Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vuln: panic while running govulncheck with 1.23+ (panic: *types.Alias: any) #70350

Closed
remiphilippe opened this issue Nov 14, 2024 · 10 comments
Closed

x/vuln: panic while running govulncheck with 1.23+ (panic: *types.Alias: any) #70350

remiphilippe opened this issue Nov 14, 2024 · 10 comments
Assignees
@timothy-king
Labels
vulncheck or vulndb Issues for the x/vuln or x/vulndb repo WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided.
Milestone
vuln/unplanned

Comments

@remiphilippe
Copy link

Go version

go version go1.23.3 darwin/arm64

Output of go env in your module/workspace:

GO111MODULE='on'
GOARCH='arm64'
GOBIN=''
GOCACHE='/tmp'
GOENV=''
GOEXE=''
GOEXPERIMENT='nocoverageredesign'
GOFLAGS=''
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMODCACHE='/private/var/tmp/_bazel_remi.philippe/31cd85a1ec48238d5daadb374fa5b243/execroot/doublezero/bazel-out/darwin_arm64-fastbuild/bin/go/doublezero.io/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/private/var/tmp/_bazel_remi.philippe/31cd85a1ec48238d5daadb374fa5b243/execroot/doublezero/bazel-out/darwin_arm64-fastbuild/bin/go/doublezero.io/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/private/var/tmp/_bazel_remi.philippe/31cd85a1ec48238d5daadb374fa5b243/execroot/doublezero/external/go_sdk'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='local'
GOTOOLDIR='/private/var/tmp/_bazel_remi.philippe/31cd85a1ec48238d5daadb374fa5b243/execroot/doublezero/external/go_sdk/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.23.3'
GODEBUG=''
GOTELEMETRY='off'
GOTELEMETRYDIR=''
GCCGO='gccgo'
GOARM64='v8.0'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='0'
GOMOD='/dev/null'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/3l/7xh82yq10q5gxls1skx675rc0000gp/T/go-build2649154952=/tmp/go-build -gno-record-gcc-switches'

What did you do?

govulncheck -show traces,verbose -C $EXEC_ROOT/{bin_dir}/go/doublezero.io/gopath/src/doublezero.io ./...

tested with govuln 1.1.3 and also latest master. Same behavior.

What did you see happen?

