cmd/cgo/internal/testsanitizers: TestASANFuzz does not take into account subprocess hungs

[mateusz834]

On gotip:

[mateusz@arch src (master)]$ go test cmd/cgo/internal/testsanitizers -run TestASANFuzz  -v
=== RUN   TestASANFuzz
=== PAUSE TestASANFuzz
=== CONT  TestASANFuzz
    asan_test.go:120: /home/mateusz/code/go/go/bin/go test -x -asan -c -o /tmp/TestASANFuzz2010007148/001/asan_fuzz_test.exe testdata/asan_fuzz_test.go
    (..........)
    asan_test.go:129: /tmp/TestASANFuzz2010007148/001/asan_fuzz_test.exe -test.fuzz=Fuzz -test.fuzzcachedir=/tmp/TestASANFuzz2010007148/001
    asan_test.go:131: fuzz: elapsed: 0s, gathering baseline coverage: 0/3 completed
        failure while testing seed corpus entry: FuzzReverse/seed#1
        fuzz: elapsed: 0s, gathering baseline coverage: 0/3 completed
        --- FAIL: FuzzReverse (0.14s)
            fuzzing process hung or terminated unexpectedly: exit status 1
        FAIL
--- PASS: TestASANFuzz (0.92s)

The subprocess hits a AddressSanitizer:

[mateusz@arch src (master)]$ go test -c -o out -asan cmd/cgo/internal/testsanitizers/testdata/asan_fuzz_test.go
[mateusz@arch src (master)]$ strace -f -s 512 --trace=write ./out -test.fuzz=. -test.fuzzcachedir /tmp 2>&1 | grep Address
[pid 1911355] write(2, "==1911328==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000976520 at pc 0x000000701f89 bp 0x000000000000 sp 0x10c0000cbda0\n", 142) = 142
[pid 1911349] write(2, "==1911329==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000976520 at pc 0x000000701f89 bp 0x000000000000 sp 0x10c0000cbda0\n", 142) = 142
[pid 1911354] write(2, "==1911330==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000976520 at pc 0x000000701f89 bp 0x000000000000 sp 0x10c0000cbda0\n", 142) = 142
[pid 1911355] write(2, "SUMMARY: AddressSanitizer: global-buffer-overflow /home/mateusz/code/go/go/src/internal/fuzz/coverage.go:25 in internal/fuzz.SnapshotCoverage\n", 142) = 142
[pid 1911349] write(2, "SUMMARY: AddressSanitizer: global-buffer-overflow /home/mateusz/code/go/go/src/internal/fuzz/coverage.go:25 in internal/fuzz.SnapshotCoverage\n", 142) = 142
[pid 1911354] write(2, "SUMMARY: AddressSanitizer: global-buffer-overflow /home/mateusz/code/go/go/src/internal/fuzz/coverage.go:25 in internal/fuzz.SnapshotCoverage\n", 142) = 142

This test passes, where it should not, it should wait for a real fuzz failure, like this one:

[mateusz@arch src (master)]$ go test -fuzz .  cmd/cgo/internal/testsanitizers/testdata/asan_fuzz_test.go
fuzz: elapsed: 0s, gathering baseline coverage: 0/4 completed
failure while testing seed corpus entry: FuzzReverse/def578230616f8b9
fuzz: elapsed: 0s, gathering baseline coverage: 1/4 completed
--- FAIL: FuzzReverse (0.02s)
    --- FAIL: FuzzReverse (0.00s)
        asan_fuzz_test.go:27: got "�" want "\xff"

[mateusz834]

The asan_fuzz_test.go should fail with a sentinel error, and it should be matched in the test (TestASANFuzz). I have not looked at the AddressSanitizer though (whether it is real).

[gabyhelp]

Related Issues

• internal/fuzz: odr-violation error #66966 (closed)
• testing: fuzzer aborts with "fuzzing process hung or terminated unexpectedly while minimizing: EOF" #52569
• misc/cgo/testsanitizers: occasional hangs in TestTSAN/tsan12 #52998 (closed)
• testing: fuzzed function can corrupt internal state of fuzzer #48606
• runtime: TestASAN fails with SEGV on unknown address on linux/riscv64 #57691
• testing: fuzzer doesn't timeout infinite loops #48611 (closed)
• testing: fuzzing failed to run if test run with open TCP connections #71560 (closed)
• [dev.fuzz] cmd/go: hangs in "gathering baseline coverage" #46633 (closed)
• cmd/cgo/internal/testsanitizers: TestMSAN failures #62109

Related Code Changes

• misc/cgo/testsanitizers: don't hang if test program loops

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[dr2chase]

@golang/fuzzing

[fasaxc]

This also affects Go 1.24.0

$ go version
go version go1.24.0 linux/amd64

I hit it while running my own Fuzz test.

[fasaxc]

Looks like the problem is that asan is not aware of the special _counters buffer. In the Go code it is defined as 0-length byte array but the linker points it at the real counters buffer.

[gopherbot]

Change https://go.dev/cl/673575 mentions this issue: cmd/compile: don't instrument counter globals in internal/fuzz