go: runtime: possible memory corruption caused by CL 304470 "cmd/compile, runtime: add metadata for argument printing in traceback"

OSS-Fuzz reported an issue a few weeks ago that we suspect is memory corruption caused by the runtime. This started on August 16th, so is likely a Go 1.17 issue.

A slice bounds out of range issue is being reported from calls to regexp.MustCompile(`,\s*`).Split. However, this is not reproducible with the inputs provided by OSS-Fuzz, so we expect something else is going on.

Below are some of the panic logs:

panic: runtime error: slice bounds out of range [:18416820578376] with length 59413

goroutine 17 [running, locked to thread]:
regexp.(*Regexp).Split(0x10c0000b2640, {0x10c0001c801f, 0x76dbc0}, 0xffffffffffffffff)
	regexp/regexp.go:1266 +0x61c
github.com/google/gonids.(*Rule).option(0x10c000068000, {0x100c000096970, {0x10c0001c8016, 0x8}}, 0x10c00029a040)
	github.com/google/gonids/parser.go:675 +0x36cf
github.com/google/gonids.parseRuleAux({0x10c0001c8000, 0x630000350400}, 0x0)
	github.com/google/gonids/parser.go:943 +0x6b3
github.com/google/gonids.ParseRule(...)
	github.com/google/gonids/parser.go:972
github.com/google/gonids.FuzzParseRule({0x630000350400, 0x0, 0x10c000000601})
	github.com/google/gonids/fuzz.go:20 +0x54
main.LLVMFuzzerTestOneInput(...)
	./main.1689543426.go:21

panic: runtime error: slice bounds out of range [628255583:13888]

goroutine 17 [running, locked to thread]:
regexp.(*Regexp).Split(0x10c0000b2640, {0x10c00033601f, 0x76dbc0}, 0xffffffffffffffff)
	regexp/regexp.go:1266 +0x617
github.com/google/gonids.(*Rule).option(0x10c00026cc00, {0x100c00026e190, {0x10c000336016, 0x7}}, 0x10c0001a4300)
	github.com/google/gonids/parser.go:675 +0x36cf
github.com/google/gonids.parseRuleAux({0x10c000336000, 0x62f00064a400}, 0x0)
	github.com/google/gonids/parser.go:943 +0x6b3
github.com/google/gonids.ParseRule(...)
	github.com/google/gonids/parser.go:972
github.com/google/gonids.FuzzParseRule({0x62f00064a400, 0x0, 0x10c000000601})
	github.com/google/gonids/fuzz.go:20 +0x54
main.LLVMFuzzerTestOneInput(...)
	./main.1689543426.go:21
AddressSanitizer:DEADLYSIGNAL

panic: runtime error: slice bounds out of range [473357973:29412]

goroutine 17 [running, locked to thread]:
regexp.(*Regexp).Split(0x10c0000b2640, {0x10c0002a001f, 0x76dbc0}, 0xffffffffffffffff)
	regexp/regexp.go:1266 +0x617
github.com/google/gonids.(*Rule).option(0x10c0001b0180, {0x100c000280100, {0x10c0002a0016, 0xb}}, 0x10c0001ae040)
	github.com/google/gonids/parser.go:675 +0x36cf
github.com/google/gonids.parseRuleAux({0x10c0002a0000, 0x632000930800}, 0x0)
	github.com/google/gonids/parser.go:943 +0x6b3
github.com/google/gonids.ParseRule(...)
	github.com/google/gonids/parser.go:972
github.com/google/gonids.FuzzParseRule({0x632000930800, 0x0, 0x10c000000601})
	github.com/google/gonids/fuzz.go:20 +0x54
main.LLVMFuzzerTestOneInput(...)
	./main.1689543426.go:21

From rsc@:

The relevant code is processing the [][]int returned from regexp.(*Regexp).FindAllStringIndex. That [][]int is prepared by repeated append:

func (re *Regexp) FindAllStringIndex(s string, n int) [][]int {
    if n < 0 {
        n = len(s) + 1
    }
    var result [][]int
    re.allMatches(s, nil, n, func(match []int) {
        if result == nil {
            result = make([][]int, 0, startSize)
        }
        result = append(result, match[0:2])
    })
    return result
}

Each of the match[0:2] being appended is prepared in regexp.(*Regexp).doExecute by:

dstCap = append(dstCap, m.matchcap...)

appending to a zero-length, non-nil slice to copy m.matchcap.

And each of the m.matchcap is associated with the *regexp.machine m, which is kept in a sync.Pool for reuse.

The specific corruption is that the integers in the [][]int are clear non-integers (like pointers), which suggests that either one of the appends is losing the reference accidentally during GC or something in sync.Pool is wonky.

This could also be something strange that OSS-Fuzz is doing, and doesn’t necessarily represent a real-world use case.

/cc @golang/security

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 169 (160 by maintainers)

Most upvoted comments

I just wanted to pipe in and say thank you to @catenacyber for doggedly running this down.

I managed to reproduce the bug locally! But with the fuzz target built externally (not the one I build locally).

The stack trace looks pretty much the same as the original one. It is the same stack of functions.

Indeed, but oss-fuzz/clusterfuzz fails to parse it the same way because of missing braces {} in the regexp used to parse them, cf. the GOLANG_STACK_FRAME_FUNCTION_REGEX definition here: https://github.com/google/clusterfuzz/blob/08f52cd1b9c304cf39988561f1241cee9fd5673a/src/clusterfuzz/stacktraces/constants.py#L308

That led oss-fuzz to think the stack traces were different, hence the bugs were different, hence git bisect showed that the bug appeared with this formatting change.

The golang bug was not introduced by that commit, but by one in https://github.com/golang/go/commit/b05903a9f6408065c390ea6c62e523d9f51853a5..https://github.com/golang/go/commit/d3853fb4e6ee2b9f873ab2e41adc0e62a82e73e4: we have known good and bad revisions (even with the different stack trace).

So, see you in 10-ish days

Looks like bisection is making progress: 645cb62ee3 is good, 162d4f9c92 is bad.

270 commits to check between them

So far so good, with this patch to libFuzzer:

--- a/compiler-rt/lib/fuzzer/FuzzerUtilPosix.cpp
+++ b/compiler-rt/lib/fuzzer/FuzzerUtilPosix.cpp
@@ -82,6 +82,7 @@ static void SetSigaction(int signum,
   // dedicated stack) in order to be able to detect stack overflows; keep the
   // flag if it's set.
   new_sigact.sa_flags = SA_SIGINFO | (sigact.sa_flags & SA_ONSTACK);
+  new_sigact.sa_flags |= SA_ONSTACK;
   new_sigact.sa_sigaction = callback;
   if (sigaction(signum, &new_sigact, nullptr)) {
     Printf("libFuzzer: sigaction failed with %d\n", errno);
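Review bot: the added `new_sigact.sa_flags |= SA_ONSTACK;` makes the `(sigact.sa_flags & SA_ONSTACK)` term on the preceding line and the comment "keep the flag if it's set" stale, since the flag is now always set; collapse it to `new_sigact.sa_flags = SA_SIGINFO | SA_ONSTACK;` and reword the comment. Also worth stating in the comment that SA_ONSTACK only redirects delivery on threads that have registered an alternate stack with sigaltstack, which this hunk does not do itself, so the fix relies on the host runtime having done so (as the note below about Go doing its own sigaltstack says).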

I’m not sure that’s a general fix, but for Go it’s enough because Go does its own sigaltstack. Maybe everyone who cares does their own sigaltstack? In that case, this may be all that’s required.

45dc81d8565adb7d0a62502d039f4930e73d75e0 looks like a good candidate for the fix by @randall77

Since we now know this isn’t a recent regression, I’m moving this issue to 1.20.

Looking forward to further bisection. 😃

One commit per day, 2k commits: So approximately 11 days, maybe a few more with skips and confirmation?

It can take months (or longer!) to track down runtime bugs, particularly those without clear reproduction steps. Waiting two weeks for a git bisection seems fine.

Could you bisect to a particular commit that introduced the corruption?

@josharian I am starting https://github.com/google/oss-fuzz/pull/7876 to try to get the commit responsible for it. This git bisect gives at most one result per day and we have 2k commits, but more than 2 weeks have passed and there is no progress yet on this…

To define struct sigaction yourself in Go, you could copy the various definitions of sigactiont in the runtime package.

Some more investigation and I think I have a theory as to what is going wrong here.

TL;DR libfuzzer is setting up a signal handler for alarms which will run on the Go stack. When the signal arrives, the Go stack overflows and corrupts nearby memory. libfuzzer needs to set up its signal handler to run on an alternate signal stack, not whatever stack happens to be running when the signal arrives.

To debug, I modified the stdlib’s regexp library. The corruption I was seeing was in (*Regexp).FindAllStringIndex. At the point of the inner append the data looks fine, but looping over the result slice at the end finds entries with bogus indexes. A few consecutive entries were being overwritten, like this:

  8018 0x10c000143800 []int{62178, 62179}
  8019 0x10c000143810 []int{62181, 62182}
  8020 0x10c000143820 []int{62184, 62185}
  8021 0x10c000143830 []int{62187, 62188}
  8022 0x10c000143840 []int{140727637055916, 0}
  8023 0x10c000143850 []int{18416821092544, 18416820092928}
  8024 0x10c000143860 []int{18416821092528, 140285865550569}
  8025 0x10c000143870 []int{62199, 94762962272900}
  8026 0x10c000143880 []int{62202, 62203}
  8027 0x10c000143890 []int{62205, 62206}
  8028 0x10c0001438a0 []int{62208, 62209}
  8029 0x10c0001438b0 []int{62211, 62212}

(Each line is the index i in the result array, &result[i][0], and result[i]. The small numbers are correct data, the 0s and large numbers are bogus. Note particularly that the corruption has a “hole” in it where the original data survived. Indexes change from run to run, but the general pattern is constant.)

So the entries are getting overwritten somehow. No GCs were running, and clobberfree=1 didn’t change the values being written, so probably not a GC thing. Unless previous objects allocated to that space were still being used somehow? In any case, I had to find the thing doing the writes.

So I hacked up regexp some more to find the writer. When an entire page consists of just the backing stores of these 2-int slices, I map that page read-only, and see what faults on it. I was expecting to see code that was doing the clobbering write, but instead I got a strange error - a SEGV happened on a random instruction that can’t fault. The fault address was not specified. That made me think that the kernel was sending us the SEGV, we weren’t triggering it ourselves. And that made me think that a signal handler was triggered at that instruction, which SEGVd (or the kernel issued the SEGV because it couldn’t even set up the signal context). In the instance I was looking at, a read-only-mapped page was not too far away towards lower addresses.

A few more runs caught the signal handler in the act:

(gdb) where
#0  0x00007ffff7ccb18d in std::chrono::_V2::system_clock::now() () from /lib/x86_64-linux-gnu/libstdc++.so.6
#1  0x00005555555bfdf5 in fuzzer::Fuzzer::AlarmCallback() ()
#2  <signal handler called>
#3  0x0000555555796054 in regexp.(*Regexp).FindAllStringIndex.func1 (
    match=<error reading variable: access outside bounds of object referenced via synthetic pointer>)

In the original bug, this handler ran just fine, but very seldomly, depending on timing, stack alignment, heap allocation order, etc., its stack frames would clobber something important. With my write fault setup it fails more often, and always before any corruption described above manifests.

I’m still confused as to the pattern of overwrites. If my theory is correct, I would expect the overwrites to be at the very top of pages, as the signal handler’s stack would have grown down from the subsequent page. But instead I see just a stencil of 8 uint64s overwritten, and although often high-ish in a page (the top 1/4), not right at the top. Unless the handler’s stack frame is large (>2KB) and mostly not written to? Maybe?

I can test more once I can build my own clang/libfuzzer. At the rate it is going, it is going to take ~8 hours 😦 Hopefully rebuilds go faster.
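Added example (not libFuzzer's or the Go runtime's code) that checks the two conditions the theory above and the SetSigaction patch turn on: a SIGALRM handler installed the unpatched way has no SA_ONSTACK; forcing the flag as the patch does is still not enough until the thread has registered an alternate stack with sigaltstack, as Go does for its threads. The audit helper, the handler and all names are hypothetical; it assumes a POSIX system and queries the kernel for the live disposition rather than guessing.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ALT_STACK_SIZE (64 * 1024) /* comfortably above MINSIGSTKSZ */

/* Outcome of auditing one signal from the calling thread's point of view. */
typedef struct {
    int has_handler;      /* a user handler (not SIG_DFL/SIG_IGN) is installed */
    int has_onstack;      /* that handler carries SA_ONSTACK */
    int altstack_enabled; /* this thread has an alternate stack registered */
} sig_audit;

/* Ask the kernel for the current disposition of signum and the altstack state. */
static sig_audit audit_signal(int signum) {
    sig_audit a = {0, 0, 0};
    struct sigaction cur;
    memset(&cur, 0, sizeof cur);
    if (sigaction(signum, NULL, &cur) == 0) {
        if (cur.sa_flags & SA_SIGINFO)
            a.has_handler = cur.sa_sigaction != NULL;
        else
            a.has_handler = cur.sa_handler != SIG_DFL && cur.sa_handler != SIG_IGN;
        a.has_onstack = (cur.sa_flags & SA_ONSTACK) != 0;
    }
    stack_t ss;
    memset(&ss, 0, sizeof ss);
    if (sigaltstack(NULL, &ss) == 0)
        a.altstack_enabled = (ss.ss_flags & SS_DISABLE) == 0;
    return a;
}

/* Safe means the handler can never grow the interrupted thread's own stack,
 * which is the failure mode above when that stack is a small goroutine stack:
 * both SA_ONSTACK and a registered altstack are required. */
static int handler_is_altstack_safe(int signum) {
    sig_audit a = audit_signal(signum);
    return a.has_handler && a.has_onstack && a.altstack_enabled;
}

static volatile sig_atomic_t alarms_seen = 0;

/* Stand-in for libFuzzer's alarm callback: only counts deliveries. */
static void alarm_callback(int sig, siginfo_t *info, void *ctx) {
    (void)sig; (void)info; (void)ctx;
    alarms_seen++;
}

/* Install the way the unpatched SetSigaction does: SA_ONSTACK survives only if it
 * was already set. force_onstack mirrors the one-line patch quoted above. */
static int install_like_libfuzzer(int signum, int force_onstack) {
    struct sigaction old, new_sigact;
    memset(&new_sigact, 0, sizeof new_sigact);
    if (sigaction(signum, NULL, &old) != 0)
        return -1;
    new_sigact.sa_flags = SA_SIGINFO | (old.sa_flags & SA_ONSTACK);
    if (force_onstack)
        new_sigact.sa_flags |= SA_ONSTACK;
    new_sigact.sa_sigaction = alarm_callback;
    return sigaction(signum, &new_sigact, NULL);
}

/* Register a dedicated alternate stack for the calling thread, as the Go runtime
 * does for its own threads. Returns the allocation (kept alive for the process). */
static void *ensure_altstack(void) {
    stack_t ss;
    ss.ss_sp = malloc(ALT_STACK_SIZE);
    if (ss.ss_sp == NULL)
        return NULL;
    ss.ss_size = ALT_STACK_SIZE;
    ss.ss_flags = 0;
    if (sigaltstack(&ss, NULL) != 0) {
        free(ss.ss_sp);
        return NULL;
    }
    return ss.ss_sp;
}

/* Deliver one SIGALRM synchronously; returns how many times the handler ran. */
static int fire_alarm_once(void) {
    alarms_seen = 0;
    if (raise(SIGALRM) != 0)
        return -1;
    return (int)alarms_seen;
}

int main(void) {
    install_like_libfuzzer(SIGALRM, 0);
    printf("unpatched libFuzzer style: safe=%d\n", handler_is_altstack_safe(SIGALRM));
    install_like_libfuzzer(SIGALRM, 1);
    printf("SA_ONSTACK forced, no altstack: safe=%d\n", handler_is_altstack_safe(SIGALRM));
    ensure_altstack();
    printf("SA_ONSTACK + sigaltstack: safe=%d, deliveries=%d\n",
           handler_is_altstack_safe(SIGALRM), fire_alarm_once());
    return 0;
}
```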

Other clue: if I totally disable GC (commenting out runtime.GC() in fuzz.go after the debug.SetGCPercent(-1)), there is no crash.

@randall77 could you explain what happened?

I’m not entirely sure. The failure mode before that CL is that we could take the address of a stack variable using a LEAQ before that variable was initialized, i.e. it contained junk. If the garbage collector got a hold of that pointer in that state, it would see invalid stack object contents, including bad pointers, and those bad pointers might make it think an object came back from the dead. I’m not sure how it would cause the error you are seeing though.

Why does it happen somehow consistently with ASAN and libfuzzer? And with this big input to regexp.Split with many results (on a stack whose memory gets corrupted)?

ASAN/libfuzzer instrumentation introduce additional function calls where the bad pointer might be observed. Again, not really sure what happens in this particular case but it is possible.

Why was it introduced by https://github.com/golang/go/commit/9dd71ba91397c7f69571ae7f0810d64f2f38547a ?

No idea, except that regabi certainly changes around what function prologs look like, which is where these LEAQs tend to be.

It is in theory possible to get better answers. I could prepare a CL like f959fb3 but it only does its change based on GOCOMPILEDEBUG=gossahash=… We could then binary search for the particular function on which applying f959fb3 fixes the issue. Then we could look at the code of just that function. The code is not that hard to do, but with the low failure rate the binary search would take a while and I’m not sure it is worth it.

Maybe the fuzzer instrumentation is the source of the bug?

What instrumentation are you referring to? I cannot reproduce with a simple C driver instead of libFuzzer, even if the Go code is still instrumented the same (and libFuzzer code should not be executing when the bug happens). Do you suggest another test?

Also, I do not seem to reproduce the bug when building with -race

I can reproduce after removing the lexer goroutine in gonids. I cannot reproduce after replacing libFuzzer with a custom C driver… I cannot reproduce after replacing the fuzz target with a direct call to regexp.Split…

I guess my next step would be to rewrite the fuzz target to use all the code in one file, and then try to minimize it…

Some system stack trace:

SCHED 34144ms: gomaxprocs=16 idleprocs=15 threads=10 spinningthreads=0 idlethreads=6 runqueue=0 gcwaiting=0 nmidlelocked=0 stopwait=0 sysmonwait=0
  P0: status=1 schedtick=4483 syscalltick=33 m=1 runqsize=0 gfreecnt=0 timerslen=0
  P1: status=0 schedtick=405 syscalltick=0 m=-1 runqsize=0 gfreecnt=0 timerslen=0
  P2: status=0 schedtick=1291 syscalltick=6 m=-1 runqsize=0 gfreecnt=0 timerslen=0
  P3: status=0 schedtick=2435 syscalltick=12 m=-1 runqsize=0 gfreecnt=0 timerslen=0
  P4: status=0 schedtick=510 syscalltick=1 m=-1 runqsize=0 gfreecnt=0 timerslen=0
  P5: status=0 schedtick=1 syscalltick=0 m=-1 runqsize=0 gfreecnt=0 timerslen=0
  P6: status=0 schedtick=0 syscalltick=0 m=-1 runqsize=0 gfreecnt=0 timerslen=0
  P7: status=0 schedtick=0 syscalltick=0 m=-1 runqsize=0 gfreecnt=0 timerslen=0
  P8: status=0 schedtick=0 syscalltick=0 m=-1 runqsize=0 gfreecnt=0 timerslen=0
  P9: status=0 schedtick=0 syscalltick=0 m=-1 runqsize=0 gfreecnt=0 timerslen=0
  P10: status=0 schedtick=0 syscalltick=0 m=-1 runqsize=0 gfreecnt=0 timerslen=0
  P11: status=0 schedtick=0 syscalltick=0 m=-1 runqsize=0 gfreecnt=0 timerslen=0
  P12: status=0 schedtick=0 syscalltick=0 m=-1 runqsize=0 gfreecnt=0 timerslen=0
  P13: status=0 schedtick=0 syscalltick=0 m=-1 runqsize=0 gfreecnt=0 timerslen=0
  P14: status=0 schedtick=0 syscalltick=0 m=-1 runqsize=0 gfreecnt=0 timerslen=0
  P15: status=0 schedtick=0 syscalltick=0 m=-1 runqsize=0 gfreecnt=0 timerslen=0
  M9: p=-1 curg=-1 mallocing=0 throwing=0 preemptoff= locks=0 dying=0 spinning=false blocked=true lockedg=-1
  M8: p=-1 curg=-1 mallocing=0 throwing=0 preemptoff= locks=0 dying=0 spinning=false blocked=true lockedg=-1
  M7: p=-1 curg=34 mallocing=0 throwing=0 preemptoff= locks=0 dying=0 spinning=false blocked=false lockedg=34
  M6: p=-1 curg=-1 mallocing=0 throwing=0 preemptoff= locks=0 dying=0 spinning=false blocked=true lockedg=-1
  M5: p=-1 curg=-1 mallocing=0 throwing=0 preemptoff= locks=0 dying=0 spinning=false blocked=true lockedg=-1
  M4: p=-1 curg=-1 mallocing=0 throwing=0 preemptoff= locks=0 dying=0 spinning=false blocked=true lockedg=-1
  M3: p=-1 curg=-1 mallocing=0 throwing=0 preemptoff= locks=0 dying=0 spinning=false blocked=true lockedg=-1
  M2: p=-1 curg=-1 mallocing=0 throwing=0 preemptoff= locks=0 dying=0 spinning=false blocked=false lockedg=-1
  M1: p=0 curg=17 mallocing=1 throwing=0 preemptoff= locks=2 dying=1 spinning=false blocked=false lockedg=17
  M0: p=-1 curg=-1 mallocing=0 throwing=0 preemptoff= locks=0 dying=0 spinning=false blocked=true lockedg=-1
  G19: status=4(GC worker (idle)) m=-1 lockedm=-1
  G17: status=2(sleep) m=1 lockedm=1
  G2: status=4(force gc (idle)) m=-1 lockedm=-1
  G3: status=4(GC sweep wait) m=-1 lockedm=-1
  G4: status=4(GC scavenge wait) m=-1 lockedm=-1
  G18: status=4(finalizer wait) m=-1 lockedm=-1
  G34: status=6() m=7 lockedm=7
  G5: status=4(GC worker (idle)) m=-1 lockedm=-1
  G6: status=4(GC worker (idle)) m=-1 lockedm=-1
  G7: status=4(GC worker (idle)) m=-1 lockedm=-1
  G8: status=4(GC worker (idle)) m=-1 lockedm=-1
  G9: status=4(GC worker (idle)) m=-1 lockedm=-1
  G10: status=4(GC worker (idle)) m=-1 lockedm=-1
  G11: status=4(GC worker (idle)) m=-1 lockedm=-1
  G12: status=4(GC worker (idle)) m=-1 lockedm=-1
  G13: status=4(GC worker (idle)) m=-1 lockedm=-1
  G14: status=4(GC worker (idle)) m=-1 lockedm=-1
  G15: status=4(GC worker (idle)) m=-1 lockedm=-1
  G35: status=4(GC worker (idle)) m=-1 lockedm=-1
  G36: status=4(GC worker (idle)) m=-1 lockedm=-1
  G37: status=4(GC worker (idle)) m=-1 lockedm=-1
  G38: status=4(GC worker (idle)) m=-1 lockedm=-1
panic: runtime error: slice bounds out of range [:18416821616320] with length 854986

goroutine 17 [running, locked to thread]:
panic({0x770280, 0x10c002560000})
	runtime/panic.go:987 +0x3ba fp=0x10c0001c5138 sp=0x10c0001c5078 pc=0x5a001a
runtime.goPanicSliceAlen(0x10c0001c3ec0, 0xd0bca)
	runtime/panic.go:127 +0x7f fp=0x10c0001c5178 sp=0x10c0001c5138 pc=0x59e3ff
regexp.(*Regexp).Split(0x10c0001ac640, {0x10c0001d201b, 0xd0bca}, 0xffffffffffffffff)
	regexp/regexp.go:1288 +0xb1d fp=0x10c0001c52a8 sp=0x10c0001c5178 pc=0x68a25d
github.com/google/gonids.(*Rule).option(0x10c001c22000, {0xd0be7?, {0x10c0001d2012?, 0x7efe472f9900?}}, 0x10c001c1e000)
	github.com/google/gonids/parser.go:678 +0x1d71 fp=0x10c0001c5c90 sp=0x10c0001c52a8 pc=0x698851
github.com/google/gonids.parseRuleAux({0x10c0001d2000, 0xd0be7}, 0x0)
	github.com/google/gonids/parser.go:946 +0x8a9 fp=0x10c0001c5da8 sp=0x10c0001c5c90 pc=0x69f4a9
github.com/google/gonids.ParseRule(...)
	github.com/google/gonids/parser.go:975
github.com/google/gonids.FuzzParseRule({0x7efe40bba800?, 0xd0be7?, 0x10c000008601?})
	github.com/google/gonids/fuzz.go:35 +0x16f fp=0x10c0001c5e08 sp=0x10c0001c5da8 pc=0x68adef
main.LLVMFuzzerTestOneInput(...)
	./main.3979697629.go:21
_cgoexp_756e57aa05c2_LLVMFuzzerTestOneInput(0x7fff5060a5c8)
	_cgo_gotypes.go:50 +0x74 fp=0x10c0001c5e30 sp=0x10c0001c5e08 pc=0x6b1fb4
runtime.cgocallbackg1(0x6b1f40, 0x10c0001c5fe0?, 0x0)
	runtime/cgocall.go:316 +0x2c2 fp=0x10c0001c5f00 sp=0x10c0001c5e30 pc=0x5707e2
runtime.cgocallbackg(0x0?, 0x0?, 0x0?)
	runtime/cgocall.go:235 +0x109 fp=0x10c0001c5f90 sp=0x10c0001c5f00 pc=0x570469
runtime.cgocallbackg(0x6b1f40, 0x7fff5060a5c8, 0x0)
	<autogenerated>:1 +0x31 fp=0x10c0001c5fb8 sp=0x10c0001c5f90 pc=0x5cf151
runtime.cgocallback(0x0, 0x0, 0x0)
	runtime/asm_amd64.s:994 +0xb3 fp=0x10c0001c5fe0 sp=0x10c0001c5fb8 pc=0x5cc933
runtime.goexit()
	runtime/asm_amd64.s:1594 +0x1 fp=0x10c0001c5fe8 sp=0x10c0001c5fe0 pc=0x5ccb81

goroutine 19 [GC worker (idle)]:
runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?)
	runtime/proc.go:363 +0xd6 fp=0x10c00005e750 sp=0x10c00005e730 pc=0x5a3076
runtime.gcBgMarkWorker()
	runtime/mgc.go:1235 +0xf1 fp=0x10c00005e7e0 sp=0x10c00005e750 pc=0x586bf1
runtime.goexit()
	runtime/asm_amd64.s:1594 +0x1 fp=0x10c00005e7e8 sp=0x10c00005e7e0 pc=0x5ccb81
created by runtime.gcBgMarkStartWorkers
	runtime/mgc.go:1159 +0x25
[originating from goroutine 17]:
runtime.systemstack_switch(...)
	?:0 +0x1
runtime.newproc(...)
	runtime/proc.go:4089 +0x51
runtime.gcBgMarkStartWorkers(...)
	runtime/mgc.go:1161 +0x25
runtime.gcStart(...)
	runtime/mgc.go:645 +0x20a
runtime.GC(...)
	runtime/mgc.go:448 +0x45
github.com/google/gonids.FuzzParseRule(...)
	github.com/google/gonids/fuzz.go:37 +0x179
_cgoexp_756e57aa05c2_LLVMFuzzerTestOneInput(...)
	_cgo_gotypes.go:50 +0x74
_cgoexp_756e57aa05c2_LLVMFuzzerTestOneInput(...)
	_cgo_gotypes.go:50 +0x1e
runtime.cgocallbackg1(...)
	runtime/cgocall.go:324 +0x2c2
runtime.cgocallbackg(...)
	runtime/cgocall.go:241 +0x109
runtime.cgocallback(...)
	runtime/asm_amd64.s:999 +0xb3
runtime.goexit(...)
	runtime/asm_amd64.s:1595 +0x1

	runtime/cgocall.go:241 +0x109
runtime.cgocallback(...)
	runtime/asm_amd64.s:999 +0xb3
runtime.goexit(...)
	runtime/asm_amd64.s:1595 +0x1

goroutine 14 [GC worker (idle)]:
runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?)
	runtime/proc.go:363 +0xd6 fp=0x10c001460f50 sp=0x10c001460f30 pc=0x5a3076
runtime.gcBgMarkWorker()
	runtime/mgc.go:1235 +0xf1 fp=0x10c001460fe0 sp=0x10c001460f50 pc=0x586bf1
runtime.goexit()
	runtime/asm_amd64.s:1594 +0x1 fp=0x10c001460fe8 sp=0x10c001460fe0 pc=0x5ccb81
created by runtime.gcBgMarkStartWorkers
	runtime/mgc.go:1159 +0x25
[originating from goroutine 17]:
runtime.systemstack_switch(...)
	?:0 +0x1
runtime.newproc(...)
	runtime/proc.go:4089 +0x51
runtime.gcBgMarkStartWorkers(...)
	runtime/mgc.go:1161 +0x25
runtime.gcStart(...)
	runtime/mgc.go:645 +0x20a
runtime.GC(...)
	runtime/mgc.go:448 +0x45
github.com/google/gonids.FuzzParseRule(...)
	github.com/google/gonids/fuzz.go:37 +0x179
_cgoexp_756e57aa05c2_LLVMFuzzerTestOneInput(...)
	_cgo_gotypes.go:50 +0x74
_cgoexp_756e57aa05c2_LLVMFuzzerTestOneInput(...)
	_cgo_gotypes.go:50 +0x1e
runtime.cgocallbackg1(...)
	runtime/cgocall.go:324 +0x2c2
runtime.cgocallbackg(...)
	runtime/cgocall.go:241 +0x109
runtime.cgocallback(...)
	runtime/asm_amd64.s:999 +0xb3
runtime.goexit(...)
	runtime/asm_amd64.s:1595 +0x1

goroutine 15 [GC worker (idle)]:
runtime.gopark(0x1249e20?, 0x1?, 0x8e?, 0xd3?, 0x0?)
	runtime/proc.go:363 +0xd6 fp=0x10c001461750 sp=0x10c001461730 pc=0x5a3076
runtime.gcBgMarkWorker()
	runtime/mgc.go:1235 +0xf1 fp=0x10c0014617e0 sp=0x10c001461750 pc=0x586bf1
runtime.goexit()
	runtime/asm_amd64.s:1594 +0x1 fp=0x10c0014617e8 sp=0x10c0014617e0 pc=0x5ccb81
created by runtime.gcBgMarkStartWorkers
	runtime/mgc.go:1159 +0x25
[originating from goroutine 17]:
runtime.systemstack_switch(...)
	?:0 +0x1
runtime.newproc(...)
	runtime/proc.go:4089 +0x51
runtime.gcBgMarkStartWorkers(...)
	runtime/mgc.go:1161 +0x25
runtime.gcStart(...)
	runtime/mgc.go:645 +0x20a
runtime.GC(...)
	runtime/mgc.go:448 +0x45
github.com/google/gonids.FuzzParseRule(...)
	github.com/google/gonids/fuzz.go:37 +0x179
_cgoexp_756e57aa05c2_LLVMFuzzerTestOneInput(...)
	_cgo_gotypes.go:50 +0x74
_cgoexp_756e57aa05c2_LLVMFuzzerTestOneInput(...)
	_cgo_gotypes.go:50 +0x1e
runtime.cgocallbackg1(...)
	runtime/cgocall.go:324 +0x2c2
runtime.cgocallbackg(...)
	runtime/cgocall.go:241 +0x109
runtime.cgocallback(...)
	runtime/asm_amd64.s:999 +0xb3
runtime.goexit(...)
	runtime/asm_amd64.s:1595 +0x1

goroutine 35 [GC worker (idle)]:
runtime.gopark(0x1249e20?, 0x1?, 0x14?, 0x9b?, 0x0?)
	runtime/proc.go:363 +0xd6 fp=0x10c00145a750 sp=0x10c00145a730 pc=0x5a3076
runtime.gcBgMarkWorker()
	runtime/mgc.go:1235 +0xf1 fp=0x10c00145a7e0 sp=0x10c00145a750 pc=0x586bf1
runtime.goexit()
	runtime/asm_amd64.s:1594 +0x1 fp=0x10c00145a7e8 sp=0x10c00145a7e0 pc=0x5ccb81
created by runtime.gcBgMarkStartWorkers
	runtime/mgc.go:1159 +0x25
[originating from goroutine 17]:
runtime.systemstack_switch(...)
	?:0 +0x1
runtime.newproc(...)
	runtime/proc.go:4089 +0x51
runtime.gcBgMarkStartWorkers(...)
	runtime/mgc.go:1161 +0x25
runtime.gcStart(...)
	runtime/mgc.go:645 +0x20a
runtime.GC(...)
	runtime/mgc.go:448 +0x45
github.com/google/gonids.FuzzParseRule(...)
	github.com/google/gonids/fuzz.go:37 +0x179
_cgoexp_756e57aa05c2_LLVMFuzzerTestOneInput(...)
	_cgo_gotypes.go:50 +0x74
_cgoexp_756e57aa05c2_LLVMFuzzerTestOneInput(...)
	_cgo_gotypes.go:50 +0x1e
runtime.cgocallbackg1(...)
	runtime/cgocall.go:324 +0x2c2
runtime.cgocallbackg(...)
	runtime/cgocall.go:241 +0x109
runtime.cgocallback(...)
	runtime/asm_amd64.s:999 +0xb3
runtime.goexit(...)
	runtime/asm_amd64.s:1595 +0x1

goroutine 36 [GC worker (idle)]:
runtime.gopark(0x1249e20?, 0x1?, 0x42?, 0x4f?, 0x0?)
	runtime/proc.go:363 +0xd6 fp=0x10c00145af50 sp=0x10c00145af30 pc=0x5a3076
runtime.gcBgMarkWorker()
	runtime/mgc.go:1235 +0xf1 fp=0x10c00145afe0 sp=0x10c00145af50 pc=0x586bf1
runtime.goexit()
	runtime/asm_amd64.s:1594 +0x1 fp=0x10c00145afe8 sp=0x10c00145afe0 pc=0x5ccb81
created by runtime.gcBgMarkStartWorkers
	runtime/mgc.go:1159 +0x25
[originating from goroutine 17]:
runtime.systemstack_switch(...)
	?:0 +0x1
runtime.newproc(...)
	runtime/proc.go:4089 +0x51
runtime.gcBgMarkStartWorkers(...)
	runtime/mgc.go:1161 +0x25
runtime.gcStart(...)
	runtime/mgc.go:645 +0x20a
runtime.GC(...)
	runtime/mgc.go:448 +0x45
github.com/google/gonids.FuzzParseRule(...)
	github.com/google/gonids/fuzz.go:37 +0x179
_cgoexp_756e57aa05c2_LLVMFuzzerTestOneInput(...)
	_cgo_gotypes.go:50 +0x74
_cgoexp_756e57aa05c2_LLVMFuzzerTestOneInput(...)
	_cgo_gotypes.go:50 +0x1e
runtime.cgocallbackg1(...)
	runtime/cgocall.go:324 +0x2c2
runtime.cgocallbackg(...)
	runtime/cgocall.go:241 +0x109
runtime.cgocallback(...)
	runtime/asm_amd64.s:999 +0xb3
runtime.goexit(...)
	runtime/asm_amd64.s:1595 +0x1

goroutine 37 [GC worker (idle)]:
runtime.gopark(0x1249e20?, 0x1?, 0x5f?, 0xfa?, 0x0?)
	runtime/proc.go:363 +0xd6 fp=0x10c00145b750 sp=0x10c00145b730 pc=0x5a3076
runtime.gcBgMarkWorker()
	runtime/mgc.go:1235 +0xf1 fp=0x10c00145b7e0 sp=0x10c00145b750 pc=0x586bf1
runtime.goexit()
	runtime/asm_amd64.s:1594 +0x1 fp=0x10c00145b7e8 sp=0x10c00145b7e0 pc=0x5ccb81
created by runtime.gcBgMarkStartWorkers
	runtime/mgc.go:1159 +0x25
[originating from goroutine 17]:
runtime.systemstack_switch(...)
	?:0 +0x1
runtime.newproc(...)
	runtime/proc.go:4089 +0x51
runtime.gcBgMarkStartWorkers(...)
	runtime/mgc.go:1161 +0x25
runtime.gcStart(...)
	runtime/mgc.go:645 +0x20a
runtime.GC(...)
	runtime/mgc.go:448 +0x45
github.com/google/gonids.FuzzParseRule(...)
	github.com/google/gonids/fuzz.go:37 +0x179
_cgoexp_756e57aa05c2_LLVMFuzzerTestOneInput(...)
	_cgo_gotypes.go:50 +0x74
_cgoexp_756e57aa05c2_LLVMFuzzerTestOneInput(...)
	_cgo_gotypes.go:50 +0x1e
runtime.cgocallbackg1(...)
	runtime/cgocall.go:324 +0x2c2
runtime.cgocallbackg(...)
	runtime/cgocall.go:241 +0x109
runtime.cgocallback(...)
	runtime/asm_amd64.s:999 +0xb3
runtime.goexit(...)
	runtime/asm_amd64.s:1595 +0x1

goroutine 38 [GC worker (idle)]:
runtime.gopark(0x2d1c3df989ac55?, 0x1?, 0xf2?, 0x3?, 0x0?)
	runtime/proc.go:363 +0xd6 fp=0x10c00145bf50 sp=0x10c00145bf30 pc=0x5a3076
runtime.gcBgMarkWorker()
	runtime/mgc.go:1235 +0xf1 fp=0x10c00145bfe0 sp=0x10c00145bf50 pc=0x586bf1
runtime.goexit()
	runtime/asm_amd64.s:1594 +0x1 fp=0x10c00145bfe8 sp=0x10c00145bfe0 pc=0x5ccb81
created by runtime.gcBgMarkStartWorkers
	runtime/mgc.go:1159 +0x25
[originating from goroutine 17]:
runtime.systemstack_switch(...)
	?:0 +0x1
runtime.newproc(...)
	runtime/proc.go:4089 +0x51
runtime.gcBgMarkStartWorkers(...)
	runtime/mgc.go:1161 +0x25
runtime.gcStart(...)
	runtime/mgc.go:645 +0x20a
runtime.GC(...)
	runtime/mgc.go:448 +0x45
github.com/google/gonids.FuzzParseRule(...)
	github.com/google/gonids/fuzz.go:37 +0x179
_cgoexp_756e57aa05c2_LLVMFuzzerTestOneInput(...)
	_cgo_gotypes.go:50 +0x74
_cgoexp_756e57aa05c2_LLVMFuzzerTestOneInput(...)
	_cgo_gotypes.go:50 +0x1e
runtime.cgocallbackg1(...)
	runtime/cgocall.go:324 +0x2c2
runtime.cgocallbackg(...)
	runtime/cgocall.go:241 +0x109
runtime.cgocallback(...)
	runtime/asm_amd64.s:999 +0xb3
runtime.goexit(...)
	runtime/asm_amd64.s:1595 +0x1
==1== ERROR: libFuzzer: deadly signal
    #0 0x539071 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
    #1 0x457b88 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
    #2 0x43c863 in fuzzer::Fuzzer::CrashCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:233:3
    #3 0x7efe7146341f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1441f) (BuildId: 7b4536f41cdaa5888408e82d0836e33dcf436466)
    #4 0x5ce7c0 in runtime.raise.abi0 runtime/sys_linux_amd64.s:158

It has now reproduced twice in 223 runs!

And it also reproduces with my local build!

So, what should I try to debug? Get some core dump? Try some other values for GOTRACEBACK? Or GODEBUG? Add some recover to get more info after the panic?
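One way to get more information out of a run like this without changing the fuzzer build, as an added example that is not part of the thread or of the gonids project: wrap the call under test in a recover, record the panic value together with the Go version, GODEBUG and GOTRACEBACK seen by the process, and re-run the same input several times on a private copy, since a parser that gives different results for byte-identical input points at memory corruption or a race rather than at the parser's logic. The `parseOptions` function below is a constructed stand-in that splits on the same `,\s*` regexp as gonids' option parser; the real harness would call `gonids.ParseRule` instead, and the sample input is made up for the example.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"runtime"
	"runtime/debug"
)

// optSep mirrors the separator regexp named in the panic reports.
var optSep = regexp.MustCompile(`,\s*`)

// parseOptions is a constructed stand-in for the code under test (not gonids itself).
func parseOptions(data []byte) []string {
	return optSep.Split(string(data), -1)
}

// Report is what the guarded run captured: the panic value, the stack at the
// point of recovery and the runtime settings the process actually ran with.
type Report struct {
	Panicked  bool
	Value     interface{}
	Stack     string
	Version   string
	GoDebug   string
	Traceback string
}

// runGuarded runs fn and converts a panic into a Report instead of killing the process.
// A recover inside the harness gives the process a chance to print context that the
// default crash path does not (e.g. the GODEBUG value the runtime started with).
func runGuarded(fn func()) (r Report) {
	r.Version = runtime.Version()
	r.GoDebug = os.Getenv("GODEBUG")
	r.Traceback = os.Getenv("GOTRACEBACK")
	defer func() {
		if v := recover(); v != nil {
			r.Panicked = true
			r.Value = v
			r.Stack = string(debug.Stack())
		}
	}()
	fn()
	return r
}

// consistent parses a private copy of data n times and reports whether every run
// produced the same output and none panicked. Divergent output or a panic on some
// runs but not others is the signature of corruption, not of a deterministic bug.
func consistent(data []byte, n int) (bool, Report) {
	var first []string
	for i := 0; i < n; i++ {
		in := append([]byte(nil), data...) // fresh backing array per run
		var out []string
		rep := runGuarded(func() { out = parseOptions(in) })
		if rep.Panicked {
			return false, rep
		}
		if i == 0 {
			first = out
			continue
		}
		if !equalStrings(first, out) {
			return false, Report{}
		}
	}
	return true, Report{}
}

func equalStrings(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

// sliceAt exists only to produce a genuine "slice bounds out of range" panic on demand.
func sliceAt(s []int, i int) []int { return s[i:] }

func main() {
	sample := []byte(`msg:"probe", sid:1, rev:2`) // constructed sample, not an OSS-Fuzz testcase
	ok, rep := consistent(sample, 100)
	fmt.Printf("go=%s GODEBUG=%q GOTRACEBACK=%q consistent=%v\n",
		runtime.Version(), os.Getenv("GODEBUG"), os.Getenv("GOTRACEBACK"), ok)
	if rep.Panicked {
		fmt.Printf("panic: %v\n%s", rep.Value, rep.Stack)
	}
	rep = runGuarded(func() { _ = sliceAt([]int{}, 5) })
	fmt.Printf("deliberate panic captured: %v\n", rep.Value)
}
```

The recover only helps for panics raised on the goroutine that runs the harness; a fault that the runtime reports itself (a throw, or a signal such as the ABRT in the sanitizer output above) still goes through the normal crash path, so the consistency check is the part worth keeping in a long-running reproduction loop.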

I managed to reproduce the bug locally! But with the fuzz target built externally (not the one I build locally).

I got it only once:

/out/fuzz /out/clusterfuzz-testcase-minimized-fuzz_parserule-6053343530450944 -runs=100 -rss_limit_mb=2560 -timeout=60 
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1601842765
INFO: Loaded 1 modules   (7054 inline 8-bit counters): 7054 [0x124dd08, 0x124f896), 
INFO: Loaded 1 PC tables (7054 PCs): 7054 [0x10c000088000,0x10c0000a38e0), 
/out/fuzz: Running 1 inputs 100 time(s) each.
Running: /out/clusterfuzz-testcase-minimized-fuzz_parserule-6053343530450944
GODEBUG=panic: runtime error: slice bounds out of range [:18416821108032] with length 854986

goroutine 17 [running, locked to thread]:
regexp.(*Regexp).Split(0x10c000132640, {0x10c000ad001b, 0xd0bca}, 0xffffffffffffffff)
	regexp/regexp.go:1275 +0x876
github.com/google/gonids.(*Rule).option(0x10c0002de180, {0xd0be7?, {0x10c000ad0012?, 0x7f2ca8e41800?}}, 0x10c0002da000)
	github.com/google/gonids/parser.go:675 +0x1d71
github.com/google/gonids.parseRuleAux({0x10c000ad0000, 0xd0be7}, 0x0)
	github.com/google/gonids/parser.go:943 +0x8a9
github.com/google/gonids.ParseRule(...)
	github.com/google/gonids/parser.go:972
github.com/google/gonids.FuzzParseRule({0x7f2c97900800?, 0xd0be7?, 0x10c000006601?})
	github.com/google/gonids/fuzz.go:31 +0x171
main.LLVMFuzzerTestOneInput(...)
	./main.52060591.go:21
AddressSanitizer:DEADLYSIGNAL
=================================================================
==142==ERROR: AddressSanitizer: ABRT on unknown address 0x00000000008e (pc 0x0000005ce121 bp 0x10c000148dc0 sp 0x10c000148da8 T0)
SCARINESS: 10 (signal)
    #0 0x5ce121  (/out/fuzz+0x5ce121)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: ABRT (/out/fuzz+0x5ce121) 
==142==ABORTING

Now, I am trying a bash loop running this command: 153 runs without crashes (over the night) so far…

So @aclements, I think the commit introducing the regression is yours: 9dd71ba91397c7f69571ae7f0810d64f2f38547a

How could I get such an insurance?

Running the test under the race detector would be a step, if it works.

produces a different stack trace

The stack trace looks pretty much the same as the original one. It is the same stack of functions.

How can I check the indirect way?

The easiest is probably go tool nm <binary> | grep "runtime\.Stack".

No results

Could you be sure that the memory corruption is not caused by the user code, or by the C++ code?

How could I get such an insurance?

New fact: d4aa72002e is not really good, but the bug produces a different stack trace

panic: runtime error: slice bounds out of range [:107202383708288] with length 26259

goroutine 17 [running, locked to thread]:
regexp.(*Regexp).Split(0x10c0000b6640, 0x10c000176a9f, 0x774bc0, 0xffffffffffffffff)
	regexp/regexp.go:1266 +0x61c
github.com/google/gonids.(*Rule).option(0x10c000084600, 0x1010000000050, 0x10c000176a96, 0x0, 0x7fb715876778)
	github.com/google/gonids/parser.go:675 +0x3705
github.com/google/gonids.parseRuleAux(0x10c000176a80, 0x62b0000cb200, 0x6600)
	github.com/google/gonids/parser.go:943 +0x6ce
github.com/google/gonids.ParseRule(...)
	github.com/google/gonids/parser.go:972
github.com/google/gonids.FuzzParseRule(0x62b0000cb200, 0x0, 0x1)
	github.com/google/gonids/fuzz.go:20 +0x54
main.LLVMFuzzerTestOneInput(...)
	./main.834012382.go:21
AddressSanitizer:DEADLYSIGNAL

So, I will be back to bisecting b05903a9f6…d3853fb4e

Great find, thanks @catenacyber!

Just to clarify, this bisect was pointing OSS-Fuzz at https://github.com/google/gonids/blob/master/fuzz.go#L19 and waiting for failures? We don’t have a consistent reproducer, right?

Is it possible/are there instructions for running this fuzzer locally as a reproducer? Is https://github.com/golang/go/issues/49075#issuecomment-947735939 still accurate? We control the build of Go used in https://github.com/google/oss-fuzz/blob/master/projects/gonids/build.sh#L18?

Looks like the regression ended up with commit 537cde0b4b "cmd/compile, runtime: add metadata for argument printing in traceback" as the culprit

What is next, @josharian?

Possibly related to #49961 , if oss-fuzz uses reflect.Call or friends.

Side note on reproducing the issue: it happened 35 times on November 14th, among more than 2400 runs. It happens about one time in 100 runs…
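The outer "bash loop" used above, and the 35-in-2400 style counting that goes with it, written out as an added example (not a script from the thread or from OSS-Fuzz). It runs the reproducer command repeatedly in separate processes, keeps only the logs of runs that exited non-zero (libFuzzer exits non-zero on a deadly signal), and turns the tally into a "one crash per N runs" figure. The `check_symbols` helper is the `go tool nm | grep` check suggested earlier in the thread, extended to also look for `reflect.Value.Call`, since the later comment asks whether the target uses it. Assumed, not from the thread: the reproducer is invoked as `BINARY TESTCASE -runs=1`, and the log directory default `./repro-logs`.

```bash
#!/bin/sh
# repro_loop CMD RUNS [LOGDIR]: run CMD (a shell command string) RUNS times,
# keep stdout+stderr of each failing run in LOGDIR, print "crashes/runs".
repro_loop() {
	cmd=$1
	runs=$2
	logdir=${3:-./repro-logs}
	mkdir -p "$logdir"
	crashes=0
	i=0
	while [ "$i" -lt "$runs" ]; do
		i=$((i + 1))
		if ! sh -c "$cmd" >"$logdir/run-$i.log" 2>&1; then
			crashes=$((crashes + 1))
		else
			rm -f "$logdir/run-$i.log"   # clean runs leave nothing behind
		fi
	done
	echo "$crashes/$runs"
}

# runs_per_crash "crashes/runs": integer "one crash per N runs", or "none".
runs_per_crash() {
	c=${1%%/*}
	r=${1##*/}
	if [ "$c" -eq 0 ]; then
		echo none
		return 0
	fi
	echo $((r / c))
}

# check_symbols BINARY: list linked references to runtime.Stack or reflect.Value.Call
# in a Go binary (the "indirect" use discussed above). Exit status 1 if none are linked.
check_symbols() {
	go tool nm "$1" | grep -E 'runtime\.Stack|reflect\.Value\.Call'
}

# Usage: sh repro.sh /out/fuzz /out/clusterfuzz-testcase 300   (paths are assumed)
if [ "$#" -ge 3 ]; then
	result=$(repro_loop "$1 $2 -runs=1" "$3")
	echo "crashes/runs: $result (about one crash per $(runs_per_crash "$result") runs)"
fi
```

Keeping only the failing logs matters for a bug at this rate: at one crash per hundred runs an overnight loop produces a few crash logs and thousands of uninteresting ones, and the kept logs are what you diff to see whether the stack of functions stays the same across occurrences.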

Thanks Ian, you answered my question. GODEBUG likely needs to be set up before start… which is complicated on oss-fuzz… which is the only place where the bug reproduces…

If it does, then we can figure out whether setting it while running the program will work.

There will be no more point to do it for me. The point is that it is easier to set GODEBUG from the fuzz target running, than outside of it before running it…

So, I guess I will think on it…