x/vuln: Panics regularly #54995

Closed
klauern opened this issue Sep 10, 2022 · 7 comments
Labels
FrozenDueToAge vulncheck or vulndb Issues for the x/vuln or x/vulndb repo x/vuln
@klauern

klauern commented Sep 10, 2022

What version of Go are you using (go version)?

$ go version
go version go1.19.1 darwin/amd64

Does this issue reproduce at the latest version of golang.org/x/vuln?

As far as I know, yes. I don't know if there's a way to force latest to pull updates, but I did just run go install

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/nklauer/Library/Caches/go-build"
GOENV="/Users/nklauer/Library/Application Support/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/nklauer/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/nklauer/go"
GOPRIVATE=""
GOROOT="/usr/local/Cellar/go/1.19.1/libexec"
GOSUMDB="off"
GOTMPDIR=""
GOTOOLDIR="/usr/local/Cellar/go/1.19.1/libexec/pkg/tool/darwin_amd64"
GOVCS=""
GOVERSION="go1.19.1"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/nklauer/dev/secure/ziggy/go.mod"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -arch x86_64 -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/xf/1zy1skqj6lj51ym5mybtq_800000gq/T/go-build3917429776=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

I have tried running govulncheck on a few of my applications and so far the only thing I get back is a panic.

What did you expect to see?

What did you see instead?

panic: T

goroutine 2599 [running]:
golang.org/x/tools/go/ssa.(*Program).needMethods(0xc019045e10, {0x162deb8?, 0xc000ef4210?}, 0x0)
        /Users/nklauer/go/pkg/mod/golang.org/x/tools@v0.1.8/go/ssa/methods.go:237 +0x5b9
golang.org/x/tools/go/ssa.(*Program).needMethods(0xc019045e10, {0x162ddf0?, 0xc000eca750?}, 0x0)
        /Users/nklauer/go/pkg/mod/golang.org/x/tools@v0.1.8/go/ssa/methods.go:193 +0x487
golang.org/x/tools/go/ssa.(*Program).needMethods(0xc019045e10, {0x162de90?, 0xc000e91350?}, 0x0)
        /Users/nklauer/go/pkg/mod/golang.org/x/tools@v0.1.8/go/ssa/methods.go:233 +0x710
golang.org/x/tools/go/ssa.(*Program).needMethods(0xc019045e10, {0x162ddf0?, 0xc01c8c22e0?}, 0x0)
        /Users/nklauer/go/pkg/mod/golang.org/x/tools@v0.1.8/go/ssa/methods.go:181 +0x1b4
golang.org/x/tools/go/ssa.(*Program).needMethods(0xc019045e10, {0x162ddc8?, 0xc0009da700?}, 0x0)
        /Users/nklauer/go/pkg/mod/golang.org/x/tools@v0.1.8/go/ssa/methods.go:215 +0x565
golang.org/x/tools/go/ssa.(*Program).needMethodsOf(0xc019045e10, {0x162ddc8?, 0xc0009da700?})
        /Users/nklauer/go/pkg/mod/golang.org/x/tools@v0.1.8/go/ssa/methods.go:145 +0x70
golang.org/x/tools/go/ssa.(*Package).build(0xc01903f380)
        /Users/nklauer/go/pkg/mod/golang.org/x/tools@v0.1.8/go/ssa/builder.go:2281 +0x111
sync.(*Once).doSlow(0x0?, 0x0?)
        /usr/local/Cellar/go/1.19.1/libexec/src/sync/once.go:74 +0xc2
sync.(*Once).Do(...)
        /usr/local/Cellar/go/1.19.1/libexec/src/sync/once.go:65
golang.org/x/tools/go/ssa.(*Package).Build(...)
        /Users/nklauer/go/pkg/mod/golang.org/x/tools@v0.1.8/go/ssa/builder.go:2269
golang.org/x/tools/go/ssa.(*Program).Build.func1(0x0?)
        /Users/nklauer/go/pkg/mod/golang.org/x/tools@v0.1.8/go/ssa/builder.go:2253 +0x4c
created by golang.org/x/tools/go/ssa.(*Program).Build
        /Users/nklauer/go/pkg/mod/golang.org/x/tools@v0.1.8/go/ssa/builder.go:2252 +0x19c
@klauern klauern added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Sep 10, 2022
@gopherbot gopherbot added this to the Unreleased milestone Sep 10, 2022
@seankhliao
Member

go version -m /path/to/govulncheck please?

@klauern
Author

klauern commented Sep 10, 2022

        path    golang.org/x/vuln/cmd/govulncheck
        mod     golang.org/x/vuln       v0.0.0-20220331201349-63200278c86a      h1:JMaGYGKpqcBrR0BJ/vCwedt3XaSrwgKS/jKxseWoy/o=
        dep     golang.org/x/mod        v0.6.0-dev.0.20211013180041-c96bc1413d57        h1:LQmS1nU0twXLA96Kt7U9qtHJEbBk3z6Q0V4UXjZkpr4=
        dep     golang.org/x/sys        v0.0.0-20211213223007-03aa0b5f6827      h1:A0Qkn7Z/n8zC1xd9LTw17AiKlBRK64tw3ejWQiEqca0=
        dep     golang.org/x/tools      v0.1.8  h1:P1HhGGuLW4aAclzjtmJdf0mJOjVUZUzOTqkAkWL+l6w=
        dep     golang.org/x/xerrors    v0.0.0-20200804184101-5ec99f83aff1      h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
        build   -compiler=gc
        build   CGO_ENABLED=1
        build   CGO_CFLAGS=
        build   CGO_CPPFLAGS=
        build   CGO_CXXFLAGS=
        build   CGO_LDFLAGS=
        build   GOARCH=amd64
        build   GOOS=darwin
        build   GOAMD64=v1

@seankhliao
Member

seankhliao commented Sep 10, 2022

That looks quite old, from ~5 months ago.
Please make sure to install a more up-to-date version.
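A Go pseudo-version embeds the UTC timestamp of the commit it was built from, which is how the age of the reported binary can be read from its `go version -m` output. The following is an added example, not code from the thread or from the Go project; `staleModules`, `modAge` and the 90-day threshold are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// pseudoTS captures the commit timestamp of a pseudo-version, e.g.
// v0.0.0-20220331201349-63200278c86a or v0.6.0-dev.0.20211013180041-c96bc1413d57.
var pseudoTS = regexp.MustCompile(`[-.](\d{14})-[0-9a-f]{12}(\+incompatible)?$`)

type modAge struct {
	Path, Version string
	Commit        time.Time
	Days          int
}

// staleModules scans `go version -m` output for mod/dep lines whose pseudo-version
// is more than maxDays older than now. Tagged releases carry no timestamp and are skipped.
func staleModules(buildInfo string, now time.Time, maxDays int) []modAge {
	var stale []modAge
	for _, line := range strings.Split(buildInfo, "\n") {
		f := strings.Fields(line)
		if len(f) < 3 || (f[0] != "mod" && f[0] != "dep") || !pseudoTS.MatchString(f[2]) {
			continue
		}
		t, err := time.Parse("20060102150405", pseudoTS.FindStringSubmatch(f[2])[1])
		if err != nil {
			continue // 14 digits that do not form a valid date
		}
		if days := int(now.Sub(t).Hours() / 24); days > maxDays {
			stale = append(stale, modAge{f[1], f[2], t, days})
		}
	}
	return stale
}

// Module lines as reported in this issue, with the h1: hashes omitted.
const report = `mod golang.org/x/vuln v0.0.0-20220331201349-63200278c86a
dep golang.org/x/mod v0.6.0-dev.0.20211013180041-c96bc1413d57
dep golang.org/x/tools v0.1.8
`

func main() {
	fmt.Printf("%+v\n", staleModules(report, time.Date(2022, 9, 10, 0, 0, 0, 0, time.UTC), 90))
}
```
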

@klauern
Author

klauern commented Sep 10, 2022

hm, ok, I cleaned the cache and reinstalled, now I get a different error:

at 13:30:26 ❯ go clean -cache -modcache -i -r

at 13:36:47 ❯ go install golang.org/x/vuln/cmd/govulncheck@latest
go: downloading golang.org/x/vuln v0.0.0-20220331201349-63200278c86a
go: downloading golang.org/x/mod v0.6.0-dev.0.20211013180041-c96bc1413d57
go: downloading golang.org/x/tools v0.1.8
go: downloading golang.org/x/sys v0.0.0-20211213223007-03aa0b5f6827
go: downloading golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1

 ❯ govulncheck ./...
panic: no concrete method: func (*crypto/elliptic.nistCurve[*crypto/internal/nistec.P224Point]).Add(x1 *math/big.Int, y1 *math/big.Int, x2 *math/big.Int, y2 *math/big.Int) (*math/big.Int, *math/big.Int)

goroutine 2482 [running]:
golang.org/x/tools/go/ssa.(*Program).declaredFunc(0xc01b1c12b0, 0xc006bccd20)
        /Users/nklauer/go/pkg/mod/golang.org/x/tools@v0.1.8/go/ssa/methods.go:124 +0xf9
golang.org/x/tools/go/ssa.(*Program).addMethod(0x162ddf0?, 0xc019da4050, 0xc010eafb80)
        /Users/nklauer/go/pkg/mod/golang.org/x/tools@v0.1.8/go/ssa/methods.go:86 +0x14a
golang.org/x/tools/go/ssa.(*Program).needMethods(0xc01b1c12b0, {0x162ddf0?, 0xc00bbb1d30?}, 0x0)
        /Users/nklauer/go/pkg/mod/golang.org/x/tools@v0.1.8/go/ssa/methods.go:173 +0x787
golang.org/x/tools/go/ssa.(*Program).needMethodsOf(0xc01b1c12b0, {0x162ddf0?, 0xc00bbb1d30?})
        /Users/nklauer/go/pkg/mod/golang.org/x/tools@v0.1.8/go/ssa/methods.go:145 +0x70
golang.org/x/tools/go/ssa.emitConv(0xc01b8f3cc0, {0x1632868, 0xc00c4f3920}, {0x162ddc8?, 0xc00e664540})
        /Users/nklauer/go/pkg/mod/golang.org/x/tools@v0.1.8/go/ssa/emit.go:210 +0x405
golang.org/x/tools/go/ssa.emitStore(0x0?, {0x1631f68, 0xc00c4f38c0}, {0x1632868, 0xc00c4f3920}, 0x8c97a7)
        /Users/nklauer/go/pkg/mod/golang.org/x/tools@v0.1.8/go/ssa/emit.go:261 +0x9b
golang.org/x/tools/go/ssa.(*address).store(0xc00f027ad0, 0xc01b8f3cc0?, {0x1632868?, 0xc00c4f3920?})
        /Users/nklauer/go/pkg/mod/golang.org/x/tools@v0.1.8/go/ssa/lvalue.go:41 +0x47
golang.org/x/tools/go/ssa.(*builder).assign(0xc01b83ab40?, 0x1631f20?, {0x1630510?, 0xc00f027ad0}, {0x162f730?, 0xc00e38f340?}, 0xb8?, 0x0)
        /Users/nklauer/go/pkg/mod/golang.org/x/tools@v0.1.8/go/ssa/builder.go:506 +0x4eb
golang.org/x/tools/go/ssa.(*builder).compLit(0xc01b8f3cc0?, 0xc01b8f3cc0, {0x1631740, 0xc00c4f3800}, 0xc0065b6940, 0x1, 0xc014143888)
        /Users/nklauer/go/pkg/mod/golang.org/x/tools@v0.1.8/go/ssa/builder.go:1182 +0x129b
golang.org/x/tools/go/ssa.(*builder).addr(0xc00f027a70?, 0xc01b8f3cc0, {0x162f4f0?, 0xc0065b6940}, 0x0)
        /Users/nklauer/go/pkg/mod/golang.org/x/tools@v0.1.8/go/ssa/builder.go:360 +0x1b1
golang.org/x/tools/go/ssa.(*builder).expr0(0x14d6540?, 0xc01b8f3cc0, {0x162f4f0?, 0xc0065b6940}, {0x7, {0x162de40, 0xc00bbb1c30}, {0x0, 0x0}})
        /Users/nklauer/go/pkg/mod/golang.org/x/tools@v0.1.8/go/ssa/builder.go:787 +0x19df
golang.org/x/tools/go/ssa.(*builder).expr(0xc00f0279e0?, 0xc01b8f3cc0, {0x162f4f0?, 0xc0065b6940?})
        /Users/nklauer/go/pkg/mod/golang.org/x/tools@v0.1.8/go/ssa/builder.go:530 +0x19f
golang.org/x/tools/go/ssa.(*builder).assign(0x14d6840?, 0xc01b6af1a0?, {0x1630890?, 0x19436a0}, {0x162f4f0?, 0xc0065b6940?}, 0x0?, 0x0)
        /Users/nklauer/go/pkg/mod/golang.org/x/tools@v0.1.8/go/ssa/builder.go:502 +0x3e5
golang.org/x/tools/go/ssa.(*Package).build(0xc01b83ab40)
        /Users/nklauer/go/pkg/mod/golang.org/x/tools@v0.1.8/go/ssa/builder.go:2331 +0xb45
sync.(*Once).doSlow(0xc017f35970?, 0xc017f58150?)
        /usr/local/Cellar/go/1.19.1/libexec/src/sync/once.go:74 +0xc2
sync.(*Once).Do(...)
        /usr/local/Cellar/go/1.19.1/libexec/src/sync/once.go:65
golang.org/x/tools/go/ssa.(*Package).Build(...)
        /Users/nklauer/go/pkg/mod/golang.org/x/tools@v0.1.8/go/ssa/builder.go:2269
golang.org/x/tools/go/ssa.(*Program).Build.func1(0x0?)
        /Users/nklauer/go/pkg/mod/golang.org/x/tools@v0.1.8/go/ssa/builder.go:2253 +0x4c
created by golang.org/x/tools/go/ssa.(*Program).Build
        /Users/nklauer/go/pkg/mod/golang.org/x/tools@v0.1.8/go/ssa/builder.go:2252 +0x19c

@klauern
Author

klauern commented Sep 10, 2022

Is there another command I need to run to properly clean/purge whatever older libs I might have?

@seankhliao
Member

seankhliao commented Sep 10, 2022

That's still the same version, probably cached in your GOPROXY (you'll also want to rotate the credentials you leaked in the initial report).
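One way to avoid pasting secrets into a bug report is to strip URL userinfo from `go env` output before sharing it. The following is an added example, not code from the thread or from the Go project; it assumes the secret sits as `user:password@` inside a URL-valued variable such as GOPROXY (the thread does not say which variable held it), and the function names and sample values are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

var envLine = regexp.MustCompile(`(?m)^([A-Z0-9_]+)="(.*)"$`) // KEY="value" as printed by go env
var element = regexp.MustCompile(`[^,|]+`)                    // GOPROXY-style lists use ',' or '|'

// redactValue strips userinfo from each URL in one value; hit reports a change.
func redactValue(v string) (out string, hit bool) {
	out = element.ReplaceAllStringFunc(v, func(tok string) string {
		u, err := url.Parse(tok)
		if !strings.Contains(tok, "@") || (err == nil && u.User == nil) {
			return tok // no credentials in this element (an '@' in a path is fine)
		}
		hit = true
		if err != nil {
			return "REDACTED" // unparsable but may hold user:pass@, so fail closed
		}
		u.User = url.User("REDACTED")
		return u.String()
	})
	return out, hit
}

// redactGoEnv sanitizes full `go env` output and names the variables it changed.
func redactGoEnv(in string) (clean string, flagged []string) {
	clean = envLine.ReplaceAllStringFunc(in, func(line string) string {
		m := envLine.FindStringSubmatch(line)
		if v, hit := redactValue(m[2]); hit {
			flagged = append(flagged, m[1])
			return m[1] + `="` + v + `"`
		}
		return line
	})
	return clean, flagged
}

// Constructed sample: host, user and token are made up.
const sample = `GOPROXY="https://builder:CONSTRUCTED-TOKEN@proxy.example.internal/api/go/virtual,direct"
GOSUMDB="off"
`

func main() {
	fmt.Println(redactGoEnv(sample))
}
```

Redaction only protects future reports; a credential that has already been posted still has to be rotated.
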

@klauern
Author

klauern commented Sep 10, 2022

Thanks for the catch on that. I was able to get it to work by turning off the proxy var. Appreciate the help.

@klauern klauern closed this as completed Sep 10, 2022
@golang golang locked and limited conversation to collaborators Sep 10, 2023