
cmd/cgo/internal/testsanitizers: TestASANFuzz does not take into account subprocess hungs #72766


Open
mateusz834 opened this issue Mar 10, 2025 · 5 comments
Labels
BugReport Issues describing a possible bug in the Go implementation. NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.

Comments

@mateusz834 (Member) commented Mar 10, 2025

On gotip:

[mateusz@arch src (master)]$ go test cmd/cgo/internal/testsanitizers -run TestASANFuzz  -v
=== RUN   TestASANFuzz
=== PAUSE TestASANFuzz
=== CONT  TestASANFuzz
    asan_test.go:120: /home/mateusz/code/go/go/bin/go test -x -asan -c -o /tmp/TestASANFuzz2010007148/001/asan_fuzz_test.exe testdata/asan_fuzz_test.go
    (..........)
    asan_test.go:129: /tmp/TestASANFuzz2010007148/001/asan_fuzz_test.exe -test.fuzz=Fuzz -test.fuzzcachedir=/tmp/TestASANFuzz2010007148/001
    asan_test.go:131: fuzz: elapsed: 0s, gathering baseline coverage: 0/3 completed
        failure while testing seed corpus entry: FuzzReverse/seed#1
        fuzz: elapsed: 0s, gathering baseline coverage: 0/3 completed
        --- FAIL: FuzzReverse (0.14s)
            fuzzing process hung or terminated unexpectedly: exit status 1
        FAIL
--- PASS: TestASANFuzz (0.92s)

The subprocess hits an AddressSanitizer error:

[mateusz@arch src (master)]$ go test -c -o out -asan cmd/cgo/internal/testsanitizers/testdata/asan_fuzz_test.go
[mateusz@arch src (master)]$ strace -f -s 512 --trace=write ./out -test.fuzz=. -test.fuzzcachedir /tmp 2>&1 | grep Address
[pid 1911355] write(2, "==1911328==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000976520 at pc 0x000000701f89 bp 0x000000000000 sp 0x10c0000cbda0\n", 142) = 142
[pid 1911349] write(2, "==1911329==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000976520 at pc 0x000000701f89 bp 0x000000000000 sp 0x10c0000cbda0\n", 142) = 142
[pid 1911354] write(2, "==1911330==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000976520 at pc 0x000000701f89 bp 0x000000000000 sp 0x10c0000cbda0\n", 142) = 142
[pid 1911355] write(2, "SUMMARY: AddressSanitizer: global-buffer-overflow /home/mateusz/code/go/go/src/internal/fuzz/coverage.go:25 in internal/fuzz.SnapshotCoverage\n", 142) = 142
[pid 1911349] write(2, "SUMMARY: AddressSanitizer: global-buffer-overflow /home/mateusz/code/go/go/src/internal/fuzz/coverage.go:25 in internal/fuzz.SnapshotCoverage\n", 142) = 142
[pid 1911354] write(2, "SUMMARY: AddressSanitizer: global-buffer-overflow /home/mateusz/code/go/go/src/internal/fuzz/coverage.go:25 in internal/fuzz.SnapshotCoverage\n", 142) = 142

This test passes where it should not; it should wait for a real fuzz failure, like this one:

[mateusz@arch src (master)]$ go test -fuzz .  cmd/cgo/internal/testsanitizers/testdata/asan_fuzz_test.go
fuzz: elapsed: 0s, gathering baseline coverage: 0/4 completed
failure while testing seed corpus entry: FuzzReverse/def578230616f8b9
fuzz: elapsed: 0s, gathering baseline coverage: 1/4 completed
--- FAIL: FuzzReverse (0.02s)
    --- FAIL: FuzzReverse (0.00s)
        asan_fuzz_test.go:27: got "�" want "\xff"
@mateusz834 (Member Author) commented

The asan_fuzz_test.go should fail with a sentinel error, and it should be matched in the test (TestASANFuzz). I have not looked at the AddressSanitizer though (whether it is real).
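The check the comment above asks for, written out as an added example (this is not code from the Go repository or from the issue author): given the combined output of a `-test.fuzz` run, accept only a run that reported the expected sentinel failure, and reject a run whose worker "hung or terminated unexpectedly", which is what the log in the issue shows. The sentinel string, the two sample outputs and the sample sanitizer stderr are constructed here to mirror the logs quoted in the issue; the function names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// hungMarker is the message internal/fuzz prints when a worker process
// died instead of reporting a test failure (as seen in the issue's log).
const hungMarker = "fuzzing process hung or terminated unexpectedly"

var (
	ErrWorkerDied = errors.New("fuzz worker crashed or hung")
	ErrNoSentinel = errors.New("sentinel failure not reported")
)

// CheckFuzzFailure returns nil only when out contains the sentinel failure
// message and does not contain the worker-crash marker. A crash (for
// example an AddressSanitizer abort) must not be mistaken for the
// deliberate test failure the fuzz target is expected to produce.
func CheckFuzzFailure(out, sentinel string) error {
	if strings.Contains(out, hungMarker) {
		return fmt.Errorf("%w: %s", ErrWorkerDied, hungMarker)
	}
	if !strings.Contains(out, sentinel) {
		return fmt.Errorf("%w: want %q", ErrNoSentinel, sentinel)
	}
	return nil
}

// ASANSummaries extracts the "SUMMARY: AddressSanitizer:" lines from a
// worker's stderr, so a harness can report why the worker died. The
// coordinator's own output in the issue only shows "exit status 1".
func ASANSummaries(stderr string) []string {
	var out []string
	for _, line := range strings.Split(stderr, "\n") {
		if strings.Contains(line, "SUMMARY: AddressSanitizer:") {
			out = append(out, strings.TrimSpace(line))
		}
	}
	return out
}

// Constructed sample: the output TestASANFuzz currently accepts.
const hungOutput = `fuzz: elapsed: 0s, gathering baseline coverage: 0/3 completed
failure while testing seed corpus entry: FuzzReverse/seed#1
--- FAIL: FuzzReverse (0.14s)
    fuzzing process hung or terminated unexpectedly: exit status 1
FAIL
`

// Constructed sample: the genuine failure of the seed corpus entry.
const realFailure = `fuzz: elapsed: 0s, gathering baseline coverage: 0/4 completed
failure while testing seed corpus entry: FuzzReverse/def578230616f8b9
--- FAIL: FuzzReverse (0.02s)
    --- FAIL: FuzzReverse (0.00s)
        asan_fuzz_test.go:27: got "\ufffd" want "\xff"
`

// Constructed sample: the worker's stderr as captured via strace in the issue.
const workerStderr = `==1911328==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000976520
SUMMARY: AddressSanitizer: global-buffer-overflow internal/fuzz/coverage.go:25 in internal/fuzz.SnapshotCoverage
`

// sentinel is the assumed marker the fuzz target emits on its intended failure.
const sentinel = `want "\xff"`

func main() {
	fmt.Println("hung run:", CheckFuzzFailure(hungOutput, sentinel))
	fmt.Println("real run:", CheckFuzzFailure(realFailure, sentinel))
	for _, s := range ASANSummaries(workerStderr) {
		fmt.Println("worker died with:", s)
	}
}
```

With this check in place the hung run is reported as a crash rather than as a pass; matching on the sentinel alone would also reject an unrelated panic in the target.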

@gabyhelp gabyhelp added the BugReport Issues describing a possible bug in the Go implementation. label Mar 10, 2025
@dr2chase (Contributor) commented

@golang/fuzzing

@dr2chase dr2chase added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Mar 14, 2025
@fasaxc commented Mar 27, 2025

This also affects Go 1.24.0

$ go version
go version go1.24.0 linux/amd64

I hit it while running my own Fuzz test.

@fasaxc commented Mar 27, 2025

Looks like the problem is that asan is not aware of the special _counters buffer. In the Go code it is defined as 0-length byte array but the linker points it at the real counters buffer.