When using go 1.23+

panic: any

goroutine 77239 [running]:
golang.org/x/tools/go/ssa.(*tpWalker).isParameterizedLocked(0x141649a7808, {0x1006c3bc8, 0x140001240c0})
        external/org_golang_x_tools/go/ssa/parameterized.go:124 +0x4f0
golang.org/x/tools/go/ssa.(*tpWalker).isParameterizedLocked(0x141649a7808, {0x1006c3ba0, 0x14015b604c0})
        external/org_golang_x_tools/go/ssa/parameterized.go:102 +0x14c
golang.org/x/tools/go/ssa.(*tpWalker).isParameterizedLocked(0x141649a7808, {0x1006c2d18, 0x14015b6a1c0})
        external/org_golang_x_tools/go/ssa/parameterized.go:118 +0x4c4
golang.org/x/tools/go/ssa.(*tpWalker).isParameterizedLocked(0x141649a7808, {0x1006c3b28, 0x14015b64ea0})
        external/org_golang_x_tools/go/ssa/parameterized.go:59 +0x64c
golang.org/x/tools/go/ssa.(*tpWalker).isParameterizedLocked(0x141649a7808, {0x1006c2d18, 0x14015b6a150})
        external/org_golang_x_tools/go/ssa/parameterized.go:118 +0x4c4
golang.org/x/tools/go/ssa.(*tpWalker).isParameterizedLocked(0x141649a7808, {0x1006c3b28, 0x14015b64db0})
        external/org_golang_x_tools/go/ssa/parameterized.go:59 +0x64c
golang.org/x/tools/go/ssa.(*tpWalker).isParameterizedLocked(0x141649a7808, {0x1006c2d18, 0x14015b6a0e0})
        external/org_golang_x_tools/go/ssa/parameterized.go:118 +0x4c4
golang.org/x/tools/go/ssa.(*tpWalker).isParameterizedLocked(0x141649a7808, {0x1006c2cf0, 0x14015b5cf90})
        external/org_golang_x_tools/go/ssa/parameterized.go:65 +0x1a8
golang.org/x/tools/go/ssa.(*tpWalker).isParameterizedLocked(0x141649a7808, {0x1006c3b50, 0x14015b4d6e0})
        external/org_golang_x_tools/go/ssa/parameterized.go:70 +0x6c0
golang.org/x/tools/go/ssa.(*tpWalker).isParameterizedLocked(0x141649a7808, {0x1006c3b78, 0x14015b5ee00})
        external/org_golang_x_tools/go/ssa/parameterized.go:83 +0x2dc
golang.org/x/tools/go/ssa.(*tpWalker).isParameterizedLocked(0x141649a7808, {0x1006c3a38, 0x14015b63cc0})
        external/org_golang_x_tools/go/ssa/parameterized.go:87 +0x54c
golang.org/x/tools/go/ssa.(*tpWalker).isParameterizedLocked(0x141649a7808, {0x1006c2d18, 0x14015b6a070})
        external/org_golang_x_tools/go/ssa/parameterized.go:118 +0x4c4
golang.org/x/tools/go/ssa.(*tpWalker).isParameterizedLocked(0x141649a7808, {0x1006c3b28, 0x140463789c0})
        external/org_golang_x_tools/go/ssa/parameterized.go:59 +0x64c
golang.org/x/tools/go/ssa.(*tpWalker).isParameterizedLocked(0x141649a7808, {0x1006c2d18, 0x14034b4d1f0})
        external/org_golang_x_tools/go/ssa/parameterized.go:118 +0x4c4
golang.org/x/tools/go/ssa.(*tpWalker).isParameterizedLocked(0x141649a7808, {0x1006c2cf0, 0x140945db120})
        external/org_golang_x_tools/go/ssa/parameterized.go:65 +0x1a8
golang.org/x/tools/go/ssa.(*tpWalker).anyParameterized(0x141649a7808, {0x140d7fc7640?, 0x141641e3500?, 0x140d7fc7640?})
        external/org_golang_x_tools/go/ssa/parameterized.go:136 +0xec
golang.org/x/tools/go/ssa.createInstance(0x140849d5d40, {0x140d7fc7640, 0x2, 0x2}, 0x14131a14760)
        external/org_golang_x_tools/go/ssa/instantiate.go:80 +0x12c
golang.org/x/tools/go/ssa.(*Function).instance(0x140849d5d40, {0x140d7fc7640, 0x2, 0x2}, 0x14131a14760)
