-
Notifications
You must be signed in to change notification settings - Fork 17.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cmd/compile: fuzzing triggers various crashes or internal compiler errors on tip #49019
Comments
Although it's good to find bugs, four decades of using this technique to find bugs in compilers has failed to find much of use in my experience. Others may well feel differently, but most of the problematic generated programs are utter garbage and as long as the compiler fails to compile them, I'm happy. By the time the C fuzzer was generating arrays of functions of volatile unions of registers, I'd lost interest. That said (and believed), with all the recent change in the compiler it's probably worth running the fuzzer. I would argue though that fixing problems from clearly ridiculous programs is not worth anyone's time. Yet some of these do look easy to fix. The last two are clearly just missed overflows in some form, while the first is just the latest iteration of the problems handling recursive types, a perennial landmine. One service the reporter can do is to try to whittle the example down to a more compact expression of the problem. These ones win by that metric, so thank you. |
Crash 1 looks like #49019, which we're working on. CC @griesemer Thank you for the diligent report. It will be interesting to continue fuzzing as we approach the release. Hopefully as we fix the known bugs, crashes that fuzzing finds will become increasingly unrealistic. |
Hi @findleyr, did you maybe mean #48974? (The issue number you mentioned is this issue here). If so, I see #48974 is closed as of two days ago for the type checker (with a follow-on issue for cmd/compile), but FWIW, I still see Crash 1 from above still happening in the same way on tip as of early this AM with 8b9c0d1, which still hits Also, Crash 1 from above might be the same as Crash 14 I reported in #39634 (also found via fuzzing): Crash 14 from #39634 (comment): runtime: goroutine stack exceeds 1000000000-byte limitIn package main
func F[T *any](func(T) T) { F(func(T) t {}) } The stack for Crash 14 is now different compared to when it was reported in June 2020, which is presumably expected due evolution since that early prototype. Also, I updated that older crash to the new syntax. |
What version of Go are you using (
go version
)?Does this issue reproduce with the latest release?
Yes, tip.
What operating system and processor architecture are you using (
go env
)?go env
OutputWhat did you do?
Fuzz cmd/compile using dvyukov/go-fuzz. (This is partially a follow-up to #39634, but there I was just fuzzing the type checker, whereas this was fuzzing the full cmd/compile).
Most of the fuzzing happened on an earlier commit, but roughly half of the original crashers that were initially found no longer reproduce on tip, or seem to be tracked elsewhere (e.g., #47631 (comment)).
What did you see?
Here are 4 crashers that still reproduce on latest tip with
go tool compile
:Crash 1: goroutine stack exceeds 1000000000-byte limit
In
types2.(*unifier).nifyEq
(vianifyEq -> nify -> nifyEq -> nify -> ...
)Crash 2: internal compiler error: label missing tag
In
escape.(*escape).stmt
:Crash 3: internal compiler error: bvset: index 6 is out of bounds with length 6
In
bitvec.BitVec.Set
(viatypebits.Set
andliveness.WriteFuncMap
):Crash 4: internal compiler error: bad type
In
types.typePos
(viatypes.CalcSize
):(FYI @mdempsky -- this is a belated follow-up from our conversation from a while ago).
The text was updated successfully, but these errors were encountered: