cc @jayconrod @katiehockman

@bcmills bcmills added fuzz Issues related to native fuzzing support NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels Sep 10, 2021
@bcmills bcmills changed the title [dev.fuzz] testing: reflect panic during minimization when the fuzz function converts between string and []byte [dev.fuzz] testing: reflect panic when the fuzz function converts between string and []byte Sep 10, 2021
@bcmills
Member Author

bcmills commented Sep 10, 2021

I tried setting `-fuzzminimizetime=0` after #48321, but it still fails in the same way. So maybe the crash doesn't actually have to do with minimization after all.

@katiehockman katiehockman added this to the Go1.18 milestone Sep 14, 2021
@rolandshoemaker rolandshoemaker self-assigned this Sep 15, 2021
@rsc rsc changed the title [dev.fuzz] testing: reflect panic when the fuzz function converts between string and []byte testing: reflect panic when the fuzz function converts between string and []byte Sep 21, 2021
@katiehockman
Contributor

katiehockman commented Sep 30, 2021

@bcmills I'm not able to reproduce this. One cause of an error like this is that you have a corpus file in `testdata/FuzzFuzzer`, or with `f.Add`, which is encoded as a `[]byte` instead of a `string`. Would you mind 1) confirming that you don't have anything in `testdata/FuzzFuzzer`, and 2) that you can still reproduce this at tip?
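The mismatch described in the comment above (a corpus entry encoded as `[]byte` where the fuzz function takes a `string`) is cheap to check before `reflect.Call` ever sees it. The following is an added example, not code from the Go project or from anyone in this thread: it parses the `go test fuzz v1` corpus file format (header line, then one `Type(literal)` line per argument), extracts the type name of each value and compares it with the fuzz function's declared parameter types. The two corpus bodies `goodCorpus` and `badCorpus` are constructed for the example; `checkCorpus` and `corpusTypes` are hypothetical helper names.

```go
package main

import (
	"fmt"
	"strings"
)

// corpusHeader is the first line of every go test fuzz corpus file.
const corpusHeader = "go test fuzz v1"

// Constructed corpus bodies (not from the issue) for a fuzz function that
// takes (int, string): one encoded correctly, one with the second value
// encoded as []byte, which is the mismatch katiehockman describes.
const goodCorpus = "go test fuzz v1\nint(42)\nstring(\"42\")\n"
const badCorpus = "go test fuzz v1\nint(42)\n[]byte(\"42\")\n"

// corpusTypes parses a corpus file body and returns the Go type name of
// each encoded value in order, e.g. ["int", "string"]. Each value line has
// the form TypeName(literal); only the TypeName part is needed here.
func corpusTypes(body string) ([]string, error) {
	lines := strings.Split(strings.TrimRight(body, "\n"), "\n")
	if len(lines) == 0 || lines[0] != corpusHeader {
		return nil, fmt.Errorf("missing corpus header %q", corpusHeader)
	}
	var types []string
	for i, line := range lines[1:] {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		open := strings.IndexByte(line, '(')
		if open <= 0 || !strings.HasSuffix(line, ")") {
			// i is zero-based within lines[1:], so the file line is i+2.
			return nil, fmt.Errorf("line %d: not of the form Type(value): %q", i+2, line)
		}
		types = append(types, line[:open])
	}
	return types, nil
}

// checkCorpus compares the encoded types in body against want, the fuzz
// function's parameter types after *testing.T, and returns one message
// per argument whose encoded type differs from the declared one.
func checkCorpus(body string, want []string) ([]string, error) {
	got, err := corpusTypes(body)
	if err != nil {
		return nil, err
	}
	if len(got) != len(want) {
		return nil, fmt.Errorf("corpus has %d values, fuzz function takes %d", len(got), len(want))
	}
	var mismatches []string
	for i := range want {
		if got[i] != want[i] {
			mismatches = append(mismatches,
				fmt.Sprintf("arg %d: corpus encodes %s, fuzz function takes %s", i, got[i], want[i]))
		}
	}
	return mismatches, nil
}

func main() {
	// FuzzFuzzer from the report takes (x int, s string).
	want := []string{"int", "string"}
	for _, c := range []struct{ name, body string }{{"good", goodCorpus}, {"bad", badCorpus}} {
		m, err := checkCorpus(c.body, want)
		fmt.Printf("%s: mismatches=%v err=%v\n", c.name, m, err)
	}
}
```

Running this prints no mismatches for `goodCorpus` and one for `badCorpus` (`arg 1: corpus encodes []byte, fuzz function takes string`), which is the condition that would otherwise surface as `reflect: Call using []uint8 as type string` only once the engine invokes the fuzz function.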

@katiehockman katiehockman added the WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. label Sep 30, 2021
@bcmills
Member Author

bcmills commented Oct 1, 2021

This no longer reproduces for me either. I think it went away when we took out the implicit input conversions.
