runtime: possible memory corruption caused by CL 304470 "cmd/compile, runtime: add metadata for argument printing in traceback" #49075
Comments
katiehockman
added
the
NeedsInvestigation
|
How often does this happen? Is there any way we could reproduce? |
|
@catenacyber says it is still happening multiple times a day on OSS-Fuzz. Philippe, do you have any hints about an easy way to get a reproduction case on our own machines? |
Around 50 times a day on oss-fuzz
I did not manage to reproduce it myself, did not try very hard though...
Well, the hard thing is that this bug does not reproduce for a specific input.
Then, I guess you need to wait one hour, and relaunch the fuzzer if it did not trigger the bug, until it does
Is there some environment variable to do so ? |
|
Maybe oss-fuzz uses |
No, you'd have to edit the code to replace pool allocations with |
so rebuild the standard library ? |
|
Just edit it, rebuild will be automatic. |
|
So, I did google/oss-fuzz#6623 with regex.go not using |
|
google/oss-fuzz#6623 looks worth a shot. Thanks. |
|
It looks like the bug is still happening but much less often. One last stack trace is
Any more clues ? |
Could you bisect to a particular commit that introduced the corruption? |
oss-fuzz uses latest Golang release, so they switched from 1.16.x to 1.17 on August 16th, but we do not know which commit exactly in this major release induced the buggy behavior... |
|
I have another possible theory: Is there any way you can get at the regexp and the contents of the string? In this case, My theory is that |
|
Put the hex encoded version of one string here : |
|
If it's an alignment issue, could we try to reproduce by mmap'ing a large block and creating a string with all the different possible alignments / ending pointer bytes? |
|
What is the regexp that is being used? |
|
regexp.MustCompile( |
|
So, there are kinds of a lot of answers to split.... |
|
Nothing obvious with the string+regexp you posted. Putting it at different alignments doesn't seem to trigger anything. |
|
This string posted comes with stack trace |
|
When running manually, it seems my string is always aligned on 16 bytes.like |
|
That doesn't seem right. The string posted is only 227927 bytes, but the stack trace shows that is is 9841664 bytes. To unalign a string, do: |
|
So, the string must have been corrupted before the call to |
|
I'm not sure I understand. How did you get the string, if not just dumping the 0x962c00 bytes starting at address 0x10c000ac201f ? |
oss-fuzz provides the stack trace, and the input that triggered it. |
|
Hm, then I guess the values in the stack traces are incorrect. Which can happen, especially with regabi introduced in 1.17. Another thing to try, run with |
FWIW, I was not able to reproduce either using the oss-fuzz local execution steps on a clean Linux VM (amd64, Ubuntu 20.04) following the directions outlined above in #49075 (comment), with 3 separate runs that totaled about 24 hours. I also ran for about 24 hours using dvyukov/go-fuzz against the same gonids fuzz target, which also did not crash (although I don't think there is an enormous amount of signal from that result, given libFuzzer and go-fuzz have different process restart strategies, different mutations, different propensity for creating large inputs, and so on). @catenacyber some questions for you:
That said, it might be that size of inputs in the corpus is not meaningful if this turns out to be due to some corruption.
In any event, sorry if anything I wrote is off base, but curious for your thoughts. |
I'm having a hard time to see how that CL can cause memory corruption. The code changed in that CL doesn't write to memory at run time, so it shouldn't corrupt anything. One exception is when Maybe it is miscompilation? That CL only adds a new metadata, which shouldn't affect program execution. The only possibility would be the added metadata corrupts some other data in the binary. In that case, I would expect it reproduces more reliably, though. Would it be possible to get one instance of failing binary and the source code? Maybe we could see if it is a miscompilation by inspecting the binary. Maybe we could run it over and over again locally to reproduce. |
|
So, first, triple checking : 1 Looking at oss-fuzz builds cf https://oss-fuzz-build-logs.storage.googleapis.com/index.html#gonids 2 We can see that the build from July 4th https://oss-fuzz-build-logs.storage.googleapis.com/log-abf6907c-7bbb-48e5-b055-2addef901dc7.txt has 3 The build from July 5th https://oss-fuzz-build-logs.storage.googleapis.com/log-fa1e00b7-57ab-4fe6-ac86-76a314a1c6c3.txt has `Note: switching to '537cde0b4b'. 4 Then on oss-fuzz https://oss-fuzz.com/testcase-detail/5194651375108096 (that may be restricted for an access, I can provide sceenshots), we see 68 crashes from 202206300609, 32 from 202207050612, and 0 from builds in between 5 If d4aa720 is good and 537cde0 is bad, as there is no commit in between, 537cde0 introduced this behavior
As a fuzzer, the program is supposed to panic sometimes and print the stack trace, is that what I do not know if this is relevant, but this fuzz target uses go routines (which is not common for fuzz targets)
I will try to get one binary |
The easiest is probably
Not exactly. When an unrecoverable panic occurs, it will print a stack trace, which uses the code added in that CL. But an unrecoverable panic would occur first, and that CL doesn't change whether such panic occurs.