        external/org_golang_x_tools/go/ssa/instantiate.go:37 +0x10c
golang.org/x/tools/go/ssa.(*builder).expr0(0x1405144c720, 0x14088c869c0, {0x1006c48b0?, 0x140945ea800}, {0x0, {0x0, 0x0}, {0x0, 0x0}})
        external/org_golang_x_tools/go/ssa/builder.go:768 +0x1ea8
golang.org/x/tools/go/ssa.(*builder).expr(0x1405144c720, 0x14088c869c0, {0x1006c48b0, 0x140945ea800})
        external/org_golang_x_tools/go/ssa/builder.go:584 +0x11c
golang.org/x/tools/go/ssa.(*builder).expr0(0x1405144c720, 0x14088c869c0, {0x1006c4af0?, 0x140945d2e70}, {0x7, {0x1006c3b78, 0x140945f8b40}, {0x0, 0x0}})
        external/org_golang_x_tools/go/ssa/builder.go:783 +0x10c4
golang.org/x/tools/go/ssa.(*builder).expr(0x1405144c720, 0x14088c869c0, {0x1006c4af0, 0x140945d2e70})
        external/org_golang_x_tools/go/ssa/builder.go:584 +0x11c
golang.org/x/tools/go/ssa.(*builder).setCallFunc(0x1405144c720?, 0x14088c869c0?, 0x140945d9cc0?, 0x14165461c40)
        external/org_golang_x_tools/go/ssa/builder.go:1000 +0x2ac
golang.org/x/tools/go/ssa.(*builder).setCall(0x1405144c720, 0x14088c869c0, 0x140945d9cc0, 0x14165461c40)
        external/org_golang_x_tools/go/ssa/builder.go:1078 +0x2c
golang.org/x/tools/go/ssa.(*builder).expr0(0x1405144c720, 0x14088c869c0, {0x1006c4c10?, 0x140945d9cc0}, {0x1, {0x1006c3b50, 0x0}, {0x0, 0x0}})
        external/org_golang_x_tools/go/ssa/builder.go:665 +0x2000
golang.org/x/tools/go/ssa.(*builder).expr(0x1405144c720, 0x14088c869c0, {0x1006c4c10, 0x140945d9cc0})
        external/org_golang_x_tools/go/ssa/builder.go:584 +0x11c
golang.org/x/tools/go/ssa.(*builder).stmt(0x1405144c720, 0x14088c869c0, {0x1006c4f40?, 0x140945dae70?})
        external/org_golang_x_tools/go/ssa/builder.go:2303 +0xf0
golang.org/x/tools/go/ssa.(*builder).stmtList(...)
        external/org_golang_x_tools/go/ssa/builder.go:909
golang.org/x/tools/go/ssa.(*builder).stmt(0x1405144c720, 0x14088c869c0, {0x1006c4d60?, 0x140945f43c0?})
        external/org_golang_x_tools/go/ssa/builder.go:2420 +0xbf0
golang.org/x/tools/go/ssa.(*builder).buildFromSyntax(0x1405144c720, 0x14088c869c0)
        external/org_golang_x_tools/go/ssa/builder.go:2532 +0x204
golang.org/x/tools/go/ssa.(*builder).buildFunction(0x1?, 0x14088c869c0)
        external/org_golang_x_tools/go/ssa/builder.go:2486 +0x110
golang.org/x/tools/go/ssa.(*builder).iterate(0x1405144c720)
        external/org_golang_x_tools/go/ssa/builder.go:2474 +0x2c
golang.org/x/tools/go/ssa.(*Package).build(0x14131a14700)
        external/org_golang_x_tools/go/ssa/builder.go:2603 +0xa4
sync.(*Once).doSlow(0x11b?, 0x141833ec550?)
        bazel-out/darwin_arm64-fastbuild-ST-b33d65c724e6/bin/external/io_bazel_rules_go/stdlib_/src/sync/once.go:76 +0xf8
sync.(*Once).Do(...)
        bazel-out/darwin_arm64-fastbuild-ST-b33d65c724e6/bin/external/io_bazel_rules_go/stdlib_/src/sync/once.go:67
golang.org/x/tools/go/ssa.(*Package).Build(...)
        external/org_golang_x_tools/go/ssa/builder.go:2592
golang.org/x/tools/go/ssa.(*Program).Build.func1(0x0?)
        external/org_golang_x_tools/go/ssa/builder.go:2575 +0x50
created by golang.org/x/tools/go/ssa.(*Program).Build in goroutine 77050
        external/org_golang_x_tools/go/ssa/builder.go:2574 +0x16c

