testing: fuzz []byte arguments may be aliased slices

[nikolaydubina]

Go version

go version go1.24.0 darwin/arm64

Output of go env in your module/workspace:

AR='ar'
CC='clang'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='clang++'
GCCGO='gccgo'
GO111MODULE=''
GOARCH='arm64'
GOARM64='v8.0'
GOAUTH='netrc'
GOBIN='//Users/nikolaydubina/go/bin'
GOCACHE='/Users/nikolaydubina/Library/Caches/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/Users/nikolaydubina/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/dt/1y99_j6s0yj7y151_dr026gh0000gn/T/go-build1433113609=/tmp/go-build -gno-record-gcc-switches -fno-common'
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMOD='/Users/nikolaydubina/Workspace/go-fuzz-bytes-collision/go.mod'
GOMODCACHE='/Users/nikolaydubina/go/pkg/mod'
GONOPROXY='github.com/ndx-technologies'
GONOSUMDB='github.com/ndx-technologies'
GOOS='darwin'
GOPATH='/Users/nikolaydubina/go'
GOPRIVATE='github.com/ndx-technologies'
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/Users/nikolaydubina/Library/Application Support/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.24.0'
GOWORK=''
PKG_CONFIG='pkg-config'

What did you do?

package main_test

import (
	"bytes"
	"testing"
)

func testCollisionTwoByteSlices(t *testing.T, a, b []byte) {
	aBefore := make([]byte, len(a))
	copy(aBefore, a)

	bBefore := make([]byte, len(b))
	copy(bBefore, b)

	aAfter := append(a, b...)

	if !bytes.Equal(aBefore, aAfter[:len(aBefore)]) {
		t.Error(aBefore, aAfter, a)
	}
	if !bytes.Equal(bBefore, b) {
		// WARNING: b nor bBefore was ever modified!
		t.Error(aBefore, bBefore, a, b, aAfter)
	}
}

func TestCollisionTwoByteSlices(t *testing.T) {
	// same test data from fuzz tests output files
	// fuzz tests keep adding files there, use any new file it creates
	a := []byte("\x8bl")
	b := []byte("\x8bl\xcef\x1ed\x05\x99\xbfu\xac\x1c")

	testCollisionTwoByteSlices(t, a, b)
}

func FuzzCollisionTwoByteSlices(f *testing.F) { f.Fuzz(testCollisionTwoByteSlices) }

Here is minimal example: https://github.com/nikolaydubina/go-fuzz-bytes-collision

What did you see happen?

$ go test -fuzz=FuzzCollisionTwoByteSlices .
fuzz: elapsed: 0s, gathering baseline coverage: 0/3 completed
fuzz: elapsed: 0s, gathering baseline coverage: 3/3 completed, now fuzzing with 16 workers
fuzz: minimizing 110-byte failing input file
fuzz: elapsed: 0s, minimizing
--- FAIL: FuzzCollisionTwoByteSlices (0.02s)
    --- FAIL: FuzzCollisionTwoByteSlices (0.00s)
        fuzz_byte_collision_test.go:22: [158 108 29 51] [158 108 29 51 108 5 153 191 132 158 108 5 153 117 5 153 191 117 140 28] [158 108 29 51] [158 108 29 51 158 108 29 51 108 5 153 191 132 158 108 5 153 117 5 153] [158 108 29 51 158 108 29 51 108 5 153 191 132 158 108 5 153 117 5 153 191 117 140 28]
    
    Failing input written to testdata/fuzz/FuzzCollisionTwoByteSlices/3fc7dfebadf0ffc6
    To re-run:
    go test -run=FuzzCollisionTwoByteSlices/3fc7dfebadf0ffc6
FAIL
exit status 1
FAIL    github.com/nikolaydubina/go-fuzz-bytes-collision        1.196s

keeps failing. each time it records new values to file. but manually running the same values in t.Test succeeds. also fuzz test passes "tests" before starting to fuzz, meaning even to fuzz test itself those values that it recorded is correct upon running again. this leads to believe something is wrong in "generation" / "first time creation of []byte args" step in fuzz tests.

What did you expect to see?

fuzz test should be ok, same as test above it

each argument to fuzz test (including []byte) should be independent from each other

[gabyhelp]

Related Issues

• testing: fuzzed function can corrupt internal state of fuzzer #48606
• testing: data race with parallel fuzzing #50488 (closed)
• [dev.fuzz] Crash data written to corpus is incorrect #47587 (closed)
• internal/fuzz: many data races when fuzzing trivial string input #48307 (closed)
• testing: successive integer and boolean mutations can be the same #48291
• testing: reflect panic when the fuzz function converts between string and []byte #48320 (closed)
• internal/fuzz: fuzzer appears to mutate "immutable" string inputs #48308 (closed)
• [dev.fuzz] minimization discards crasher in favour of a non-crasher #48327 (closed)
• internal/fuzz: test_fuzz_minimize failures missing "got the minimum size" beginning 2021-11-17 #49685 (closed)

Related Code Changes

• [dev.fuzz] internal/fuzz: avoid corruption of minimized crashers

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[seankhliao]

a simple solution would probably be to slices.Clip before invoking the test function

[sfllaw]

But… I want my fuzzer to test this edge case.

[nikolaydubina]

@seankhliao so no update on this?