panic in glob conversion function

Created by: rvantonder

I updated the fuzz harness and decided to fuzz some changes in the parser. It found two bugs I introduced, happy about discovering those :-). After fixing them, the fuzzer found this one in the glob converter code:

query example (one of many): file:0[0300z0_0]\

It looks like all the crashing inputs have a trailing \ at the end? I didn't investigate further.

panic: runtime error: index out of range [12] with length 12

goroutine 1 [running]:
github.com/sourcegraph/sourcegraph/internal/search/query.globToRegex(0xc00048a4c0, 0xc, 0x203000, 0x1f8f478, 0xc0001079c0, 0x100b976)
    /Users/rvt/sourcegraph/internal/search/query/transformer.go:166 +0x83c
github.com/sourcegraph/sourcegraph/internal/search/query.mapGlobToRegex.func1(0xc00048a458, 0x4, 0xc00048a4c0, 0xc, 0x0, 0x0, 0x0, 0x0, 0x0, 0x11, ...)
    /Users/rvt/sourcegraph/internal/search/query/transformer.go:213 +0x1d0
github.com/sourcegraph/sourcegraph/internal/search/query.(*ParameterMapper).MapParameter(0xc0007ea170, 0x1461900, 0xc0007ea170, 0xc00048a458, 0x4, 0xc00048a4c0, 0xc, 0x0, 0x0, 0x0, ...)
    /Users/rvt/sourcegraph/internal/search/query/mapper.go:73 +0xac
github.com/sourcegraph/sourcegraph/internal/search/query.(*BaseMapper).MapNodes(0xc0007ea170, 0x1461900, 0xc0007ea170, 0xc000260630, 0x1, 0x1, 0x0, 0x11, 0xc000107d68)
    /Users/rvt/sourcegraph/internal/search/query/mapper.go:25 +0x520
github.com/sourcegraph/sourcegraph/internal/search/query.MapParameter(...)
    /Users/rvt/sourcegraph/internal/search/query/mapper.go:117
github.com/sourcegraph/sourcegraph/internal/search/query.mapGlobToRegex(0xc000260630, 0x1, 0x1, 0xc000260630, 0x1, 0x1, 0x0, 0x0)
    /Users/rvt/sourcegraph/internal/search/query/transformer.go:211 +0x147
github.com/sourcegraph/sourcegraph/internal/search/query.ProcessAndOr(0xc000107e48, 0x11, 0x0, 0x1, 0xc000107e48, 0x11, 0xba649ff9, 0x342a9ba649ff9)
    /Users/rvt/sourcegraph/internal/search/query/parser.go:901 +0x2df
github.com/sourcegraph/sourcegraph/internal/search/query.Fuzz(0x92f0000, 0x11, 0x11, 0x3)
    /Users/rvt/sourcegraph/internal/search/query/fuzz.go:26 +0x1a5
go-fuzz-dep.Main(0xc000107f70, 0x1, 0x1)
    go-fuzz-dep/main.go:36 +0x1ad
main.main()
    github.com/sourcegraph/sourcegraph/internal/search/query/go.fuzz.main/main.go:15 +0x52
exit status 2

This is a good opportunity to see the fuzzer in action and run it for yourself (it may be useful for other things in future). To reproduce, just follow the instructions in fuzz.go (though you will likely see crashes caused by my code before seeing the one in the glob converter code, since those fixes are not merged yet, so I suggest adding the example crashing input above as a test case when fixing the glob code):

  • Run go-fuzz-build in ~/sourcegraph/internal/query
  • Run go-fuzz
  • Wait about 15 seconds and you'll see 'crashers' with a number greater than 0. Hit ctrl-c, and find the crashers' inputs and outputs in the crashers folder.
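As an added illustration of the defect class behind this panic (example code, not the issue's or Sourcegraph's transformer.go), here is a cut-down glob-to-regex converter that only handles `*` and backslash escapes on ASCII input. The unchecked version reads one byte past the end when the glob ends in `\`, reproducing the "index out of range [12] with length 12" message for the reported query; the hardened version bounds-checks the escape and returns an error instead of crashing the search process.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// globToRegexUnchecked reproduces the failure mode from the report: a backslash
// consumes the next byte without checking that one exists, so a trailing "\" panics.
func globToRegexUnchecked(glob string) string {
	var sb strings.Builder
	for i := 0; i < len(glob); i++ {
		if glob[i] == '\\' {
			i++ // no bounds check: index out of range when '\' is the last byte
		} else if glob[i] == '*' {
			sb.WriteString(".*")
			continue
		}
		sb.WriteString(regexp.QuoteMeta(string(glob[i])))
	}
	return "^" + sb.String() + "$"
}

// globToRegex is the hardened form: the escape case verifies that a byte follows
// the backslash, and the pattern is compiled so bad input yields an error value.
func globToRegex(glob string) (*regexp.Regexp, error) {
	var sb strings.Builder
	for i := 0; i < len(glob); i++ {
		if glob[i] == '\\' {
			if i+1 >= len(glob) {
				return nil, errors.New("glob: trailing backslash")
			}
			i++
		} else if glob[i] == '*' {
			sb.WriteString(".*")
			continue
		}
		sb.WriteString(regexp.QuoteMeta(string(glob[i])))
	}
	return regexp.Compile("^" + sb.String() + "$")
}

func main() {
	in := `0[0300z0_0]\` // constructed from the crashing query in the report
	_, err := globToRegex(in)
	fmt.Println("hardened:", err)   // hardened: glob: trailing backslash
	globToRegexUnchecked(in)        // panics: index out of range [12] with length 12
}
```

Once the converter is fixed, the crashing input above makes a good regression test alongside a handful of benign globs, and the same go-fuzz harness will then keep exercising the escape handling.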