Description
What version of Go are you using (`go version`)?
$ go version go version devel go1.18-7c648e2acb3 Thu Sep 9 17:28:03 2021 +0000 linux/amd64
Does this issue reproduce with the latest release?
What operating system and processor architecture are you using (`go env`)?
go env
Output
$ go env GO111MODULE="" GOARCH="amd64" GOBIN="" GOCACHE="/home/stevie/.cache/go-build" GOENV="/home/stevie/.config/go/env" GOEXE="" GOEXPERIMENT="" GOFLAGS="" GOHOSTARCH="amd64" GOHOSTOS="linux" GOINSECURE="" GOMODCACHE="/home/stevie/go/pkg/mod" GONOPROXY="" GONOSUMDB="" GOOS="linux" GOPATH="/home/stevie/go" GOPRIVATE="" GOPROXY="https://proxy.golang.org,direct" GOROOT="/home/stevie/sdk/gotip" GOSUMDB="sum.golang.org" GOTMPDIR="" GOTOOLDIR="/home/stevie/sdk/gotip/pkg/tool/linux_amd64" GOVCS="" GOVERSION="devel go1.18-7c648e2acb3 Thu Sep 9 17:28:03 2021 +0000" GCCGO="gccgo" AR="ar" CC="gcc" CXX="g++" CGO_ENABLED="1" GOMOD="/home/stevie/minimize/go.mod" CGO_CFLAGS="-g -O2" CGO_CPPFLAGS="" CGO_CXXFLAGS="-g -O2" CGO_FFLAGS="-g -O2" CGO_LDFLAGS="-g -O2" PKG_CONFIG="pkg-config" GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build1101915129=/tmp/go-build -gno-record-gcc-switches"
What did you do?
package minimize
import (
"fmt"
"testing"
)
// branch1 is a deliberate crash site for the fuzz target: it indexes past
// the end of a three-element slice, so every call panics with
// "index out of range [4] with length 3". The argument is accepted but
// never read.
//
//go:noinline
func branch1(i int) {
	data := []byte{1, 2, 3}
	pos := 4
	fmt.Printf("%d\n", data[pos])
}
// branch2 is the second, distinct crash site: it panics with its argument
// as the panic value, so the recovered value is the int that was passed in.
//
//go:noinline
func branch2(i int) {
	reason := i
	panic(reason)
}
// FuzzMinimizeToWrongCrash reproduces the minimization problem reported in
// this issue: the seed -20000 crashes in branch1 on the first run, while
// inputs above 10000 reach the separate branch2 crash. Inputs between the
// two thresholds return without crashing.
func FuzzMinimizeToWrongCrash(f *testing.F) {
	// Seed with a value that forces the branch1 crash immediately.
	f.Add(-20000)
	f.Fuzz(func(t *testing.T, b int) {
		switch {
		case b <= -20000:
			branch1(b)
		case b > 10000:
			// The corpus will hold a crasher for this branch as well.
			branch2(b)
		}
	})
}
$ ./minimize.test -test.fuzz=Fuzz -test.fuzzcachedir=./cache -test.run=^$
found a crash, minimizing...
gathering baseline coverage, elapsed: 0.0s, workers: 8, left: 1
--- FAIL: FuzzMinimizeToWrongCrash (0.01s)
panic: runtime error: index out of range [4] with length 3
goroutine 12 [running]:
runtime/debug.Stack()
/home/stevie/sdk/gotip/src/runtime/debug/stack.go:24 +0x90
testing.tRunner.func1.2({0x5ac400, 0xc000018138})
/home/stevie/sdk/gotip/src/testing/testing.go:1288 +0x265
testing.tRunner.func1()
/home/stevie/sdk/gotip/src/testing/testing.go:1295 +0x225
panic({0x5ac400, 0xc000018138})
/home/stevie/sdk/gotip/src/runtime/panic.go:814 +0x207
minimize.branch1(0x0)
/home/stevie/minimize/fuzz_test.go:11 +0x2c
minimize.FuzzMinimizeToWrongCrash.func1(0x0, 0xffffffffffffb1e0)
/home/stevie/minimize/fuzz_test.go:23 +0xc5
reflect.Value.call({0x58e720, 0x5c7c78, 0x13}, {0x5ba083, 0x4}, {0xc00007ca20, 0x2, 0x2})
/home/stevie/sdk/gotip/src/reflect/value.go:542 +0x814
reflect.Value.Call({0x58e720, 0x5c7c78, 0xc00007fad0}, {0xc00007ca20, 0x2, 0x2})
/home/stevie/sdk/gotip/src/reflect/value.go:338 +0xc5
testing.(*F).Fuzz.func1.1(0x0)
/home/stevie/sdk/gotip/src/testing/fuzz.go:389 +0x1c6
testing.tRunner(0xc000127520, 0xc000150100)
/home/stevie/sdk/gotip/src/testing/testing.go:1342 +0x102
created by testing.(*F).Fuzz.func1
/home/stevie/sdk/gotip/src/testing/fuzz.go:378 +0x4e5
--- FAIL: FuzzMinimizeToWrongCrash (0.00s)
Crash written to testdata/corpus/FuzzMinimizeToWrongCrash/0c1ac182586a8c1e8819f7f8e6fae6027d9cf8ba51a15d24cec73d21a593cf26
To re-run:
go test minimize -run=FuzzMinimizeToWrongCrash/0c1ac182586a8c1e8819f7f8e6fae6027d9cf8ba51a15d24cec73d21a593cf26
FAIL
$ cat testdata/corpus/FuzzMinimizeToWrongCrash/0c1ac182586a8c1e8819f7f8e6fae6027d9cf8ba51a15d24cec73d21a593cf26
go test fuzz v1
int(-19978)
The "crasher" written to the corpus is -19978, which does not cause a crash.
What did you expect to see?
Minimization should fail to find an alternative, similar crash and leave a value in the corpus that actually crashes.
What did you see instead?
A crasher in the corpus which doesn't cause a crash.