no issues with 1.22.7

What did you expect to see?

no panic, and the output of govulncheck
@gopherbot gopherbot added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Nov 14, 2024
@gopherbot gopherbot modified the milestones: Unreleased, vuln/unplanned Nov 14, 2024
@gabyhelp
Copy link

Related Issues

(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)

@seankhliao
Copy link
Member

What version of go was govulncheck built with?

@remi-philippe-sp
Copy link

1.23.3 (everything runs in Bazel on with 1.23.3 workspace)
output of govulncheck version

Go: go1.23.3
DB: https://vuln.go.dev
DB updated: 2024-11-12 14:50:10 +0000 UTC

@timothy-king timothy-king self-assigned this Nov 14, 2024
@zpavlinovic
Copy link
Contributor

Any chance we get a reproducer? Thanks for reporting this!

@remi-philippe-sp
Copy link

trying to find a minimal repro, but the error is not helping a lot.
I'm guessing it's something bazel is doing that's causing the issue, but still digging!

@timothy-king
Copy link
Contributor

timothy-king commented Nov 14, 2024
edited
Loading

The code in the stack trace was removed in https://go.dev/cl/573135. That was Mar 21, 2024. Alias support for 1.23 has improved since then for x/tools/go/ssa and should have fixed this.

Aliases were enabled for 1.23+ toolchains in https://go.dev/cl/627715. If you just picked up https://go.dev/cl/627715 , you need to update your copy of x/tools too.

@remi-philippe-sp
Copy link

thanks @timothy-king, to test, I added this in my go.mod: replace golang.org/x/tools => golang.org/x/tools v0.27.1-0.20241114194445-3c20e3f6cb81

no more panics so far!

@remi-philippe-sp
Copy link

just got one, but could be cache related. Will clean and retry everything from 0

panic: Cannot range over: func(yield func(K, V) bool)

goroutine 78045 [running]:
golang.org/x/tools/go/ssa.(*builder).rangeStmt(0x141a6fb1d20, 0x1406eae8820, 0x14001f8a720, 0x0)
        external/org_golang_x_tools/go/ssa/builder.go:2278 +0x690
golang.org/x/tools/go/ssa.(*builder).stmt(0x141a6fb1d20, 0x1406eae8820, {0x104ffd270?, 0x14001f8a720?})
        external/org_golang_x_tools/go/ssa/builder.go:2508 +0x1d8
golang.org/x/tools/go/ssa.(*builder).stmtList(...)
        external/org_golang_x_tools/go/ssa/builder.go:908
golang.org/x/tools/go/ssa.(*builder).stmt(0x141a6fb1d20, 0x1406eae8820, {0x104ffd150?, 0x1400632af60?})
        external/org_golang_x_tools/go/ssa/builder.go:2470 +0xc1c
golang.org/x/tools/go/ssa.(*builder).buildFromSyntax(0x141a6fb1d20, 0x1406eae8820)
        external/org_golang_x_tools/go/ssa/builder.go:2582 +0x204
golang.org/x/tools/go/ssa.(*builder).buildFunction(0x104f65601?, 0x1406eae8820)
        external/org_golang_x_tools/go/ssa/builder.go:2536 +0x110
golang.org/x/tools/go/ssa.(*builder).iterate(0x141a6fb1d20)
        external/org_golang_x_tools/go/ssa/builder.go:2524 +0x2c
golang.org/x/tools/go/ssa.(*Package).build(0x1414184f280)
        external/org_golang_x_tools/go/ssa/builder.go:2658 +0xa4
sync.(*Once).doSlow(0xd1?, 0x1408368ee00?)
        GOROOT/src/sync/once.go:76 +0xf8
sync.(*Once).Do(...)
        GOROOT/src/sync/once.go:67
golang.org/x/tools/go/ssa.(*Package).Build(...)
        external/org_golang_x_tools/go/ssa/builder.go:2647
golang.org/x/tools/go/ssa.(*Program).Build.func1(0x0?)
        external/org_golang_x_tools/go/ssa/builder.go:2626 +0x50
created by golang.org/x/tools/go/ssa.(*Program).Build in goroutine 73632
        external/org_golang_x_tools/go/ssa/builder.go:2625 +0x17c

@timothy-king timothy-king added the WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. label Nov 15, 2024
@timothy-king
Copy link
Contributor

Let us know if this cleared up the types.Alias: any panics for you. If you are just seeing the Cannot range over issues, please close this and open a new issue. Thanks.

@gabyhelp gabyhelp mentioned this issue Nov 19, 2024
Closed
@gopherbot
Copy link
Contributor

Timed out in state WaitingForInfo. Closing.

(I am just a bot, though. Please speak up if this is a mistake or you have the requested information.)

@gopherbot gopherbot closed this as not planned Won't fix, can't repro, duplicate, stale Dec 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@timothy-king timothy-king

Labels
vulncheck or vulndb Issues for the x/vuln or x/vulndb repo WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided.
Projects
None yet
Milestone
vuln/unplanned
Development

No branches or pull requests
8 participants
@timothy-king @zpavlinovic @remiphilippe @gopherbot @seankhliao @remi-philippe-sp @gabyhelp and others