Could you be sure that the memory corruption is not caused by the user code, or by the C++ code? Have you tried to run under the race detector while fuzzing? |
No results
How could I get such an insurance ? New fact : |
Running the test under the race detector would be a step, if it works.
The stack trace looks pretty much the same as the original one. It is the same stack of functions. |
If the bug really was introduced in that commit, would the race detector really help? It looks like many of the code changes in that commit are in the [Edit: I guess you're saying that since the stack trace is the same stack of functions, it's not that commit, and so the race detector may still help.] |
|
I don't think the bug is introduced in that CL. And the comment above #49075 (comment) also suggests that. The race detector would be helpful to see if there is any issue in the user code. I don't think we are really clear that it is a runtime bug. |
Indeed, but oss-fuzz/clusterfuzz fails to parse it the same way because of missing braces That led oss-fuzz to think the stack traces were different, hence the bugs were different, hence git bisect showed that the bug appeared with this formatting change. The golang bug was not introduced by that commit, but one in https://github.com/golang/go/commit/b05903a9f6408065c390ea6c62e523d9f51853a5..https://github.com/golang/go/commit/d3853fb4e6ee2b9f873ab2e41adc0e62a82e73e4 : we have known good and bad revisions (even with the different stack trace) So, see you in 10-ish days |
|
Here's the commit range more conveniently rendered at go.googlesource.com (not sure how to do it on GitHub): https://go.googlesource.com/go/+log/b05903a9f6408065c390ea6c62e523d9f51853a5..d3853fb4e6ee2b9f873ab2e41adc0e62a82e73e4 |
|
I am seeing other stack traces that may be related :
I can post the complete stack traces if needed |
|
Since we now know this isn't a recent regression, I'm moving this issue to 1.20. Looking forward to further bisection. :) |
|
Current bisection leaves 4ce49b4...9dd71ba |
|
So @aclements I think the commit introducing the regression is yours 9dd71ba |
|
And so, I bet the bug was already present previously in some non-default setup ?.. |
|
This looks like a pretty massive change... Let me know if I can help by providing additional information :
|
|
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=49328 is the new bug tracker with the fixed golang stack trace :-) |
cf golang/go#49075 Try to git bisect this unreproducible bug
|
Friendly ping @aclements : what can I do next to help understand this ABI bug cf #40724 ? |
Unfortunately, this just tells us it has something to do with register ABI, and not much else. You probably can't meaningfully bisect further back because register ABI didn't work much earlier than that commit. That leaves us with old-fashioned debugging. I would start with our usual GC issue debugging pattern:
|
|
Thanks Austin for getting back to this.
Can I set the env variable after I start the program ? |
katiehockman commentedOct 19, 2021
OSS-Fuzz reported an issue a few weeks ago that we suspect is memory corruption caused by the runtime. This started on August 16th, so is likely a Go 1.17 issue.
A slice bounds out of range issue is being reported from calls to
regexp.MustCompile(,\s*).SplitHowever, this is not reproducible with the inputs provided by OSS-Fuzz, so we expect something else is going on.
Below are some of the panic logs:
From rsc@:
The relevant code is processing the
[][]intreturned fromregexp.(*Regexp).FindAllStringIndex.That
[][]intis prepared by repeated append:Each of the
match[0:2]being appended is prepared inregexp.(*Regexp).doExecuteby:appending to a zero-length, non-nil slice to copy
m.matchcap.And each of the
m.matchcapis associated with the*regexp.machine m, which is kept in async.Poolfor reuse.The specific corruption is that the integers in the
[][]intare clear non-integers (like pointers),which suggests that either one of the appends is losing the reference accidentally during GC
or something in sync.Pool is wonky.
This could also be something strange that OSS-Fuzz is doing, and doesn't necessarily represent a real-world use case.
/cc @golang/security
The text was updated successfully, but these errors were encountered: